Former LGA employee Valery Atanasov taken lightly over alleged irregularity reports

The  Lotteries and Gaming Authority’s preceding employee, Valery Atanasov  (now the Malta Gaming Authority), revealed to the Malta Independent on Sunday that in spite of him contacting a number of authorities, including the Internal Audit and Investigations Department (IAID), the police and the FIAU over alleged irregularities at his workplace. He felt they took him lightly and showed a nonchalant attitude towards his allegation. Atanasov filed an application in the Law Courts recently to be recognised as a whistleblower. He affirmed not only about his speaking to the aforementioned authorities about the alleged irregularities, but also about the handing over of a file of documents during a meeting held with an official at the Office of the Prime Minister. The Bulgarian national held his office with the Lotteries and Gaming Authority (LGA) between 2008 and 2015.

He told this newsroom: “As the only employee of the LGA responsible for the inspection and sealing of all Remote Gaming Operators (RGO) based in Malta for the period from May 2011 to July 2014, I established and duly informed my supervisors of a number of violations of the Remote Gaming Act. More precisely, violations relating to the fact that no changes to gaming systems can be made without the Authority’s prior approval, and that no gaming equipment can be used in the operation of an authorised game pursuant to an online betting or online gaming licence, without the prior approval of the Authority. Тhe law explicitly requires that all IT equipment of an RGO must be registered and approved by the LGA before it is used online.”

The sealing process, he explained, involves going on site to inspect servers. A sticker is placed on the server, which forms part of the gaming system, in order to know that the server is registered with a particular gaming company and has been certified by the LGA. If a server is replaced, the company is obliged to inform the LGA to reseal the server. In order to change a server, the company has to submit details regarding the new gaming system infrastructure to be reviewed by the authority and, if approved, would be given permission to install the new servers. Finally, the servers are sealed (using the stickers) to confirm that the new servers can go live.

Atanasov held that sealing is an important part of the procedure to ensure that no gaming equipment is used in the operation without the prior approval of the Authority, that the LGA has information for all the servers used for Remote Gaming from Malta and that there was no tampering with the Remote Gaming Systems.

Atanasov said he noted a number of irregularities, including companies that were operating without having their servers sealed, and others that spent periods of time operating on a Letter of Intent basis, without having a full licence. While this was practice at the time, some companies operated on a letter of intent for years, with some of them being closed down before they got their licence. That system ended in 2012.

Atanasov stated, he had been reporting irregularities to his superiors for quite some time and, in 2013, he approached the Internal Audit and Investigations Department (IAID). Atanasov showed this newsroom signed declarations he made before the IAID, where he had mentioned a number of cases.

One such case involves a major betting company. Atanasov claims that he had gone on-site to a data centre housing their servers, and together with another inspector found 10 racks of unsealed servers. He maintained that the company’s key official told him that the servers had not been sealed since 2008. He told the IAID that he had informed his supervisors about the situation and that a few days later the company received approval from the LGA for new seals. He also highlights that a second company was discovered to be in a similar situation.

Atanasov said he had taken his vacation in June, and upon his return, he found that “everything was cleaned in the LGA’s system and these two companies had passed the system review”. Atanasov mentioned a number of other examples, including one instance where he says he discovered a company in the process of transferring its business to another company without having notified the LGA.

Atanasov had a number of meetings with the IAID in January and February 2013 with his final meeting held in April 2013 as he felt the unit was not taking any action. In one meeting dated February 2013, the IAID declaration report read that on the “Attorney General’s instructions in writing dated 11 February 2013, IAID will try to verify the reliability of the information received through our powers as auditors/investigators and ‘that the matter should be referred to the police if concrete evidence is found which gives rise to a reasonable suspicion that a criminal offence has been committed’”.

Atanasov was called in by the Police Economic Crimes Unit, and a declaration signed 1 May 2013 details a question and answer session he had there. At that meeting, he mentioned some of the alleged irregularities. He was also asked by the unit whether the LGA had a system of monitoring remote gaming companies (at the time), like surprise visits, and he said he had no knowledge of it. He mentioned noticing that the LGA had two systems to monitor network devices constantly, “but most of the time they are switched off and only switched on when there are EU visitors.” Atanasov says he never heard again from the police unit.

In February 2013, he also contacted the Ombudsman, over both the alleged irregularities, as well as issues regarding alleged harassment. He was told that the Office of the Ombudsman does not investigate allegations of corruption as these fall within the competence of the Permanent Commission against Corruption. He was also told to contact the Occupational Health and Safety Authority (OHSA) with regard to his harassment allegations.

Atanasov contacted the Ombudsman again in 2016, sending his “official Protected External Disclosure” in terms of the Protection of the Whistleblower Act. The Ombudsman’s letter read: “As you were an employee of the Malta Gaming Authority, a public entity, the Whistleblowing Unit in the Office of the Ombudsman cannot accept your document as a protected external disclosure, as the issue does not fall within the remit of this Office… you should submit your protected External Disclosure to the External Whistleblowing Officer, at the Cabinet Office in the Office of the Prime Minister, as stipulated in Part 2 of the First Schedule of the Act.”

