Mystery Shopper Tests Examine Germany’s Gambling Safeguards

Inside the mystery shopper tests: What happened at Tipico, Tipwin and Sportwetten.de?

When Germany introduced the Glücksspielstaatsvertrag 2021, the objective was clear. A nationwide regulatory framework supported by central technical systems would provide a consistent level of player protection regardless of which licensed operator a customer chose. Whether a player registered online or through a betting shop, deposited cash or used electronic payment methods, the underlying safeguards were intended to operate according to the same legal principles.

Different customer journeys. Different outcomes. The same regulatory framework.

In practice, however, achieving consistency across a modern gambling market is considerably more complex than drafting legislation. Today's licensed operators rely upon interconnected technical infrastructures linking betting shops, online platforms, customer databases, payment systems and central regulatory tools such as LUGAS. Every customer journey involves multiple systems communicating with one another in real time. The effectiveness of regulation therefore depends not only on legal requirements but also on whether these technical systems interact consistently under a wide variety of circumstances.

Our previous article examined these broader structural questions and considered why practical testing has become an increasingly important component of modern gambling supervision. It argued that mystery shopper exercises provide an opportunity to observe how regulatory safeguards operate during genuine customer interactions rather than relying solely upon technical documentation or written procedures. That discussion focused primarily on the wider regulatory implications rather than the individual test scenarios themselves.

This follow-up article takes the next step.

Rather than discussing gambling regulation in abstract terms, we examine several of the customer journeys documented during the February 2025 mystery shopper programme. These include reported scenarios involving Tipico, Tipwin, Sportwetten.de and Tiptorro. The purpose is not to determine whether any operator complied with or breached regulatory requirements. That responsibility rests exclusively with the competent authorities following their own investigative processes.

Instead, this article asks a different question. Why did apparently similar customer journeys sometimes produce different reported outcomes?

That question deserves attention because consistency lies at the heart of every regulatory system. If two customers complete broadly comparable journeys under the same legal framework yet experience different technical outcomes, understanding the reasons becomes important for operators, regulators and policymakers alike. Different outcomes do not necessarily indicate non-compliance. They may arise from differences in account architecture, timing, technical implementation, customer configuration or other operational variables that are not immediately visible from the outside.

The mystery shopper documentation itself reflects this complexity. Some test cases reportedly suggested that customers were able to perform activities that the authors believed should have been prevented by the relevant technical safeguards. Other test cases involving similar operators and comparable customer journeys reportedly produced the opposite result, with the controls appearing to function as intended. These contrasting observations are arguably more significant than any individual example because they shift the discussion away from isolated incidents and towards questions of repeatability, testing methodology and supervisory assessment.

For that reason, the following analysis reconstructs the reported customer journeys individually before considering what broader regulatory questions they may raise. Throughout this article, the mystery shopper reports are treated as documentary evidence of specific observations made under defined testing conditions. They should not be interpreted as regulatory findings, formal determinations of compliance or evidence of wrongdoing by any operator. Rather, they provide an opportunity to examine how complex technical safeguards may operate under real-world conditions and why continued testing remains an essential component of effective regulatory oversight.

Understanding the mystery shopper programme

One of the difficulties when analysing mystery shopper reports is that readers often jump directly to the reported outcome without first considering the methodology behind the exercise. Yet the value of any testing programme depends not only on what it finds but also on how those findings were obtained. Before examining the individual customer journeys, it is therefore useful to understand the structure of the February 2025 exercise.

The testing programme focused on customer experiences rather than technical audits. Instead of examining software code, reviewing internal policies or analysing system architecture, the testers approached the market in the same way as ordinary customers. They visited licensed betting shops in different German cities, registered customer accounts, deposited funds through retail locations and subsequently attempted to use the associated online betting services. The objective was to observe how regulatory safeguards appeared to operate during genuine customer journeys rather than under controlled laboratory conditions.

According to the documentation, the programme included multiple testers operating across several locations, including Berlin, Munich, Hamburg and Hannover. Different combinations of licensed operators were examined, allowing the authors to compare how similar customer journeys reportedly developed under different circumstances. This approach is particularly valuable because it reduces the risk of drawing conclusions from a single isolated observation. Instead, the reports allow comparisons between different customer experiences that were designed to test broadly comparable regulatory processes.

