Internet Gaming Go-Live Compliance Guide
Introduction
This guide describes the go-live compliance requirements for most internet gaming (igaming) operators and gaming-related suppliers (“GRSs”) in order to participate in Ontario's igaming market.
Please note that AGCO registration and successful completion of our go-live compliance requirements will not constitute permission for operators and their GRSs to begin gaming operations in Ontario's igaming market. That authority rests with iGaming Ontario (iGO), the body responsible for conducting and managing internet gaming in Ontario, including establishing operating agreements with AGCO-registered operators, which include additional requirements as established by iGO.
The compliance requirements in this Guide were described previously in the AGCO’s June 2021 igaming Regulatory Compliance engagement paper, and, based on input received through that engagement process, have since been finalized.
The information in this Guide will be of interest to all types of igaming registrants. However, many of the individual requirements apply to two specific types of registrants: a) operators; and b) gaming-related suppliers who run critical gaming systems1.
Also, this Guide does not include information about go-live requirements and processes that apply to Independent Testing Laboratories (ITLs) because compliance requirements have been communicated directly to them and a special ITL governing policy is in place (see Appendix C).
Within the AGCO, the Technology Regulation and iGaming Compliance Branch is responsible for ensuring that operators and GRSs have met the go-live compliance measures described below. Contact information for questions and clarification is provided at the end of this section. In the future, the Branch will add to this compliance guide with content related to ongoing (post go-live) compliance requirements and key processes.
What’s in this guide?
This guide has five sections:
- Section 1 – AGCO Compliance Approach: How the igaming compliance approach fits within the AGCO’s risk-based and outcome-focused regulatory framework, including a number of high priority Registrar’s Standards for Internet Gaming and other themes that will be areas of special compliance focus before and after the launch of Ontario's igaming market.
- Section 2 – Technology Compliance Confirmation: The requirements for each operator and gaming-related supplier (“GRS”) who runs critical gaming systems to provide a Technology Compliance Confirmation for review by the AGCO.
- Section 3 – Control Activity Matrix (CAM) Requirements: The requirements for each operator and GRS who runs critical gaming systems to develop a Control Activity Matrix (“CAM”) and for operators to submit their CAMs for review by the AGCO.
- Section 4 – Requirements for Certification of Technology by a Registered ITL: A summary of the requirements to ensure that ITL certifications are in place before going live.
- Section 5 – Notification Requirements and AGCO Secure Data Exchange: An overview of go-live activities and requirements related to the AGCO Internet Gaming Notification Matrix (“Notification Matrix”) and AGCO Secure Data Exchange.
There are also three appendices:
- Appendix A: A brief summary of the go-live compliance requirements for four specific types of Registrants.
- Appendix B: Information about which Registrar’s Standards for Internet Gaming might be commonly applicable to various types of Registrants.
- Appendix C: A copy of the AGCO’s ITL Certification Policy.
Need additional information?
If you need more information or have any questions after reviewing this guide, please contact the AGCO's Technology Regulation and iGaming Compliance Branch by e-mail at iGamingCompliance@agco.ca.
1Critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers.
Section 1 - AGCO Compliance Approach
1.1 Risk and Outcomes based Standards
The Registrar’s Standards for Internet Gaming (the “Standards”) are risk-based and outcome-focused.
Risk-based refers to the regulatory risks underlying the Standards. It is expected that by achieving the regulatory objectives reflected in the Standards, the registrant’s established control environment will address these regulatory risks.
Outcome-focused means that our Standards emphasize the results that igaming operators and GRSs are expected to achieve, rather than prescriptive activities that must be carried out. Accordingly, we expect operators and GRSs to have effective control activities in place to achieve the outcomes set out in the Standards.
This focus on risks and outcomes in the Standards provides greater flexibility for individual operators and GRSs to design control activities that fit their business operations and then to adapt those controls quickly and cost-effectively as those operations change over time – always ensuring that our outcome-based Standards are being met. It also means that our regulatory program maintains its relevance, even in sectors where change is fast paced, including where technology is deeply integrated in how the business is delivered.
1.2 Risk and Outcomes based compliance
The igaming compliance program is also risk and outcomes-based, and that has important implications for operators and GRSs as described below.
Familiar with all relevant and applicable regulatory requirements
Operators and GRSs are expected to be familiar and in compliance with all requirements of the Gaming Control Act 1992 and all Standards that are relevant and applicable to them, given their type of business, role, and the products and services they provide.
