Compliance by design: engineering a platform for the new rules

You cannot bolt compliance onto a finished product. In a regulated setting it has to be part of the architecture, present from the first line of code.

Most software treats compliance as a late addition: build the product, then add the checks a regulator asks for. In a regulated sector that order is backwards, and expensive. The controls a regulator, an auditor and a bank will ask about touch the deepest parts of a system: how data is stored, how money is counted, how activity is recorded. Adding them late means rebuilding. Building for them from the start is what we mean by compliance by design.

Here is what that looks like in practice.

Keep personal data where it belongs

Customer information should stay inside the jurisdiction that governs it, and only the systems that genuinely need it should ever see it. A well-designed platform draws a hard boundary: the parts that handle identity and money are separated from the parts that do not need personal data at all. When that boundary is enforced in the structure of the system rather than by policy alone, a whole class of privacy and data-residency problems simply cannot occur.

Verify and monitor as core services

Know-your-customer checks, anti-money-laundering screening and monitoring are not features to sprinkle on top. They are services the platform runs as a matter of course: identity and eligibility confirmed at onboarding, activity watched for the patterns that matter, and every decision written down. When a compliance officer or an examiner asks what happened, the answer is already recorded, not reconstructed.

Protect the customer by default

Responsible-gambling tools only work if they are enforced. Deposit and loss limits, cool-off periods and self-exclusion should be built into the flow so that they hold, automatically, rather than depending on someone remembering to apply them. Designing for the customer's protection is both the right thing and a regulatory expectation.
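The two preceding sections describe protections that hold because they sit in the flow, with every decision written down. The following is an added illustration, not code from the article or from any real platform: a hypothetical customer record with an assumed daily deposit limit, self-exclusion and cool-off fields, and a deposit path that refuses anything the rules forbid and records the outcome either way. The customer data, limits and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional


class DepositRefused(Exception):
    """Raised when a deposit would breach one of the customer's protection rules."""


@dataclass
class Customer:
    # Hypothetical customer record; the limit fields are assumed for this example,
    # not taken from any real platform.
    daily_deposit_limit: Decimal
    self_excluded_until: Optional[datetime] = None
    cool_off_until: Optional[datetime] = None
    deposits: list = field(default_factory=list)   # (timestamp, amount) accepted so far
    decisions: list = field(default_factory=list)  # every accept/refuse outcome, in order


def _record(customer: Customer, now: datetime, amount: Decimal, outcome: str, reason: str) -> None:
    # Every decision is written down at the moment it is made, accepted or not.
    customer.decisions.append(
        {"at": now.isoformat(), "amount": str(amount), "outcome": outcome, "reason": reason}
    )


def rolling_total(customer: Customer, now: datetime) -> Decimal:
    """Sum of deposits accepted in the 24 hours ending at `now`."""
    window_start = now - timedelta(hours=24)
    return sum((amt for ts, amt in customer.deposits if ts > window_start), Decimal("0"))


def deposit(customer: Customer, amount: Decimal, now: datetime) -> Decimal:
    """Run the protection rules in order; accept the deposit only if all of them hold.
    Returns the rolling 24-hour total after acceptance."""
    def refuse(reason: str) -> None:
        _record(customer, now, amount, "refused", reason)
        raise DepositRefused(reason)

    if amount <= 0:
        refuse("amount must be positive")
    if customer.self_excluded_until is not None and now < customer.self_excluded_until:
        refuse("self-exclusion in force")
    if customer.cool_off_until is not None and now < customer.cool_off_until:
        refuse("cool-off period in force")
    new_total = rolling_total(customer, now) + amount
    if new_total > customer.daily_deposit_limit:
        refuse(f"daily deposit limit {customer.daily_deposit_limit} would be exceeded")
    customer.deposits.append((now, amount))
    _record(customer, now, amount, "accepted", "within limits")
    return new_total


def run_scenario() -> list:
    """Constructed walk-through returning the outcome of each attempt, in order."""
    t0 = datetime(2025, 1, 1, 12, 0)
    c = Customer(daily_deposit_limit=Decimal("100.00"))
    attempts = [
        (Decimal("60.00"), t0),
        (Decimal("50.00"), t0 + timedelta(hours=1)),   # 110 > 100: refused
        (Decimal("40.00"), t0 + timedelta(hours=2)),   # exactly 100: accepted
        (Decimal("10.00"), t0 + timedelta(hours=25)),  # first deposit has aged out: accepted
    ]
    outcomes = []
    for amount, when in attempts:
        try:
            outcomes.append(("accepted", str(deposit(c, amount, when))))
        except DepositRefused as e:
            outcomes.append(("refused", str(e)))
    c.self_excluded_until = t0 + timedelta(days=180)
    try:
        deposit(c, Decimal("5.00"), t0 + timedelta(hours=26))
    except DepositRefused as e:
        outcomes.append(("refused", str(e)))
    outcomes.append(("decisions_recorded", len(c.decisions)))
    return outcomes


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point of the shape is that there is no way to reach `customer.deposits.append` without passing every rule, and no way to pass or fail a rule without a decision entry being written; the refusal reasons are what a compliance officer would later read.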

Count money exactly

Money handled as approximate numbers eventually drifts, and drift in a regulated ledger is a serious problem. A sound platform uses exact decimal arithmetic throughout, so balances, bets and payouts always reconcile to the cent. Allocation and rounding are handled in ways that can be explained precisely, with no invented or lost value anywhere in the system.
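As an added example of the exact-arithmetic point (not code from the article), the block below shows the drift that binary floating point produces on a trivial sum, the same sum done with Python's `decimal` module, and a largest-remainder allocation that splits an amount to the cent without inventing or losing value. The allocation rule is one common choice, assumed here, not a method the article prescribes; the amounts and weights are constructed.

```python
from decimal import Decimal, ROUND_DOWN, getcontext

getcontext().prec = 28          # far more digits than a ledger needs; rounding is explicit below
CENT = Decimal("0.01")


def float_ledger(n: int) -> float:
    """Add 0.1 to itself n times in binary floating point."""
    total = 0.0
    for _ in range(n):
        total += 0.1
    return total


def decimal_ledger(n: int) -> Decimal:
    """The same sum with exact decimal arithmetic."""
    total = Decimal("0")
    for _ in range(n):
        total += Decimal("0.1")
    return total


def allocate(total, weights: list) -> list:
    """Split `total` across `weights` in proportion, to the cent, with no value invented or lost.

    Largest-remainder method: each share is rounded down to the cent, then the leftover cents
    are handed out one each to the shares that were rounded down the most. The sum of the
    result always equals `total` exactly, which is the property a ledger must keep."""
    total = Decimal(total)
    if total < 0 or total != total.quantize(CENT):
        raise ValueError("total must be a non-negative whole number of cents")
    if any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("weights must be non-negative and not all zero")
    total_weight = sum(weights)
    raw = [total * w / total_weight for w in weights]
    shares = [r.quantize(CENT, rounding=ROUND_DOWN) for r in raw]
    leftover_cents = int((total - sum(shares, Decimal("0"))) / CENT)
    # Stable sort: among equal remainders the earlier share wins, so the rule is deterministic
    # and can be explained exactly to an auditor.
    by_remainder = sorted(range(len(weights)), key=lambda i: raw[i] - shares[i], reverse=True)
    for i in by_remainder[:leftover_cents]:
        shares[i] += CENT
    assert sum(shares, Decimal("0")) == total   # reconciliation invariant
    return shares


if __name__ == "__main__":
    print("float:  ", float_ledger(10))          # not 1.0
    print("decimal:", decimal_ledger(10))        # exactly 1.0
    print("split:  ", allocate("100.00", [1, 1, 1]))
```

Note the deliberate use of string literals such as `Decimal("0.1")`: constructing a `Decimal` from a float would carry the binary approximation straight into the ledger.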

Make the record tamper-evident

The heart of an auditable system is a log that cannot be quietly rewritten. A hash-chained, append-only record links each entry to the one before it, so the whole history is sealed together. Change or remove a single record and a verification routine detects it immediately. That one property underwrites everything downstream: the reports a regulator receives, the transaction history a bank asks for, and the evidence an operator needs to demonstrate control.

Tamper-evidence is not about distrust. It is about being able to prove, to anyone with the right to ask, that the record is exactly what it says it is.
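The hash-chained, append-only record described above, as an added example rather than the article's own code: each entry commits to its predecessor's SHA-256 hash, a verification routine walks the chain from the start, and a small constructed scenario shows what an edited record, a deleted record and a truncated tail each look like to the verifier. The `AuditLog` class, its field names and the sample events are assumptions made for this illustration.

```python
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64   # the "previous hash" of the very first entry


def _entry_hash(index: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same payload always hashes the same way.
    material = json.dumps(
        {"index": index, "prev": prev_hash, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class AuditLog:
    """Append-only, hash-chained record. Each entry commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: list = []

    def head(self) -> str:
        """Hash of the latest entry; publish this out-of-band to make truncation detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, payload: dict) -> str:
        index = len(self.entries)
        prev = self.head()
        h = _entry_hash(index, prev, payload)
        self.entries.append({"index": index, "prev": prev, "payload": dict(payload), "hash": h})
        return h

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the start. Returns (True, None) if intact, else (False, index of
        the first entry that no longer fits). If `expected_head` is given, a chain that is
        internally consistent but ends somewhere else (entries cut from the tail) also fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["index"] != i or e["prev"] != prev or e["hash"] != _entry_hash(i, prev, e["payload"]):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def tamper_demo() -> dict:
    """Constructed scenario: build a small ledger, then show what each kind of tampering does."""
    log = AuditLog()
    log.append({"event": "deposit", "customer": "C-1", "amount": "50.00"})   # constructed sample
    log.append({"event": "bet", "customer": "C-1", "amount": "10.00"})
    log.append({"event": "payout", "customer": "C-1", "amount": "25.00"})
    anchored_head = log.head()
    results = {"intact": log.verify(anchored_head)}

    # 1. Quietly edit a stored amount.
    log.entries[1]["payload"]["amount"] = "1.00"
    results["edited"] = log.verify(anchored_head)
    log.entries[1]["payload"]["amount"] = "10.00"

    # 2. Delete a record from the middle.
    removed = log.entries.pop(1)
    results["deleted_middle"] = log.verify(anchored_head)
    log.entries.insert(1, removed)

    # 3. Drop the most recent record: internally consistent, so only the anchored head catches it.
    log.entries.pop()
    results["truncated_without_anchor"] = log.verify()
    results["truncated_with_anchor"] = log.verify(anchored_head)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The third case is the caveat a practitioner should take from this: a hash chain proves that nothing inside the history was altered, but it cannot by itself prove that the history is complete. Periodically recording the head hash somewhere the operator cannot silently change (a report already delivered to the regulator or bank, for instance) is what turns "no entry was rewritten" into "no entry was removed either".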

Move money deliberately, not automatically

Where funds cross a border, they should never move on a per-transaction basis in the dark. A well-built platform nets a whole period into a single instruction, produces a clear report, and waits for a person to authorise it. Nothing important happens without a human decision and a record of it.

Reporting the regulator can actually use

Finally, all of this has to come out in a usable form. Structured exports in the operator's reporting identity, ready for the authority and the bank, turn a pile of internal data into something an examiner can review without argument. When the underlying records are sound, the report is simply a view of them.

Why it matters under the new framework

Sri Lanka's 2025 reform raises the bar for the software behind gambling products. A platform built this way meets that bar as a matter of course, because the properties a regulator will look for are already true of the system. For a licensed operator, that is the difference between a product that is ready for examination and one that has to be made ready under pressure. Compliance by design is not a slogan. It is the cheapest and most credible way to be ready.