The customer journey itself followed a relatively consistent pattern throughout much of the testing. A tester first attended a betting shop operated by one or more licensed providers. Following registration, the customer received credentials enabling access to both the retail and online environments where such functionality was available. Funds were then deposited through the betting shop before online betting activity was attempted using the newly created account. In several scenarios, a second operator was introduced shortly afterwards in order to observe how the relevant regulatory safeguards appeared to respond.

At first glance, this may appear to be a straightforward process. In reality, however, each stage involves a considerable amount of technical interaction. Identity verification must be completed successfully. Customer records must be synchronised between retail and online systems. Deposits must be recorded correctly. Activity information must be transmitted between the operator's infrastructure and the relevant central regulatory systems. Only after these individual components have interacted successfully can the customer proceed through the complete journey.

This complexity is precisely why practical testing has become increasingly important. A regulatory safeguard may appear entirely effective when assessed through documentation or technical specifications. The true challenge lies in determining whether those safeguards continue to operate consistently when exposed to real customer behaviour involving different operators, different retail locations, different account structures and different technical implementations. Mystery shopper exercises cannot answer every regulatory question, but they can provide valuable insight into how integrated systems behave outside controlled testing environments.

The reports examined in this article therefore represent observations made under specific circumstances. They do not establish regulatory breaches, nor do they determine whether any operator complied with or failed to comply with the Glücksspielstaatsvertrag 2021. Rather, they document customer experiences that may assist regulators, operators and policymakers in understanding how increasingly complex technical systems function in practice. Interpreting those observations requires careful analysis rather than immediate conclusions.

Case study one: Tipico and Sportwetten.de

The first customer journey documented in the summary report involved betting shops operated by Tipico and Sportwetten.de. It has become one of the most frequently discussed examples within the testing programme because it illustrates how relatively ordinary customer behaviour can give rise to wider regulatory questions.

According to the report, the tester first visited betting shops operated by both companies in Berlin. During the registration process, customer credentials were issued for both the retail environment and the corresponding online accounts. Cash was subsequently deposited through the betting shops onto the respective customer accounts before the tester attempted to place wagers online. The sequence itself was unremarkable. It reflected the type of hybrid retail and online experience that many licensed operators now provide to their customers.

The reported observation becomes significant only during the next stage of the journey.

According to the mystery shopper documentation, the tester first placed an online wager using the Tipico account. Within approximately five minutes, a second wager was reportedly placed through the Sportwetten.de account. The authors of the report concluded that this customer was able to participate in activity across multiple operators in circumstances where they believed the relevant regulatory controls should have prevented such an outcome.

It is important to distinguish carefully between the observation itself and the interpretation that follows. The report documents what the testers state they experienced during that particular customer journey. Whether the reported outcome reflected a temporary technical event, differences in system implementation, account-specific characteristics or another explanation cannot be determined from the publicly available documentation alone. Nor does the report itself attempt to answer those questions. It records the observation and explains why the authors considered it noteworthy.

From a regulatory perspective, however, the scenario raises an entirely legitimate question. If central monitoring systems are intended to apply certain safeguards consistently across licensed operators, how should regulators evaluate situations where one customer journey appears to produce a different outcome from that expected by the testers? Answering that question requires considerably more than reviewing screenshots. It requires understanding the interaction between multiple technical systems operating simultaneously, something that is rarely visible from the customer's perspective.

Why this customer journey deserves closer examination?

The reported Tipico and Sportwetten.de scenario is interesting for reasons that extend well beyond the individual operators involved. If viewed in isolation, it could easily be dismissed as a single customer experience recorded under specific testing conditions. The real significance emerges only when this scenario is compared with other customer journeys documented within the same programme.

Modern gambling regulation increasingly relies on the assumption that technical safeguards operate consistently regardless of where a customer enters the regulated market. A player registering through a betting shop in Berlin should generally expect the same regulatory protections as a player registering elsewhere under comparable circumstances. Likewise, operators implementing the same legal requirements would ordinarily expect similar customer journeys to produce broadly similar outcomes. When apparent differences emerge, understanding the reasons becomes more important than the individual observation itself.

