UKGC: 54% of Operators Verified Security Compliance in 2023

A Freedom of Information (FOI) disclosure from the UK Gambling Commission (UKGC) has provided a new perspective on how the regulator monitors the security of online gambling operators. The data, covering the 2023 calendar year, shows that the Commission verified the security compliance of 299 out of 550 operators required to conduct an annual audit.

Why Security Audits Matter

All UK-licensed remote gambling operators and software providers must adhere to the Remote Gambling and Software Technical Standards (RTS). A key part of these standards is the requirement for an annual security audit conducted by an independent third party.

This audit is a critical consumer protection measure. It assesses an operator's information security controls, ensuring that systems are in place to protect player funds, safeguard personal data against breaches, and maintain the overall integrity of the gambling platform. For consumers, this audit provides assurance that the operator they are using meets the high security standards mandated by the UKGC.

Breakdown of the 2023 Data

The FOI request, dated 4 January 2024, sought to clarify how many operators were required to complete an audit and how many had demonstrated compliance to the regulator. The UKGC's response provided the following figures for the 2023 calendar year:

  • 550 operators hold licensed products that require them to complete an annual security audit.
  • 217 operators provided a full security audit report to the Commission demonstrating they had successfully met the RTS requirements.
  • 82 operators provided other forms of "assurance that requirements have been met."

In total, this means the UKGC received and reviewed evidence of compliance from 299 operators, or approximately 54% of those required to have an audit performed.

Understanding the Regulatory Process

The data does not suggest that the remaining 251 operators (46%) failed to comply with the rules. Instead, it highlights the UKGC's sample-based approach to enforcement.

In its response, the Commission clarified its current process, which has been in place since April 2021. Operators are only required to submit their audit report to the UKGC under two conditions:

  1. If the Commission specifically requests it.
  2. If the audit identifies any major non-conformities.

The UKGC's Compliance Team conducts reviews based on a sample selection of operators each year. Therefore, the 251 operators who did not provide a report were not part of the 2023 sample and were not asked to submit one. However, the UKGC noted that these operators "should still have had a security audit report" on file.

This disclosure provides valuable transparency into the UKGC's regulatory oversight. It shows that while every operator is mandated to be secure, the Commission uses a risk-based, targeted approach to verify compliance annually, rather than collecting and reviewing reports from every single licence holder.

Written by

Research & Data Lead

PhD in Public Policy, London School of Economics. Member of the Royal Statistical Society. Published in the Journal of Gambling Studies and Addiction Research & Theory.

Dr. Chen holds a PhD in Public Policy from the LSE and has 8 years of experience in quantitative research, including 3 years as a Research Fellow at the Responsible Gambling Trust analysing operator self-exclusion data.
