Skip to main content

Testing strategy for compliance with remote gambling and software technical standards

Contents

Summary

The Testing strategy for compliance with remote gambling and software technical standards (the testing strategy) sets out the Gambling Commission’s requirements for the timing and procedures for the testing of remote gambling products (ie games and software). This sets out: 

  • what the Commission considers to be the types of testing required in order for it to be satisfied that the technical standards are being met 
  • the circumstances in which independent third party testing is required and who the Commission considers appropriate to carry out that testing 
  • the procedures for testing. 

This is issued in accordance with sections 89 and 97 of the Gambling Act 2005 and Condition 2.3 of the Commission’s Licence conditions and codes of practice (LCCP). The Act allows for the Commission to set technical standards and allows for administration of testing, whilst the LCCP requires relevant licensees to comply with the Commission’s technical and testing requirements (non-compliance with the RTS would be considered a breach of a licence condition and therefore reportable as an LCCP event notification).

The Commission has an outcome based approach to compliance with its technical standards. In a similar manner, the Commission takes a risk based approach to producing the testing requirements taking into account:

  • the likelihood of non-compliance occurring 
  • the impact of non-compliance
  • the means available to assess compliance, and the burden imposed by the approach.  

Remote technical standards (RTS)

This testing strategy should be read in conjunction with the Remote gambling and software technical standards (RTS). The RTS can be categorised into two main areas: 

  • The technical standards covering how remote gambling should be offered including the fairness of games, player account functionality and other information provision aspects.
  • Security standards covering the licensee’s Information Security Management System.

While we would expect licensees to at all times ensure they are compliant with all aspects of the RTS we have designated certain aspects for which an element of independent compliance assurance is required. Table 1 sets out the level of assurance required for testing against different technical standards. 

Pre-release testing and annual game testing audits

The testing strategy sets out the circumstances in which independent third party testing is required. The Commission maintains and has published a list of approved test houses that can perform third party testing. Licensees and their chosen test house will need to agree the scope of testing and this must be sufficient to ensure that testing will adequately assess compliance with the Commission’s standards and meet the level of testing required under this strategy.

For the technical standards this external assurance mainly applies to the fairness elements of RNG driven products such as casino, bingo and virtual betting. Licensees must ensure that all new products have been adequately tested by an approved test house prior to release and evidence of this (test report) has been supplied to the Gambling Commission (where a licensee relies on a B2B for the provision of games they will receive a games register reference from the B2B which, once uploaded to their games register in eServices, links test reports).

Some retesting will be required for updates to existing games that affect a game’s fairness. This strategy outlines what type of updates will generally constitute something requiring external retesting (called a major change) and what can be updated solely in reliance on internal processes and testing (minor changes). 

To ensure licensees are correctly categorising changes (ie major or minor) and following defined procedures for the development, testing, release and RTP monitoring of games an annual games testing audit will be required (Section 4). This audit will be conducted by an approved test house and will apply to those licensees who develop, update and procure the external testing of RNGs and games.

Security standards – annual security audit

The information security standards are based on the international standards ISO 27001 and cover all critical gambling systems and operations. Applicable remote licensees need to undergo an annual security audit conducted by an independent and suitably qualified auditor. Results of the audit, along with a management response to any findings, need to be submitted to the Commission (Section 7). 

Live dealer operations – compliance inspections

The June 2017 RTS introduced standards (RTS 17) for the operation of live dealer studios. The new requirements will apply to any live dealer licensed by us. For compliance assurance purposes, where the studio has been audited by another jurisdiction, and that audit sufficiently covers the provisions set out in RTS 17, then it won’t be necessary to obtain another audit just for our purposes. If no relevant audit has been performed then one will be required to satisfy our compliance purposes.

Approach 

In deciding which aspects of the RTS will require an element of independent assurance, we considered the following:

  • The visibility of compliance. That is, how easy it is to see whether a system or game is compliant. For example, it is easy to see whether a licensee has mitigated the risk that a consumer will not understand the rules of the game by providing easily accessible information, whereas the underlying fairness of the game is more difficult to observe.
  • Potential impact of non-compliance.

Using these criteria, Table 1 sets out our current testing strategy and is divided into bold and not bold. These determine the risk and therefore the extent of the testing required against the relevant standard.

  • Not bold categories contain requirements which are capable of being tested and verified by the licensee.  
  • Bold categories contain requirements which must be assessed by a third party.

Table 1: General risk and compliance assurance activities

General risk description

Detailed risk examples (not exhaustive)

Relevant standard

Testing required/

assurance activities

Consumers are not provided with sufficient information about their gambling activity, pertinent information about the site/licensee's policies, and/or the rules of the gambling.

Consumers do not understand what they are gambling on

Consumers are not aware of their previous gambling activity

Consumers are not made aware of pertinent information about the site (eg the use of automated gambling software)

Consumers are not made aware of the likelihood of winning

Consumers not easily able to keep track of their current balance.

