Remote gambling and software technical standards


 

Gambling software and remote operating licence holders (including ancillary remote betting licence holders) are required to comply with the Gambling Commission’s technical standards and requirements relating to the timing and procedures for testing. This requirement is set out in Condition 2.3 of the Licence conditions and codes of practice - consolidated May 2014.

What are the remote gambling and software technical standards?

Remote gambling and software technical standards - August 2009 details the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.

The remote technical standards (RTS) comprise the following:

  • RTS including information provision requirements.
  • Security requirements.

Technical standards

The technical standards cover:

  • customer account information
  • displaying transactions
  • rules, game descriptions and the likelihood of winning (Please note: RTS requirement 3C concerning the display requirements for the likelihood of winning has been amended to clarify that only one method of information display is required for each product offered to customers)
  • time-critical events
  • result determination
  • result determination for play-for-fun games
  • generation of random outcomes
  • auto-play functionality
  • skill and chance games with auto-play
  • interrupted gambling
  • limiting collusion/cheating
  • financial limits
  • time requirements
  • responsible product design
  • information provision (Annex A).

Transitional provisions in respect of the Technical standards: Gambling (Licensing and Advertising) Act 2014

The Commission has identified that there is a significant difference in respect of the requirement on auto-play functionality between the Commission’s RTS and the technical standards in other jurisdictions from where operators can currently legally operate in the British market.

We have considered this position and as a result we will not require compliance with the auto-play requirement as set out in the RTS from the date that licences are issued. Therefore operators will not have to make changes to the auto-play functionality of their games until further notice. Information on this has been provided in the online gambling FAQs.

Testing strategy for compliance with remote gambling and software technical standards

The Testing strategy for compliance with remote gambling and software technical standards - June 2014 details:

  • what we would normally consider to be the types of testing required in order for us to be satisfied that the technical standards are being met
  • who we consider appropriate to carry out that testing
  • the procedures for testing.

It discusses the testing strategy for assessing compliance with the Remote gambling and software technical standards - August 2009.

Transitional provisions in respect of the Technical standards: Gambling (Licensing and Advertising) Act 2014

Following implementation of the Gambling (Licensing and Advertising) Act 2014 operators providing facilities for gambling to British customers who currently do so in reliance on their EEA or White List jurisdiction licences or other permissions will be subject to the Gambling Act’s licensing regime for the first time. Under transitional provisions, such operators who make “advance applications” for appropriate Gambling Commission licences will be entitled to “continuation licences” pending determination of those applications.

The Commission is mindful that some such new licensees will not have had their gambling systems or products tested against the Commission’s Remote gambling and software technical standards in the precise manner, or at the level, detailed in sections 2 and 3 of the Testing strategy for compliance with remote gambling and software technical standards - June 2014.

The Commission has set out the transitional arrangements for third party testing in Annex A of the Testing strategy for compliance with remote gambling and software technical standards - June 2014.

Operators seeking to obtain a licence in accordance with the transitional provisions must include with their application a spreadsheet (Existing games information) and complete a declaration that the games comply with the Commission’s RTS.

Security requirements

We have based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2005 standard. A full copy of the British Standards can be obtained from BSI Customer Services (cservices@bsigroup.com).

The security requirements detail information security standards with the aim of ensuring that operators have appropriate controls in place so that customers are not exposed to unnecessary risks when choosing to participate in remote gambling.

The requirements apply to:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information - for example, credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems) 
  • communication networks that transmit sensitive customer information.

Transitional provisions in respect of the Technical standards: Gambling (Licensing and Advertising) Act 2014

The Commission is aware that ISO/IEC 27001:2005 has been amended and updated to ISO/IEC 27001:2013 and that sections listed in section 5 of the RTS have been superseded with new sections. We are currently reviewing the impact of those changes and intend to update the RTS as soon as possible with the appropriate sections under ISO/IEC 27001:2013.

Meanwhile, in the case of all new licensees (whether or not they were issued with continuation licences) who have not been audited against these specific sections, or have not been certified against the full standard, the Commission expects that a copy of the third party annual security audit against ISO/IEC 27001:2005 or a copy of full certification against ISO/IEC 27001:2005 or ISO/IEC 27001:2013 will be provided within 6 months of the issue of their licence or continuation licence as the case may be.

The Commission has set out the transitional arrangements for compliance with the security audit requirements in Annex B of the Testing strategy for compliance with remote gambling and software technical standards - June 2014.

Page last reviewed: June 2014
