1. Entity Level

Management Integrity

1.1    There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions.

Requirements – At a minimum:

  1. Matters identified in management letters from internal and external auditors and matters identified by the Registrar shall be responded to in a timely manner.
  2. All applicable laws and regulations shall be adhered to.
  3. Operators and gaming-related suppliers shall create and abide by a code of conduct which addresses at a minimum conflicts of interest and transparency in dealings with the Registrar.  The code of conduct must be regularly reviewed by the organization’s senior management.

Sound Control Environment

1.2    Formal control activities shall be submitted to the Registrar which have been assessed by an independent oversight function acceptable to the Registrar for alignment with the Standards and Requirements and authorized by the appropriate level of management.

Requirements – At a minimum:

  1. A process shall be in place to periodically review control activities for effectiveness in fulfilling the Standards and Requirements and to document, remedy and adjust the controls where deficiencies or gaps are found. 
  2. Substantial changes to the control environment shall be communicated to the Registrar in a timely manner.
  3. Control activities must be available to the AGCO (or its designate) for regulatory assurance purposes.

1.3    Operators and gaming-related suppliers shall comply with their control activities and shall have in place measures to monitor compliance and to address failures to comply.

1.4    Employees shall comply with the control activities established by their employer to achieve the Standards and Requirements.

1.5    Operators and gaming-related suppliers are accountable for compliance with control activities by employees and those providing goods and services to operators and gaming-related suppliers, and should have in place measures to monitor compliance and to address failures to comply.

1.6    Employees shall inform their employer if control activities are ineffective in achieving compliance with the Standards and Requirements.

1.7    Management overrides of the control activities shall be clearly documented and communicated to the Registrar.

Requirements – At a minimum:

  1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist. 

Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.

1.8    Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards and rules and good practices.

1.9    Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities.

Requirements – At a minimum:

  1. Employees involved in performing control activities must be trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate and the regulatory objectives reflected in the Standards and Requirements.

1.10    Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized. 

Requirements – At a minimum:

  1. Employees shall be given the appropriate and documented authority and responsibility to carry out their job functions, subject to supervision.  
  2. The adequacy of segregation of duties as they relate to player protection, game integrity and protection of assets shall be regularly reviewed by the organization’s internal audit group or other independent oversight function acceptable to the Registrar.
  3. Operators must provide the Registrar with an organizational chart showing key reporting lines and relationships and shall ensure that it remains up to date.

1.11    Management clearly understands its accountability and authority for the control environment.

Requirements – At a minimum:

  1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate and the regulatory objectives reflected in the Standards and Requirements. 

1.12    Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated.

1.13    All surveillance recordings shall be retained for a minimum period as specified by the Registrar.

Oversight

1.14    Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.

Requirements – At a minimum:

  1. Documentation shall be reviewed and analyzed to ensure compliance with the Standards and Requirements, and approved by management.
  2. Internal and external auditors shall be granted access to all relevant systems, documentation (including control activities) and resources for the purpose of conducting an audit.
  3. Where directed, Operators and gaming-related suppliers shall retain an independent auditor acceptable to the Registrar to carry out audits required by the Registrar and provide copies of the audit reports to the Registrar. 
  4. In reviewing control activities for compliance with the Standards and Requirements, internal and external auditors shall take into account the Registrar’s expectations, as articulated herein.

1.15    Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.

Requirements – At a minimum:

  1. A compliance oversight function shall be established that is independent of the activities it oversees.
  2. An internal audit function shall be established that regularly audits the organization’s control environment and compliance management framework and exercises oversight that is independent from operational management.  The internal audit function shall have the authority to independently review any aspect of the operations.
  3. The compliance oversight function and internal audit or other independent oversight function shall have direct and unrestricted access to the Board, or other governance structure, and shall report on all important issues regarding compliance on a regular basis or as necessary.
  4. The Board, or other governance structure, shall establish a committee or committees to oversee the organization’s compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
  5. Members of the Board, or other governance structure, and of any committees established to oversee the organization’s compliance and audit oversight functions shall understand the business’s operations, initiatives and major transactions, and shall have the skills, training, experience and independence to carry out their fiduciary responsibilities.

1.16    There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.

Requirements – At a minimum: 

  1. Issues raised through the “whistleblowing” process must be addressed and communicated to the Board in a timely manner.

1.17    Registrants shall engage with the Registrar in a transparent way. 

Requirements – At a minimum, Operators shall: 

  1. Provide reports regarding any incident or matter that may affect the integrity or public confidence in gaming, including any actions taken to prevent similar incidents from occurring in the future, in accordance with the established notification matrix.
  2. Provide reports regarding any incident of non-compliance with the law, Standards and Requirements or control activities, including any actions taken to correct the cause of non-compliance, in accordance with the established notification matrix.
  3. Provide periodic reports demonstrating the performance over time of compliance with control activities.
  4. Make available any data, information and documents requested by the Registrar.
  5. Provide reports regarding any public complaints related to compliance with the Standards and Requirements, including any actions taken to resolve the complaints, in accordance with the established notification matrix. 

Information Technology

1.18    A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.

1.19    Users shall be granted access to the gaming system based on business need.

Requirements – At a minimum:

  1. Access privileges are granted, modified and revoked based on employment status and job requirements and all activities associated with these actions are logged.
  2. Access privileges are independently reviewed and confirmed on a periodic basis.

1.20    Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.

Requirements – At a minimum:

  1. All accounts for business users shall be uniquely assigned to an individual.
  2. All system accounts (or other accounts with equivalent privileges) shall be restricted to staff that provide IT support, and mechanisms shall be in place to secure and monitor use of those accounts.
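Standards 1.19 and 1.20 call for access based on employment status, accounts uniquely assigned to individuals, privileged accounts restricted to IT support, and periodic independent review. The script below is an added example of such a review (not part of the Standards or of any operator's own tooling); the HR roster, account list and role names are constructed for illustration.

```python
"""Periodic access review for Standards 1.19 and 1.20: reconcile gaming-system
accounts against the HR roster and flag control failures. All data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    owner: str          # employee id the account is assigned to ("" if shared)
    privileged: bool    # system account or account with equivalent privileges


# Constructed sample inputs: employee id -> (employment status, role).
HR_ROSTER = {
    "E001": ("active", "it-support"),
    "E002": ("active", "floor-manager"),
    "E003": ("terminated", "cashier"),
}
ACCOUNTS = [
    Account("jsmith", "E001", privileged=False),
    Account("sysadmin", "E001", privileged=True),
    Account("mlee", "E002", privileged=False),
    Account("dba_admin", "E002", privileged=True),    # privileged, non-IT owner
    Account("kchan", "E003", privileged=False),       # owner no longer employed
    Account("shift_shared", "", privileged=False),    # not traceable to a person
]


def review_access(accounts, roster):
    """Return findings keyed by account name; each entry lists the failed controls."""
    findings = {}
    for acct in accounts:
        reasons = []
        status, role = roster.get(acct.owner, ("unknown", "unknown"))
        if not acct.owner:
            reasons.append("not uniquely assigned to an individual (1.20.1)")
        elif status != "active":
            reasons.append(f"owner {acct.owner} is {status}; revoke access (1.19.1)")
        if acct.privileged and role != "it-support":
            reasons.append("privileged account held outside IT support (1.20.2)")
        if reasons:
            findings[acct.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_access(ACCOUNTS, HR_ROSTER).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Findings produced by the review should themselves be logged and retained, since 1.19.1 requires every grant, modification and revocation to be traceable.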

1.21    Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.

1.22    Industry accepted components, both hardware and software, shall be used where possible.

1.23    Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.

1.24    Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.

1.25   There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.

1.26    Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches. 

Requirements – At a minimum:

  1. All users shall be authenticated.
  2. All components shall be hardened in accordance with industry and technology good practices prior to going live and prior to any changes. 
  3. The appropriateness and effectiveness of steps taken to harden technology components shall be regularly assessed.
  4. Patches that correct security risks shall be applied regularly.

1.27    Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate. 

Requirements – At a minimum:

  1. Attempts to attack, breach or access gaming system components in an unauthorized manner shall be responded to in a timely and appropriate manner.
  2. Intrusion attempts shall be actively detected and where possible prevented from causing disruption or outage of the gaming system. 
  3. There shall be adequate logging to capture and monitor any attempts to attack, breach or access in an unauthorized manner any components of the gaming system. There shall be an appropriate escalation procedure.

1.28    Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.  

1.29    Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.

Change Management

1.30    A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house.

1.31    Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.

1.32    A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended.  

1.33    All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved.

Requirements – At a minimum:

  1. All gaming system technology components are installed and maintained in accordance with the appropriate change management procedures.
  2. Requests for changes and maintenance of the gaming system are standardized and are subject to change management procedures.
  3. Emergency changes are approved, tested, documented, and monitored.
  4. Change management procedures shall account for segregation of duties between development and production.
  5. Only dedicated and specific accounts may be used to make changes.

1.34    The gaming system shall be able to detect unauthorized changes.

Data Governance

1.35    Data governance shall be in place to address data processing integrity and protection of sensitive data.

1.36    Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times. 

Requirements – At a minimum:

  1. The gaming system shall ensure that data is appropriately backed up in a manner that allows it to be completely and accurately restored.
  2. Data backups shall be stored off-site in a secure location and in accordance with applicable policies and laws.

1.37    Player information shall be securely protected and its usage controlled by OLG.

Requirements – At a minimum:

  1. Data collection and protection requirements for player personal information shall meet those set out in the Freedom of Information and Protection of Privacy Act.
  2. Player information shall only be used for OLG’s business unless there is prior approval from OLG.

1.38    Removed January 2022

1.39    Communication of sensitive game data shall be protected for integrity.

1.40    Procedures shall be established and documented for IT operations and incident management, including managing, monitoring, and responding to security and processing integrity events.

Requirements – At a minimum:

  1. Proactive monitoring and detection of errors in the gaming system and related components shall be in place. Action shall be immediately taken to correct incidents of non-compliance with the Standards and Requirements or control activities.
  2. There shall be time synchronization of the gaming system environment and related components. 
  3. Event data shall be retained to provide chronological information and logs to enable the reconstruction, review and examination of the time sequences of processing.

1.41    Gaming applications on all portable devices shall be appropriately secured.

Guidance: This Standard is not intended to capture players using their own portable devices such as their smartphones, but rather employees or players using portable devices to access the Operator’s gaming system.

1.42    Operators and gaming-related suppliers shall only contract with reputable suppliers.

1.43    Service levels for management of suppliers shall be established.

Requirements – At a minimum:

  1. Service levels must be documented and enforceable.
  2. Corrective action is taken to address non-compliance with established service levels.

1.44    Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.

Compliance; Policies and Procedures

1.45    Operators and gaming-related suppliers shall comply with applicable technical standards issued by the Registrar.

Policies and Procedures 

1.46    All registrants and non-gaming-related suppliers who are exempt from registration will comply with all applicable OLG policies and procedures to the extent that they are consistent with these Standards and Requirements.

1.47    The Operator shall develop policies and procedures regarding Sellers and Sellers’ employees’ roles and responsibilities to achieve the desired outcomes set out in the Standards that apply to Sellers:  

  • 1.1, 1.17, 1.46, 1.48
  • 2.3, 2.4, 2.5, 2.6, 2.10, 2.14
  • 3.2, 3.3
  • 4.1, 4.3, 4.4, 4.11, 4.13, 4.16, 4.23, 4.24
  • 5.11
  • 6.1

1.48    Sellers and Sellers’ employees shall comply with the Operator’s policies and procedures and the Seller’s contract with the Operator.