License renewals and inspections
1) Purpose and scope
Ensure timely renewal of current licenses and successful completion of scheduled/unscheduled inspections without business disruption or risk to the brand and players. Coverage: B2C/B2B licenses, gaming/payment permits, RG/AML/GDPR/information security domains, technical certifications (RNG/PCI/SOC/ISO), local advertising permits/affiliates.
2) Principles
Zero delinquency risk. Deadlines in the calendar, duplicate reminders and backup owners.
One source of truth. Unified register of requirements, document versions and statuses.
Evidence. Each statement is confirmed by an artifact (file/log/screen/ticket number).
Continuous readiness. "Always ready" for inspection: compliance dashboard, current policies, audit logs.
Transparent CAPA. Every regulator comment is closed by measurable actions within the SLA.
3) Roles and RACI
License Program Owner (Head of Compliance) - strategy, registry of requirements, calendar. (A)
Legal Counsel - legal forms, affidavits, interpretation of norms. (R/C)
Finance/CFO - fees/duties, bank guarantees, reporting. (R)
AML Officer/RG Lead/DPO/CISO - substantive correspondence for their area. (R)
Payments Lead/Game Providers Ops - evidence on PSP/PCI and game integrity. (R)
Internal Audit - pre-assessment, independent reviews, CAPA control. (C/R)
Exec Sponsor (CEO/COO) - S1 escalations, high-level interaction. (I/A)
4) License Renewal Lifecycle
T-120...T-90 days: requirements audit, readiness audit (gap analysis), confirmation of financial indicators/ownership structure/beneficiaries.
T-90...T-60: collection and updating of documents (policies, reports, certificates), approval of forms, preparation of payments and guarantees.
T-60...T-30: uploading the package to the portal/SFTP/by mail, clarification requests, recording receipts, pre-booking on-site/remote slots.
T-30...T-0: closure of regulator issues, confirmation of payment, publication/receipt of a new certificate/letter of extension.
T+: post-check: update showcases and statuses on the site/in partner offices, save artifacts, hold a retro.
5) Register of requirements (card structure)
LIC-ID: <code> / Jurisdiction: <regulator> / Type: B2C/B2B/other
Valid from <date> to <date> / Renewal Deadline: <date, TZ>
Compliance formulas: GGR/capital/guarantees/technical certs
List of documents: policies/reports/certificates/questionnaires/affidavits
Submission channel: Portal/API/SFTP/Mail / Format: PDF/CSV/XML/XLSX
Fees/guarantees: amount, currency, invoice, payment terms
Regulator contacts: email/portal ID/phone
Special conditions: localization of language, certification, notary/apostille
Package version: vX.Y / Owner / Backup owner / Last check
6) Documents and evidence (typical list)
Corporate: statutory documents, ownership structure/beneficiaries (UBO), Good Standing.
Finance: audited accounts, proof of payment of fees/taxes, bank guarantees/insurance.
Operations/Compliance: current policies (KYC/KYB, AML/CFT, RG, GDPR/PII, marketing/affiliates), personnel training logs.
Technology/information security: zone architecture, PCI segmentation, SOC/ISO, pentest reports, ASV vulnerability scans, change/access logs.
Game integrity: RNG register/build versions, RTP reports, provider incidents and freeze procedures.
Incident processes: status page, notification templates, DPA/regulator reports, MTTA/MTTR/TTS logs.
Reports to regulators: register of deadlines, receipts, reconciliations with GL/PSP.
7) Inspections: formats and expectations
Remote review: correspondence/portal, video sessions, demonstration of systems (screen-share), uploading logs and configurations.
On-site: interviews (Compliance, AML, RG, DPO, Tech/Payments, IA), walkthrough demos, case samples (KYC, SAR/STR, DSAR, RG interventions, chargebacks), access policy checks, PCI inspection - zones/DR-rooms.
Sampling & Evidence: the regulator selects the sample; be ready to provide anonymized/pseudonymized data, ticket numbers, screenshots with timestamps.
8) Readiness checklists (abbreviated)
8.1 General, before submission
- Calendar and deadline confirmed; duplicate reminders have been created (T-90/T-60/T-30).
- Fees/guarantees paid; receipts and bank advices saved.
- Policy/procedure versions are up-to-date and signed.
- Certificates (PCI/SOC/ISO/RNG) are valid as of the renewal date.
- The package is localized (language, format); notarization/apostille is completed.
- All forms are completed without gaps; four-eyes review applied.
8.2 By discipline
AML/CFT: SAR/STR on time; PEP/Sanctions journals; scoring techniques; caseboard KPI.