This is particularly relevant because the mystery shopper documentation contains examples pointing in different directions. Some customer journeys reportedly resulted in outcomes that the authors considered inconsistent with the intended operation of the relevant safeguards. Others, involving similar operators and broadly comparable circumstances, reportedly produced the opposite result. Rather than weakening the value of the testing, these differences arguably make it more informative. They suggest that the important question is not whether a single test succeeded or failed but why different tests appear to have produced different results.

Without access to the underlying technical infrastructure, it is impossible to determine the explanation from the publicly available reports alone. Numerous variables could influence how a customer journey develops. Timing may differ by only a few seconds. Data may be processed asynchronously. Customer accounts may be configured differently. Retail and online account structures may not be identical across operators. None of these possibilities establish that a regulatory issue exists. They simply illustrate why isolated observations should be interpreted cautiously and why regulators often require repeated testing before reaching conclusions.

From a supervisory perspective, this distinction is fundamental. Effective regulation depends not only on identifying unusual outcomes but also on understanding whether they are repeatable. If the same customer journey repeatedly produces the same observation under controlled conditions, confidence in the finding naturally increases. Conversely, if similar tests produce different outcomes, investigators must determine which variables changed and whether those variables are relevant to the wider operation of the market.

The Berlin scenario therefore serves as an appropriate starting point for the wider discussion. It introduces a regulatory question that cannot be answered by screenshots alone. It requires technical analysis, repeated testing and a detailed understanding of how multiple systems interact throughout a customer's journey.

Case study two: Tipwin and Tipico

The second customer journey documented within the summary report involved Tipwin and Tipico. While the operators differed from the previous example, the overall structure of the test followed a remarkably similar pattern. Once again, the tester entered the regulated market through betting shops before moving into the online environment, allowing the interaction between retail operations and online betting services to be observed under practical conditions.

According to the report, the tester registered through betting shops operated by Tipwin and Tipico in Hannover. Following registration, online access credentials were issued and cash deposits were made through the retail locations. The tester then proceeded to use the associated online betting accounts. As with the previous case, the customer journey itself reflected a normal commercial process that many licensed operators now provide through integrated retail and online account structures.

The reported observation again centred on the sequence of betting activity. According to the summary, the tester first placed a wager using the Tipwin account before subsequently placing another wager through the Tipico account within a relatively short period. The authors concluded that this represented another example in which the expected safeguards did not appear to operate in the manner anticipated during that particular customer journey.

Viewed on its own, this second scenario appears broadly consistent with the earlier Berlin example. Both involve retail registration, cash deposits, online betting and subsequent activity across more than one licensed operator. Both were interpreted by the authors as examples where the relevant controls did not produce the outcome they expected. At first glance, the two cases might therefore appear to reinforce one another.

However, this is precisely the point at which the wider testing programme becomes especially interesting.

The documentation does not present a series of identical outcomes. Instead, it contains examples where apparently comparable customer journeys reportedly produced different results. That distinction changes the nature of the discussion considerably. Rather than asking whether one particular operator behaved correctly or incorrectly, attention shifts towards understanding why similar testing conditions did not always produce the same observations.

For regulators, this distinction matters because consistency is often a stronger indicator than individual results. A single observation may identify a potential area for further investigation. Multiple observations pointing in different directions create a different challenge altogether. They require investigators to identify the variables responsible for those differences before any meaningful conclusions can be reached.

When the system appeared to operate as expected?

One of the most important findings within the summary report receives comparatively little attention despite arguably being the most valuable observation in the entire testing programme.

According to the documentation, another tester registered with Tipico, Tipwin and Sportwetten.de in Hamburg under a broadly comparable retail and online account structure. Unlike the earlier scenarios, however, the report states that parallel betting was not possible during this customer journey. The authors further noted that the LUGAS activity file appeared to function correctly in this instance and that the relevant controls behaved as expected.

From an analytical perspective, this observation is arguably more significant than either of the previous examples.

If every mystery shopper had experienced the same reported outcome, the discussion would naturally focus on whether a broader implementation issue existed. Instead, the documentation presents a more complex picture. Some testers reportedly experienced outcomes that the authors questioned, while others using similar combinations of operators did not. That immediately raises a more sophisticated regulatory question. Which factor changed?

