Internal controls 101: A checklist for online gaming companies

Orange highlighter checking off checklist
Image: Shutterstock

Odds On Compliance Director of Regulatory Affairs John Wellendorf has vast experience in risk management, compliance, and government relations in both the gaming and financial industries. He was Head of US Compliance at Tipico and Senior Compliance Officer at PointsBet, leading compliance efforts in new state launches, operational compliance, technical compliance, licensing, regulatory affairs, and government relations. He imparts some of his knowledge and experience with these tips for regulated online gaming companies in the US market.

As all industry veterans know, internal controls are vital to launching an online gaming operation in new jurisdictions. But the internal control drafting and implementation process should be seen as more than a tick box on the checklist to launch in the new jurisdiction. If appropriately implemented, internal controls can play a critical role in promoting accountability, transparency, and ethical behavior within an organization, ensuring that it operates in a manner that complies with relevant laws and regulations.

In addition to staying out of regulatory trouble, a stable internal control environment also prevents fraud and errors from occurring in trading and payments teams, helps ensure the accuracy and completeness of financial reporting, and can even increase operational efficiency by reducing redundancy within the organization. These high-level tips can greatly improve the internal control process for online gaming operators.

Tip 1: Use available information when drafting internal controls

There is no need to guess what a regulator looks for regarding an internal control submission. The requirements are almost always laid out in jurisdictional statutes, regulations, or through guidance published by the regulator. This information should be the baseline for all internal control submissions. For jurisdictions that require a singular internal control submission that documents compliance with all laws and regulations, you can use each published requirement as a “chapter” in your submission.

Tip 2: Horizontally integrate compliance across your organization

Horizontal integration of compliance means ensuring compliance requirements are embedded and integrated into every aspect of an organization’s operations, processes, and functions. By horizontally integrating compliance across an entire organization, compliance becomes a part of the organization’s DNA, all employees understand their role in maintaining compliance, and they take ownership of the outcome. For example, compliance should work with finance to understand how taxes should be reported and remitted in a jurisdiction. If either compliance or finance works independently on the task without communicating, mistakes are more likely to occur. This is similar in trading departments. Compliance should work with trading to ensure a process is in place as to what markets and wager types can be offered, which cannot, and how to get approval from the regulator for new sports or bet types. Building a culture of trust between operational departments and compliance leads to more regulatory certainty.

Tip 3: Take a segregation of duties and internal control seriously

Segregation of duties is essential for regulated companies because it helps prevent fraud, errors, and other financial irregularities and ensures every individual knows their role in a regulated process. Separating essential duties within a company ensures that no individual has too much control over a specific process, which reduces the risk of errors, omissions, and other irregularities. Using tech releases as an example, create a documented change process where particular individuals are responsible for 1) coding, 2) merging code, 3) QA testing, 4) overall signoff of a release package, 5) regulatory approval of a release, and 6) pushing the release to production. This will result in a more efficient and specialized use of the employee’s time as the expectation of each participant’s outcome is clear.

Tip 4: Continuously review internal control processes

What worked for an organization when it entered a new jurisdiction might only work for a while. Internal control processes should be reviewed periodically to ensure they remain effective in the current business environment. As businesses grow and evolve, processes and procedures may become outdated or no longer applicable, leading to inefficiencies or control weaknesses. Laws and regulations are subject to change, and it is essential to ensure that internal control processes are updated accordingly. Failure to comply with new regulations can lead to financial penalties, legal liabilities, and reputational damage. Reviewing internal control processes can help to identify potential risks and control weaknesses that may have gone unnoticed. Finally, reviewing internal control processes reinforces the importance of accountability and ensures that individuals responsible for key processes are aware of their responsibilities.

In summary, implementing strong internal controls is not only a requirement for launching an online gaming operation in new jurisdictions but is also critical for promoting accountability, transparency, and ethical behavior within an organization. By using available information, horizontally integrating compliance, taking segregation of duties seriously, and continuously reviewing internal control processes, online gaming companies can ensure that they comply with relevant laws and regulations, prevent fraud and errors, ensure accurate financial reporting, and increase operational efficiency. Internal controls should be seen as an ongoing process. Online gaming companies need to take internal controls seriously to maintain regulatory compliance, protect their reputation, and achieve long-term success in the industry.