This guide describes the go-live compliance requirements that most internet gaming (igaming) operators and gaming-related suppliers (“GRSs”) must meet in order to participate in Ontario’s igaming market.
Please note that AGCO registration and successful completion of our go-live compliance requirements will not constitute permission for operators and their GRSs to begin gaming operations in Ontario’s igaming market. That authority rests with iGaming Ontario (iGO), the body responsible for conducting and managing internet gaming in Ontario, including establishing operating agreements with AGCO-registered operators, which include additional requirements as established by iGO.
The compliance requirements in this Guide were described previously in the AGCO’s June 2021 igaming Regulatory Compliance engagement paper, and, based on input received through that engagement process, have since been finalized.
The information in this Guide will be of interest to all types of igaming registrants. However, many of the individual requirements apply to two specific types of registrants: a) operators; and b) gaming-related suppliers who run critical gaming systems [1].
Also, this Guide does not include information about go-live requirements and processes that apply to Independent Testing Laboratories (ITLs) because compliance requirements have been communicated directly to them and a special ITL governing policy is in place (see Appendix C).
Within the AGCO, the Technology Regulation and iGaming Compliance Branch is responsible for ensuring that operators and GRSs have met the go-live compliance measures described below. Contact information for questions and clarification is provided at the end of this section. In the future, the Branch will add to this compliance guide with content related to ongoing (post go-live) compliance requirements and key processes.
This guide has five sections:
There are also three appendices:
If you need more information or have any questions after reviewing this guide, please contact the AGCO’s Technology Regulation and iGaming Compliance Branch by e-mail at iGamingCompliance@agco.ca.
[1] Critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers.
The Registrar’s Standards for Internet Gaming (the “Standards”) are risk-based and outcome-focused.
Risk-based refers to the regulatory risks underlying the Standards. It is expected that by achieving the regulatory objectives reflected in the Standards, the registrant’s established control environment will address these regulatory risks.
Outcome-focused means that our Standards emphasize the results that igaming operators and GRSs are expected to achieve, rather than prescriptive activities that must be carried out. Accordingly, we expect operators and GRSs to have effective control activities in place to achieve the outcomes set out in the Standards.
This focus on risks and outcomes in the Standards provides greater flexibility for individual operators and GRSs to design control activities that fit their business operations and then to adapt those controls quickly and cost-effectively as those operations change over time – always ensuring that our outcome-based Standards are being met. It also means that our regulatory program maintains its relevance, even in sectors where change is fast paced, including where technology is deeply integrated in how the business is delivered.
The igaming compliance program is also risk- and outcomes-based, and that has important implications for operators and GRSs as described below.
Operators and GRSs are expected to be familiar and in compliance with all requirements of the Gaming Control Act 1992 and all Standards that are relevant and applicable to them, given their type of business, role, and the products and services they provide.
For example: almost all of the Standards will apply to an igaming operator and their platform provider, while GRSs who run critical gaming systems or independent integrity monitors (IIM) [2] in sport and event betting will be subject to more focused subsets of the Standards.
Information on which standards might be commonly applicable to different types of registrants is provided in Appendix B. This information is for general guidance purposes only and should not be taken as conclusive direction from the AGCO. The circumstances of each registrant are different and registrants are responsible for identifying the standards and requirements that apply to them.
The AGCO’s regulatory framework provides greater flexibility but also comes with heightened accountability for those we regulate. We expect igaming operators and GRSs to have control environments in place that are consistently capable of achieving the AGCO’s regulatory outcomes and that they:
Provide the AGCO with key indicators, information, and documentation to support our understanding of their risk profile.
Our compliance approach involves working collaboratively with operators and GRSs to maintain or, if necessary, re-establish compliance. Where regulatory expectations are not met, the AGCO may use a full spectrum of compliance responses to achieve those goals, including education, warnings, financial penalties, suspensions, and, in the most serious cases, revocations. In cases where severe incidents occur, the AGCO will act proportionately to ensure the public is protected.
