* Emails point to data servers left "unsealed"
* Malta is a hub in global online gaming sector
* Sector watchdog says supervision is rigorous (Adds story first published on May 21 with further comment from regulator)
By Francesco Guarascio
BRUSSELS, May 26 (Reuters) - Malta let online gambling firms operate from the island across the European Union between at least 2012-2014 while failing to enforce its own rules on monitoring their computer servers, according to a former employee at Malta’s gaming regulator.
Malta has over the years attracted many foreign companies with low tax rates. In particular, the tiny Mediterranean country has become a hub for the thriving European online gambling industry, which includes online sports betting, web-based casinos, poker and other games.
Of the $38 billion of revenues generated worldwide in the sector in 2015, Europe alone accounted for 48 percent, industry data show. Malta has awarded around 500 online gaming licences, the highest number in Europe.
That means many international gaming companies use Malta-based servers to operate services across the EU – making the role of the Malta Gaming Authority (MGA) in overseeing the industry important not just locally but across Europe.
The MGA is charged with vetting applicants for gaming licences and ensuring against money-laundering and other suspicious transactions. An operating licence awarded in Malta allows an online gaming company to operate across the 28-country EU.
MGA monitors companies in part by telling its employees to attach stickers onto the computer servers used to run the gambling websites. Those stickers mark them with an ID number that must match the equipment registered with the MGA by the online operator.
This practice doesn’t modify the machine internally, but it enables the regulator to know which hardware a company is using for its online transactions, facilitating checks on that hardware if ever it suspected fraud or other illicit activity.
Such physical markers are a precondition for any gaming company to obtain a licence and be legally entitled to start operations, MGA rules state.
Yet three separate internal email exchanges shown to Reuters by Valery Atanasov, a former employee of the watchdog, showed representatives of three companies themselves referring to situations that were in breach of that system of markers, known as “seals”.
In at least a dozen other cases, Atanasov reported discrepancies at company sites to his managers at the MGA, which at the time was called the Lotteries and Gaming Authority (LGA), other emails showed.
Lax supervision “creates conditions that allow suspicious financial operations, money laundering and other criminal practices," Atanasov said, providing no specifics. The Bulgarian national was fired by the LGA in 2015 and is fighting his dismissal in the Maltese courts.
The regulator rejects Atanasov's accusations, saying it adheres to international standards in the fight against money-laundering and terror financing.
MGA chairman Joseph Cuschieri told Reuters there was no link between the practice of sealing and tax compliance and money-laundering.
"The MGA has other mechanisms in place to supervise tax compliance and money-laundering. The MGA audits its operators' information security procedures and processes against an internal manual largely adopted from international technical standards," he said.
Those procedures include third party technical audits and spot checks, data extractions, lab certificates of key equipment such as servers and other data traffic monitoring, he said.
Reuters has no evidence that any online gaming company engaged in wrongdoing and could not verify the assertions made by the participants in the email exchanges.
In one email 2012 exchange with an MGA official on which Atanasov was copied, Robert Zammitt, a consultant working for Swedish online gambling group Betsson said that most of the gambling servers used and registered by the firm's Maltese units had not been sealed for years.
"The majority of the servers were never sealed in the first place once installed," Robert Zammit, wrote in an email dated Feb. 1, 2012 to Jason Farrugia, an official at the-then LGA. Betsson had been operating in Malta since 2008. Zammit nonetheless wanted the computers to be sealed to make sure that Betsson could get a new 5-year licence, the exchange on regulatory requirements showed.
Cuschieri - Farrugia's manager - denied that Zammit’s email exposed a shortcoming. "All companies operating in and out of Malta undergo a rigorous licensing process and ongoing monitoring and supervision. Any claims to the contrary are simply unfounded," he told Reuters.
Zammit, senior associate at Maltese law firm WH Partners, said when contacted that he could not disclose information about the matter, citing Maltese law and client confidentiality.
Betsson Vice-President for Corporate Communication Pia Rosin told Reuters any allegations of non-compliance by the firm with Maltese rules had "no substance," and declined further comment.
In a separate exchange of emails dated March 13, 2013 of which Atanasov was one of the recipients, Angelo Dalli, director of Mr Green, an online casino whose parent company is Swedish, told Farrugia some of its equipment remained unsealed.
"I would like to set an appointment for equipment sealing for Mr Green – we have recently installed additional server equipment to improve our disaster recovery capabilities. Additionally there has been some equipment that has been unsealed for a long time as we had asked for a sealing appointment a long time (more than a year) ago but never got such an appointment."
