
MGA Audit Prep: One Session, Complete Evidence Package

BastionPlay is an MGA-licensed iGaming operator headquartered in Malta, serving approximately twenty-five thousand monthly active players across the European and UK markets. The platform operates three verticals — online casino, sportsbook, and poker — generating around $8M per week in gross gaming revenue, primarily settled in EUR and GBP. Two weeks from today, MGA auditors will walk through the door. Elena Vasquez, Head of Risk and Compliance, is the one who has to make sure they find exactly what they need to find.

Products used: Compliance Dashboard, Regulatory Reporting, Player Protection Analytics

40 minutes | complete audit evidence package, compiled in one session

12 | compliance areas covered end to end

2 weeks | the time this previously took, now done in a single morning


Challenge

Every MGA compliance audit follows the same basic architecture: twelve areas of scrutiny, each requiring documented evidence, timestamped logs, and quantified outcomes. AML program effectiveness. Player protection measures — self-exclusion, deposit limits, cooling-off periods. RTP verification across every live game title. Transaction monitoring coverage. Responsible gambling compliance rates. For a multi-vertical operator at BastionPlay's scale, assembling that evidence package has historically been a two-week project involving three departments, four data exports, and more spreadsheet hours than anyone on the compliance team wants to count.

Elena joined BastionPlay eighteen months ago from a UK Gambling Commission-regulated operator, and her first audit cycle under MGA rules was a crash course in how operationally punishing the process could be. The prior compliance team had assembled everything manually — one analyst pulling player protection data from the player management system, another cross-referencing transaction monitoring logs from the payments platform, a third exporting RTP reports directly from each game provider's portal. The outputs arrived in incompatible formats, dated differently, and nobody had a single view of whether everything was actually consistent. The final package went to the auditors two days late with a cover letter apologizing for two figures that couldn't be reconciled before the deadline. Auditors noted the gaps.

"The data existed. It always existed. But it lived in seven different systems that had never been made to talk to each other, and reconciling them manually was like trying to edit a document where each paragraph lives in a different application. You spend two weeks on logistics when the auditors actually want to assess your compliance posture, not your formatting."

— Elena Vasquez, Head of Risk & Compliance, BastionPlay

This audit cycle, the timeline is the same — two weeks' notice, twelve areas, a complete evidence package required — but Elena's approach is different. She opens Gaming Mind AI on a Tuesday morning, makes herself a second espresso, and works through the entire package in a single session.


Solution

Gaming Mind AI holds BastionPlay's compliance data across all three verticals, integrated with the player management system, transaction monitoring layer, game provider feeds, and the responsible gambling platform. Elena doesn't have to specify which system to query or how to join the datasets. She asks questions the way she would brief a senior analyst — and the AI responds with the evidence, the commentary, and the context auditors will actually want to read.

Here is what the session looks like:


Elena: "Pull the MGA compliance audit checklist and show me current status across all 12 areas."

| # | Compliance Area | Status | Evidence Completeness | Gap / Action |
|---|---|---|---|---|
| 1 | AML Program Effectiveness | 🟢 Green | 100% | None |
| 2 | Player Protection (Self-Exclusion, Limits) | 🟢 Green | 100% | None |
| 3 | Transaction Monitoring Coverage | 🟡 Amber | 85% | GBP >£5K config narrowed 2 weeks ago — remediate |
| 4 | Responsible Gambling Compliance | 🟢 Green | 100% | None |
| 5 | RTP Verification — Casino & Slots | 🟢 Green | 100% | None |
| 6 | RTP Verification — Poker Vertical | 🟡 Amber | 78% | 17 new table variants added in last 90 days not formally logged |
| 7 | KYC Process Records | 🟢 Green | 100% | None |
| 8 | Data Protection Compliance | 🟢 Green | 100% | None |
| 9 | Game Fairness Attestations | 🟢 Green | 100% | None |
| 10 | Operator Licence Condition Adherence | 🟢 Green | 100% | None |
| 11 | Marketing Compliance Records | 🟢 Green | 100% | None |
| 12 | Technical Standard Certification Index | 🟢 Green | 100% | None |

⚠️ Gaming Mind flags: 10 of 12 compliance areas are green. Two amber gaps identified: (1) RTP documentation for 17 new poker table variants added in the past 90 days, and (2) a transaction monitoring configuration update 2 weeks ago that inadvertently narrowed the GBP >£5,000 deposit rule scope. Neither is a substantive compliance failure — both are documentation gaps. Estimated remediation time: 4 hours, not 4 days.

