As the gaming industry matures and flourishes, outsourcing a whole host of services, from regulatory compliance to marketing, to third party service providers has become the norm, with the industry becoming increasingly interdependent on a host of B2B services accessible across the supply chain. The reasons behind this are numerous, including cost control and the acquisition of expertise which is not available in house. Also numerous are the risks, or possible risks, associated with such outsourcing including regulatory, operational and reputational risks.
In view of this, and of the incumbent Gaming Act (the “Act”), set to come into force in August of 2018, which looks to revolutionise Malta’s igaming legislative framework, the Malta Gaming Authority (the ”Authority” or ”MGA”) released a Policy on Outsourcing by Authorised Persons (the “Policy”), wherein the Authority outlines its concerns that the outsourcing of certain management and operational functions to third parties has the potential to present various risks to remote gaming operators, hereinafter referred to as ”authorised persons”.
With regard to the outsourced functions, a distinction has been made between what have been termed as “material” and “critical” supplies;
- “Material supply” means a gaming supply of such importance that any weakness or failure in its provision could have a significant impact on the operator’s i) ability to meet obligations under the Act and all applicable regulatory instruments; ii) to manage the risks related to such supply; or iii) to continue in business.
Examples include the provision of risk management services for the operation of a licensable game; provision of events, content and/or odds; holding and/or managing player funds and services relating to customer due diligence amongst others.
- “Critical supply” means a material supply which is i) indispensable in determining the outcome of a game or games forming part of the gaming service; ii) an indispensable component in the processing in, or management of, essential regulatory data.
This includes the supply and management of material elements of a game and/or the supply and management of software, whether as a standalone or as part of a system, to generate, capture, control or otherwise process any essential regulatory record and, or the supply and management of the control system on which such software resides.
In an effort to provide further clarification, the First Schedule to the Policy outlines a non-exhaustive list of material and critical supplies. It is worth noting that whilst all critical supplies are material supplies, not all material supplies are critical supplies.
Regulatory Oversight and MGA Requirements
Whilst the authorised person is free to outsource the services and activities as delineated in the Policy, the responsibility for regulatory compliance shall continue to reside with the board of directors and senior management of the operator. The authorised person must necessarily assign an employee with the overall responsibility of the outsourced service, which employee is fit and proper and possesses adequate knowledge and experience with regards to the outsourced service, such as to be in a position to challenge performance.
The Authority’s approach to oversight shall be carried out through the assessment of any outsourcing arrangements at the pre-licensing stage or during post-licensing oversight of the operator. The details of the third-party service provider, the material or critical supplies outsourced, the details of the persons assigned with overseeing the outsourced activity, a copy of the proposed agreement between the parties and any other relevant information are to be provided to the Authority. Moreover, authorised persons are now required to have a written outsourcing policy, irrespective of whether any outsourcing will take place within the same corporate group. Where the outsourcing service provider is already licensed or holds a material supply recognition, issued by the MGA, the process is further simplified and less information is required.
Authorised persons are not required to obtain approval from the MGA with regards to outsourcing of non-material functions or services.
A further development is the departure from the post of the key official towards a system of key functions. The following roles and responsibilities, when performed in connection with the gaming activity of a licensee, are deemed to constitute a key function:
- Chief Executive;
- Responsibility for gaming operations;
- Responsibility for legal affairs and compliance with the applicable regulatory instruments;
- Responsibility for finance;
- Responsibility for marketing and advertising;
- Responsibility for player support;
- Responsibility for technology;
- Responsibility for the prevention of money laundering and the funding of terrorism;
- Responsibility for risk management and fraud prevention;
- Responsibility for internal audit.
Whilst it is possible for key functions to be outsourced to third parties, only natural persons holding a certificate of approval issued by the MGA may perform a key function. Such certificate is valid for three years.
It is possible for one person to hold more than one key function within an authorised person, the Authority recognises that the holding of certain positions can conflict with the holding of others. By way of example, the individual responsible for the prevention of money laundering and financing of terrorism is expected to refrain from takin on other responsibilities which may conflict with their role, similarly, the data protection officer role is not compatible with any other role which involves the management or control of personal data.