For example: almost all of the Standards will apply to an igaming operator and their platform provider, while GRSs who run critical gaming systems or independent integrity monitors (IIM)2 in sport and event betting will be subject to more focused subsets of the Standards.
Information on which standards might be commonly applicable to different types of registrants is provided in Appendix B. This information is for general guidance purposes only and should not be taken as conclusive direction from the AGCO. The circumstances of each registrant are different and registrants are responsible for identifying the standards and requirements that apply to them.
Effective Controls to be in place
The AGCO’s regulatory framework provides greater flexibility but also comes with heightened accountability for those we regulate. We expect igaming operators and GRSs to have control environments in place that are consistently capable of achieving the AGCO’s regulatory outcomes and that they:
- Regularly assess and validate the effectiveness of their control environments against the Standards, proactively addressing issues or gaps, and reporting substantial changes in the control environment to the AGCO.
- Regularly assess and validate that their technology meets the Standards, providing the AGCO with appropriate evidence
-
Provide the AGCO with key indicators, information, and documentation to support our understanding of their risk profile.
- Have robust internal compliance monitoring and reporting mechanisms in place.
- Report compliance incidents to the AGCO in a timely and transparent manner as per our Notification Matrix and take steps to ensure that the root causes of non-compliance are accurately determined and addressed in a timely manner that minimizes the likelihood of recurrence.
- Understand that they are responsible for meeting the Standards, regardless of whether they have contracted out functions to third parties.
- Pay particular attention to the key compliance priorities that the AGCO will identify on an ongoing basis (see #4 below)
Our compliance approach involves working collaboratively with operators and GRSs to maintain or, if necessary, re-establish compliance. Where regulatory expectations are not met, the AGCO may use a full spectrum of compliance responses to achieve those goals, including education, warnings, financial penalties, suspensions, and, in the most serious cases, revocations. In cases where severe incidents occur, the AGCO will act proportionately to ensure the public is protected.
Our assessment of compliance risk begins when an application for registration is submitted
Once an application is received, the AGCO assesses risks associated with that application. Considerations include operational and regulatory experience in other jurisdictions, track record of compliance, the applicant’s gap analysis with respect to the Standards (see below), and issues or concerns about individuals or technology. That risk assessment becomes part of the applicant’s ongoing compliance profile and will be used by our compliance teams to inform their monitoring activities.
As part of the registration process, all applicants must confirm they will abide by the Standards. This includes confirming that goods, services, and technology deployed by or provided to the applicant by third party GRSs will be in compliance.
In addition, because of their central role, operators are asked at this stage to submit an analysis of their current controls, processes, technology, etc., against the Standards, to identify any gaps, and provide evidence that they have developed a plan to address those gaps. This gap analysis also becomes part of the applicant’s ongoing compliance profile.
Igaming compliance themes and priorities
The Technology Regulation and iGaming Compliance Branch’s responsibilities include:
-
Identifying compliance themes and priorities that will be special areas of interest and focus for the AGCO and its compliance teams; and
-
Designing effective, targeted, and proactive compliance and risk mitigation activities to address these themes and priorities.
Our compliance priorities will be assessed and updated as the environment evolves. From time to time, the AGCO will communicate additional areas of interest and focus to operator and GRSs to help increase operational awareness.
While registrants are required to comply with the Gaming Control Act, 1992 and all relevant Standards, the following are some of the priority areas from the Standards that the AGCO will be paying particular attention to as we assess applications and review each operator’s Control Activity Matrix and Technology Compliance Confirmation (see Section 3), and then as we monitor ongoing compliance once the Ontario market is underway.
Priority |
Description |
---|---|
Effective Internal Control Environment |
|
Responsible Gambling |
|
Game Design and Integrity |
|
Suspicious or Criminal Activities |
|
Minors |
|
Security and Privacy |
|
In addition to the priorities identified in the table above, we will be closely monitoring for:
- Exiting the unregulated igaming market in Ontario:
- We will be monitoring registrant compliance with the requirement that a) they cease unregulated market operations in Ontario and b) terminate any association they may have with any other company that operates an unregulated scheme in Ontario.
- Advertising, marketing and promotional activity, and exposure of minors:
- The AGCO has not established specific regulatory limits or restrictions on advertising and marketing around overall volume, types of channels, or timing. However, based on our monitoring of industry activity in the months ahead, we will consider additional measures if warranted.
