1.1 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions.
Requirements – At a minimum:
Guidance: Management in the context of this Standard refers to executives and senior level management who have the day-to-day responsibility of managing the business of
the organization.
1.2 Formal control activities shall be submitted to the Registrar which have been assessed by an independent oversight function acceptable to the Registrar for alignment with the Standards and Requirements and authorized by the appropriate level of management.
Requirements – At a minimum:
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator or gaming-related supplier and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator / gaming-related supplier depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
Additional Guidance for Gaming-Related Suppliers: In the application of the entity level Standards and Requirements, it is recognized that some gaming-related suppliers, particularly suppliers of gaming equipment, operate in jurisdictions in addition to Ontario and may be limited in their ability to design and implement control activities based solely on the Standards and Requirements. The intent is that these Standards and Requirements apply to gaming-related suppliers in respect of their conduct in Ontario. At a minimum, the entity level Standards and Requirements seek assurance that gaming-related suppliers, including suppliers operating in multiple jurisdictions, will have acceptable control activities and that periodic review for gaps in control activities is carried out and that the suppliers ensure that the control activities are followed where such control activities affect the respective supplier’s conduct in Ontario.
1.2.1 Removed, March 2022.
1.3 Removed, September 2020.
1.4 Removed, September 2020.
1.5 Removed, September 2020.
1.6 Removed, September 2020.
1.7 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request.
Requirements – At a minimum:
Guidance: The intent of this Standard is to allow senior-level management to override
controls on a one-off basis in necessary circumstances and to ensure that appropriate
documentation is maintained for auditing purposes. This Standard is not intended to
address permanent changes to the control environment.
1.8 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
1.9 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities.
Requirements – At a minimum:
1.10 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized.
Requirements – At a minimum:
1.11 Management clearly understands its accountability and authority for the control environment.
Requirements – At a minimum:
1.12 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated.
1.13 All surveillance recordings shall be retained for a minimum period as specified by the Registrar.
1.14 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.
Requirements – At a minimum:
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where he considers necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
1.15 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.
Requirements – At a minimum:
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
1.16 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.
Requirements – At a minimum, Operators shall:
1.17 Registrants shall engage with the Registrar in a transparent way.
Requirements – At a minimum, Operators shall:
1.18 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.
1.19 Users shall be granted access to the gaming system based on business need.
Requirements – At a minimum:
1.20 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.
Requirements – At a minimum:
1.21 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.
1.22 Industry accepted components, both hardware and software, shall be used where possible.
1.23 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.
1.24 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.
1.25 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.
1.26 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches.
Requirements – At a minimum:
1.27 Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate.
Requirements – At a minimum:
1.28 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.
1.29 Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.
1.30 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house.
1.31 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.
1.32 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended.
1.33 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved.
Requirements – At a minimum:
1.34 The gaming system shall be able to detect unauthorized changes.
1.35 Data governance shall be in place to address data processing integrity and protection of sensitive data.
1.36 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times.
Requirements – At a minimum:
1.37 Player information shall be securely protected and its usage controlled by OLG.
Requirements – At a minimum:
1.38 Removed January 2022.
1.39 Communication of sensitive game data shall be protected for integrity.
1.40 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events.
Requirements – At a minimum:
1.41 Gaming applications on all portable devices shall be appropriately secured.
Guidance: This Standard is not intended to capture players using their own portable devices such as their smartphones, but rather employees or players using portable devises to access the Operator’s gaming system.
1.42 Operators and gaming-related suppliers shall only contract with reputable suppliers.
1.43 Removed, September 2020
1.44 Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.
1.45 Operators and gaming-related suppliers shall comply with applicable technical standards issued by the Registrar.
1.46 All registrants and non-gaming-related suppliers who are exempt from registration will comply with all applicable OLG policies and procedures to the extent that they are consistent with these Standards and Requirements.
2.1 Advertising and marketing materials and communications shall not target underage or self-excluded persons to participate in lottery schemes and shall not include underage individuals.