In an emailed response to Reuters inquiries, Dalli said Mr Green has always been in compliance with Maltese requirements. "The MGA was always kept aware of the situation and we were never in breach of any rules," Dalli said.
According to the MGA's website, any company setting up an online gaming operation must submit a diagram of its computer network to the MGA. Once approved by the MGA and the computers installed, an MGA official goes to the site to tag the hardware and check it corresponds to what was listed on the diagram.
The process involves placing a yellow inventory sticker on each piece of equipment and white stickers binding the hardware to the racks on which it is mounted. In the event of a broken sticker – which could point to an attempt to remove or replace the hardware in order to hide its transactions from supervision - a detailed incident report has to be filed with the MGA.
Even as some companies sought the stickers so they would be operating legally, Atanasov said he refused to put them on equipment on sites where there were discrepancies between the numbers of computers in operation and what was included on the diagram approved by the MGA. He says he feared that by ignoring such irregularities and sealing them anyway, he would be contributing to lax supervision.
His refusal, however, drew complaints from licensed companies and their consultants.
One such complaint was made by Anthony Axisa, a consultant working on behalf of the iGame gambling firm, in an email dated Jan. 18, 2013.
"It has come to my attention that for the umpteenth time you went to seal equipment belonging to a client and left without sealing on the pretext that there was a discrepancy between the diagram presented and the equipment on location," Axisa wrote to Atanasov, accusing him of going beyond his remit.
"I cannot be expected to keep track of the version of diagram that you turn up with on the day," said Axisa, who was chief regulatory officer for the LGA until 2007.
Atanasov said he found 11 servers that had not been sealed since March 2012 when iGame started its online betting. He refused to seal them because he said those servers did not match what iGame had declared for registration to obtain its licence.
Contacted by Reuters, Axisa said iGame, part of the Stockholm-listed Kindred Group, "has always been and continues to be fully compliant with each and all the laws of the land".
Sweden’s state monopoly on gambling has been a factor in the rise of online gambling there, with companies like Betsson and Kindred able to operate outside Sweden.
Sven Giegold, a German lawmaker who is a member of the European Parliament committee of inquiry into money laundering and tax evasion, said the emails provided by Atanasov raised serious concerns.
“Malta's strength as a location for online gambling is based on weak supervision," Giegold told Reuters.
The European Commission, in charge of monitoring the functioning of the European Union’s single market, declined to comment on Maltese supervisory practices. There is no EU law on gambling services, but national regulators meet regularly to improve cooperation.
Following complaints by operators about Atanasov, the LGA opened disciplinary procedures against him in 2013. This led to his suspension on July 1, 2014 and dismissal on Feb. 26, 2015, on grounds of insubordination, documents related to his lawsuit for unfair dismissal show. The MGA declined to comment on what it said was a pending case.
"Valery Atanasov was not given a managerial role (...). He simply had to record discrepancies and then seal all equipment," a document signed by a disciplinary board of lawyers appointed by LGA in Jan. 2015 said. "It was not up to him to evaluate whether any item of equipment should be sealed or otherwise," the document, signed by lawyers David Camilleri, Philip Magri and Alex Sciberras, said.
The lack of sealing "meant that the operators could not continue operating legally since their use of unsealed equipment was irregular and in breach of their license," the document added.
Atanasov said he had raised his concerns with Malta’s financial investigation body, the Internal Audit and Investigations Department (IAID), but had received no reply several months after his complaints. IAID declined to comment on the case.
The MGA to this day requires hardware to be marked with stickers as part of the registration process leading to a company being awarded a licence. However MGA head Cuschieri said the act of sealing was not a legal requirement in itself.
"Any procedure that is not mandated by law can in fact be delayed, postponed or done away with should the Authority be satisfied that other assurances are in place," he said.
While he asserts that there was no breach in the MGA’s supervision, Cuschieri said the arrangements in place at the time of the events described by Atanasov proved “outdated” and were upgraded around two years ago as part of a new system called "tagging".
Atanasov said there was no difference between the MGA website’s description of its current tagging practice as being based on white and yellow stickers, and what he performed when he was working for the watchdog.
"Sealing and tagging means the same,” he said.
Asked to respond to that point, Cuschieri repeated that the two systems were different but said he could not elaborate in an email exchange on what were commercially sensitive operational processes. (Editing by Mark John and David Stamp)