What iGaming Compliance Actually Is (and Where Early-Stage Operators Miss the Alignment)

There are two common misconceptions about iGaming compliance. The first comes from operators who think compliance is mostly operational: hire the right person, set up the right software, run the right procedures, and you are compliant. The second comes from consultants who pitch compliance as mostly documentation: get the right policies drafted, file them with the regulator, and you are compliant.

Both views are incomplete in the same way. They each capture half of what compliance actually is and treat that half as the whole.

Real compliance is the alignment between what your documents say and what your operation does, plus everything that keeps that alignment current as your operation grows and as the rules change. It is not document-heavy work or operations-heavy work. It is alignment work.

This is the part most early-stage operators do not get told clearly when they engage a consultant or hire their first compliance officer. They are told either "build the documents" or "build the operation". Neither instruction is wrong. Both are insufficient.

The five things that have to run in parallel

A functioning compliance framework has five components, and all five have to be operating at the same time. Drop any one and the whole framework loses integrity.

Documented policies that match what the operator actually does. This is the part most consultants focus on. AML policy, KYC procedures, responsible gaming framework, internal controls framework, operations manual. Twenty or more documents for a typical offshore licensee. Each has to describe what the operator genuinely does, not what a generic template says a similar operator might do. The documents are the legal record of how the business operates.

Procedures and internal controls that staff can actually execute. Documented policies that nobody on the team can perform are not policies. They are aspirations. The KYC procedure has to match the actual screening tool the operator uses, the verification thresholds the team is trained on, and the escalation path that fits the operator's actual headcount. A KYC procedure that requires a four-person team to operate is useless to a six-person operator. Either the procedure is rewritten to fit the team or the team is grown to fit the procedure. Aspirational procedures are documented misalignment, which is worse than no procedure at all.

Staff training that keeps procedures executable. Compliance officers, customer service staff, finance staff, and engineering staff all have compliance touchpoints. AML training is required by most regulators on at least an annual cadence and has to be evidenced. Sanctions screening training is similar. Responsible gaming training is mandatory in most jurisdictions and increasingly audited. Training is not an event. It is an annual cycle with refreshers when procedures change.

Ongoing AML and regulatory reporting. Most jurisdictions require periodic reports. Suspicious activity reports filed with the financial intelligence unit when triggered. Monthly or quarterly regulatory reports on player activity, complaints, ADR cases, and tax. Annual audited financial statements. The reporting cadence is not optional and the deadlines are firm. Operators who treat these as paperwork to be done in arrears get warning letters. Then they get fines.

Active monitoring of regulatory and legislative change. The rules move. The MGA published 2026 priorities in March. The Dutch KSA recently set a precedent that crypto payments to unlicensed markets count as deliberate circumvention. The FATF added two countries to the grey list in February. Curacao continues its LOK transition. An operator who sets up their compliance framework in March and does not look at regulator output again until renewal is operating with stale rules. The framework has to be reviewed against current regulator output on at least a quarterly cadence, and updated when material changes hit the operator's jurisdiction.

All five components run in parallel, all the time, for the life of the licence. Compliance is not a project that ends. It is an operating discipline.


Where the alignment most often fails

Four failure patterns recur across the operators I work with.

The first is documents that describe a more mature business than the operator runs. This usually happens when a consultant gives the operator a templated compliance pack designed for a larger or more established operation. The policies look impressive. The procedures are too complex for the operator's actual headcount. When the regulator audits, the operator cannot demonstrate execution against the documented procedures, because no team of three people can run procedures designed for a team of fifteen. The documents become evidence against the operator instead of evidence for them.

The second is operational drift. The operator builds a compliant framework at licence issuance. Twelve months later, the team has changed, the platform has changed, the payment stack has changed, and the player base has shifted geographically. The documents have not changed. The operation no longer matches the policies. Drift accumulates silently until something triggers an audit or a PSP review, and then the gap is suddenly visible.

The third is missing the regulatory updates. The operator is running their original compliance framework competently. They have not seen that the regulator has published new guidance, or that a relevant law has changed, or that their jurisdiction has been added to a watch list. They are compliant with rules that no longer exist. This is increasingly common as regulators publish more frequently and faster than they used to.

The fourth is undocumented operational improvements. The team realises a procedure is inefficient and changes how they do it. The change is sensible. Nobody updates the documented procedure. Now the operation is better but the documents are wrong. When the regulator audits, the documents say one thing and the team does another. The audit finds the gap and reports it as a deficiency, even though the actual operation is sound.

All four failures share the same root cause. Compliance is treated as a state rather than a process. The state of being compliant is achieved at licence issuance and assumed to persist. It does not. The framework needs maintenance.


The find-and-replace problem

I mention this one specifically because it is the failure pattern I see most often when operators come to me to clean up someone else's work.

An operator has worked with a previous consultant. The consultant gave them a compliance pack. The pack was templated. It was probably written for a Curacao operator originally, then adapted by find-and-replace for Anjouan or Malta or wherever the operator ended up.

The consultant searched for "Curacao" and replaced with "Anjouan". They searched for "GCB" and replaced with "AGA". They updated the cover page. They sent the pack.

What they missed was the references inside the body of the documents. The AML policy referenced "GCB licensing conditions" three times in subsections nobody read carefully. The KYC procedure referenced Article 10 of a Curacao law that does not exist in Anjouan. The risk assessment used Curacao MCC codes that are not relevant for an Anjouan-licensed operation.

The operator did not catch this because they assumed the consultant had done the work properly. The consultant did not catch it because they did not actually re-read what they had produced. The regulator caught it. The application stalled quite seriously. The operator paid me to rebuild the framework from scratch.

The lesson is not that templates are bad. Templates are fine when used as starting points and then properly customised. The lesson is that a template, explicit customisation to the customer's needs, and a complete and detailed review are what is required, nothing less.
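Part of the review the passage above calls for can be mechanised: every document in the pack is scanned for terms belonging to the previous jurisdiction that a find-and-replace left behind, and every citation to a numbered article of a law is flagged for a human to confirm it points at the new jurisdiction's statute. The script below is an added example, not code from the original article or from ICOS; the sample documents and the legacy-term list are constructed for illustration, and it only surfaces residue that a reviewer still has to assess line by line.

```python
"""Scan a jurisdiction-swapped compliance documentation pack for leftover
references. Added example; the documents and term list are constructed."""
import re
from dataclasses import dataclass

# Terms from the predecessor jurisdiction's pack that must not survive the
# swap. Constructed for this example: an operator lists its own previous
# regulator, law names and ordinance references here.
LEGACY_TERMS = ("Curacao", "Curaçao", "GCB", "Gaming Control Board")

# Any citation to a numbered article of a law needs a human to confirm it
# refers to the new jurisdiction's statute, so these are flagged for review.
ARTICLE_CITATION = re.compile(r"\bArticle\s+\d+[A-Za-z]?\b")


@dataclass(frozen=True)
class Finding:
    document: str
    line_no: int
    kind: str       # "legacy_term" (definite defect) or "citation_review"
    match: str
    line: str


def _term_pattern(terms):
    # Match whole terms only, so "GCB" hits but "AGCBX" would not.
    escaped = "|".join(re.escape(t) for t in terms)
    return re.compile(rf"(?<!\w)(?:{escaped})(?!\w)", re.IGNORECASE)


def scan_pack(docs, legacy_terms=LEGACY_TERMS):
    """Return every leftover legacy term and every article citation, per line,
    in document order then line order."""
    term_re = _term_pattern(legacy_terms)
    findings = []
    for name, text in docs.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for m in term_re.finditer(line):
                findings.append(Finding(name, no, "legacy_term", m.group(0), line.strip()))
            for m in ARTICLE_CITATION.finditer(line):
                findings.append(Finding(name, no, "citation_review", m.group(0), line.strip()))
    return findings


def pack_is_clean(findings):
    """True only when no legacy term survives; citations still need review."""
    return not any(f.kind == "legacy_term" for f in findings)


def report(findings):
    """Human-readable list of findings, one per line."""
    return "\n".join(
        f"{f.document}:{f.line_no} [{f.kind}] '{f.match}' in: {f.line}" for f in findings
    )


# Constructed sample pack: the cover page was updated by the consultant,
# but the AML policy and KYC procedure still carry the old references.
SAMPLE_PACK = {
    "cover_page.txt": (
        "Compliance Documentation Pack\n"
        "Licensee: Example Gaming Ltd (Anjouan)\n"
        "Regulator: AGA\n"
    ),
    "aml_policy.txt": (
        "1. Scope\n"
        "This policy applies to all staff of the Anjouan-licensed operator.\n"
        "4.2 Reporting\n"
        "Reports are filed in line with GCB licensing conditions.\n"
        "7.1 Record keeping\n"
        "Records are retained per Curacao statutory requirements.\n"
    ),
    "kyc_procedure.txt": (
        "Verification thresholds follow Article 10 of the applicable ordinance.\n"
        "Enhanced due diligence applies to PEPs per section 3.\n"
    ),
}

if __name__ == "__main__":
    found = scan_pack(SAMPLE_PACK)
    print(report(found))
    print("pack clean:", pack_is_clean(found))
```

Run it before the pack goes to the regulator, and again after every jurisdiction change; a non-empty `legacy_term` list is a defect to fix, while `citation_review` findings are a checklist for the person doing the full read-through.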


The minimum viable compliance documentation pack

A functioning offshore-licensee documentation pack contains around twenty documents. The list below is a starting baseline; specific jurisdictions add more.

1. AML policy
2. KYC procedures
3. Sanctions screening procedures
4. Politically Exposed Persons (PEP) handling procedures
5. Risk assessment
6. Responsible gaming framework
7. Player protection policy
8. Self-exclusion procedures
9. Source of funds declaration
10. Source of wealth declaration
11. Transaction monitoring procedures
12. Suspicious activity reporting procedures
13. Data protection and GDPR notice
14. Information security policy
15. Business continuity plan
16. Operations manual
17. Third-party due diligence framework
18. Internal controls framework
19. Compliance officer appointment letter
20. Personal declaration forms for each director, shareholder, and ultimate beneficial owner

Each has to match what the operator actually does. Each has to be internally consistent with the others. Each has to be current. Each has to be reviewable.

Documents are necessary. They are not sufficient. Once the documents exist, the next set of work begins.


What sits on top of the documents

A functioning compliance operation runs five rhythms on top of the documentation pack.

Daily KYC, transaction monitoring, and sanctions screening. Every player onboarded, every deposit, every withdrawal, every change of risk profile triggers procedural work. The team has to actually do it, log it, and be ready to evidence it.

Weekly compliance review. Compliance officer reviews the previous week's flags, escalations, and incidents. Decides which need follow-up, which need formal SAR filing, which need policy updates. Documented in a compliance log.

Monthly regulatory reporting. Whatever the licence requires, on the cadence the licence requires, by the deadline the licence requires. Player funds reports, tax reports, ADR reports, ad spend reports, complaint logs. Late filing is a regulatory finding.

Quarterly framework review. The compliance officer reviews the documented policies against current operational practice and against current regulator output. Identifies drift in either direction. Issues update tickets. Schedules training refreshers.

Annual full-framework audit. Independent or internal review of every document against every operational reality. Annual training cycle for all staff with compliance touchpoints. Renewal of all certifications and key function holder authorisations.

This is what compliance looks like when it is operating correctly. It is not paperwork. It is not vibes. It is a structured operating discipline that happens to produce a lot of documentation as evidence.


The PSP test

A useful gut-check for whether your compliance framework is operating correctly is the payment processor test.

Apply for a PSP account. Show them your compliance documentation. Watch what happens.

If the PSP onboards you in two weeks, your framework is probably in reasonable shape. If they come back with twenty questions about specific clauses, your documentation has gaps. If they ask whether your team actually executes the procedures you have documented, they have spotted operational drift. If they reject you outright, the framework does not match what is expected for your jurisdiction and stage.

PSPs are pickier than most offshore regulators. They have less patience for inconsistency between documents and operation. If your framework passes a serious PSP review, it will probably pass a regulator audit.


What this means for budgeting

Three budget lines, not one.

The build of the documentation pack is one cost. Either the operator's team produces it or a consultant does. ICOS prices this as a fixed fee inside the application service. The work is predictable, so the price should be predictable.

The operational execution is a recurring cost. Compliance officer time, screening tool subscriptions, training programme, audit fees. This is the part most operators underestimate most badly. The rule of thumb: if you priced the licence and corporate setup correctly, your annual operational compliance cost is similar to the recurring regulatory cost. For Anjouan and Nevis at the entry tier, that is roughly EUR 15,000 to EUR 25,000 per year on top of the regulator fee, depending on whether the compliance officer is in-house or outsourced.

The regulatory monitoring is the third cost, often hidden inside the second. Either the compliance officer keeps current with regulator output as part of their role, or the operator subscribes to a service that does it. Either way, the cost is real and the work is non-optional. ICOS includes regulatory monitoring inside the optional ongoing retainer because most operators do not have the bandwidth to do it themselves.


The bottom line

Operators who get compliance right are not the ones with the thickest binders. They are the ones whose binders match what their team does, whose team knows what the binders say, and who actively maintain the alignment as the operation and the rules both change.

The document and the operation have to match. That is the whole game. Everything else is in service of keeping them aligned.

If you want to talk about your specific compliance framework, tell us your situation. Recommended jurisdiction, fixed price, realistic timeline. Within 24 hours.
