Skip to main content

One post tagged with "rule-exposure"

View All Tags
MissedComplianceProxy

Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API

locancelocationsmartontariocompliancekyc

Source. June 2, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — compliance and security gaps.

What we tested

Locance (LocationSmart), a geolocation provider active in Ontario. Two angles: the account-onboarding and deposit flow, and the content of the API response when connecting from outside the jurisdiction.

What happened

  • No identity / location verification. A tester completed account registration and a real-money Interac deposit without ever being asked to verify identity or location — a step that should be mandatory under Ontario iGaming compliance rules.
  • Detection logic exposed in plain text. Connecting from a Singapore IP, the API response visibly named the exact detection rules that were triggered — e.g. IP proxy detected, IP hosting provider.

Why it matters

Two distinct problems on one provider:

  1. The identity-verification gap is a direct compliance failure. Completing a real-money deposit with no KYC step is a regulator-facing defect under Ontario rules.
  2. The exposed detection logic is a security weakness. Any technically sophisticated fraudster intercepting the response learns precisely which rules they need to evade, and can tune their attack accordingly.

Both findings are relevant for competitive positioning against operators considering Locance.

Cross-reference

Locance profile → · June 2 weekly sync →