Requirements – At a minimum, materials and communications shall not:
2.2 Advertising and marketing materials and communications shall not be misleading.
Requirements – At a minimum, materials and communications shall not:
2.2.1 Advertising and marketing materials that communicate gambling inducements, bonuses and credits related to sport and event betting are prohibited, except in the following:
Guidance:
2.2.2 Permitted advertising and marketing materials that communicate gambling inducements, bonuses and credits must, at a minimum:
2.2.3 Players must be provided an opt-in process whereby they actively consent to receiving any direct advertising and marketing of inducements, bonuses and credits, and must be provided a method to withdraw their consent at any time, where such marketing and advertising materials are available.
Guidance:
2.3 Information about the risks of gambling and where to obtain additional information or assistance shall be made readily available to all patrons.
Requirements – At a minimum:
2.4 Patrons shall be provided with meaningful and accurate information to enable them to make informed choices.
Requirements – At a minimum:
Odds in sport and event betting sometimes change prior to or during an event. Changes in odds must be updated and publicly available to all players. This is not intended to entitle a player who has previously placed a bet to receive new odds on that bet.
2.5 Support shall be provided to persons showing signs of potentially problematic gambling behavior.
Requirements – At a minimum:
2.6 OLG shall provide a common voluntary self-exclusion program.
Requirements – At a minimum:
Guidance: OLG’s self-exclusion program may be executed in each of the gamingsectors using different processes and technologies to reflect the distinct operational circumstances of that sector.
2.7 Individuals who have decided to voluntarily self-exclude shall be removed from mailing lists and shall not receive incentives or promotions for any products and services during the period of self-exclusion.
2.8 Game designs and features shall be clear and shall not mislead the player. This Standard does not apply to sport and event betting products.
Requirements – At a minimum:
2.8.1 The method of making bets in sport and event betting must be straightforward and understandable. Information must be made available so that the player is clearly informed of the details of the bet prior to making the bet. All selections in a bet must be made clear to the player.
Requirements – At a minimum:
Guidance: This Standard is not intended to prohibit or preclude in-play betting.
2.8.2 Players must be able to access information regarding available sport and event bets without having to place a bet. This information includes:
2.8.3 Reputable and legitimate data source(s) must be used to determine the outcome of a bet. These data source(s) shall be made available to the player upon request.
2.8.4 In sport and event betting, bets shall not be given a commonly accepted name, such as “moneyline”, if the bet does not operate as a player would reasonably expect.
2.9 Free-to-play games shall provide the same responsible gambling and player protection information as games played for money.
2.10 Removed, July 2019.
2.11 Games shall not encourage players to chase their losses, or increase the amount they have decided to gamble, or continue to gamble after they have indicated that they want to stop.
2.11.1 Where an account is used, no player’s account is permitted to have a negative funds balance. A player’s account with a negative funds balance must be suspended and no transactions permitted after the negative funds balance arises. No transaction is permitted until the negative funds balance is eliminated. No bet will be accepted that could result in a negative funds balance.
Guidance: This Standard is not intended to prohibit the resettlement of bets when reasonable and necessary.
2.12 Players shall have the means to track the passage of time.
2.13 Games that are located in gaming sites that are not age-restricted shall not appeal primarily to, nor be associated with, underage individuals.
2.14 Credit shall not be extended or lent to patrons to gamble (not applicable to Casinos).
2.15 Operators shall ensure that credit services provided to patrons are carried out in a responsible manner (applicable to Casinos only).
Requirements – At a minimum:
3.1 Only eligible individuals are permitted access to a gaming site.
Requirements – At a minimum:
3.2 Only eligible individuals are permitted to play a lottery scheme.
Requirements – At a minimum:
Note: This Standard does not preclude the AGCO from participating in games for regulatory assurance purposes.
