When Compliance Becomes Personal.
Regulators are shifting liability from companies to the individual. Most directors in regulated industries have not changed how they assign resources, hire, or structure their teams, and that could be a big mistake.
The Shift That Most Directors Haven’t Noticed
The Isle of Man’s Gambling Supervision Commission has proposed legislation that would allow it to fine individual executives, not just the companies they work for, when compliance failures occur. Directors, compliance officers, and senior managers could face personal civil penalties if breaches happen under their consent, connivance, or negligence. The Bill is currently in consultation, with the regulator publishing detailed guidance on how it would assess individual culpability and calculate fines.
This is not an isolated move. It follows a pattern that has already reshaped financial services. The UK’s Senior Managers and Certification Regime, introduced after the 2008 financial crisis, made individual executives at banks and financial firms personally liable for failures in their areas of responsibility. The former CEO of Barclays was fined £642,430 for failing to act with due diligence. The former CEO of Wyelands Bank was fined £118,808 for inadequate systems and controls. The regime now covers all FCA-regulated firms.
The direction is clear: regulators across industries are moving from punishing companies to punishing the people who run them. If you’re a director in a regulated market, the compliance risk is no longer just a cost to your business. It’s personal exposure.
What This Changes for Directors
When compliance failure is a company fine, it’s a line item. When it’s a personal fine, a potential ban from holding a directorship, or criminal liability, it changes how a director thinks about three things.
1. What to spend on compliance, and why.
Most directors in regulated industries treat compliance as overhead, something you invest enough in to pass inspections and avoid fines. The investment is calibrated against the risk to the company. Personal liability changes this completely. The question is no longer “can our business absorb this fine?” but “am I personally comfortable with the level of risk I am carrying?” The Isle of Man’s draft guidance explicitly states that personal penalties operate alongside company-level sanctions, not instead of them. You could face both.
2. Who to hire and how to structure accountability.
Under company-level liability, a compliance officer is someone who handles regulatory requirements so you don’t have to think about them. Under personal liability, a compliance officer is someone whose competence directly determines your personal exposure. The IoM Bill specifically names controllers, key persons, MLROs, deputy MLROs, and senior managers as “relevant persons” who can be fined. If your compliance function is understaffed, underqualified, or structurally unable to escalate problems, that is no longer just an operational weakness. It’s a personal risk you have chosen to accept.
3. How much you actually know about your own compliance.
The IoM guidance defines three levels of culpability: consent (you knew and approved), connivance (you knew and failed to act), and negligence (you should have known but didn’t). The third category is the one that catches most directors. “I didn’t know” is not a defence if the regulator determines you had a duty to know. Ignorance of what your compliance team is doing, or not doing, is itself a form of liability.
The Pattern Beyond iGaming
This is not an iGaming-specific trend. It’s a regulatory philosophy that’s spreading across industries where government licensing determines who can operate.
In financial services, SM&CR has been live since 2016 and has been progressively expanded. In data protection, GDPR allows supervisory authorities to hold data protection officers and company leadership personally accountable for systemic failures. In health and safety, directors have faced personal prosecution for years under the Corporate Manslaughter Act. The mechanism is the same each time: legislators conclude that company-level fines are not sufficient to change behaviour because companies treat fines as a cost of doing business. Personal liability by design makes the cost unignorable.
If you operate in any regulated sector (financial services, gaming, healthtech, fintech, cannabis, crypto), the trajectory is toward more personal accountability, not less. The IoM Bill is one aspect of a broader shift.
The Honest Check
Before your next board meeting, ask yourself three questions.
1. If a compliance failure happened tomorrow, could the regulator demonstrate that it was attributable to my negligence?
Not your compliance officer’s negligence. Yours. If you don’t have clear documentation showing that you actively oversaw the compliance function, requested updates, and acted on reported issues, the answer may be yes.
2. Is my compliance function resourced to protect me, or just to protect the business?
These are different standards. Protecting the business means meeting the minimum regulatory threshold. Protecting you, personally, means having systems robust enough that the regulator cannot attribute a failure to your neglect. If your MLRO is part-time, if your compliance budget has not kept pace with your growth, or if your AML monitoring is a manual spreadsheet, the gap between those two standards is where your personal exposure sits.
3. Would I bet my own money on the competence of my compliance team?
Under personal liability, that is exactly what you are doing.