26 April 2017 EFFECTIVE REGULATION THROUGH RISKBASED APPROACH

26 April 2017 EFFECTIVE REGULATION THROUGH RISK-BASED APPROACH IN THE ARTIFICIAL INTELLIGENCE, CLOUD OR DIGITAL SPACE BONGA JAXA - SENIOR MANAGER: COMPLIANCE AND LICENCING 2

CONTENTS • Purpose • Background • Effective regulation • Risk-Based Approach • Traditional vs Risk-based approach • Cloud • Artificial intelligence • Regulatory environment • ECGBB Methodology • Conclusion 3

PURPOSE • To provoke a debate on how the current controversial topic in business across the globe “artificial intelligence, cloud computing and digital” directly or indirectly affects effective regulation of the Gaming industry • To encourage colleagues and other relevant stakeholders to start a conversation on this issue, its impact on regulation and how are we to respond to its inevitable growth as well as risks attached 4

BACKGROUND • In South Africa, the SMMEs in general, gambling industry in particular, play an important role in the country’s economy • The gambling industry has been recognized as one of the key drivers of economic growth, innovation and job creation • One of our strategic outcome-oriented objectives is the implementation of socio-economic development opportunity projects in order to empower communities 5

Analytical capabilities Good Corporate Governance Public inclusion Enhanced requirements on roles of approved systems & suppliers Effective Regulation Rigorous reviews & stress testing Constant global and one on one stakeholder engagement Risk-based operation Risk-based regulation 6

RISK-BASED REGULATION • Black (2008) define risk-based regulation “is systematised decision making frameworks and procedures to prioritise regulatory activities and deploy resources, principally relating to inspection and enforcement, based on an assessment of the risks that regulated firms pose to the regulator’s objectives. ” • Black & Baldwin (2010) argue that the challenges of regulation to which regulators have to respond vary across the different regulatory tasks of detection, response development, enforcement, assessment, and modification 7

RISK-BASED REGULATION – MAIN ELEMENTS According to (Black, 2008), the following are the riskbased regulation main elements: • Setting the risk tolerance • Risk identification and risk assessment • Assigning scores and ranking firms or sites • Linking supervisory resources and responses to the risk scores 8

RISK-BASED APPROACH – FINANCIAL ACTION TASK FORCE A Risk-Based Approach to Anti-Money Laundering (“AML”) or Counter-Terrorism Financing (“CTF”) means that countries, competent authorities and financial institutions, are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively 9

RISK-BASED AUDIT – INSTITUTE OF INTERNAL AUDITORS • IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework • RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite 10

TRADITIONAL APPROACH RISK-BASED APPROACH Preservation of reputation Skilled risk analysis Compliance controls Proactive risk management Legal review and enforcement Preventative compliance Tactical Champion Management Enterprise Historical Consult strategy risk on Risk management 11

12

GAMBLING INDUSTRY GONE CLOUD What is cloud computing? Arora & Parashar (2013) define cloud computing as “the ability to access a pool of computing resources owned and maintained by a third party via the Internet. It is not a new technology but a way of delivering computing resources based on long existing technologies such as server virtualization. ” • The gambling industry is evolving with time and technology as a result its business models are now electronic and or virtual gaming • It uses best technology for data storage & operating of the games 13

CLOUD COMPUTING IN GENERAL • While cloud computing may have a potential to provide users with incredible benefits, it is however important to note that there are still overwhelming challenges attached to it • This is despite work that has been done and progress made in mitigating the security concerns attached to cloud computing. As a result as regulators we remain reluctant to trust cloud computing 14

CLOUD COMPUTING CHALLENGES OR RISKS According to Arora & Parashar (2013) the following are some of the challenges or risks in cloud computing: • Security • Segregation • Capacity • Confidentiality • Trust • Privacy • Reliability • Storage 15

16

ARTIFICIAL INTELLIGENCE (AI) What is AI? According to (https: //www. merriam- webster. com) artificial intelligence is “a branch of computer science dealing with the simulation of intelligent behaviour in computers or the capability of a machine to imitate intelligent human behaviour. ” • Advantages: error reduction, digital assistants, etc • Disadvantages: Unemployment, high cost, etc 17

ARTIFICIAL INTELLIGENCE – SCHOLARLY ARGUEMENTS • Dubhashi & Lappin (2017), state that some thinkers do warn of serious dangers as posed by artificial intelligence silently invoking the notion of technological singularity to ground their fears • They argue that according to this idea, the machines will reach a point where they correct their own defects and program themselves to produce super intelligent agents that surpass human capabilities • They further argue that governments and public planners have not developed plausible programs that deal with the massive social upheaval as suggested that the artificial intelligence is to cause economic dislocation 18