Once an application is received, the AGCO assesses risks associated with that application. Considerations include operational and regulatory experience in other jurisdictions, track record of compliance, the applicant’s gap analysis with respect to the Standards (see below), and issues or concerns about individuals or technology. That risk assessment becomes part of the applicant’s ongoing compliance profile and will be used by our compliance teams to inform their monitoring activities.
As part of the registration process, all applicants must confirm they will abide by the Standards. This includes confirming that goods, services, and technology deployed by or provided to the applicant by third party GRSs will be in compliance.
In addition, because of their central role, operators are asked at this stage to submit an analysis of their current controls, processes, technology, etc., against the Standards, to identify any gaps, and provide evidence that they have developed a plan to address those gaps. This gap analysis also becomes part of the applicant’s ongoing compliance profile.
The Technology Regulation and iGaming Compliance Branch’s responsibilities include:
Identifying compliance themes and priorities that will be special areas of interest and focus for the AGCO and its compliance teams; and
Designing effective, targeted, and proactive compliance and risk mitigation activities to address these themes and priorities.
Our compliance priorities will be assessed and updated as the environment evolves. From time to time, the AGCO will communicate additional areas of interest and focus to operators and GRSs to help increase operational awareness.
While registrants are required to comply with the Gaming Control Act, 1992 and all relevant Standards, the following are some of the priority areas from the Standards that the AGCO will be paying particular attention to as we assess applications and review each operator’s Control Activity Matrix and Technology Compliance Confirmation (see Section 3), and then as we monitor ongoing compliance once the Ontario market is underway.
Priority | Description |
---|---|
Effective Internal Control Environment | |
Responsible Gambling | |
Game Design and Integrity | |
Suspicious or Criminal Activities | |
Minors | |
Security and Privacy | |
In addition to the priorities identified in the table above, we will be closely monitoring for:
[2] IIMs receive, assess, and distribute unusual/suspicious betting alerts to entities with which they have an information sharing relationship, including their member sport and event betting operators, the AGCO, and the relevant sport/event governing body. In addition, as directed by the Registrar, IIMs are responsible for facilitating collaboration and information sharing to support the investigation of, and response to, prohibited activity associated with suspicious betting. IIMs may provide their services to, among others, regulators, operators, or gaming related suppliers, but must not have any perceived or real conflicts of interests in performing their role (such as acting as an operator or oddsmaker).
Operators and GRSs who run critical gaming systems must provide the AGCO with confirmation their technology is compliant with applicable AGCO Standards prior to going live in the igaming market in Ontario.
Please note: Platforms are a subset of “gaming equipment”, which is in turn defined in the Gaming Control Act, 1992. Platforms provide numerous functions, including player account management, payments, player wallets, and responsible gaming controls, and are integrated with critical gaming systems to deliver the gaming site’s offerings. Platforms do not require ITL certification.
Please note: Critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers – all of which require ITL certification.
The Technology Compliance Confirmation must be provided to the AGCO prior to going live, and include the following components:
A letter to the AGCO signed by the Registrant’s CEO (or equivalent) and Chief Compliance Officer (or equivalent) that includes an explicit statement confirming the technology that will be used to provide products and services in Ontario’s igaming market is compliant with all related Standards. This letter must also include specific confirmation that all games to be offered in Ontario will, prior to deployment in Ontario, be certified by an ITL registered by the AGCO or approved by the Registrar and be provided by AGCO-registered suppliers.
For GRSs who run critical gaming systems, this letter must also include an explicit statement that they have a CAM in place that meets all applicable and relevant Standards.
An appendix containing the following key supporting evidence, as applicable (depending on the products and services to be offered), must be provided to the AGCO prior to going live:
For operators: an overview of the full technology solution of the gaming site that identifies all Gaming-Related Suppliers, along with other third-party technology integrations to the gaming site.
