Monday 12 May 2008

Regulators - Let's Be Friends

Working in online gambling, something I am often frustrated by is regulatory requirements.  I'm pretty lucky - our compliance department focuses on reaching win-win agreements with the various regulatory bodies that govern our products, meaning we still get to build our business and they still ensure we're looking after our customers and treating them fairly.

That doesn't sound too bad, so why am I frustrated?  Basically, a lot of regulatory requirements place restrictions on the configurations and architectures we can use.  As a businessman I completely understand the necessity, but as an engineer that really grinds - we're no longer selecting the best technical solution to our business problem, we're selecting the best solution we're allowed...

Examples of some of these restrictions are stipulation of where our data centers may reside (more correctly, where certain business processes are executed, which in turn infers DC location to some extent), what services are allowed to listen on certain networks and even extra steps to our SDLC such as code reviews and external auditor testing.

Regulators exist to enforce the legislation that our business is subject to; their role in this governance is to ensure the integrity of our systems (fairness to customers), protect those at risk and, let's be honest, ensure the proper receipt of taxes and levies.  All things Betfair is absolutely committed to.  As an organisation we've always had a strong moral stance on this stuff and I totally encourage raising the bar on these standards - that only strengthens the competitive advantage we get from our investment in these areas.

The only thing I want to see done differently is a stronger focus on what and a looser focus on how.  I can appreciate that the simplest way to make sure people measure up to these standards is a degree of influence over the technical solution, but easier compliance isn't the only effect of this control.  Telling us where to put our servers or what data we're allowed to store can also result in a material increase in the cost of doing business or force us to own a system that's significantly more difficult to scale.  Requiring software patches to be reviewed before they can ship adds an expensive step to the SDLC that might, one day, result in a longer delay before we're able to close a security vulnerability - doesn't that defeat the purpose?

Why can't we operate a trust based system?  Require us to demonstrate certain levels of organisational and technical controls while giving us freedom to choose how we achieve it.  Treat companies which regularly exceed these requirements with a lighter touch - that will allow regulators to invest more in auditing and advising the organisations that need the most help.  I'd prefer a more results-based system that rewards higher internal standards and offers greater support for those struggling to make the grade.  That would let us treat compliance as an important input to our product development rather than a difficult external constraint.

That may not be perfect either but there has be a better way...

No comments: