
Staff compliance awareness

1) Objective and coverage area

Build a sustainable culture of compliance in which every employee understands what is allowed and what is not, can recognize risks, and knows how to act (escalation, help channels). Coverage: all functions (Operations, Payments, RG/AML/KYC/KYB, Marketing/Affiliates, Game Ops, Data/Engineering, CS, Finance, Legal/DPO, IS), contractors and temporary workers.

2) Program principles

Tone from the top: public support from CEO/Exec.

Simplicity and applicability: "what to do tomorrow on shift."

Micro-format: short modules 5-10 min, regularity.
Localization: market language, local cases/rules.
Evidence: completion logs, artifacts, certification.

Continuity: the cycle "learn → apply → measure → improve."

3) Roles and RACI

Owner: Head of Compliance/Compliance Awareness Lead - strategy, content, calendar. (A)

L&D/Training Lead: LMS, schedule, attendance control. (R)

Process Owners (KYC/AML/RG/Payments/Marketing/Game Ops/Data/Legal/InfoSec): expertise and cases. (R)

DPO/Legal: wording correctness, privacy, localization. (C)

Internal Audit: independent verification of completeness/records. (C)

HR: onboarding/offboarding, completion discipline. (R)

Comms/Brand: visual design, campaigns. (R)

Exec Sponsor: public messages, resources, escalations. (I/A)

4) Content framework (awareness modules)

1. Code of conduct and help channels (whistleblowing, no retaliation).
2. KYC/KYB and protecting vulnerable players (the role of each).
3. AML/sanctions/PEP (signals, prohibition of tipping-off, escalation).
4. RG: responsible gaming (limits, self-exclusion, correct scripts).
5. GDPR/PII (minimization, DSAR, "do not share more than necessary").
6. PCI/Payments (PAN data, tokenization, chat/ticket bans).
7. Marketing/Affiliates/Advertising (age filters, prohibited creatives).
8. Incidents and notifications (when and what to report, first steps).
9. Anti-phishing/information security hygiene (passwords, MFA, phishing simulations).
10. Conflicts of interest/gifts/ethics.

Each module: 5-7 slides + mini-case with 2-3 questions + "what to do tomorrow" (shift checklist).

5) Formats and frequencies

Onboarding (T + 14 days): basic package (modules 1-7), short test ≥ 85%.
Quarterly campaigns: thematic (GDPR week, AML week...).
Monthly micro lessons: 5-10 min with 1 case and 3 questions.
Table-top/role-play (quarter): end-to-end scenario by function.
Phishing simulations (2-4 times/year): with training after clicking.

Posters/intranet/bot: "Rule of 3 steps," "What not to write in a ticket."

Vendor workshops: KYC/PSP/game providers - 1-2 times/year.

6) Campaigns and messaging (examples)

GDPR week: "Do not store - do not lose" → checklist: do not send PII by email, mask screenshots, DSAR ≤ 30 days.
AML week: "Notice structuring - save the license" → checklist: velocity/structuring signals, where to escalate.
RG week: "Play responsibly, support players" → correct CS answers, procedure for dealing with players who exceed limits.
PCI week: "PCI starts with you" → prohibited fields in chat/tickets, secure replacements.
Ads/Affiliates week: "Advertising without fines" → prohibited creatives, age filters, reporting "toxic" traffic.

7) Tools

LMS: courses, tests, certificates, coverage/on-time reports.
Communication bot (Slack/Teams): quizzes of 1-2 questions per week, reminders.
Intranet hub: one-pagers by topic, FAQ, message templates.
Posters/screensavers: short rules, QR code to the hub.
Phishing platform: simulations, personal tips.
"Ask compliance" form: quick response/escalation.

