We use the plural in the title simply because today the remote gaming operator has to comply with, not only one regulatory regime, but various ones, especially where they hold other National licenses.

Compliance with various laws and regulations in the countries where they operate is essential to ensure that the operator protects one of its main assets, the license. Operators are also required to comply with various standards such as ISO:27001 and/or PCI DSS. Certain compliance matters can be handled in-house by the compliance officer or team whilst others need to be outsourced to competent service-providers as third party assurance is required, or in-house expertise on particular subjects is not available.

The operator has to potentially consider among other things: Licensing regulations, Taxes, VAT, AML/CFT, Data Protection, information security, employment laws, company law, and PCI DSS (where credit card data is stored, transmitted or processed).  No simple feat to accomplish!

The expected changes in the AML/CFT regulations will make online gaming operators obliged entities, creating new challenges for the operator. Changes to operating procedures and to gaming systems will, more likely than not, be required for the operator to become and remain compliant. Whilst most agree that pure money laundering occurring in the industry is not a real threat, the broader view of money laundering where proceeds of crime may be gambled on an online site, is a very real threat. Staff has to be trained and systems modified to identify unusual activity on an account. Staff must also know what actions to take and not take when they detect such suspicious activity. Annual reporting to the FIU would have to be carried out by the MLRO, and a comprehensive AML/CFT policy drawn up and maintained by the MLRO.

Data Protection changes could potentially have an effect on data retention policies of an operator and would require changes in systems and policies and procedures to ensure compliance at all times.

Changes to the VAT regulations on electronic services at the start of 2015 have created more confusion and uncertainty in the gaming industry due to the complexity and inconsistencies in the way VAT is being applied or not applied in various jurisdictions on gaming transactions. How to achieve compliance in this area is still being debated!

PCI DSS has launched a new Version 3.0 of its PCI Data Security Standard with effect from January 2014 and although the changes are not major, it is another matter for the operators who require certification to also take into consideration.

Various jurisdictions in the EU and world-wide are constantly implementing new laws about online gaming or changing existing ones, and someone has to be aware of what is going on in the EU and the world. Where can an operator freely sell his products, where can he definitely not enter the market, where can he get a license and what will it involve?

One thing for certain is that unless an operator has substantial resources they cannot even consider obtaining licenses in other jurisdictions, as coping with Maltese regulations and laws is already a costly and time consuming task, which is set to increase further due to the upcoming changes mentioned above.

Service providers are also required to keep up with the changing environment and compliance requirements and possibly clients expect them to keep them informed accordingly. As is expected most, if not all, service providers do not have the resources or skill sets to be experts in all matters discussed in this article. There are various possibilities, either striking partnerships with other providers who offer different skill sets, thus being able to provide a full service to their operators or the operator has to shop around for the right partner depending on the task required.

The remote gaming industry has developed to such an extent in Malta that the major players are known to everyone and operators know who to go to for: Tax/VAT issues, IT Audits, licensing matters, RNG certifications, employment, office and residential premises, payment processing, co-location and bandwidth, banks and other similar requirements. Companies have set up in Malta to provide services specifically for the gaming industry. This eco-system has developed well in the past 15 years and continues to evolve, as most healthy eco-systems tend to do.

The service provider should keep abreast with the changes going on, not only to continue to provide a quality service to its customers, but potentially to take the opportunity to create a new service line to satisfy more requirements of the gaming operators. Experience has shown us that if an operator can obtain quality services from one service provider, he will not shop around for other partners but stick to the one he knows and trusts.

One of the biggest problems for operators is that some services can only be provided by a supplier who holds the right accreditations/certifications, for example in the case of ISO:27001 audits, or PCI DSS certification, or RNG testing. The suppliers of such services, who also have gaming knowledge are globally limited in number, and in Malta even more so, making choices available very limited.

The service provider must stick to what he knows best, but that does not mean that there aren’t opportunities for new services, especially when these are based on the core competencies of the company and related to the services already provided. Previous knowledge and experience of staff,  for which there was no market previously could quite easily become a new service line designed to meet new compliance requirements.

Both operator and service provider are regularly being affected by the changes in regulations, legislation and standards and must be able to prepare for, and cope with the complex environments they work in. Financial institutions have been doing it for years and continue to do so and gaming operators will have to learn how to live, or rather survive, in a heavily regulated environment. The added problem for gaming operators is that whereas in the EU, there is consensus on financial institutions, the gaming industry remains without overall consensus and uncertainty continues to prevail. However, in those areas such as AML/CFT and Data Protection the regulations will definitely apply to the operators and they must now also strictly comply at all times in the various jurisdictions they operate. Hopefully, when the countries transpose the directives they do so in a consistent manner to reduce the burden of compliance. However, for the 4th AMLD this would greatly depend on the risk based approach taken and the results of the risk assessment of each member state. There are tough times ahead!

Kyte is an established service provider focusing on the gaming industry which provides PCI DSS certifications, ISO:27001 audits, System and Compliance Audits for the MGA, data protection services, AML/CFT training, IS Audits.

Prepared by Alan Alden, Director of Contact Advisory Services Ltd

Featured in Malta EGR Report - May 2015

© Contact Advisory Services Ltd 2008 - 2015