3 things we can all learn from SkyCity’s compliance failures

What happened? 

SkyCity has been making the news for all the wrong reasons this week as word of its compliance failures following a regulator audit hit the headlines. The audit revealed problems in nine out of 10 compliance areas and failure to rectify similar issues that had been revealed by previous audits. The Department of Internal Affairs (DIA, the regulator of casinos) has also come under fire for not taking enforcement action. 

Bridging the gap between regulatory requirements and operational practices

Compliance can be visualised as a pyramid, with the laws and regulations at the bottom, and operational practice and implementation at the top. Operational practice is the front line where it becomes quickly apparent whether and how you have successfully operationalised everything that sits below in the pyramid. 

In practice, it can be hard to get from the bottom of the pyramid to the top. Many of the ‘host responsibility’ breaches identified in the SkyCity audit rely on front-line employees working on the casino floor to take specific actions in response to a set of circumstances. Staff training is required under the regulations to ensure that employees understand the requirements and their responsibilities. But let’s not pretend this is easy. 

While DIA has also been criticised for not coming down harder on earlier non-compliance, it probably recognises the challenges of getting this right every time. It relies on people making judgment calls, having potentially challenging interactions with customers, and watching player behaviour to a level that might be impractical. Having written policies and procedures and training is one thing. Making sure the requirements are implemented at the top of the pyramid is another. 

This is particularly true when the requirements might be at odds with the customer’s desired experience. There is also an inherent commercial tension in what is being asked of the regulated entity here, and these issues are not limited to casinos. Ask anyone who has been on the receiving end of the intrusive financial questions banks have been asking lately to comply with lending rules. The Commerce Minister, David Clark, suggested that this was due to banks interpreting the rules too narrowly. And who can blame them? No company wants to find itself where SkyCity is now, headline news for regulatory compliance failures. These laws are often designed to protect us, but that doesn’t mean they are not frustrating or intrusive. Look no further than Covid-19 response requirements. It hasn’t been easy for businesses trying to enforce them in situations where they have come at the cost of our usual customer experience expectations. 

What’s the point in the laws if they aren’t followed or enforced?

I think we are all on board with avoiding the harm that the gambling laws seek to address. It is important that the right regulatory settings are in place and enforced. However, not all laws are written with operational practice top of mind. As part of the policy development and review processes, sector participants need to be actively involved in raising these types of issues. In addition, they need to have open conversations with regulators about how they operate on the ground. It is never acceptable to decide not to comply because it is difficult. Having worked for a regulator, I know that these conversations with regulated entities are invaluable and taken into account. It is in everyone’s interest to have workable laws. SkyCity says that it has employed new technologies such as face recognition software, and that may go some way to easing the difficult task employees face in trying to police the behaviours of customers. In reality, though, there is no silver bullet, regardless of how deep a company’s pockets are. Good regulation shouldn’t require the implementation of very expensive systems. There are probably other ways to achieve the objectives of the legislation in a less financially burdensome manner. 

So, what can we learn from all this? 

1. Lead from the top of the organisation to the top of the pyramid.

Company value is won or lost at the top of the pyramid. It determines your customer experiences, perception in the community, investor confidence, regulator satisfaction and the sentiment of your partners. To excel here requires top management commitment to embedding a compliance culture in the organisation. Every single employee must know the “what”, “when” and “how” of their role in ensuring compliance. 

2. Raise operational compliance challenges with your regulator and engage in the legislative process.  

We’ve seen this work with great effect in the recent government ‘clarification’ of the lending laws following feedback from financial institutions and customers to make the rules more workable. Don’t sit back and rely on others to raise issues. The more voices that raise the same issues, the more likely a regulator will sit up and take notice. 

3. Don’t wait for a regulator audit to identify the flaws.  

There shouldn’t be any surprises revealed on an audit. Companies that take a proactive approach to compliance management and ongoing self-assessment are aware of operational issues in real time. They will be taking steps to address problems long before an auditor finds them. A good compliance management system delivers the right systems, processes, ongoing verification and evaluation to deliver insights. These insights enable your operational practice to be regularly tweaked, adapting quickly as regulatory requirements and business environments change. If Covid-19 has taught us anything, it is that even the biggest organisations, which might usually employ complex change management processes, need to be agile to survive. 

Caroline Taylor is a compliance and risk specialist and the co-founder and CEO of Totum Compliance.