You have the platform. You have the games, the payment processor, the brand. You sit down to look at the licence application and realise it is forty pages long, references four pieces of legislation you have never heard of, and expects a Board-approved AML policy within thirty days. There is a fit-and-proper questionnaire that wants five years of source-of-wealth documentation. There is a section on technical standards that references a form number with no further explanation.

That moment is usually when people call us.

This article explains what an iGaming compliance consultant actually does, when you need one, and what to watch out for when you are choosing between them. If you already know what the role is and you are just trying to figure out whether we might be the right fit, skip to the last section. If you are still working out whether you need any consultant at all, start here.

The Role, Plainly Stated

A compliance consultant is not a lawyer. A lawyer handles disputes, formal legal advice, and anything that ends up in front of a regulator or a court. You still need one of those. A compliance consultant is also not a corporate services agent. A corporate services agent forms your company, files your annual returns, and manages your registered office. You probably need one of those too.

A compliance consultant sits between those two. They perform the operational regulatory work: writing the policies, managing the application process, tracking your ongoing obligations, getting you ready for audits, preparing your staff training and evaluation materials. It is the part of the process that is neither strictly legal nor strictly administrative, and it is the part most operators underestimate.

The reason you hire someone dedicated for this is not that you are incapable of doing it yourself. It is that the cost of getting it wrong (a rejected application, a licence suspension, a fine) is considerably higher than the cost of getting the work done properly the first time.

It is also a question of time. A first-time applicant who tries to work through an MGA application without support will spend a significant number of hours getting up to speed on requirements that an experienced consultant already knows. That time has a cost, even if it does not appear on an invoice. Of course your legal firm can also do this work for you if you are happy paying those legal firm invoices.

What the Work Actually Looks Like

When a new operator comes to me, the first thing I do is learn in detail about their business and produce a concrete document checklist customised to their specific needs. Not a generic list of compliance documents. It is a checklist that maps directly to what that specific regulator will expect from this operator, referenced against the actual legislation and regulations.

From there, the core work is drafting. The AML/CFT policy, KYC procedures, responsible gaming policy, data protection framework, risk assessments, information security policies etc. These need to be written to the standard the regulator actually checks against. A generic AML policy template will not pass a serious review. If your document does not cite the specific legislation in the jurisdiction you are applying to, it was not written for your licence. It was written for nobody's licence and adapted with a find-and-replace.

I then manage the application process end to end: submission, tracking regulator queries, filling documentation gaps, following up when responses are slow. Regulators ask questions. They request additional information. They issue clarification requests at unexpected moments. Someone needs to be monitoring that and responding within the required timeframes.

After the licence is issued, the work does not stop. Ongoing obligations include monthly reports, annual renewals, regulatory updates, and in some jurisdictions, periodic audits. Missing a reporting deadline or failing to update your policies when the rules change can put your licence at risk even after you have it.

Anjouan is often seen as a lighter-touch jurisdiction, and relatively speaking it is. But even there, operators have ongoing obligations that require attention. The value of having someone track these on your behalf is simple: things do not slip through.

MGA Compliance: A Specific Note

The Malta Gaming Authority licence is one of the more demanding in the industry. The application process can runs twelve to eighteen months in some cases. Part of that process is a formal System Audit (MGA-F-016), a technical review of your live platform conducted by a regulator-approved Approved Service Provider (ASP). The documentation required for that audit is substantial, and operators who have not prepared for it properly often find themselves in a delays spiral just as they think they are close to the finish line.

Operators who try to manage MGA compliance without support frequently hit problems at the System Audit stage because the technical documentation has not been prepared to the right standard. Coordinating between the ASP, the regulator, and the operator's technical team is a significant piece of work in its own right.

If you are targeting an MGA licence, the question is not whether you need compliance support. It is how much of that support you want to handle in-house versus outsource.

Curaçao Post-LOK: What Changed

Curaçao implemented significant reforms to its licensing framework in December 2024. The new law, the LOK, replaced the previous master licence structure and introduced direct licensing under a new regulatory body. Existing licensees had to transition within a fixed window. New applicants apply under the new framework from the outset.

The physical presence requirement is one of the areas where operators most commonly have questions. The LOK requires a genuine local presence, not just a registered address. What that means in practice (the structure of the local entity, the staffing requirements, the substance criteria) is not always obvious from reading the legislation directly.

If you are applying to Curaçao under the new framework, understanding what the physical presence requirement actually demands before you start building your corporate structure will save you significant time and cost later.

When You Need a Consultant and When You Do Not

You probably need one if you are applying for your first licence and have no in-house compliance resource. You also need one if you are entering a complex jurisdiction like the MGA, or if you are a platform operator whose B2C clients require compliant policy documentation as part of their own regulatory obligations.

You probably do not need one if you already have a qualified MLRO and an experienced in-house compliance team who have been through this process before. If you are renewing an existing Anjouan licence and your documentation is already in good shape, you may just need a review rather than a full engagement.

Be honest with yourself about what your team knows how to do. The application fee is only one cost in the process. The cost of a rejected application or a delayed launch is considerably larger.

There is also a middle ground that operators sometimes overlook: a compliance review rather than a full engagement. If your documentation is mostly in order but you want an experienced eye on it before submission, that is a much smaller piece of work than starting from scratch. It is worth asking about that option if you think you are close to ready.

What to Look for and What to Watch Out For

The most common problem I see is operators hiring a consultant who cannot tell them upfront what the work costs. Vague pricing, scopes that shift, invoices that grow. This is not uncommon in the industry, which is why ICOS publishes fixed pricing for our services.

Watch out for consultants who promise a specific outcome. No responsible practitioner will guarantee that your application will succeed. That decision belongs to the regulator, not the consultant. If someone is promising approvals, that is a problem.

Ask to see the jurisdiction-specific regulatory citations in the AML policy they would produce for you. If the citations are not there, the document was not written for your licence.

Look for someone who can answer specific technical questions about your jurisdiction before you sign anything. Can they tell you what MGA-F-001 is? Do they know the difference between the System Audit and the System Review? Do they have a view on the physical presence question in Curaçao, or do they give vague answers until the invoice is signed?

Look for clear scope, fixed or capped pricing, and ongoing compliance support, not just application support. Getting the licence is the beginning, not the end.

How ICOS Works

ICOS is a compliance consultancy. That offers fixed pricing that is publicly listed on this website without discovery calls or custom scoping exercises before you know what anything costs.

We currently work across Anjouan, Curaçao (post-LOK), and MGA. UKGC, Nevis and Tobique support is in preparation. The pricing for each jurisdiction is published on the website without any requirement to speak to anyone first. Knowing what something costs before you commit should not require a sales conversation.

If your circumstances are unique and you want a fixed-price quote for your specific situation, our intake form takes three minutes and you will have a quote within 24 hours. No call required.

John is a compliance practitioner and the founder of ICOS. He has worked across multiple regulated iGaming jurisdictions.