The publicly available reports do not answer that question, nor should they be expected to. Their purpose was to document observations rather than perform a forensic technical investigation. Nevertheless, the differing outcomes highlight why practical testing cannot rely on isolated examples alone. They also demonstrate why regulators frequently require repeated observations before drawing broader conclusions about system performance.

From a technical perspective, even seemingly minor differences can influence how integrated systems behave. Registration sequences, transaction timing, account synchronisation, processing intervals or other operational characteristics may all contribute to different customer experiences. Whether any of these factors played a role in the reported outcomes cannot be established from the available documentation. What can be said is that the differing observations reinforce the importance of understanding the circumstances under which regulatory safeguards operate as intended and those under which further examination may be appropriate.

Looking beyond the operators

At this stage, it becomes useful to pause before examining additional scenarios. The temptation when reading a mystery shopper report is to focus primarily on the names of the operators involved. Tipico, Tipwin, Sportwetten.de and Tiptorro naturally attract attention because they are familiar brands within the regulated German market. Yet concentrating exclusively on the operators risks overlooking the more important regulatory question that emerges from the testing.

Each of the documented customer journeys represents only one point within a much larger technical ecosystem. Behind every registration, deposit and wager sits a chain of interconnected systems responsible for identity verification, account management, payment processing, transaction recording and regulatory monitoring. The customer experiences only the visible outcome. The underlying processes remain largely invisible, even when a detailed mystery shopper report is available.

This distinction matters because two customer journeys that appear almost identical from the outside may involve different technical pathways internally. One customer may complete identity verification seconds earlier than another. One transaction may reach a central monitoring system fractionally before another. Different operators may rely on different software providers or account architectures while still seeking to comply with the same regulatory requirements. None of these differences necessarily indicate a regulatory problem, but they demonstrate why technical supervision is considerably more complex than simply reviewing policies or legal documentation.

The mystery shopper programme therefore raises questions that extend beyond any individual operator. How should regulators determine whether a central technical safeguard is functioning consistently across dozens of licensed businesses? How many customer journeys must be examined before confidence can be established? Perhaps most importantly, how can supervisory authorities distinguish between an isolated operational anomaly and a broader implementation issue that may warrant further investigation?

These are not questions unique to gambling regulation. Similar challenges arise wherever complex digital systems underpin regulatory compliance. Financial institutions, payment providers, telecommunications companies and healthcare providers all rely on interconnected technical infrastructures that must operate reliably under millions of individual customer interactions. Gambling regulation increasingly belongs within that same category.

The importance of repeatability

One principle underpins almost every technical investigation. An observation becomes significantly more valuable when it can be repeated under comparable conditions. This principle is well understood within software engineering, cybersecurity, scientific research and regulatory testing. If a particular outcome occurs only once and cannot subsequently be reproduced, investigators naturally consider whether temporary or highly specific factors may have influenced the result.

The mystery shopper documentation illustrates why this principle is so important. The programme contains examples where testers reportedly experienced outcomes that the authors considered noteworthy. It also contains examples where similar customer journeys reportedly produced different observations. Taken together, these findings encourage a more measured interpretation than either example would support on its own.

For regulators, repeatability provides the foundation for evidence-based supervision. Before any formal conclusions can be reached, investigators typically seek to understand whether a reported observation can be reproduced under similar circumstances. If repeated testing consistently produces the same outcome, confidence in the observation increases. If repeated testing produces different outcomes, the focus shifts towards identifying the variables responsible for those differences.

This approach also protects operators. A single unusual customer journey should not automatically be interpreted as evidence of systemic non-compliance. Equally, a single successful customer journey should not automatically demonstrate that every aspect of a complex technical system functions perfectly under all conditions. Both perspectives require a broader body of evidence before meaningful conclusions can be drawn.

The February 2025 mystery shopper exercise therefore demonstrates the value of practical testing while also illustrating its limitations. It provides documented observations that deserve careful consideration, but it does not eliminate the need for further analysis, technical review or additional testing where appropriate. That distinction is essential if regulatory discussions are to remain evidence-driven rather than speculative.

What questions naturally follow?