The first screen gives Elena what she needs before she's halfway through her espresso. Ten of twelve compliance areas show green — evidence available, complete, and current. Two are amber: RTP verification for the poker vertical, where a new provider integration added seventeen table variants in the last ninety days that haven't been formally logged yet, and transaction monitoring coverage for GBP deposits above £5,000, where a configuration update two weeks ago narrowed the rule scope inadvertently. Neither is a substantive compliance failure. Both are documentation gaps that become audit findings if left unaddressed. Gaming Mind flags them with the specific remediation steps required and estimates that closing both gaps will take four hours of work, not four days. Elena marks them for action at the end of the session and moves to the areas auditors always scrutinize most closely.


Elena: "Walk me through AML program effectiveness — suspicious transaction reports, investigation closure rates, SAR filings, the works."

| AML Metric | Value | Benchmark / Context |
|---|---|---|
| SARs filed (trailing 12 months) | 23 | 0.019% of active accounts — consistent with MGA expectations |
| Open investigations — Level 1 (pattern detected, monitoring) | 8 | Normal operating load |
| Open investigations — Level 2 (enhanced due diligence) | 2 | In progress |
| Open investigations — Level 3 (SAR submitted, law enforcement) | 1 | Liaison ongoing |
| Average days-to-close (full year) | 5.4 days | Down from 8.1 days 12 months ago |
| Days-to-close improvement (12-month trend) | 33% reduction | Attributable to Q2 workflow changes |
| False positive rate — current | 14% | Down from 31% twelve months ago |
| False positive improvement | −17 pp | Demonstrates genuine program maturity |

⚠️ Gaming Mind flags: AML picture is strong across all dimensions. SAR filing rate of 0.019% of active accounts is consistent with MGA expectations for BastionPlay's transaction volume. False positive rate improvement from 31% to 14% over 12 months demonstrates genuine program maturity — not just filing volume. Average days-to-close has improved 33% year-over-year. Full 12-month trend data exported with MGA audit template headings pre-populated.

The AML picture is strong, and Gaming Mind presents it in the language MGA auditors use. BastionPlay filed 23 Suspicious Activity Reports over the trailing twelve months — a filing rate of 0.019% of active accounts, consistent with MGA expectations for an operator at this transaction volume. The investigation pipeline currently carries 11 open cases: 8 at Level 1 (pattern detected, monitoring active), 2 at Level 2 (enhanced due diligence in progress), and 1 at Level 3 (SAR submitted, law enforcement liaison ongoing). Average days-to-close across the full year came in at 5.4 days, down from 8.1 days twelve months ago — a 33% improvement attributable to workflow changes implemented in Q2. The false positive rate on the transaction monitoring ruleset has fallen from 31% to 14% over the same period, a figure that demonstrates genuine program maturity rather than just filing volume. Gaming Mind packages all twelve months of trend data into a single exportable summary with the MGA audit template headings already populated.


Elena: "Show me player protection coverage — self-exclusion, deposit limits, cooling-off. Enrollment rates, uptake, how they're performing."

| Protection Measure | Active / Count | % of 25,000 MAU | Key Metric |
|---|---|---|---|
| At least one active limit or restriction | 1,847 players | 7.4% | Across all tool types |
| Self-exclusion (active accounts) | 312 accounts | 1.2% | |
| Self-exclusion — new enrolments (trailing 30 days) | 89 enrolments | | Avg activation time: 6.2 min (MGA requires <24 hr) |
| Deposit limits (active) | 2,380 players | 9.5% | Limit-users wager at 43% lower intensity vs. unprotected peers |
| Cooling-off period (trailing 12 months) | 294 players | 1.2% | 71% elected to return after period expired |
| At-risk proactive outreach — Q4 contacts | 1,640 accounts | 6.6% | 22% accepted a protection measure within 30 days of first contact |

⚠️ Gaming Mind flags: Player protection compliance is strong and demonstrably effective. Self-exclusion activation averages 6.2 minutes — well inside the 24-hour MGA requirement. Deposit limit data shows tools are genuinely changing behaviour (43% lower wager intensity). Proactive outreach reached 1,640 accounts in Q4 with a 22% uptake rate — exactly the initiative type MGA auditors have recently been requesting evidence of.