- As part of promotional partnerships, igaming operators or other businesses cannot provide gaming devices or gaming equipment to players to access an igaming site at a physical premises.
- Under Ontario’s legal framework, igaming operators are only permitted to operate gaming sites that are electronic channels. The provision of gaming equipment, such as devices to access gaming (e.g., a tablet or a kiosk) creates a land-based gaming site and is not permitted.
- In Ontario, OLG conducts and manages lottery schemes offered at land-based gaming sites (including casinos, cGaming sites, and lottery), and on its own electronic channel, olg.ca. iGaming Ontario (iGO) conducts and manages the online lottery schemes that are not conducted and managed by OLG, and does not conduct and manage any land-based gaming sites.
2 IIMs receive, assess, and distribute unusual/suspicious betting alerts to entities with which they have an information sharing relationship, including their member sport and event betting operators, the AGCO, and the relevant sport/event governing body. In addition, as directed by the Registrar, IIMs are responsible for facilitating collaboration and information sharing to support the investigation of, and response to, prohibited activity associated with suspicious betting. IIMs may provide their services to, among others, regulators, operators, or gaming related suppliers, but must not have any perceived or real conflicts of interests in performing their role (such as acting as an operator or oddsmaker).
Section 2 - Technology Compliance Confirmation
Operators and GRSs who run critical gaming systems must provide the AGCO with confirmation their technology is compliant with applicable AGCO Standards prior to going live in the igaming market in Ontario.
- For operators: The scope of the Technology Compliance Confirmation must include the whole technology solution that will be deployed for Ontario igaming operations, including but not necessarily limited to, the platform and underlying infrastructure, network devices, operating systems and databases, as well as gaming software and other applications. If an operator is using a third-party GRS platform, that operator’s Technology Compliance Confirmation should include confirmation for that GRS platform as well. If an operator is using third-party GRSs who run critical gaming systems, that operator’s Technology Compliance Confirmation does not include confirmation for those GRSs’ technologies, as those aspects of the solution are covered by the third-party GRSs’ Technology Compliance Confirmations but does include the integration of these systems to the platform.
Please note: Platforms are a subset of “gaming equipment”, which is in turn defined in the Gaming Control Act, 1992. Platforms provide numerous functions, including player account management, payments, player wallets, and responsible gaming controls, and are integrated with critical gaming systems to deliver the gaming site’s offerings. Platforms do not require ITL certification. - For GRSs who run critical gaming systems (this category does not include platforms, as noted in the bullet point above): the scope of the Technology Compliance Confirmation must include the infrastructure (gaming servers, Operating systems and databases, and network devices) and games (software) pertaining to offerings to Ontario.
Please note: Critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers – all of which require ITL certification.
The Technology Compliance Confirmation must be provided to the AGCO prior to going live, and include the following components:
-
A letter to the AGCO signed by the Registrant’s CEO (or equivalent) and Chief Compliance Officer (or equivalent) that includes an explicit statement confirming the technology that will be used to provide products and services in Ontario's igaming market is compliant with all related Standards. This letter must also include specific confirmation that all games to be offered in Ontario will, prior to deployment in Ontario, be certified by an ITL registered by the AGCO or approved by the Registrar and be provided by AGCO-registered suppliers.
For GRSs who run critical gaming systems, this letter must also include an explicit statement that they have a CAM in place that meets all applicable and relevant Standards. -
An appendix containing the following key supporting evidence, as applicable (depending on the products and services to be offered), must be provided to the AGCO prior to going live:
-
For operators: an overview of the full technology solution of the gaming site that identifies all Gaming-Related Suppliers, along with other third-party technology integrations to the gaming site.
-
Results from security vulnerability assessments of Ontario production infrastructure and applications, conducted by an independent and qualified security firm. In addition, results from internal and external penetration testing of their Ontario production infrastructure and applications, conducted by an independent and qualified security firm, must be provided.
-
These results are to be accompanied by management responses indicating the company’s risk assessment, remediation plans and compensating controls.
-
It is expected remediation plans will be commensurate with risk, and that severe security risks will be addressed prior to gaming systems going live in Ontario.
-
For example, an operator may choose to remediate vulnerabilities with a National Vulnerability Database Common Vulnerability Scoring System (NVD CVSS) score of 7 within 30 days and vulnerabilities with a score of 4 within 90 days.
