Under the Gaming Control Act, 1992 (GCA) the Registrar is authorized to establish risk-based standards to regulate Ontario’s gaming sector. The objective of a standards-based regulatory model is to shift the focus from requiring registrants to comply with a specific set of rules or processes, which tend to be prescriptive in nature, towards the broader regulatory outcomes or objectives they are expected to achieve. These regulatory outcomes are reflected in the “Standards” established herein.
In most cases, these Standards are drafted at a high level of generality, with the aim being to capture the purpose behind the rule. This offers greater flexibility for regulated entities to determine the most efficient and effective way of meeting the outcomes required, which in turn helps reduce regulatory burden and support market innovation. Since there may be many ways for a registrant to meet the Standards, they have the flexibility to determine what works best for their business, thereby strengthening regulatory outcomes without needlessly burdening regulated entities. Further, the flexibility inherent in a Standards-Based model allows the Alcohol and Gaming Commission of Ontario (AGCO) to focus its resources on key risks and to deliver a modernized approach to gaming regulation in a rapidly evolving industry.
OLG (Ontario Lottery and Gaming Corporation), iGaming Ontario, Operators, and gaming-related suppliers are required to comply with the GCA and Regulation 78/12. Specifically, Sections 3.8 and 3.9 of the GCA require registrants, employees and other persons retained by OLG and iGaming Ontario to comply with the Standards and Requirements established by the Registrar. The GCA provides the Registrar with the authority to establish Standards and Requirements for the conduct, management and operation of gaming sites, lottery schemes or businesses related to a gaming site or a lottery scheme or for related goods or services.
Standards and Requirements established by the Registrar will apply to OLG with respect to its internet gaming site, to iGaming Ontario with respect to its activities, and to all registered internet gaming Operators in Ontario. Additionally, certain Standards and Requirements also apply to registered gaming-related suppliers.
Operators are expected to ensure that the Standards related to the operation of their gaming site are met, regardless of the entity that is carrying out the related activities. Depending on the circumstances, the Registrar may hold an Operator, a gaming-related supplier, or both, accountable for meeting a particular Standard.
The Registrar may direct any registered supplier to comply with any additional Standards and Requirements, as considered necessary to enhance and preserve the integrity of and public confidence in gaming in Ontario. The Registrar may also propose additional terms of registration specific to an Operator or other registrant to give effect to the purposes of the GCA.
The Registrar may refuse a registration if the applicant is carrying on activities that would be in contravention of the Standards, if the applicant were registered.
The AGCO recognizes that sport and event betting is an integral part of internet gaming. The AGCO has taken an integrated approach where the standards and requirements for sport and event betting are embedded within the Registrar’s Standards for Internet Gaming. This integrated structure means that the Registrar’s Standards for Internet Gaming will generally apply to sport and event betting. The standards and requirements apply to all sports, esports, novelty, betting exchange, and fantasy sports products, and include various bet types such as single-event, in-game, pool, parlay, and exchange bets. Virtual sports are not a type of sport and event betting, thus standards specific to sport and event betting do not apply.
This document includes only the Registrar’s Standards for Internet Gaming, applicable to regulated internet gaming sites in Ontario.
The “Standards and Requirements” are divided into the six identified risk themes, under which theme-specific Standards and Requirements are provided. The six identified risk themes which make up the “Standards and Requirements” include:
For certain Standards, further and more explicit direction is provided through one or more specific “Requirements”. These Requirements establish the minimum obligations a registrant must achieve to fulfill the corresponding Standard.
Included as part of a number of the Standards and Requirements is a corresponding section which provides regulatory guidance specific to the given standard or requirement. Guidance serves to provide registrants with greater clarity as to the purpose or intent behind a given Standard or Requirement.
[Amended: February, 2022]
Term | Definition |
---|---|
AGCO | AGCO means the Alcohol and Gaming Commission of Ontario. |
Authenticator | Authenticator is the means or mechanism by which an individual is identified and verified by the system. |
Auto-wagering | Auto-wagering is a game feature whereby the player can elect to bet during a game without having to manually activate the betting feature each time a bet is made. |
Bet | A Bet is an amount of money at risk in a wager. |
Board | Board refers to either the entire Board of Directors of an Operator or gaming-related supplier (as the case may be) or a committee of the Board that has been delegated a particular element of Board oversight (e.g. audit, compliance, etc.) For purposes of clarity, “Board” does not include the iGaming Ontario Board. |
Bot | A Bot is a software application that runs automated tasks over the internet. |
Control Activity Matrix | A summary of all control activities used to address the regulatory risks identified by the AGCO and achieve the regulatory outcomes reflected in the Standards and Requirements. |
Controls or Control Activities | Controls or control activities include the individual policies, procedures, business processes, monitoring systems, structures, accountabilities, tools and instruments that comprise the control environment management establishes to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. |
Deactivated Account | A Deactivated account is a player account which has been made no longer available to the player for log on and use. |
Dormant Account | A Dormant account is a player account which has been temporarily frozen due to inactivity and made unavailable for player log on and use. |
Eligible Individuals | Eligible individuals are those persons who are not prohibited from accessing gaming sites or playing lottery schemes under Standard 3.1. |
eSports | Multiplayer video games played competitively for spectators; eSports are considered a sport for the purpose of these Standards. |
Fantasy Sports | Any pay-to-play sport betting product (fantasy sports contests are considered a type of sport betting for the purpose of these Standards) provided by an operator wherein consumers can assemble a virtual team composed of real players in a given sport and compete against other virtual teams based on the performance of those players in real matches. |
FINTRAC | FINTRAC means the Financial Transactions and Reports Analysis Centre of Canada. |
Free-to-play Games | Free-to-play Games refer to games, including those offered for promotional purposes, that provide players the option to play without paying or betting. |
Gaming-related supplier | Gaming-related supplier has the same meaning as it does in Ontario Regulation 78/12, made under the Gaming Control Act, 1992. |
Game outcome | The result of a wager. |
Game session | A game session is the playing of any of the applicable lottery schemes, and begins when a player starts playing a game for real money. A gaming session ends when a player exits a game. |
Gaming site | Gaming site means an electronic channel maintained for the purpose of playing or operating a lottery scheme. |
Gaming supplies | Gaming supplies refers to gaming equipment that could influence or is integral to the conduct, management or operation of a lottery scheme. |
Gaming system | Gaming system includes hardware, software, applications and all associated components of gaming supplies and the technology environment. |
GCA | GCA means the Gaming Control Act, 1992. |
igaming | igaming refers to lottery schemes conducted and managed by OLG or iGaming Ontario that are played or operated through the internet, but does not include OLG lottery products. |
Independent Integrity Monitor | Any supplier registered by the Registrar to perform the Independent Integrity Monitor role pursuant to Standard 4.32, which provides services to, among others, regulators, or operators to receive, assess, and distribute unusual/suspicious betting alerts and has the expertise to analyze and evaluate the accuracy and severity of received unusual/suspicious betting alerts. |
Independent oversight function | Independent oversight function has the meaning ascribed to it in Standard 1.02. |
Lottery scheme | Lottery scheme has the same meaning as in subsection 207(4) of the Criminal Code (Canada). |
Manual controls | Manual controls are human-performed control activities. |
Notification Matrix | Notification matrix is the policy document that lists the obligations of Operators and gaming-related suppliers to notify the AGCO in specifically delineated circumstances. |
Novelty Events | Any bet placed on a non-sporting event where real-world factual occurrences are the contingency on which an outcome is determined and in accordance with Standard 4.34. |
OLG | OLG means the Ontario Lottery and Gaming Corporation. |
OPP | OPP means the Ontario Provincial Police. |
Operator | Operator has the same meaning as it does in Ontario Regulation 78/12, made under the Gaming Control Act, 1992, and further includes OLG and iGaming Ontario. |
Peer-to-peer games | Peer-to-peer games are a type of lottery scheme where players gamble against each other rather than against the house. |
Randomness or Chance | Randomness or Chance is observed unpredictability and absence of a pattern in a set of events that have definite probabilities of occurrence. |
Registrar | Registrar means the Registrar established under the Alcohol, Cannabis and Gaming Regulation and Public Protection Act, 1996. |
Self-excluded persons | Self-excluded persons are individuals who participate in a process to exclude themselves voluntarily from gaming sites. |
Sensitive Data | Sensitive data includes but is not limited to player information and data relevant to determining game outcomes. |
Single-player games | Single player games are any games which are not considered to be peer-to-peer games. |
Slots | Casino games of a reel-based type (includes games that have non-traditional reels). |
Sport and Event Betting | Any bet on occurrences related to sports, competitions, matches, and other types of activities which meet the criteria articulated in Standard 4.34, and which excludes games or events where the outcome is determined or controlled by a random number generator, peer-to-peer play, or an operator. Sport and event betting includes: • Bets on fantasy sports, esports, and novelty events, but does not include bets on virtual sports. • Sport and Event Bets include, but are not limited to, single-game bets, teaser bets, parlays, over-under, moneyline, pools, exchange betting, in-game betting, proposition bets, and straight bets. |
Sport/Event Governing Body | An organization that prescribes final rules and enforces codes of conduct (including prohibitions on betting by insiders on events overseen by the sport governing body) for a sporting event and the participants in the event. |
Synthetic Lottery Products | Any bet that is part of a scheme operated by a third-party where the outcome is derived from a separate underlying lottery draw operated by a different operator. |
iGaming Ontario | iGaming Ontario means the lottery subsidiary as set out in the Alcohol, Cannabis and Gaming Regulation and Public Protection Act, 1996 and under its regulation. |
System Accounts | System accounts are all accounts that are used to manage the system. |
Virtual Sports | A computer-generated presentation of a random number draw that provides sport-like visual presentation for entertainment purposes only. The outcome of the “event” is determined by a random number generator, rather than real-world sport or novelty events or players. Virtual sports are not considered a type of sport and event betting. |
The intent of this risk theme is to ensure that regulated entities have a sound control environment, and an organizational structure that promotes good governance, accountability and oversight, as well as transparency in dealings with the AGCO.
The regulatory risks associated with this theme are:
1.01 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: Management in the context of this Standard refers to executives and senior-level management who have the day-to-day responsibility of managing the business of the organization.
1.02 Operators and gaming-related suppliers shall develop, document and implement formal control activities to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be authorized by the appropriate level of management. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
1.03 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist.
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.04 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
1.05 A personnel security screening process shall be in place for any director or officer, and any employee, agent or consultant, at a level that is appropriate for the individual’s role in the organization. (Also applicable to Gaming-Related Suppliers)
1.06 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.07 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.08 Management clearly understands its accountability and authority for the control environment. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.09 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated. (Also applicable to Gaming-Related Suppliers)
1.10 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where considered necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
1.11 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
1.12 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.13 Registrants shall engage with the Registrar in a transparent way. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, Operators shall:
1.14 The Operator shall ensure that investigators (OPP or Registrar) are able to monitor and participate in games.
1.15 A mechanism shall be in place to allow players to contact the Operator in a timely fashion with issues and complaints relating to their player account, funds management, game play or any matter related to compliance with the Standards and Requirements. The Registrar shall be notified of any such issues or complaints, in accordance with the established notification matrix.
1.16 Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner.
Requirements – At a minimum:
1.17 Relevant information about the AGCO shall be displayed and easily accessible to the player.
1.18 Operators and gaming-related suppliers shall only contract with reputable suppliers. (Also applicable to Gaming-Related Suppliers)
1.19 Operators are responsible for the actions of third parties with whom they contract for the provision of any aspect of the Operator’s business related to gaming in Ontario and must require the third party to conduct themselves in so far as they carry out activities on behalf of the operator as if they were bound by the same laws, regulations, and standards.
1.20 Operators and gaming-related suppliers shall maintain a list of suppliers that provide them with goods or services in relation to lottery schemes and shall make it available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
1.21 Operators must ensure that no independent third parties that engage in direct-to-consumer marketing, direct-to-consumer promotion, or player referral services for the Operator under contract, in exchange for commissions, or for any other form of compensation also undertake such activities related to online gaming sites that facilitate or accept wagers from players in Ontario without an AGCO registration.
Guidance: This Standard covers the activities of those entities that Operators and others in the gaming industry commonly refer to as “affiliates” or “marketing affiliates”, which are often paid or otherwise compensated to refer customers to another business’ products, services, or websites through direct-to-consumer marketing services. This commonly understood term used among gaming registrants and other entities involved in gaming, and known as “affiliates” or “marketing affiliates”, is used here for guidance purposes only, and is distinct from how that term may be used in any other regulatory scheme.
1.22 Operators and gaming-related suppliers must cease all unregulated activities if, to carry out those same activities in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA.
Operators and gaming-related suppliers shall not enter into any agreements or arrangements with any unregistered person who is providing the operator or gaming-related supplier with any goods or services if, to provide those goods and services in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA. [Added: October, 2022]
Note: For greater certainty, and without limiting the generality of any other Standard, this Standard applies to and governs applicants.
Responsible gambling is a key AGCO priority and central to the public interest. The intent of this risk theme is to ensure that gaming is provided in a way that seeks to minimize potential harm and promote a responsible gaming environment.
Regulatory Risks associated with this theme include:
2.01 Operators shall implement and follow policies and procedures that will identify, prevent and minimize the risks of harm from gaming to players. These policies and procedures shall be reviewed and evaluated regularly for effectiveness to ensure that they follow industry best practices and that the stated objectives of the policies and procedures are achieved. All staff, including senior management staff, shall be trained on the content and application of the policies and procedures at the time they are retained by the Operator and at regular intervals after.
Requirements – At a minimum:
2.02 The OLG and iGaming Ontario shall implement and follow policies and procedures to ensure that their activities facilitate and support the identification, prevention and minimization of the risks of harm of gaming to players.
Requirements – At a minimum:
2.03 Advertising, marketing materials and communications shall not target high-risk, underage or self-excluded persons to participate in lottery schemes, shall not include underage individuals, and shall not knowingly be communicated or sent to high-risk players.
Requirements – At a minimum, materials and communications shall not:
Guidance: Where cartoons are used, they may not primarily appeal to minors.
2.04 Marketing, including advertising and promotions, shall be truthful, shall not mislead players or misrepresent products.
Requirements – At a minimum, materials and communications shall not:
2.05 Advertising and marketing materials that communicate gambling inducements, bonuses and credits are prohibited, except on an operator’s gaming site and through direct advertising and marketing, after receiving active player consent.
Guidance:
2.06 Permitted advertising and marketing materials that communicate gambling inducements, bonuses and credits must, at a minimum:
2.07 Players must be provided an opt-in process whereby they actively consent to receiving any direct advertising and marketing of inducements, bonuses and credits, and must be provided a method to withdraw their consent at any time, where such marketing and advertising materials are available.
Guidance: direct marketing and advertising includes but is not limited to: direct messaging via social media, emails, texts, and phone calls.
2.08 A systematic approach is used to support, integrate, and disseminate information to enable players to make informed decisions and encourage safer play.
Requirements – At a minimum:
2.09 The registration page and pages within the player account shall prominently display a responsible gambling statement, the online link, as well as the number for Connex Ontario, and provide a link to a page that provides responsible gambling materials, information, resources and support for people experiencing problems with gaming.
Guidance: The referral to the page that provides responsible gambling materials and information about obtaining help in Ontario may be a page maintained by the Operator or a third party.
2.10 A mechanism shall be in place to monitor player risk profiles and behaviours for the purpose of detecting signs of players potentially experiencing harm.
Requirement – At a minimum:
2.11 Assistance for players who may be experiencing harms from gaming is readily available and systematically provided.
Requirements – At a minimum:
2.12 Employees shall understand the importance of responsible gambling and how their jobs impact player protection as well as the fundamental concepts of responsible gambling and problem gambling.
Requirements – At a minimum:
2.13 Individuals shall have the option to take a break in play, in addition to a formal self-exclusion program. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
2.14 Operators shall provide a voluntary self-exclusion program for their site. [Amended February 2023]
Requirements – At a minimum:
Note: Once directed by the Registrar, Operators will be required to participate in a coordinated, centralized self-exclusion program, that shall be in place to allow players to automatically exclude themselves from all online Operator platforms, including OLG.
2.15 Game designs and features shall be clear and shall not mislead the player. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
2.15.1 The method of making bets in sport and event betting must be straightforward and understandable. Information must be made available so that the player is clearly informed of the details of the bet prior to making the bet. All selections in a bet must be displayed to the player. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements — At a minimum:
Guidance: This Standard is not intended to prohibit or preclude in-play betting.
2.15.2 Players must be able to access information regarding available sport and event bets without having to place a bet. This information includes:
Requirements — At a minimum:
2.15.3 Reputable and legitimate data source(s) must be used to determine the outcome of a bet. These data source(s) shall be made available to the player upon request. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.16 Game designs and features shall help to prevent extended, continuous and impulsive play and facilitate low risk play behaviours. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
2.17 The gaming system must not offer functionality which facilitates playing multiple slots games at the same time. This includes, but is not limited to, split screen or multi-screen functionality. (Also applicable to Gaming-Related Suppliers)
Combining multiple slots titles in a way which facilitates simultaneous play is not permitted.
2.18 It must be a minimum of 2.5 seconds from the time a game is started until the next game cycle can be commenced. It must always be necessary to release and then depress the ‘start button’ or take equivalent action to commence a game cycle. (Also applicable to Gaming-Related Suppliers)
A game cycle starts when a player depresses the ‘start button’ or takes equivalent action to initiate the game and ends when all money or money’s worth staked or won during the game has been either lost or delivered to, or made available for collection by the player and the start button or equivalent becomes available to initiate the next game.
A player should commit to each game cycle individually; continued contact with a button, key or screen should not initiate a new game cycle.
2.19 For slots games, the gaming system must not permit a customer to reduce the time until the result is presented. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Note: This Standard does not apply to bonus/feature games where an additional stake is not wagered.
2.20 For slots games, the gaming system must not use auditory or visual effects that are associated with a win for returns which are less than or equal to the last total amount wagered. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.21 For slots games, gaming sessions must clearly display a customer’s net position (the total of all winnings minus the sum of all losses since the start of the session), in Canadian dollars. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
2.22 Players shall have the means to track the passage of time. (Also applicable to Gaming-Related Suppliers)
2.23 Players shall be provided with an easy and obvious way to set gaming limits (financial and time-based) upon registration and at any time after registration. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
2.24 Where a gaming limit has been previously established by a player, a request by the player to relax or eliminate that limit shall only be implemented after a cooling-off period of at least 24 hours. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
The overall intent of this theme is to protect the public interest and game integrity by ensuring that those individuals set out in Ontario Regulation 78/12 of the Gaming Control Act, 1992 are prohibited from participating in lottery schemes and that lottery schemes are conducted in accordance with the Criminal Code of Canada (i.e., within the province of Ontario).
The identified regulatory risks under this theme are:
3.01 Only eligible individuals are permitted to create a player account, and only individuals who hold a valid player account are permitted to log on to their account and gamble.
Requirements – At a minimum:
3.01.1 Operators shall not knowingly permit an individual to engage in any of the following prohibited activities and shall take steps to actively monitor and prevent such prohibited activity from occurring:
Requirements – At a minimum:
3.02 Games on gaming sites shall be provided only within Ontario, unless they are conducted in conjunction with the government of another province. (Also applicable to Gaming-Related Suppliers)
Requirements — At a minimum:
Note: If a lottery scheme is being provided in conjunction with another province, individuals in that province may be permitted to be on the gaming site.
3.03 If the list of prohibited and excluded individuals changes, all registered player information shall be re-verified to ensure that all registered players are still eligible to play, and if they are not eligible, they are prohibited from gaming. The accuracy of the list maintained by the Operator should be periodically reviewed by the Operator.
3.04 Relevant player information shall be collected and saved upon registration and shall be demonstrated to be complete, accurate and validated before a player account is created for the player.
Requirements – At a minimum, the following information shall be gathered upon registration:
3.05 Before a player account is created, players shall affirm that all player information provided upon registration is complete and accurate.
3.06 Player information shall be kept complete and accurate.
3.07 Prior to participating in game play, players must affirm that they are fit for play.
3.08 All player accounts shall be uniquely identifiable. (Also applicable to Gaming-Related Suppliers)
3.09 Players may have only one player account per gaming site.
3.10 There shall be an auditable trail of events that is logged and available relating to account creation and activation, account deactivation and account changes. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, an auditable trail of events shall be available for the following:
3.11 Players shall acknowledge and accept the terms of the contract governing the player’s account and game play prior to account creation and shall acknowledge and accept any subsequent material changes to the terms of the contract when logging in. At all times, the terms of the contract and the operation of the contract must comply with the Standards and Requirements and applicable Ontario laws.
3.12 All players shall be authenticated prior to accessing their player account and being permitted to gamble. Third parties are not permitted to access a player’s account. (Also applicable to Gaming-Related Suppliers)
Requirements: At a minimum,
3.13 All player account transactions shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
3.14 Player account information shall be made readily available to the player. (Also applicable to Gaming-Related Suppliers)
3.15 Information about player account transactions shall be made readily available and clear to the player. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum, the gaming system shall give the player access to the following information:
Deposit and withdrawal history, and current balance.
Method and source of funds used for transactions.
Date and time of previous login.
Gaming event and transaction history (game session outcomes and game transactions) including, in sport and event betting, the date and time of past and current bets, and the date and time at which past bets were settled, and information about current bets.
3.16 All player account transactions shall be uniquely identifiable and traceable to a unique individual player account. (Also applicable to Gaming-Related Suppliers)
3.17 Reasonable efforts shall be made to inform players of player funds remaining in dormant accounts.
3.18 Players may elect to deactivate their player account at any time and, once the election is made, the account is deactivated.
3.19 Where necessary, a player account may be deactivated by the Operator.
3.20 A player account shall be deactivated if requested by the Registrar.
3.21 If player information is removed, it must be retained in accordance with Standard 1.09 or other records retention requirement that may apply.
3.22 Where an account becomes dormant or is deactivated by a player or another authorized individual, the player shall be able to recover the balance of their account owing to them.
The overall intent of this theme is to ensure that gaming in Ontario is conducted with honesty and integrity and that players have sufficient information to make informed decisions prior to gaming.
The identified regulatory risks under this theme are:
4.01 All gaming activities and financial transactions shall be conducted fairly and honestly, and must be independently verifiable. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.02 There shall be appropriate, accurate and complete records of transaction and game state and play information kept and made available for the purposes of (Also applicable to Gaming-Related Suppliers):
Guidance: There should be an adequate amount of storage, capacity and retention of logged information. The appropriate capacity, design and monitoring of the logging facilities should be in place to ensure that logging is not interrupted for a technical reason that could have been prevented.
4.03 There shall be a mechanism in place to ensure that if logging is interrupted, compensating manual controls are used, where reasonable. (Also applicable to Gaming-Related Suppliers)
4.04 The gaming system shall be capable of providing custom and on-demand reports to the Registrar. (Also applicable to Gaming-Related Suppliers)
Guidance: The intent is to ensure that the Registrar can receive information in an appropriate format when necessary. Examples are: a list of all games hosted by the website, or a list of all active player accounts.
4.05 Game specifications must be documented that clearly indicate (Also applicable to Gaming-Related Suppliers):
4.06 Prior to placing a bet or wager, the player shall be provided with sufficient information to make informed decisions about betting or wagering based on chances of winning, the way the game is played, and how prizes and payouts are made. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Cash out options and how to redeem winning bets in sport and event betting.
Players shall be provided with information that indicates circumstances in which a game can be declared void.
4.07 Information provided to players prior to and during game play shall not mislead players or misrepresent games. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, information shall not:
4.08 All igaming games, random number generators and components of igaming systems that accept, process, determine outcome of, display, and log details about player bets, including any subsequent modifications, must either be approved by the Registrar or certified by an independent testing laboratory registered by the Registrar, as per the AGCO’s ITL Certification Policy, prior to being provided for any gaming site. [Amended: April, 2023]
Guidance: For greater certainty, this Standard applies to gaming equipment used in Live Dealer games that contains electronic components.
4.09 Gaming systems and gaming supplies shall be provided, installed, configured, maintained, repaired, stored, and operated in a way that ensures the integrity, safety and security of the gaming supplies and systems. (Also applicable to Gaming-Related Suppliers) [Amended: October, 2022]
Requirements – At a minimum:
4.10 Where there are suspected game or system faults that may impact game integrity or fairness including the integrity or fairness of sport and event betting (e.g., influencing a player’s chances of winning or the return to players), Operators shall make the game unavailable to players until the issue has been resolved. In the case of sport and event betting, making a game unavailable may include the suspension of betting, the withholding of funds, and the refund of any bet until a gaming system fault has been resolved. Operator decisions must be fair, reasonable, and made in good faith.
4.11 Production, testing and development systems shall be logically separated. (Also applicable to Gaming-Related Suppliers)
4.12 Game outcomes and sport and event betting transactions shall be recoverable, where technically possible, so that player bets can be settled appropriately. (Also applicable to Gaming-Related Suppliers)
4.13 In any case where there is a game or system fault, including where game outcomes or sport and event betting transactions are not recoverable, the Operator shall have clearly defined policies and processes in respect of treating the player fairly when resolving the player’s transactions. These policies and processes shall be made available to players. (Also applicable to Gaming-Related Suppliers)
4.14 Mechanisms shall be in place to allow a game to be recreated up to and including the last communicated state to the player. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.15 A player’s bet and the outcome of the game shall be clearly displayed, easy to understand, and available for a sufficient length of time for the player to review. (Also applicable to Gaming-Related Suppliers)
4.16 Games shall pay out accurately, completely and within a reasonable time of winning, subject to checks and verifications. (Also applicable to Gaming-Related Suppliers)
4.17 Operators shall have mechanisms in place to appropriately deter, prevent and detect collusion and cheating.
4.18 All relevant activities related to the detection of collusion and cheating shall be logged.
4.19 Players shall be provided with clear information on the process to report activities related to collusion and cheating, including the suspected use of bots. The process must be simple to use and readily accessible to a player seeking to make a report.
Requirements – At a minimum:
4.20 Where speed of interaction has an effect on the player’s chances of winning, the Operator shall take reasonable steps to ensure the player is not unfairly disadvantaged due to gaming system related performance issues.
4.21 Service interruptions shall be responded to and dealt with in a way that does not disadvantage players. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, the gaming system shall:
4.22 In peer-to-peer games, Operators must implement measures intended to deter, prevent and detect the use by players of software programs to automatically participate in game play (referred to as a bot) or to provide the player with an unfair advantage over other players.
Requirements – At a minimum:
4.23 Games must be conducted in a manner that ensures players are treated fairly and not unfairly disadvantaged by other players. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.24 Games must operate according to their game specifications and the outcomes must be determined in accordance with the terms governing play and prevailing payouts as they are described to the player. Sport and event betting must be conducted fairly, honestly and in accordance with the terms of the bet placed by the player. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.25 Bets shall be committed before the determination of game outcomes. Any wager received after the determination of game outcomes associated with the wager shall be voided and returned to the player. (Also applicable to Gaming-Related Suppliers)
4.25.1 In sport and event betting, bets must be settled fairly and in accordance with the terms of the bet placed by the player and any applicable betting rules that were available to the player when the bet was placed. Where raised, the reasons for the settlement must be clearly and promptly provided to the player. (Also applicable to Gaming-Related Suppliers)
4.25.2 The results of bets on sporting or other events must be provided to players making bets on the events. Any change of results must be made available. Account balances will be updated as the results of wagers are confirmed. (Also applicable to Gaming-Related Suppliers)
4.25.3 Sport and event betting operators shall have controls in place to ensure the accuracy and timeliness of sport and event results data. (Also applicable to Gaming-Related Suppliers)
4.26 A mechanism shall be in place to randomly select game elements used to determine game outcomes. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.27 Mechanisms used to select game elements and their associated game outcome must be capable of being monitored and inspected to ensure the integrity of the mechanisms and its component devices and the randomness of the generated outcomes. This Standard does not apply to sport and event betting products. (Also applicable to Gaming-Related Suppliers)
4.28 Terms governing play must not be changed during a game session unless the player is made aware of the change before the player places any wagers in the game. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
4.29 Game sessions must be appropriately secured and checked for authenticity. (Also applicable to Gaming-Related Suppliers)
4.30 There shall be a player activity time-out that automatically logs the player out or ends the player’s session after a specified period of inactivity. (Also applicable to Gaming-Related Suppliers)
4.31 All critical functions, including the generation of the outcome of any game, shall be generated by the gaming system, independent of the end player device.
Guidance: The intent is for the Operator to maintain control (i.e., security, integrity) of all critical game functions.
4.32 Sport and event betting operators shall have risk management measures in place to mitigate the betting integrity risk associated with sport and event betting, including insider betting and event manipulation. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: The Registrar will publish a list of registered independent integrity monitors.
4.33 An operator receiving a report of suspicious activity under Standard 4.32 may suspend or cancel sport and event betting on events related to the report or withhold associated customer funds. To this end, an Operator must ensure that it has reserved itself the authority to suspend betting, void bets, and withhold associated customer funds. The Operator’s decision to suspend or cancel sport and event betting, or withhold associated customer funds, on events related to the report must be fair, reasonable, and made in good faith.
4.34 Operators offering sport and event betting products shall ensure that all bets offered meet the following criteria [Amended: February, 2022]:
Guidance:
4.35 Access to live dealer gaming supplies shall be restricted to individuals with a business need. (Also applicable to Gaming-Related Suppliers). [Added: October, 2022]
Requirements – At a minimum:
4.36 Operators must have controls in place to ensure live dealer game presenters do not compromise the integrity of a game. [Added: October, 2022]
The overall intent of this theme is to ensure that assets (e.g., gaming equipment and systems) are protected and that customer information and funds are safeguarded.
The identified regulatory risks under this theme are:
5.01 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements. (Also applicable to Gaming-Related Suppliers)
5.02 Users shall be granted access to the gaming system based on business need. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.03 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual, either through the assignment of uniquely assigned accounts to individual users or such other reasonable method. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.04 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts. (Also applicable to Gaming-Related Suppliers)
5.05 Industry accepted components, both hardware and software, shall be used where possible. (Also applicable to Gaming-Related Suppliers)
5.06 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system. (Also applicable to Gaming-Related Suppliers)
5.07 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.08 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets. (Also applicable to Gaming-Related Suppliers)
5.09 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.10 Security monitoring activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.11 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components. (Also applicable to Gaming-Related Suppliers)
5.12 Operators and gaming related suppliers must inform themselves of the current threats and risks to the security, integrity, and availability of the gaming systems and related components that they operate or supply. Operators must have in place policies and procedures to mitigate such risks and threats. Gaming related suppliers must inform their customers of any material threat or risk to the security or integrity of the gaming systems that they supply or operate. (Also applicable to Gaming-Related Suppliers)
5.13 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house. (Also applicable to Gaming-Related Suppliers)
5.14 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met. (Also applicable to Gaming-Related Suppliers)
5.15 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended. (Also applicable to Gaming-Related Suppliers)
5.16 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.17 Operators must have both preventative and detective measures in place to ensure that no unauthorized or unintentional changes are made to the gaming system.
Requirement – At a minimum:
5.18 Post implementation reviews shall be performed to ensure that changes have been correctly implemented and the outcomes shall be reviewed and approved. (Also applicable to Gaming-Related Suppliers)
5.19 All change related documentation and information shall be captured, stored and managed in a secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.20 The implementation of software related updates, patches or upgrades shall be regularly monitored, documented, reviewed, tested and managed with appropriate management oversight and approval. (Also applicable to Gaming-Related Suppliers)
5.21 A mechanism shall be in place to regularly monitor, document, review, test and approve upgrades, patches or updates to all gaming-related hardware components as they become end of life, obsolete, shown to have weaknesses or vulnerabilities, are outdated or have undergone other maintenance. (Also applicable to Gaming-Related Suppliers)
5.22 Appropriate release and configuration management processes with support systems shall be in place to support both software and hardware related changes. (Also applicable to Gaming-Related Suppliers)
5.23 Only dedicated and specific accounts may be used to make changes. (Also applicable to Gaming-Related Suppliers)
5.24 Data governance shall be in place to address data processing integrity and protection of sensitive data. (Also applicable to Gaming-Related Suppliers)
5.25 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.26 Player information shall be securely protected and its usage controlled.
Requirements – At a minimum:
5.27 Communication of sensitive game data shall be protected for integrity. (Also applicable to Gaming-Related Suppliers)
5.28 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.29 The gaming system architecture and all its related components shall demonstrate security in depth. (Also applicable to Gaming-Related Suppliers)
5.30 All gaming systems and devices shall validate inputs before inputs are processed. (Also applicable to Gaming-Related Suppliers)
5.31 The gaming system shall only display the minimum information about the gaming system to unauthorized users and during system malfunctions to minimize the risk of compromising the gaming system or the privacy of information. (Also applicable to Gaming-Related Suppliers)
5.32 All remote access methods shall be appropriately secured and managed. (Also applicable to Gaming-Related Suppliers)
5.33 Use of wireless communication shall be secured and only used where appropriate. (Also applicable to Gaming-Related Suppliers)
Guidance: The intent is to ensure that wireless communication is not present in areas where it could be potentially harmful (e.g. data centres).
5.34 All components shall be hardened as defined by industry and technology good practices prior to going live and as part of any changes. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.35 Access shall be appropriately restricted to ensure that the domain name server records are kept secure from malicious and unauthorized changes. (Also applicable to Gaming-Related Suppliers)
5.36 All private encryption keys shall be stored on secure and redundant media that are only accessible by authorized management personnel. (Also applicable to Gaming-Related Suppliers)
5.37 Encryption algorithms and key lengths shall be regularly assessed for security vulnerabilities. (Also applicable to Gaming-Related Suppliers)
5.38 The gaming system architecture shall limit the loss of data and session information. (Also applicable to Gaming-Related Suppliers)
5.39 The gaming system shall be able to change, block, deactivate or remove system accounts in a timely manner upon termination, change of role or responsibility, suspension or unauthorized usage of an account. (Also applicable to Gaming-Related Suppliers)
5.40 A secure authenticator that meets industry good practices shall be used to identify users and their accounts to ensure that only authorized individuals are permitted to access their system account on the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.41 The gaming system shall ensure that all access to the system is fully attributable to, and logged against, a unique user identification. (Also applicable to Gaming-Related Suppliers)
5.42 Only the minimum access rights shall be granted to each system account on the gaming system and access rights shall be clearly documented. (Also applicable to Gaming-Related Suppliers)
5.43 All temporary and guest accounts shall be disabled immediately after the purpose for which the account was established is no longer required. (Also applicable to Gaming-Related Suppliers)
5.44 System accounts and system access rights for the gaming system shall be regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.45 A log of account owners shall be kept and regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.46 A mechanism shall be in place to ensure that the assignment of administrator accounts is approved by the Operator’s management and that usage is monitored for appropriateness. (Also applicable to Gaming-Related Suppliers)
5.47 Inappropriate use of system accounts on the gaming system shall be logged, reviewed and responded to within a reasonable period of time. (Also applicable to Gaming-Related Suppliers)
5.48 Inappropriate use of administrator accounts shall be reported to the Registrar in accordance with the notification matrix. (Also applicable to Gaming-Related Suppliers)
Note: The following Standards apply to the following types of software: 1) Modified commercial off-the-shelf software, 2) Proprietary developed software, and 3) software specifically developed by the OLG or iGaming Ontario.
5.49 Software used for the gaming system shall be developed using industry good practices. (Also applicable to Gaming-Related Suppliers)
5.50 Software development methodologies used shall be clearly documented, regularly updated and stored in an accessible, secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.51 An appropriate system shall be in place to manage the software development and ongoing software management lifecycle. (Also applicable to Gaming-Related Suppliers)
5.52 All software development roles shall be segregated during and after release of code to a production environment. (Also applicable to Gaming-Related Suppliers)
5.53 An appropriate audit trail of authority and management review of code for software shall be established. (Also applicable to Gaming-Related Suppliers)
5.54 Controls shall be in place to ensure software is appropriately secured and access is appropriately restricted throughout development. (Also applicable to Gaming-Related Suppliers)
5.55 Authorized management staff shall review and approve software documentation to ensure that it is appropriately and clearly documented.
5.56 Source code and compiled code shall be securely stored. (Also applicable to Gaming-Related Suppliers)
Guidance: Compiled code could be digitally signed or hashed (including each time there is a change) in a manner that allows for external verification.
5.57 The promotion or movement of code from testing through other environments to production shall be accompanied by the appropriate documentation and approvals. (Also applicable to Gaming-Related Suppliers)
5.58 All promotion of code from development to production shall only be performed by production support staff and not by development staff. (Also applicable to Gaming-Related Suppliers)
5.59 Appropriate testing environments shall be in place to allow for thorough testing of any code before it is put into production. (Also applicable to Gaming-Related Suppliers)
5.60 Access to production environments shall be restricted from development personnel. (Also applicable to Gaming-Related Suppliers)
Note: This does not preclude granting of temporary supervised access for conducting technical investigations that may only be performed on the production environment.
5.61 Development code shall not be present in the production environment. (Also applicable to Gaming-Related Suppliers)
5.62 A mechanism shall be in place to verify the integrity of the software that is deployed to production, including before changes are implemented, as well as on an ongoing basis. (Also applicable to Gaming-Related Suppliers)
5.63 Appropriate release and configuration management systems shall be in place to support software development. (Also applicable to Gaming-Related Suppliers)
5.64 All code developed by a third party shall be tested to ensure it meets industry good practices and that it performs to meet its purpose prior to being added to the testing environment and prior to integration testing. (Also applicable to Gaming-Related Suppliers)
5.65 All code developed by a third party shall pass integration testing before it is added to production. (Also applicable to Gaming-Related Suppliers)
5.66 Mechanisms shall be in place to ensure that bugs are identified and addressed prior to, and during, production. (Also applicable to Gaming-Related Suppliers)
5.67 Quality assurance processes, including testing, shall take place during development and prior to the release of any code. (Also applicable to Gaming-Related Suppliers)
5.68 All components, where appropriate, shall be tested for the purposes for which they will be used. (Also applicable to Gaming-Related Suppliers)
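One way to implement the hashing suggested in the Guidance to Standard 5.56 and the ongoing integrity check in Standard 5.62, as an added example that is not part of the Standards or of any AGCO or Operator code. The function names, file names and file contents are constructed for illustration, and the example assumes the manifest digest is recorded with a party outside the production environment at release time.

```python
"""Added example: hash manifest for a release, checked against a deployed tree."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(release_dir: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {
        p.relative_to(release_dir).as_posix(): hash_file(p)
        for p in sorted(release_dir.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the manifest's canonical JSON form.

    This single value is what an external verifier would record at release
    time (an assumption of this example), so the manifest itself cannot be
    silently rewritten together with the files it describes.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_deployment(deploy_dir: Path, manifest: dict, recorded_digest: str) -> dict:
    """Compare a deployed tree with the approved manifest.

    Raises ValueError if the manifest no longer matches the externally
    recorded digest. Otherwise reports files that were modified, files that
    are missing, and files present in production but never approved.
    """
    if not hmac.compare_digest(manifest_digest(manifest), recorded_digest):
        raise ValueError("manifest does not match the externally recorded digest")
    actual = build_manifest(deploy_dir)
    return {
        "modified": sorted(f for f in manifest if f in actual and actual[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in actual),
        "unexpected": sorted(f for f in actual if f not in manifest),
    }


def demo() -> dict:
    """Build a constructed release, record its digest, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample files standing in for an approved release.
        (root / "bin" / "rng_service").write_bytes(b"\x7fELF constructed build 1")
        (root / "paytable.json").write_text('{"rtp": 0.96}')

        manifest = build_manifest(root)
        recorded = manifest_digest(manifest)

        # Simulated unauthorized changes after release.
        (root / "paytable.json").write_text('{"rtp": 0.90}')   # modified file
        (root / "bin" / "rng_service").unlink()                 # missing file
        (root / "debug_tools.py").write_text("print('dev')")    # unapproved file

        return verify_deployment(root, manifest, recorded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "unexpected" list also surfaces files that were never part of an approved release, which is relevant to Standard 5.61. A bare hash only supports external verification if the recorded digest is held where production administrators cannot change it; a digital signature over the manifest is the other option the Guidance names.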
5.69 Players may be permitted to deposit funds into their player accounts only after the appropriate verifications and authorization.
Requirements – At a minimum, deposits shall be verified and authorized to ensure the following:
Note: Cryptocurrency is not legal tender and shall not be accepted.
5.70 Players are permitted to withdraw funds from their player account only after the appropriate verifications and authorization.
Requirements – At a minimum:
5.71 Players are permitted to withdraw funds from their player account in an accurate and complete fashion and as soon as is practicable, subject to appropriate authorization and verification.
5.72 Player funds shall be clearly and appropriately managed.
5.73 All player funds deposited in respect of igaming lottery schemes conducted and managed by the OLG shall be held in an OLG account. iGaming Ontario shall take steps to ensure that all player funds deposited in respect of igaming lottery schemes conducted and managed by iGaming Ontario are subject to oversight by iGaming Ontario and available to players.
5.74 Operators shall not extend credit or lend money to players or refer players to credit providers or imply or infer that a player should seek additional credit to play games.
5.75 No player’s account is permitted to have a negative funds balance. A player’s account with a negative funds balance must be suspended and no transactions permitted after the negative funds balance arises. No transaction is permitted until the negative funds balance is eliminated. No bet will be accepted that could result in a negative funds balance.
Guidance: This Standard is not intended to prohibit the resettlement of bets when reasonable and necessary.
5.76 Players shall be provided with a clear and accurate representation of their funds account balance that is easily accessible and readily available at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
5.77 Players shall be provided with unambiguous information about all player account fees prior to making a withdrawal or deposit.
5.78 Players shall be informed clearly and specifically of all rules and restrictions regarding deposits and withdrawals and access to funds in connection with deposits and withdrawals.
5.79 Funds shall not be transferred between player accounts.
5.80 Adjustments to player accounts shall be made accurately and only by authorized individuals.
5.81 Adjustments to player accounts shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
5.82 Players shall be provided with accurate, clear and specific reasons for any adjustments made to their accounts. (Also applicable to Gaming-Related Suppliers)
The overall intent of this theme is to protect the public interest and public safety by ensuring that unlawful and criminal activity does not take place in gaming in Ontario.
The identified regulatory risks under this theme are:
6.01 Mechanisms shall be in place to reasonably identify and prevent unlawful activities at the gaming site.
Requirements – At a minimum, the Operator shall:
6.02 Anti-money laundering policies and procedures to support obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) shall be implemented and enforced.
Requirements – At a minimum:
6.03 Reasonable measures shall be in place to identify and prevent suspected money laundering activities in the gaming site.
Requirements – At a minimum, the Operator shall:
[Amended: February, 2022]
Risk Theme | Regulatory Risk |
---|---|
Entity Level | |
Responsible Gambling | |
Prohibiting Access to Designated Groups | |
Ensuring Game Integrity and Player Awareness | |
Public Safety and Protection of Assets | |
Minimizing Unlawful Activity Related to Gaming | |