Written by: Nicole Ogonowska, IT Growth Manager, Digital Colliers
If your compliance analysts are pulling CSVs at 11pm before an audit, the fine isn't the first cost you're paying. It's the second. The first one is already on your P&L, and it's growing.
Let's do the math out loud, because most operators haven't.
The analyst-hour math nobody puts on a slide
Picture a mid-sized UK-licensed operator with a compliance team of twenty. Kindred publicly reported a £14M compliance-team cost in 2023, so scale that down to whatever headcount you actually run. Now ask what fraction of those hours goes to judgment, and what fraction goes to fetching data.
In most operators I've seen, the split is genuinely ugly:
- Analysts write ad-hoc SQL against three or four different databases
- They wait for platform engineering to grant access to a new table
- They reconcile deposit data from the payments system against session data from the game server, by hand
- They rebuild the same affordability report every month because nobody productionised it
With the UK affordability trigger sitting at £150 net deposits per rolling 30 days, that reconciliation isn't optional. You have to catch every player who crosses it. If your analysts are catching them by running a query on Tuesday morning, you've already missed the ones who crossed on Monday night.
That's not a compliance problem. That's a data integration problem wearing a compliance hat.
Up-stack work versus down-stack work
Here's the framing that helps. Compliance work splits into two layers.
Down-stack work is plumbing. Joining tables, pulling logs, reconciling identifiers across systems, normalising currency, deduping player records, running the same query on a schedule. This work has a right answer. A machine should do it.
Up-stack work is judgment. Looking at a flagged player and deciding whether the pattern is problem gambling or a stag do. Reading a source-of-funds document and deciding whether the story holds. Interpreting a new piece of UKGC guidance and deciding what it means for your product. This work does not have a right answer. A human has to do it, and you want your best humans doing it.
Roughly 1 in 4 UK-licensed operators fails to get a satisfactory AML rating on first assessment. Ask any of them where the failure was, and it's almost never at the judgment layer. It's at the plumbing layer. The analyst couldn't see the pattern because the data was in six places.
The UKGC's RCI guidance came into force in August 2022 and expanded again in 2024. Every expansion adds more down-stack work. If you don't automate the plumbing, you either hire more analysts or you miss things.
What compliance actually looks like with data engineering behind it
The operators who've figured this out don't have bigger compliance teams. They have compliance teams that spend their day on judgment.
What that setup tends to look like in practice:
- A single player-360 view that pulls deposits, sessions, KYC status, self-exclusion history, and interaction logs into one place
- Affordability thresholds monitored continuously, not queried
- RCI markers computed on stream, so an analyst opens a case with the evidence already attached
- Every regulator query answerable in an afternoon because the audit trail was built into the pipeline, not bolted on
The analyst's job in this world is to review, decide, and document. Not to fetch.
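To make "monitored continuously, not queried" concrete, here is an added sketch (not code from the author or any operator) that flags a player at the moment a payment event pushes them over £150 net deposits in a rolling 30 days, rather than at the next scheduled query. The event tuple layout, the definition of net deposits as deposits minus withdrawals, the treatment of reaching exactly £150 as a crossing, and per-player time-ordered input are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_PENCE = 150_00         # £150 trigger (figure from the article)
WINDOW = timedelta(days=30)      # rolling 30 days (figure from the article)

class AffordabilityMonitor:
    """Per-player rolling-window net deposit tracker that alerts on crossing."""
    def __init__(self):
        self._events = defaultdict(deque)  # player -> deque of (ts, signed pence)
        self._net = defaultdict(int)       # player -> net pence inside the window
        self._flagged = set()              # players currently over the threshold

    def ingest(self, player, ts, kind, pence):
        """Process one event in time order; return an alert on a new crossing."""
        # Assumption: net deposits = deposits minus withdrawals.
        signed = pence if kind == "deposit" else -pence
        q = self._events[player]
        # Evict events that have aged out of the 30-day window.
        while q and q[0][0] <= ts - WINDOW:
            self._net[player] -= q.popleft()[1]
        q.append((ts, signed))
        self._net[player] += signed
        over = self._net[player] >= THRESHOLD_PENCE
        if over and player not in self._flagged:
            self._flagged.add(player)
            return {"player": player, "crossed_at": ts,
                    "net_pence": self._net[player]}
        if not over:
            self._flagged.discard(player)  # re-arm so a later crossing alerts again
        return None

# Constructed sample events (not real data): player, timestamp, kind, pence.
SAMPLE = [
    ("p1", datetime(2025, 3, 1, 20, 0), "deposit", 100_00),
    ("p2", datetime(2025, 3, 2, 9, 0), "deposit", 200_00),
    ("p2", datetime(2025, 3, 2, 9, 30), "withdrawal", 120_00),
    ("p1", datetime(2025, 3, 17, 23, 40), "deposit", 60_00),  # a Monday night
    ("p1", datetime(2025, 4, 5, 10, 0), "deposit", 40_00),    # 1 March has aged out
]

def run(events):
    """Feed events through a fresh monitor and collect the alerts raised."""
    mon = AffordabilityMonitor()
    return [a for e in events if (a := mon.ingest(*e))]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

In the sample, p1 is flagged at 23:40 on the Monday, which is exactly the case a Tuesday-morning query picks up late.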
The ROI, and the cost of waiting
Around 95% of enterprise AI projects don't reach production. The ones that do, in compliance, tend to share a boring trait: somebody fixed the data plumbing first. You cannot layer a machine learning risk model on top of six disconnected databases and expect it to hold up in a regulator meeting.
Now the cost-of-inaction side. UK penalties for the most serious AML breaches reach up to 15% of gross gaming yield. GDPR fines run up to €20M or 4% of global turnover. And the EU AI Act adds a new layer: transparency obligations from 2 August 2026, high-risk obligations from 2 December 2027, with fines up to €15M or 3% of global turnover for high-risk violations.
If any part of your player-risk stack is going to fall under high-risk when the Act lands, you have about two years to get the data lineage into a state a regulator will accept. That's not a long runway when you're starting from CSVs.
The operators who'll be fine in 2027 are the ones treating this as a data engineering problem in 2025. The ones still running SQL by hand at audit time are quietly paying the fine already. They just haven't received the letter yet.