-
-
Remediations should be verified through an additional scan.
-
-
A description of the planned use for any third-party data center/cloud service providers. This must include the name of the provider, type of service model, and current Service Organization Control 2 (SOC 2) reports or ISO 27001 certification for each provider.
-
For operators, a description of how the controls implemented to meet Standard 3.02 (players must be within the borders of Ontario) have been validated to ensure:
-
Accuracy and effectiveness of the controls across the majority of expected player device and network connection types including:
-
Compliance with requirement 3.02.1 dynamic monitoring of player location.
-
Compliance with requirement 3.02.2 common methods to circumvent controls are detected and/or prevented.
-
-
-
A description of the mechanisms in place to meet Standards 5.17.1 (validation that installed software is ITL certified) and 5.62 (verification of the integrity of deployed software).
Registrants are responsible for ensuring any activities they deem necessary to support their confirmation are completed to their satisfaction. This may include third-party testing. Registrants are also expected to maintain all related records and evidence that support their Technology Compliance Confirmation. If requested, Registrants must make records and evidence available to the AGCO.
-
Section 3 - Control Activity Matrix (“CAM”) Requirements
3.1 CAM requirements for operators
All operators are required to design and implement control activities in order to comply with the Registrar’s Standards. Operators are expected to have those controls in place in advance of going live in Ontario's igaming market. Any exceptions should be discussed on a case-by-case basis with the AGCO Technology Regulation and iGaming Compliance Branch. These processes and controls are to be summarized in a CAM. Each operator’s CAM must be independently audited to ensure the controls have been designed to meet the Registrar's Standards, and then submitted to the AGCO for review in accordance with the timing described below.
An operator’s CAM must summarize all controls related to the gaming site, including the following:
-
Since major technology controls are contained within igaming platforms, operators are expected to work with their third-party platform providers, where applicable, to make sure their CAMs reflect the full spectrum of controls that are in place to meet the Registrar’s Standards for Internet Gaming.
-
An operator’s CAM is not required to include controls in place by third-party GRSs who run critical gaming systems or by game suppliers who develop games. These registrants have their own CAM requirements, as described below.
Subject to independent audit
The operator must subject the CAM to an independent audit. The independent audit should be carried out by a unit or function within the operator’s organization that was not involved in developing the CAM, like the Internal Audit function, or a designated external auditor. The independent audit results, confirming compliance, must be included with the operator’s CAM submission.
Timing for submitting the CAM
The required timing for submission of the CAM will vary depending on the level of risk assessed during the AGCO’s registration process.
-
Operators that are assessed during the eligibility review as potentially posing elevated risk:
The operator may be required to submit their CAM as part of their application for registration before their registration is issued.
-
A determination of elevated risk may be based on several factors. For example, operators new to igaming with minimal to no experience, operators that hold no licences/registrations in other jurisdictions, operators that have a history of significant non-compliance, and operators whose gap analysis demonstrates a poor understanding of the Standards or significant gaps with respect to the Standards.
-
Operators that do not pose an elevated risk:
The operator will be required to submit the CAM within three months of their go-live date in the Ontario market. More details about the submission process for these Operators will be provided as part of future additions to this guide related to ongoing (post go-live) compliance requirements and processes.
Operators are encouraged to prioritize the development and independent audit of their CAM to prevent registration delays. Each operator will receive notification in writing of applicable CAM submission timing requirements from the AGCO.
3.2 CAM requirements for GRSs who run critical gaming systems
Before going live in the Ontario igaming market, GRSs who run critical gaming systems must confirm to the AGCO that they have a CAM in place that meets all applicable and relevant Standards.
As noted earlier, critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers.
This confirmation shall be included in the Technology Confirmation Letter discussed in Section 2.
These GRSs are not required to submit these CAMs for the AGCO’s review. However, in response to identified risks, and for compliance purposes, the AGCO may at any time request the CAM.
3.3 CAM requirements for other types of GRSs
Other types of GRSs are not required to prepare a CAM or to submit a CAM for review to the AGCO. However, these GRSs are required to have effective control activities and related documentation in place. The AGCO may request evidence of appropriate control activities from any GRS at any time.
Section 4 - Requirements for Certification of Technology by a Registered ITL
Before applicable technologies can be deployed in Ontario's market, operators and GRSs who run critical gaming systems must ensure the following types of technology have been certified against the applicable Standards by an AGCO registered ITL:
-
Games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers. This includes, but is not limited to, slot games, table games, sport and event betting, poker, and other card games.
