Regulation

Promoted feature: Advice on entering locally regulated markets

Vlad Hveckovics of SoftGamings provides a range of advice for entry into various locally regulated markets

Over the last five years, there has been a significant increase in the number of new local licences introduced by countries all around the world. As a game content aggregator and platform provider, we need to ensure that our software solution is fully compliant and ready to be used when our clients decide to start their operations in any of the new jurisdictions. In recent years, we have amassed substantial experience in helping our clients enter locally regulated markets, and we would like to share some of the findings.

Secret to success – a dedicated project manager

Entering a newly regulated market is a daunting task, especially when you are unsure who should lead the effort. Usually, entering a new market requires both legal and IT expertise, and rarely can you find both in a single person. Likely, your IT will not understand legal/administrative/operational requirements, and your legal team will not feel competent in getting the IT requirements right.

The best option is to dedicate a project manager who has a strong background in technology and does not shy away from reading long requirements. If you already have someone with similar experience, then you’re all set. If you do not have such a person, a senior project manager from your PMO or product development might be a good choice.

Do not think that your platform provider will cover everything for you, as there are many things that fall outside of the platform’s scope. Having a project manager who can keep every party in check will help smooth out the process by a lot.

Regulatory requirements – an enigma

When a new jurisdiction decides to regulate the igaming market, they will prepare a regulation listing the requirements that operators need to fulfil. Such new regulations are usually open to interpretation and raise many questions; they are not usually provided as detailed technical specifications. Further to that, a regulator will usually not have its own IT personnel in-house, so it will often rely on third-party testing labs to fill the gaps.

So, the first thing that we do is read the regulations carefully and discuss any vague or unclear requirements with the regulator. And if/when the regulator tells us to take it up with the testing lab, we need to select the right partner for the process. The good thing is that there are few global testing labs, and they usually are on the short-lists of most regulators. This means you’ve probably worked with them before (even if it’s a different geographic team, it still helps when you have some successful projects with them under your belt).

Once we understand the requirements better, we create a gaps analysis document, listing things that we need to add or modify in our system to pass the certification process successfully. If it’s a jurisdiction that we feel has a great potential for our business, we may even waive the fees to our clients, keeping the project costs down for them.

B2B vs B2C licensing, licensing versus certification

There are basically three types of parties needed to launch a successful casino: an operator, a platform, game and payment providers. The operator almost always has to be licensed. Often, the operator will need to create a Special Purpose Company in the jurisdiction; this makes it easier for the regulator to assess and request payment of taxes, check the financial information, etc. Often an operator does not even have a choice – only a local company can get a licence.

The longest part of the process of getting an operator licence is the due diligence process – usually, your lawyers need to provide a lot of documentation on the ultimate beneficiaries of the company and notarised copies of the supporting documents.

Game providers often need to be licensed (or at least certified), as local regulations will usually require some adjustments to the games, such as a maximum bet or maximum exposure of a slot, some rules on responsible gaming, and so on.

A platform is often certified in the scope of the operator’s licensing. Often, there is no special B2B licensing for a platform. The platform needs to fully match the requirements of the regulations, but the responsibility will lie on the operator to ensure that. However, many jurisdictions also either license or register trusted third parties, mostly platform providers, but often also KYC and due diligence providers, payment systems, and so on.

Some examples from our experience: the UK and Malta have B2B licensing for platforms, Belgium and Latvia do not, and jurisdictions like Tennessee in the US have registration for platform providers, which is a cheaper and faster process than getting an operator’s licence.

Hidden costs

It’s easy to understand the costs of a licence; usually, it’s a percentage of GGR and an annual fixed fee. We haven’t seen any cases of VAT being imposed on igaming services, but in the case of the EU, you might find that you will not be able to get back input VAT because you sell a non-VAT service. This can have a negative impact on your bottom line.

There might be requirements that might lead to substantial expenses; for example, a regulator can request all software to be hosted within the jurisdiction. As one consultant once told us: “Regulators love to be able to send in police and arrest the servers if something really bad happens.” As usual, you are sharing the costs of servers with other operators on the platform; you might find that the platform will require you to foot the bill if they do not yet have infrastructure there.

