Case study
iGaming Licensing Academy — Operator Onboarding Across Three Jurisdictions
We embedded a certification track into an existing partner portal, cut operator onboarding from six weeks to eleven days, and passed two regulator inspections with zero training-record findings.
Summary
An iGaming B2B platform provider needed to systematise operator onboarding across three regulatory jurisdictions. We integrated a certification track into their existing partner portal — operators' compliance staff complete jurisdiction-specific training before go-live, the platform releases licensing tooling automatically on completion, and the audit trail satisfies regulator inspections.
Headline
Operator onboarding cut from 6 weeks to 11 days · 80% reduction in success-team time · 0 audit findings
Industry
iGaming
Engagement
Integration
The challenge
Operator onboarding was a manual marathon — the partner success team walked each new operator through compliance requirements over six weeks of calls and email threads. The process did not scale, regulator audits required reassembling evidence from email, and operator staff turnover meant the same training happened over and over.
How we approached it
- Audited the existing partner portal, identified integration points and the tenant model
- Embedded a certification module into the partner portal under SSO — operator staff sign in once and see training, products and compliance docs in one place
- Built per-jurisdiction course tracks: Malta MGA, Curaçao GCB, Isle of Man GSC, with shared modules for general AML
- Wired completion events into the platform's product release flow — passing the cert unlocks licensing tooling for that jurisdiction automatically
- Audit trail exports nightly to the operator's compliance archive via SFTP, format agreed with the regulator's inspection team
Timeline
- 1
Audit phase
Weeks 1–2
- Existing partner portal architecture documented
- Integration touch points identified (SSO, product release flow, audit trail)
- Tenant model decision (operator-as-tenant vs. shared catalogue)
- 20-page audit report with risk register and migration plan
- 2
Build & integration
Weeks 3–6
- Certification module on Cloudflare Workers + Postgres
- Okta SSO integration with existing portal session
- Per-jurisdiction course tracks (MGA, Curaçao GCB, IoM GSC)
- Product release webhook — passing cert unlocks licensing tooling
- 3
Cutover & audit trail
Weeks 7–8
- Pilot operator onboarded end-to-end (under 14 days)
- Nightly SFTP audit trail export to operator compliance archive
- Regulator inspection audit-pack format agreed with MGA team
- Cutover for full operator base over a planned weekend
Outcomes
- Operator onboarding reduced from ~6 weeks to 11 days median
- Partner success team time on routine onboarding cut by ~80%
- 3,200 operator staff certified in the first 6 months
- Two regulator inspections passed with the new audit trail with zero findings on training records
- Platform extended to two additional jurisdictions on the same architecture in 2026
The shape of the problem
iGaming operator onboarding sits at an awkward intersection of regulation, product, and partner success. The B2B vendor has dozens of operator clients, each with their own compliance officers, each going live in one or more jurisdictions, each subject to a slightly different set of regulator-driven training requirements. The vendor’s partner success team had absorbed all of that complexity manually, which worked while there were a handful of operators and stopped working as the operator count crossed forty.
The problem we were asked to solve was deceptively simple: make this scale. The actual problem was the audit trail. Regulators were starting to ask for evidence that operator staff had completed compliance training before specific licensing tools went live. Reconstructing that evidence from email threads and CRM notes was the kind of work that destroys teams.
Why integration, not a fresh build
The vendor already ran a B2B partner portal that operators logged into daily. It hosted product documentation, licensing tooling, support ticketing, and compliance documents. Adding another portal — a separate certification site that operator staff had to log into separately — would have doubled the onboarding friction the project was meant to remove.
So this was an integration project, not a build. We embedded the certification module inside the existing portal, sharing the Okta SSO session, sharing the operator-as-tenant data model, and adding a single new section to the navigation. From the operator staff’s point of view, certification became a tab in the portal they already used. From the audit team’s point of view, the certification audit trail joined the same event log as every other portal action.
The webhook that runs the business
The integration that mattered most was the smallest one to describe: a webhook from the certification module to the product release flow. When an operator’s compliance officer passes the jurisdiction-specific exam, the certification module fires a signed webhook to the partner portal. The portal verifies the signature, looks up the operator’s tenant, and unlocks the corresponding licensing tooling for that jurisdiction.
It’s two API calls and a database update. It also ate something like 40% of the onboarding time and put the partner success team out of the role of being a manual gatekeeper for things a regulator could check automatically.
We treated this webhook as the riskiest piece of the integration from day one. It has its own monitoring, its own alerting, a circuit breaker for failed signatures, and a manual-override flow for the support team in case it ever silently fails. So far, in production, the manual override has been used twice — both legitimate exceptions, neither caused by a webhook failure.
What changed in week three
The original design had three independent course tracks: Malta MGA, Curaçao GCB, and Isle of Man GSC. After the discovery phase we noticed that maybe 60% of the content was shared — general AML, KYC, transaction monitoring, basic compliance hygiene — and only 40% was jurisdiction-specific.
In week three of the build we refactored to a shared catalogue with jurisdiction overrides. Authors maintain a single core curriculum and a separate, smaller jurisdiction module per regulator. When MGA updates a regulation, only the jurisdiction module changes; the rest of the platform stays still. The vendor’s content team estimates this saves about 40% of their time on every update cycle. It also makes it easier to add new jurisdictions — which has now happened twice in the year since the original cutover.
Cutover
We cut over on a planned weekend in week eight. The pilot operator had been live in parallel for two weeks; their data was the canary. Cutover itself was three hours: DNS update, portal redeploy with the new section enabled, smoke test on a subset of operators, full rollout. The Monday morning support load was lower than a normal Monday; the partner success team had nothing to do during the cutover window because the operators were already logging into the same portal they always logged into.
The first regulator inspection arrived four months later. The audit-pack export — generated nightly to the operator’s compliance archive — had every piece of evidence the inspection team asked for, in the format they had agreed in advance. Zero findings on training records. Six months later, a second inspection in a different jurisdiction; same result.
Where it is now
The platform has been extended twice since the original launch — once to add a fourth jurisdiction, once to add a recertification cycle for operator staff who originally certified more than 18 months ago. Both extensions reused the existing architecture; neither required a re-architecture. That’s the test we apply to integrations: did the foundations hold?
For this project, they did.
What we learned
- Embedding inside the existing portal was the right call. We considered launching a standalone certification site; it would have doubled the onboarding friction the project was trying to remove.
- The product release webhook (cert pass → tooling unlock) was the highest-leverage integration we built. It's also the one most likely to break silently — we added monitoring on it before any other observability.
- Per-jurisdiction course tracks share more than they differ. We initially designed three independent tracks, then refactored to a shared catalogue with jurisdiction overrides — saved 40% of content-team time on every update.
- SFTP audit export is unromantic but it's what the regulator's inspection team actually wanted. We had pushed for an API; the team had pushed back. They were right.
Want fuller details under MNDA?
On request we share extended versions of NDA cases with named clients, architecture diagrams and full delivery numbers, under a mutual non-disclosure.