In certain low-risk circumstances and on a case-by-case basis, the Registrar will consider providing gaming related suppliers with temporary approval for critical gaming systems to facilitate operations at launch. Requests for temporary approval should be discussed on a case-by-case basis with the AGCO Technology Regulation and igaming Compliance Branch.
Recognizing that registered ITLs may have tested many items for use in other regulated jurisdictions, ITLs may consider such prior testing in their determination as to whether tested components meet the AGCO Standards. In doing so, however, ITLs must ensure that any prior testing was relevant to our Standards.
These same technologies must be recertified by a registered ITL when subsequent modifications are made that render the previous certification no longer valid, including but not limited to, modifications related to responsible gaming, game integrity, fairness, and security. See Appendix C – ITL Certification Policy for additional details.
Testing and certification may be performed at any time, including before an Operator or GRS has received a registration from the AGCO. However, ITLs may not issue certifications until they have:
-
Completed registration with the AGCO as a Gaming-Related Supplier; and
-
Submitted confirmation, such as an independent audit, that their testing methodology has been configured to the Registrar’s Standards for Internet Gaming.
Please note: Even though the GRS who manufacturers the game will likely be the entity that obtains the certification, the obligation to assure the AGCO that the game is certified rests with operators and GRSs who run critical gaming systems.
Section 5 - Notification Requirements and AGCO Secure Data Exchange
The AGCO Internet Gaming Notification Matrix defines three categories of information that must be provided by registrants on an ongoing basis. These include:
- Incident-based notifications,
- Scheduled reports of data indicators, and
- Other regulatory submissions.
Operators and GRSs will use two secure data exchange mechanisms to provide the information described in the Notification Matrix:
- iAGCO will be used for igaming incident notifications and regulatory submissions. iAGCO is the web-based system that operators and GRSs also use to submit their application for registration and will use for subsequent renewals and changes in registration information.
- The AGCO’s Secure File Transfer Protocol (SFTP) Data Exchange (igaming) will be used for all other regulatory data (ongoing data indicators, copies of required documents and reports, etc.),
The information provided by registrants through each of these mechanisms will be used to inform AGCO compliance planning and monitoring activities.
Before going live in Ontario’s market:
- Registrants must ensure they fully understand AGCO requirements related to incident notifications and regulatory submissions, as outlined in the AGCO Notification Matrix.
- The AGCO will set up accounts with appropriate access for registrants as needed on both the iAGCO and the AGCO SFTP data exchange (igaming).
- The AGCO will provide training on the Notification Matrix and the AGCO SFTP data exchange (igaming) to operators and GRSs.
Appendix A: Go-Live Compliance Requirements by Type of Registrant
Operators |
|
---|---|
GRS who provide platforms |
|
GRS who run critical gaming systems
The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers – all of which are technologies that require ITL certification.
|
|
All other Gaming-Related Suppliers |
|
Appendix B: Information on which Standards might be commonly applicable to certain types of Registrants
The following information is intended to provide guidance for common applicability of the Registrar’s Standards for Internet Gaming for four specific types of registrants that play key roles in the delivery of gaming in Ontario.
This information is for general guidance purposes only and should not be taken as conclusive direction from the AGCO.
The circumstances of each registrant are different and all registrants, including those not listed below, are responsible for identifying the standards and requirements applicable to them.
Type of Registrants |
Applicable igaming Standards |
---|---|
Operators and their platform providers |
In general, all of the igaming Standards will apply to registered operators and their platform providers. |
GRSs who run critical gaming systems |
Gaming-related suppliers who run critical gaming systems are responsible for ensuring that gaming technology is operated in a way that meets the Standards.