The publicly available reports inevitably leave several questions unanswered. This is not a criticism of the testing programme itself. Mystery shopper exercises are designed to observe customer experiences rather than perform comprehensive forensic examinations of complex technical infrastructures. Their purpose is to identify situations that may warrant closer attention rather than provide definitive explanations.

One obvious question concerns timing. How quickly should information relating to customer activity become available across interconnected regulatory systems? If different technical components communicate in real time, minor delays may have little practical significance. If they communicate through different processing cycles, however, customer experiences may vary depending on the precise sequence of events. The reports do not provide sufficient technical information to assess this possibility, but it represents one of several areas that regulators may naturally consider during any subsequent review.

Another question concerns account architecture. Modern betting operators often combine retail and online services within integrated customer accounts. While the commercial objective may be similar across different businesses, the technical implementation can differ considerably. Different wallet structures, identity management systems and software platforms may all influence how customer activity is processed before reaching central monitoring systems. Again, the publicly available documentation does not permit conclusions on these matters, but it illustrates why apparently similar customer journeys may not always be technically identical.

The reports also encourage reflection on testing methodology itself. How many customer journeys are sufficient to evaluate a regulatory safeguard operating across an entire national market? Should testing concentrate on random sampling or focus on particular customer behaviours that present higher regulatory risk? How frequently should such exercises be repeated as software platforms continue to evolve? These are questions of regulatory strategy rather than operator conduct, yet they may ultimately prove just as important for the long-term effectiveness of the German gambling framework.

Taken together, these unanswered questions reinforce the broader theme emerging throughout this article. The mystery shopper programme is perhaps most valuable not because it claims to provide final answers, but because it identifies areas where additional examination, technical analysis and regulatory dialogue may be beneficial. In a sector that increasingly depends on interconnected digital systems, asking the right questions is often the first step towards understanding how those systems perform in practice.

What role should the GGL play?

The questions arising from the mystery shopper programme naturally lead to the role of the regulator. Whenever practical testing produces observations that differ from expectations, attention inevitably turns towards the supervisory authority responsible for assessing whether further examination is appropriate. In Germany, that responsibility lies with the GGL.

It is important to recognise the distinction between regulatory oversight and technical operation. The GGL does not develop every software platform used by licensed operators, nor does it control every individual technical process occurring within retail shops, payment systems or customer account infrastructures. Its role is fundamentally different. The regulator establishes supervisory expectations, monitors compliance with the legal framework and determines whether additional enquiries or investigations are required when questions arise.

This distinction becomes particularly important in highly technical environments. Modern regulatory supervision increasingly involves assessing how multiple independent systems interact rather than examining a single piece of software in isolation. A customer journey involving retail registration, cash deposits, online betting and central monitoring may involve several independent technical components operating simultaneously. Even where each individual component functions as intended, regulators may still wish to understand how the complete process performs under real-world conditions.

The mystery shopper programme therefore illustrates one of the broader challenges facing every modern regulator. Supervisory authorities must assess not only whether legal obligations exist but also whether those obligations are being implemented consistently across a diverse and evolving technical landscape. This requires different forms of expertise from those traditionally associated with regulatory supervision. Legal analysis remains essential, but it increasingly sits alongside data analysis, systems testing and technical assessment.

For that reason, practical testing should not necessarily be viewed as a criticism of the regulatory framework. On the contrary, it can be understood as one of the tools that helps regulators evaluate whether complex systems continue to achieve the objectives established by legislation. Where testing raises questions, those questions provide an opportunity for further analysis rather than immediate conclusions.

The growing importance of technical supervision

One broader lesson emerging from the mystery shopper documentation is that gambling regulation has become increasingly dependent upon technology. Legislative provisions establish the legal framework, but the practical application of many player protection measures now depends upon software operating correctly under countless different customer scenarios.

This represents a significant evolution from traditional regulatory models. Historically, compliance often centred on policies, procedures and operational controls that could be examined through documentation and physical inspections. While these elements remain important, they now coexist with digital infrastructures that process vast quantities of customer information every second. Supervising such environments requires different methodologies and, in many cases, different expertise.

