GH GambleHub

Compliance dashboard and monitoring

1) Purpose and area of responsibility

A single dashboard for daily compliance monitoring: licenses and regulators, data protection (GDPR/PII), payments and PCI, AML/CFT, responsible gaming (RG), marketing and affiliate policies, game providers, mandatory notifications and reporting. The dashboard serves as the source of truth for Compliance/Legal/Security/Payments/RG/AML and for audit materials.

2) Roles and RACI

Product owner (Head of Compliance) - vision, priorities, version releases. (A)

Data Owner (DWH Lead) - schemas, freshness SLAs, lineage. (R)

Compliance Analysts/AML/RG - setting up KPI/KRI, alerts, interpretation. (R)

Security/DPO - GDPR/PII/incidents, rights of data subjects. (R)

Payments Lead - PSP/PCI, refunds, chargebacks. (R)

CS/CRM - communications to affected customers. (C)

Legal - interpretation of norms, coordination of notification texts. (C)

Engineering - collection of telemetry, integration of providers. (R)

3) Dashboard framework: sections and key widgets

3.1 KYC/KYB

KYC Completion Rate (D-1) = verified accounts / new registrations.
Pending > SLA (count): requests in the queue longer than X hours.
Tier Escalations: transfers to an increased level of verification.
False Positive Rate (KYC fraud flags).
Documents expiring ≤30 days (passport/address).

3.2 AML/CFT

SAR/STR Queue: open cases by stage.
High-Risk Segments: % of turnover from customers in high-risk countries/methods.
Unusual Patterns (velocity/structuring): anomaly detector (day).
PEP/Sanctions Hits: new matches, time-to-review.
Average Case Closure Time and % within SLA.

3.3 Responsible Gaming (RG)

Self-Exclusion/Timeouts: new/active, deposit refunds.
Loss/Session Limit Breaches: violations, % of notifications processed.
Vulnerable Players Outreach: Reach and contact time.
RG Interventions Efficacy: reduction of post-intervention losses.

3.4 Payments and PCI

PSP Health: auth-rate, decline-rate, latency by method/geo.
Chargeback Ratio (М-к), Refund SLA, Disputes Age.
PCI Events: vulnerability scans, key rotation, PAN tokenization.
Anomalous Cashouts: exceeding thresholds/scoring.

3.5 GDPR/PII and Incidents

Data Access Requests (DSAR): incoming/within SLA, overdue.
Privacy Incidents: open/closed, TTS (time-to-statement), MTTR.
PII Inventory Drift: changes to the field/retention registry.
Breach Notification Timeliness: % of notifications on time.

3.6 Regulator/Licenses

Mandatory reports: deadline calendar (30/7/1 day).
Advertising/Bonus Compliance: Non-conformance Flags by Market.
Log of interaction with regulators: status of tickets/requests.

3.7 Marketing/Affiliates

Attribution Integrity: postback/pixel discrepancies, "missing clicks."

Compliance Flags: banned creatives/target groups.
Partner Score: partner discipline index (KPI/deadlines/complaints).

3.8 Game Providers and Fairness

RTP Drift Monitor: deviations from the declared RTP (granularity: title/studio).
Fairness Incidents: round stops/mismatches, balance errors.
Game Provider Health: API errors, share of unavailability.

4) Thresholds and severity (example)

S1 (critical): auth rate of a top PSP < 60% for ≥ 15 min; confirmed PII leak; mass RG violations.
S2 (high): chargeback ratio > 1.5% in 7 days; DSAR > SLA for 48 hours; KYC conversion drop > 20% d/d.
S3 (medium): increase in game provider failures > 5% hour over hour; 2+ partners with banned creatives.
S4 (low): local defects, single complaints.

Update SLA: S1 - first message ≤15 min; S2 - ≤30 min; S3 - according to the shift schedule.

5) Alert rules (skeleton)

Detect: metric X exceeds threshold Y in window Z.
Suppress/Dedupe: group by market/method/provider.
Route: channel (war-room/on-call/status), RACI recipients.
Escalate: auto-escalation when duration > T or the alert repeats N times/day.
Explain: playbook reference and FAQ for CS.
Record: auto-logging to the incident log + snapshot of graphs.

6) Data sources and architecture

Transaction logs: deposits/withdrawals/gaming sessions.
KYC/KYB providers: check statuses, reasons for failures.
AML systems/SIEM: alerts, cases, scoring.
PSP/Acquirer/Card Schemes: API of reports and statuses.
CRM/CS: cases, macros, outbound notifications.
Status page/incident bot: timelines, message texts.
GDPR/PII registers: DSAR, retention, processors.
Game Providers: API telemetry, RTP, statuses.

Data requirements:
  • Freshness SLA: KYC/PSP - ≤15 min; AML/SIEM - ≤5 min; DSAR — D-1; RTP — D-1; RG - ≤15 min.
  • Lineage: each field with a source/transform.
  • Quality: schema validators (required fields, code registers, deduplication).

7) Formulas and KPI/KRI definition (sample)

Auth Rate (method/geo): `approved / attempts`.
Chargeback Ratio (monthly): `chargebacks / successful transactions`.
KYC Completion Rate: `verified_accounts / new_registrations`.
SAR Submission Timeline: `% of SARs sent ≤ X hours after trigger`.
DSAR SLA: `% of requests closed ≤ 30 days`.
RTP Drift (title): `|observed_RTP − declared_RTP|`.
RG Outreach SLA: `median(time_contacted − time_triggered)`.

8) Widgets (templates)

8.1 "Regulatory deadlines" (calendar):

List of reports with deadline, owner, readiness (%), risk of delay.
Filters: jurisdiction, type (license/AML/games).

8.2 "PSP Map" (geo/methods):

Heat map of auth rate, latency and incidents over 24 hours.

Click → detail by provider/method → link to playbooks.

8.3 “GDPR/DSAR Pipeline”:

Funnel: received → in progress → pending verification → closed.
Delays with reasons.

8.4 “AML Caseboard”:

Kanban by stage: Detection → Review → SAR → Closed.
SLA timer, automatic highlighting of delays.

8.5 “RG Risk Monitor”:

Limit breaches, self-exclusions, contacts; effectiveness of interventions.

9) Access policies and auditing

RBAC/ABAC: Analysts see aggregates; access to PII - only through masking/DPO layer.
Activity log: who opened/changed thresholds and rules.
Versioning: alert and KPI formula configurations in Git; releases with changelog.

10) Integration with incident process

The "Declare Incident" button from the widget → a pre-filled ticket (ID, screenshots, levels S1-S4).
Auto-generation of a holding statement (status page/CS macro).
Links to: Incident playbooks, Notifications and deadlines, Crisis management.

11) Data quality control (DQ)

Coverage: completeness of events vs. reference (PSP report).
Consistency: amounts/currencies/timezones.
Outliers: IQR/3σ, visual flag.
Backfill: reload procedures and marks on retroactive changes.
DQ alerts: on a freshness drop, a rising share of nulls, or a discrepancy between aggregates.
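
Three of the checks above (freshness, coverage against a PSP reference report, IQR outliers) as an added example, not the site's own code. The freshness values are the SLAs from section 6, with D-1 modeled as 24 hours as an assumption; the function names and sample data are hypothetical.

```python
from datetime import datetime, timedelta
from statistics import quantiles

# Freshness SLAs from section 6; D-1 is modeled as 24 hours (assumption).
FRESHNESS_SLA = {
    "KYC": timedelta(minutes=15), "PSP": timedelta(minutes=15),
    "AML": timedelta(minutes=5), "RG": timedelta(minutes=15),
    "DSAR": timedelta(days=1), "RTP": timedelta(days=1),
}

def stale_sources(last_event, now):
    """Freshness: sources whose newest event breaks the SLA or that sent nothing."""
    return sorted(src for src, sla in FRESHNESS_SLA.items()
                  if src not in last_event or now - last_event[src] > sla)

def coverage(our_ids, reference_ids):
    """Coverage: share of reference (PSP report) ids present in our events."""
    ref = set(reference_ids)
    missing = ref - set(our_ids)
    ratio = 1.0 if not ref else 1 - len(missing) / len(ref)
    return ratio, sorted(missing)

def iqr_outliers(values, k=1.5):
    """Outliers: indices of values outside [Q1 - k*IQR, Q3 + k*IQR]."""
    q1, _, q3 = quantiles(values, n=4)
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [i for i, v in enumerate(values) if v < lo or v > hi]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)                 # constructed sample data
    seen = {"KYC": now - timedelta(minutes=10), "PSP": now - timedelta(minutes=20),
            "AML": now - timedelta(minutes=6), "RG": now - timedelta(minutes=1),
            "DSAR": now - timedelta(hours=2)}         # RTP feed sent nothing
    print("stale:", stale_sources(seen, now))
    print("coverage:", coverage(["t1", "t2", "t4"], ["t1", "t2", "t3", "t4"]))
    print("outliers:", iqr_outliers([100, 102, 98, 101, 99, 103, 97, 500]))
```

A source that is missing from the input counts as stale, so a feed that silently stops is reported instead of being skipped.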

12) Checklists

Before dashboard release

  • KPI/KRI and formulas are approved.
  • Alert thresholds and routing are configured.
  • Widget owners and freshness SLAs are registered.
  • Action logging and artifact export are enabled.

Weekly

  • Review of thresholds against the week's incidents.
  • Check of false positives and missed detections.
  • Reconciliation to regulator/PSP reports.

Quarterly

  • Audit of PII access and masking.
  • Revision of KPI/KRI for new license requirements.
  • Drills: AML SAR, GDPR DSAR, PSP failure.

13) Artifacts and exports

Dashboard snapshots during S1/S2 (PNG/PDF).
KPI export (CSV/Parquet) with hashes and time signature.

Alert logs with the cause and a "link to incident" button.

Register of deadlines/notifications (connection with tickets and confirmations).
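
One way to produce the "KPI export with hashes and time signature" artifact, as an added example that is not the site's own code. It assumes "time signature" means a UTC export timestamp covered by an HMAC-SHA256 signature over the manifest; the function names, manifest fields, key and sample row are hypothetical.

```python
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON of every field except the signature."""
    body = {k: v for k, v in manifest.items() if k != "hmac_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def export_kpi(rows, fieldnames, key, now=None):
    """Serialize KPI rows to CSV bytes and return them with a signed manifest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    data = buf.getvalue().encode("utf-8")
    manifest = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "rows": len(rows),
        "exported_at": (now or datetime.now(timezone.utc)).isoformat(),
    }
    manifest["hmac_sha256"] = sign_manifest(manifest, key)
    return data, manifest

def verify_export(data, manifest, key):
    """True only if the manifest signature is valid and the file matches its hash."""
    sig_ok = hmac.compare_digest(sign_manifest(manifest, key),
                                 str(manifest.get("hmac_sha256", "")))
    hash_ok = hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                                  str(manifest.get("sha256", "")))
    return sig_ok and hash_ok

if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumption: the real key is held in a KMS/HSM
    rows = [{"kpi": "auth_rate", "market": "DE", "value": "0.91"}]  # constructed
    data, manifest = export_kpi(rows, ["kpi", "market", "value"], key)
    print(manifest)
    print("intact:", verify_export(data, manifest, key))
    print("edited:", verify_export(data.replace(b"0.91", b"0.99"), manifest, key))
```

An HMAC proves integrity only to holders of the key; where an external auditor must verify exports independently, an asymmetric signature over the same manifest fills that role.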

14) Alert set (example rules)

PSP.AuthRate < 70% (15 min, 3 zones) → S2, "Payments On-Call" channel, escalation after 30 min.
GDPR.DSAR > 30 days (≥10 requests) → S2, "DPO On-Call", Legal report.
AML.PEP Matches New > 0 (day) → S3, AML channel, auto-creation of cases.
RG.SelfExclusions Spike > p95 (day) → S3, RG channel + CS brief.
Game.RTP Drift > 0.7 p.p. (7 days) → S2, Provider Ops, freeze title.
Compliance.Report Deadline ≤ 7 days & Progress < 50% → S3, Compliance channel.
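
The PSP auth-rate rule above, run through the Detect, Suppress/Dedupe, Route and Escalate steps of section 5, as an added example (not the site's own code). It assumes "(15 min, 3 zones)" means the auth rate is computed per zone over a 15-minute window and the rule fires when at least 3 zones are below 70%; the Sample and Rule types and the zone names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Sample:                      # hypothetical per-zone PSP counter snapshot
    ts: datetime
    zone: str
    approved: int
    attempts: int

@dataclass(frozen=True)
class Rule:                        # PSP.AuthRate < 70% (15 min, 3 zones) -> S2
    threshold: float = 0.70
    window: timedelta = timedelta(minutes=15)
    min_zones: int = 3             # assumption: zones that must breach together
    severity: str = "S2"
    channel: str = "Payments On-Call"
    escalate_after: timedelta = timedelta(minutes=30)

def breaching_zones(samples, rule, now):
    """Detect: zones whose auth rate over the window is below the threshold."""
    totals = {}
    for s in samples:
        if now - rule.window < s.ts <= now:
            a, n = totals.get(s.zone, (0, 0))
            totals[s.zone] = (a + s.approved, n + s.attempts)
    # Zones with zero attempts are skipped: no traffic is a freshness problem.
    return sorted(z for z, (a, n) in totals.items() if n and a / n < rule.threshold)

def evaluate(samples, rule, now, open_since=None):
    """Return (alert or None, open_since); one alert per rule, zones grouped in it."""
    zones = breaching_zones(samples, rule, now)
    if len(zones) < rule.min_zones:
        return None, None          # condition cleared, escalation timer resets
    open_since = open_since or now
    alert = {"rule": "PSP.AuthRate", "severity": rule.severity,
             "channel": rule.channel, "zones": zones, "open_since": open_since,
             "escalated": now - open_since >= rule.escalate_after}
    return alert, open_since

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0)                    # constructed sample data
    counts = {"DE": 60, "FR": 65, "PL": 50, "ES": 90}   # approved per 100 attempts
    state = None
    for minute in (0, 15, 30):
        now = t0 + timedelta(minutes=minute)
        batch = [Sample(now - timedelta(minutes=5), z, ok, 100) for z, ok in counts.items()]
        alert, state = evaluate(batch, Rule(), now, state)
        print(now.time(), alert["severity"], alert["zones"], "escalated:", alert["escalated"])
```

The caller keeps `open_since` between evaluations; passing it back in is what lets the same open alert escalate after 30 minutes instead of being re-raised as a new one.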

15) Quick start (30 days)

Week 1

1. Agree on the list of KPI/KRI and thresholds (sections 3-7).
2. Identify freshness SLAs and data mart owners.
3. Stand up the dashboard skeleton (empty widgets + sources).

Week 2

4. Connect PSP/KYC/AML/RG streams.
5. Configure 6 critical alerts (section 14).
6. Link to the incident bot and status page.

Week 3

7. Data quality validation (DQ-checklist).
8. Pilot on on-call week, collecting feedback.
9. Formula/threshold documentation in Git.

Week 4

10. Release v1.0, user training.
11. Post-release retro, threshold adjustment.
12. Plan v1.1: new widgets (RTP, Partner Score) and reports.

Related sections:
  • Incident playbooks and scripts
  • Notices of Violations and Reporting Deadlines
  • Crisis management and communications
  • Business Continuity Plan (BCP)/DRP
  • Transaction Audit Logs
  • Notification and alert system