Player protection is where MGA auditors spend disproportionate time, and Elena wants the evidence to be airtight. Gaming Mind surfaces a compliance picture that goes well beyond headcount. Of BastionPlay's 25,000 MAU, 1,847 players — 7.4% — currently have at least one active limit or restriction in place. Self-exclusion covers 312 active accounts; 89 new enrolments were processed in the trailing 30 days, with an average activation time of 6.2 minutes from request submission, well inside the 24-hour MGA requirement. Deposit limits are set by 2,380 players, with a quarterly analysis showing limit-users wager at 43% lower intensity than unprotected players in the same behavioral risk tier — evidence that the tools are actually changing behavior. Cooling-off period usage sits at 294 players over the past 12 months, with 71% electing to return after the period expired, a figure that demonstrates the measure is genuinely protective rather than used primarily to bypass self-exclusion. Gaming Mind flags that MGA auditors have recently requested evidence of proactive outreach — BastionPlay's at-risk player contact program reached 1,640 accounts in Q4, with 22% accepting a protection measure within 30 days of first contact. Elena hadn't planned to lead with the outreach data, but it's exactly the kind of initiative auditors reward.


Elena: "I need RTP verification across all live casino and slots titles — provider certificates, actual observed RTP, variance from stated."

| RTP Metric | Value | Status |
|---|---|---|
| Total live game titles | 847 | Across 12 providers |
| Stated RTP range (portfolio) | 94.8% – 99.1% | Varies by variant |
| Observed RTP (trailing 12 months, full catalogue) | 96.2% | Within normal distribution |
| Variance from stated RTP | ±0.3 pp | 🟢 Consistent with statistically normal play |
| Titles with <30 days observed data (new poker variants) | 2 | 🟡 Documentation gap — flagged in checklist |
| Provider RTP certificates expiring within 60 days | 3 | 🟡 Renewal requests submitted same session |
| Provider certificates current and valid | 844 | 🟢 No action required |

⚠️ Gaming Mind flags: Portfolio-wide RTP is healthy — 96.2% observed vs. 94.8–99.1% stated, variance within ±0.3 pp (statistically normal). Two titles in the poker vertical (added within 90 days) have fewer than 30 days of observed RTP data — the documentation gap flagged in the opening audit checklist. Three provider certificates expiring within 60 days identified; renewal requests submitted before session ended. All findings formatted to MGA specifications with certificate expiry cross-references.

This is where the two-week manual process used to hurt most. BastionPlay runs 847 live game titles across twelve providers, and historically each provider sent RTP certificates in a different format, at different times, through different contacts. Gaming Mind aggregates the full matrix into a single view. Stated RTP across the portfolio ranges from 94.8% to 99.1% depending on variant; observed RTP over the trailing twelve months averages 96.2% across the full catalogue, within a 0.3 percentage point variance band that is consistent with statistically normal play distribution. Two titles — both in the poker vertical, both added within the last ninety days — show observed RTP data for fewer than 30 days, which is the documentation gap flagged in the opening audit checklist. Gaming Mind generates a variance report formatted to MGA specifications, cross-references certificate expiry dates, and identifies three provider certificates expiring within 60 days that need renewal before the audit closes. Elena forwards the renewal requests before the session is over.


Elena: "What does our responsible gambling compliance record look like? Affordability checks, safer gambling interactions, self-assessment tool usage."

| RG Compliance Metric | Value | Context / Outcome |
|---|---|---|
| Affordability checks triggered (trailing 12 months) | 2,140 accounts | 8.6% of player base — triggered by deposit velocity or behavioural threshold |
| Affordability checks completed | 1,978 | 92.4% completion rate |
| Affordability checks declined → default deposit limit | 162 accounts | 7.6% — restricted as protective default measure |
| Safer gambling interactions initiated by compliance team | 3,247 contacts | Categorised by risk tier and interaction type |
| Session frequency reduction (post-interaction, 90 days) | 31% reduction | vs. matched control group |
| Deposit intensity reduction (post-interaction, 90 days) | 19% reduction | vs. matched control group |
| At-risk proactive outreach — Q4 (accounts contacted) | 1,640 accounts | 22% accepted a protection measure within 30 days |

⚠️ Gaming Mind flags: Responsible gambling tools demonstrably work — not just in place. Players who received a proactive safer gambling interaction showed a 31% reduction in session frequency and a 19% reduction in deposit intensity over the following 90 days vs. a matched control group. This outcome data — joining the interaction log to behavioural data that previously sat in separate systems — is the strongest evidence an operator can bring to an MGA audit. This analysis was not available before this session.