Results from security vulnerability assessments of Ontario production infrastructure and applications, conducted by an independent and qualified security firm. In addition, results from internal and external penetration testing of their Ontario production infrastructure and applications, conducted by an independent and qualified security firm, must be provided.
These results are to be accompanied by management responses indicating the company’s risk assessment, remediation plans and compensating controls.
It is expected that remediation plans will be commensurate with risk, and that severe security risks will be addressed prior to gaming systems going live in Ontario.
For example, an operator may choose to remediate vulnerabilities with a National Vulnerability Database Common Vulnerability Scoring System (NVD CVSS) score of 7 within 30 days and vulnerabilities with a score of 4 within 90 days.
Remediations should be verified through an additional scan.
A description of the planned use for any third-party data center/cloud service providers. This must include the name of the provider, type of service model, and current Service Organization Control 2 (SOC 2) reports or ISO 27001 certification for each provider.
For operators, a description of how the controls implemented to meet Standard 3.02 (players must be within the borders of Ontario) have been validated to ensure:
Accuracy and effectiveness of the controls across the majority of expected player device and network connection types including:
Compliance with requirement 3.02.1 (dynamic monitoring of player location).
Compliance with requirement 3.02.2 (common methods to circumvent controls are detected and/or prevented).
A description of the mechanisms in place to meet Standards 5.17.1 (validation that installed software is ITL certified) and 5.62 (verification of the integrity of deployed software).
Registrants are responsible for ensuring any activities they deem necessary to support their confirmation are completed to their satisfaction. This may include third-party testing. Registrants are also expected to maintain all related records and evidence that support their Technology Compliance Confirmation. If requested, Registrants must make records and evidence available to the AGCO.
All operators are required to design and implement control activities in order to comply with the Registrar’s Standards. Operators are expected to have those controls in place in advance of going live in Ontario’s igaming market. Any exceptions should be discussed on a case-by-case basis with the AGCO Technology Regulation and iGaming Compliance Branch. These processes and controls are to be summarized in a CAM. Each operator’s CAM must be independently audited to ensure the controls have been designed to meet the Registrar’s Standards, and then submitted to the AGCO for review in accordance with the timing described below.
An operator’s CAM must summarize all controls related to the gaming site, including the following:
Since major technology controls are contained within igaming platforms, operators are expected to work with their third-party platform providers, where applicable, to make sure their CAMs reflect the full spectrum of controls that are in place to meet the Registrar’s Standards for Internet Gaming.
An operator’s CAM is not required to include controls in place by third-party GRSs who run critical gaming systems or by game suppliers who develop games. These registrants have their own CAM requirements, as described below.
The operator must subject the CAM to an independent audit. The independent audit should be carried out by a unit or function within the operator’s organization that was not involved in developing the CAM, such as the Internal Audit function, or by a designated external auditor. The independent audit results, confirming compliance, must be included with the operator’s CAM submission.
The required timing for submission of the CAM will vary depending on the level of risk assessed during the AGCO’s registration process.
Operators that are assessed during the eligibility review as potentially posing elevated risk:
The operator may be required to submit their CAM as part of their application for registration before their registration is issued.
A determination of elevated risk may be based on several factors. Examples include operators new to igaming with minimal to no experience, operators that hold no licences/registrations in other jurisdictions, operators that have a history of significant non-compliance, and operators whose gap analysis demonstrates a poor understanding of the Standards or significant gaps with respect to the Standards.
Operators that do not pose an elevated risk:
The operator will be required to submit the CAM within three months of their go-live date in the Ontario market. More details about the submission process for these Operators will be provided as part of future additions to this guide related to ongoing (post go-live) compliance requirements and processes.
Operators are encouraged to prioritize the development and independent audit of their CAM to prevent registration delays. Each operator will receive notification in writing of applicable CAM submission timing requirements from the AGCO.
Before going live in the Ontario igaming market, GRSs who run critical gaming systems must confirm to the AGCO that they have a CAM in place that meets all applicable and relevant Standards.
