“Any entity that is regulated in Malta and ends up in the news for the wrong reasons damages Malta’s reputation; this is a fact,” says Alan Alden, Director of Kyte Consultants. “Any service provider, director, payment processor, bank, involved with this entity will also have its reputation tainted in some way or another. So it is in the interest of all stakeholders to ensure that regulated entities comply with all requirements in a serious and effective manner to reduce their compliance and reputation risk. Most companies do not have persons trained in risk assessments and risk management but they all need to do it to comply with the regulations. Without a risk assessment and risk management processes, a company cannot be sure that it is compliant and remains compliant. Risk management is a continuous process that needs someone to own it and manage it regularly.”
Kyte Consultants was incorporated in late 2006 and officially started operating in January 2007. However, Mr Alden and his business partner Trevor Axiak have been involved in IT audit and security for 18 and 27 years respectively and in gaming since 2000. The company works mostly with the gaming industry, although it also has a number of payment service providers and banks among its clients. “Most of our clients are non-residents and need feet on the ground in Malta that have good relationships with the relevant authorities, banks and suppliers as they would rely on us for most of their local requirements.” Kyte provides a range of services for licensing and post-licensing, and its latest service line focuses solely on the AML/CFT regulations and requirements. It is the only company in Malta that is a Qualified Security Assessor company – approved by the major card brands to audit companies for PCI DSS compliance, and the main reseller of a state-of-the-art AI fraud and compliance tool called Featurespace.
“Risk management involves finding out the threats to your assets through exploitation of existing vulnerabilities (known and unknown) and then finding ways to reduce the impact on the vulnerabilities by the threats and consequently reducing the overall risk,” Mr Alden says. “It also involves identifying an entity’s compliance requirements and the threats and vulnerabilities that would lead to compliance risk where possible fines, actions against a company and potentially even suspension or cancellation of a license could result. In order to determine the risks, a risk assessment must be carried out and remedial actions implemented where vulnerabilities are noted to remove them or reduce the potential impact of threats from exploiting the vulnerabilities. Kyte can assist with the risk assessments as well as designing controls, selecting tools, internal audit function, policies and procedures, audits, and so on, which are all measures to reduce risk.” In order to provide these kinds of specialised services, all Kyte’s staff have internationally recognised certifications and qualifications such as CISA, CISSP, SSCP, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor and QSA (PCI DSS), and training in specific areas, such as AML/CFT, is always provided.
Mr Alden says that the 4th AML Directive is planned to come into force as law in Malta in the coming months. “For the first time, Remote Gaming Operators will become obliged entities and will have to be compliant with the regulations and follow FIAU and MGA guidelines. This means that operators have to create AML/CFT-specific policies and procedures, employ or entrust an existing employee to become an MLRO who must register on the FIAU website and submit an Annual Compliance Report. The operators must carry out a risk assessment and monitor their customers on an ongoing basis, carry out due diligence and so on. Next year, May 2018, the General Data Protection Regulations will come into force and changes will have to be made there, both procedural changes and system changes to ensure compliance. Fines are hefty and consequences can be serious. Over and above these things, the MGA has launched a white paper to change the whole legal structure that regulates land-based and online gaming. So there is a lot happening and a lot to contend with. The question is can the smaller companies comply? Will they be prepared? Has all this made start-ups impossible? Will this see the end of the SMEs in the gaming sector?”
Mr Alden wants the industry to see Kyte as their one-stop-shop for anything to do with compliance, risk and information security. “From the provision of training in the various subjects to certification of companies for PCI DSS, Kyte’s vision is to be a quality supplier of all services required by a regulated entity, not only for the Maltese market but everywhere. We already operate in over 30 countries, and our offices in Kiev, London and Australia are our stepping stones into other jurisdictions as our services are needed there too.”