8) Performance Metrics (KPI/KRI)

Coverage: % of employees with the current course (target ≥ 98%).
On-time completion: % completed on time (target ≥ 95%).
Recall: proportion of correct responses after 30 days (> 80%).
Behavior change: reduction of tipping-off incidents, share of correct CS scripts.
Phishing resilience: CTR ↓, simulation reports ↑.
Escalation quality: completeness of artifacts in escalations (template, ID, logs).
Whistleblowing: reports ≠ zero; reaction and closing times.

9) Checklists

9.1 Before starting the program

  • "Tone from the top" is approved.
  • Annual campaign calendar and theme owners are assigned.
  • Content is localized; examples are tailored by market and function.
  • LMS is connected to HRIS (onboarding/offboarding).
  • Coverage/on-time/pass rate reports are configured.
  • Posters, one-pagers, and quiz bots are ready.

9.2 During the campaign

  • Channel reminders (chat/mail/boards).
  • Q&A session with experts (30 min).
  • Short "Get the Point" survey (3 questions).
  • Collecting feedback and questions "in the field."

9.3 After the campaign

  • Report: coverage/recall/behavior.
  • CAPA for identified gaps (scripts, macros, processes).
  • Updating FAQs and one-pagers.

10) Scripts (role-play) - quick inserts

A) CS × RG:
  • The player exceeded the loss limit.
  • Correct: "We see that the limit you set has been reached. According to the rules of responsible play, we will temporarily restrict access to protect you. Here's how you can set limits..."
B) CS × AML (no tipping-off):
  • Withdrawal held for verification.
  • Correct: "The payment is going through a standard security check. We will notify you as soon as it is complete."
C) Payments × PCI:
  • Customer sent PAN to chat.
  • Correct: "For security reasons, do not send a card number. Please use the secure payment form."
D) Marketing × Ads:
  • Partner offers aggressive creative aimed at under-18s.
  • Correct: "We need age filters and correct disclaimers. Otherwise, we refuse."
E) Data × GDPR:
  • Colleague requests a full PII export "for analysis."
  • Correct: "A legal basis and minimization are needed. Let's provide aggregates/pseudonymized data on request via the DPO."

11) Communications and "tone"

Quarterly video from Exec: "Why compliance is part of the strategy."

Success stories: "Employee N noticed the risk in time - avoided a fine."

Badges/gamification: points for quizzes, "Compliance Champion" of the month.
Safe environment: mistakes are treated as learning, not as punishment (except in cases of malice).

12) Artifacts and retention

Completion records (LMS), test results, certificates.
Campaign materials (slides, recordings), Q&A, posters/one-pagers.
KPI/KRI reports, CAPA plans and status of their implementation.
Retention period - according to the training/audit policy (usually 5-7 years).

13) Content Change Management

Versioning (vMAJOR.MINOR.PATCH), changelog.
Update triggers: new rules, incidents, audit findings.
Process: Draft → Legal/DPO Review → Pilot → Release → Measurement.

14) Risks and prevention

"Tick-box learning" → add cases and observed behavior metrics.
Content overload → micro-lessons, one-pagers, repetition of key points.
Lack of localization → local examples/language/payment realities.
Zero calls to the hotline → remember: this signals a risk of silence. Promote trust and anonymous channels.

15) Fast start (30 days)

Week 1

1. Assign an owner, approve KPI goals (coverage ≥ 98%, on-time ≥ 95%).
2. Create an annual calendar of campaigns and roles.

3. Prepare "tone from the top."

Week 2

4. Deploy the hub (intranet) and LMS; connect HRIS/SSO.
5. Assemble the basic course (modules 1-6) + test; prepare posters/one-pagers.
6. Set up bot quizzes and phishing simulation #1.

Week 3

7. Pilot on 2-3 teams (CS, Payments, Marketing).
8. Collect feedback; adjust scripts and cases.
9. Launch weekly micro-lessons (one question each).

Week 4

10. Mass launch; daily coverage/on-time monitoring.
11. Management report: first KPIs, incidents, behavior changes.
12. Plan v1.1: add RG/Ads cases and localizations.
