Registrar’s Standards for Internet Gaming
Introduction
The Standards-Based Approach
Under the Gaming Control Act, 1992 (GCA) the Registrar is authorized to establish risk-based standards to regulate Ontario’s gaming sector. The objective of a standards-based regulatory model is to shift the focus from requiring registrants to comply with a specific set of rules or processes, which tend to be prescriptive in nature, towards the broader regulatory outcomes or objectives they are expected to achieve. These regulatory outcomes are reflected in the “Standards” established herein.
In most cases, these Standards are drafted at a high level of generality, with the aim being to capture the purpose behind the rule. This offers greater flexibility for regulated entities to determine the most efficient and effective way of meeting the outcomes required, which in turn helps reduce regulatory burden and support market innovation. Since there may be many ways for a registrant to meet the Standards, they have the flexibility to determine what works best for their business, thereby strengthening regulatory outcomes without needlessly burdening regulated entities. Further, the flexibility inherent in a Standards-Based model allows the Alcohol and Gaming Commission of Ontario (AGCO) to focus its resources on key risks and to deliver a modernized approach to gaming regulation in a rapidly evolving industry.
Registrar's Authority
OLG (Ontario Lottery and Gaming Corporation), iGaming Ontario, Operators, and gaming-related suppliers are required to comply with the GCA and Regulation 78/12. Specifically, Sections 3.8 and 3.9 of the GCA require registrants, employees and other persons retained by OLG and iGaming Ontario to comply with the Standards and Requirements established by the Registrar. The GCA provides the Registrar with the authority to establish Standards and Requirements for the conduct, management and operation of gaming sites, lottery schemes or businesses related to a gaming site or a lottery scheme or for related goods or services.
To Whom the Standards Apply
Standards and Requirements established by the Registrar will apply to OLG with respect to its internet gaming site, to iGaming Ontario with respect to its activities, and to all registered internet gaming Operators in Ontario. Additionally, certain Standards and Requirements also apply to registered gaming-related suppliers.
Operators are expected to ensure that the Standards related to the operation of their gaming site are met, regardless of the entity that is carrying out the related activities. Depending on the circumstances, the Registrar may hold an Operator, a gaming-related supplier, or both, accountable for meeting a particular Standard.
The Registrar may direct any registered supplier to comply with any additional Standards and Requirements, as considered necessary to enhance and preserve the integrity of and public confidence in gaming in Ontario. The Registrar may also propose additional terms of registration specific to an Operator or other registrant to give effect to the purposes of the GCA.
The Registrar may refuse a registration if the applicant is carrying on activities that would be in contravention of the Standards, if the applicant were registered.
Standards and Requirements for Sport and Event Betting
The AGCO recognizes that sport and event betting is an integral part of internet gaming. The AGCO has taken an integrated approach where the standards and requirements for sport and event betting are embedded within the Registrar’s Standards for Internet Gaming. This integrated structure means that the Registrar’s Standards for Internet Gaming will generally apply to sport and event betting. The standards and requirements apply to all sports, esports, novelty, betting exchange, and fantasy sports products, and include various bet types such as single-event, in-game, pool, parlay, and exchange bets. Virtual sports are not a type of sport and event betting, thus standards specific to sport and event betting do not apply.
The Registrar's Standards for Internet Gaming — Composition
This document includes only the Registrar’s Standards for Internet Gaming, applicable to regulated internet gaming sites in Ontario.
The “Standards and Requirements” are divided into the six identified risk themes, under which theme-specific Standards and Requirements are provided. The six identified risk themes which make up the “Standards and Requirements” include:
- Entity Level
- Responsible Gambling
- Prohibiting Access to Designated Groups and Player Account Management
- Ensuring Game Integrity and Player Awareness
- Information Security and Protection of Assets
- Minimizing Unlawful Activity Related to Gaming
Requirements
For certain Standards, further and more explicit direction is provided through one or more specific “Requirements”. These Requirements establish the minimum obligations a registrant must achieve to fulfill the corresponding Standard.
Guidance
Included as part of a number of the Standards and Requirements is a corresponding section which provides regulatory guidance specific to the given standard or requirement. Guidance serves to provide registrants with greater clarity as to the purpose or intent behind a given Standard or Requirement.
Definitions
[Amended: February, 2022]
Term | Definition |
---|---|
AGCO | AGCO means the Alcohol and Gaming Commission of Ontario. |
Authenticator | Authenticator is the means or mechanism by which an individual is identified and verified by the system. |
Auto-wagering | Auto-wagering is a game feature whereby the player can elect to bet during a game without having to manually activate the betting feature each time a bet is made. |
Bet | A Bet is an amount of money at risk in a wager. |
Board | Board refers to either the entire Board of Directors of an Operator or gaming-related supplier (as the case may be) or a committee of the Board that has been delegated a particular element of Board oversight (e.g. audit, compliance, etc.) For purposes of clarity, “Board” does not include the iGaming Ontario Board. |
Bot | A Bot is a software application that runs automated tasks over the internet. |
Control Activity Matrix | A summary of all control activities used to address the regulatory risks identified by the AGCO and achieve the regulatory outcomes reflected in the Standards and Requirements. |
Controls or Control Activities | Controls or control activities include the individual policies, procedures, business processes, monitoring systems, structures, accountabilities, tools and instruments that comprise the control environment management establishes to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. |
Deactivated Account | A Deactivated account is a player account which has been made no longer available to the player for log on and use. |
Dormant Account | A Dormant account is a player account which has been temporarily frozen due to inactivity and made unavailable for player log on and use. |
Eligible Individuals | Eligible individuals are those persons who are not prohibited from accessing gaming sites or playing lottery schemes under Standard 3.1. |
eSports | Multiplayer video games played competitively for spectators; eSports are considered a sport for the purpose of these Standards. |
Fantasy Sports | Any pay-to-play sport betting product (fantasy sports contests are considered a type of sport betting for the purpose of these Standards) provided by an operator wherein consumers can assemble a virtual team composed of real players in a given sport and compete against other virtual teams based on the performance of those players in real matches. |
FINTRAC | FINTRAC means the Financial Transactions and Reports Analysis Centre of Canada. |
Free-to-play Games | Free-to-play Games refer to games, including those offered for promotional purposes, that provide players the option to play without paying or betting. |
Gaming-related supplier | Gaming-related supplier has the same meaning as it does in Ontario Regulation 78/12, made under the Gaming Control Act, 1992. |
Game outcome | The result of a wager. |
Game session | A game session is the playing of any of the applicable lottery schemes, and begins when a player starts playing a game for real money. A gaming session ends when a player exits a game. |
Gaming site | Gaming site means an electronic channel maintained for the purpose of playing or operating a lottery scheme. |
Gaming supplies | Gaming supplies refers to gaming equipment that could influence or is integral to the conduct, management or operation of a lottery scheme. |
Gaming system | Gaming system includes hardware, software, applications and all associated components of gaming supplies and the technology environment. |
GCA | GCA means the Gaming Control Act, 1992. |
igaming | igaming refers to lottery schemes conducted and managed by OLG or iGaming Ontario that are played or operated through the internet, but does not include OLG lottery products. |
Independent Integrity Monitor | Any supplier registered by the Registrar to perform the Independent Integrity Monitor role pursuant to Standard 4.32, which provides services to, among others, regulators, or operators to receive, assess, and distribute unusual/suspicious betting alerts and has the expertise to analyze and evaluate the accuracy and severity of received unusual/suspicious betting alerts. |
Independent oversight function | Independent oversight function has the meaning ascribed to it in Standard 1.02. |
Lottery scheme | Lottery scheme has the same meaning as in subsection 207(4) of the Criminal Code (Canada). |
Manual controls | Manual controls are human-performed control activities. |
Notification Matrix | Notification matrix is the policy document that lists the obligations of Operators and gaming-related suppliers to notify the AGCO in specifically delineated circumstances. |
Novelty Events | Any bet placed on a non-sporting event where real-world factual occurrences are the contingency on which an outcome is determined and in accordance with Standard 4.34. |
OLG | OLG means the Ontario Lottery and Gaming Corporation. |
OPP | OPP means the Ontario Provincial Police. |
Operator | Operator has the same meaning as it does in Ontario Regulation 78/12, made under the Gaming Control Act, 1992, and further includes OLG and iGaming Ontario. |
Peer-to-peer games | Peer-to-peer games are a type of lottery scheme where players gamble against each other rather than against the house. |
Randomness or Chance | Randomness or Chance is observed unpredictability and absence of a pattern in a set of events that have definite probabilities of occurrence. |
Registrar | Registrar means the Registrar established under the Alcohol, Cannabis and Gaming Regulation and Public Protection Act, 1996. |
Self-excluded persons | Self-excluded persons are individuals who participate in a process to exclude themselves voluntarily from gaming sites. |
Sensitive Data | Sensitive data includes but is not limited to player information and data relevant to determining game outcomes. |
Single-player games | Single player games are any games which are not considered to be peer-to-peer games. |
Slots | Casino games of a reel-based type (includes games that have non-traditional reels). |
Sport and Event Betting | Any bet on occurrences related to sports, competitions, matches, and other types of activities which meet the criteria articulated in Standard 4.34, and which excludes games or events where the outcome is determined or controlled by a random number generator, peer-to-peer play, or an operator. Sport and event betting includes: • Bets on fantasy sports, esports, and novelty events, but does not include bets on virtual sports. • Sport and Event Bets include, but are not limited to, single-game bets, teaser bets, parlays, over-under, moneyline, pools, exchange betting, in-game betting, proposition bets, and straight bets. |
Sport/Event Governing Body | An organization that prescribes final rules and enforces codes of conduct (including prohibitions on betting by insiders on events overseen by the sport governing body) for a sporting event and the participants in the event. |
Synthetic Lottery Products | Any bet that is part of a scheme operated by a third-party where the outcome is derived from a separate underlying lottery draw operated by a different operator. |
iGaming Ontario | iGaming Ontario means the lottery subsidiary as set out in the Alcohol, Cannabis and Gaming Regulation and Public Protection Act, 1996 and under its regulation. |
System Accounts | System accounts are all accounts that are used to manage the system. |
Virtual Sports | A computer-generated presentation of a random number draw that provides sport-like visual presentation for entertainment purposes only. The outcome of the “event” is determined by a random number generator, rather than real-world sport or novelty events or players. Virtual sports are not considered a type of sport and event betting. |
Entity Level
The intent of this risk theme is to ensure that regulated entities have a sound control environment, and an organizational structure that promotes good governance, accountability and oversight, as well as transparency in dealings with the AGCO.
The regulatory risks associated with this theme are:
- Lack of appreciation and understanding of critical elements of a risk-based control environment
- Lack of defined Board mandate and independent oversight of management
- No mechanism for reporting wrong-doing
- Inadequately documented management policies and procedures to define and align accountability skills and competence
- Lack of understanding about expected ethical behaviour
- Lack of transparency in decision-making
- Individual knowingly fails to comply
Management Integrity
1.01 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All applicable laws and regulations shall be adhered to.
- Matters identified in management letters from internal and external auditors and matters identified by the Registrar shall be responded to in a timely manner.
- Operators and gaming-related suppliers shall create and abide by a code of conduct which addresses, at a minimum, conflicts of interest and transparency in dealings with the Registrar. Operators and gaming-related suppliers will be responsible for employee compliance with the code, where such employees play games provided by the Operator or supplier. The code of conduct must be regularly reviewed by the organization’s senior management.
Guidance: Management in the context of this Standard refers to executives and senior-level management who have the day-to-day responsibility of managing the business of the organization.
Sound Control Environment
1.02 Operators and gaming-related suppliers shall develop, document and implement formal control activities to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be authorized by the appropriate level of management. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
- A process shall be in place to periodically review control activities for effectiveness in meeting the Standards and Requirements and to document, remedy and adjust the controls where deficiencies or gaps are found.
- Substantial changes to the Operator's control environment shall be communicated to the Registrar in a timely manner.
- Control activities must be available to the AGCO (or its designate) for regulatory assurance purposes.
- Operators and gaming-related suppliers who run critical gaming systems shall develop a control activity matrix. An operator’s control activity matrix shall summarize all controls related to the gaming site, including where the operator works with third-party suppliers, including platform providers.
- Operators shall have their control activities assessed by an independent oversight function for alignment with the Standards and Requirements.
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
1.03 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist.
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.04 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
Organizational Structure and Capabilities
1.05 A personnel security screening process shall be in place for any director or officer, and any employee, agent or consultant, at a level that is appropriate for the individual’s role in the organization. (Also applicable to Gaming-Related Suppliers)
1.06 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Employees involved in performing control activities must be trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.07 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Employees shall be given the appropriate and documented authority and responsibility to carry out their job functions, subject to supervision.
- The adequacy of segregation of duties as they relate to player protection, game integrity and protection of assets shall be regularly reviewed by the organization’s internal audit group or other independent oversight function acceptable to the Registrar.
- Operators must maintain an up-to-date organizational chart showing key reporting lines and relationships, and make it available to the Registrar upon request.
1.08 Management clearly understands its accountability and authority for the control environment. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.09 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated. (Also applicable to Gaming-Related Suppliers)
Oversight
1.10 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Documentation shall be reviewed and analyzed to ensure compliance with the Standards and Requirements, and approved by management.
- Internal and external auditors shall be granted access to all relevant systems, documentation (including control activities) and resources for the purpose of conducting an audit.
- Where directed, Operators and gaming-related suppliers shall retain an independent auditor acceptable to the Registrar to carry out audits required by the Registrar and provide copies of the audit reports to the Registrar.
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where considered necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
- In reviewing control activities for compliance with the Standards and Requirements, internal and external auditors shall take into account the Registrar’s expectations, as articulated herein.
1.11 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- A compliance oversight function shall be established that is independent of the activities it oversees.
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
- An internal audit function shall be established that regularly audits the organization’s control environment and compliance management framework and exercises oversight that is independent from operational management. The internal audit function shall have the authority to independently review any aspect of the operations.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
- The compliance oversight function and internal audit or other independent oversight function shall have direct and unrestricted access to the Board, or other governance structure, and shall report on all important issues regarding compliance on a regular basis or as necessary.
- The Board, or other governance structure, shall establish a committee or committees to oversee the organization’s compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
- Members of the Board, or other governance structure, and of any committees established to oversee the organization’s compliance and audit oversight functions shall understand the business’s operations, initiatives and major transactions, and shall have the skills, training, experience and independence to carry out their fiduciary responsibilities.
1.12 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Operators shall ensure issues raised through the “whistleblowing” process are addressed and communicated to the Board in a timely manner.
1.13 Registrants shall engage with the Registrar in a transparent way. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, Operators shall:
- Provide reports regarding any incident or matter that may affect the integrity or public confidence in gaming, including any actions taken to prevent similar incidents from occurring in the future, in accordance with the established notification matrix.
- Provide reports regarding any incident of non-compliance with the law, Standards and Requirements or control activities, including any actions taken to correct the cause of non-compliance, in accordance with the established notification matrix.
- Make available any data, information and documents requested by the Registrar.
1.14 The Operator shall ensure that investigators (OPP or Registrar) are able to monitor and participate in games.
Customer Service
1.15 A mechanism shall be in place to allow players to contact the Operator in a timely fashion with issues and complaints relating to their player account, funds management, game play or any matter related to compliance with the Standards and Requirements. The Registrar shall be notified of any such issues or complaints, in accordance with the established notification matrix.
1.16 Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner.
Requirements – At a minimum:
- Operators must have clear service standards and must make these available to players.
- Disputes must be resolved under Ontario and Canadian law.
1.17 Relevant information about the AGCO shall be displayed and easily accessible to the player.
Third Party Management
1.18 Operators and gaming-related suppliers shall only contract with reputable suppliers. (Also applicable to Gaming-Related Suppliers)
1.19 Operators are responsible for the actions of third parties with whom they contract for the provision of any aspect of the Operator’s business related to gaming in Ontario and must require the third party to conduct themselves in so far as they carry out activities on behalf of the operator as if they were bound by the same laws, regulations, and standards.
1.20 Operators and gaming-related suppliers shall maintain a list of suppliers that provide them with goods or services in relation to lottery schemes and shall make it available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
1.21 Operators must ensure that no independent third parties that engage in direct-to-consumer marketing, direct-to-consumer promotion, or player referral services for the Operator under contract, in exchange for commissions, or for any other form of compensation also undertake such activities related to online gaming sites that facilitate or accept wagers from players in Ontario without an AGCO registration.
Guidance: This Standard covers the activities of those entities that Operators and others in the gaming industry commonly refer to as “affiliates” or “marketing affiliates”, which are often paid or otherwise compensated to refer customers to another business’ products, services, or websites through direct-to-consumer marketing services. This commonly understood term used among gaming registrants and other entities involved in gaming, and known as “affiliates” or “marketing affiliates”, is used here for guidance purposes only, and is distinct from how that term may be used in any other regulatory scheme.
Unregulated Activities
1.22 Operators and gaming-related suppliers must cease all unregulated activities if, to carry out those same activities in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA.
Operators and gaming-related suppliers shall not enter into any agreements or arrangements with any unregistered person who is providing the operator or gaming-related supplier with any goods or services if, to provide those goods and services in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA. [Added: October, 2022]
Note: For greater certainty, and without limiting the generality of any other Standard, this Standard applies to and governs applicants.
Responsible Gambling
Responsible gambling is a key AGCO priority and central to the public interest. The intent of this risk theme is to ensure that gaming is provided in a way that seeks to minimize potential harm and promote a responsible gaming environment.
Regulatory Risks associated with this theme include:
- Inappropriate advertising practices target minors.
- Advertising is false and misleadingly deceptive to attract the public.
- Advertising deemed to promote excessive play.
- Players allowed to play excessively.
- Responsible gaming controls not designed into environment and product.
- Players are unaware of risks to problem gambling and options to self-control.
Policies and Culture
2.01 Operators shall implement and follow policies and procedures that will identify, prevent and minimize the risks of harm from gaming to players. These policies and procedures shall be reviewed and evaluated regularly for effectiveness to ensure that they follow industry best practices and that the stated objectives of the policies and procedures are achieved. All staff, including senior management staff, shall be trained on the content and application of the policies and procedures at the time they are retained by the Operator and at regular intervals after.
Requirements – At a minimum:
- Policies and procedures for responsible gambling must be integrated into the control activities, forming a part of the control activities.
- Training for managers and staff on responsible gambling policies and procedures should be in addition to any training on the control activities. These training programs should be regularly evaluated to include current best practice research and employee feedback.
- As part of regular review of responsible gambling policies and procedures to ensure that they meet industry best practices, Operators and the provincial agencies shall consult with stakeholders, including players and responsible gambling practitioners and researchers, to assess, improve and address the harms associated with gaming.
- As part of the regular review of responsible gambling policies and procedures, staff understanding of the policies and procedures, the fundamental concepts of responsible gambling and problem gambling and the impact of their job duties on player protection shall be assessed. Any gaps identified must be addressed.
2.02 The OLG and iGaming Ontario shall implement and follow policies and procedures to ensure that their activities facilitate and support the identification, prevention and minimization of the risks of harm of gaming to players.
Requirements – At a minimum:
- Policies and procedures for responsible gambling must be integrated into the control activities, forming a part of the control activities.
- Training for managers and staff on responsible gambling policies and procedures should be in addition to any training on the control activities. These training programs should be regularly evaluated to include current best practice research and employee feedback.
Marketing and Advertising
2.03 Advertising, marketing materials and communications shall not target high-risk, underage or self-excluded persons to participate in lottery schemes, shall not include underage individuals, and shall not knowingly be communicated or sent to high-risk players. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, materials and communications shall not:
- Be based on themes, or use language, intended to appeal primarily to minors.
- Appear on billboards or other outdoor displays that are directly adjacent to schools or other primarily youth-oriented locations.
- Use or contain cartoon figures, symbols, role models, social media influencers, celebrities, or entertainers who would likely be expected to appeal to minors.
- Use active or retired athletes, who have an agreement or arrangement made directly or indirectly between an athlete and an operator or gaming-related supplier, in advertising and marketing except for the exclusive purpose of advocating for responsible gambling practices.
- Use individuals who are, or appear to be, minors to promote gaming.
- Appear in media and venues, including on websites, and in digital or online media, directed primarily to minors, or where most of the audience is reasonably expected to be minors.
- Exploit the susceptibilities, aspirations, credulity, inexperience or lack of knowledge of all potentially high-risk persons, or otherwise extoll the virtues of gaming.
- Entice or attract potentially high-risk players. Instead, measures shall be in place to limit marketing communications to all known high-risk players.
Guidance: Where cartoons are used, they may not primarily appeal to minors.
2.04 Marketing, including advertising and promotions, shall be truthful, shall not mislead players or misrepresent products.
Requirements – At a minimum, materials and communications shall not:
- Imply that playing a lottery scheme is required in order to fulfill family or social obligations or solve personal problems.
- Promote playing a lottery scheme as an alternative to employment, as a financial investment, or as a requirement for financial security.
- Contain endorsements by well-known personalities that suggest that playing lottery schemes has contributed to their success.
- Encourage play as a means of recovering past gaming or other financial losses.
- Be designed so as to make false promises or present winning as the probable outcome.
- Imply that chances of winning increase:
  - The longer one plays;
  - The more one spends; or
  - Suggest that skill can influence the outcome (for games where skill is not a factor);
- Portray, suggest, condone or encourage gaming behaviour that is socially irresponsible or could lead to financial, social or emotional harm.
- Suggest that gaming can provide an escape from personal or professional problems.
- Portray gaming as indispensable or as taking priority in life; for example, over family, friends or professional or educational commitments,
- Suggest that gaming can enhance personal qualities, for example, that it can improve self-image or self-esteem, or is a way to gain control, superiority, recognition or admiration,
- Suggest peer pressure to gamble nor disparage abstention,
- Link gaming to seduction, sexual success or enhanced attractiveness,
- Portray gaming in a context of toughness or link it to resilience or irresponsible play, or
- Suggest gaming is a rite of passage.
- Offer a product or promotion that is not reasonably attainable without incurring substantial losses.
2.05 Advertising and marketing materials that communicate gambling inducements, bonuses and credits are prohibited, except on an operator’s gaming site and through direct advertising and marketing, after receiving active player consent.
Guidance:
- This standard does not prohibit the use of inducements, bonuses and credits.
- This standard prohibits all public advertising, including targeted advertising and algorithm-based ads.
- Direct marketing and advertising includes but is not limited to: direct messaging via social media, emails, texts, and phone calls.
2.06 Permitted advertising and marketing materials that communicate gambling inducements, bonuses and credits must, at a minimum:
- Disclose all material conditions and limitations of the offer at its first presentation on the gaming site, with all other conditions and limitations no more than one click away.
- Not be described as free unless the inducement, bonus or credit is free. If the player has to risk or lose their own money or if there are conditions attached to their own money, the offer must disclose those terms and may not be described as free.
- Not be described as risk-free if the player needs to incur any loss or risk their own money to use or withdraw winnings from the risk-free bet.
2.07 Players must be provided an opt-in process whereby they actively consent to receiving any direct advertising and marketing of inducements, bonuses and credits, and must be provided a method to withdraw their consent at any time, where such marketing and advertising materials are available.
Guidance: direct marketing and advertising includes but is not limited to: direct messaging via social media, emails, texts, and phone calls.
Supporting Informed Decision Making
2.08 A systematic approach is used to support, integrate, and disseminate information to enable players to make informed decisions and encourage safer play.
Requirements – At a minimum:
- Responsible gambling materials and information about obtaining help shall be available, visible and accessible to all players. Responsible gaming material should include information about:
  - How games work and about common misconceptions,
  - Lower risk gaming behaviours including how responsible gambling tools work,
  - Gaming harms, and
  - The variety of support services available to players, including information and support services available to players that may provide specialized information (e.g., self-assessment, and play management tools).
- Information about financial and time-based gaming limits shall be made available to all players.
- Information about self-exclusion programs shall be available, visible and accessible to all players.
- Advertising and marketing materials shall contain a responsible gambling message.
- All information related to responsible gambling shall be regularly and periodically reviewed and updated to ensure that it is accurate, up to date and in line with industry good practice.
- Operators will periodically measure whether players are aware of the information provided and whether they considered the information to be readily available. Any gaps must be addressed.
2.09 The registration page and pages within the player account shall prominently display a responsible gambling statement, the online link, as well as the number for Connex Ontario, and provide a link to a page that provides responsible gambling materials, information, resources and support for people experiencing problems with gaming.
Guidance: The referral to the page that provides responsible gambling materials and information about obtaining help in Ontario may be a page maintained by the Operator or a third party.
Identifying and Assisting Individuals Who May Be Experiencing Harm
2.10 A mechanism shall be in place to monitor player risk profiles and behaviours for the purpose of detecting signs of players potentially experiencing harm.
Requirement – At a minimum,
- Operators shall include a risk profile for players at high-risk of experiencing gambling-related harm.
2.11 Assistance for players who may be experiencing harms from gaming is readily available and systematically provided.
Requirements – At a minimum:
- All employees who interact with players shall be knowledgeable about a variety of help resources and are able to provide that information upon request from players or affected others.
- Players shall be provided with easily accessible contact information of at least one organization in Ontario, dedicated to treating and assisting people experiencing harm from gaming.
- Operators shall develop and implement responsible gambling policies, procedures and training to assess, detect and address situations where players may be experiencing harm. In these cases, operators shall implement interventions that are tailored to the severity of the situations in which players may be experiencing harm.
- Responsible gambling policies shall be reviewed periodically for effectiveness.
- Live customer support shall be made available 24/7.
Employee Training
2.12 Employees shall understand the importance of responsible gambling and how their jobs impact player protection as well as the fundamental concepts of responsible gambling and problem gambling.
Requirements – At a minimum:
- All employees shall receive mandatory training which is refreshed regularly, to include current best practice research and employee feedback.
- All employees who interact with players shall receive training in a program designed to identify and respond appropriately to players who may be showing signs of problem gambling and to assist players who may be experiencing harm from gaming.
- Training for managers and staff for responsible gambling policies and procedures should be in addition to any training on the control activities. These training programs should be regularly evaluated to include current best practice research and employee feedback.
- Employees shall understand the operator’s commitment to responsible gambling and how it is integrated throughout operations.
- Employees shall understand the harms associated with gaming as well as essential prevention and mitigation concepts.
Self-Exclusion and Breaks in Play
2.13 Individuals shall have the option to take a break in play, in addition to a formal self-exclusion program. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Users shall have the option to initiate a short-term break in their play.
- Operators shall provide the option to take a one day, one week, one month, two month, or three month break.
- Once an individual initiates a break, they shall be unable to place further wagers during the time period of the break.
2.14 Operators shall provide a voluntary self-exclusion program for their site. [Amended February 2023]
Requirements – At a minimum:
- Operators’ self-exclusion programs shall be well promoted and easily accessible.
- The self-exclusion registration process shall be efficient and support-oriented, and shall include the provision of resources and information about where to get help.
- The terms and conditions of the self-exclusion program shall be clearly worded, including: the player’s obligations under the agreement, the consequences of self-exclusion, and the process for returning to play safely.
- Clearly defined term lengths that must include options for terms lasting six months, one year and five years.
- Once an individual self-excludes, they shall be immediately logged out of their account and unable to log in for the duration of their exclusion.
- Operators must, as soon as is practicable, take all reasonable steps to prevent any marketing material, incentives or promotions from being sent to the self-excluded individual for the duration of the self-exclusion period.
- Once a player self-excludes, the wager is brought to an end.
- Operators shall refund a player’s wager if the player enrolls in a self-exclusion program prior to the commencement of an event or series of events on which the outcome of the wager is determined.
- Operators are not required to refund a player’s wager if the player enrolls in a self-exclusion program after the commencement of an event or series of events on which the outcome of the wager is determined.
- Operators must maintain a register of those excluded with appropriate records (name, address, other details, and any membership or account details that may be held by the registrant).
- Operators shall take active steps to identify, and if required, remove self-excluded persons from the gaming site when they are found to be in breach of their self-exclusion agreement.
- A mechanism shall be in place to facilitate the return of the balance of unused funds to a self-excluded individual, when requested by the individual.
Note: Once directed by the Registrar, Operators will be required to participate in a coordinated, centralized self-exclusion program, that shall be in place to allow players to automatically exclude themselves from all online Operator platforms, including OLG.
Game Design and Features
2.15 Game designs and features shall be clear and shall not mislead the player. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Game design shall not give the player the perception that speed of play or skill affects the outcome of the game when it does not.
- After the selection of game outcome, the game shall not make a variable secondary decision which affects the result shown to the player. If the outcome is chosen that the game will lose then the game shall not substitute a particular type of loss to show to the player (i.e. near miss).
- Where the game requires a pre-determined pattern (for example, hidden prizes on a map), the locations of the winning spots shall not change during play, except as provided for in the terms governing play.
- Games shall not display amounts or symbols that are unachievable.
- Free-to-play games available through the gaming site or related websites shall not misrepresent or mislead players as to the likelihood of winning or prize distribution of similar games, and shall have the same odds of winning as games played for money.
- The denomination of each credit shall be clearly displayed on game screens.
2.15.1 The method of making bets in sport and event betting must be straightforward and understandable. Information must be made available so that the player is clearly informed of the details of the bet prior to making the bet. All selections in a bet must be displayed to the player. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements — At a minimum:
- Bets on multiple events (parlays) must be identified as parlays.
- The player must be informed that a bet selected by the player has or has not been accepted.
- Where the player has placed a bet and the odds, payout odds, or prices of the bet change prior to the bet being confirmed by the operator, the player must have the option of confirming or withdrawing the bet (with refund of the bet). This requirement may not apply to an option for automatic acceptance of changes in bets described in Requirement 4 below.
- Where operators offer an option of automatic acceptance of changes in bets offered, the player must manually opt in to activate this functionality and must be able to opt out at any time. The details of this auto-accept function and any options for the function must be clearly explained to the player prior to their consent to the application of the function.
- The player must be informed of the period in which bets can be made on an event or series of events and bets cannot be placed after the close of the betting period.
- Free to play sport and event betting games must not mislead players about the odds, payouts or any element of a bet for value available in sport and event betting.
- All bets and payouts must be expressed in Canadian currency.
Guidance: This Standard is not intended to prohibit or preclude in-play betting.
2.15.2 Players must be able to access information regarding available sport and event bets without having to place a bet. This information includes:
Requirements — At a minimum:
- Information on the bets available;
- Odds, payouts and prices for available bets;
- In a dynamic betting environment, including those where individuals’ wagers are gathered into pools:
  - The most up-to-date odds and payouts;
  - The up-to-date total value of the pool for market pools and pool bets that are offered.
2.15.3 Reputable and legitimate data source(s) must be used to determine the outcome of a bet. These data source(s) shall be made available to the player upon request. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.16 Game designs and features shall help to prevent extended, continuous and impulsive play and facilitate low risk play behaviours. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Games shall not encourage players to chase their losses, or increase the amount they have decided to gamble, or continue to gamble after they have indicated that they want to stop.
- Games shall not provide auto-play features for slots.
- Game play shall be initiated only after the player has placed a wager and activated play. No player shall be forced into game play by selecting the game for review or reviewing information about how the game is played or how bets are made.
- A player should commit to each game individually, releasing and then depressing the ‘start button’ or taking equivalent action. Continued contact with a button, key or screen should not initiate a new game.
2.17 The gaming system must not offer functionality which facilitates playing multiple slots games at the same time. This includes, but is not limited to, split screen or multi-screen functionality. (Also applicable to Gaming-Related Suppliers)
Combining multiple slots titles in a way which facilitates simultaneous play is not permitted.
2.18 It must be a minimum of 2.5 seconds from the time a game is started until the next game cycle can be commenced. It must always be necessary to release and then depress the ‘start button’ or take equivalent action to commence a game cycle. (Also applicable to Gaming-Related Suppliers)
A game cycle starts when a player depresses the ‘start button’ or takes equivalent action to initiate the game and ends when all money or money’s worth staked or won during the game has been either lost or delivered to, or made available for collection by the player and the start button or equivalent becomes available to initiate the next game.
A player should commit to each game cycle individually; continued contact with a button, key or screen should not initiate a new game cycle.
2.19 For slots games, the gaming system must not permit a customer to reduce the time until the result is presented. (Also applicable to Gaming-Related Suppliers)
Requirements: At a minimum:
- Features such as turbo, quick spin and slam stop are not permitted. This is not intended to be an exhaustive list but to illustrate the types of features the requirement is referring to.
Note: This Standard does not apply to bonus/feature games where an additional stake is not wagered.
2.20 For slots games, the gaming system must not use auditory or visual effects that are associated with a win for returns which are less than or equal to the last total amount wagered. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.21 For slots games, gaming sessions must clearly display a customer’s net position (the total of all winnings minus the sum of all losses since the start of the session), in Canadian dollars. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.22 Players shall have the means to track the passage of time. (Also applicable to Gaming-Related Suppliers)
Limit Setting Features
2.23 Players shall be provided with an easy and obvious way to set gaming limits (financial and time-based) upon registration and at any time after registration. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
- Players shall be provided with the option to set loss and deposit limits during registration.
- Operators must offer players the options of setting limits on any number of the following:
  - Deposit limits, where the amount a player deposits into their account is limited over a period of time chosen by the player,
  - Loss limits, where the amount lost (i.e., winnings subtracted from the amount spent) is restricted.
- The period or duration of the financial or time-based limits offered must include 24 hours, 7 days and one month. Where the player sets simultaneous periods (e.g., a deposit limit for a day and for a week), the lowest limit must apply.
- Financial and time limit functions must be easy to find, reach and initiate or change at any time after the player has registered and opened an account.
2.24 Where a gaming limit has been previously established by a player, a request by the player to relax or eliminate that limit shall only be implemented after a cooling-off period of at least 24 hours. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The Operator must not relax or eliminate a gaming limit without a request from the player and only after the expiry of the cooling-off period.
- Gaming limits must be enforced by the gaming system.
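The following is an added example, not part of the Registrar's Standards and not any Operator's code, of how a gaming system could enforce the deposit-limit rules in Standards 2.23 and 2.24: every active period is checked so the lowest limit governs, stricter limits apply at once, and a relaxed or removed limit takes effect only after the 24-hour cooling-off period. The class and method names, the rolling-window interpretation, the treatment of "one month" as 30 days, and the choice to let a stricter request cancel a pending relaxation are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLING_OFF = timedelta(hours=24)   # Standard 2.24: at least 24 hours
WINDOWS = {                         # periods named in Standard 2.23
    "24h": timedelta(hours=24),
    "7d": timedelta(days=7),
    "1m": timedelta(days=30),       # assumption: "one month" = rolling 30 days
}


@dataclass
class PendingChange:
    new_cents: Optional[int]        # None means "remove the limit"
    effective_at: datetime


@dataclass
class DepositLimits:
    """Deposit limits for one player account (hypothetical structure)."""
    active: dict = field(default_factory=dict)    # window -> limit in cents
    pending: dict = field(default_factory=dict)   # window -> PendingChange
    deposits: list = field(default_factory=list)  # (timestamp, cents)

    def _apply_matured(self, now):
        # Promote relaxations whose cooling-off period has expired.
        for window, change in list(self.pending.items()):
            if now >= change.effective_at:
                if change.new_cents is None:
                    self.active.pop(window, None)
                else:
                    self.active[window] = change.new_cents
                del self.pending[window]

    def request_limit(self, window, new_cents, now):
        """Handle a player's request; return when the change takes effect."""
        if window not in WINDOWS:
            raise ValueError(f"unknown window {window!r}")
        if new_cents is not None and new_cents < 0:
            raise ValueError("limit must be non-negative")
        self._apply_matured(now)
        current = self.active.get(window)
        if new_cents is not None and (current is None or new_cents <= current):
            # New or stricter limit: effective immediately, and it cancels
            # any relaxation still waiting out its cooling-off period.
            self.active[window] = new_cents
            self.pending.pop(window, None)
            return now
        if current is None:
            return now              # removing a limit that was never set
        # Relaxing or removing an existing limit: defer by the cooling-off.
        change = PendingChange(new_cents, now + COOLING_OFF)
        self.pending[window] = change
        return change.effective_at

    def headroom(self, now):
        """Cents the player may still deposit now, or None if no limit is set.

        Taking the minimum over all active windows means the lowest
        limit applies when several periods are set at the same time.
        """
        self._apply_matured(now)
        rooms = []
        for window, limit in self.active.items():
            since = now - WINDOWS[window]
            spent = sum(c for t, c in self.deposits if t > since)
            rooms.append(max(0, limit - spent))
        return min(rooms) if rooms else None

    def deposit(self, cents, now):
        """Record the deposit and return True only if every limit allows it."""
        if cents <= 0:
            raise ValueError("deposit must be positive")
        room = self.headroom(now)
        if room is not None and cents > room:
            return False
        self.deposits.append((now, cents))
        return True


if __name__ == "__main__":
    # Constructed sample data: $100 per day and $50 per week.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acct = DepositLimits()
    acct.request_limit("24h", 10_000, t0)
    acct.request_limit("7d", 5_000, t0)
    print("deposit $60 allowed:", acct.deposit(6_000, t0))
    print("deposit $40 allowed:", acct.deposit(4_000, t0))
    print("weekly raise effective:", acct.request_limit("7d", 20_000, t0))
    print("headroom after 23h:", acct.headroom(t0 + timedelta(hours=23)))
    print("headroom after 25h:", acct.headroom(t0 + timedelta(hours=25)))
```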
Prohibiting Access to Designated Groups and Player Account Management
The overall intent of this theme is to protect the public interest and game integrity by ensuring that those individuals set out in Ontario Regulation 78/12 of the Gaming Control Act, 1992 are prohibited from participating in lottery schemes and that lottery schemes are conducted in accordance with the Criminal Code of Canada (i.e., within the province of Ontario).
The identified regulatory risks under this theme are:
- Individuals prohibited from games of chance have access
- Selling product outside jurisdiction
Eligibility
3.01 Only eligible individuals are permitted to create a player account, and only individuals who hold a valid player account are permitted to log on to their account and gamble.
Requirements – At a minimum:
- The following individuals are not eligible to play games on a gaming site:
  - An individual under 19 years of age except where the individual is at least 18 years of age and is accessing the gaming site solely for the purpose of purchasing a lottery ticket;
  - Every individual who advises the Operator that the individual is participating in a self-exclusion process that applies to the site;
  - An individual who is known by the Operator to have been restricted from accessing the gaming site or playing a lottery scheme as a condition of a court order;
  - Individuals who the Operator has reason to believe have been excluded from the site under subsection 3.6(1) of the GCA;
  - Officers, members of the board of directors or partners of the Operator;
  - Executives or staff of a trade union who represent or negotiate on behalf of employees employed at the site;
  - Employees of registered suppliers who maintain or repair gaming equipment at the site;
  - Members or employees of the AGCO;
  - Officers, members of the board of directors, or employees of OLG or iGaming Ontario, unless they are within the description set out in subsection 22(6) of Ontario Regulation 78/12.
- Individuals described in Requirement 1 above are not eligible for prizes, with the exception of self-excluded individuals.
3.01.1 Operators shall not knowingly permit an individual to engage in any of the following prohibited activities and shall take steps to actively monitor and prevent such prohibited activity from occurring:
- An individual with access to non-public information related to an event or an individual who may impact the outcome of an event or bet type is prohibited from betting on any event overseen by the relevant sport/event governing body.
- Athletes, coaches, managers, owners, referees, and anyone with sufficient authority to influence the outcome of an event are prohibited from betting on events overseen by the relevant sport or event governing body.
- Owners (any person who is a direct or indirect legal or beneficial owner of 10 percent or greater) of a sport governing body or member team are prohibited from betting on any event overseen by the sport governing body or any event in which a member team of that sport or event governing body participates.
- Those involved in a sport or event may not be involved in compiling betting odds for the competition in which they are involved.
Requirements – At a minimum:
- Operators must make reasonable efforts to inform any entity with which they have an information sharing relationship, including independent integrity monitors, sport betting operators, the appropriate governing authority for the sport or event and any other organizations or individuals identified by the Registrar if an individual is found to have engaged in prohibited activity under Standard 3.01.1.
- Individuals found to have engaged in prohibited activity in Standard 3.01.1 shall not be eligible for prizes.
3.02 Games on gaming sites shall be provided only within Ontario, unless they are conducted in conjunction with the government of another province. (Also applicable to Gaming-Related Suppliers)
Requirements — At a minimum:
- Operators must put in place mechanisms to detect and dynamically monitor the location of a player attempting to play a game and to block unverified attempts to play a game. Player location checks subsequent to the initial location check shall occur at reasonable intervals determined by the Operator that minimize the risk of play outside of Ontario. Depending on the location of the player/device, longer or shorter periods may be justified.
- Operators must put in place mechanisms to detect software, programs, virtualization and other programs capable of circumventing player location detection.
Note: If a lottery scheme is being provided in conjunction with another province, individuals in that province may be permitted to be on the gaming site.
3.03 If the list of prohibited and excluded individuals changes, all registered player information shall be re-verified to ensure that all registered players are still eligible to play, and if they are not eligible, they are prohibited from gaming. The accuracy of the list maintained by the Operator should be periodically reviewed by the Operator.
Registration and Account Creation
3.04 Relevant player information shall be collected and saved upon registration and shall be demonstrated to be complete, accurate and validated before a player account is created for the player.
Requirements – At a minimum, the following information shall be gathered upon registration:
- Name.
- Date of birth.
- Address.
- Method of identification for subsequent log on, such as user name.
- Player contact information.
- Information required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the regulations under it.
3.05 Before a player account is created, players shall affirm that all player information provided upon registration is complete and accurate.
Player Account Maintenance and Transactions
3.06 Player information shall be kept complete and accurate.
3.07 Prior to participating in game play, players must affirm that they are fit for play.
3.08 All player accounts shall be uniquely identifiable. (Also applicable to Gaming-Related Suppliers)
3.09 Players may have only one player account per gaming site.
3.10 There shall be an auditable trail of events that is logged and available relating to account creation and activation, account deactivation and account changes. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, an auditable trail of events shall be available for the following:
- Information relating to player identification and verification.
- Information regarding or related to contracts with the player.
3.11 Players shall acknowledge and accept the terms of the contract governing the player’s account and game play prior to account creation and shall acknowledge and accept any subsequent material changes to the terms of the contract when logging in. At all times, the terms of the contract and the operation of the contract must comply with the Standards and Requirements and applicable Ontario laws.
3.12 All players shall be authenticated prior to accessing their player account and being permitted to gamble. Third parties are not permitted to access a player’s account. (Also applicable to Gaming-Related Suppliers)
Requirements: At a minimum,
- Players must be given the option to use multi-factor authentication when logging in.
3.13 All player account transactions shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
3.14 Player account information shall be made readily available to the player. (Also applicable to Gaming-Related Suppliers)
3.15 Information about player account transactions shall be made readily available and clear to the player. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum, the gaming system shall give the player access to the following information:
- Deposit and withdrawal history, and current balance.
- Method and source of funds used for transactions.
- Date and time of previous login.
- Gaming event and transaction history (game session outcomes and game transactions) including, in sport and event betting, the date and time of past and current bets, and the date and time at which past bets were settled, and information about current bets.
- Total monies wagered for session and/or period of time.
- Total monies won or lost for session and/or period of time.
- Account balance at start and end of session.
3.16 All player account transactions shall be uniquely identifiable and traceable to a unique individual player account. (Also applicable to Gaming-Related Suppliers)
Deactivation and Dormant Accounts
3.17 Reasonable efforts shall be made to inform players of player funds remaining in dormant accounts.
3.18 Players may elect to deactivate their player account at any time and, once the election is made, the account is deactivated.
3.19 Where necessary, a player account may be deactivated by the Operator.
3.20 A player account shall be deactivated if requested by the Registrar.
3.21 If player information is removed, it must be retained in accordance with Standard 1.09 or other records retention requirement that may apply.
3.22 Where an account becomes dormant or is deactivated by a player or another authorized individual, the player shall be able to recover the balance of their account owing to them.
Ensuring Game Integrity and Player Awareness
The overall intent of this theme is to ensure that gaming in Ontario is conducted with honesty and integrity and that players have sufficient information to make informed decisions prior to gaming.
The identified regulatory risks under this theme are:
- Inability to regulate all components.
- Related parties winning at a higher relative percentage than the public.
- Players have insufficient information to make an informed choice.
- Game and system lack integrity.
- Game procedures not followed.
- Game and systems fail.
- Potential compromising of betting markets through activities such as insider betting or game manipulation.
Game Integrity
4.01 All gaming activities and financial transactions shall be conducted fairly and honestly, and must be independently verifiable. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Continuous independent monitoring and recording of lottery schemes and cash (and cash equivalent) handling must be in place to support the verification of:
  - Adherence to required game rules by players and employees or, in sport and event betting, the processing and redemption, if any, of the bet fairly, honestly and in accordance with the terms of the bet placed by the player, including applicable betting rules;
  - Confirmation of outcomes of lottery schemes;
  - Prize payment to the proper person;
  - Accuracy of financial transactions.
- Continuous logs shall be maintained for critical gaming systems including to track financial accounting and game state history.
4.02 There shall be appropriate, accurate and complete records of transaction and game state and play information kept and made available for the purposes of (Also applicable to Gaming-Related Suppliers):
- Ensuring timely investigations can be performed by the Registrar.
- Capturing information needed to continue a partially complete game within a reasonably defined time.
- Resolving disputes in a fair and timely manner.
- Ensuring player complaints can be resolved.
- Tracking all relevant player information (including funds information).
- Tracking all relevant individual gaming sessions and game play information.
- Tracking all relevant information related to events (including significant events).
- Tracking of game enabling, disabling and configuration changes.
Guidance: There should be an adequate amount of storage, capacity and retention of logged information. The appropriate capacity, design and monitoring of the logging facilities should be in place to ensure that logging is not interrupted for a technical reason that could have been prevented.
4.03 There shall be a mechanism in place to ensure that if logging is interrupted, compensating manual controls are used, where reasonable. (Also applicable to Gaming-Related Suppliers)
4.04 The gaming system shall be capable of providing custom and on-demand reports to the Registrar. (Also applicable to Gaming-Related Suppliers)
Guidance: The intent is to ensure that the Registrar can receive information in an appropriate format when necessary. Examples are: a list of all games hosted by the website, or a list of all active player accounts.
4.05 Game specifications must be documented that clearly indicate (Also applicable to Gaming-Related Suppliers):
- The objectives of the game;
- The wagers that may be made;
- How the game is operated and played;
- Odds of winning for each prize available to players;
- The advantage of the operator in relation to each wager.
4.06 Prior to placing a bet or wager, the player shall be provided with sufficient information to make informed decisions about betting or wagering based on chances of winning, the way the game is played, and how prizes and payouts are made. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Comprehensive and accurate information that explains the applicable terms governing play must be easily available to the player prior to the placing of a bet or wager through such supports as “game rules”, “help” or “how to play” pages placed prominently to allow players to easily locate them. All reasonable steps must be taken to ensure the content is understandable.
- The explanatory content shall:
  - indicate the methods of how players may participate in the game and provide instructions and any terms for each of these methods,
  - provide clear instructions on how to interact with the game,
  - provide clear descriptions of what constitutes a winning outcome,
  - indicate any restrictions on play or betting (e.g., play duration limits, maximum wins),
  - contain comprehensive, accurate and understandable information on the odds of winning, payout odds, or returns to players,
  - indicate prize value units (e.g., currency or credits),
  - provide any other information on elements that will affect play (e.g., the number of decks or frequency of shuffles in virtual card games, the method of in-game betting) or results (e.g., how progressive jackpots work, number and kind of tokens to be collected to enter a bonus round, the rules and behaviour in a bonus round, how the results of pool betting in sport and event betting work, the procedures for confirming the results),
  - contain the same information and be consistent across all languages it is provided in.
- If certain outcomes, prizes or features are only available under limited circumstances, the explanatory content must clearly indicate what these circumstances are.
- Where speed of interaction has an effect on the player’s chances of winning, players must be informed that the speed of connection or processor may have an effect on the game.
- Where player skill and/or strategy has an impact on the player’s chances of winning, players must be informed that their skill and/or strategy will have an impact on their chances of winning.
- For all peer-to-peer games, players must be informed of possible communication loss and the impact to the player in such an event.
- The denomination of each credit shall be clearly displayed.
- The units of displayed prizes and payouts (e.g. denominational units, currency) must be clear.
- Cash out options and how to redeem winning bets in sport and event betting.
- Players shall be provided with information that indicates circumstances in which a game can be declared void.
4.07 Information provided to players prior to and during game play shall not mislead players or misrepresent games. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, information shall not:
- Describe any outcomes, prizes, or features that are not achievable.
- Encourage play as a means of recovering past gambling or other financial losses.
- Be designed so as to make false promises or present winning as the probable outcome.
- Imply that chances of winning increase:
a. The longer one plays;
b. The more one spends; or
c. Suggest that skill can influence the outcome (for games where skill is not a factor);
- Use language that suggests the probability of a particular outcome is more likely to occur than its actual probability. Examples include the use of the terms, “due”, “overdue”, “ready”, and “ready to hit”.
- Mischaracterize the nature of the game by giving it a commonly accepted name, such as “European Roulette”, if the game does not operate as a player would reasonably expect.
4.08 All igaming games, random number generators and components of igaming systems that accept, process, determine outcome of, display, and log details about player bets, including any subsequent modifications, must either be approved by the Registrar or certified by an independent testing laboratory registered by the Registrar, as per the AGCO’s ITL Certification Policy, prior to being provided for any gaming site. [Amended: April, 2023]
Guidance: For greater certainty, this Standard applies to gaming equipment used in Live Dealer games that contains electronic components.
4.09 Gaming systems and gaming supplies shall be provided, installed, configured, maintained, repaired, stored, and operated in a way that ensures the integrity, safety and security of the gaming supplies and systems. (Also applicable to Gaming-Related Suppliers) [Amended: October, 2022]
Requirements – At a minimum:
- Only games and remote gaming servers approved by the Registrar or certified by an independent testing laboratory registered by the Registrar shall be used on the gaming site.
- The Registrar shall be immediately notified where there is any problem with the integrity or security of the gaming system or gaming supplies.
- Monitoring and testing shall be performed throughout the life of the gaming system and gaming supplies to ensure they are operating as approved.
- In the event of any suspected integrity or security problem with a gaming system or gaming supply, logs of the current state of the gaming system and gaming supply, and any supportive evidence shall be preserved.
- Operators shall monitor the payback of their live games to detect any behaviour that may indicate faulty performance.
- Gaming suppliers shall take immediate action, conduct timely investigations, and make any necessary corrections when there is a problem with the integrity or security of gaming systems.
4.10 Where there are suspected game or system faults that may impact game integrity or fairness including the integrity or fairness of sport and event betting (e.g., influencing a player’s chances of winning or the return to players), Operators shall make the game unavailable to players until the issue has been resolved. In the case of sport and event betting, making a game unavailable may include the suspension of betting, the withholding of funds, and the refund of any bet until a gaming system fault has been resolved. Operator decisions must be fair, reasonable, and made in good faith.
4.11 Production, testing and development systems shall be logically separated. (Also applicable to Gaming-Related Suppliers)
4.12 Game outcomes and sport and event betting transactions shall be recoverable, where technically possible, so that player bets can be settled appropriately. (Also applicable to Gaming-Related Suppliers)
4.13 In any case where there is a game or system fault, including where game outcomes or sport and event betting transactions are not recoverable, the Operator shall have clearly defined policies and processes in respect of treating the player fairly when resolving the player’s transactions. These policies and processes shall be made available to players. (Also applicable to Gaming-Related Suppliers)
4.14 Mechanisms shall be in place to allow a game to be recreated up to and including the last communicated state to the player. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Selected electronic game elements and game outcomes shall be logged before they are displayed to the player.
- Information shall be captured that is needed to continue a partially complete game within a reasonable period of time.
4.15 A player’s bet and the outcome of the game shall be clearly displayed, easy to understand, and available for a sufficient length of time for the player to review. (Also applicable to Gaming-Related Suppliers)
4.16 Games shall pay out accurately, completely and within a reasonable time of winning, subject to checks and verifications. (Also applicable to Gaming-Related Suppliers)
Collusion and Cheating
4.17 Operators shall have mechanisms in place to appropriately deter, prevent and detect collusion and cheating.
4.18 All relevant activities related to the detection of collusion and cheating shall be logged.
4.19 Players shall be provided with clear information on the process to report activities related to collusion and cheating, including the suspected use of bots. The process must be simple to use and readily accessible to a player seeking to make a report.
Requirements – At a minimum:
- Complaints by players about unfair treatment, cheating and collusion must be investigated.
- Information about the Operator’s policies and procedures to deter, prevent and detect unfair behaviour, cheating and collusion, including the suspension or disabling of accounts and any recovery of funds, must be made available to the public on request.
- Where an investigation, whether initiated by the Operator or as a result of a player complaint, results in the suspension or disabling of a player account, records of the investigation identifying the activities, the reason for the investigation (including whether it was initiated as the result of a player complaint) and any relevant evidence should be retained in accordance with Standard 1.09.
- The Registrar shall be informed, in accordance with the notification matrix, of any incident that an Operator reasonably believes constitutes an incident of intentional cheating while playing a lottery scheme.
Speed and Interruption
4.20 Where speed of interaction has an effect on the player’s chances of winning, the Operator shall take reasonable steps to ensure the player is not unfairly disadvantaged due to gaming system related performance issues.
4.21 Service interruptions shall be responded to and dealt with in a way that does not disadvantage players. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, the gaming system shall:
- Inform players that the speed of connection or processor may have, or appear to have, an effect on the game;
- Recover from failures that cause interruptions to the game in a timely fashion;
- Where appropriate, void bets;
- Retain sufficient information to be able to restore events to their pre-failure state, if possible;
- Pay players the amount won up to that point, or return bets to players where a game cannot be continued after a service interruption, whichever is the better outcome for the player.
Peer-to-Peer Games
4.22 In peer-to-peer games, Operators must implement measures intended to deter, prevent and detect the use by players of software programs to automatically participate in game play (referred to as a bot) or to provide the player with an unfair advantage over other players.
Requirements – At a minimum:
- Operators must clearly provide notice to players of peer-to-peer games that the use of such software is not permitted and, if a player is found to have used such software, it will be considered to be cheating and the player may be sanctioned by the Operator accordingly.
4.23 Games must be conducted in a manner that ensures players are treated fairly and not unfairly disadvantaged by other players. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Measures intended to deter, prevent, and detect unfair behaviour, collusion and cheating, including the suspected use of bots, must be implemented.
- Information regarding specific game elements (such as a player’s hand or cards) shall not be accessible to give advantage to any player during games, unless by the player themselves.
- A mechanism shall be in place to ensure that a player cannot play against themselves or occupy more than one seat at an individual table.
- Gaming systems must retain a record of relevant activities to facilitate investigation and be capable of suspending or disabling player accounts and player sessions.
- Operators must monitor the effectiveness of their policies and procedures.
- As a minimum deterrent, players must be informed that accounts may be closed if the player has cheated, colluded or acted unfairly towards another player.
Determination of Game Outcomes
4.24 Games must operate according to their game specifications and the outcomes must be determined in accordance with the terms governing play and prevailing payouts as they are described to the player. Sport and event betting must be conducted fairly, honestly and in accordance with the terms of the bet placed by the player. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All possible game outcomes (winning and losing outcomes) shall be available in each play, unless clearly explained to the player.
- The probability of game outcomes in virtual games shall be the same as in the associated live game (e.g., card games), unless the differences are set out in the terms governing play and communicated to players.
- The probability of achieving a specific game outcome shall be constant and independent of game history, player or any other factor, unless clearly explained in the terms governing play. Where the game outcome is intended to be random (e.g., dice games or slot games), the outcome must not be dependent or based upon any history or other factors.
- Sport and event bets shall be accepted, processed, and settled in accordance with the terms of the bet placed by the player, including any applicable betting rules.
4.25 Bets shall be committed before the determination of game outcomes. Any wager received after the determination of game outcomes associated with the wager shall be voided and returned to the player. (Also applicable to Gaming-Related Suppliers)
4.25.1 In sport and event betting, bets must be settled fairly and in accordance with the terms of the bet placed by the player and any applicable betting rules that were available to the player when the bet was placed. Where raised, the reasons for the settlement must be clearly and promptly provided to the player. (Also applicable to Gaming-Related Suppliers)
4.25.2 The results of bets on sporting or other events must be provided to players making bets on the events. Any change of results must be made available. Account balances will be updated as the results of wagers are confirmed. (Also applicable to Gaming-Related Suppliers)
4.25.3 Sport and event betting operators shall have controls in place to ensure the accuracy and timeliness of sport and event results data. (Also applicable to Gaming-Related Suppliers)
Randomness of Game Outcomes
4.26 A mechanism shall be in place to randomly select game elements used to determine game outcomes. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Initial values and conditions shall be selected and used to seed the random selection process in a way that ensures the randomness of the resulting game outcomes and avoids any correlation of selected game elements with elements selected by any other instances of the mechanism.
- The selected game elements and their associated game outcomes shall not be influenced, affected or controlled by the amount wagered, or by the style or method of play unless the conditions are changed and are disclosed clearly to the player.
- The mechanism used to select game elements and their associated game outcomes shall be impervious to outside influences (such as electro-magnetic interference, devices within or external to the gaming system; the characteristics of the communication channel between the system and the end player device, the player or the Operator) and its components shall not be subject to deterioration that impacts, before any scheduled replacement lifecycle, the randomness of selection.
- The selected game elements and their associated game outcomes shall not be altered, discarded or otherwise manipulated through a secondary decision by the game program and shall not be impacted by load on the gaming system.
- Any failure by the mechanism to randomly select game elements, including an interruption in the selection process, must be identified and responded to quickly and appropriately to minimize the effect on players.
4.27 Mechanisms used to select game elements and their associated game outcome must be capable of being monitored and inspected to ensure the integrity of the mechanisms and its component devices and the randomness of the generated outcomes. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
Game Management
4.28 Terms governing play must not be changed during a game session unless the player is made aware of the change before the player places any wagers in the game. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Where applicable, game interface changes made by the player shall be appropriately limited by the gaming system to ensure that information and representation of the game remains fair and accurate and in accordance with the terms governing play.
- Information on the current state of multi-state games must be clearly displayed.
- Displays of jackpot amounts that change over time should be updated as frequently as practicable and particularly after the amount has been reset after a win.
- Odds in sport and event betting sometimes change prior to or during an event. Changes in odds must be updated and publicly available to all players. This is not intended to entitle a player who has previously placed a bet to receive new odds on that bet.
4.29 Game sessions must be appropriately secured and checked for authenticity. (Also applicable to Gaming-Related Suppliers)
4.30 There shall be a player activity time-out that automatically logs the player out or ends the player’s session after a specified period of inactivity. (Also applicable to Gaming-Related Suppliers)
Downloadable Game Content
4.31 All critical functions, including the generation of the outcome of any game, shall be generated by the gaming system, independent of the end player device.
Guidance: The intent is for the Operator to maintain control (i.e., security, integrity) of all critical game functions.
Sport and Event Betting Integrity
4.32 Sport and event betting operators shall have risk management measures in place to mitigate the betting integrity risk associated with sport and event betting, including insider betting and event manipulation. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Operators shall establish controls to identify unusual or suspicious betting activity and report such activity to an independent integrity monitor.
Unusual betting activity is a betting pattern that deviates, including statistically, from the activity otherwise exhibited by patrons and reasonably expected by an operator or independent integrity monitor, which may indicate potential suspicious activity in the betting or the underlying sport or other event. Unusual betting activity may include the size of a patron's wager or increased wagering volume on a particular event or wager type.
Suspicious betting activity is unusual betting activity that cannot be explained and is indicative of match fixing, the manipulation of an event, misuse of inside information, or other illicit activity.
- Independent integrity monitors shall not have any perceived or real conflicts of interests in performing the independent integrity monitor role, such as acting as an operator or as an oddsmaker.
- Independent integrity monitors shall promptly disseminate reports of unusual betting activity to all member sport betting operators.
- All sport and event betting operators shall review such reports and notify their independent integrity monitor of whether they have experienced similar activity.
- If an independent integrity monitor finds that previously reported unusual betting activity rises to the level of suspicious activity, they shall immediately notify any entity with which they have an information sharing relationship, including independent integrity monitors, sport betting operators, the appropriate governing authority for the sport or event, and any other organizations or individuals identified by the Registrar.
- All independent integrity monitors receiving such a report shall share such report with their member sport betting operators.
- Independent integrity monitors shall facilitate collaboration and information sharing to enable the investigation of and response to prohibited activity associated with the suspicious betting activity as directed by the Registrar.
- Independent integrity monitors shall provide, in accordance with the notification matrix, the Registrar with:
  - All reports of unusual betting activity;
  - If the activity was determined to be suspicious; and
  - The actions taken by the independent integrity monitor.
Guidance: The Registrar will publish a list of registered independent integrity monitors.
4.33 An operator receiving a report of suspicious activity under Standard 4.32 may suspend or cancel sport and event betting on events related to the report or withhold associated customer funds. To this end, an Operator must ensure that it has reserved itself the authority to suspend betting, void bets, and withhold associated customer funds. The Operator’s decision to suspend or cancel sport and event betting, or withhold associated customer funds, on events related to the report must be fair, reasonable, and made in good faith.
4.34 Operators offering sport and event betting products shall ensure that all bets offered meet the following criteria [Amended: February, 2022]:
1. The outcome of the event being bet on can be documented and verified;
2. The outcome of the event being bet on can be generated by a reliable and independent process;
3. The outcome of the event being bet on is not affected by any bet placed;
4. The majority of participants in the event or league are 18 years of age or older; event shall be broadly defined as assessing total participants in the event/league, rather than in a particular heat, game, match or final contest in the overall sporting event;
5. For sporting events being bet on, the event must be effectively supervised by a sport governing body which must, at minimum, prescribe final rules and enforce codes of conduct that include prohibitions on betting by insiders (not applicable to novelty bets);
6. There are integrity safeguards in place which are sufficient to mitigate the risk of match-fixing, cheat-at-play, and other illicit activity that might influence the outcome of bet upon events;
7. The bet is not on a past event for which the outcome is publicly known;
8. The bet is not reasonably objectionable;
9. The event being bet on does not involve animal fighting or cruelty;
10. Bets on assets and financial markets (e.g., stocks, bonds, currencies, real property) are prohibited;
11. Bets which expose players to losses greater than the amount wagered are prohibited;
12. Bets which mimic the structure of financial instruments, products, or markets are prohibited;
13. Bets on synthetic lottery products and bets on lottery outcomes are prohibited;
14. The event being bet on is conducted in conformity with all applicable laws;
15. Bets on minor league sports in Canada, including the Canadian Hockey League (CHL), are prohibited.
Guidance:
- For the purpose of Req. 8, reasonably objectionable bets include bets on events which are unethical, allow entertainment to be derived from human suffering or death or involve non-consensual violence or injury.
- Req. 12 applies to contracts for difference including spread betting.
Live Dealer Game Integrity
4.35 Access to live dealer gaming supplies shall be restricted to individuals with a business need. (Also applicable to Gaming-Related Suppliers) [Added: October, 2022]
Requirements – At a minimum:
- Access privileges are granted, modified, and revoked based on employment status and job requirements and all activities associated with these actions are logged.
- Access privileges are independently reviewed and confirmed on a periodic basis.
4.36 Operators must have controls in place to ensure live dealer game presenters do not compromise the integrity of a game. [Added: October, 2022]
Public Safety and Protection of Assets
The overall intent of this theme is to ensure that assets (e.g., gaming equipment and systems) are protected and that customer information and funds are safeguarded.
The identified regulatory risks under this theme are:
- People are not safe;
- Assets and customer information are not safeguarded; and
- Unauthorized individuals have access to prohibited areas.
IT Standards
Information Technology
5.01 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements. (Also applicable to Gaming-Related Suppliers)
Security Management
5.02 Users shall be granted access to the gaming system based on business need. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Access privileges are granted, modified and revoked based on employment status and job requirements and all activities associated with these actions are logged.
- Access privileges are independently reviewed and confirmed on a periodic basis.
5.03 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual, either through the assignment of uniquely assigned accounts to individual users or such other reasonable method. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All system accounts (or other accounts with equivalent privileges) shall be restricted to staff that provide IT support, and mechanisms shall be in place to secure and monitor use of those accounts.
5.04 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts. (Also applicable to Gaming-Related Suppliers)
5.05 Industry accepted components, both hardware and software, shall be used where possible. (Also applicable to Gaming-Related Suppliers)
5.06 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system. (Also applicable to Gaming-Related Suppliers)
5.07 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Operators shall ensure that a disaster recovery site is in place.
5.08 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets. (Also applicable to Gaming-Related Suppliers)
5.09 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All users shall be authenticated.
- The appropriateness and effectiveness of steps taken to harden technology components shall be regularly assessed.
- Patches to correct any security risks shall be updated regularly.
5.10 Security monitoring activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Attempts to attack, breach or access gaming system components in an unauthorized manner shall be responded to in a timely and appropriate manner.
- Intrusion attempts shall be actively detected and where possible prevented from causing disruption or outage of the gaming system.
- There shall be adequate logging to capture and monitor any attempts to attack, breach or access in an unauthorized manner any components of the gaming system. There shall be an appropriate escalation procedure.
5.11 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components. (Also applicable to Gaming-Related Suppliers)
5.12 Operators and gaming related suppliers must inform themselves of the current threats and risks to the security, integrity, and availability of the gaming systems and related components that they operate or supply. Operators must have in place policies and procedures to mitigate such risks and threats. Gaming related suppliers must inform their customers of any material threat or risk to the security or integrity of the gaming systems that they supply or operate. (Also applicable to Gaming-Related Suppliers)
Change Management
5.13 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house. (Also applicable to Gaming-Related Suppliers)
5.14 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met. (Also applicable to Gaming-Related Suppliers)
5.15 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended. (Also applicable to Gaming-Related Suppliers)
5.16 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All gaming system technology components are installed and maintained in accordance with the appropriate change management procedures.
- Requests for changes and maintenance of the gaming system are standardized and are subject to change management procedures.
- Emergency changes are approved, tested, documented, and monitored.
- Change management procedures shall account for segregation of duties between development and production.
- Only dedicated and specific accounts may be used to make changes.
5.17 Operators must have both preventative and detective measures in place to ensure that no unauthorized or unintentional changes are made to the gaming system.
Requirement — At a minimum:
- There must be a mechanism to validate that installed software is the certified software.
5.18 Post implementation reviews shall be performed to ensure that changes have been correctly implemented and the outcomes shall be reviewed and approved. (Also applicable to Gaming-Related Suppliers)
5.19 All change related documentation and information shall be captured, stored and managed in a secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.20 The implementation of software related updates, patches or upgrades shall be regularly monitored, documented, reviewed, tested and managed with appropriate management oversight and approval. (Also applicable to Gaming-Related Suppliers)
5.21 A mechanism shall be in place to regularly monitor, document, review, test and approve upgrades, patches or updates to all gaming-related hardware components as they become end of life, obsolete, shown to have weaknesses or vulnerabilities, are outdated or have undergone other maintenance. (Also applicable to Gaming-Related Suppliers)
5.22 Appropriate release and configuration management processes with support systems shall be in place to support both software and hardware related changes. (Also applicable to Gaming-Related Suppliers)
5.23 Only dedicated and specific accounts may be used to make changes. (Also applicable to Gaming-Related Suppliers)
Data Governance
5.24 Data governance shall be in place to address data processing integrity and protection of sensitive data. (Also applicable to Gaming-Related Suppliers)
5.25 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The gaming system shall ensure that data is appropriately backed up in a manner that allows it to be completely and accurately restored.
- Data backups shall be stored off-site in a secure location and in accordance with applicable policies and laws.
5.26 Player information shall be securely protected and its usage controlled.
Requirements – At a minimum:
- Data collection and protection requirements for player personal information shall meet those set out in the Freedom of Information and Protection of Privacy Act.
- Player personal information shall only be used for the lottery schemes conducted and managed respectively by the OLG or iGaming Ontario, unless there is prior approval.
5.27 Communication of sensitive game data shall be protected for integrity. (Also applicable to Gaming-Related Suppliers)
5.28 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Proactive monitoring and detection of errors in the gaming system and related components shall be in place. Action shall be immediately taken to correct incidents of non-compliance with the Standards and Requirements or control activities.
- There shall be time synchronization of the gaming system environment and related components.
- Event data shall be retained to provide chronological information and logs to enable the reconstruction, review and examination of the time sequences of processing.
Architecture and Infrastructure
5.29 The gaming system architecture and all its related components shall demonstrate security in depth. (Also applicable to Gaming-Related Suppliers)
5.30 All gaming systems and devices shall validate inputs before inputs are processed. (Also applicable to Gaming-Related Suppliers)
5.31 The gaming system shall only display the minimum information about the gaming system to unauthorized users and during system malfunctions to minimize the risk of compromising the gaming system or the privacy of information. (Also applicable to Gaming-Related Suppliers)
5.32 All remote access methods shall be appropriately secured and managed. (Also applicable to Gaming-Related Suppliers)
5.33 Use of wireless communication shall be secured and only used where appropriate. (Also applicable to Gaming-Related Suppliers)
Guidance: The intent is to ensure that wireless communication is not present in areas where it could be potentially harmful (e.g. data centres).
5.34 All components shall be hardened as defined by industry and technology good practices prior to going live and as part of any changes. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All default or standard configuration parameters shall be removed from all components where a security risk is presented.
5.35 Access shall be appropriately restricted to ensure that the domain name server records are kept secure from malicious and unauthorized changes. (Also applicable to Gaming-Related Suppliers)
Data and Information Management
5.36 All private encryption keys shall be stored on secure and redundant media that are only accessible by authorized management personnel. (Also applicable to Gaming-Related Suppliers)
5.37 Encryption algorithms and key lengths shall be regularly assessed for security vulnerabilities. (Also applicable to Gaming-Related Suppliers)
5.38 The gaming system architecture shall limit the loss of data and session information. (Also applicable to Gaming-Related Suppliers)
System Account Management
5.39 The gaming system shall be able to change, block, deactivate or remove system accounts in a timely manner upon termination, change of role or responsibility, suspension or unauthorized usage of an account. (Also applicable to Gaming-Related Suppliers)
5.40 A secure authenticator that meets industry good practices shall be used to identify users and their accounts to ensure that only authorized individuals are permitted to access their system account on the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The gaming system shall automatically lock out accounts where any identification and authorization requirement is not met after a defined number of attempts.
- Multi-factor authentication shall be implemented as part of a secure authenticator.
5.41 The gaming system shall ensure that all access to the system is fully attributable to, and logged against, a unique user identification. (Also applicable to Gaming-Related Suppliers)
5.42 Only the minimum access rights shall be granted to each system account on the gaming system and access rights shall be clearly documented. (Also applicable to Gaming-Related Suppliers)
5.43 All temporary and guest accounts shall be disabled immediately after the purpose for which the account was established is no longer required. (Also applicable to Gaming-Related Suppliers)
5.44 System accounts and system access rights for the gaming system shall be regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.45 A log of account owners shall be kept and regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.46 A mechanism shall be in place to ensure that the assignment of administrator accounts is approved by the Operator’s management and that usage is monitored for appropriateness. (Also applicable to Gaming-Related Suppliers)
5.47 Inappropriate use of system accounts on the gaming system shall be logged, reviewed and responded to within a reasonable period of time. (Also applicable to Gaming-Related Suppliers)
5.48 Inappropriate use of administrator accounts shall be reported to the Registrar in accordance with the notification matrix. (Also applicable to Gaming-Related Suppliers)
Software
Note: The following Standards apply to the following types of software: 1) Modified commercial off-the-shelf software, 2) Proprietary developed software, and 3) software specifically developed by the OLG or iGaming Ontario.
5.49 Software used for the gaming system shall be developed using industry good practices. (Also applicable to Gaming-Related Suppliers)
5.50 Software development methodologies used shall be clearly documented, regularly updated and stored in an accessible, secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.51 An appropriate system shall be in place to manage the software development and ongoing software management lifecycle. (Also applicable to Gaming-Related Suppliers)
5.52 All software development roles shall be segregated during and after release of code to a production environment. (Also applicable to Gaming-Related Suppliers)
5.53 An appropriate audit trail of authority and management review of code for software shall be established. (Also applicable to Gaming-Related Suppliers)
5.54 Controls shall be in place to ensure software is appropriately secured and access is appropriately restricted throughout development. (Also applicable to Gaming-Related Suppliers)
5.55 Authorized management staff shall review and approve software documentation to ensure that it is appropriately and clearly documented.
5.56 Source code and compiled code shall be securely stored. (Also applicable to Gaming-Related Suppliers)
Guidance: Compiled code could be digitally signed or hashed (including each time there is a change) in a manner that allows for external verification.
5.57 The promotion or movement of code from testing through other environments to production shall be accompanied by the appropriate documentation and approvals. (Also applicable to Gaming-Related Suppliers)
5.58 All promotion of code from development to production shall only be performed by production support staff and not by development staff. (Also applicable to Gaming-Related Suppliers)
5.59 Appropriate testing environments shall be in place to allow for thorough testing of any code before it is put into production. (Also applicable to Gaming-Related Suppliers)
5.60 Access to production environments shall be restricted from development personnel. (Also applicable to Gaming-Related Suppliers)
Note: This does not preclude granting of temporary supervised access for conducting technical investigations that may only be performed on the production environment.
5.61 Development code shall not be present in the production environment. (Also applicable to Gaming-Related Suppliers)
5.62 A mechanism shall be in place to verify the integrity of the software that is deployed to production, including before changes are implemented, as well as on an ongoing basis. (Also applicable to Gaming-Related Suppliers)
5.63 Appropriate release and configuration management systems shall be in place to support software development. (Also applicable to Gaming-Related Suppliers)
5.64 All code developed by a third party shall be tested to ensure it meets industry good practices and that it performs to meet its purpose prior to being added to the testing environment and prior to integration testing. (Also applicable to Gaming-Related Suppliers)
5.65 All code developed by a third party shall pass integration testing before it is added to production. (Also applicable to Gaming-Related Suppliers)
5.66 Mechanisms shall be in place to ensure that bugs are identified and addressed prior to, and during, production. (Also applicable to Gaming-Related Suppliers)
5.67 Quality assurance processes, including testing, shall take place during development and prior to the release of any code. (Also applicable to Gaming-Related Suppliers)
5.68 All components, where appropriate, shall be tested for the purposes for which they will be used. (Also applicable to Gaming-Related Suppliers)
Funds Management
Deposits
5.69 Players may be permitted to deposit funds into their player accounts only after the appropriate verifications and authorization.
Requirements – At a minimum, deposits shall be verified and authorized to ensure the following:
- Deposits made are appropriately authorized by a financial services provider.
Note: Cryptocurrency is not legal tender and shall not be accepted.
Withdrawals
5.70 Players are permitted to withdraw funds from their player account only after the appropriate verifications and authorization.
Requirements – At a minimum:
- Withdrawals shall be verified and authorized to ensure the following, before a withdrawal is permitted:
  - The withdrawal is being made by a holder of the account; and
  - The withdrawal is being transferred to an account of which the player is a legal holder.
5.71 Players are permitted to withdraw funds from their player account in an accurate and complete fashion and as soon as is practicable, subject to appropriate authorization and verification.
Funds Maintenance and Transactions
5.72 Player funds shall be clearly and appropriately managed.
5.73 All player funds deposited in respect of igaming lottery schemes conducted and managed by the OLG shall be held in an OLG account. iGaming Ontario shall take steps to ensure that all player funds deposited in respect of igaming lottery schemes conducted and managed by iGaming Ontario are subject to oversight by iGaming Ontario and available to players.
5.74 Operators shall not extend credit or lend money to players or refer players to credit providers or imply or infer that a player should seek additional credit to play games.
5.75 No player’s account is permitted to have a negative funds balance. A player’s account with a negative funds balance must be suspended and no transactions permitted after the negative funds balance arises. No transaction is permitted until the negative funds balance is eliminated. No bet will be accepted that could result in a negative funds balance.
Guidance: This Standard is not intended to prohibit the resettlement of bets when reasonable and necessary.
5.76 Players shall be provided with a clear and accurate representation of their funds account balance that is easily accessible and readily available at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The player balance shall be displayed in Canadian dollars.
5.77 Players shall be provided with unambiguous information about all player account fees prior to making a withdrawal or deposit.
5.78 Players shall be informed clearly and specifically of all rules and restrictions regarding deposits and withdrawals and access to funds in connection with deposits and withdrawals.
5.79 Funds shall not be transferred between player accounts.
5.80 Adjustments to player accounts shall be made accurately and only by authorized individuals.
5.81 Adjustments to player accounts shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
5.82 Players shall be provided with accurate, clear and specific reasons for any adjustments made to their accounts. (Also applicable to Gaming-Related Suppliers)
Minimizing Unlawful Activity Related to Gaming
The overall intent of this theme is to protect the public interest and public safety by ensuring that unlawful and criminal activity does not take place in gaming in Ontario.
The identified regulatory risks under this theme are:
- Gaming used as a vehicle for money laundering
- Gaming used as a vehicle for fraud or theft
- Internal theft is occurring
- Cheat at play materializes within the gaming environment
6.01 Mechanisms shall be in place to reasonably identify and prevent unlawful activities at the gaming site.
Requirements – At a minimum, the Operator shall:
- Conduct periodic risk assessments to determine the potential for unlawful activities, including money laundering, fraud, theft and cheat at play.
- Ensure that all relevant individuals involved in the operation, supervision or monitoring of the gaming site shall remain current in the identification of techniques or methods that may be used for the commission of crimes at the gaming site.
- Appropriately monitor player and employee transactions, including the ongoing analysis of incident reports and suspicious transactions for possible unlawful activity.
- Report suspicious behaviour, cheating at play and unlawful activities in accordance with the established notification matrix.
6.02 Anti-money laundering policies and procedures to support obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) shall be implemented and enforced.
Requirements – At a minimum:
- Copies of all reports filed with FINTRAC and supporting records shall be made available to the Registrar in accordance with the established notification matrix.
- Operators shall ensure their anti-money laundering internal controls align with those of the designated reporting entity under the PCMLTFA.
6.03 Reasonable measures shall be in place to identify and prevent suspected money laundering activities in the gaming site.
Requirements – At a minimum, the Operator shall:
- Implement policies, procedures and controls that specify times and situations, based on the assessment of risk, where the Operator will ascertain and reasonably corroborate a player’s source of funds.
- Implement risk-based policies and procedures that provide for escalating measures to deal with players who engage in behaviour that is consistent with money laundering indicators, including the refusal of transactions or exclusion of the player.
- Ensure that mechanisms are in place to share information, in a lawful manner, about high-risk or suspicious activities with other Operators which may also be subject to similar activity.
Appendix
[Amended: February, 2022]
Regulatory Risks
Risk Theme | Regulatory Risk |
---|---|
Entity Level | |
Responsible Gambling | |
Prohibiting Access to Designated Groups | |
Ensuring Game Integrity and Player Awareness | |
Public Safety and Protection of Assets | |
Minimizing Unlawful Activity Related to Gaming | |