Under the recently enacted Gaming Act, Licensees that have been authorised by the Malta Gaming Authority are required to undergo a periodic audit to ensure appropriate levels of compliance with the Act. Auditors are also expected to carry out additional tests to ascertain whether the Licensed entity is in line with other regulations including inter alia the Companies Act, the Prevention of Money Laundering Act, and regulations governing Player Protection, Gaming Tax, and Gaming License Fees.
The Compliance Audit will be undertaken on all licensed operators periodically and it can also be requested on behalf of the Authority at any time during the license period. The Authority has the right to demand that any authorised person or licensee undergo the Compliance Audit process on a regular or ad hoc basis, but the audit must be carried out by an auditor such as BDO Malta that is authorised to do so.
Content of the Compliance Audit
The Compliance Audit consists of seven different sections, each containing a number of additional sections that need to be addressed and satisfied in order to pass the audit. They include the following:
Standing information - This must include Entity Changes, the checking of Licensee information, and an analysis of previous findings and follow-up action that should have been taken.
Human Resources - A copy of all HR roles and responsibilities to ensure that the MGA has the most up-to-date version, and the noting and highlighting of any discrepancies. Checks will also be made on the corporate group chart including parent entities, and whether the Group is offering services to other operators licensed by the MGA and therefore requires a B2B license. Key Persons will also be scrutinised including their duties, their qualifications, whether they are actually undertaking the role, and ensuring that all Key Functions are correctly assigned.
Financial Analysis - All player funds must be covered by declarations and it must be confirmed that the Licensee has the necessary liquidity to fulfil the player funds. Checks will also be made on Gaming Tax, License and Compliance Contributions, Audited Financial Statements, accounting software, the business plan, and any financial procedures and processes.
IT - The System Access Control Policy will be reviewed along with the Licensees compliance with it. In addition to this, audit trails, system access requests, the Information Security policy, protection of equipment, disciplinary actions, and the incident response policy will also come under scrutiny. Third party business partners that are involved in outsourced agreements must be investigated, as will suppliers, vendors, and the outsourcing policy. Checks will also be made to the backup procedure and the business continuity and disaster recovery procedures.
Gaming Operation - The User Management Policy, all matters pertaining to the Random Number Generator, gaming procedures, back-office (for B2Cs and B2Bs offering back-office to B2Cs) information, gaming transactions, remote access, and credit card processes will be analysed in detail.
B2C Checks - Players complaints, complaint procedures, and complaint responses will all be evaluated, as will commercial communications such as advertising and marketing. Websites and apps will have to comply with all provisions made under the Act, as will Terms and Conditions, responsible gaming pages, games’ rules and players’ accounts. Player protection is also considered within this section as is the protection of minors and vulnerable people. Checks are also made on Type 2, Type 2 and Type 4 games, as well as KYC and AML procedures.
B2B Checks - All of the Licensee’s websites are checked for compliance as well as any standing service agreements with BC2 Operators who are not licensed by the MGA but that are consuming services offered by the licensee.
Compliance Audit Procedure
The Compliance Audit procedure is of course highly technical and can only be carried out by an entity with the relevant knowledge, experience, and approval to do so.
The procedure to carry out the Compliance Audit is defined by the MGA and is as follows:
- The Authority must be notified of the appointment of an auditor by the Service Provider;
- A statement must be submitted by the auditor to state that it, along with any affiliated entities and employees are free from any actual or possible conflict of interest. A conflict of interest can extend to consultants, assistance in application processes, bookkeeping, accounting, internal audit services, or implementation of systems provided to the License by the Service Provider.
- An Authorisation to Release Information form must be submitted by the Licensee.
- The time frame of the Compliance Audit must be confirmed.
- The Compliance Audit must be carried out by the auditor.
- The Compliance Audit report must be submitted to the MGA.
BDO Malta are authorised by the Malta Gaming Authority to undertake Compliance Audits on behalf of Licensee’s. We also carry out mock audits to help Licensees to prepare for an upcoming compliance audit.
To find out more about the process, or to get the ball rolling, contact a member of our team today.