3.2.1 Operators shall not knowingly permit an individual to engage in any of the following prohibited activities and shall take steps to actively monitor and prevent such prohibited activity from occurring:
Requirements – At a minimum:
3.3 Lottery schemes shall be provided only within Ontario, unless the lottery scheme is conducted in conjunction with the government of another province.
4.1 All gaming activities and financial transactions shall be conducted fairly and honestly, and must be independently verifiable.
Requirements – At a minimum:
4.2 Rules of play, including any subsequent modifications, shall be submitted to the Registrar for approval. This Standard is not applicable to sport and event betting.
Requirements – At a minimum, the rules of play shall contain:
Guidance: Sport and event betting rules of play do not need to be submitted to the Registrar for approval.
4.3 Lottery schemes must be conducted in accordance with the approved rules of play. Sport and event betting must be conducted fairly, honestly and in accordance with the terms of the bet placed by the player.
Requirements – At a minimum:
4.4 [Removed, April 2017]
4.5 All gaming systems and gaming supplies, including any subsequent modifications, shall be submitted to the Registrar for assessment and approval, at the expense of the supplier, prior to being provided to any gaming site.
Requirements:
Guidance: Non-electronic or non-electromagnetic gaming supplies used in operation with table games in accordance with the Rules of Play (e.g. dice, cards) do not require additional assessment or approval by the Registrar, and can be made available for play.
4.6 Gaming systems and gaming supplies shall be provided, installed, configured, maintained, repaired, and operated in a way that ensures the integrity, safety and security of the approved gaming supplies and systems, and in accordance with the Registrar’s approval.
Requirements – At a minimum:
4.7 Production, testing and development systems shall be logically separated.
4.8 Game outcomes shall be recoverable, where technically possible, so that player bets can be settled appropriately.
4.9 Where game outcomes or sport and event betting transactions are not recoverable, the Operator shall have clearly defined policies in respect of treating the player fairly when resolving the player’s transactions. These policies and processes shall be made available to players.
4.10 Mechanisms shall be in place to allow a game to be recreated up to and including the last communicated state to the player.
Requirements – At a minimum:
4.10.1 Where there are suspected game or system faults that may impact game integrity or fairness including the integrity or fairness of sport and event betting (e.g., influencing a player’s chances of winning or the return to players), Operators shall make the game unavailable to players until the issue has been resolved. In the case of sport and event betting, making a game unavailable may include the suspension of betting, the withholding of funds, and the refund of any bet until a gaming system fault has been resolved. Operator decisions must be fair, reasonable, and made in good faith.
4.11 A player’s bet and the outcome of the game shall be clearly displayed and easy to understand.
4.11.1 In sport and event betting, details on placed bets shall be made readily available and clear to the player.
Requirements – At a minimum, the betting system shall give the player a record including the following information:
Guidance: Indicating where redemption instructions can be found satisfies the redemption portion of this requirement.
4.11.2 The results of a bet on a sport or event must be provided to players. Any change to the results of a sport or event must be made available. Sport and event bets must be settled fairly and in accordance with the terms of the bet placed by the player. Where raised, the reasons for the settlement must be clearly and promptly provided to the player.
4.11.3 If players are playing using an account, account balances will be updated as the results of bets are confirmed.
4.11.4 Sport and event betting Operators shall have controls in place to ensure the accuracy and timeliness of sport and event results data.
4.12 Patron complaints and any inquiries related to game integrity must be recorded and addressed in a timely and appropriate manner.
4.13 Games shall pay out accurately, completely and within a reasonable time of winning, subject to checks and verifications.
4.14 Operators shall have mechanisms in place to appropriately deter, prevent and detect collusion and cheating.
4.15 All relevant activities related to the detection of collusion and cheating shall be logged.
4.16 Players must be able to easily and readily report activities related to collusion and cheating.
4.17 Removed, July 2019.
4.18 Live table game (non-electronic) layouts must at a minimum display the following information in a manner identifiable through surveillance recording (applicable to Casinos only):
Guidance: This Standard is not intended to capture gaming layouts that are displayed electronically via a terminal, display, etc.