Entity Level: 1.01, 1.02.3, 1.03, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.11, 1.12, 1.13, 1.14, 1.18, 1.20 Responsible Gambling: 2.15.3, 2.15.5, 2.16.2 Ensuring Game Integrity and Player Awareness: 4.01, 4.02, 4.03, 4.04, 4.06, 4.07, 4.08, 4.09, 4.11, 4.12, 4.14, 4.15, 4.16, 4.21, 4.23, 4.24, 4.25, 4.27, 4.28, 4.29, 4.35 Public Safety and Protection of Assets: 5.01, 5.02, 5.03, 5.04, 5.05, 5.06, 5.07, 5.08, 5.09, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.24, 5.25, 5.26, 5.27, 5.28, 5.29, 5.30, 5.31, 5.32, 5.33, 5.34, 5.35, 5.36, 5.37, 5.38, 5.39, 5.40, 5.41, 5.42, 5.43, 5.44, 5.45, 5.46, 5.47, 5.48, 5.58, 5.60, 5.62, 5.63, 5.64, 5.65, 5.66, 5.68
|
GRSs that develop but do not run critical gaming systems |
Entity Level: 1.01, 1.02.3, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.12, 1.13, 1.18, 1.20 Responsible Gambling: 2.15, 2.16, 2.17, 2.18, 2.19, 2.20, 2.24.2 Prohibiting Access to Designated Groups and Player Account Management 3.15.3 Ensuring Game Integrity and Player Awareness 4.01, 4.02, 4.05, 4.06, 4.07, 4.08, 4.09.2, 4.09.6, 4.12, 4.14, 4.15, 4.16, 4.21, 4.24, 4.25, 4.26, 4.27, 4.28, 4.29, 4.31, 4.35 Public Safety and Protection of Assets: 5.05, 5.13, 5.14, 5.15, 5.16, 5.19, 5.20, 5.25, 5.27, 5.39, 5.40, 5.41, 5.49, 5.50, 5.51, 5.52, 5.53, 5.54, 5.55, 5.56, 5.57, 5.59, 5.61,5.64, 5.65, 5.66, 5.67
|
GRSs that are registered as independent integrity monitors
|
Entity Level: 1.01, 1.02.3, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.12, 1.13, 1.18, 1.20 Ensuring Game Integrity and Player Awareness 4.32 Public Safety and Protection of Assets: 5.01, 5.02, 5.03, 5.04, 5.05, 5.09, 5.10, 5.11, 5.12, 5.24, 5.25, 5.26, 5.28
|
Standards that are Specific to Sport and Event Betting
In general, the Registrar’s Standards for Internet Gaming apply to operators and GRSs involved in offering sport and event betting Ontario's igaming market.
By way of additional clarification, the following table highlights those relatively few Standards that are a) uniquely applicable to sport and event betting only; b) relevant for internet gaming as a whole, but also contain one or more specific references to sport and event betting; and c) do not apply to sport and event betting.
|
Responsible Gambling: 2.15.1, 2.15.2, 2.15.3 Prohibiting Access to Designated Groups and Player Account Management 3.01.1 Ensuring Game Integrity and Player Awareness 4.25.1, 4.25.2, 4.25.3, 4.32, 4.33, 4.34 |
---|---|
|
Prohibiting Access to Designated Groups and Player Account Management 3.15 Ensuring Game Integrity and Player Awareness 4.01, 4.06, 4.10, 4.12, 4.13, 4.24, 4.28 Public Safety and Protection of Assets: 5.75 |
|
Responsible Gambling: 2.15 Ensuring Game Integrity and Player Awareness 4.26, 4.27 |
Appendix C: ITL Certification Policy
What is an “ITL certification”?
- An ITL certification is a form of written assurance that is issued by registered independent test laboratories (“ITLs”) to indicate that they have tested and confirmed that the types of technology captured by this policy meet the relevant AGCO Registrar’s Standards for Internet Gaming (the “Standards”). Additionally, for Live Dealer games in the igaming space only, the relevant “Casino Electronic Gaming Devices and Gaming Systems Minimum Technical Standards” are also applicable.
- ITL certifications for Ontario's igaming market can only be issued by ITLs that are registered by the AGCO.
- ITL certification provides the AGCO with reasonable assurance that the technology being tested complies with the relevant Standards.
What technology needs to be certified?
- The specific types of technology that must be certified by a registered ITL are:
- All games, random number generators and components of igaming systems that accept, process, determine outcome, display and log details about player bets. This includes, but is not limited to, slot games, table games, sport and event betting, poker and other card games. For Live Dealer games, the requirement for certified technology extends to physical random number generators with electronic elements and similar physical equipment with electronic elements used to determine game outcome. This includes, but is not limited to, physical wheels (roulette), physical dice tables, and card shufflers that have electronic components.
What is required from a certification to be recognized by the Registrar?
