After recently working with a clutch of different operators and businesses within the gaming industry and financial services, I can safely say that Regulatory Audits–aka Compliance Assessments–have evolved in the past 12 months. And not always for the better.
I don’t necessarily see this as a negative. But as regulators fail to share good practice, I think it’s apposite to table The Good, The Bad and The Ugly gleaned from my work.
The Good:
Regulators, such as the UK Gambling Commission, MGA and the FIAU, are more communicative in the build-up to, and throughout, their assessments.
This means that as an operator you are far more aware of the focus in the assessment, and there is more open dialogue. They go out of their way to make you feel at ease and ensure that you know the assessments are not a witch hunt.
There is a bit more consistency across regulators, meaning that, although the regulations vary and with that so will your risk appetites, the actual format and areas of assessment are similar.
Of course some regulators will not focus on or even mention Safer Gambling, Marketing or Data Security. Others will, however, focus heavily on these areas of compliance.
The consistency is within the content. They want to see examples of compliance and procedural adherence to regulations and legislation. The questions being asked will be similar.
A huge positive is the assessment of, and discussions with, key members of staff: those in a position of governance, MLRO and key positions such as employees in charge of Technical Security and marketing.
The experts in these areas can demonstrate their competence and provide clear understanding and compliance from the business.
Of course, if you do not have competent and qualified persons holding these positions, there is a risk that this positive point can backfire.
So it’s a must that you run a check on all key positions and give yourselves the comfort of adhering to the expected standards.
Another positive is the condensed assessments.
FCA assessments can now be done over just a few weeks, and gaming regulators typically split their assessments over 4-8 days over a number of weeks. This allows business to continue during the assessment period and minimises disruption.
Audits, by their nature, can be highly stressful. So getting away from the audit environment each week can really help with the mental-health side of things.
The Bad:
The time involved in preparing for and working through a compliance assessment is huge. It requires heavy lifting from everyone involved to gather data, review the information and prepare for the lines of questioning you might face.
Working late into the evening is to be expected, as veterans know, but it’s important to prepare one’s junior colleagues for the potential impact.
Many auditors appear to have a set script and checklist, and it can be frustrating when faced with this blinkered approach and lack of flexibility.
A checklist approach can also have the negative impact of failing to identify good practice and positive input from staff, because tunnel vision dominates.
Operators and financial institutions need to invest in training and development so that all their employees–seniors as well as juniors–can demonstrate their competence.
And The Ugly:
Don’t be fooled when regulators post an intro call and attempt to put you at ease.
This is a classic technique designed to catch you off guard. So stay alert and stay on point!
Often the level of competence and even professionalism of those conducting the assessments is not great.
And there are many examples of regulators not fully understanding, or even knowing, the full range of compliance law they have been tasked to enforce.
Sometimes regulators get it wrong. They cite incorrect regulations, or expect a business to comply with their incorrect interpretation of the law.
The challenges of righting such a scenario are obvious.
Conclusion:
In many ways regulatory assessments have changed for the better.
But I would love to see more assessors who have operational experience. In this way their questions and assessment would be far more effective.
Regulatory assessment needs to be more transparent from the off, right from the release of updated guidance and regulations.
It is not realistic to continuously hold operators to an undefined standard.
As an industry, we should expect more from our regulators and hold them to the same standards to which they hold operators.
It’s a perennial conundrum: Who watches the watchmen?