Unique Game Options was intended to capture any options unique to the game which is important for understanding how the outcome of the game will be determined. As an example, in Blackjack an indication of whether the Dealer stands on all point totals of seventeen (17) or hits on soft seventeen (17).
4.19 Sport and event betting Operators shall have risk management measures in place to mitigate the betting integrity risk associated with sport and event betting, including insider betting and event manipulation.
Requirements – At a minimum:
Guidance: The Registrar will publish a list of registered independent integrity monitors.
4.20 An Operator receiving a report of suspicious activity under Standard 4.19 may suspend or cancel sport and event betting on events related to the report or withhold associated customer funds. To this end, an Operator must ensure that it has reserved itself the authority to suspend betting, void bets, and withhold associated customer funds. The Operator’s decision to suspend or cancel sport and event betting, or withhold associated customer funds, on events related to the report must be fair, reasonable, and made in good faith.
4.21 An Operator offering sport and event betting products shall ensure that all bets offered meet the following criteria:
Guidance:
5.1 Operators shall have available for review by the AGCO accurate floor plans of the premises.
Requirements – At a minimum:
5.2 Only authorized individuals shall be permitted access to sensitive areas.
Requirements – At a minimum, Operators shall:
Guidance: There may be various levels of sensitivity in a gaming site. Dual authorization access will be appropriate for the highest risk areas, such as playing card vaults and cash count rooms, where strict controls are necessary to secure the gaming site and/ or safeguard gaming integrity or assets. Two factor access, on the other hand, may be appropriate for other types of sensitive areas or equipment. Each gaming site is unique and should define its sensitive areas as it deems appropriate. The Registrar, however, retains the authority to direct an Operator to adopt a certain form of access authorization for a certain area or equipment, as deemed necessary.
5.3 Individuals suspected of, or engaged in, creating a disturbance that could be harmful to the individual, to the public or to gaming-related assets shall be removed from the premises, and the occurrence shall be reported in accordance with the established notification matrix.
5.4 A policy and process shall be in place to provide individuals with security escorts to and from vehicles, where it is requested.
5.5 Areas under the control of the Operator shall be monitored for the presence of unattended children. All occurrences of unattended children shall be addressed and reported in accordance with the established notification matrix.
5.6 There shall be site emergency procedures to protect the public from personal harm and limit the damage to or loss of gaming-related assets
Requirements – At a minimum:
5.7 Security and surveillance shall be in place to protect the public and gaming-related assets and to record transactions.
Requirements – At a minimum:
Guidance: The intent of Requirement 1(d) is to ensure that all points of access, which directly or indirectly lead to the gaming floor or sensitive areas at a minimum have camera coverage or an alarm, which is actively monitored for unauthorized access.
The AGCO OPP Casino Enforcement Unit, a unit of the OPP Bureau assigned to the AGCO, must be provided with independent monitoring equipment with override capability within the Casino Enforcement Unit work area (applicable to Casinos only).
5.8 There shall be timely and accurate maintenance of gaming-related financial transactions, accounting information and data.
5.9 Lottery schemes shall be played only within designated areas of the premises.
6.1 Mechanisms shall be in place to reasonably identify and prevent unlawful activities at the gaming site.
Requirements – At a minimum, the Operator shall:
Not knowingly permit the structuring of transactions designed to avoid or circumvent reporting, record-keeping and patron identification requirements contained within these Standards or other regulations.
Report suspicious behaviour, cheating at play and unlawful activities in accordance with the established notification matrix.
6.2 Anti-money laundering policies and procedures to support obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act shall be implemented and enforced.
Requirements – At a minimum:
Operators shall ensure their anti-money laundering internal controls align with those of the designated reporting entity under the PCMLTFA.
6.3 Reasonable measures shall be in place to identify and prevent suspected money laundering activities at the gaming site. *
Requirements – At a minimum:
*Section 6.3 does not currently apply to cGaming sites.