- The technologies identified above must be certified by a registered ITL before they are deployed in the Ontario market. As noted in section 4, in certain low-risk circumstances and on a case-by-case basis, the Registrar will consider providing gaming-related suppliers with temporary approval for critical gaming systems to facilitate operations at launch. Requests for temporary approval should be discussed on a case-by-case basis with the AGCO Technology Regulation and igaming Compliance Branch.
- The AGCO does not prescribe which entity is required to request the ITL certification (e.g., operator, game manufacturer, etc.) although it is anticipated that it will most commonly be the game provider.
- A certification that contains a limitation on the Registrar’s use of the certification, or purports to disclaim the Registrar’s use of the certification, will not be a recognized certification by the Registrar.
When certified technology has been modified, does it need to be recertified?
- Recertification is required when any modification or subsequent discovery of an undetected issue impacts critical gaming system integrity, fairness, or security, or compliance with the Gaming Control Act, 1992, its regulation, and/or the Standards. The effect of the modification or discovery is to render the previous certification invalid.
- The gaming-related supplier is accountable for ensuring that all required certifications are obtained from AGCO-Registered ITLs. The GRS classifies the set of modifications (from the previous certified software to the current upgraded software) into one of three categories. All records of this classification shall be maintained and would be made available to the AGCO upon request. Based on the category of modifications, the supplier may or may not need to recertify the software with an ITL.
The 3 categories of modifications include:
- Non-Regulatory Modifications - modifications that are unrelated to compliance with the Standards (e.g., minor bugs that may impact user experience, cosmetic changes, new language added that is not used in Ontario, etc.).
Approach: These do not require recertification. The supplier can leverage the previous certification and confirm that all modifications between the two versions are non-regulatory in nature such that the previous certification holds and applies to the modified technology. - Regulatory Modifications – modifications that are related to compliance with the Standards (e.g., modification to game design which could also impact a standard) OR modifications that address regulatory concerns but do not require immediate action to correct (e.g., previous version is not live or problem is fully mitigated through some other control or action).
Approach: These must be certified before deployment. - Regulatory Fix (Emergency Fix) - Modifications that address regulatory concerns and require immediate action to correct a live issue (e.g., major impact to the Standards that question the integrity of the game).
Approach: To expedite regulatory fixes, they can be deployed prior to certification. The ‘fixed’ technology can be deployed immediately but must be submitted to an ITL for Ontario certification within 5 business days of release.
Against which Standards does certification need to be made?
- The scope of the certification is not “all” Standards, but rather those standards that are relevant to games, random number generators, remote gaming servers, and sport and event betting systems being tested.
- For Live Dealer games only, the relevant “Casino Electronic Gaming Devices and Gaming Systems Minimum Technical Standards” are also applicable.
- Each technology is different and so the AGCO cannot provide definitive direction that would cover all eventualities. However, AGCO’s Technology Regulation and iGaming Compliance Branch provides guidance to registered ITLs on specific Standards that will likely be of interest to the Registrar. Such guidance cannot be definitive in advance of a substantive review of the gaming equipment software under review for certification.
Will the AGCO permit “conditional” certifications by ITLs?
- As noted above, the technologies covered by this policy cannot be deployed in the Ontario market without an ITL certification.
- For regulatory purposes, an ITL may not issue a certification that is contingent on any future changes or modifications to the technology being carried out.
- An ITL may issue a certification that specifies one or more features that would need to be turned off or disabled in order for the technology to be compliant with the relevant Standards.
What information should an ITL certification instrument include?
For the purposes of documenting that the relevant Standards have been met, an ITL certification instrument must include the following information:
- AGCO-registered name of the registered ITL that completed the certification.
- AGCO-registered name of the registered operator or gaming-related supplier that requested the certification.
- Date the certification was issued.
- Some form of unique identifier that will allow the AGCO to track and follow-up on individual certifications with an operator, gaming-related supplier, or ITL.
- The name of the product, version number, and manufacturer.
- A list of the Standards against which the technology was certified.
- Whether any part of the certification was based on previous testing completed for regulatory requirements in another jurisdiction.
- For recertification of a previously certified product, a high-level description of the key changes made to the product that necessitated the recertification.
The following additional information must be made available by the registered ITL to the AGCO upon request:
- The results of any previous testing of the same product for the same registrant, including information about any previously identified areas of deficiency against the Standards.
- Information in response to AGCO inquiries about the testing environment, product configurations tests, and specific aspects of the testing methodology.