B2B · Platform Compliance 16 min read May 25, 2026

PAM Provider Compliance Burden: What Platform Vendors Inherit From Their Operators

PAM vendors are accountable parties for data, RG hooks, AML logs, and change control across UKGC, MGA, AGCO, and AGLC frameworks. Here is what that means operationally.

By Matt Denney, Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published May 25, 2026 · Filed: Technical Standards

Player Account Management platforms sit at the operational core of virtually every licensed online gambling product. They control registration flows, KYC status flags, wallet balances, responsible gambling limits, session data, and every account transaction a player ever makes. Compliance officers and legal counsel instinctively understand that the licensed operator is accountable for all of that. What is less well understood is the degree to which the PAM provider, as a B2B supplier, inherits direct regulatory exposure through both primary-source standards and the contractual obligations those standards impose on the operator-vendor relationship.

Across multiple major licensing jurisdictions, including Ontario, Malta, Great Britain, Alberta, and Gibraltar, regulators have constructed frameworks that explicitly extend compliance obligations toward platform vendors. The mechanism differs by jurisdiction, but the direction of travel is consistent. Where a PAM provider controls the infrastructure through which regulated activity occurs, regulators hold both the licensee and, in some cases, the supplier directly accountable for what that infrastructure does and how it logs, reports, and enforces controls.

How Regulators Define the Supplier’s Regulatory Position

The AGCO Registrar’s Standards for Internet Gaming (last amended May 2025) address the B2B question directly. Standard 1.19 states that operators are responsible for the actions of third parties with whom they contract for the provision of any aspect of the operator’s business related to gaming in Ontario, and must require those third parties to conduct themselves, in so far as they carry out activities on behalf of the operator, as if they were bound by the same laws, regulations, and standards. PAM providers are not excluded from this. Where a PAM provider is registered in Ontario as a gaming-related supplier, the AGCO Registrar’s Standards apply to it independently, and the Registrar may hold an operator, a gaming-related supplier, or both accountable for meeting a particular Standard.

“Operators are expected to ensure that the Standards related to the operation of their gaming site are met, regardless of the entity that is carrying out the related activities. Depending on the circumstances, the Registrar may hold an Operator, a gaming-related supplier, or both, accountable for meeting a particular Standard.”
Source: AGCO Registrar’s Standards for Internet Gaming, Introduction

The MGA reaches a structurally similar conclusion through a different route. Under the Gaming Authorisations and Compliance Directive (Directive 3 of 2018, v2 October 2021), article 28 provides that outsourcing service providers that manage one or more websites pertaining to a B2C licensee are deemed to be acting for and on behalf of that licensee, who remains responsible for their actions insofar as the licence is concerned. A PAM provider running the front-end account environment of an MGA-licensed B2C operator sits squarely within that definition. The operator cannot transfer its regulatory accountability to the PAM vendor, but the PAM vendor’s actions are attributed to the operator.

In Gibraltar, the AML Code of Practice for Remote Gambling (2026 update) reinforces the same principle from an AML perspective. Where a licence holder uses third parties to provide information for due diligence purposes, the licence holder remains responsible for the outcome of that process. Third-party reliance does not discharge CDD obligations. A PAM provider supplying KYC data pipelines or wallet transaction history to the operator does not make itself the AML-responsible entity, but it does become the operational counterparty whose data quality and log integrity determine whether the operator can demonstrate compliance.

What the Contract Must Contain: MGA Article 27 Requirements

The MGA Gaming Authorisations and Compliance Directive, article 27, specifies the minimum contractual provisions that must appear in every outsourcing agreement where a B2C or B2B licensee relies on a third party to perform regulated activities. These are not aspirational drafting standards; they are mandatory terms. Any outsourcing contract must oblige the service provider to carry out the outsourced activity in compliance with regulatory instruments, as if the outsourcing service provider were bound by the same regulatory instruments as the licensee. The contract must also oblige the provider to supply information to the licensee as necessary to satisfy its regulatory obligations, and must enable the licensee to terminate immediately for just cause where the MGA has determined that the outsourced activity is in breach of applicable regulatory instruments.

Mandatory MGA Contract Terms for PAM Outsourcing: Under Directive 3 of 2018, article 27, outsourcing contracts with platform providers must include obligations to act as if bound by MGA regulatory instruments, information-sharing duties to the licensee and the MGA directly, and immediate termination rights for regulatory breach. These terms are not negotiable by commercial agreement.

The practical implication for PAM vendors operating in the MGA ecosystem is that their master service agreements with operators must contain these clauses as a minimum. An MGA-licensed B2C operator whose PAM contract lacks these provisions is itself in breach of article 27. PAM vendors drafting standard contracts for the MGA market therefore need to ensure their template agreements are compliant with the directive, not merely commercially protective of their own interests.

Logging Obligations: Who Controls the Log, Who Owns the Obligation

Transaction and game-state logging is where the PAM provider’s technical control over infrastructure translates most directly into regulatory obligation. The AGCO Registrar’s Standards section 4.02 requires that accurate and complete records of transaction and game state and play information be kept and made available for the purposes of ensuring timely investigations can be performed by the Registrar, capturing information needed to continue a partially complete game within a reasonably defined time, resolving disputes fairly, ensuring player complaints can be resolved, and tracking all relevant player information including funds information. Section 4.02 applies to gaming-related suppliers as well as operators.

The AGLC Standards and Requirements for Internet Gaming (SRIG 2026-03-17, issued January 14, 2026) are more prescriptive on log architecture. Continuous logs must be maintained for critical gaming systems including the tracking of financial accounting and game state history. Those logs must be protected against alteration, with the SRIG specifying WORM or immutability controls or cryptographic signing with SHA-256. Logs must be transmitted and stored over TLS 1.2 or higher. Access to logs must be role-based, with segregation of duties between operations and monitoring. Logs must be made available to AGLC on request. The SRIG also requires implementation of a monitoring function, referencing SIEM capability, to correlate and alert on integrity events, with remediation tracked to closure.

For a PAM provider, these are not abstract data engineering requirements. They determine what the platform must be engineered to do from day one. A PAM system that stores account transaction records in a mutable database without cryptographic integrity controls, or that cannot produce on-demand reports to the regulator, fails to meet the technical requirements of the AGLC SRIG regardless of what the operator’s own internal controls say. Where the PAM is the system of record for player accounts and transactions, the PAM vendor is the entity that must engineer these controls, and the operator’s Control Activity Matrix (CAM) under AGCO Standard 1.02 must document exactly that, naming where the platform provider holds the relevant controls.
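As an added example (not code from the AGLC SRIG or from any PAM vendor), the following shows one way to make a transaction log tamper-evident with SHA-256: each record carries an HMAC-SHA-256 over its content, its position, and the previous record's MAC, so an in-place edit, a deleted row, or a truncated tail is detectable on verification. The record layout, function names, key, and sample events are assumptions constructed for illustration; HMAC stands in as the keyed integrity primitive, and the head MAC is assumed to be anchored outside the platform's own database.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor used as "prev" for the first record

# Constructed sample events; field names are assumptions for illustration.
SAMPLE_EVENTS = [
    {"player": "P-1001", "type": "deposit", "amount": "50.00"},
    {"player": "P-1001", "type": "wager", "amount": "10.00"},
    {"player": "P-1001", "type": "withdrawal", "amount": "40.00"},
]


def _mac(key: bytes, seq, prev, event) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_record(log: list, key: bytes, event: dict) -> dict:
    """Append an event, binding it to its position and to the previous MAC."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": seq, "prev": prev, "event": event,
              "mac": _mac(key, seq, prev, event)}
    log.append(record)
    return record


def verify_log(log: list, key: bytes, expected_head: Optional[str] = None) -> list:
    """Return (position, problem) findings; an empty list means intact."""
    findings = []
    prev = GENESIS
    for i, rec in enumerate(log):
        want = _mac(key, rec.get("seq"), rec.get("prev"), rec.get("event"))
        if not hmac.compare_digest(want, str(rec.get("mac"))):
            findings.append((i, "mac mismatch"))
        if rec.get("seq") != i:
            findings.append((i, "sequence gap"))
        if rec.get("prev") != prev:
            findings.append((i, "broken chain link"))
        prev = rec.get("mac")
    # The head MAC must be anchored where the log writer cannot rewrite it
    # (assumption: WORM storage or the monitoring system); otherwise removal
    # of the newest records goes unnoticed.
    if expected_head is not None and prev != expected_head:
        findings.append((len(log), "head mismatch"))
    return findings


def demo() -> dict:
    key = b"constructed-demo-key"  # in practice held outside the log store
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, key, copy.deepcopy(event))
    head = log[-1]["mac"]
    edited = copy.deepcopy(log)
    edited[1]["event"]["amount"] = "1.00"  # in-place edit of a stored row
    return {
        "intact": verify_log(log, key, head),
        "edited": verify_log(edited, key, head),
        "deleted": verify_log([log[0], log[2]], key, head),
        "truncated": verify_log(log[:2], key, head),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

A mutable table with no such binding would pass all four cases silently, which is the gap the paragraph above describes.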

Responsible Gambling Hooks: The PAM as Enforcement Infrastructure

Responsible gambling controls in every major regulated jurisdiction are not documentary obligations. They are system-enforced requirements that must operate at the platform level. The AGLC SRIG mandates that players must be provided with system-enforced responsible gambling controls, including the ability to set time limits, deposit limits, and loss limits at registration or any time after registration. Where a player requests to relax or eliminate a previously established limit, the system must enforce a cooling-off period of at least 24 hours before implementing the change. The cooling-off period is not a customer service policy; it is a technical system requirement that the PAM infrastructure must enforce without exception.
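The cooling-off rule described above, as an added example (not code from the SRIG or from any platform): a relaxation or removal of a deposit limit is queued and takes effect only once 24 hours have elapsed on the system clock, with no code path that shortens the wait. The class and method names, the audit tuple layout, and the choice to apply a new or tighter limit immediately are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Optional, Tuple

COOLING_OFF = timedelta(hours=24)  # minimum period stated above


@dataclass
class DepositLimit:
    current: Optional[Decimal] = None  # None means no limit is set
    # Queued relaxation: (new value or None for removal, time it takes effect)
    pending: Optional[Tuple[Optional[Decimal], datetime]] = None
    audit: list = field(default_factory=list)

    def _apply_due(self, now: datetime) -> None:
        # A queued change matures only by the clock; there is no override path.
        if self.pending is not None and now >= self.pending[1]:
            self.current = self.pending[0]
            self.pending = None
            self.audit.append((now, "matured", self.current))

    def request_change(self, new: Optional[Decimal], now: datetime) -> str:
        self._apply_due(now)
        relaxing = self.current is not None and (new is None or new > self.current)
        if relaxing:
            # A repeated request restarts the clock rather than shortening it.
            self.pending = (new, now + COOLING_OFF)
            outcome = "queued"
        else:
            # Assumption: setting or tightening a limit applies at once and
            # cancels any relaxation still waiting out its cooling-off period.
            self.current, self.pending = new, None
            outcome = "applied"
        self.audit.append((now, outcome, new))
        return outcome

    def allows_deposit(self, amount: Decimal, deposited_in_period: Decimal,
                       now: datetime) -> bool:
        self._apply_due(now)
        if self.current is None:
            return True
        return deposited_in_period + amount <= self.current


def demo() -> list:
    t0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    hour = timedelta(hours=1)
    limit = DepositLimit()
    return [
        limit.request_change(Decimal("100"), t0),             # set: applied
        limit.request_change(Decimal("500"), t0 + hour),      # relax: queued
        limit.allows_deposit(Decimal("150"), Decimal("0"), t0 + 24 * hour),
        limit.allows_deposit(Decimal("150"), Decimal("0"), t0 + 25 * hour),
        limit.request_change(Decimal("50"), t0 + 26 * hour),  # tighten: applied
        limit.request_change(None, t0 + 27 * hour),           # removal: queued
        limit.allows_deposit(Decimal("60"), Decimal("0"), t0 + 50 * hour),
        limit.allows_deposit(Decimal("60"), Decimal("0"), t0 + 51 * hour),
    ]


if __name__ == "__main__":
    print(demo())
```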

The AGCO Registrar’s Standards impose parallel requirements, including RG Check accreditation for operators and a centralised self-exclusion requirement that operates across all Ontario-licensed sites simultaneously. Self-exclusion data flows require the PAM platform to receive, honour, and log exclusion instructions in real time. A PAM provider whose platform cannot integrate with Ontario’s centralised self-exclusion registry, or cannot enforce an immediate account suspension upon receipt of an exclusion signal, is delivering a non-compliant product into a regulated market regardless of what the operator promises in its application to the AGCO.

Source: AGLC, Standards and Requirements for Internet Gaming (SRIG 2026-03-17), Section 3, Social Responsibility; AGCO, Registrar’s Standards for Internet Gaming, Responsible Gambling section (last amended May 2025).

The UKGC Remote Gambling and Software Technical Standards (RTS, last updated 31 October 2025) impose their own technical layer. RTS 12, which has been updated with new deposit limit definitions effective 30 June 2026, requires that financial limit controls operate correctly at the system level. RTS 13A, 13B, and 13C address time requirements and reality check functionality that must be built into the remote gambling platform. RTS 14 addresses responsible product design across multiple sub-standards. Where a PAM provider supplies the account wallet, session management, and player limit enforcement infrastructure to a UKGC licensee, every one of these RTS requirements is an engineering specification the PAM must meet, tested and certified accordingly.

Change Control: A Shared Compliance Event

Regulatory change control obligations create one of the most operationally complex friction points between PAM vendors and their operator clients. Under AGCO Standard 1.02, substantial changes to an operator’s control environment must be communicated to the Registrar in a timely manner. An operator’s CAM must summarise all controls related to the gaming site, including where the operator works with third-party suppliers, including platform providers. A material change to the PAM platform, such as a new release that modifies limit enforcement logic, session management behaviour, or AML transaction flagging thresholds, is a change to the operator’s control environment, and depending on its materiality, may trigger a reporting obligation to the AGCO.

PAM vendors deploying SaaS platforms across multiple operators in Ontario simultaneously face a structural challenge here. A platform release deployed uniformly to all clients may trigger individual notification obligations for each operator, on different timelines, each of which the operator must satisfy independently. From the PAM vendor’s commercial perspective, release management must include a compliance communication component. Operators need sufficient notice and technical documentation of changes to assess whether a CAM update or Registrar notification is required before the change goes live.

The AGLC SRIG contains a parallel requirement: the gaming system must be able to change, block, deactivate, or remove system accounts in a timely and effective manner upon termination, change of role or responsibility, suspension, or unauthorised usage. This directly implicates PAM-level administrator account management. Where a PAM provider controls privileged access to the operator’s gaming system, the PAM’s access control architecture must support the operator’s ability to meet this obligation, and any delay in the PAM responding to an access revocation request becomes a regulatory exposure for the operator.

AML Logging and the Platform’s Data Architecture

AML obligations in every jurisdiction where PAM providers operate ultimately require a complete, auditable, and immutable record of player financial activity. The GLI-19 Standards for Interactive Gaming Systems (v3.0) specify that AML procedures must monitor player accounts for opening and closing in short time frames and for deposits and withdrawals without associated game play, and that aggregate transactions over a defined period may require further due diligence if they exceed the threshold prescribed by the regulatory body. These monitoring obligations require the platform to maintain structured, queryable transaction history, which is the PAM’s core data asset.
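To show why these checks depend on a structured, queryable ledger, here is an added example (not taken from GLI-19 or from any vendor's product) that runs the three monitoring conditions named above over a small constructed transaction history. The thresholds, window lengths, flag names, and record layout are assumptions; the page leaves the actual threshold and period to the regulatory body.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed values: the page leaves the threshold and period to the regulator.
SHORT_LIFETIME = timedelta(days=2)
AGG_WINDOW = timedelta(days=30)
AGG_THRESHOLD = Decimal("10000")

# Constructed sample data (not real accounts or transactions).
ACCOUNTS = {
    "P-1": {"opened": datetime(2026, 3, 1), "closed": None},
    "P-2": {"opened": datetime(2026, 3, 3), "closed": datetime(2026, 3, 4)},
    "P-3": {"opened": datetime(2026, 1, 1), "closed": None},
}
LEDGER = [  # (timestamp, player, kind, amount)
    (datetime(2026, 3, 1, 10, 0), "P-1", "deposit", Decimal("100")),
    (datetime(2026, 3, 1, 10, 5), "P-1", "wager", Decimal("20")),
    (datetime(2026, 3, 2, 9, 0), "P-1", "withdrawal", Decimal("80")),
    (datetime(2026, 3, 3, 9, 0), "P-2", "deposit", Decimal("2000")),
    (datetime(2026, 3, 3, 15, 0), "P-2", "withdrawal", Decimal("1990")),
    (datetime(2026, 3, 1, 8, 0), "P-3", "deposit", Decimal("4000")),
    (datetime(2026, 3, 1, 8, 30), "P-3", "wager", Decimal("500")),
    (datetime(2026, 3, 5, 8, 0), "P-3", "deposit", Decimal("4000")),
    (datetime(2026, 3, 5, 8, 30), "P-3", "wager", Decimal("500")),
    (datetime(2026, 3, 10, 8, 0), "P-3", "deposit", Decimal("4000")),
]


def scan(accounts: dict, ledger: list) -> dict:
    """Return {player: sorted list of flags} for accounts needing review."""
    flags = defaultdict(set)

    # 1. Accounts opened and closed within a short time frame.
    for player, acct in accounts.items():
        closed = acct.get("closed")
        if closed is not None and closed - acct["opened"] <= SHORT_LIFETIME:
            flags[player].add("short_lived_account")

    unplayed_deposit = defaultdict(bool)  # deposit seen, no wager since
    window = defaultdict(deque)           # recent cash movements per player
    for ts, player, kind, amount in sorted(ledger, key=lambda row: row[0]):
        if kind == "wager":
            unplayed_deposit[player] = False
        if kind not in ("deposit", "withdrawal"):
            continue
        # 2. Deposit followed by withdrawal with no game play in between.
        if kind == "deposit":
            unplayed_deposit[player] = True
        elif unplayed_deposit[player]:
            flags[player].add("deposit_withdrawal_without_play")
        # 3. Aggregate cash movement over a rolling period above threshold.
        recent = window[player]
        recent.append((ts, amount))
        while ts - recent[0][0] > AGG_WINDOW:
            recent.popleft()
        if sum(value for _, value in recent) > AGG_THRESHOLD:
            flags[player].add("aggregate_over_threshold")
    return {player: sorted(found) for player, found in flags.items()}


if __name__ == "__main__":
    for player, found in scan(ACCOUNTS, LEDGER).items():
        print(player, found)
```

Each rule reads wager, deposit, and withdrawal events in timestamp order for one player, so a reporting API that omits wagers or delivers records late makes the second and third checks unreliable.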

Gibraltar’s AML Code of Practice (2026 update) makes the architecture point explicit: transactional monitoring is an important part of the process, particularly in the case of customers who increase their rate of spend, and has been an area of historical weakness for some gambling operators. Where the PAM vendor holds the transaction ledger and the operator relies on the vendor’s reporting APIs to perform AML monitoring, any gap in the API’s completeness, latency, or query depth becomes a gap in the operator’s AML controls. Gibraltar’s Code states clearly that the licence holder remains responsible for the outcome even where third-party data sources are used, and that third-party reliance is viable only where the provider undertakes to make available immediately to the licence holder copies of the relevant information it holds.

“Where this is done, the Licence Holder remains responsible for the outcome of the process and it remains the case that they cannot ‘rely’ on third parties to have concluded CDD on their behalf.”
Source: Gibraltar AML Code of Practice for Remote Gambling, 2026 update, section 6.13

The AGLC SRIG requires that logs be retained for a minimum of three years unless otherwise stated, and that they be made available to AGLC on request. If the PAM provider controls the data infrastructure and the operator has no independent copy of transaction logs, the operator cannot satisfy a regulator’s data request without the PAM vendor’s cooperation. This dependency must be addressed contractually and technically before a market goes live, not after a regulatory inquiry arrives.

Contractual Risk Allocation: What Works and What Does Not

PAM vendors typically negotiate master service agreements that limit their liability for regulatory consequences of platform failures, cap damages at a multiple of annual contract value, and exclude consequential losses including regulatory fines. These commercial positions are understandable. They do not, however, change the regulatory accountability structure. A UKGC licensee fined for an RTS breach caused by a PAM configuration error remains the entity that receives and pays the fine. Its recourse against the PAM vendor is a contractual matter, and only exists if the contract addresses it.

The MGA framework’s mandatory article 27 contract terms provide a template for what effective contractual risk allocation requires: the PAM vendor must be obliged to act in compliance with regulatory instruments, must provide information to the operator to satisfy regulatory obligations, and must submit to immediate termination where the MGA has determined a regulatory breach. Those are minimum requirements under Maltese law, but they also represent a sensible floor for any regulated market. Operators entering new jurisdictions with an existing PAM vendor should review whether their MSA contains these provisions for each market, not just MGA-licensed deployments.

In Ontario, AGCO Standard 1.10 requires that compliance documentation be maintained in a way capable of being reviewed and audited by an independent oversight function, and that internal and external auditors be granted access to all relevant systems, documentation, and resources. Where the PAM vendor controls relevant systems, the MSA must grant the operator the right to provide that access. A vendor contract that reserves the right to refuse audit access to third parties, including AGCO-directed audits, is incompatible with the operator’s regulatory obligations. Compliance counsel reviewing a PAM MSA for an Ontario deployment must confirm that audit access provisions extend to AGCO-directed engagements, not merely to the operator’s own internal audit programme.

The MGA B2B Licence: When the PAM Vendor Holds Its Own Authorisation

The MGA gaming framework distinguishes between B2C licensees, who provide gaming services directly to players, and B2B licensees, who hold what the MGA terms a critical gaming supply licence. A PAM provider operating in the MGA ecosystem and providing back-end systems to multiple B2C licensees must hold a B2B licence in its own right. The MGA Compliance Audit Manual (MGA/G/001) addresses B2B obligations directly, including checks that any corporate group offering services to other MGA-licensed operators holds a valid B2B licence.

A B2B licensee has its own key function obligations under the Gaming Authorisations and Compliance Directive, its own reporting obligations, and its own exposure to MGA enforcement. The MGA’s enforcement register records the cancellation of authorisation MGA/B2B/726/2019, awarded to B2B supplier 4tune-Software GmbH, illustrating that the MGA does enforce directly against B2B licence holders, not only against the B2C operators they supply. PAM providers operating in the MGA ecosystem who supply critical gaming infrastructure must treat their B2B licence obligations as a direct regulatory exposure, not merely as a prerequisite to signing operator contracts.

Compliance officers at operators considering a new PAM vendor should verify the vendor’s MGA B2B licence status as part of due diligence. An operator running on a PAM platform operated by an entity without valid MGA authorisation is exposed to the same category of regulatory risk as one whose outsourcing contract lacks article 27 terms. For detailed guidance on navigating Ontario’s specific compliance obligations, including the dual-authority structure that affects both operators and their platform vendors, see our Ontario iGaming compliance lessons for new entrants.

Practical Implications for PAM Vendor Due Diligence

PAM providers entering regulated markets and operators procuring PAM solutions need to conduct a structured compliance assessment before contracts are signed. That assessment must address five distinct areas.

The platform’s technical architecture must be audited against the logging, encryption, and data retention requirements of each target jurisdiction. The AGLC SRIG’s SHA-256 log integrity requirement and TLS 1.2 transmission requirement are concrete engineering specifications that must be met, not aspirational security standards. The RTS security requirements published by the UKGC, which are based on ISO/IEC 27001:2022, similarly set a defined technical floor that PAM infrastructure must meet before going live with a UKGC licensee.

Responsible gambling control enforcement must be system-enforced rather than policy-documented. Where a PAM platform requires operator configuration to activate cooling-off periods, self-exclusion enforcement, or limit reduction delays, the configuration must be applied and auditable before market launch. The AGCO and AGLC both specify that these controls are system requirements, not implementation choices left to the operator’s discretion.

Change management protocols must be agreed between the PAM vendor and operator before the first release is deployed. The operator needs sufficient notice of platform changes to assess whether AGCO Standard 1.02 notification obligations are triggered and to update its CAM accordingly. A PAM vendor whose release cycle does not accommodate operator compliance review timelines is structurally incompatible with regulated markets where change notifications are mandatory.

Data access and portability must be addressed in the MSA. The operator must have the ability to extract complete transaction logs, player account records, and audit trails independently of the PAM vendor. This is both a regulatory requirement, given that regulators can demand data from the operator directly, and a commercial risk management requirement for the event of vendor relationship termination.

Audit access provisions must extend to regulator-directed reviews. AGCO Standard 1.10 makes this non-negotiable. A PAM MSA that limits audit access to the operator’s own internal teams and requires advance notice before regulator access is a compliance gap that must be corrected before registration is sought. Operators and their legal counsel should also review what the MGA’s system audit process requires from the operator’s tech stack, since the documentation expectations extend to platform vendor infrastructure.

Key Risk: PAM vendors that supply platform infrastructure to operators in multiple regulated jurisdictions simultaneously may trigger jurisdiction-specific notification, audit, and change control obligations for each operator on their platform, obligations whose timing and content vary by jurisdiction. A single platform release may require coordinated compliance communication across multiple regulatory relationships before deployment.

The regulatory frameworks reviewed here uniformly confirm that contractual distance from a licensed operator does not equal regulatory distance for the platform sitting beneath it. The AGCO can hold gaming-related suppliers directly accountable. The MGA attributes outsourcing provider actions to the licensee and requires that contracts place regulatory obligations on the provider. Gibraltar’s AML Code requires that third-party data sources provide immediate access to the information they hold. Every one of these positions treats the PAM infrastructure as a regulatory fact, not merely a commercial arrangement. Compliance teams advising operators or vendors on platform procurement should consult qualified legal counsel in each jurisdiction before contracts are finalised and before any market goes live.

Key Resources

AGCO Registrar’s Standards for Internet Gaming (last amended May 2025): www.agco.ca. The primary standards document for Ontario’s regulated market, covering third-party management at Standards 1.18, 1.21 and logging at section 4.02.

MGA Gaming Authorisations and Compliance Directive (Directive 3 of 2018, v2 October 2021): Available via the MGA’s regulatory framework pages at mga.org.mt. Articles 27 and 28 contain the mandatory outsourcing contract provisions applicable to all MGA licensees.

UKGC Remote Gambling and Software Technical Standards (last updated 31 October 2025): Published at gamblingcommission.gov.uk. RTS 12, 13, and 14 cover financial limit controls, time and session requirements, and responsible product design applicable to all remote gambling platforms.

AGLC Standards and Requirements for Internet Gaming (SRIG 2026-03-17, issued January 14, 2026): Published by the Alberta Gaming, Liquor and Cannabis Commission. Section 5 covers IT and security requirements including log integrity, access controls, and system account management obligations for critical gaming systems.

Gibraltar AML Code of Practice for Remote Gambling (2026 update): Published by the Gibraltar Gambling Commissioner. Section 6.13 addresses the limits of third-party reliance for CDD and the licence holder’s ongoing accountability for data quality.