Responsible gambling compliance is increasingly the area where MGA auditors probe hardest, and Gaming Mind produces a report that addresses every dimension of the framework. Affordability checks were triggered for 2,140 accounts over the trailing twelve months — the 8.6% of the player base whose deposit velocity or behavioral pattern met the threshold criteria. Of those, 1,978 completed the check process; 162 declined and were restricted to deposit limits as a default protective measure. The safer gambling interaction log shows 3,247 customer contacts initiated by the compliance team over twelve months, categorized by risk tier and interaction type. Gaming Mind cross-references the interaction log against subsequent behavioral outcomes: players who received a proactive safer gambling interaction showed a 31% reduction in session frequency and a 19% reduction in deposit intensity over the following 90 days, measured against a matched control group. That outcome data is the strongest evidence an operator can bring to an MGA audit — not just that the tools exist, but that they demonstrably work. Elena didn't have this analysis before the session. It exists because Gaming Mind joined the interaction log to behavioral data that previously sat in separate systems.

"The regulators don't just want to see that you enrolled players in the tools. They want to know the tools are working. That outcome analysis — the 31% session reduction after proactive contact — that's what changes an audit from a paperwork exercise to a demonstration of genuine compliance culture. I didn't know we had that story to tell until this morning."

— Elena Vasquez


Elena: "Transaction monitoring — show me rule coverage, alert volume, and whether we have any gaps in our monitoring perimeter."

| Risk Category | Active Rules | Trailing 12-Month Alerts | Escalation Rate | Coverage Status |
|---|---|---|---|---|
| Structuring | 9 | 1,420 | 5.1% | 🟢 Full coverage |
| Layering | 8 | 1,180 | 6.2% | 🟢 Full coverage |
| Smurfing | 7 | 980 | 4.4% | 🟢 Full coverage |
| Politically Exposed Persons (PEP) | 8 | 610 | 7.8% | 🟢 Full coverage |
| High-velocity micro-transactions | 8 | 1,440 | 3.9% | 🟢 Full coverage |
| Unusual withdrawal patterns | 7 | 1,210 | 4.3% | 🟢 Full coverage |
| GBP deposits >£5,000 (config gap) | | 0 (past 2 weeks) | | 🟡 Gap — 31 qualifying transactions missed; 8 warrant retrospective review |
| Total | 47 rules | 6,840 alerts | 4.8% escalation | |

⚠️ Gaming Mind flags: 94% of alerts closed within 48 hours; 4.8% escalated to Level 2 investigation — both within expected range for a 25,000 MAU platform. The GBP >£5,000 configuration gap (inadvertently narrowed 2 weeks ago) generated 0 alerts during that window despite 31 qualifying transactions. Gaming Mind quantifies the impact precisely: 8 of those 31 transactions show patterns warranting manual review. Retrospective review request submitted immediately — gap will enter the audit package as identified, remediated, and closed.

BastionPlay's transaction monitoring framework runs 47 active rules across six risk categories: structuring, layering, smurfing, politically exposed person activity, high-velocity micro-transactions, and unusual withdrawal patterns. Total alert volume over the trailing twelve months was 6,840 — a rate that Gaming Mind benchmarks against operator peer data as within the expected range for a 25,000 MAU platform with BastionPlay's vertical mix. Of those alerts, 94% were closed within 48 hours; escalation to Level 2 investigation occurred in 4.8% of cases. The configuration gap flagged in the opening checklist — the narrowed GBP threshold for deposits above £5,000 — accounts for an estimated 12 coverage alerts that should have been generated over the past two weeks and weren't. Gaming Mind quantifies the gap precisely: 31 qualifying transactions occurred during the coverage window, of which 8 show patterns that would have warranted manual review. Elena submits a retrospective review request for those 8 accounts immediately. By the time auditors arrive, the gap will be closed, documented, and remediated — which is a materially better position than presenting it as an open deficiency.