Another hidden cost is in the recertification of software. As it is customary to have monthly, weekly or even daily updates to a modern platform, some jurisdictions do not allow a new release to be used unless it is recertified. This recertification process usually takes substantial time and requires a payment of a recertification fee to the test labs and often requires approval from the regulator as well. This might mean that you won’t be able to introduce new functionality easily, and you might think twice before introducing something that is not really important.

A jurisdiction might specify particular due diligence suppliers to be used, and those will often charge you annual and per-check fees. This is quite important for the US, as you need to ensure not only that your players come from the US but also that they are resident of a particular state, which is not that trivial a process.

A jurisdiction can require you to hire local personnel, which also needs to be taken into account when calculating your budget. This goes on top of other local fees, like office rent, accounting, local lawyers, and so on. You might also need to create a business plan, which might need to be outsourced if you have no experience doing them.

You can also be required to get ISO 27001 certification prior to receiving your licence, which is something to keep in mind when thinking of timelines. Also, you might be required to submit your solution for a vulnerability test (usually black-box hacking simulation); this can be done either as a part of the certification or separately.

Finally, in new jurisdictions, you should expect additional requirements to come quite often (we have seen some jurisdictions change their regulations at least quarterly). This requires work both on the operator’s and platform’s side, and the platform may need to charge you for such additional development, especially if there is a strict and challenging deadline for the implementation.

New functionality

From our experience, the specific functionality that the regulator will require will usually lie in these areas:

  1. Responsible gaming
  2. KYC and due diligence
  3. Reports to the regulator
  4. Personal data protection
  5. IT security and separation of duties.

Responsible gaming will usually require some sort of blocks/warnings to the players, the ability to self-exclude, and so on. In our experience, once you’ve developed requirements for three to four jurisdictions, you have covered most of the requirements, and you will most likely need to make just minor adjustments to the existing functionality.

KYC and due diligence usually are quite specific to the particular jurisdiction, but often require simple changes to the software or integration with some external provider. Some jurisdictions might require you to integrate the country-wide exclusion database to prevent people with gambling problems from accessing your site.

Reports to the regulators are the field with the widest and the wildest differences. Some regulators require real-time per-bet access; some will need you to send data dumps at specified periods; others will require you to develop an API so they can access the data as much as they like whenever they need it. The data in reports can also be very varied. Some regulators just want basic information; others might need almost an entire warehouse amount of data, with many different facets of the information required.

IT security usually does not give you surprises, but sometimes it does. We haven’t yet seen any vetoes on particular technologies used, but we have seen some requirements that usually cannot be feasibly implemented using specific software, which can be a significant setback. Standard requirements of encryption, best practices for storing sensitive data, backup policies, storing raw data for a number of years at an off-site storage facility are usually required, but again, do not give you trouble, as they should already be implemented anyhow.

After go-live

Once you have received the licence and start operating, you should have your country manager keep an eye on any developments and have an open communication channel with the regulator to ensure that you do not miss any additional requirements or clarifications.

One area that is understandably very sensitive to the regulators is preventing access to gambling by minors. We have seen much stricter requirements being imposed by regulators around the world there. What was sufficient several years ago is now considered inadequate.

Even if the process seems daunting, we can assure you that it gets easier with experience. Once you have your project managers and legal teams more experienced in the area, entering the next market becomes much less stressful and more streamlined. With local regulation becoming so popular, we think operators that invest in building this expertise will find themselves at the forefront of the industry in many lucrative jurisdictions.

Vlad Hveckovics, Softgamings

Vladislavs Hveckovics is a gaming systems integrator, casino back-office software developer and the CIO and co-founder at SoftGamings, a B2B igaming software company founded in 2008. SoftGamings offers online casino platform solutions, including development of white label, turnkey and self-service casinos and advanced bonus and loyalty engines.

Licensing | Regulation | Responsible gambling

Latest