Entity Level
The intent of this risk theme is to ensure that regulated entities have a sound control environment, and an organizational structure that promotes good governance, accountability and oversight, as well as transparency in dealings with the AGCO.
The regulatory risks associated with this theme are:
- Lack of appreciation and understanding of critical elements of a risk-based control environment
- Lack of defined Board mandate and independent oversight of management
- No mechanism for reporting wrong-doing
- Inadequately documented management policies and procedures to define and align accountability skills and competence
- Lack of understanding about expected ethical behaviour
- Lack of transparency in decision-making
- Individual knowingly fails to comply
Management Integrity
1.01 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All applicable laws and regulations shall be adhered to.
- Matters identified in management letters from internal and external auditors and matters identified by the Registrar shall be responded to in a timely manner.
- Operators and gaming-related suppliers shall create and abide by a code of conduct which addresses, at a minimum, conflicts of interest and transparency in dealings with the Registrar. Operators and gaming-related suppliers will be responsible for employee compliance with the code, where such employees play games provided by the Operator or supplier. The code of conduct must be regularly reviewed by the organization’s senior management.
Guidance: Management in the context of this Standard refers to executives and senior-level management who have the day-to-day responsibility of managing the business of the organization.
Sound Control Environment
1.02 Operators and gaming-related suppliers shall develop, document and implement formal control activities to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be authorized by the appropriate level of management. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
- A process shall be in place to periodically review control activities for effectiveness in meeting the Standards and Requirements and to document, remedy and adjust the controls where deficiencies or gaps are found.
- Substantial changes to the Operator's control environment shall be communicated to the Registrar in a timely manner.
- Control activities must be available to the AGCO (or its designate) for regulatory assurance purposes.
- Operators and gaming-related suppliers who run critical gaming systems shall develop a control activity matrix. An operator’s control activity matrix shall summarize all controls related to the gaming site, including where the operator works with third-party suppliers, including platform providers.
- Operators shall have their control activities assessed by an independent oversight function for alignment with the Standards and Requirements.
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
1.03 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist.
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.04 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
Organizational Structure and Capabilities
1.05 A personnel security screening process shall be in place for any director or officer, and any employee, agent or consultant, at a level that is appropriate for the individual’s role in the organization. (Also applicable to Gaming-Related Suppliers)
1.06 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Employees involved in performing control activities must be trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.07 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Employees shall be given the appropriate and documented authority and responsibility to carry out their job functions, subject to supervision.
- The adequacy of segregation of duties as they relate to player protection, game integrity and protection of assets shall be regularly reviewed by the organization’s internal audit group or other independent oversight function acceptable to the Registrar.
- Operators must maintain an up-to-date organizational chart showing key reporting lines and relationships, and make it available to the Registrar upon request.
1.08 Management clearly understands its accountability and authority for the control environment. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.09 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated. (Also applicable to Gaming-Related Suppliers)
Oversight
1.10 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Documentation shall be reviewed and analyzed to ensure compliance with the Standards and Requirements, and approved by management.
- Internal and external auditors shall be granted access to all relevant systems, documentation (including control activities) and resources for the purpose of conducting an audit.
- Where directed, Operators and gaming-related suppliers shall retain an independent auditor acceptable to the Registrar to carry out audits required by the Registrar and provide copies of the audit reports to the Registrar.
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where considered necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
- In reviewing control activities for compliance with the Standards and Requirements, internal and external auditors shall take into account the Registrar’s expectations, as articulated herein.
1.11 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- A compliance oversight function shall be established that is independent of the activities it oversees.
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
- An internal audit function shall be established that regularly audits the organization’s control environment and compliance management framework and exercises oversight that is independent from operational management. The internal audit function shall have the authority to independently review any aspect of the operations.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
- The compliance oversight function and internal audit or other independent oversight function shall have direct and unrestricted access to the Board, or other governance structure, and shall report on all important issues regarding compliance on a regular basis or as necessary.
- The Board, or other governance structure, shall establish a committee or committees to oversee the organization’s compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
- Members of the Board, or other governance structure, and of any committees established to oversee the organization’s compliance and audit oversight functions shall understand the business’s operations, initiatives and major transactions, and shall have the skills, training, experience and independence to carry out their fiduciary responsibilities.
1.12 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Operators shall ensure issues raised through the “whistleblowing” process are addressed and communicated to the Board in a timely manner.
1.13 Registrants shall engage with the Registrar in a transparent way. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, Operators shall:
- Provide reports regarding any incident or matter that may affect the integrity or public confidence in gaming, including any actions taken to prevent similar incidents from occurring in the future, in accordance with the established notification matrix.
- Provide reports regarding any incident of non-compliance with the law, Standards and Requirements or control activities, including any actions taken to correct the cause of non-compliance, in accordance with the established notification matrix.
- Make available any data, information and documents requested by the Registrar.
1.14 The Operator shall ensure that investigators (OPP or Registrar) are able to monitor and participate in games.
Customer Service
1.15 A mechanism shall be in place to allow players to contact the Operator in a timely fashion with issues and complaints relating to their player account, funds management, game play or any matter related to compliance with the Standards and Requirements. The Registrar shall be notified of any such issues or complaints, in accordance with the established notification matrix.
1.16 Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner.
Requirements – At a minimum:
- Operators must have clear service standards and must make these available to players.
- Disputes must be resolved under Ontario and Canadian law.
1.17 Relevant information about the AGCO shall be displayed and easily accessible to the player.
Third Party Management
1.18 Operators and gaming-related suppliers shall only contract with reputable suppliers. (Also applicable to Gaming-Related Suppliers)
1.19 Operators are responsible for the actions of third parties with whom they contract for the provision of any aspect of the Operator’s business related to gaming in Ontario and must require the third party to conduct themselves in so far as they carry out activities on behalf of the operator as if they were bound by the same laws, regulations, and standards.
1.20 Operators and gaming-related suppliers shall maintain a list of suppliers that provide them with goods or services in relation to lottery schemes and shall make it available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
1.21 Operators must ensure that no independent third parties that engage in direct-to-consumer marketing, direct-to-consumer promotion, or player referral services for the Operator under contract, in exchange for commissions, or for any other form of compensation also undertake such activities related to online gaming sites that facilitate or accept wagers from players in Ontario without an AGCO registration.
Guidance: This Standard covers the activities of those entities that Operators and others in the gaming industry commonly refer to as “affiliates” or “marketing affiliates”, which are often paid or otherwise compensated to refer customers to another business’ products, services, or websites through direct-to-consumer marketing services. This commonly understood term used among gaming registrants and other entities involved in gaming, and known as “affiliates” or “marketing affiliates”, is used here for guidance purposes only, and is distinct from how that term may be used in any other regulatory scheme.
Unregulated Activities
1.22 Operators and gaming-related suppliers must cease all unregulated activities if, to carry out those same activities in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA.
Operators and gaming-related suppliers shall not enter into any agreements or arrangements with any unregistered person who is providing the operator or gaming-related supplier with any goods or services if, to provide those goods and services in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA. [Added: October, 2022]
Note: For greater certainty, and without limiting the generality of any other Standard, this Standard applies to and governs applicants.