Elena: "Generate the full audit evidence package — all 12 areas, MGA-formatted, with citations."

| Compliance Area | Documents | Status | Notes |
|---|---|---|---|
| AML Program Documentation | 14 | 🟢 Complete | 12-month trend data, SAR log, investigation pipeline |
| Player Protection Evidence | 12 | 🟢 Complete | Self-exclusion, deposit limits, cooling-off, proactive outreach |
| RTP Certificates + Variance Analysis | 18 | 🟢 Complete | 847 titles; 3 renewal requests submitted |
| Responsible Gambling Interaction Outcomes | 9 | 🟢 Complete | Interaction log + behavioural outcome analysis |
| Transaction Monitoring Coverage Report | 8 | 🟢 Complete | 47 rules; gap remediated + retrospective review logged |
| KYC Process Records | 7 | 🟢 Complete | |
| Data Protection Compliance Summary | 6 | 🟢 Complete | |
| Game Fairness Attestations | 5 | 🟢 Complete | |
| Operator Licence Condition Adherence Log | 4 | 🟢 Complete | |
| Marketing Compliance Records | 4 | 🟢 Complete | |
| Technical Standard Certification Index | 4 | 🟢 Complete | |
| Remediation Notes (Amber Items) | 3 | 🟢 Closed | Poker RTP gap + GBP monitoring gap — both addressed |
| Total | 94 documents | 🟢 12/12 areas complete | Session time: 40 minutes |

⚠️ Gaming Mind flags: Complete 94-document audit package compiled in 40 minutes. Every section carries MGA audit template headings; every data point includes a source citation with timestamp. The two amber items from the opening checklist are presented as identified, addressed, and closed — not as outstanding findings. This is a materially better regulatory position than presenting open deficiencies on the day auditors arrive.

The final output is what used to take two weeks and still arrived imperfect. Gaming Mind compiles all twelve compliance areas into a single structured package: AML program documentation, player protection evidence, RTP certificates with variance analysis, responsible gambling interaction outcomes, transaction monitoring coverage report, KYC process records, data protection compliance summary, game fairness attestations, operator licence condition adherence log, marketing compliance records, technical standard certification index, and the remediation note for the two amber items identified at the start of the session. Every section carries the MGA audit template headings, every data point includes a source citation with timestamp, and the two remediation actions — the poker RTP documentation and the GBP monitoring gap — are presented as identified, addressed, and closed rather than as outstanding findings. Total document count: 94. Total session time: 40 minutes.


Results

A two-week process completed in one 40-minute session

Elena's full audit preparation — twelve compliance areas, 94 source documents, a complete evidence package formatted to MGA specifications — took forty minutes from first query to final export. No cross-department email chains, no waiting on data exports from three separate systems, no Sunday-evening reconciliation work. The same session that used to require two weeks and contributions from three departments was completed before the second espresso was finished.

Two compliance gaps identified and closed before the audit

The transaction monitoring configuration gap and the poker RTP documentation shortfall were identified, quantified, and remediated within the same session. The retrospective review of the 31 GBP transactions was submitted the same morning. Both items entered the audit package as closed findings with remediation evidence, rather than as active deficiencies. An auditor finding a gap that the operator already identified and fixed is a fundamentally different regulatory outcome than an auditor finding a gap the operator didn't know about.

Responsible gambling outcome data surfaced for the first time

The finding that proactive safer gambling interactions produced a 31% measurable reduction in session frequency had never been analyzed before — not because the data didn't exist, but because the interaction log and the behavioral data lived in separate systems that nobody had joined. Gaming Mind surfaced it as a natural output of the player protection query. Elena built the audit section around it. It became the centrepiece of BastionPlay's responsible gambling compliance narrative.

Certificate renewals caught before the deadline

Three provider RTP certificates scheduled to expire within 60 days were identified and renewal requests submitted the same morning. None of those expiries would have been caught by the manual process until the next scheduled certificate review, which runs quarterly. An expired RTP certificate presented to an auditor as current documentation is a straightforward compliance failure. All three were addressed before the auditors arrived.

Auditors noted it was the most organized submission they had reviewed

The MGA audit completed without a single request for supplementary documentation — an outcome BastionPlay had not achieved in its previous two audit cycles. The lead auditor noted in the post-audit letter that the evidence package was the most systematically organized submission the team had reviewed, with particular commendation for the responsible gambling outcome analysis and the proactive identification and remediation of the monitoring configuration gap. BastionPlay received a clean audit outcome with no formal findings.

"Auditors aren't trying to catch you out — they're trying to assess whether your compliance program is real. The question is whether you can prove it. Before Gaming Mind, I could prove pieces of it, pulled from different systems, with gaps I hoped they wouldn't notice. Now I can prove all of it, in one document, with citations, before they walk in the door. That's not just efficiency. That's what a mature compliance program actually looks like."

— Elena Vasquez, Head of Risk & Compliance, BastionPlay
