Risks related to Electronic Raffles
The Issue
Identifying the risks related to electronic raffles is crucial for the development of the AGCO regulatory framework, which will be focused on mitigating those risks. A risk-based approach will allow the AGCO to direct its attention to the areas that matter most from a regulatory perspective.
What We Heard
Risks Related to Game Integrity and Cybersecurity
While electronic raffles have the potential to improve game integrity and security, there are also concerns and specific risks related to the use of computers. Participants brought up the following potential risk areas related to the use of technology.
- Cybersecurity issues may be a new and different risk to many of the charities that will be getting involved in electronic raffles.
- Cybersecurity issues are hard to predict. Any indication that the security of a system can be compromised with regard to handling payments, deposits, and raffle and consumer information, or a weak random number generator, may have a negative impact on the integrity of the raffle, may impact the success of the raffle, and could undermine the entire sector if public confidence is affected.
- It is important that the system has proper tracking and monitoring capabilities to ensure that all aspects of a raffle are conducted fairly and with integrity.
- Raffle activities suggested to be monitored or reported on include, but are not limited to, the selection of winners, administration of tickets, distribution of prizes, expenses by operators, any suspected integrity issues with the raffle, and the use of raffle proceeds.
- In addition to establishing a secure electronic environment, the physical environment must also be secure.
- If one charity has a high-profile problem with their electronic system, it could hurt the industry as a whole.
- Volunteers play an important role in charitable raffles. It is not uncommon for there to be regular turnover of volunteers, and this may pose challenges for charities to ensure that volunteers are properly trained on the electronic raffle solutions.
- Charities are unlikely to have the expertise to deal with potential technical issues with the electronic raffle solutions.
Mitigation Strategies
Participants had a number of ideas for strategies for mitigating the risks that may accompany electronic raffles, including:
- The AGCO should ensure that suppliers develop electronic raffle systems using sound software development and testing methodologies.
- Designing the system from the ground up will help to limit threats.
- Access to the IT infrastructure must be limited, and all access must be recorded and auditable.
- Implement proper authentication (e.g., two-factor authentication, strong password policies), authorization (e.g., role-based access control), and strong encryption (multiple levels).
- Servers, networks, and workstations must be hardened and patched, with anti-malware software installed and intrusion detection and prevention systems in place.
- Random number generators must be thoroughly assessed prior to being permitted as part of an electronic raffle system.
- Tickets must contain security features to prevent the creation of fraudulent tickets.
- A backup could be provided both locally and remotely, via internet cloud or an offsite co-location remote server.
- AGCO should have clear technical standards, and ensure that suppliers understand what is required and that they are accountable for meeting the technical standards.
- AGCO should consider allowing for third party technical assessments as part of the regulatory framework.
- Ensure that all automated electronic raffle solutions adhere to industry standard best-practices. Examples include:
  - Gaming Labs International Standards
    - GLI-27 (Network Security Best-Practices)
    - GLI-31 (Electronic Raffle Systems)
- The electronic raffle system should be able to generate financial records and reports in real-time.
- The ability to accept electronic payments is seen as a huge benefit by the industry, and will reduce the amount of cash on hand at events and provide a convenient way for customers to purchase raffle tickets. Participants did acknowledge that risk related to electronic payments would have to be mitigated to ensure payments are made by the authorized cardholder and not with stolen cards or by minors. Consider placing more stringent requirements for those running electronic raffles with larger prize boards.
- The AGCO should make public:
  - The process to conduct technical assessments of electronic raffle solutions;
  - The checks-and-balances required to ensure the solutions are secure;
  - Third party testing (if any); and
  - Resolutions to electronic raffle complaints.
- The technical standards should be the responsibility of the supplier. There should be a clear separation between the technical and any operational requirements, and operational standards should not be included in any AGCO Technical Standards.
- The AGCO should require charities to have a plan for responding to, escalating, and resolving cybersecurity and IT infrastructure issues related to electronic raffles.
- The AGCO should conduct random inspections/audits of suppliers and charities.
- The AGCO should consider requiring charities to have an expert available to help with any technical issues.
Participants indicated they would like the AGCO to provide information and supports to help charities engage productively with registered gaming related suppliers. Helpful information could include:
- an explanation of what certifications or required documentation charities should be looking for from a supplier;
- a list of approved suppliers complete with contact information;
- an example of a contract between a charity and supplier; and/or
- an explanation of charities’ rights and responsibilities.
Mitigating Training Concerns
- The AGCO should be the sole licensing authority, at least initially, to control the number and types of electronic raffles that are licensed. This may also help charitable organizations gain a better understanding of how the new licensing scheme will work, and lay the groundwork for municipal licensing moving forward.
- The AGCO should provide education and training for charities, suppliers and municipalities on their roles and responsibilities.
- Ensure that the Terms and Conditions for electronic raffles are clear so as to minimize confusion and inconsistent application.