
How the licensing and audit budget is formed

Introduction: why you need a "compliance contour"

Licensing and auditing are not a one-off "admission fee" but an ongoing risk management loop covering legal cleanliness, cash flow transparency, data protection, and gaming integrity. A competent budget divides the costs into CAPEX (one-time) and OPEX (recurring) and takes into account jurisdictional requirements, technical readiness and the calendar of control points (filing, pre-audit, issuance, supervision, renewals).


Budget structure: what it consists of

1) Licensing (jurisdictions and types)

Registration and state duties (application fee, license fee).

Legal support (filing, corporate structure, KYC/KYB, contracts).

Corporate services (nominal directors/secretaries, office, accounting).

Financial requirements (authorized capital, guarantee deposits/insurance).

Local roles (MLRO/AML officer, DPO, RG responsible person).

Translations and notaries (statutes, policies, contracts, certificates).

2) Audits and certifications

Game auditing (RNG/math, RTP, integration tests).

Payment/processing (transaction trail, sources of funds, SoF/KYC).

Information Security (ISO 27001/ISMS; when working with cards - PCI DSS).

Privacy and data (GDPR/UK GDPR, DPIA, privacy-by-design).

Operational compliance (SLA/incidents, change log, access log).

Responsible gaming (RGS policies, triggers, reporting, self-exclusion).

3) Technical preparation for audits

Infrastructure (segregation of environments, logs/observability, backup/DRP).

Documentation (ISMS, access policies, SDLC/CI-CD, change management).

Test stands and sandboxes (gaming, payment, KYC).

Software licenses (WAF, SIEM, DLP, vulnerability scanners, HSM for PCI).

4) Surveillance and renewal

Annual inspections/monitoring, periodic pen-tests/scan-reports.

Reporting to regulators (game statistics, RG/AML events).

Maintenance of personnel (training, certification, rotation of shifts in live).


CAPEX vs OPEX: How to Split Costs

CAPEX (one-time): application fees, initial audits (RNG/ISO/PCI), development of missing policies/processes, procurement of HSM/equipment, integration work.

OPEX (recurring): annual licenses, surveillance/supervisory audits, MLRO/AML/DPO salaries, game/provider retests, ISMS/PCI support, insurance, accounting and corporate services.


Cost range benchmarks (approximate)

💡 Ranges are given as reference points for planning; actual amounts depend on jurisdiction, scale, providers, and current regulation.

Legal support of the application: from $20k to $120k+ (structure, filing, Q&A with the regulator).

State duties (filing/annual): from $25k to $500k+ (varies greatly by license and volume of verticals).

RNG/game audit of one title/package: $5k-$25k per title/release; a package is cheaper.

Platform/Casino Integration Audit: $30k-$150k.

ISO 27001 (preparation + certification): $40k-$200k (incl. consultants/certification body).

PCI DSS (if applicable): $30k-$150k+ (depends on level, TPV volume and perimeter).

GDPR/DPIA and privacy audit: $10k-$50k (excluding a permanent DPO).

Corporate Services/Accounting/Office: $12k-$60k per year.

Compliance staff (MLRO/AML/DPO/RG): $180k-$600k per year cumulatively (depending on country and seniority).

Pen-tests/ASV scans/retests: $10k-$60k per year.


Work calendar: what the timeline and cash plan are built from

1. Pre-gap analysis (2-4 weeks): requirements map, gap analysis, budget-skeleton.

2. Preparation (4-12 weeks): policies/processes, technical work, collection of evidence-based artifacts.

3. Submission and Q&A (4-16 weeks): regulator responses, adjustments.

4. Primary audits (2-8 weeks): RNG/integration/ISO/PCI.

5. Issuance/conditional approval: clearing of conditions, launch of reporting.

6. Surveillance (quarterly/half year/year): supervisory audits, renewals and retests.


Example: 12-month cycle estimate for an online operator (conditional mid-size)

(USD; rounded for easy planning)

