Where does compliance sit within a gaming company?

Compliance was definitely simpler before 2010. Prior to that time, a gaming operator would do its best to be compliant with one gaming law, while providing its gaming services throughout the EU on the merits of holding one licence issued in an EEA country, which at that time was either a licence from Malta, the UK or Gibraltar. Having only one set of compliance requirements to follow meant that every part of the ‘design-to-supply’ cycle was straightforward. Then came the Santa Casa vs Bwin ECJ case, and everything changed.

Today, we have a situation of national authorisation regimes across the EEA, which bar a couple of jurisdictions, means that a B2C operator needs to be authorised by every EEA jurisdiction it wants to target. The complexity a multi-jurisdictional licensing situation brought with it is not only limited to the licence application process, but has serious ramifications across the technology stack, design, information security, finance, operations and legal. Game design, certification, back-office functionality and in-built player protection measures vary across jurisdictions, making compliance the most complicated function.

Traditionally, most gaming companies placed compliance as a subset of the legal department. However, over the past five years, one of the questions posed to me by clients is whether the compliance function should be a function in its own right, or whether it should be part of the operations department. In truth, there isn’t an unequivocal structure to adopt, as each company structure needs to be considered individually.

Access to all areas

If an operation develops its own games, then compliance needs to be involved during the game design stage and would need to be part of the games testing phase. If marketing is developing a customer-retention scheme, compliance needs to ensure RG rules are followed. When a website or app team are redesigning the look and feel of the public interface, compliance needs to ensure those changes do not compromise the licence’s good standing. When the infrastructure team make changes (even minor ones) to the architecture, compliance needs to be involved, as what may seem to be a simple architecture change may need to be notified to multiple regulators. All of the above situations make it difficult to determine where the compliance function should ideally be placed in a company structure. Here are some tips which may answer the question posed:

• Consider becoming matrix-based: Small outfits should consider matrix instead of vertical structures to ensure compliance and other elements of the gaming operation work as cross-functional teams.
• Build bridges between compliance and the rest of the organisation: Larger operations may consider having a central compliance function, while also having a compliance ‘ambassador’ within each function that acts as a liaison officer between production, operations and compliance.
• Simplify complexity: For those operations licensed in more than three jurisdictions, consider having an in-house compliance implementation team, while being supported by outsourced compliance specialists per jurisdiction, that ensure the company is up to date on compliance developments.
• Consider using team collaborative solutions: Consider using tools that allow doc­ument team editing, task tracking and functional task approvals to run projects that involve compliance matters across operations, legal, finance and technology.

Reuben Portanier is a partner at the regulatory and gaming advisory firm, Afilexion Alliance, which forms part of the GTG Advocates group. He is an IMGL member, former CEO of the Malta Gaming Authority and former board trustee on the International Association of Gaming Regulators.