Operators and GRSs who run critical gaming systems must provide the AGCO with confirmation their technology is compliant with applicable AGCO Standards prior to going live in the igaming market in Ontario.
- For operators: The scope of the Technology Compliance Confirmation must include the whole technology solution that will be deployed for Ontario igaming operations, including, but not necessarily limited to, the platform and underlying infrastructure, network devices, operating systems and databases, as well as gaming software and other applications. If an operator is using a third-party GRS platform, that operator’s Technology Compliance Confirmation should include confirmation for that GRS platform as well. If an operator is using third-party GRSs who run critical gaming systems, that operator’s Technology Compliance Confirmation does not include confirmation for those GRSs’ technologies, as those aspects of the solution are covered by the third-party GRSs’ Technology Compliance Confirmations, but it does include the integration of these systems to the platform.
Please note: Platforms are a subset of “gaming equipment”, which is in turn defined in the Gaming Control Act, 1992. Platforms provide numerous functions, including player account management, payments, player wallets, and responsible gaming controls, and are integrated with critical gaming systems to deliver the gaming site’s offerings. Platforms do not require ITL certification.
- For GRSs who run critical gaming systems (this category does not include platforms, as noted in the bullet point above): the scope of the Technology Compliance Confirmation must include the infrastructure (gaming servers, operating systems and databases, and network devices) and games (software) pertaining to offerings to Ontario.
Please note: Critical gaming systems are a subset of “gaming equipment”, which is in turn defined in the Gaming Control Act, 1992. The components of these systems include games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers – all of which require ITL certification.
The Technology Compliance Confirmation must be provided to the AGCO prior to going live, and include the following components:
- A letter to the AGCO signed by the Registrant’s CEO (or equivalent) and Chief Compliance Officer (or equivalent) that includes an explicit statement confirming the technology that will be used to provide products and services in Ontario's igaming market is compliant with all related Standards. This letter must also include specific confirmation that all games to be offered in Ontario will, prior to deployment in Ontario, be certified by an ITL registered by the AGCO or approved by the Registrar and be provided by AGCO-registered suppliers.
  For GRSs who run critical gaming systems, this letter must also include an explicit statement that they have a CAM in place that meets all applicable and relevant Standards.
- An appendix containing the following key supporting evidence, as applicable (depending on the products and services to be offered), must be provided to the AGCO prior to going live:
  - For operators: an overview of the full technology solution of the gaming site that identifies all Gaming-Related Suppliers, along with other third-party technology integrations to the gaming site.
  - Results from security vulnerability assessments of Ontario production infrastructure and applications, conducted by an independent and qualified security firm. In addition, results from internal and external penetration testing of their Ontario production infrastructure and applications, conducted by an independent and qualified security firm, must be provided.
    - These results are to be accompanied by management responses indicating the company’s risk assessment, remediation plans and compensating controls.
    - It is expected remediation plans will be commensurate with risk, and that severe security risks will be addressed prior to gaming systems going live in Ontario.
      - For example, an operator may choose to remediate vulnerabilities with a National Vulnerability Database Common Vulnerability Scoring System (NVD CVSS) score of 7 within 30 days and vulnerabilities with a score of 4 within 90 days.
    - Remediations should be verified through an additional scan.
  - A description of the planned use for any third-party data center/cloud service providers. This must include the name of the provider, type of service model, and current Service Organization Control 2 (SOC 2) reports or ISO 27001 certification for each provider.
  - For operators, a description of how the controls implemented to meet Standard 3.02 (players must be within the borders of Ontario) have been validated to ensure:
    - Accuracy and effectiveness of the controls across the majority of expected player device and network connection types including:
      - Compliance with requirement 3.02.1 dynamic monitoring of player location.
      - Compliance with requirement 3.02.2 common methods to circumvent controls are detected and/or prevented.
  - A description of the mechanisms in place to meet Standards 5.17.1 (validation that installed software is ITL certified) and 5.62 (verification of the integrity of deployed software).
Registrants are responsible for ensuring any activities they deem necessary to support their confirmation are completed to their satisfaction. This may include third-party testing. Registrants are also expected to maintain all related records and evidence that support their Technology Compliance Confirmation. If requested, Registrants must make records and evidence available to the AGCO.