1. Entity Level

Management Integrity

1.1 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions.

Requirements – At a minimum:

  1. Matters identified in management letters from internal and external auditors and matters identified by the Registrar shall be responded to in a timely manner.
  2. All applicable laws and regulations shall be adhered to.
  3. Operators and gaming-related suppliers shall create and abide by a code of conduct which addresses at a minimum conflicts of interest and transparency in dealings with the Registrar. The code of conduct must be regularly reviewed by the organization’s senior management.

    Guidance: Management in the context of this Standard refers to executives and senior level management who have the day-to-day responsibility of managing the business of
    the organization.

Sound Control Environment

1.2 Formal control activities shall be submitted to the Registrar which have been assessed by an independent oversight function acceptable to the Registrar for alignment with the Standards and Requirements and authorized by the appropriate level of management.

Requirements – At a minimum:

  1. A process shall be in place to periodically review control activities for effectiveness in fulfilling the Standards and Requirements and to document, remedy and adjust the controls where deficiencies or gaps are found.
  2. Substantial changes to the control environment shall be communicated to the Registrar in a timely manner.
  3. Control activities must be available to the AGCO (or its designate) for regulatory assurance purposes.

    Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator or gaming-related supplier and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator / gaming-related supplier depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.

    Additional Guidance for Gaming-Related Suppliers: In the application of the entity level Standards and Requirements, it is recognized that some gaming-related suppliers, particularly suppliers of gaming equipment, operate in jurisdictions in addition to Ontario and may be limited in their ability to design and implement control activities based solely on the Standards and Requirements. The intent is that these Standards and Requirements apply to gaming-related suppliers in respect of their conduct in Ontario. At a minimum, the entity level Standards and Requirements seek assurance that gaming-related suppliers, including suppliers operating in multiple jurisdictions, will have acceptable control activities and that periodic review for gaps in control activities is carried out and that the suppliers ensure that the control activities are followed where such control activities affect the respective supplier’s conduct in Ontario.

1.2.1 Removed, March 2022.

1.3 Removed, September 2020.

1.4 Removed, September 2020.

1.5 Removed, September 2020.

1.6 Removed, September 2020.

1.7 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request.

Requirements – At a minimum:

  1. Approval from at least two senior-level managers is required in order to override any
    control activity, and in each instance the override shall be reported to the Board or other
    governance structure where a Board does not exist

    Guidance: The intent of this Standard is to allow senior-level management to override
    controls on a one-off basis in necessary circumstances and to ensure that appropriate
    documentation is maintained for auditing purposes. This Standard is not intended to
    address permanent changes to the control environment.

​1.8 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.

Organizational Structure and Capabilities

1.9 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities.

Requirements – At a minimum:

  1. Employees involved in performing control activities must be trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate and the regulatory objectives reflected in the Standards and Requirements.

1.10 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized.

Requirements – At a minimum:

  1. Employees shall be given the appropriate and documented authority and responsibility to carry out their job functions, subject to supervision.
  2. The adequacy of segregation of duties as they relate to player protection, game integrity and protection of assets shall be regularly reviewed by the organization’s internal audit group or other independent oversight function acceptable to the Registrar.
  3. Operators must maintain an up to date organizational chart showing key reporting lines and relationships, and make it available to the Registrar upon request.

1.11 Management clearly understands its accountability and authority for the control environment.

Requirements – At a minimum:

  1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate and the regulatory objectives reflected in the Standards and Requirements.

1.12 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated.

1.13 All surveillance recordings shall be retained for a minimum period as specified by the Registrar.

Oversight

1.14 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.

Requirements – At a minimum:

  1. Documentation shall be reviewed and analyzed to ensure compliance with the Standards and Requirements, and approved by management.
  2. Internal and external auditors shall be granted access to all relevant systems, documentation (including control activities) and resources for the purpose of conducting an audit.
  3. Where directed, Operators and gaming-related suppliers shall retain an independent auditor acceptable to the Registrar to carry out audits required by the Registrar and provide copies of the audit reports to the Registrar.

    Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where he considers necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
  4. In reviewing control activities for compliance with the Standards and Requirements, internal and external auditors shall take into account the Registrar’s expectations, as articulated herein.

1.15 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.

Requirements – At a minimum:

  1. A compliance oversight function shall be established that is independent of the activities it oversees.

    Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
  2. An internal audit function shall be established that regularly audits the organization’s control environment and compliance management framework and exercises oversight that is independent from operational management. The internal audit function shall have the authority to independently review any aspect of the operations.

    Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
  3. The compliance oversight function and internal audit or other independent oversight function shall have direct and unrestricted access to the Board, or other governance structure, and shall report on all important issues regarding compliance on a regular basis or as necessary.
  4. The Board, or other governance structure, shall establish a committee or committees to oversee the organization’s compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
  5. Members of the Board, or other governance structure, and of any committees established to oversee the organization’s compliance and audit oversight functions shall understand the business’s operations, initiatives and major transactions, and shall have the skills, training, experience and independence to carry out their fiduciary responsibilities.

