What to Expect during Regulatory Visits

By Kirsty Knight, Senior Compliance Manager & Operations Manager (AML Services)

If you are an entity that holds an Isle of Man Gambling Supervision Commission (“GSC”) licence under the Online Gambling Regulation Act 2001 (“OGRA”), you will be subject to a regulatory compliance visit or assessment.

Typically, a regulatory compliance visit or assessment will commence within the first 6-12 months of the licensed operation “going live” and then for standard risk operators, within 18 months of the previous visit. This is something that can often feel daunting with some operators unclear as to what is expected from them and as to the process and steps undertaken by the GSC throughout this review. In this blog, we will walk you through the rationale for these visits and what to expect before, during and after.

Why do we need a regulatory assessment? 

The gaming sector on the Isle of Man is regulated by the GSC. The GSC’s core principles in regulating the gambling industry are to keep the industry crime free, protect the young and those at risk, and to ensure that services offered are fair.

To ensure its licence holders are upkeeping the core principles, and in turn, the reputation and trust within the industry, the GSC is empowered by law to supervise licence holders’ compliance across core regulatory areas such as anti-money laundering and terrorist financing (amongst others).

In accordance with both the Financial Action Task Force (“FATF”) recommendations and the GSC’s own legislation and guidance, the GSC have adopted a risk-based approach to supervision. This approach enables the GSC to allocate resource as to the frequency and scope of assessments and compliance reviews on licence holders.

Types of visits

• Self-Assessments

The GSC issues two different kinds of self-assessments to operators - a general compliance assessment and an AML assessment. Each self-assessment identifies the regulatory requirement and its source, and then requires the licence holder to self-assess its own processes, policies and procedures to determine whether it is considered as met, partially met or not met. In addition, licence holders are expected to provide an explanation and supporting evidence to their evaluation.

The self-assessments and supporting information/evidence are then reviewed by the GSC and may be referred to when an on-site inspection is conducted at a later date. There is also the potential that between the self-assessment submission and the face to face visit the documentation submitted will be scrutinised and actions raised with given timeframes to be completed.

• Onsite visits

There are two different types of onsite visits - one focuses on general compliance and the other on AML/CFT. These can take place concurrently, or within separate visits (dependant upon the GSC’s requirements and requests). The onsite visit allows for checks to be undertaken into the details provided in previous self-assessments and policies and procedures.

Time given to prepare

In general, the GSC will provide a 4-week notice period of any suggested visit date and seek to arrange a mutually convenient time for the visit. This gives any off-Island directors and the Money Laundering Reporting Officer (“MLRO”) the opportunity to attend in person on the Island and is something that the GSC would expect.

What happens once the date has been agreed?

Once a date has been confirmed, a pre-visit letter will be issued along with the requirements of what information and supporting evidence should be provided to the GSC before the visit and by when. This is now the time to set your wheels into motion as there will be a list of documents and information required to be provided prior to the visit. My top tips would be: 

• Book your meeting room - sounds simple but it is an easy one to forget!
• Undertake and review your player dip sample in advance of onward submission to the regulator – this will enable you to dip sample and test the effectiveness of your policies and procedures.
• Review all policies and procedures to ensure they are accurate and up-to-date
• Set up a “mock audit” with all attendees so as to manage expectations for the format of the visit.
  
  

The day of the visit

The GSC will go through the self-assessment and cover areas such as:

• Quarterly returns
• General overview of the business
• Business Continuity Plan
• How you consider your business model may be abused by criminals
• Compliance culture at Board level

If the visit is pertaining to AML, you will be questioned on the following areas:

• The MLRO will be tested on the role of the MLRO, checking whether they are sufficiently resourced and how they keep their knowledge up to date.
• The risk-based approach
• Code requirements i.e., Customer Due Diligence, Enhanced Due Diligence, Source of Funds and Source of Wealth, Politically Exposed Persons, and Sanctions.
• Record keeping and registers.