As noted earlier, critical gaming systems are a sub-set of “gaming equipment”, which is in turn defined in the Gaming Control Act 1992. The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers.
This confirmation shall be included in the Technology Confirmation Letter discussed in Section 2.
These GRSs are not required to submit these CAMs for the AGCO’s review. However, in response to identified risks, and for compliance purposes, the AGCO may at any time request the CAM.
Other types of GRSs are not required to prepare a CAM or to submit a CAM for review to the AGCO. However, these GRSs are required to have effective control activities and related documentation in place. The AGCO may request evidence of appropriate control activities from any GRS at any time.
Before applicable technologies can be deployed in Ontario’s market, operators and GRSs who run critical gaming systems must ensure the following types of technology have been certified against the applicable Standards by an AGCO registered ITL:
Games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers. This includes, but is not limited to, slot games, table games, sport and event betting, poker, and other card games.
In certain low-risk circumstances and on a case-by-case basis, the Registrar will consider providing gaming related suppliers with temporary approval for critical gaming systems to facilitate operations at launch. Requests for temporary approval should be discussed on a case-by-case basis with the AGCO Technology Regulation and iGaming Compliance Branch.
Recognizing that registered ITLs may have tested many items for use in other regulated jurisdictions, ITLs may consider such prior testing in their determination as to whether tested components meet the AGCO Standards. In doing so, however, ITLs must ensure that any prior testing was relevant to our Standards.
These same technologies must be recertified by a registered ITL when subsequent modifications are made that render the previous certification no longer valid, including but not limited to, modifications related to responsible gaming, game integrity, fairness, and security. See Appendix C – ITL Certification Policy for additional details.
Testing and certification may be performed at any time, including before an Operator or GRS has received a registration from the AGCO. However, ITLs may not issue certifications until they have:
Completed registration with the AGCO as a Gaming-Related Supplier; and
Submitted confirmation, such as an independent audit, that their testing methodology has been configured to the Registrar’s Standards for Internet Gaming.
Please note: Even though the GRS who manufactures the game will likely be the entity that obtains the certification, the obligation to assure the AGCO that the game is certified rests with operators and GRSs who run critical gaming systems.
The AGCO Internet Gaming Notification Matrix defines three categories of information that must be provided by registrants on an ongoing basis. These include:
Operators and GRSs will use two secure data exchange mechanisms to provide the information described in the Notification Matrix:
The information provided by registrants through each of these mechanisms will be used to inform AGCO compliance planning and monitoring activities.
Before going live in Ontario’s market:
Operators | |
---|---|
GRS who provide platforms | |
GRS who run critical gaming systems. The components of these systems include certified games, random number generators, and components of igaming systems that accept, process, determine the outcome of, display, and log details about player bets and wagers – all of which are technologies that require ITL certification. | |
All other Gaming-Related Suppliers | |
The following information is intended to provide guidance for common applicability of the Registrar’s Standards for Internet Gaming for four specific types of registrants that play key roles in the delivery of gaming in Ontario.
This information is for general guidance purposes only and should not be taken as conclusive direction from the AGCO.
The circumstances of each registrant are different and all registrants, including those not listed below, are responsible for identifying the standards and requirements applicable to them.
