GLI-19 & GLI-33 Affiliate Tracking Standards: Audit Readiness Guide

GLI-19 (interactive gaming) Section 4 and GLI-33 (sports betting) Section 6 specify affiliate-tracking requirements often missed: data integrity (every click→FTD must be auditable), retention (5+ years for licensed jurisdictions), separation of duty (affiliate manager cannot modify tracking data), and external audit support. Operators audited by GLI for license renewal frequently fail on affiliate-data-retention - 4-of-10 audited iGaming operators in 2025 had findings here.

Understanding GLI-19 and GLI-33 Standards

affiliate trackingaudit support

Why does this matter for CTOs? Because affiliate platforms sit at the intersection of two compliance worlds: marketing (affiliate recruitment, promotional compliance) and gaming (money flow, fraud detection). GLI standards treat affiliate data as part of the critical transaction log. A click, an FTD (first time deposit), a bonus award, and a payout - all must trace back to the same user, the same affiliate, the same session. If any link breaks, the audit finding sticks. If affiliate managers can modify tracking data post-facto, separation of duty fails. If records are deleted after 2 years instead of retained for 5+, record-retention compliance fails.

Affiliate-Tracking Requirements Across 8 GLI Sections

Both GLI-19 and GLI-33 distribute affiliate-tracking requirements across core sections. Most operators identify Sections 4 and 6 immediately, but miss implications in Sections 2, 3, 5, 7, 8, and 9. Below is the cross-reference map.

Section 4 is the affiliate-tracking nucleus. But Section 2 (System Integrity) and Section 3 (Data Protection) force architecture: every click logged, every log immutable, every role segregated. Section 8 (Audit Trail) is the execution layer - auditors will request exports, and your affiliate platform must produce them in the format GLI testers expect.

Affiliate Platform Mapping to GLI Requirements

Affiliate platforms like Track360 map to GLI standards via core infrastructure:

• Immutable Click Log (Sections 2, 4, 8). Every inbound click records timestamp, affiliate ID, source URL, device fingerprint, user IP, session cookie. Logs append-only (no modification post-facto). Exports include all fields in standardized CSV format for audit teams.
• S2S Postback Verification (Section 4). Operator sends FTD confirmation back to affiliate platform. Platform cross-references click→FTD timestamp; flags gaps >30 seconds (potential click-stuffing). Postback marked as received; stored immutably.
• Role-Based Access Control (Section 3). Affiliate managers view commission dashboard but cannot edit transaction logs or export raw data. Audit-manager role can export; compliance role can certify exports. Logs track who accessed what, when.
• Retention Policy Enforcement (Sections 7, 8). Platform auto-archives records at 5-year thresholds per jurisdiction (MGA=7yr, GGL/ADM=5yr). Archive logs include deletion timestamp and reason.
• Commission Reconciliation Module (Section 9). Monthly settlement report matches tracked commissions to payouts; variance flags trigger investigation workflow. PDF export includes attestation line ("Reviewed by [Compliance Officer] on [Date]").
• Audit Trail Export (Section 8). Scheduled export (daily, weekly, on-demand) in GLI-approved format (XML or CSV). Includes filtering by date range, affiliate, product, transaction type. Exports are signed (hash verified) to prevent tampering in transit.
• Fraud Detection Rules (Sections 3, 4, 9). Behavior-based flagging: multi-accounting, cookie-stuffing, bonus-stacking. Flagged records held from commission payout pending review.
• External Audit Support (Sections 5, 8). Platform provides audit-specific role (read-only access to all logs), export scheduling, and PDF audit reports. GLI testers authenticate directly into platform to verify logs match system behavior.

Common Audit Findings from 2025 GLI Reviews

Operators preparing for GLI renewal audits have reported 4 recurring findings in 2025. Understanding these patterns helps CTOs prioritize remediation.

1. Affiliate Data Retention Gap (40% of audited operators). Affiliate platforms delete click logs after 2 years; GLI requires 5-7 years per jurisdiction. Finding: "Affiliate click and commission records not retained per Section 7." Remediation: Extend retention policy, backfill historical logs if possible, or document archive procedure for auditor.
2. Missing Affiliate Source Attribution (35%). Operators issue signup bonuses without capturing affiliate source; bonus audit trail incomplete. Finding: "Bonus awards not traceable to affiliate source per Section 6 (GLI-33)." Remediation: Tag all promos with affiliate ID; cross-reference bonus-code redemption to affiliate postback.
3. Affiliate Manager Access to Transaction Logs (25%). Affiliate platform grants affiliate managers read access to raw transaction ledger (should be read-only audit role only). Finding: "Separation of duty violated; affiliate manager can export transaction data per Section 3." Remediation: Revoke transaction-log access from affiliate-manager role; audit-manager role only.
4. Audit Trail Export Format Mismatch (20%). Operators export affiliate logs in custom CSV with missing fields or non-standard date format; GLI testers cannot parse. Finding: "Audit trail export does not comply with standardized format per Section 8." Remediation: Align export schema to GLI-approved format (consult your affiliate platform or GLI tester for specification).

Each finding delays license renewal by 3-6 months and requires audit-firm re-engagement. Proactive mapping prevents this cost.

12-Point Pre-Audit Compliance Checklist

Use this checklist 8-12 weeks before your GLI audit. Assign each to a responsible owner (CTO, Compliance Officer, Affiliate Manager) and validate by your audit-firm liaison.

1. Verify affiliate retention policy matches your licensed jurisdiction (MGA=7yr, GGL/ADM=5yr). Document in writing; attach to audit brief.
2. Export a sample of 100 clicks from last 30 days. Verify timestamp, affiliate ID, source URL, device fingerprint, and user IP are all populated. No missing fields.
3. Cross-reference 10 sample clicks to FTD records. Confirm timestamp gap ≤30 seconds (click time to deposit time). Flag any outliers.
4. Test S2S postback endpoint. Send test FTD confirmation; verify platform receives and logs within 60 seconds. Check postback log format matches GLI specification.
5. Audit role access: Confirm audit-manager and compliance-manager roles can export logs; affiliate-manager role cannot export or edit logs. Test login.
6. Commission reconciliation: Run last 12 months' settlement reports. Verify variance ≤0.5% (tracked commissions vs. paid). Investigate any gap >1%.
7. Bonus attribution: Test bonus-code redemption. Confirm bonus awards link to affiliate ID and affiliate postback. No orphaned bonuses.
8. Fraud detection logs: Review last 30 days of fraud flags. Verify flagged transactions held from payout; unflagged commissions settled. Check procedure documented.
9. Audit trail export: Request export in GLI-approved format (XML or CSV, to be confirmed with your affiliate platform). Verify schema and row count against expected volume.
10. Log immutability: Review system configuration. Confirm affiliate platform logs are append-only; no edits or deletions post-facto. Document control procedure (e.g., role-based access to delete function).
11. Jurisdiction-specific fields: Confirm logs include jurisdiction identifier (e.g., MGA license ID, GGL license ID). Auditor will spot-check matching.
12. Audit firm walkthrough: Schedule 2-hour session with your GLI auditor-to-be. Review affiliate platform demo, sample logs, export format. Resolve any questions before formal audit.

FAQ: GLI Standards and Affiliate Tracking

Affiliate tracking is no longer a marketing afterthought. GLI standards embed it into the core transaction log, audit trail, and compliance record. CTOs who invest 8-12 weeks in pre-audit mapping - verifying retention policy, testing S2S postbacks, validating role-based access, and aligning export schemas - avoid the majority of audit findings. Start with the 12-point checklist above; engage your affiliate platform vendor or audit firm for Section 4 and Section 8 specifics.