The reports considered throughout this article demonstrate why this matters. The customer journeys described involve a sequence of technical events occurring within relatively short periods. Registration data must be processed. Account information must be synchronised. Deposits must be recorded. Customer activity must be monitored. Each individual step may function correctly while the interaction between those steps still merits closer examination. Understanding these interactions is becoming an increasingly important aspect of effective regulation.

This trend extends well beyond Germany. Financial regulation, payment services, telecommunications and other heavily regulated industries face comparable challenges as technology becomes more deeply integrated into regulatory compliance. Supervisory authorities are increasingly required to assess not only whether legal obligations exist but also whether the underlying technological infrastructure delivers those obligations consistently in practice.

For gambling regulation, this development may prove particularly significant. As retail and online environments continue to converge, the distinction between traditional operational supervision and technical systems supervision is likely to become less pronounced. Future regulatory effectiveness may depend as much on the ability to understand interconnected digital infrastructures as on the interpretation of legislative provisions themselves.

Our final thoughts

The mystery shopper programme examined in this article does not provide definitive answers regarding the operation of Germany's regulatory framework. Nor does it establish that any particular operator complied with or failed to comply with the requirements of the Glücksspielstaatsvertrag 2021. Such determinations remain matters for the competent authorities based upon their own investigative processes and access to information that extends far beyond the publicly available documentation.

What the reports do provide is something arguably just as valuable. They offer a series of carefully documented customer journeys illustrating how modern gambling regulation functions under practical conditions. Some observations reportedly aligned with the expectations of the testers. Others prompted further questions. Together, these contrasting outcomes highlight the complexity of supervising a market in which legal obligations are increasingly implemented through interconnected technical systems rather than isolated operational processes.

Perhaps the most significant lesson is that consistency deserves as much attention as individual observations. A regulatory framework should ideally produce predictable outcomes when comparable customer journeys occur under comparable conditions. Where differences emerge, understanding the reasons becomes more important than assigning immediate responsibility. In many respects, this is the central challenge facing modern technical regulation across numerous industries.

The mystery shopper exercise therefore contributes to a broader discussion about regulatory methodology rather than simply operator conduct. It encourages reflection on how practical testing should be designed, how technical safeguards should be evaluated and how regulators can continue to demonstrate public confidence in increasingly sophisticated supervisory systems. Those questions are likely to remain relevant long after the specific customer journeys examined in this article have passed into history.

In the next article in this series, we will move from customer journeys to another aspect of the mystery shopper documentation that has received comparatively little public attention. The reports also examined the operation of cross-operator monthly deposit limits and recorded several observations concerning how those limits reportedly functioned during practical testing. As with the customer journeys discussed here, the objective will not be to draw conclusions regarding compliance but to examine the broader regulatory questions that these observations may raise within Germany's evolving gambling framework.

FAQs

What is a mystery shopper programme in the gambling industry?
A mystery shopper programme involves testers using gambling services like ordinary customers to observe how regulatory safeguards and customer processes work in real-world conditions.

Why were mystery shopper tests conducted in Germany?
The tests aimed to evaluate how licensed operators implemented player protection measures under Germany's Gambling State Treaty 2021 during actual customer journeys.

Which betting operators were discussed in the article?
The article examines reported customer journeys involving Tipico, Tipwin, Sportwetten.de and Tiptorro.

Did the mystery shopper reports prove regulatory breaches?
No. The reports documented observations made during testing but did not determine whether any operator complied with or breached regulatory requirements.

What role does LUGAS play in Germany's gambling market?
LUGAS is a central technical system designed to support player protection and regulatory monitoring across licensed gambling operators.

Why did similar customer journeys produce different outcomes?
The article explains that differences may result from technical implementation, account structures, timing, system interactions or other operational variables rather than regulatory failures.

Who is responsible for investigating the reported findings?
The Joint Gambling Authority of the Federal States (GGL) is responsible for supervisory assessments and any regulatory investigations.

Why is repeatability important in mystery shopper testing?
Repeated testing helps regulators determine whether an observation represents an isolated event or a consistent pattern requiring further investigation.

How does mystery shopper testing benefit gambling regulation?
It provides insight into how technical safeguards perform during genuine customer experiences rather than relying only on documentation or technical specifications.

What is the main conclusion of the article?
The article concludes that consistent testing and technical supervision are essential for understanding how complex regulatory systems perform in practice.