Atanasov says he sent an email to Prime Minister Joseph Muscat in February 2014, in an attempt to “make sure that he (the Prime Minister) was informed of irregular practices”. Atanasov said that he is willing to meet the Prime Minister to provide him with documents. The email does not contain a whistleblower request. In response, he said, the Prime Minister wrote: “What you are saying is a matter of concern and I thus urge you to report immediately to the Chairman of the LGA.”

Atanasov said he had been trying to discuss the situation with the LGA Executive Chairman and sent him an email. Atanasov said he was surprised when the chairman replied and “the Internal Auditor at the LGA was also copied in the reply I received, as he was one of the persons I was reporting. The next day a woman contacted me and heard me out.”

Atanasov claims, however, that he later realised that the woman was the wife of the very same internal auditor.

He had also contacted the Financial Intelligence Analysis Unit on 23 July 2014 and asked them for a meeting. In a document titled ‘whistleblower disclosure’, which he sent to the FIAU, he alleged that a group of gaming consultants had a certain amount of control over the licensing process for their clients.

He told the FIAU that on 18 July 18, he had a meeting at the Office of the Prime Minister with a certain official and that he had “presented a number of documents that provided evidence of specific people’s involvements in corruption schemes in the gaming sector”.

He also said in the document that he wanted to “provide the facts and a number of documents to support my statements which will prove: No control over gaming transactions; No control over money flow generated by Remote Gaming; Lack of control and monitoring in the Remote Gaming Sector – companies operating from Malta without their gaming systems being licensed; Ineffective systems and compliance audit of Remote Gaming Operators; Non-transparent procedures and unspecified rules in the sector; Unregulated lobbying in favour of certain persons and companies – companies receiving licenses without having complied with the procedures and requirements.”

In an email to him dated 21 August, an FIAU official said that he had been in contact with officials from the Office of the Prime Minister, the Office of the Attorney General and the Ministry for Justice, Culture and Local Government in order to definitively clarify reporting procedures insofar as such disclosures are concerned.

The FIAU told him that it could not accept his protected disclosure since he worked in the public sector and the FIAU “is an Authority prescribed to receive external disclosures from the private sector”. It told him that, as per the Whistleblower Act, an employee of the Lotteries and Gaming Authority should direct their submission to the External Disclosure Unit within the Government of Malta.”

He also contacted the Permanent Commission Against Corruption but was told in a letter that the Permanent Commission Against Corruption only investigates external allegations (in terms of the Whistleblower’s Act) from the private sector.

Atanasov told this newsroom that he did not file a whistleblower request with the Secretary at the Cabinet Office at the OPM because at this point he was discouraged after having gone around in circles and that he had already sent an email to the Prime Minister and spoken to an OPM official.

Allegations investigated in 2014, no irregularities found – MGA

The Malta Independent on Sunday contacted the Malta Gaming Authority and asked it a number of questions.

While Atanasov gave detailed accounts of the alleged irregularities in the sealing process to the authorities, the MGA, in its replies reproduced below, admits that there were “occasional” situations where servers were not tagged or sealed, but says that sealing itself was an “outdated and non-critical” process.

The MGA was asked what action it took on the allegations made by Atanasov, and what investigations took place.

“Valery Atanasov’s allegations were investigated by our Internal Auditor way back in 2014. As a result, no irregularities were found. It is unfortunate that Valery Atanasov keeps making such unfounded and baseless allegations against the MGA and its employees. We look forward to the opportunity to provide all the information, explanations and evidence in the Law Courts to clear this matter once and for all,” the MGA responded.

The MGA was asked to confirm or deny the irregularities and for their comments.

“Valery Atanasov’s allegations centre around an outdated and legacy process called ‘sealing’ which was only an internal, non-critical inventory control procedure which has since been discontinued and replaced by the process of tagging of equipment solely for inventory control purposes.

“The Authority employs other procedures which include third party technical audits and spot checks, data extractions (physical and remote), lab certificates of critical components (e.g. servers, random number generators), website/data centre traffic monitoring and verification of replication procedures for data not hosted in Malta.

“Furthermore, gaming companies are allowed to use cloud-based solutions which are approved by the MGA before going live. This provides the Authority with the required assurances and capability to conduct its supervisory functions effectively. The Authority also audits its licensees’ information security procedures and processes against an internal manual largely adopted from international technical standards. This provides a far more comprehensive control environment than any physical sealing. It is pertinent to point out that servers can also be located overseas in line with the freedoms established under the EU treaty and hence the shift in ensuring that such servers are located in ISO certified data centre facilities, having world-class standards, which includes ongoing surveillance and 24/7 CCTV monitoring.”

The MGA was also asked why some gaming companies, under the LGA’s time period, were allowed to operate without having their servers sealed, and what action was taken against said companies.

The MGA responded: “The sealing of servers was an internal, non-critical procedure which has since been discontinued. It was in place mainly for inventory control purposes and was not a legal requirement. It was never considered as a material breach from a regulatory standpoint so in the occasional event of servers not being sealed or tagged, explanations were always sought from the relevant licensee and matters regularised accordingly.”

This newsroom asked the MGA to confirm that some companies, during the LGA’s time period, were allowed to operate without a licence and just with a letter of intent, to which the MGA said: “The practice of letters of intent was discontinued more than five years ago. It was considered as a ‘testing licence’ by the previous management but have since been revoked and/or converted into full licences by June 2012.”

The MGA also said that today “all companies operate with a full licence”.