KYC/KYB: verification levels, DPA with providers, queues ≤ SLAs, evidence of failures/escalations.
RG: self-exclusion/limits synchronized; communication templates; effectiveness of interventions.
GDPR/DPO: RoPA, DSAR ≤ 30 days, DPIA, processor contracts/SCC, incidents and notifications.
PCI/Payments: segmentation, tokenization, ASV/pentests, access logs, chargebacks/disputes, fallback PSP.
Game integrity: RTP-drift monitoring, RNG/build versions, provider incident logs.
Reporting: regulatory receipts; GL/PSP reconciliations; schema validators.
Incidents: TTS/MTTR in SLA, notification acknowledgements, artifact packages.
9) Risks and precautions
Renewal delay (S1): T-90/T-60/T-30 triggers, backup owner; "plan B" (temporary suspension of marketing/registrations in the jurisdiction, informing partners).
Incomplete package/form errors: pre-validation checklist + four-eyes control, sandbox pilot, automatic format linters.
Failed audits/certifications: early gap analysis and CAPA with buffer ≥ 30 days.
Management/UBO changes: prepare affidavits/notarizations in advance, tracked by Legal.
Change in tech landscape: release notes for the regulator, compliance map "what has changed and why it is safe."
10) CAPA on inspection comments
Finding Card: fact → criterion → risk → impact → recommendation → work plan → owner → deadline → success metrics.
Closing SLA: S1 ≤ 30 days; S2 ≤ 60; S3 ≤ 90; S4 - as agreed.
Verification: evidence of implementation (screens/logs/policies/test results), Internal Audit signature, Verified status.
Escalation: S1/S2 delays - to the weekly Management Review, quarterly report to the Audit Committee.
11) Renewal Finance
Fees/duties: rate table, exchange rates, recipient accounts, payment deadlines.
Guarantees/insurance: amounts, type (bank guarantee/insurance bond), expiration date, renewal conditions.
Budget: payment calendar by jurisdiction, buffer for unscheduled inspections/translations of documentation.
12) Dashboard "License & Inspections"
License Timeline: validity period, T-90/T-60/T-30 deadlines, package progress (% of documents ready).
Inspection Queue: upcoming visits/meetings, status checklists.
Evidence Coverage: Proportion of items with attached artifacts.
CAPA Progress: Completed/In Progress/Overdue, median closing time.
Risk Heatmap: probability × impact by jurisdiction/area.
Readiness Index: integrated readiness score (AML/KYC/RG/GDPR/PCI/Games/Reporting).
13) Templates (quick inserts)
A) Cover Letter (extension)
B) Response to Queries (RFI/RFQ)
C) On-site Agenda
D) Post-Inspection Update
14) Document and privacy management
DMS/Repo: structuring by jurisdictions, versions, document classes; RBAC/ABAC access control.
PII/confidentiality: pseudonymization/masking, separate storage area for sensitive data, encryption at-rest/in-transit.
Access logs: immutable, periodically reviewed.
15) Interrelated processes
Regulatory reports and data formats - sources of uploads and receipts.
Compliance dashboard - inspection metrics.
Incident playbooks/Notifications - evidence of timeliness.
Internal/external audit - pre-assessment and readiness for certifications.
16) Frequent mistakes and how to avoid them
Sending a "policy on paper" with no operational logs → always attach evidence of operation (samples, logs, tickets).
Inconsistencies in dates/timezones → all timestamps in UTC, locale separately.
Expired certificates (PCI/SOC/ISO) in the package → 60 days buffer and reminders.
Unaccounted changes in the architecture → changelog and the map for the regulator.
No backup owner → assign a backup-owner for each license.
17) Implementation plan (30 days)
Week 1
1. Inventory of all licenses/permits and expiration dates.
2. Creation of a register of requirements and cards (Section 5).
3. Set up the deadline and reminder calendar (T-90/T-60/T-30).
Week 2
4. Gap analysis of readiness by area (AML/KYC/RG/GDPR/PCI/Games/Reporting).
5. Collecting a basic package of documents; alignment of formats/locales.
6. Preparing Cover Letter/On-site Agenda/Response to Queries templates.
Week 3
7. Pilot "dry" inspection (table-top) and correction of gaps.
8. Setting up the License & Inspections dashboard and Readiness Index.
9. Create CAPA registry and approval routes.
Week 4
10. Submitting the next renewals to the sandbox/portal (if available).
11. Retro on the pilot, edits to packages and checklists, approval of v1.0.
12. Approval of annual inspection calendar and designation of backup owners.