Type of Registrants | Applicable igaming Standards |
---|---|
Operators and their platform providers | In general, all of the igaming Standards will apply to registered operators and their platform providers. |
GRSs who run critical gaming systems | Gaming-related suppliers who run critical gaming systems are responsible for ensuring that gaming technology is operated in a way that meets the Standards. Entity Level: 1.01, 1.02.3, 1.03, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.11, 1.12, 1.13, 1.14, 1.18, 1.20; Responsible Gambling: 2.15.3, 2.15.5, 2.16.2; Ensuring Game Integrity and Player Awareness: 4.01, 4.02, 4.03, 4.04, 4.06, 4.07, 4.08, 4.09, 4.11, 4.12, 4.14, 4.15, 4.16, 4.21, 4.23, 4.24, 4.25, 4.27, 4.28, 4.29, 4.35; Public Safety and Protection of Assets: 5.01, 5.02, 5.03, 5.04, 5.05, 5.06, 5.07, 5.08, 5.09, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.24, 5.25, 5.26, 5.27, 5.28, 5.29, 5.30, 5.31, 5.32, 5.33, 5.34, 5.35, 5.36, 5.37, 5.38, 5.39, 5.40, 5.41, 5.42, 5.43, 5.44, 5.45, 5.46, 5.47, 5.48, 5.58, 5.60, 5.62, 5.63, 5.64, 5.65, 5.66, 5.68 |
GRSs that develop but do not run critical gaming systems | Entity Level: 1.01, 1.02.3, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.12, 1.13, 1.18, 1.20; Responsible Gambling: 2.15, 2.16, 2.17, 2.18, 2.19, 2.20, 2.24.2; Prohibiting Access to Designated Groups and Player Account Management: 3.15.3; Ensuring Game Integrity and Player Awareness: 4.01, 4.02, 4.05, 4.06, 4.07, 4.08, 4.09.2, 4.09.6, 4.12, 4.14, 4.15, 4.16, 4.21, 4.24, 4.25, 4.26, 4.27, 4.28, 4.29, 4.31, 4.35; Public Safety and Protection of Assets: 5.05, 5.13, 5.14, 5.15, 5.16, 5.19, 5.20, 5.25, 5.27, 5.39, 5.40, 5.41, 5.49, 5.50, 5.51, 5.52, 5.53, 5.54, 5.55, 5.56, 5.57, 5.59, 5.61, 5.64, 5.65, 5.66, 5.67 |
GRSs that are registered as independent integrity monitors | Entity Level: 1.01, 1.02.3, 1.05, 1.06, 1.07, 1.08, 1.09, 1.10, 1.12, 1.13, 1.18, 1.20; Ensuring Game Integrity and Player Awareness: 4.32; Public Safety and Protection of Assets: 5.01, 5.02, 5.03, 5.04, 5.05, 5.09, 5.10, 5.11, 5.12, 5.24, 5.25, 5.26, 5.28 |
In general, the Registrar’s Standards for Internet Gaming apply to operators and GRSs involved in offering sport and event betting in Ontario’s igaming market.
By way of additional clarification, the following table highlights those relatively few Standards that are a) uniquely applicable to sport and event betting only; b) relevant for internet gaming as a whole, but also contain one or more specific references to sport and event betting; and c) do not apply to sport and event betting.
 | Responsible Gambling: 2.15.1, 2.15.2, 2.15.3; Prohibiting Access to Designated Groups and Player Account Management: 3.01.1; Ensuring Game Integrity and Player Awareness: 4.25.1, 4.25.2, 4.25.3, 4.32, 4.33, 4.34 |
---|---|
 | Prohibiting Access to Designated Groups and Player Account Management: 3.15; Ensuring Game Integrity and Player Awareness: 4.01, 4.06, 4.10, 4.12, 4.13, 4.24, 4.28; Public Safety and Protection of Assets: 5.75 |
 | Responsible Gambling: 2.15; Ensuring Game Integrity and Player Awareness: 4.26, 4.27 |
The 3 categories of modifications include:
Approach: These do not require recertification. The supplier can leverage the previous certification and confirm that all modifications between the two versions are non-regulatory in nature such that the previous certification holds and applies to the modified technology.
Approach: These must be certified before deployment.
Approach: To expedite regulatory fixes, they can be deployed prior to certification. The ‘fixed’ technology can be deployed immediately but must be submitted to an ITL for Ontario certification within 5 business days of release.
For the purposes of documenting that the relevant Standards have been met, an ITL certification instrument must include the following information:
The following additional information must be made available by the registered ITL to the AGCO upon request: