About a month ago independent developer Tiny Build made a bold accusation. They claimed that a company called G2A was “facilitating a fraud-fueled economy” by allowing digital game keys purchased with stolen credit cards to be sold secondhand online. What followed was an ugly public confrontation between the two organizations.
In the last few weeks, G2A has seemingly made concessions in favor of developers by agreeing to, among other things, offer a form of royalty payments. Since Polygon began covering the story, G2A has even made changes in how it verifies the identity of its users.
Now G2A wants to set the record straight about its business practices. It offered up the company’s chief executive officer, Bartosz Skwarczek, for an interview.
In order to make sense of the whole story, Polygon also reached out to several experts in the international payments industry. Here’s what we learned about digital goods, the gray market and G2A’s place in it all.
A CASE OF MISTAKEN IDENTITY
One of the first points, and perhaps the most important, that Skwarczek wanted to make is that G2A is no longer a seller of digital goods, gray market or otherwise.
He said that for a long time they were, among other things, a retailer of digital goods. But as of today G2A does not maintain its own inventory. Instead, Skwarczek said, their main line of business is as a marketplace.
“When you’re saying that G2A is a reseller [in your previous articles] people think that this is the truth,” Skwarczek told Polygon. “This is not. We have eBay’s business model, which means that there are third-party sellers here. There are 200,000 external, third-party sellers. We’re not buying product from them and selling those products to the market. We are just delivering the platform and they are doing the transactions.”
The benefit of such a marketplace, Skwarczek said, is that competition drives down the cost of goods for consumers. It’s just that, in this instance, nearly all of those goods are ephemeral digital codes. Because of the breadth of payment options that G2A allows, it has also been able to make inroads into places its competitors can’t easily reach, like India and Turkey. But, Skwarczek said, its biggest markets are the U.S. and Europe.
“When you have 200,000 sellers competing with each other, it’s obvious that the price will be good,” Skwarczek said. “However, there’s one more important thing. All other functionalities on your website, on your marketplace, must be nearly perfect to bring those customers to your side. This is why we started [focusing on] support, which right now is considered one of the best, if not the best, in the industry. We do benchmarking every month, comparing our marketplace to other marketplaces and other developers, other publishers.”
That attention to user experience, he said, is why today G2A has more than 34,000 different products available for purchase compared to Steam’s 12,000.
“Today,” Skwarczek said, “we’re number one.”
The basis for the conflict between Tiny Build and other publishers like Electronic Arts and Ubisoft is complex. At its core is the issue of chargebacks.
When stolen credit cards are used online, card holders often don’t realize that fraud has taken place until their billing statement arrives. Once fraud is reported, credit card companies issue chargebacks, a process by which a suspect transaction is invalidated, denying publishers like Tiny Build compensation for those purchases.
The chargeback process itself can take up to 30 days. That leaves a window of opportunity for criminals using stolen credit cards to sell their digital codes online using marketplaces like G2A. Recently, Tiny Build’s CEO Alex Nichiporchik said he was able to buy game codes — the same game codes purchased with stolen credit cards through his own online shop — on G2A’s marketplace. That means that anonymous resellers and G2A both profited from these sales. Meanwhile, the transactions run through Tiny Build were invalidated through chargebacks.
In its defense, G2A denied to Polygon that it knowingly participates in the sale of stolen goods.
“G2A is a marketplace,” its PR team stated via email. “We provide a service for people to buy and sell goods. We absolutely in no way participate in or support any activity that is not legal.
“It is our responsibility to do everything we can to protect the integrity of the marketplace and we take that responsibility seriously. Our security policies and regulations have been built to be in full compliance with the regulations set forth by all global regulatory authorities.”
So what are G2A’s responsibilities to buyers and sellers as a global marketplace?
CROSSING THE BORDER
Faisal Khan is a banking and payments consultant based in Pakistan who specializes in cross-border transactions. “If money moves across borders,” Khan told Polygon, “if value moves across borders — be it overseas, business-to-business, peer-to-peer, chargebacks, Bitcoin — that’s my domain.”
Khan was quick to point out that the relationship between G2A and the sellers that use its marketplace is covered in the liability clause of their terms and conditions. Right now, that liability cannot exceed €500.
Khan said their liability to users — those buying codes on their marketplace — is functionally zero.
Adding further distance between itself and its patrons, Khan said, is the fact that G2A does business out of Hong Kong.
“The European Union, the United States and Canada have very strict payment laws in addition to their very strong consumer protection laws,” Khan said. “So, in this case if a transaction goes bad or gray or if it becomes contentious, they can get away with it.
“In the U.S. I have the CFPB, which is the Consumer Financial Protection Bureau, to go to. I’m going to go to the Better Business Bureau. There’s a lot of protection that is offered to consumers in the United States. In this case, they’ll say, ‘Well what are you going to do? The transaction was done.’”
But with the case of digital goods, it gets even more complicated.
Say that Developer X has a batch of Steam codes fraudulently purchased from its online store. It reports those codes as stolen to G2A, and G2A takes them down. Fine. Done deal. Skwarczek says that his company has a robust database that makes that possible and fairly easy.
But say that Developer X has a batch of Steam codes fraudulently purchased and doesn’t report those codes to G2A. Maybe they’re not aware, as in the case of Tiny Build. They’re still for sale on the G2A marketplace and you, Susie Consumer, buy one. The game code is accepted by Steam, and it works for a while. But Developer X eventually reports the codes to Steam, and one day Susie Consumer goes into her library and the game she bought on G2A is gone. Access is revoked.
What’s G2A’s liability to the customer in this instance? Again, by their terms and conditions, functionally zero.
“It always depends on the case,” G2A’s Skwarczek told Polygon. “Because sometimes we give money back, of course, because the customer — because there are rights [given to them by their governments] to do it, all right? We have to be fair between sellers and buyers.”
Unless, of course, you buy G2A Shield, a one-time up-charge and a monthly subscription service available from G2A.
If Susie Consumer buys G2A Shield and if something goes wrong with her code, does she get her money back? Absolutely, Skwarczek said. No questions asked.
“We’re so sure of our security systems that we guarantee that [transaction] with our [own] money,” Skwarczek said. “This is not an insurance. This is a guarantee for customers that they receive their money back. He receives his money back if he wants to use G2A Shield.”
Once more, Skwarczek stressed how different G2A’s liabilities are now that it is strictly a marketplace and not a retailer.
“There are absolutely different regulations between marketplaces and retailers. We are obliged to ask questions when customers come to us with a return policy — except with G2A Shield — because there is a seller who needs to know why a customer wants to give the product back.”
Skwarczek during a visit to Google’s headquarters. Also pictured is G2A’s chief marketing officer Dawid Rozek.
So say then that you are a criminal who has turned stolen credit cards into game codes. And say that, hypothetically at least, you’ve moved those codes quickly to the G2A marketplace and successfully sold them to a couple hundred Susie Consumers.
The ultimate goal is to pull cash out of your end of the internet. That’s called money laundering and, as an international business that serves as a marketplace for goods, G2A is obligated to root that practice out. The way it does that is with a set of practices known in the payments industry as “know your customer,” or KYC. It’s the process by which G2A, and other marketplaces like it, are bound by law to verify the identity of their sellers before they allow money to be transferred through their system.
But at what threshold do KYC practices kick in at G2A?
“In the United States,” Skwarczek said, “if you’re not a payment institution, it’s $5,000. If you are, it’s more strict. If you’re a financial institution, then it’s $2,000. … [At G2A] every transaction, every seller who is selling goods over $2,000 in this more restricted model, must be verified with KYC procedure. … ID and everything.”
But the vast majority of game codes fall well below that threshold. To keep criminals on their toes, Skwarczek says that G2A can trigger a KYC verification at any time. Maybe it will come at the $2,000 mark, but it could just as easily come at $500 or less.
“We comply with every regulation which is there. Why aren’t we more strict about these verifications? It’s all about the balance between being the most user-friendly and being the most strict about everything.”
But, says payments expert Faisal Khan, another important aspect of anti-money laundering practices — also known as AML — is something called a “velocity check.”
The clients that Khan works with, as a matter of course, use software that tracks how many of a given type of transaction are moving through their payments system. Those could be structured payments of about the same size, moving from one place to another over a short period of time. But it could just as easily be a particular game code moving through a marketplace in large numbers very suddenly.
“You’re deliberately introducing hundreds if not thousands of transactions under the limit so that you don’t get flagged,” Khan said. “G2A should have a bird’s eye view on the entire ecosystem. They should be able to correlate the data and be able to see, suddenly, all these accounts coming up.
“If they’re not doing velocity checks on their AML policy, then the policy itself is flawed. It is seriously flawed.”
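A minimal sketch of the kind of velocity check Khan describes, added here as an illustration and not G2A's or any vendor's code: it flags a product when many sales below the KYC threshold arrive within a short window from several newly created seller accounts. The record fields, the window and count limits, and the account-age heuristic are assumptions, and the sample sales are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

KYC_THRESHOLD = 2000.00  # USD figure quoted in the article

def velocity_alerts(sales, window=timedelta(hours=1), min_sales=5,
                    min_new_sellers=3, new_account_age=timedelta(days=2)):
    """Return {product: (first_ts, last_ts, sellers)} for the first burst of
    sub-threshold sales of one product spread across newly created accounts."""
    by_product = defaultdict(list)
    for s in sales:
        if s["amount"] < KYC_THRESHOLD:  # sales that would never trigger KYC alone
            by_product[s["product"]].append(s)

    alerts = {}
    for product, rows in by_product.items():
        rows.sort(key=lambda s: s["ts"])
        recent = deque()  # sliding window of sales for this product
        for s in rows:
            recent.append(s)
            while s["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            # Correlate across accounts: which sellers in the window are new?
            new_sellers = {r["seller"] for r in recent
                           if r["ts"] - r["seller_created"] <= new_account_age}
            if (product not in alerts and len(recent) >= min_sales
                    and len(new_sellers) >= min_new_sellers):
                alerts[product] = (recent[0]["ts"], s["ts"], sorted(new_sellers))
    return alerts

# Constructed sample data: "game-A" is sold by three accounts opened three
# hours earlier; "game-B" sells just as fast, but from long-standing sellers.
T0 = datetime(2016, 7, 1, 12, 0)

def sale(seller, created, product, minute, amount=15.0):
    return {"seller": seller, "seller_created": created, "product": product,
            "ts": T0 + timedelta(minutes=minute), "amount": amount}

SAMPLE = (
    [sale(f"new{i % 3}", T0 - timedelta(hours=3), "game-A", 5 * i) for i in range(6)]
    + [sale(f"old{i % 3}", T0 - timedelta(days=700), "game-B", 5 * i) for i in range(6)]
)

if __name__ == "__main__":
    for product, (start, end, sellers) in velocity_alerts(SAMPLE).items():
        print(product, start, end, sellers)
```
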
We asked Skwarczek to tell us about his anti-money laundering practices at G2A. He would not go into detail, other than to say that he’s actively hiring as he expands into new territories. Right now, in fact, G2A has an opening for a “global payments compliance officer.” One of the requirements is for that individual to have experience in AML practices.
They also need “proven experience of building something from scratch.” But, Skwarczek said, that is not evidence of lax or absent AML practices.
“We don’t have any weak points,” Skwarczek said. “We’re just growing so fast that we need more and more good people. Our company is about specialty. This year we’ve hired more than 200 specialists into our company, people from different parts of the world.”
In G2A’s defense, it’s easy to see the game industry’s release schedule itself mirroring this kind of velocity within the marketplace. How is G2A supposed to know the difference between a popular new game, and a popular new kind of fraud? That’s part of the challenge of their particular business model.
KATY BAR THE DOOR
One of the issues that Tiny Build takes with G2A is the ease of putting goods — stolen or otherwise — up for sale on their marketplace.
In late June, after discovering that so many of their games had been sold on G2A without their knowledge, Tiny Build called on the company to make significant changes in how they verify the identity of their users.
“Actually verify your merchants,” Tiny Build’s Nichiporchik pleaded in late June. “I just made an account and within an hour was able to sell a ton of keys, no verification whatsoever. If eBay allowed you to sell merchandise without verifying sellers’ credentials (they ask you for IDs, statements confirming addresses, tie it to your bank account, etc), they’d probably be under similar fire right now as they’d facilitate stolen goods trade.”
While Polygon was researching this article, G2A did make a significant change in how they validate sellers. Now, instead of an email alone, G2A also requires that sellers connect their account to a Facebook or a VK social media profile and validate their phone numbers. Only after all three pieces of information are confirmed are they cleared to sell on the marketplace.
That verification, G2A told Polygon, extends to all accounts on the marketplace both old and new.
While that will undoubtedly deter casual fraudsters, it also presents a hurdle for new users to the platform and may slow the growth of G2A. But they made the change anyway as an act of good faith.
But is it an effective deterrent for money laundering?
Daniel Csoka is a member of the Federal Reserve’s Faster Payments Task Force, an initiative to create a more streamlined and secure payments system in the U.S. As such, he has expertise in online payments and anti-money laundering practices. We asked him about G2A’s change to a three-point verification system for all sellers.
“Well, what does it take for me to get a Russian Facebook [VK] page?” Csoka said. “Probably not much. What does it take for me to get an email? Well we already know that I can get a throwaway one. What’s it take for me to get a phone? I can buy a burner.
“Did you know that the number one name of prepaid phone users before the 9/11 attacks was ‘Mickey Mouse’? So, in terms of answering your question from a Faster Payments Task Force perspective, what do I think about that? It’s woefully underwhelming. Before I used one anonymous source. Now they want three.”
Tiny Build’s Nichiporchik was similarly unimpressed.
“Every site out there does social media logins and SMS verification,” he told Polygon via email. “There’s nothing stopping people from getting burner cell-phones and going around this.”
Throughout our interview, G2A’s Skwarczek was adamant about the quality of his marketplace. With regard to the specific issue with Tiny Build, where some 27,000 game codes were sold in a short period of time, he was careful to point out that only a very small portion of those transactions themselves had complications. Only .16 percent of those transactions, he said — roughly 43 of them — had issues with payment fraud on G2A. And, for those customers who received the codes, only .8 percent had issues with those codes that required a call to G2A’s customer service.
His system, the G2A system, works well, Skwarczek said. They are complying with those laws which apply to their marketplace, and the only way to stop fraud as in the instance with Tiny Build was for developers to work more closely with his team.
As for the future, G2A is experiencing unprecedented growth, Skwarczek says. That’s why venture capitalists are beating down his door.
“VCs are trying us and are convincing us to work with them,” G2A’s CEO told Polygon. “But we’re refusing everyone at the moment. They’re pretty frustrated. We have several offers.
“Every week someone is coming and saying, ‘We’d like to be a partner in G2A.’ We have our own plans for the future. We’ve considered a few very serious scenarios, but we know what we have to do. We have our homework to do. We have big plans and ambitions. We want to be a solid partner for everyone in the gaming industry.”