Additionally, you will be asked to show how the systems work, navigate through any back-office systems, and take the GSC through some examples of players. This can include reports on customers who have exceeded qualifying payment thresholds, examples of when CDD has been declined and examples where enhanced due diligence has been requested.

The attendees

In attendance on the day, there should be at least one director and the Designated Official/Operations Manager. If the visit is pertaining to AML, then the MLRO should also attend or their Deputy and the AML/CFT Compliance Officer. It may also be worthwhile having someone to take notes during the day to refer to for future reference and key learnings for future visits.

Feedback after the visit

A draft report will be sent out shortly after the visit. This will include:

• The topics covered
• An overview of the responses given
• Observations of the GSC
• Any areas noted as deficient and actions required to address the deficiencies.

The report utilises a “traffic light” system to highlight areas which they consider to be “satisfactory” (green), “minor” (amber) and “major” (red). They will detail examples of where issues were found either in the policies and procedures or in the dip sample of players.

Licence holders are given the opportunity to provide comment on the draft report (only to the extent of the factual accuracy of the report), and a final report will then be issued.

Where there has been a positive outcome of the visit there may be only areas of improvement recommended. If there are multiple areas to improve upon it may be suggested that a remediation plan is put in place. This should include the following stages: -

• Assess the feedback in a pragmatic manner and take it as an opportunity to improve.
• Prioritise the areas where deficiencies have been identified from highest priority down through to best practice improvements.
• Engage with all stakeholders to agree realistic timeframes for changes.
• Arrange board meetings to ensure the board are appraised of the remediation plan and progress as well as updated policies and procedures being approved in a timely manner.
• Ensure version controls are updated and a version control table is updated to evidence all changes made.
  
  

The GSC may ask for progress updates throughout the period of remediation and meet with you at the end of the remediation work to ensure that they are happy that all areas of concern have been addressed. However, this will not result in a revised report as the findings are conclusive. The regulator may come back and do a follow up visit or request to see updated documents and issue a further report. However, it should not be underestimated the potential of a poor visit where systematic deficiencies are identified or your own policies and procedures are not being adhered to. For the sake of completeness, we have listed below the potential consequences of a poor visit:

Licence Condition

• A licence could be suspended or revoked.
• A restriction could be placed on all or part of the business operations.
• The licence conditions initially granted could be added or amended
  
  

Directions

• You could be issued with a civil penalty
• You could be directed to appoint a subject matter expert
• You could be directed NOT to appoint someone
• You could be advised that persons holding key functions are deemed “not fit and proper”
• Failure to comply with a written direction is an offence and you could be liable to a fine of up to £5,000 or to custody for a term not exceeding 6 months (or both)
  
  

Public Statements

The Commission may issue a public statement with respect to or setting out any direction that has been given to you due to the results of the regulatory visit. This is usually only undertaken when the regulator has cause to suspect that the direction has not been adhered to or the AML/CFT legislation has been breached and it is the opinion of the Commission that it is in the public interest to bring it to their attention.

Civil Penalties

If the Commission are satisfied that you have contravened any provision of the Act, you have failed in any respect to comply with AML/CFT legislation or you have given the Commission false, inaccurate, or misleading information regarding AML/CFT legislation then a civil penalty may be imposed.

Warning Notices

A warning notice could be issued to a person who is or has been a director, senior manager, or controller during a period where adverse findings were uncovered during a regulatory inspection.

What can I do now to best ensure a successful future regulatory visit?

Establishing good regulatory compliance cannot be achieved overnight, however, we have outlined a few tips below to consider that will contribute towards a successful regulatory assessment:

• Undertake a regular review of policies, procedures and compliance frameworks to ensure up-to-date and accurate.
• Undertake a player dip sample across various risk rated players to ensure alignment to compliance frameworks and to monitor associated effectiveness.
• Consider training records and ensure all staff have received appropriate training and this remains up to date.

Amber Gaming can support you with all or any of the above.

If you would like to speak to us about regulatory visits or are interested to know how else we can support you and your business, feel free to get in touch with us.