KPMG: For Ontario’s iGaming operators, investing early in compliance pays off

KPMG discusses best practices for Ontario compliance

Regulatory compliance may be two words guaranteed to earn you some alone time at a party, but they also form a phrase that every operator targeting success in Ontario’s regulated sports betting and iGaming market needs to talk about. 

The province’s regulator, the Alcohol and Gaming Commission of Ontario (AGCO), has earned a reputation in the international industry as being flexible and communicative, an organization that operators can work hand-in-hand with. However, no one should assume the regulator’s open approach means that the regulation itself is simple to navigate. 

In fact, as KPMG’s Steve Hills (Audit Partner and National Industry Leader for Lottery and Gaming) and Joanna Hojjati (Partner, Risk Consulting in Governance, Risk & Compliance Services) told Canadian Gaming Business, internet gaming standards and the different ways they apply by operator depending on the underlying services, partners, technology and in-house abilities, can be complex. 

Explaining why the framework can be complicated, Hojjati said: “The Ontario market is unique, as we have iGaming Ontario (iGO), a separate conduct-and-manage entity with whom operators need to execute an operating agreement and meet contractual obligations in addition to the standards and requirements set out by AGCO, the regulator.”

The Registrar’s Standards for Internet Gaming are risk-based and outcome-focused. The benefit of this approach is that it provides operators and gaming-related suppliers with greater flexibility to design control activities that fit their business operations. 

The flip side, however, is that, unlike rules-based regulation where you are more so told what to do, this approach requires a strong compliance team and experienced advisors to understand the objectives behind the standards and Ontario-specific nuances. Operators need to find practical ways to best implement the requirements into their day-to-day operations.

A central pillar of the regulatory framework is that operators are responsible not only for their own actions and systems but also those of their suppliers and partners acting on their behalf, which adds a layer of risk and complexity to the work of a compliance team. 

“Investing early in regulatory compliance is important because as an operator you need to coordinate with your gaming and non-gaming related suppliers and partners on how they will support you in meeting regulatory obligations. From a regulatory standpoint, the regulator doesn’t care who provides what kind of service on your behalf, you are the one who is on the hook. From a business standpoint, it’s also the operator’s name and brand that is at risk if there is an issue with a supplier,” Hojjati continued. 

The danger is in the detail – and there’s a lot of detail

Even for multinational operators with large in-house compliance teams, there are elements of the Ontario framework that may come as a surprise. Hills and Hojjati gave three examples of intricacies in the regulations that have the potential to trip up operators, such as those relating to financial statements.

“Operators are required to annually submit their audited financial statements within 90 days of year end,” said Hills. “Given the process to capture revenue is substantially automated, it’s a heavy lift in the first year in terms of the auditor’s understanding of the controls and processes involved in auditing that revenue figure in the financial statements.”  

“The importance of the controls and reliance on service organizations can be critical as well. So there’s lots of moving pieces and 90 days is a tight timeframe for a first-time audit. It’s important to start the audit process early on before year end, so you’re in a position to meet those deadlines.”

He added that for larger players with US or globally consolidated reporting, the Canadian subsidiary reporting is likely to be out of scope of the consolidated audit in year one; however the requirement to submit local audited financial statements to the regulator still exists. In addition, those operators with smaller finance teams may struggle to meet the timescales while also dealing with day-to-day tasks if they don’t start early enough.

The second example relates to the rules for the Control Activity Matrix (CAM), which lists the controls and procedures operators have in place to meet the required standards for iGaming. Hojjati explained that when operators apply for a license, the AGCO will conduct an eligibility review and evaluate the applicant as posing an elevated or non-elevated risk, and that decision impacts the timeline of when a CAM must be independently audited.

“Operators categorized as non-elevated risk are typically well established and may have been licensed in another regulated market. In this scenario the requirement is to submit an independent audit of your CAM within three months of launch,” she said.

“For the elevated risk category, the CAM needs to be assessed by an independent auditor prior to launch. There are over 180 standards plus underlying requirements within Ontario’s iGaming standards, so if operators leave this until the last minute, it could significantly delay their market entry.”

The final example they gave is contained in standard number 1.02, which is the requirement for operators to have an independent oversight function in place to assess their control activities. This standard is also related to the CAM but goes beyond launch readiness and into ongoing regulatory requirements.

“That independent oversight refers to an internal audit function,” explained Hojjati. “If you don’t have your own internal audit department in place – and many of the smaller operators don’t – you are required to use an external provider, such as KPMG, to periodically audit the organization’s compliance management framework. Within AGCO’s notification matrix, you need to submit to the regulator any internal audit report that was produced pertaining to your operations in Ontario every quarter.”

“This is a little bit hidden. Unless you read the standards in detail and then connect the dots to the notification matrix, which is a separate document, it might not be that clear that operators need to have that internal audit function in place when considering launching in Ontario.”

How to prepare for the regulatory process

These three examples are just a snapshot of the intricacies of Ontario’s regulatory framework and the complexities facing operators as they attempt to remain compliant. They also need to consider the gambling advertising regulations (which a number of operators have already fallen foul of), taxation, and the anti-money laundering (AML) requirements of both FINTRAC and the iGO contract, to name only a few of the requirements.

With so much to get right, it’s clearly crucial for online gambling operators of all sizes to have the correct compliance skills at their disposal. Doing so will help them save money by being more efficient and to avoid the reputational and financial damage that comes with enforcement action by the regulator.

“Regulatory compliance is something that we feel is one of the keys to success,” Hojjati concluded. “It’s so important to invest in it early and to make sure you have the right advisors who understand the nuances because it’s not always so straightforward.”

“The best approach is to identify partnerships with the advisors and auditors that you require early on and consider investing in an upfront readiness assessment, so when the timelines come knocking, you are ready and you are confident that you have the right policies, procedures, controls, and technology in place to meet the requirements.”


You might also like