1.1 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions.
Requirements – At a minimum:
Guidance: Management in the context of this Standard refers to executives and senior level management who have the day-to-day responsibility of managing the business of the organization.
1.2 Formal control activities shall be submitted to the Registrar which have been assessed by an independent oversight function acceptable to the Registrar for alignment with the Standards and Requirements and authorized by the appropriate level of management.
Requirements – At a minimum:
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator or gaming-related supplier and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator / gaming-related supplier depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
Additional Guidance for Gaming-Related Suppliers: In the application of the entity level Standards and Requirements, it is recognized that some gaming-related suppliers, particularly suppliers of gaming equipment, operate in jurisdictions in addition to Ontario and may be limited in their ability to design and implement control activities based solely on the Standards and Requirements. The intent is that these Standards and Requirements apply to gaming-related suppliers in respect of their conduct in Ontario. At a minimum, the entity level Standards and Requirements seek assurance that gaming-related suppliers, including suppliers operating in multiple jurisdictions, will have acceptable control activities and that periodic review for gaps in control activities is carried out and that the suppliers ensure that the control activities are followed where such control activities affect the respective supplier’s conduct in Ontario.
1.2.1 Removed, March 2022.
1.3 Removed, September 2020.
1.4 Removed, September 2020.
1.5 Removed, September 2020.
1.6 Removed, September 2020.
1.7 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request.
Requirements – At a minimum:
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.8 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
1.9 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities.
Requirements – At a minimum:
1.10 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized.
Requirements – At a minimum:
1.11 Management clearly understands its accountability and authority for the control environment.
Requirements – At a minimum:
1.12 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated.
1.13 All surveillance recordings shall be retained for a minimum period as specified by the Registrar.
1.14 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.
Requirements – At a minimum:
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where he considers necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
1.15 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.
Requirements – At a minimum:
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
1.16 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.
Requirements – At a minimum, Operators shall:
1.17 Registrants shall engage with the Registrar in a transparent way.
Requirements – At a minimum, Operators shall:
1.18 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.
1.19 Users shall be granted access to the gaming system based on business need.
Requirements – At a minimum:
1.20 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.
Requirements – At a minimum:
1.21 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.
1.22 Industry-accepted components, both hardware and software, shall be used where possible.
1.23 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.
1.24 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.
1.25 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.
1.26 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches.
Requirements – At a minimum:
1.27 Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate.
Requirements – At a minimum:
1.28 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.
1.29 Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.
1.30 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house.
1.31 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.
1.32 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended.
1.33 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved.
Requirements – At a minimum:
1.34 The gaming system shall be able to detect unauthorized changes.
1.35 Data governance shall be in place to address data processing integrity and protection of sensitive data.
1.36 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times.
Requirements – At a minimum:
1.37 Player information shall be securely protected and its usage controlled by OLG.
Requirements – At a minimum:
1.38 Removed January 2022.
1.39 Communication of sensitive game data shall be protected for integrity.
1.40 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events.
Requirements – At a minimum:
1.41 Gaming applications on all portable devices shall be appropriately secured.
Guidance: This Standard is not intended to capture players using their own portable devices, such as their smartphones, but rather employees or players using portable devices to access the Operator’s gaming system.
1.42 Operators and gaming-related suppliers shall only contract with reputable suppliers.
1.43 Removed, September 2020.
1.44 Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.
1.45 Operators and gaming-related suppliers shall comply with applicable technical standards issued by the Registrar.
1.46 All registrants and non-gaming-related suppliers who are exempt from registration will comply with all applicable OLG policies and procedures to the extent that they are consistent with these Standards and Requirements.