19

REGULATORY ENVIRONMENT • Gambling Act, Regulations, Rules, Conditions of Licence • B-BBEE Act and Regulations • Financial Intelligence Centre Act • Companies Act • Income Tax Laws • Employment Equity and Labour Relations Laws • Promotion of Administration Justice Act • Protection of Personal Information Act 20

GAMBLING REGULATORY REQUIREMENT The current regulatory best practice requires that servers be based in South Africa and accessible in the case that a need arises for security verification for the purposes of ensuring protection of public interest (privacy) 21

PROMOTION OF ADMINISTRATIVE JUSTICE ACT The Act says that all administrators must: • follow fair procedure when making a decision and clearly explain any decisions taken; • allow relevant parties to voice their opinion before making any decision that might affect their rights; • inform people about any redress mechanisms in their apartment. If there is no internal appeal system, they must tell citizens of their right to ask the courts to review the decision; and • tell people that they have the right to ask for the reasons for any decision taken to be given to them in writing 22

PROTECTION OF PERSONAL INFORMATION ACT Eight principles of POPI: • Accountability • Processing limitation • Purpose specification • Further processing limitation • Information quality • Openness • Security safeguards • Data subject participation 23

24

OUR METHODOLOGY • Risk-rating & compliance-based incentive (guarantee) • Pre-opening audits/inspections & Systems Audits • Compliance quarterly self-monitoring and reporting tool • Quarterly submission of Internal Audit Reports • Review of quarterly reports & Monthly financial data analysis • Internal & External Auditors’ review of ICS 25

OUR METHODOLOGY-CONTINUED • Quarterly & Biannual Revenue Audits • Updated Compliance Barometer & development of Noncompliance register • Interpretive analysis of the Barometer results • Sharing the individual licensee Barometer results • Engagement sessions with licensees to strengthen effective regulation • Deployment of more resources to high risk licensees 26

27

COMPLIANCE BAROMETER • Provides the Management and the Board with a statistical and graphical glimpse in respect of the compliance level by the various licence holders in the Province in all aspects required by the Board to be complied with • Enables the Board to determine whether its strategic goals or objectives will be or are met and whether additional mechanisms are necessary in order to ensure that its strategic goals or objectives are met • Enables the Board to better manage and control enterprise potential or emerging risks • Enables the CEO to measure whether the operational methods, tools or resources are adequately and effectively employed 28

202016/2017 FINANCIAL YEAR OVERALL COMPLIANCE 29

20 GENERIC LICENCE TYPE RISK-RATING - REVENUE Probability Impact Rating Bookmaker 4 2 8 Casino 3 4 12 3 3 9 Bingo Route Operator Tote Risk Loss of Revenue Licence Type 30

20 GENERIC LICENCE TYPE RISK-RATING – COMPLIANCE MONITORING Probability Impact Rating Bookmaker 4 2 8 Site A 4 2 8 Site B 4 3 12 4 2 8 2 4 8 3 4 12 Route Operator 2 4 8 Tote 2 3 6 Site C Casino Bingo Risk Compliance Licence Type 1 Acceptable 1 2 Low 2 -5 3 Medium 6 - 11 4 High 12 - 16 31

FINANCIAL GUARANTEE REVIEW – COMPLIANCE INCENTIVE Licence Type RFP Guarantee Value Compliance level Bingo 1, 500, 000. 00 Low Casino 2, 000. 00 Route Operator Bookmaker Revised Guarantee - 1, 500, 000. 00 2 1, 000, 000. 00 2, 000. 00 3 600, 000. 00 1, 400, 000. 00 250, 000. 00 1 187, 500. 00 62, 500. 00 Compliance Level Applicable Reduction % 1 75% 2 50% 3 30% Low Reduction Value Risk-rating Risk code % Score Levels Low 80%-100% Medium High 70%-79% 60%-69% below 60% 32

CONCLUSION • Times have changed, thus while we remain within our mandate, however our approach must be aligned with and informed by the pace of industry and technological developments • The time for us to start our conversation on the effects and impact of the evolution of technology in general and in the industry in particular has come • Either we move swiftly or we are left behind and have a self-regulated industry • We have an opportunity to have an effectively regulated and equally an economically inclusive gambling industry. 33

THANK YOU 34