Anti-Corruption Standards and ISO 37001
1) Introduction: why ISO 37001
Corruption risks in iGaming/fintech are amplified by complex supply chains, affiliate networks, licensing and marketing across many jurisdictions. ISO 37001 (Anti-Bribery Management System, ABMS) is the international standard that specifies a management system for preventing, detecting and responding to bribery. Its purpose is to reduce the likelihood of incidents and to demonstrate to regulators and partners that the company manages bribery risk systematically.
2) ABMS key principles
Tone at the top: the board/top management accept and demonstrate zero tolerance.
Risk-based approach: identification, assessment, treatment plan, prioritization of high exposure areas.
Proportionate measures: controls match the organisation's scale and risk profile.
Independence of the compliance function: sufficient authority and resources.
Continuous improvement: monitoring, audits, corrective actions.
3) Scope of corruption risks
Direct and indirect bribery, commercial bribery, facilitation ("grease") payments where prohibited, kickbacks.
Gifts, hospitality, sponsorship and charitable donations used as channels for disguised bribery.
Affiliates/agents/intermediaries, licensing consultants, marketing partners.
Public sector: licences, inspections, permits, state partnerships, state-owned casinos and lotteries.
Conflicts of interest and insider arrangements.
Mergers and Acquisitions (M&A) and Joint Ventures (JV).
4) System framework: what ISO 37001 requires in practice
1. Anti-Corruption Policy and Code of Conduct, plus Gifts, Conflict of Interest, and Donations and Sponsorship policies.
2. An Anti-Bribery Compliance Officer (ABCO) role with clearly assigned responsibilities.
3. Risk assessment by business lines, geography, types of counterparties.
4. Risk-based due diligence of third parties, including sanctions and litigation screening.
5. Transaction controls and red-flag monitoring.
6. Training and communications for employees and partners.
7. Whistleblower channels with a prohibition on retaliation (see the separate whistleblower policy).
8. Investigations, disciplinary action and remediation.
9. Internal audit/monitoring, management review and CAPA (Corrective and Preventive Actions).
10. Preparation for certification by an external certification body.
5) Risk matrix (example)
6) Gifts, Hospitality and Expenses (G&H) Policy
Limits: in monetary value and in kind (e.g. up to X EUR per person per event, plus an annual cap).
Prohibition of cash, gift cards and luxury travel without a documented business justification.
Approval: anything above the threshold goes through ABCO and must be entered in the register.
Public sector: stricter rules or a complete ban.
Transparency: gift and hospitality registers are available to internal audit.
7) Conflict of interest
Annual declaration by all managers and by procurement, BD, marketing and legal staff.
Event-driven declaration on hiring, moving to a new role or starting a project.
Measures: recusal (self-withdrawal), rotation, and a ban on managing "one's own" suppliers.
8) Due diligence of third parties (especially affiliates and intermediaries)
Screening: sanctions, PEPs, litigation, adverse media, beneficial owners.
Questionnaire and supporting documents: registration, licences, tax status, the counterparty's own anti-corruption policy and code.
Contractual obligations: anti-corruption clause, right to audit, no sub-intermediaries without approval, termination right on breach.
Risk tiering: counterparty KYC levels (low/medium/high) and review frequency (e.g. annually for high risk).
Payment controls: no payments to offshore or personal accounts; an invoice and acceptance act are mandatory for every payment.
9) Red flags (operational indicators)
A "consultant" with no demonstrable expertise or defined deliverables who asks for cash or an unusually high commission and promises "quick results".
Requests to split a payment or to route money to third-party accounts.
Insistence on unnamed affiliates/agents or on opaque reporting.
Competitors excluded from tenders on a contrived pretext.
Activity in countries with high corruption exposure without enhanced controls.
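The payment controls in section 8 and the red flags above are the kind of thing a compliance team ends up checking by hand in a spreadsheet until someone automates them. The following is an added illustration, not code from the page or from any ISO 37001 toolkit, of a small rule-based screener run over constructed payment records: it flags payee accounts that differ from the account recorded at due diligence, missing invoices, payments to a high-exposure market without enhanced DD, agent commissions above a cap, counterparties with no DD record, and sub-threshold payments to the same counterparty that add up to more than the approval threshold within a short window (a split-payment pattern). Each alert carries a severity and an SLA so it can feed an escalation queue. All thresholds, country codes, account numbers and counterparty names are assumptions for the example.

```python
"""Rule-based red-flag screening over payment records (illustrative, not a product).

All policy parameters and sample data below are assumptions constructed for this
example; a real ABMS takes them from its own risk matrix and DD registers.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy parameters (placeholders, not figures from ISO 37001).
APPROVAL_THRESHOLD = 10_000.0      # single payments at/above this need ABCO sign-off
SPLIT_WINDOW_DAYS = 14             # window over which sub-threshold payments are aggregated
MAX_AGENT_COMMISSION_PCT = 10.0    # agent commission above this is a red flag
HIGH_RISK_COUNTRIES = {"XX", "YY"} # placeholder codes for high-exposure markets
SLA_HOURS = {"high": 24, "medium": 72}   # escalation SLA per severity


@dataclass
class Counterparty:
    name: str
    registered_account: str   # bank account captured during due diligence
    country: str
    dd_level: str             # "low" / "medium" / "high"
    enhanced_dd: bool = False
    is_agent: bool = False


@dataclass
class Payment:
    pid: str
    counterparty: str
    payee_account: str
    amount: float
    day: date
    invoice_ref: Optional[str]            # None = paid without invoice/act
    commission_pct: Optional[float] = None


@dataclass
class Alert:
    rule: str
    severity: str
    payments: list          # payment ids the alert refers to
    detail: str

    @property
    def sla_hours(self) -> int:
        return SLA_HOURS[self.severity]


def screen_payments(parties: dict, payments: list) -> list:
    """Return a list of Alert objects for every red flag found in `payments`."""
    alerts: list = []
    by_party: dict = defaultdict(list)

    # Per-payment rules.
    for p in payments:
        cp = parties.get(p.counterparty)
        if cp is None:
            alerts.append(Alert("unknown_counterparty", "high", [p.pid],
                                f"no DD record for {p.counterparty}"))
            continue
        by_party[p.counterparty].append(p)
        if p.payee_account != cp.registered_account:
            alerts.append(Alert("third_party_account", "high", [p.pid],
                                f"payee {p.payee_account} != registered {cp.registered_account}"))
        if p.invoice_ref is None:
            alerts.append(Alert("missing_invoice", "medium", [p.pid], "payment without invoice/act"))
        if cp.country in HIGH_RISK_COUNTRIES and not cp.enhanced_dd:
            alerts.append(Alert("high_risk_jurisdiction_no_edd", "high", [p.pid],
                                f"{cp.country} without enhanced DD"))
        if cp.is_agent and p.commission_pct is not None and p.commission_pct > MAX_AGENT_COMMISSION_PCT:
            alerts.append(Alert("excessive_commission", "high", [p.pid],
                                f"{p.commission_pct}% > {MAX_AGENT_COMMISSION_PCT}%"))

    # Split-payment rule: sliding window per counterparty, sorted by date.
    for name, plist in by_party.items():
        plist.sort(key=lambda x: x.day)
        start = 0
        for end in range(len(plist)):
            while plist[end].day - plist[start].day > timedelta(days=SPLIT_WINDOW_DAYS):
                start += 1
            window = plist[start:end + 1]
            total = sum(x.amount for x in window)
            if (len(window) >= 2 and all(x.amount < APPROVAL_THRESHOLD for x in window)
                    and total >= APPROVAL_THRESHOLD):
                alerts.append(Alert("split_payment", "medium", [x.pid for x in window],
                                    f"{name}: {len(window)} payments totalling {total:.2f} "
                                    f"within {SPLIT_WINDOW_DAYS} days"))
                break   # one escalation per counterparty is enough
    return alerts


# Constructed sample data (fictitious names, accounts and amounts).
PARTIES = {
    "AffiliateCo": Counterparty("AffiliateCo", "ACC-DE-001", "DE", "medium"),
    "LicenseAdvisor": Counterparty("LicenseAdvisor", "ACC-MT-007", "XX", "high", is_agent=True),
}
PAYMENTS = [
    Payment("P1", "AffiliateCo", "ACC-DE-001", 9_500.0, date(2024, 3, 1), "INV-1001"),
    Payment("P2", "AffiliateCo", "ACC-DE-001", 9_800.0, date(2024, 3, 5), "INV-1002"),
    Payment("P3", "AffiliateCo", "ACC-DE-001", 4_000.0, date(2024, 3, 9), None),
    Payment("P4", "LicenseAdvisor", "ACC-CH-999", 25_000.0, date(2024, 3, 10), "INV-2001", 15.0),
    Payment("P5", "GhostAgent", "ACC-LT-123", 3_000.0, date(2024, 3, 11), "INV-3001"),
]

if __name__ == "__main__":
    for a in sorted(screen_payments(PARTIES, PAYMENTS), key=lambda a: a.sla_hours):
        print(f"[{a.severity:6}] SLA {a.sla_hours:>2}h  {a.rule:32} {a.payments}  {a.detail}")
```

On the sample data the screener raises six alerts: the two sub-threshold affiliate invoices that together exceed the approval threshold, the affiliate payment with no invoice, three high-severity flags on the licensing "consultant" (payee account differs from the DD record, high-exposure market with no enhanced DD, 15% commission), and a payment to a counterparty that never went through DD. The point of the SLA field is that the queue is sorted by it, so the high-severity items reach ABCO first rather than sitting in a monthly report.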
10) Training and Communications
Annual mandatory training + interactive cases (G&H, government agencies, affiliates, M&A).
Onboarding module for new employees and refresher tests for high-risk roles.
Top-down communications: regular messages from the CEO/board, an internal ABMS page, FAQ.
11) Whistleblower lines and investigations
Anonymous channel available 24/7, no retaliation, SLAs for acknowledgement and response (see the separate whistleblower policy).
Legal hold and evidence preservation; an independent investigation team.
Disciplinary action up to and including termination of contracts; in serious cases, referral to law enforcement.
12) Monitoring, audit and reporting
ABMS KPIs: training coverage, number and share of cases closed, response time, share of third parties that have passed DD, G&H compliance spot-check results.
Internal audits under a risk-based audit plan (quarterly/annually).
Management review: at least annually, covering risks, incidents, CAPAs and resourcing decisions.
Continuous improvement: adjusting limits, updating the risk matrix, adding controls.
13) Integration with iGaming/fintech processes
Affiliates and marketing: strict verification, transparent reporting, audit of affiliate networks and traffic sources.
Licensing and regulatory interactions: minutes of meetings, four-eyes rule, ban on gifts to officials.
Payment partners/PSPs: anti-corruption clauses in contracts, audit rights, no intermediaries without approval.
Game/studio providers: control over incentives, transparent discounts and rebates, no "grey" side agreements.
M&A/JV: anti-corruption due diligence of targets and an ABMS integration plan.
14) Roadmap for implementation and certification (6-9 months)
Stage 0 - Diagnostics (0-4 weeks): gap analysis against ISO 37001, process map, risk matrix, project plan, ABCO appointment.
Stage 1 - Policies and control design (months 1-2): Anti-Corruption Policy, G&H, Conflicts of Interest, contract templates, DD procedures, investigation and whistleblowing procedures.
Stage 2 - Implementation and training (months 2-4): gift register, register of contacts with government bodies, launch of the DD process, training, KPI dashboard.
Stage 3 - Monitoring and audit (months 4-6): pilot checks, case tests, ABMS internal audit, CAPA.
Stage 4 - Certification (months 6-9): pre-audit, then Stage 1 and Stage 2 audits by an external certification body; certificate issued on successful completion.
Afterwards - maintenance: annual surveillance audit, risk review and KPI reporting.
15) Control matrix (simplified)
16) RACI by ABMS
17) Template clauses (fragments)
Anti-corruption clause in the contract: "The Parties confirm compliance with applicable anti-bribery laws... a breach is material and entitles the other Party to immediate termination."
Gifts and hospitality: "Gifts/entertainment above limits or any form of cash payment are prohibited. Any exceptions shall be subject to prior written approval by ABCO."
Intermediaries/Affiliates: "Engaging sub-intermediaries without written consent is prohibited; the Party shall provide access to documents for spot audits."
Whistleblowing: "The Company provides confidential channels and prohibits any retaliation against bona fide whistleblowers."
18) Frequent mistakes and how to avoid them
"Policies on paper" without registers and monitoring. Solution: KPI dashboard, quarterly checks.
No DD for affiliates/agents. Solution: standard questionnaires, sanctions screening, audited reports.
No single ABMS owner. Solution: appoint an ABCO with mandate and resources.
A blanket zero limit on gifts. Solution: reasonable thresholds plus an exceptions process through the committee.
Ignoring red flags. Solution: alert automation and SLA-based escalation.
19) Artifact Pack (keep in repository)
ABMS Policy, G&H Policy, Conflicts of Interest Policy.
Contractual anti-corruption clause templates.
Registers of gifts/hospitality and of contacts with government bodies.
Due Diligence procedure + forms and checklists.
Training plan + course content/tests.
Investigation procedure + whistleblower runbook.
Audit plan, internal audit reports, CAPA.
Risk Matrix and Control Matrix (ABMS ↔ ISO 37001).
Conclusion
ISO 37001 is not just a certificate but a sustained management loop: risks → policies → due diligence → training → monitoring → investigations → improvement. For an iGaming/fintech company it disciplines work with affiliates, licensing and marketing, reduces the likelihood of incidents and increases the confidence of regulators and partners. Start with the risk assessment and baseline policies, then implement the registers and DD, training and internal audit; once the processes have bedded in, proceed to certification.