Compliance Corner with Alex Henderson: Issue 2 – The Power Of Known Unknowns
In his latest reveal, iGamingFuture columnist Alex Henderson discusses the importance of Compliance, Known Unknowns, the Power of Mock Audits – and how to stay abreast, if not ahead, of the Regulatory Game.
I do not believe there is a right or wrong approach to embedding compliance within an organisation. There are, however, some best practice steps that most compliance officers find effective.
A blueprint for compliance looks different within each business, and for every compliance officer who designs one.
As I mentioned in my previous article, I believe two important steps are essential. And for any compliance function that does not have these implemented, they should be considered – especially within the iGaming industry.
Firstly, I want to focus on mock audits. Consider this your compliance health check, essential to making sure your organisation’s compliance function is effective and fit-for-purpose. Everyone knows it’s sensible to have one’s car regularly serviced – and to keep it up to date with its MOT, so that it does not break down on you. The only difference here is that instead of a breakdown and a call-out to the AA, your firm ends up paying a few million in fines and suffering severe reputational damage that can seriously impact both company and key stakeholders.
So the big question is: Why wait?
I think most entities would agree that there are very few things in our industry more daunting than a pending compliance assessment from a regulator, or FIU. It can put the entire business on edge and you can smell the tension. But the key thing to remember here is: “the more you take part in audits, the less stressful they become”. Practising for these audits can really help with relaxing the team members who will be involved. It also allows those involved in governance to be aware of where the risks are and provide resources and support where needed.
I believe the reason we dread external audits is the “fear of the unknown”: a deep-seated worry that there is something a regulator might find that we ourselves are not even aware exists. In some cases, as many of us know, regulators will keep digging and digging until they find something to use against an operator, so why give them the luxury of making it easy? Force the regulators to get out the excavators and search for something that you have already discovered and remedied. Key word being remedied – not to be mistaken for hidden. It’s only natural that all of us want to discover our weaknesses, failings, even our unintended breaches. Far better for us to beat the regulator to the draw and simultaneously demonstrate what has been done to rectify the situation.
Such a course of action is not bullet-proof.
Regulatory assessments have the ability to catch out the best of operations. But preparing yourself in the form of mock audits is certainly a good way to give yourself an extra layer of protection and assurance.
For me, regular auto health-checks and mock audits are not only beneficial from an assessment perspective. They also serve a greater purpose for the business than simply preparing for an audit.
During regular mock audits, you will uncover many areas where upgrades can be made across the business; from improving the customer journey, to reviewing historical decisions and gauging levels of potential risk. By conducting a self-assessment, you are inviting criticism. And this is something that many compliance departments are not open to.
I liken it to asking family or close friends their candid opinion on important personal issues. I may not like the response. But it enables me to “fix” potential problems before they become unmanageable.
It’s the same when conducting a compliance mock audit. The entire team has a platform to critique a process, question why a decision was made on an account – and, crucially, make suggestions for improvement. I am confident that without regular mock audits, we would not have made half the progress that has been made in the past few years. The same can be said for every organisation I have been part of.
The Power of Mock Audits
So what should a mock audit consist of? This should be based on several factors:
Which regulations are you subject to? For example, UK Gambling Commission, KSA or looking deeper at the complexities of GDPR.
Have you been subject to a previous regulatory assessment, and, if so, what were the findings?
If you fell short on an area before, this has to be a sector for which you can show improvement and clear compliance within the regulatory framework.
Where have other operators fallen short?
And finally, live testing of controls!
You can choose to conduct these yourselves, or have the assistance of a third party. There are pros and cons for both. Going external brings the added benefit of having little-to-no previous knowledge of the operation and effectively starting with a blank page. It also brings an objective eye to proceedings, which allows for an in-depth, critical analysis of weaknesses – in contrast to internal reviews, which have a higher probability of being subjective. One great plus of keeping it internal, however, is that it saves on costs and provides a great opportunity for all team members to be involved.
I can make a strong case for either pathway. Whichever road you travel, as long as you create a real opportunity to unearth weakness and build improvement, successful results will be your reward.
It is key to remember: Audits are not deterministic. If you prepare yourself adequately, and continuously seek to improve, you will have a winning outcome.