25 July 2010
Warning
This document is not yet approved. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as a CEN Workshop Agreement.
Recipients of this interim draft are invited to submit their comments and documented supporting
suggestions, using the template provided.
This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties,
the constitution of which is indicated in the foreword of this Workshop Agreement.
The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by
the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held
accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or
legislation.
This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its
Members.
This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National
Standard Bodies.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark,
Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.
Document History:
CEN Workshop Agreement for 'Responsible Remote Gambling Measures'
Document Location: To be assigned.
Validity: To be assigned.
File name: To be assigned
Change History:
Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Definitions
4 Responsible Remote Gambling Control Measures
5 Annex A (Informative) – Non-Exhaustive List of Existing Responsible Gambling
Regulations, Measures and Codes
Foreword
This document is a working document.
The objective of the CEN Workshop on 'Responsible Remote Gambling Measures' is to create a
policy tool that can be used by policy makers to address the challenges of developing a safe and
secure remote gambling environment. By its nature, a CEN Workshop Agreement (CWA) is not
legally binding and will therefore be applied on a voluntary basis by participating operators.
Ultimately, the CWA has the potential to inform policy makers of the standards needed to maintain
a responsible, safe and secure remote gambling environment and be used as a benchmark for
compliance with best practices by operators, software providers, associated service providers and
other relevant industry stakeholders in the field of remote gambling.
This CEN Workshop commenced in May 2010 and held its final meeting in September 2010.
The CWA sets out the measures required to achieve the promotion of responsible remote
gambling.
(It went through a public comment phase from 25th July until 25th of September 2010)
The CEN Workshop included 27 participants from the remote gambling sector. This includes
representatives of trade associations, licensing authorities, experts on gaming behaviour,
associations of players and operators.
Ynze Remmers G4
Howard Shaffer Harvard Medical School - The Cambridge Health Alliance Division on Addictions
Comments or suggestions from the users of the CWA are welcome and should be addressed to
the Secretariat.
Introduction
The objective of the CEN Workshop on 'Responsible Remote Gambling Measures' is to develop
Control Measures that are capable of adequately protecting customers and ensuring that the
remote gambling operators, software suppliers and associated service providers behave
responsibly.
The European gambling market has multiple different regulations, directives, standards, codes and
rules governing remote gambling and these frequently vary by Member State. In the absence of
pan-European regulation, the objective of this Workshop is to develop evidence-based and other
appropriate control measures, and self-regulation, as an effective complement to national
legislation in order to develop and maintain - cross border - a safe and secure environment for
customers throughout the EU.
This document outlines Control Measures that are intended to be reasonably practical and
operationally feasible for effective implementation by operators, software suppliers and associated
service providers. The objective is to enable customers and policy makers to have access to a set
of Control Measures that are easily and consistently understood.
Application
The requirements of this CWA are generic and are intended to be applicable to trade associations,
licensing authorities, operators, software providers and associated service providers in the field of
remote gambling.
This document does not in itself impose any obligation upon anyone to follow it. However, such an
obligation may be imposed, for example, by legislation or by a contract. In order to be able to claim
compliance with this document, the user needs to be able to identify the requirements he/she is
obliged to satisfy. The user also needs to be able to distinguish these requirements from other
provisions where there is a certain freedom of choice.
Contents of the informative Annex shall not in any way be construed as being requirements.
The main activity of a CEN Workshop is the development and publication of the CWA. The CWA
is a voluntary standard applicable internationally and does not have the force of regulation.
1 Scope
This CWA specifies the Responsible Remote Gambling Measures for operators, software
providers, associated service providers and other relevant industry stakeholders.
The Workshop only concerns remote gaming and betting, and the scope does not include land-
based gambling activities. Remote gambling is defined as gaming and betting activities accessed
by the customers via the use of the internet, telephone, television and other electronic devices
used for facilitating communication.
The Control Measures contained within this CWA are not intended to replace existing legislation,
but rather guide and facilitate future regulatory efforts.
2 Normative References
Not applicable.
3 Definitions
For the purposes of this CWA the following definitions apply:
Term Definition
“account” Means a record kept by the operator, which record shall at all times be
accessible to the customer, which shows the customer's credit against the
operator, taking into account all wagers placed and all prizes won by the
customer and any other debits or credits as may be permitted by the
applicable terms and conditions.
“affiliate” Means a third party website administrator providing marketing for an
operator for which the affiliate in turn receives financial gain.
“AML” Means anti-money laundering.
“bonus” Means the provision of additional economic benefits to a customer as
encouragement for further customer activity, not necessarily linked to the
customer's transaction history.
“company” Means either an operator or software provider, as applicable.
“complaint” Means a matter of dissatisfaction expressed by a customer and operator
which is required to be resolved by the operator.
“compliance officer” Means a person who has been authorised to act on behalf of a company,
in a capacity of ensuring compliance with applicable laws and regulations.
“cooling-off” Means the process by which a customer voluntarily requests their own
account be temporarily locked in order to prevent them from further game
play.
“counter terrorism financing” Means money laundering to support terrorist financing. However
terrorist financing can also occur when money earned legitimately is provided to
terrorist groups for an illegitimate purpose.
“cryptographic controls” Means controls to hide or obscure the contents of information transfer.
Includes encryption and hash functions.
“CTF” Means counter terrorism financing.
“customers” Means any person who is over the legal age of majority, and participates
in remote gambling.
“deposit” Means funding paid by the customer via a payment service provider into
the customer's gaming account.
“director” Means a member of the Board of Directors.
“disputes” Means a complaint submitted by a customer which has not been resolved
by the operator to either party's satisfaction and is consequently escalated
to a third party mediator or arbitrator.
“dormant account” Means a customer's account that has no transactions initiated by the
customer for a stipulated period.
“employees” Means all persons actively employed or engaged with a remote gambling
operation.
“FATF” Means Financial Action Task Force.
“fees” Means the costs levied to a customer as a result of a funding transaction
(deposit or withdrawal) from their gaming account.
“financial reconciliation” Means the matching of transactions with an economic value and noting
those transactions where a corresponding match does not exist, for future
investigation.
“free play” Means the participation in games where no deposit was required from the
customer and no actual monetary value is attributable to the customer.
“full exclusion” Means the process by which a customer's own account is permanently
locked in order to prevent them from further game play.
“gambling software” Means the application from which the customer accesses the games,
player account information and payment facilities.
“gambling” Means all types of games involving wagering or betting a stake with
monetary value in games in which participants may win, in full or in part, a
monetary prize based, totally or partially, on chance or uncertainty of an
outcome.
“game pay tables” Means the illustration, in tabular format, of the game outcome and
associated payout.
“gambling site” Means the website of the operator from which customers can access
and/or download gambling software.
“inactive customer account” See “dormant account”
“jurisdiction” Means the practical authority granted to a formally constituted legal body
to deal with and make pronouncements on legal matters and, by
implication, to administer justice within a defined area of responsibility.
“licence holder” Means a company that has received explicit permission to operate one or
various games in a specific territory or jurisdiction by a regulator or by the
government.
“media” Means the medium by which the operator distributes communications to
customers. For example: SMS, email, printed documents, website display,
pop-ups, etc.
“money laundering” Means the process(es) by which criminals conceal or attempt to conceal the
origin of the proceeds of their or others' criminal activities.
“officer” Means a person who has been authorised to act on behalf of a company,
in a capacity of authority.
“operator” Means a company conducting remote gambling activities.
“outstanding balance” Means the balance in a customer's account of economic value, due to the
customer.
“payment requests” Means a request submitted by a customer to have funds paid out to him
from his account.
“payout percentage” Means the expected percentage of wagers a specific game will return to
the customer in the long run. The payout percentage can also be
calculated via either a theoretical or simulated approach. The method used
for calculation depends on the game type.
“payout” Means the economic value gained by the customer occurring from a
favourable outcome of a game.
“play for gain” See “real money”
“poker robots” Means computer software utilised in a poker game to simulate customer
activity.
“prize” Means credits with an economic value presented to a customer in
recognition of the occurrence of a pre-defined event, in favour of the
customer.
“products” Means the various types of remote gambling offerings, including, but not
limited to, casino, poker, bingo and sportsbook.
“promotion” Means the provision of additional economic benefits to a customer as
encouragement for further customer activity.
“promotional material” Means the distribution of information to customers relating to offers and
incentives for the customers to gamble at the operator.
“RA” Means Regulatory Authority.
“rake” Means the scaled commission fee taken by an operator operating a poker
game.
“random number generator” Means a computational or physical device designed to generate a
sequence of numbers or symbols that lack any pattern.
“real money” Means the participation in games utilising funds and promotions
attributable to the customer.
“registration” Means the process of a customer providing the required information and
taking the appropriate steps in order to open a customer account.
“Regulatory Authority” Means a local, regional or national authority giving explicit permission to
operate one or various games on a specific territory or jurisdiction.
“rules” Means any terms and conditions applicable to a participant of a game.
Rules detail the expected action and consequential result of a game.
“self-exclusion” Means the process by which a customer voluntarily requests their own
account be locked in order to prevent them from further game play.
“software providers” Means a company which develops and manages the remote gambling
software.
“stake” Means the economic value which the customer, or any third party on his
behalf, has to commit in order for the customer to participate in a game
and which he can lose, wholly or in part, following the result of the game.
“system-wide regression test” Means any type of software testing that seeks to uncover software
errors by partially retesting a modified program. The intent of regression testing
is to provide a general assurance that no additional errors were introduced
in the process of fixing other problems.
“territories” Means an area marked off for administrative or other purposes under the
jurisdiction of a governing body.
“theoretical statistical return percentage” Means the expected payout percentage from a game to a
customer using optimal strategy.
“timeout receipts” Means deposits made by a customer where the payment processor
experienced a communication error while the transaction was pending.
The customer's deposit has been deducted from their funding account but
does not reflect on the recipient account.
“uncontested funds” Means funding with an economic value in a customer‟s account for which
the operator has no claim in favour of these funds.
“underage individuals” Means any person who is not over the legal age of majority and who takes
part in remote gambling.
“users” Means operators, software providers and participants supporting and
subscribing to these Control Measures.
“verification” Means the process of obtaining evidence, often identification
documentation, substantiating an individual's claims of identity.
“virus” Means a software program capable of reproducing itself and usually
capable of causing great harm to files or other programs on the same
computer.
“winnings” Means monetary and non-monetary rewards in favour of the customer,
arising from remote gambling activity.
“wins” See “payout”.
“withdrawal” Means the funding withdrawn by a customer from their gambling account
to be paid by the operator in favour of the customer.
6. Fair gaming
Users are committed to ensuring that gambling products are subjected to continuous and rigorous
independent assessment to ensure products continue to operate in a fair and random manner, and
in accordance with published rules.
1.06 All links to problem gaming counselling services provided by third parties should be
tested and maintained by the operator. Records of tests should be established and
maintained.
1.07 Gambling software should contain a clear reminder to the customer about responsible
gambling and a link to the responsible gambling page.
1.08 Warnings and Links about Risks Associated with Remote Gaming. The operator
should display, on the login screen, a link to responsible gaming advice. The link
should have the same importance as other content offered on the login screen. The
login screen should also include text advising the player that the site contains links to
competent problem gaming counselling service providers.
1.09 Promotional material should not be displayed on the operator's responsible gambling
page.
1.10 Direct communication with the customer should carry a responsible gambling
message, where practical.
1.11 Free play games websites should provide links to the same age restriction,
responsible gambling, and customer protection information as the real money sites.
1.12 In an attempt to mitigate problem gambling, customers should be able to request the
setting of wagering/deposit limits.
1.13 Customers should be able to request the setting of their own deposit limits per day,
week and month.
1.14 There should be a clear link from the deposit page to the facility to set deposit limits or
as a minimum, to the Responsible Gaming page.
1.15 The customer should be introduced to the opportunity to set a deposit limit either
during registration or at first deposit.
1.16 The company should enable the customer to set and review their deposit limit through
the site and/or through contact with customer services. If there is a delay when a
customer sets a deposit limit the company should confirm to the customer from when
the limit will take effect.
1.17 If a customer wants to increase a deposit limit previously set, a minimum waiting
period of 24 hours should apply.
1.18 A request to decrease a deposit limit should be implemented immediately.
1.19 Operators should have systems in place to deal with deposit limit requests in a timely
manner.
1.20 The company should ensure that an appropriately robust system is in place to ensure
that deposit limits are enforced. On reaching the set limit the customer should not be
able to make further deposits during the specified time period.
1.21 The customer has the possibility to set stake limits related to a defined time unit
(day/week/month) separated into the type of game.
1.22 Consumer ...[protection] measures have to cover: limits of daily and monthly ... losses
1.23 After each hour of continuous play a message should be displayed advising the
customer of the length of time they have been playing. (Casino)
1.24 Where time session limits are available the customer should have an option to set a
limit on the amount of time they spend participating in casino games in any 24 hour
period. (Casino)
1.25 On completion of the last wager within the previously set time limit the customer
should be presented with a message clearly informing them of the length of time they
have been playing. The customer should be required to acknowledge the message
and agree to continue playing or stop. (Casino)
1.26 Operators' procedures for self-exclusion and temporary cooling-off should be clearly
communicated on the website. Procedures should clearly state the conditions of self-
exclusion.
1.27 Easy to use options of self-exclusion, separated into the type of game and for account
closure for a minimum duration of 3 months and up to 2 years, are available for the
customer.
1.28 Enable players to 'self-exclude'. An operator should provide the player with the option
to self-exclude himself for a definite or indefinite period of time from: a particular
gaming type (e.g. Poker, fixed odds, casino, etc.); and/or the gaming site.
1.29 The operator should set up a policy on self-exclusion which should be made
accessible to the player. As a minimum, the policy should provide for a set of pre-
defined time-frames increasing with every subsequent self-exclusion up to the time
when the indefinite self-exclusion is invoked. The policy should also include the
handling of outstanding balances and bets.
1.30 The period of self exclusion must be for a minimum of six months. The customer
should, in addition, be able to identify a longer period of time for the exclusion within
operator defined increments (such as 1 year, 2 years or 5 years).
1.31 Customers should be given the opportunity to self-exclude or cool-off by contacting
customer services or requesting self-exclusion, or cooling off via the operator's
website.
1.32 Once the customer has selected the self-exclusion option, the account should be
locked and any funds in the account paid out.
1.33 Operators should offer customers the ability to self-exclude from gambling activity and
best endeavours should be made to prevent marketing to these customers.
1.34 Once a customer has requested to be excluded ... the customer should also be
provided with contact information for accessible help services, (such as GamCare)
and encouraged to seek support should they recognise that their gambling is
problematic for them.
1.35 Operators should offer customers a “cooling-off” exclusion period from gambling
activity, and best endeavours should be made to prevent marketing to these
customers.
1.36 The site may also provide a shorter-term cooling-off period as well as a full exclusion.
The cooling off period may be made available for 24 hours and/or 7 days.
1.37 A third party making an application for a customer's exclusion should be properly
identified. Based on the circumstances and merit, the appropriate manager may give
due consideration to the course of action.
1.38 The provider of its own [accord] closes accounts of gamers ... based on conspicuous
gaming behaviour and further information ... [assuming] that the placed stakes ... are
not in an appropriate rake to his financial situation.
1.39 According to defined indicators based on the monitoring of the individual gaming
behaviour the licence holder will exclude a consumer for certain time periods or
lifelong from all future gaming activities of the company, in order to protect vulnerable
consumers. These indicators and the exclusion process ought to be confirmed by the
RA, and the RA may request the implementation of new or modified exclusion
indicators and processes.
1.40 The provider [should make] ... data of customers who excluded themselves from
gaming due to problematic gaming behaviour or were blocked by the provider
available to a third party organization [while] maintaining privacy policies. ...A self-
exclusion database with other providers compliant with CEN standards, can be ...
[established].
1.41 Licence holders should have, and provide to Regulatory Authority defined systems in
place to enable customers to request to be self excluded. Such requests should be a
deliberate and considered action by the customer and should be implemented by the
licence holder within two hours and in compliance with the defined procedure.
Implementation should include confirming receipt of the request to self exclude via an
identified e-mail account or the means of correspondence/communication used by the
customer. Confirmation should include specific information on the process and
consequences of self exclusion, including the point at which self exclusion has
commenced.
1.42 Licence holders are expected to co-operate with the Regulatory Authority, Gambling
Commissioner and other licence holders to develop techniques to identify and
discourage problem gambling.
1.43 Training should be provided to customer service employees to ensure the prompt and
efficient handling of correspondence relating to self-exclusion and cooling off.
1.44 Operators should not provide credit to customers - specifically, operators may not
permit a customer to wager, win and receive a payout where the funding of that wager
is obtained from the operator other than through existing client funds or the provision
of a promotion or bonus.
1.45 A player should not be given credit or allowed a negative balance unless adequate
measures have been taken to establish the financial liquidity and standing of the
player, and the player has clearly consented to honour consequential debts.
1.46 A clearly visible clock should be available for use by the customer at all times.
1.47 The denomination of each credit should be clearly displayed on the games screen.
1.48 The currency unit of the amount wagered should be clearly displayed on the games
screen.
1.49 If the site gives a customer the option of not displaying their balance, this should not
be set as default.
1.50 Customers should be provided with remote access to their account history dating back
for a minimum period of 60 days, and offline access dating back for a minimum period
of 6 months, including all deposits, withdrawals and wagers.
1.51 Maintain accessible and reliable player gaming accounts. Player balances on gaming
accounts should, without undue delays, accurately reflect the player's deposits, bets,
wins, withdrawals, fees and any bonuses.
1.52 Records of player's credits should be established and maintained.
2.12 Consumer ...[protection] measures have to cover: a 72 hours waiting period for newly
registered consumers after the first deposit payment
2.13 Any free play customer winning a cash prize ought to be age verified prior to
withdrawal of winnings.
2.14 Underage gambling should be regularly monitored by conducting frequent checks of
customers to ensure compliance with age restrictions.
2.15 Operators should immediately close the account of any underage or suspected
underage person found to have accessed its services.
2.16 The company should have in place an appropriate system for refunding the value of
all deposits should a customer, subsequent to registration, be identified as underage.
2.17 Training should be provided to all employees involved in the operator's age
verification process, including training on the process to follow in the event that
instances of a need for additional verification are identified.
2.18 The provider establishes an independent registration office which parents and other
eligible persons can turn to if they suspect that minors have access to the gaming
site. This information is available on the provider's website.
2.19 Licence holders have to provide regular evaluations by independent third parties of
the effectiveness of their age verification systems and to report the results of these
measures to the R.A.
4.07 Terms and conditions that require acceptance from customers during registration
should clearly state the operator's privacy policy. Customer consent of the terms and
conditions is required prior to successful registration.
4.08 Customers should be provided access to their confidential information and should be
permitted to request changes to inaccurate information.
4.09 The operator should take all reasonable steps to ensure that any information supplied
by customers is kept up to date.
4.10 Director, officer and employee contracts should contain a “confidentiality” clause
prohibiting the unauthorised or unnecessary disclosure of customer information.
5.17 The operator should demonstrate a clear ability to pay all prizes and outstanding
player balances.
5.18 In games of chance, all prizes offered to players should be backed by sufficient
operator means.
5.19 The operator should ensure that own funds are adequate for the financing of bonuses
and allocation of credit to players.
5.20 A procedure should be established and maintained to set up and manage client
account/s including any interest accrued and to record all transactions.
5.21 Client account/s should be kept and operated separately from Operator owned
accounts. Funds in the clients accounts should not be put at risk in any way. All
transactions made by the operator and having an effect on the balance in the client
account/s should be documented. Records of transactions should be maintained.
5.22 If the operator adopts a policy of clearing inactive customer accounts, then customers
should be informed prior to clearing of the account, and this policy should be clearly
stated in the operator's terms and conditions.
5.23 Records should be maintained for all customer accounts that have been cleared, and
any customer requesting a cashout from an account that has been cleared should be
settled according to the operator's terms and conditions.
6. Fair gaming
6.01 Operators should implement a product testing policy, approved and supported by its
senior management, which will provide for the testing of all products for fairness and
randomness.
6.02 The policy should make provision for the internal and external testing of product
fairness and randomness.
6.03 Testing of fairness and randomness of products should be conducted prior to, and
subsequent to the operation of the games and/or betting products.
6.04 All major changes should be individually tested and a system-wide regression test
should be completed annually.
6.05 Random number generators used in products should be tested at minimum, annually.
6.06 The results of games ought to be random, except where clearly disclosed if different
game-rules apply.
6.07 The output obtained through the use of the random number generator (“RNG”) in
games should be proven to be:
6.07.01 Statistically independent.
6.07.02 Uniformly distributed over their range.
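One way to gather evidence for control measure 6.07, as an added example that is not part of the CWA text: a chi-square test of uniformity over the output range (6.07.02) and a chi-square test on consecutive pairs of draws as a check on independence (6.07.01). The six-outcome range, the sample streams, the 1% significance level and all function names are assumptions made for this illustration.

```python
from collections import Counter
from statistics import NormalDist
import random


def chi2_critical(df, alpha):
    """Upper-tail chi-square critical value (Wilson-Hilferty approximation)."""
    z = NormalDist().inv_cdf(1.0 - alpha)
    a = 2.0 / (9.0 * df)
    return df * (1.0 - a + z * a ** 0.5) ** 3


def chi2_equal_cells(counts, n_cells, n_obs):
    """Pearson statistic when each of n_cells is expected equally often."""
    expected = n_obs / n_cells
    if expected < 5:
        raise ValueError("sample too small: expected count per cell is below 5")
    seen = sum((c - expected) ** 2 / expected for c in counts.values())
    # Cells that never occurred are absent from the Counter; each adds `expected`.
    return seen + (n_cells - len(counts)) * expected


def uniformity_statistic(samples, k):
    """6.07.02: are the k outcomes 0..k-1 equally frequent?"""
    if any(not (0 <= s < k) for s in samples):
        raise ValueError("sample outside the declared range 0..k-1")
    return chi2_equal_cells(Counter(samples), k, len(samples))


def pair_statistic(samples, k):
    """6.07.01: are non-overlapping consecutive pairs spread over all k*k cells?"""
    pairs = list(zip(samples[0::2], samples[1::2]))
    return chi2_equal_cells(Counter(pairs), k * k, len(pairs))


def assess(samples, k, alpha=0.01):
    """Run both checks. The pair check is read as evidence about independence
    only when the uniformity check passes, because bias also inflates it."""
    u = uniformity_statistic(samples, k)
    p = pair_statistic(samples, k)
    return {
        "uniform": u <= chi2_critical(k - 1, alpha),
        "independent": p <= chi2_critical(k * k - 1, alpha),
        "uniformity_chi2": u,
        "pairs_chi2": p,
    }


# Constructed sample streams for a simulated six-sided die (not real game data).
K = 6
# Outcome 0 occurs 150 times, every other outcome 90 times: biased.
BIASED = [0] * 150 + [v for v in range(1, K) for _ in range(90)]
# 0,1,2,3,4,5 repeated: perfectly even counts, but each draw predicts the next.
CYCLIC = list(range(K)) * 100
# Stand-in reference stream from a seeded general-purpose PRNG, used only to
# show a passing result; it is not a certified gambling RNG.
_rng = random.Random(2010)
REFERENCE = [int(_rng.random() * K) for _ in range(6000)]

if __name__ == "__main__":
    for name, stream in (("biased", BIASED), ("cyclic", CYCLIC),
                         ("reference", REFERENCE)):
        print(name, assess(stream, K))
```

Passing both checks is supporting evidence only: they look at single draws and adjacent pairs, so they say nothing about longer-range patterns or about whether the generator is predictable.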
6.08 Significant wins for slot games should be verified and distributed among an
acceptable population of customers.
6.09 Where a game simulates a physical device:
6.09.01 The visual representation of the device ought to correspond to the features of the
physical device.
6.09.02 The probability of any event occurring should be as for the actual physical device
except where deviations are clearly displayed to the customers.
6.10 Where the game simulates multiple physical devices that would be expected to be
independent of one another, each simulated device should be independent of the
other simulated device.
6.11 Where the game simulates physical devices that have no memory of previous events,
the behaviour of the simulations should be independent of the behaviour of previous
simulations.
6.12 The financial data log files should be reconciled to movements on the
operator/customer accounts to ensure data completeness.
6.13 The theoretical statistical return percentage for a particular game type should be no
less than that of the equivalent game in free play mode.
6.14 Game rules should be available to the customer, and should be tested on an annual
basis.
6.15 The rules of the game or games should be documented and maintained inclusive of
issue date and version number. The rules should be made accessible to players at all
times.
6.16 The game pay tables should be available to the player during games of chance.
6.17 Any change to the published rules or pay tables should be notified to all players at
their next login after the change.
6.18 The design and operation of games should be strictly in accordance with the specified
game rules, and should not deviate from those rules.
6.19 Changes to rules and pay tables should not be retrospective in their effect.
6.20 Preventative and detective controls or technology should be in place to ensure that
the prospect of cheating through collusion (external exchange of information between
different customers) is prevented.
6.21 Poker rooms should not utilise software (for example poker robots that play poker
online with no or minimal human intervention) or other means to simulate increased
customer activity or provide misleading information about a site's popularity.
6.22 Poker rooms should not permit the use of robots or other devices by customers with a
view to providing them with an advantage over other customers, and should be
vigilant in monitoring and stopping the use of these robots and devices.
6.23 Effective risk control mechanisms should be in place for managing events offered, bet
sizes and prices, taking into consideration available liquid funds.
6.24 Payout percentage reviews should be conducted on a monthly basis to verify the
actual return to the customer against the theoretical/estimated return.
6.25 Foreign language websites should aim to provide assistance and guidance to all
customers on foreign language related queries, where possible.
6.26 "Near-miss" game results should not be falsely displayed by substituting one losing
outcome with a different losing outcome.
6.27 “Play for free” offerings should not mislead customers. An operator offering both “play
for free” and “play for gain” games should ensure that the “play for free” reflects the
7.17 If the operator becomes aware of an affiliate and/or third party behaving in a manner
that contravenes these Control Measures, the operator should take reasonable steps
to ensure that the affiliate ceases that behaviour or that the affiliate and/or third party
contract is terminated.
7.18 Direct advertisements and promotional communication with the customer should carry
a no under 18's or no under 21's warning where practical.
MSA EN ISO IEC 27001:2005 Annex A.6.1.7 Appropriate contacts with special
interest groups or other specialist security forums and professional associations
should be maintained.
9.20 Relevant third party and business partner contractual terms and conditions should
cover all appropriate security requirements.
9.21 Virus scanners and/or detection programs should be installed on all pertinent
information systems. These programs should be updated regularly to scan for new
strains of viruses.
9.22 Controls should be in place for changes to information processing facilities and
systems in order to reduce the risk of security or system failures.
9.23 All customers should be verified through the use of an account identifier/password
pair, or by any other means that provide equal or greater security (e.g. digital
certificates), prior to being permitted to participate in gambling activities.
9.24 All system users should have their identity verified with an account identifier/password
pair, or by any other means that provide equal or greater security, prior to being
permitted to access the system.
9.25 All customer deposit, withdrawal or adjustment transactions should be subject to strict
security control and should be maintained in a system audit log.
9.26 MSA EN ISO IEC 27001:2005 Annex A.10.9.2 Information involved in on-line
transactions should be protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure, unauthorized message
duplication or replay.
9.27 MSA EN ISO IEC 27001:2005 Annex A.11.7.1 A formal policy should be in place, and
appropriate security measures should be adopted to protect against the risks of using
mobile computing and communication facilities.
9.28 MSA EN ISO IEC 27001:2005 Annex A.12.3.1 A policy on the use of cryptographic
controls for protection of information should be developed and implemented.
9.29 Backup and recovery procedures should be in place to ensure data and information
(e.g. logs and financial information) are backed up on a regular basis and can be
restored in the event of a disaster.
9.30 Backup and disaster recovery responsibilities and procedures between software
providers and operators should be clearly defined.
9.31 The system should enable customers to complete interrupted games, within a
reasonable timeframe, whether from loss of communication with the end-player device
or an event on the system.
9.32 A development methodology for software and applications should be defined,
documented and implemented.
9.33 All documentation relating to software and application development should be
available and retained for the duration of its lifecycle.
9.34 Change control procedures should be implemented in line with the change
management policy and should cater for the following:
9.34.01 Approval procedures for changes to software.
9.34.02 A policy addressing emergency change procedures.
9.34.03 Procedures for testing and migration of changes.
9.34.04 Segregation of duties between the developers, quality assurance team, the migration
team and users.
9.34.05 Procedures to ensure that technical and user documentation is updated as a result of
a change.
9.34.06 Procedures to ensure that security control requirements are specified for new
information systems, or enhancements to existing information systems.
9.35 The appointed Compliance Officer should have the required authority within the
operator organisation to ensure processes, policies and procedures required for
Malta Lotteries and Gaming Authority Remote Gaming Regulations (see link)
Swedish Presidency Progress Report 'Legal framework for gambling and betting in the
Member States of the European Union', doc 16571/09 (see link)
European Lotteries
o Responsible Gaming Standards (see link)
o Code of Conduct on Sportsbetting (see link)
Ehrenkodex VEWU
Global Gambling Guidance Group (G4), e-Gambling Code of Practice (see link)