Remote gambling and software technical standards under section 89 and section 97 of the Gambling Act 2005.
Published: 2 February 2021
Last updated: 15 December 2021
This version was printed or saved on: 11 May 2024
Online version: https://www.gamblingcommission.gov.uk/standards/remote-gambling-and-software-technical-standards
1.1 This document sets out remote gambling and software technical standards issued by the Gambling Commission (the Commission) under section 89 and section 97 of the Gambling Act 2005 (the Act).
1.2 The RTS is drafted in a format that sets out the key principles, without being overly prescriptive as to how these must be met. The general makeup and format of each requirement is structured as follows:
1.3 The Commission’s Testing strategy for compliance with the remote gambling and software technical standards (PDF) (testing strategy) sets out the Commission’s current requirements for the timing and procedures for testing. Compliance with the RTS and testing strategy is a licence condition¹.
1.4 Importantly the testing strategy sets out the circumstances in which independent third party testing is required. The relevant standards are given in chapter 3 - Remote gambling and software technical standards and chapter 4 - security requirements.
1.5 The testing strategy and accompanying security audit advice also set out the independent audit requirements that licence holders should fulfil. This is based on the relevant sections of ISO/IEC 27001:2013, which are summarised in chapter 4 - security requirements.
1.6 Licensees that are responsible for procuring games testing will also need to submit a Games testing annual audit. Further details are provided in the testing strategy.
1.7 For ease of reference, annex A lists all technical standards and their applicability to different gambling products. The summary should be treated as a high-level overview and be considered in conjunction with the relevant sections of the RTS.
1.8 The following standards apply to holders of remote bingo licences when making facilities available by means of remote communication in respect of games of bingo played on more than one set of premises:
1.9 Where bingo is offered across multiple premises the entity that holds the full remote operating licence will be responsible for ensuring compliance with the RTS. However, we would expect the ancillary licence holder (or individual premises) to have received sufficient assurance that the content offered via remote terminals is compliant with the relevant standards, as listed previously. Ancillary licence holders will still be required to comply with the bingo equipment specifications - Licence condition 2.3.2.
1.10 The Commission has adopted a risk-based approach to lotteries – exempting from the technical standards lotteries offered under an ancillary remote licence². Subscription lotteries, those products where customer spend is often controlled, are exempt from some aspects of the RTS (for example, RTS 12). The technical standards are primarily aimed at high frequency products offered under a full remote lottery licence, that enable consumers to participate in multiple draws in a relatively short space of time. These products present similar risks as instant lotteries (see definition of terms) and will need to adhere to the relevant technical standards.
1.11 In the case of gambling software, these technical standards only apply to manufacture, supply, installation or adaptation of software for use in connection with remote gambling which takes place in reliance on an operating licence issued by the Commission.
1 Licence condition 2.3.1 in Licence Conditions and Codes of Practice (LCCP).
2 The ancillary remote licence is only suitable for holders of a non-remote society lottery operating licence who want to accept payment for participation in a lottery by remote means, up to a maximum of £250,000 in remote proceeds per annum. If you do not hold a non-remote society lottery operating licence and wish to take payments by remote means, you must hold a full remote licence. If you currently hold a non-remote and ancillary remote society lottery licence, but your remote proceeds are expected to exceed £250,000 per annum, a full remote society lottery operating licence will be required. Products offered under a non-remote society lottery operating licence and an ancillary remote licence must adhere to the relevant sections of the LCCP.
2.1 In this document the following terms have the following meanings.
The Gambling Act 2005 defines gambling as follows:
As described by section 253 of the Act and a reference in this document to a lottery ticket includes:
A device such as a mobile phone which has limited space on which to display information, when used to access gambling facilities that the operator intends a customer to use by means of such a device.
We expect that a player using a restricted display device would still have the ability to use all required responsible gambling tools, such as financial limits or self-exclusion. We would not consider it acceptable to require a player to login via, for example, the desktop website version of the gambling facilities in order to access responsible gambling tools. Such an approach would create unreasonable barriers and may deter or prevent mobile users from utilising the available tools.
Applies to:
All gambling – except subscription lotteries.
To provide customers with easily accessible information about their current balances and facilities that enable them to review previous gambling and account transactions.
Where customers hold a credit or debit balance, the pages or screens used for gambling and to move money into and out of accounts must display the customer’s current account balance, in the currency of their account (for example, dollars, euros or pounds sterling), whenever that customer is logged in. Where it is not practical to display current balance from gambling screens then easily accessible links to this information must be provided.
Customers must have easy access to at least three months of account and gambling history without having to contact the licensee. A minimum of 12 months of gambling and account history must be made available on request. The ability to request this information should be made clear to customers and be provided as soon as is practicable.
Customers must be able to access information about their net deposits.
Net deposits are defined as the running total of all deposits minus the sum of all withdrawals for the lifetime of the account. This should be displayed at an account level so the figure represents the net position of all payment methods. Where full account lifetime history is not possible then, as a minimum, the net deposits should be displayed from 1 April 2018, or the account opening date if after 1 April 2018. Information which explains the net deposit figure, including the timeframe it covers, should be provided.
Applies to:
In respect of requirements 2A to 2D - All gambling
In respect of requirement 2E - Slots. From 17 January 2025 this applies to Casino (excluding peer-to-peer poker).
To enable the customer to understand the value and content of their transactions.
The remote gambling system must make available clear information about the amount of money being gambled by the customer, including any conversions from one form of currency to another, or from currency to credits, chips or other tokens etc, at the point of conversion.
The gambling system must display sufficient relevant information about the customer’s gamble so that the content of the gamble is clear. This information must be made available before the customer commits to the gamble including, for example, in the artwork and textual information displayed during gaming, or on an electronic equivalent of a betting slip or lottery ticket.
These items, where relevant, are also required on applications designed for use on restricted display devices.
The gambling system must enable customers to choose whether to accept price fluctuations (in either direction) that occur after their bet is requested.
Customers who choose to use third party user interfaces must be informed that applications may not display full information about their gambles.
Information should be included in terms and conditions, rules or other general information about the gambling product that is made available to and/or sent out to customers.
All gaming sessions must clearly display a customer’s net position, in the currency of their account or product (for example, pounds sterling, dollar, Euro) since the session started.
Net position is defined as the total of all winnings minus the sum of all losses since the start of the session.
Applies to:
Gaming (including bingo), lotteries and betting on virtual events
To enable customers to make informed decisions about whether to gamble based on their chances of winning, the way the game, lottery or event works, the prizes or payouts on offer and the current state of multi-state games or events.
An explanation of the applicable rules must be easily available to the customer before they commit to gamble. The content including artwork and text must be accurate, and sufficient to explain all of the applicable rules and how to participate. All reasonable steps must be taken to ensure that the content is understandable.
Where relevant, as the game or event progresses, information that may reasonably be expected to enable the customer to understand the current state must be displayed.
The following items provide guidelines on the type of information that may be relevant.
For each virtual event, game (including bingo), or lottery, information that may reasonably be expected to enable the customer to make an informed decision about his or her chances of winning must be easily available before the customer commits to gamble. Information must include:
For each virtual event, game (including bingo), or lottery, content describing the potential prizes and payouts or the means by which these are calculated or determined must be easily available before the customer commits to gamble.
Applies to:
Gaming (including bingo), lotteries and betting on virtual events
To reduce the risk that customers are unfairly disadvantaged by technical factors that may affect speed of response, and to ensure customers are made aware of the risk.
Where speed of interaction has a significant effect on the customer’s chance of winning, operators must assess the level of risk and demonstrate to the Commission that they are taking reasonable steps to reduce the risk to customers.
Examples of possible approaches include:
For time-critical events, the customer should be informed that they might be at a disadvantage because of technical issues such as slower network speeds, or slower end user device performance.
Applies to:
All gambling
To ensure that the gambling system implements the operator’s rules, game rules and betting rules as they are described to the customer.
All reasonable steps should be taken to ensure that gambles are accepted, processed and settled in accordance with the operators’ published terms and rules, and the rules of the specific game, event, or bet.
Where unexpected system flaws, faults, or errors that affect the customer occur, steps are to be taken as soon as practicable to remedy the problem and ensure that the customer is treated fairly according to the circumstances.
Applies to:
Gaming (including bingo), lotteries and betting on virtual events.
To minimise the risk that customers are misled about the likelihood of winning due to the behaviour of play-for-free games.
Play-for-free games must implement the same game rules as the corresponding play-for-money games offered on the same facilities (that is, the same website). Operators must take all reasonable steps to ensure that play-for-free games accurately represent the likelihood of winning and prize distribution in the play-for-money game. For the purpose of this requirement playing a game includes participating in a lottery and/or betting on a virtual event.
Applies to:
Gaming (including bingo), lotteries, and betting on virtual events
To ensure that games and other virtual events operate fairly.
Random number generation and game results must be ‘acceptably random’. Acceptably random here means that it is possible to demonstrate to a high degree of confidence that the output of the RNG, game, lottery and virtual event outcomes are random through, for example, statistical analysis using generally accepted tests and methods of analysis. Adaptive behaviour (that is, a compensated game) is not permitted.
Where lotteries use the outcome of other events external to the lottery to determine the result of the lottery, the outcome must be unpredictable and externally verifiable.
As far as is reasonably possible, games and events must be implemented fairly and in accordance with the rules and prevailing payouts, where applicable, as they are described to the customer.
Game designs or features that may reasonably be expected to mislead the customer about the likelihood of particular results occurring are not permitted, including substituting losing events with near-miss losing events and simulations of real devices that do not simulate the real probabilities of the device.
The rules, payouts and outcome probabilities of a virtual event or game may not be changed while it is available for gambling, except as provided for in the rules of the game, lottery or virtual event. Such changes must be brought to the customer’s attention.
Except in the case of subscription lotteries, the system must clearly and accurately display the result of the game or event and the customer’s gamble. The result must be displayed for a length of time that may reasonably be expected to be sufficient for the customer to understand the result of the game or event in the context of their gamble.
The game artwork and text should be sufficient to provide the customer with all of the information required to determine whether they have lost or won, and the value of any winnings.
Applies to:
In respect of requirement RTS 8A and 8B – Gaming (except slots)
In respect of requirement RTS 8C – Slots
From 17 January 2025 the new requirement which follows the existing text will replace RTS 8.
To ensure that the customer is still in control of the gambling where auto-play functionality is provided and to minimise the risk that the functionality disadvantages a customer or that auto-play or other strategy advice is misleading.
The gambling system must provide easily accessible facilities that:
The number of autoplay gambles must not exceed 100 in one batch. During auto-play the customer must be able to stop the autoplay regardless of how many autoplay gambles they initially chose or how many remain.
In relation to skill and chance games, strategy advice and auto-play functionality must be fair, not misleading and must not represent a poor choice.
In implementing this control, the following should be considered, where appropriate:
The gambling system must require a customer to commit to each game cycle individually. Providing auto-play for slots is not permitted.
From 17 January 2025 the following requirement will replace RTS 8.
Applies to: Gaming (including bingo)
To make clear that auto-play cannot be offered for online gaming.
The gambling system must require a customer to commit to each game cycle individually.
This requirement does not prohibit offering functionality to automatically post blinds in peer-to-peer poker.
Applies to:
Gaming (including bingo)
To ensure that progressive jackpot systems operate fairly.
An explanation of the jackpot rules must be clearly available to the customer before they commit to gamble.
Jackpot systems must be configured and operated with adequate fairness and security.
Applies to:
Peer-to-peer betting and gaming (including bingo)
To ensure that customers are treated fairly in the event of interrupted play or betting and that they are aware of how they will be treated if interruptions occur.
Operators must take all reasonable steps to ensure that their policies for instigating or dealing with service interruptions are fair and do not systematically disadvantage customers.
Systems must be capable of recovering from failures that cause interruptions to gambling, including where appropriate, the capability to void gambles (with or without manual intervention), the capability to suspend betting markets, and taking all reasonable steps to retain sufficient information to be able to restore events to their pre-failure state.
Operators must make available information about their policies regarding service interruptions in various different circumstances.
Operators should make information available to customers about how they will be treated in various common scenarios. However, this does not mean that operators have to detail all possible scenarios or responses to service interruptions.
Applies to:
Peer-to-peer gaming
To reduce the risk that cheating or collusion by players unfairly disadvantages another player and to inform customers about the risks posed.
Measures intended to deter, prevent, and detect collusion and cheating must be implemented. Gambling systems must retain a record of relevant activities to facilitate investigation and be capable of suspending or disabling player accounts or player sessions. Operators must monitor the effectiveness of their policies and procedures.
Information must be made available about the operator’s policies and procedures with regard to cheating, recovered player funds and about how to complain if a customer suspects other participants are cheating.
Applies to:
All gambling - except subscription lotteries
To provide customers with facilities that may assist them in sticking to their personal budgets for gambling with the operator. Customers must also be given the option to set financial limits at an account level.
The gambling system must provide easily accessible facilities that make it possible for customers to impose their own financial limits. Customers must be given the opportunity to set a limit as part of the registration process (or at the point at which the customer makes the first deposit or payment).
All reasonable steps must be taken to ensure that customer-led limits are only increased at the customer’s request, only after a cooling-off period of 24 hours has elapsed and only once the customer has taken positive action at the end of the cooling off period to confirm their request.
Where possible (for instance, unless systems/technical failures prevent it) limit reductions are to be implemented within 24 hours of the request being received. In addition, at the point at which the customer requests a decrease in their limit, they should be informed when the limit reduction will take effect.
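Added example (not part of the Commission's text): a minimal Python model of the limit-change rules described above, in which a reduction takes effect at once and an increase needs both the 24-hour cooling-off period and a separate confirmation by the customer. The class and method names, the use of pence, treating "no limit" as the loosest setting, and cancelling a pending increase when a reduction arrives are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLING_OFF = timedelta(hours=24)  # cooling-off period stated in the requirement


@dataclass
class PendingIncrease:
    new_limit: Optional[int]  # pence; None means "remove the limit"
    requested_at: datetime


class CustomerLimit:
    """One customer-set financial limit. Hypothetical model; amounts in pence."""

    def __init__(self, limit: Optional[int] = None):
        self.limit = limit    # None = no limit set
        self.pending = None   # at most one PendingIncrease at a time
        self.audit = []       # (timestamp, message) trail for later review

    @staticmethod
    def _is_increase(current: Optional[int], new: Optional[int]) -> bool:
        if current is None:
            return False  # nothing is looser than "no limit"
        return new is None or new > current

    def request_change(self, new_limit: Optional[int], now: datetime) -> dict:
        """Handle a customer's request; returns what to tell the customer."""
        if new_limit is not None and new_limit < 0:
            raise ValueError("limit cannot be negative")
        if self._is_increase(self.limit, new_limit):
            # The increase is only recorded. The current limit stays in force.
            # A repeated request restarts the clock (assumption).
            self.pending = PendingIncrease(new_limit, now)
            self.audit.append((now, f"increase to {new_limit} requested"))
            return {"status": "pending", "confirm_from": now + COOLING_OFF}
        # Reduction, or first limit on an unlimited account: apply immediately,
        # which is inside the 24-hour window, and report when it takes effect.
        self.limit = new_limit
        self.pending = None  # assumption: a reduction cancels a pending increase
        self.audit.append((now, f"limit set to {new_limit}"))
        return {"status": "applied", "effective_at": now}

    def confirm_increase(self, now: datetime) -> bool:
        """Positive action by the customer at the end of the cooling-off period."""
        p = self.pending
        if p is None or now < p.requested_at + COOLING_OFF:
            self.audit.append((now, "confirmation rejected"))
            return False  # a too-early confirmation leaves the request pending
        self.limit, self.pending = p.new_limit, None
        self.audit.append((now, f"increase to {self.limit} confirmed"))
        return True

    def deposit_allowed(self, already_deposited: int, amount: int) -> bool:
        """Check a deposit against the limit that is actually in force."""
        return self.limit is None or already_deposited + amount <= self.limit


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 12, 0)  # constructed timestamps
    lim = CustomerLimit(10_000)
    print(lim.request_change(20_000, t0))
    print(lim.confirm_increase(t0 + timedelta(hours=1)), lim.limit)
    print(lim.confirm_increase(t0 + timedelta(hours=24)), lim.limit)
```

Because the limit in force changes only inside `confirm_increase`, the passage of time alone never raises a limit.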
Applies to:
In respect of requirement RTS 13A – All remote gambling except telephone gambling.
In respect of RTS 13B – Remote gaming (including bingo but excluding peer to peer gaming), remote instant win lotteries and high frequency lotteries.
In respect of RTS 13C – Slots. From 17 January 2025 this applies to Casino (excluding peer to peer poker).
To provide customers with facilities to assist them to keep track of the time they spend gambling.
Where the gambling system uses full screen client applications that obscure the clock on the customer’s device the client application itself must display the time of day or the elapsed time since the application was started, wherever practicable.
The gambling system must provide easily accessible facilities that make it possible for customers to set a frequency at which they will receive and see on the screen a reality check within a gaming session. A ‘reality check’ means a display of the time elapsed since the session began. The customer must acknowledge the reality check for it to be removed from the screen.
A clear explanation of how the reality check is implemented must be provided to players so they are aware of how they can use it to assist them in managing their gambling. Where possible a player’s preferences should be applied to all future account logins or gaming sessions (where applicable). If this is not possible players must be provided with clear information that explains that they will have to set a reality check for each account login or gaming session.
The elapsed time should be displayed for the duration of the gaming session.
Applies to:
In respect of requirements RTS 14A and 14B – All gambling
In respect of requirement RTS 14C – Slots. From 17 January 2025 this applies to Casino (excluding peer-to-peer poker).
In respect of requirement RTS 14D – Slots.
In respect of requirement RTS 14E and 14F – Slots. From 17 January 2025 this applies to Casino.
In respect of requirement RTS 14G – Casino (excluding slots and peer-to-peer poker). This requirement comes into force 17 January 2025.
To ensure that products are designed responsibly and to minimise the likelihood that they exploit or encourage problem gambling behaviour.
Gambling products must not actively encourage customers to chase their losses, increase their stake or increase the amount they have decided to gamble, or continue to gamble after they have indicated that they wish to stop.
Consumers must not be given the option to cancel their withdrawal request.
Once a customer has made a request to withdraw funds, they should not be given the option to deposit using these funds. Operators should make the process to withdraw funds as frictionless as possible.
The gambling system must not offer functionality which facilitates playing multiple slots games at the same time.
It must be a minimum of 2.5 seconds from the time a game is started until the next game cycle can be commenced. It must always be necessary to release and then depress the ‘start button’ or take equivalent action to commence a game cycle.
A game cycle starts when a player depresses the ‘start button’ or takes equivalent action to initiate the game and ends when all money or money’s worth staked or won during the game has been either lost or delivered to, or made available for collection by the player and the start button or equivalent becomes available to initiate the next game.
A player should commit to each game cycle individually; continued contact with a button, key or screen should not initiate a new game cycle.
The gambling system must not permit a customer to reduce the time until the result is presented.
The gambling system must not celebrate a return which is less than or equal to the total stake gambled.
It must be a minimum of 5 seconds from the time a game is started until the next game cycle can be commenced. It must always be necessary to release and then depress the ‘start button’ or take equivalent action to commence a game cycle.
A game cycle starts when a player depresses the ‘start button’ or takes equivalent action to initiate the game and ends when all money or money’s worth staked or won during the game has been either lost or delivered to, or made available for collection by the player and the start button or equivalent becomes available to initiate the next game.
A player should commit to each game cycle individually; continued contact with a button, key or screen should not initiate a new game cycle.
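Added example (not part of the Commission's text): a small Python gate that decides which button events commence a game cycle under the two speed-of-play rules above, 2.5 seconds and 5 seconds measured start to start, with a fresh release-then-press required each time. The class name, the event format and the millisecond timestamps are assumptions. The gate checks only the minimum interval and the press transition, and does not model whether the previous cycle has been fully settled.

```python
from typing import List, Optional, Tuple

# Minimum start-to-start intervals from the two requirements, in milliseconds.
MIN_INTERVAL_2_5_S = 2_500
MIN_INTERVAL_5_S = 5_000


class StartGate:
    """Decides whether a 'start button' event commences a new game cycle.

    Hypothetical model. A gate like this belongs on the system that accepts
    the gamble, since a timer kept only in the client can be bypassed.
    """

    def __init__(self, min_interval_ms: int):
        self.min_interval_ms = min_interval_ms
        self.is_down = False                   # current button state
        self.last_start: Optional[int] = None  # time the last cycle started

    def on_event(self, kind: str, t_ms: int) -> bool:
        """Feed one event ('press' or 'release'); True means a cycle starts."""
        if kind == "release":
            self.is_down = False
            return False
        if kind != "press":
            raise ValueError(f"unknown event kind: {kind!r}")

        fresh_press = not self.is_down
        self.is_down = True
        if not fresh_press:
            # Key repeat or continued contact: never starts a cycle.
            return False
        if self.last_start is not None and t_ms - self.last_start < self.min_interval_ms:
            # Too soon. The button now counts as held, so the player must
            # release and press again once the interval has elapsed.
            return False
        self.last_start = t_ms
        return True


def cycle_starts(events: List[Tuple[str, int]], min_interval_ms: int) -> List[int]:
    """Return the timestamps at which a game cycle is allowed to start."""
    gate = StartGate(min_interval_ms)
    return [t for kind, t in events if gate.on_event(kind, t)]


# Constructed sample input: (event, milliseconds since session start).
SAMPLE_EVENTS = [
    ("press", 0),       # first start
    ("release", 100),
    ("press", 1_000),   # fresh press, but too soon after the start at 0
    ("press", 2_600),   # key repeat while still held: ignored
    ("release", 2_700),
    ("press", 2_800),   # fresh press, 2.8 s after the start at 0
    ("release", 2_900),
    ("press", 5_300),   # fresh press, exactly 2.5 s after the start at 2800
]

if __name__ == "__main__":
    print(cycle_starts(SAMPLE_EVENTS, MIN_INTERVAL_2_5_S))
    print(cycle_starts(SAMPLE_EVENTS, MIN_INTERVAL_5_S))
```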
Applies to:
Betting and peer-to-peer betting
To make the customer aware that they may not have the latest information available when betting on live events, and that they may be at a disadvantage to operators or other customers who have more up-to-date information.
Information must be made available that explains that ‘live’ TV or other broadcasts are delayed and that others may have more up-to-date information. Main in-play betting pages must include this information where practicable.
Applies to:
Peer-to-peer gambling
To make customers in peer-to-peer gambling aware that they may be gambling against a software program (designed to automatically participate in gambling within certain parameters, sometimes referred to as a bot), or a human aided by third party software.
Where peer-to-peer customers may be gambling against programs deployed by other customers to play on their behalf, or customers assisted by third party software, information should be made available that describes that this is possible, and if it is against the operator’s terms and conditions, how to report suspected use.
Operators must make it clear to players whether the use of third party software is permitted and if so which types. Operators that prohibit certain types of third party software must implement measures intended to deter, prevent, and detect their use.
Clear, accessible information about the types of software that are permitted or prohibited should be included within terms and conditions and the players guide³, as a minimum. This does not have to be an extensive list but could be a description of the key features of the software.
Where operators use programs to participate in gambling on their behalf in peer-to-peer gambling, easily accessible information must be displayed, which clearly informs customers that the operator uses this kind of software.
3 LCCP Social responsibility code 4.2.3
Applies to:
Gaming (including bingo)
To ensure that live dealer operations are fair.
Live dealer operations must be fair and independently auditable.
The following new section 4 will replace this section after 31 October 2024.
Standard – A.5 Information security policies
Standard – A.6 Organisation of information security
Standard – A.7 Human resources security
Standard – A.8 Asset management
Standard – A.9 Access Control
Standard – A.10 Cryptography
Standard – A.11 Physical and environmental security
Standard – A.12 Operations Security
Standard – A.13 Communications Security
Standard – A.14 System acquisition, development and maintenance
Standard – A.15 Supplier Relationships
Standard – A.16 Information Security Incident Management
Standard – A.18 Compliance
4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2013 standard.
4.2 This 2013 standard replaces ISO/IEC 27001:2005.
4.3 The Commission’s aim in setting out the security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. The Commission has highlighted those systems that are most critical to achieving the Commission’s aims and the security standards apply to these critical systems:
Objective A.5.1 Information security policy
Requirement A.5.1.1 Policies for information security
Requirement A.5.1.2 Review of the information security policy
Objective A.6.2 Mobile devices and teleworking
Requirement A.6.2.1 Mobile device policy
Requirement A.6.2.2 Teleworking
Objective A.7.2 During employment
Requirement A.7.2.2 Information Security Awareness, Education and Training.
Objective A.7.3 Termination or change of employment
Requirement A.7.3.1 Termination or change of employment responsibilities
Objective A.8.2 Information classification
Requirement A.8.2.3 Handling of assets.
Objective A.8.3 Media Handling
Requirement A.8.3.1 Management of removable media
Requirement A.8.3.2 Disposal of media
Objective A.9.1 Business requirements of access control
Requirement A.9.1.1 Access control policy
Requirement A.9.1.2 Access to network and network services
Objective A.9.2 User access management
Requirement A.9.2.1 User registration and de-registration
Requirement A.9.2.2 User access provisioning
Requirement A.9.2.3 Management of privileged access rights
Requirement A.9.2.4 Management of secret authentication information of users
Requirement A.9.2.5 Review of user access rights
Requirement A.9.2.6 Removal or adjustment of access rights
Objective A.9.3 User responsibilities
Requirement A.9.3.1 Use of secret authentication information
Objective A.9.4 System and application access control
Requirement A.9.4.1 Information access restriction
Requirement A.9.4.2 Secure log-on procedure
Requirement A.9.4.3 Password management system
Requirement A.9.4.4 Use of privileged utility programmes
Objective A.10.1 Cryptographic controls
Requirement A.10.1.1 Policy on use of cryptographic controls
Requirement A.10.1.2 Key management
Objective A.11.2 Equipment
Requirement A.11.2.1 Equipment siting and protection
Requirement A.11.2.7 Secure disposal or re-use of equipment.
Requirement A.11.2.8 Unattended user equipment
Objective A.12.1 Operational procedures and responsibilities
Requirement A.12.1.4 Separation of development, testing and operational environments.
Objective A.12.2 Protection from malware
Requirement A.12.2.1 Controls against malware
Objective A.12.3 Protect against loss of data
Requirement A.12.3.1 Information backup
Objective A.12.4 Logging and monitoring
Requirement A.12.4.1 Event logging
Requirement A.12.4.2 Protection of log information
Requirement A.12.4.3 Administrator and operator logs.
Requirement A.12.4.4 Clock synchronisation.
Objective A.13.1 Network security management
Requirement A.13.1.1 Network controls
Requirement A.13.1.2 Security of network services
Requirement A.13.1.3 Segregation in networks
Objective A.14.1 Security requirements of information systems.
Requirement A.14.1.2 Securing application services on public networks
Requirement A.14.1.3 Protecting application service transactions
Objective A.14.2 Security in development and support processes
Requirement A.14.2.1 Secure development policy
Requirement A.14.2.2 System change control procedures
Requirement A.14.2.3 Technical review of applications after operating platform changes
Requirement A.14.2.4 Restrictions on changes to software packages
Requirement A.14.2.5 Secure system engineering principles
Requirement A.14.2.6 Secure development environment
Requirement A.14.2.7 Outsourced development
Requirement A.14.2.8 System security testing
Requirement A.14.2.9 System acceptance testing
Objective A.14.3 Test Data
Requirement A.14.3.1 Protection of test data
Objective A.15.1 Information security in supplier relationships.
Requirement A.15.1.1 Information security policy for supplier relationships.
Requirement A.15.1.2 Addressing security within supplier agreements
Requirement A.15.1.3 Information and communication technology supply chain
Objective A.15.2 Supplier service delivery management.
Requirement A.15.2.1 Monitoring and review of supplier services
Requirement A.15.2.2 Managing changes to supplier services
Objective A.16.1 Management of security incidents and improvements
Requirement A.16.1.1 Responsibilities and procedures
Requirement A.16.1.2 Reporting information security events
Requirement A.16.1.3 Reporting information security weaknesses
Requirement A.16.1.4 Assessment of and decision on information security events
Requirement A.16.1.5 Response to information security incidents
Requirement A.16.1.7 Collection of evidence
Objective A.18.2 Information security review
Requirement A.18.2.1 Independent review of security policy
As an annual requirement, the last date for any licensee to complete a security audit against the 2013 standard will be 31 October 2024. All security audits conducted after 1 November 2024 must be conducted against the 2022 standard. This means by 31 October 2025 all relevant licensees will have completed a security audit based on the 2022 standard.
For clarity, any security audit up to 31 October 2024 can be against either the 2013 or 2022 standard.
The following section contains details of the relevant 2022 requirements which have been converted from the 2013 standard along with the addition of 5.23 ‘Information security for use of cloud services’ which was consulted on in summer 2023. The new section will replace the existing section 4 after 31 October 2024.
The following new section 4 will replace this section after 31 October 2024.
4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2022 standard.
4.2 This 2022 standard replaces ISO/IEC 27001:2013.
4.3 The Commission’s aim in setting out the security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. The Commission has highlighted those systems that are most critical to achieving the Commission’s aims and the security standards apply to these critical systems:
5.1 Policies for information security
5.10 Acceptable use of information and other associated assets
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.28 Collection of evidence
5.35 Independent review of information security
6.3 Information security awareness, education and training
6.5 Responsibilities after termination or change of employment
6.7 Remote working
6.8 Information security event reporting
7.8 Equipment siting and protection
7.10 Storage media
7.14 Secure disposal or re-use of equipment
8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.5 Secure authentication
8.7 Protection against malware
8.13 Information backup
8.15 Logging
8.17 Clock synchronisation
8.18 Use of privileged utility programs
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
Bingo* | Casino | Betting (Virtual) | Betting (Real event) | Betting (Peer-to-peer) | Subscription lotteries | Instant Win/High frequency lotteries | |
---|---|---|---|---|---|---|---|
RTS 1 – Customer account information | X | X | X | X | X | X | |
RTS 2 A-D – displaying transactions | X | X | X | X | X | X | X |
RTS 2E – displaying transactions (Slots) | X | ||||||
RTS 3 – Rules, game descriptions and likelihood of winning | X | X | X | X | X | ||
RTS 4 – time critical events | X | X | X | ||||
RTS 5 – result determination | X | X | X | X | X | X | X |
RTS 6 – Result determination for play for free games | X | X | X | X | X | ||
RTS 7 – Generation of random outcomes | X | X | X | X | X | ||
RTS 8 – Auto play functionality | X | ||||||
RTS 9 – Progressive jackpots | X | X | |||||
RTS 10 – Interrupted gambling | X | X | X | ||||
RTS 11 – Limiting collusion/cheating | X** | ||||||
RTS 12 – Financial Limits | X | X | X | X | X | X | |
RTS 13A – Time requirements | X | X | X | X | X | X | X |
RTS 13B – Reality checks | X*** | X*** | X | ||||
RTS 13C – Time requirements (Slots) | X | ||||||
RTS 14A&B – Responsible product design | X | X | X | X | X | X | X |
RTS 14C-F – Responsible product design (Slots) | X | ||||||
RTS 15 – In play betting | X | X | X | ||||
RTS 16 – Third party software | X** | X | |||||
RTS 17 – Live dealer studios | If applicable | If applicable | |||||
Security requirements**** | X | X | X | X | X | X | X |
The annex below will replace the existing annex after 17 January 2025.
Bingo* | Casino | Betting (Virtual) | Betting (Real event) | Betting (Peer-to-peer) | Subscription lotteries | Instant Win/High frequency lotteries | |
---|---|---|---|---|---|---|---|
RTS 1 – Customer account information | X | X | X | X | X | X | |
RTS 2 A-D – displaying transactions | X | X | X | X | X | X | X |
RTS 2E – displaying transactions | X | ||||||
RTS 3 – Rules, game descriptions and likelihood of winning | X | X | X | X | X | ||
RTS 4 – time critical events | X | X | X | ||||
RTS 5 – result determination | X | X | X | X | X | X | X |
RTS 6 – Result determination for play for free games | X | X | X | X | X | ||
RTS 7 – Generation of random outcomes | X | X | X | X | X | ||
RTS 8 – Auto play functionality | X | X | |||||
RTS 9 – Progressive jackpots | X | X | |||||
RTS 10 – Interrupted gambling | X | X | X | ||||
RTS 11 – Limiting collusion/cheating | X** | ||||||
RTS 12 – Financial Limits | X | X | X | X | X | X | |
RTS 13A – Time requirements | X | X | X | X | X | X | |
RTS 13B – Reality checks | X*** | X*** | X | ||||
RTS 13C – Time requirements | X | ||||||
RTS 14A&B – Responsible product design | X | X | X | X | X | X | |
RTS 14C – Responsible product design (excluding peer-to-peer poker) | X | ||||||
RTS 14D – Responsible product design (slots) | X | ||||||
RTS 14E and 14F – Responsible product design | X | ||||||
RTS 14G – Responsible product design (excluding slots and peer-to-peer poker) | X | ||||||
RTS 15 – In play betting | X | X | X | ||||
RTS 16 – Third party software | X** | X | |||||
RTS 17 – Live dealer studios | If applicable | If applicable | |||||
Security requirements**** | X | X | X | X | X | X | X |
* The following standards apply to holders of remote bingo licences when making facilities available by means of remote communication in respect of games of bingo played on more than one set of premises: RTS 3, RTS 4, RTS 5, RTS 7, RTS 10 and RTS 14.
** Peer-to-peer gaming only
*** Excluding peer-to-peer gaming
**** The following categories of licences require the full security audit by an independent auditor: Remote betting – general (but not telephone only or trading rooms), remote betting (virtual events) pool and intermediary, remote casino, remote bingo, all host licences and remote lotteries (with entries greater than £250,000 per year).
NB: The table lists the main gambling variants as set out in the RTS. The standards that apply to a specific product will vary based on the underlying event. For example, the underlying event of pool betting will determine whether it is caught as betting (real event) or betting (virtual).