CAPEX (first 6-9 months):
  • Lawyers and corporate structure: $70,000
  • Filing fees and primary license: $180,000
  • Preparation ISMS + ISO 27001 certification: $95,000
  • Platform integration audit and RNG package (10 titles): $110,000
  • PCI DSS (if storing/handling PAN): $80,000
  • Technical preparation (SIEM/WAF/scanners/log archiving): $60,000
  • Total CAPEX: $595,000
OPEX (year):
  • Annual License/Fees: $150,000
  • Supervisory audits/retests/pen-tests: $70,000
  • Compliance Staff (MLRO/AML/DPO/RG): $360,000
  • Corporate Services/Accounting/Office: $36,000
  • Consultants/Translations/Notaries (Buffer): $24,000
  • OPEX total (year): $640,000

Contingency (10-15% of CAPEX + OPEX): ~$123,000-$184,000

Full annual contour (with 12% reserve): $1.39 million ($595k + $640k + $147k)

💡 Note: if payments go through a PSP without storing cards and the perimeter is reduced, the PCI block can be cut down to annual ASV scans and SAQs, saving up to $60-80k.

What makes a project more expensive (and how to avoid overspending)

Bloated audit perimeter. Minimize the scope of ISO/PCI: micro-segmentation, keeping unnecessary systems out of scope.

No "requirements owner." Assign a single Compliance PMO and a quarterly policy/process release plan.

Late artifact collection. Keep an "evidence log" with links: policies, logs, reports, screenshots.

Duplicate provider audits. Agree on "crediting" existing artifacts (SOC 2/ISO from partners/hosting).

Single-threaded officers. Budget for replacement/outsourcing (illness/vacation) so that deadlines do not slip.


B2B Studio/Provider Cost Estimate (Differences)

Smaller payment perimeter, but a larger share of game audits (RNG/RTP/certification for each country).

ISO 27001 remains key (access to operator data, sources/builds).

OPEX lever: retests on updates and release cycle management (each release = potential retest).

Implement certifiable math: repeatable rule templates, validation library, kernel freeze.


Estimate for payment/orchestrator (fintech)

PCI DSS/card integrations, AML/SoF policies, independent anti-fraud checks.

A separate line item is a reserve for risk/chargebacks and professional liability insurance.

Increased load on logging/forensics (SIEM, log retention, investigation cases).


Management KPIs for compliance budget

Cost of Compliance/Net Revenue, % - the share of contour costs in net revenue.

Audit Pass Rate, % and corrective actions.

Scope Reduction Index - how many systems have been taken out of the perimeter.

Evidence Readiness SLA - the share of artifacts ready "on demand" within 48 hours.

RG/AML incidents - frequency/severity, trend after implementation of measures.


Documents and artifacts that are always requested

Corporate documents, beneficiaries, sources of funds.

Policies: ISMS, access/encryption, logging, SDLC/CI-CD, vulnerability management, BCM/DRP.

Agreements with providers (PSP, KYC, hosting), SLA and reporting.

Data Map, DPIA, subject consent/rights records.

Responsible Gaming protocols (triggers, self-exclusions, limits).

Game mathematics/RNG reports, certification of content providers.

Incident logs, configuration changes, test results/pen-tests.


Quick start checklist (operator)

  • Gap analysis of jurisdiction requirements and map of artifacts.
  • CAPEX/OPEX budget + 10-15% reserve.
  • Compliance PMO assigned, quarterly milestones.
  • Accredited Auditor Contract (RNG/ISO/PCI).
  • ISMS package: policies, risk register, training plans.
  • Architecture with minimal audit perimeter.
  • Release retest plan and change-freeze window.
  • 12-24 month supervision/renewal calendar.

The licensing and auditing budget is a portfolio of managed liabilities, not just "spending on pieces of paper." Divide the costs into one-time and recurring, narrow the audit perimeter, and build an evidence base and an oversight calendar. That way you turn compliance from a release brake into an asset that lowers the cost of capital, speeds up transactions and protects revenue.