1.16 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.

Requirements – At a minimum, Operators shall:

  1. Issues raised through the “whistleblowing” process must be addressed and communicated to the Board in a timely manner.

1.17 Registrants shall engage with the Registrar in a transparent way.

Requirements – At a minimum, Operators shall:

  1. Provide reports regarding any incident or matter that may affect the integrity or public confidence in gaming, including any actions taken to prevent similar incidents from occurring in the future, in accordance with the established notification matrix.
  2. Provide reports regarding any incident of non-compliance with the law, Standards and Requirements or control activities, including any actions taken to correct the cause of noncompliance, in accordance with the established notification matrix.
  3. [Removed September 2020.]
  4. Make available any data, information and documents requested by the Registrar.
  5. [Removed September 2020.]

Information Technology

1.18 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.

Security Management

1.19 Users shall be granted access to the gaming system based on business need.

Requirements – At a minimum:

  1. Access privileges are granted, modified and revoked based on employment status and job requirements and all activities associated with these actions are logged.
  2. Access privileges are independently reviewed and confirmed on a periodic basis.

1.20 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.

Requirements – At a minimum:

  1. All accounts for business users shall be uniquely assigned to an individual.
  2. All system accounts (or other accounts with equivalent privileges) shall be restricted to staff that provide IT support, and mechanisms shall be in place to secure and monitor use of those accounts.

1.21 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.

1.22 Industry accepted components, both hardware and software, shall be used where possible.

1.23 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.

1.24 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.

1.25 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.

1.26 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches.

Requirements – At a minimum:

  1. All users shall be authenticated.
  2. All components shall be hardened in accordance with industry and technology good practices prior to going live and prior to any changes.
  3. The appropriateness and effectiveness of steps taken to harden technology components shall be regularly assessed.
  4. Patches to correct any security risks shall be updated regularly

1.27 Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate.

Requirements – At a minimum:

  1. Attempts to attack, breach or access gaming system components in an unauthorized manner shall be responded to in a timely and appropriate manner.
  2. Intrusion attempts shall be actively detected and where possible prevented from causing disruption or outage of the gaming system.
  3. There shall be adequate logging to capture and monitor any attempts to attack, breach or access in an unauthorized manner any components of the gaming system. There shall be an appropriate escalation procedure.

1.28 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.

1.29 Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.

Change Management

1.30 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house.

1.31 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.

1.32 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended.

1.33 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved.

Requirements – At a minimum:

  1. All gaming system technology components are installed and maintained in accordance with the appropriate change management procedures.
  2. Requests for changes and maintenance of the gaming system are standardized and are subject to change management procedures.
  3. Emergency changes are approved, tested, documented, and monitored.
  4. Change management procedures shall account for segregation of duties between development and production.
  5. Only dedicated and specific accounts may be used to make changes.

1.34 The gaming system shall be able to detect unauthorized changes.

Data Governance

1.35 Data governance shall be in place to address data processing integrity and protection of sensitive data.

1.36 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times.

Requirements – At a minimum:

  1. The gaming system shall ensure that data is appropriately backed up in a manner that allows it to be completely and accurately restored.
  2. Data backups shall be stored off-site in a secure location and in accordance with applicable policies and laws.

1.37 Player information shall be securely protected and its usage controlled by OLG.

Requirements – At a minimum:

  1. Data collection and protection requirements for player personal information shall meet those set out in the Freedom of Information and Protection of Privacy Act.
  2. Player information shall only be used for OLG’s business unless there is prior approval from OLG.

1.38 Removed January 2022.

1.39 Communication of sensitive game data shall be protected for integrity.

1.40 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events.

Requirements – At a minimum:

  1. Proactive monitoring and detection of errors in the gaming system and related components shall be in place. Action shall be immediately taken to correct incidents of non-compliance with the Standards and Requirements or control activities.
  2. There shall be time synchronization of the gaming system environment and related components.
  3. Event data shall be retained to provide chronological information and logs to enable the reconstruction, review and examination of the time sequences of processing.

1.41 Gaming applications on all portable devices shall be appropriately secured.
Guidance: This Standard is not intended to capture players using their own portable devices such as their smartphones, but rather employees or players using portable devises to access the Operator’s gaming system.

Third Party Management

1.42 Operators and gaming-related suppliers shall only contract with reputable suppliers.

1.43 Removed, September 2020

1.44 Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.

Compliance with Technical Standards

1.45 Operators and gaming-related suppliers shall comply with applicable technical standards issued by the Registrar.

Compliance with OLG Policies and Procedures

1.46 All registrants and non-gaming-related suppliers who are exempt from registration will comply with all applicable OLG policies and procedures to the extent that they are consistent with these Standards and Requirements.