RTS 1A, 1B, 1C, 2A, 2B, 2D, 3A, 3B, 3C, 3D, 4B 9A, 11B, 15A, 16A, 16B, 16C

 

Licensee verifies presence of required material accompanying live* gambling products, eg on websites, mobile phones, or in printed material.

Consumers suffer financial loss because the results of virtual games or other virtual events are not generated fairly.

Consumers suffer unfair financial loss because the random number generator (RNG) is not ‘random’

Consumers suffer unfair financial loss because scaling/mapping components do not produce the expected (‘random’) distribution of game outcomes.

RTS 7A (including mechanical RNGs except for exempt lotteries and live dealer physical devices such as roulette wheels and decks of cards)

Approved third party test house performs statistical analysis of RNG and outputs (including scaling and mapping if included within RNG), prior to release.

Consumers suffer financial loss because games, progressive jackpots or virtual events contain incorrect/malicious code components that do not operate in accordance with the published rules of the game.

Consumers suffer unfair financial loss because scaling and/or mapping components contain incorrect/malicious code that causes the game to operate outside the published rules

Consumers suffer unfair financial loss because the actual RTP% is not in line with the expected value/s.

Consumers are misled about the likelihood of winning because games display unrealistic ‘near misses’, or do not accurately reflect the probabilities of simulated real devices

Consumers do not understand game operation due to the game not implementing the rules correctly, or by not displaying results clearly.

Progressive jackpot’s do not increment or trigger as per the rules.

 

RTS 7B, 7C, 7E, 9B(b) and 9B(d)

Approved third party test house examines the game (including any scaling and mapping components) via maths verification, source code analysis and game play to assess whether they operate in accordance with the rules of the virtual game or event, prior to release. 

RTS 3A-C and RTS 7B: While test houses aren’t expected to assess how game rules are made available to players (rules easily accessible via hyperlinks etc), it is expected that they review the game display and content of player facing rules to see they accord with the maths and enable players to verify game outcomes. 

RTS 9 Progressive Jackpots: Test houses should verify the designs and jackpot trigger functionality to ensure it is capable of delivering the stated RTP.

Consumers’ gambles are not settled in accordance with the licensee's rules, game rules and/or bet rules

Consumer suffers financial loss because games don’t operate in accordance with the rules.

RTS 5A

In addition to pre-release in-house and any required external testing licensees must monitor the performance of games to ensure they operate in accordance with the rules. Approved third party test house assesses performance monitoring measures in place annually. Refer to Section 5 – Live RTP Monitoring.

Consumers are unfairly disadvantaged or misled by system design or functionality.

Betting odds fluctuate after consumer request is made.

Consumers unfairly disadvantaged by games that are affected by network or end-user systems performance.

Consumers do not know what rules apply because rules are changed during play.

Progressive jackpot parameters are altered affecting RTP.

RTS 2C, 4A, 7D, 9B(a), 9B(c)

Product testing must be conducted prior to release by licensee**.

Internal control procedures, for example, game configuration change control, release and performance management.

Consumers are able to exploit methods of cheating and collusion to disadvantage other consumers.

Consumers experience unfair financial losses because other consumers cheat or collude.

RTS 11A

Where technical solutions are implemented, testing must be conducted prior to release by licensee**.

Consumers are misled about the likelihood of winning due to behaviour of play-for-free games.

Play-for-free games do not implement the same rules as the corresponding play-for-money games.

RTS 6A

Product testing must be conducted prior to release by licensee**.

Consumers are placed at a higher risk from irresponsible gambling because responsible gambling facilities do not work correctly or are not provided.

Consumers who want to use some form of personal spending limit to control the amount that they gamble are unable to do so because they are not provided

Consumers using spending limits spend more than they intended because the limit is not properly enforced.

RTS 12A, 12B, 13A, 13B

Product testing must be conducted prior to release by licensee**.

Consumers suffer financial loss because systems are unable to adequately recover from or deal with the effects of service interruptions.

Consumers suffer unfair financial loss because they are unable to remove a bet offer when a betting market changes

Consumers suffer unfair financial loss because they are unable to complete a multi-state game due to insufficient data being appropriately stored.

RTS 10B

Product testing must be conducted prior to release by licensee**.

Consumers are treated unfairly in the event of a service interruption.

Consumers are unable to make an informed choice about whether to gamble on multi-state games or events, because the licensee’s policies are not published

Licensee’s policy is systematically unfair in the event of a service interruption, that is, always operates in the licensees favour.

RTS 10A, 10C

Licensee verifies that policies are easily available and accompany live* gambling products.

Licensee verifies performance management of system availability.

Consumers placed at greater degree of risk from irresponsible gambling because products are designed to exploit or encourage problem gambling behaviour.

Irresponsible product design encourages consumers to gamble more than they intended or to continue gambling after they have indicated that they wish to stop

Consumers spend more than they intended because auto-play restrictions not in place to limit the number or value of transactions that can take place without consumer interaction.

RTS 8A, 8B, 14A

Where appropriate (eg auto-play implementation), product testing must be conducted prior to release by licensee**.

Consumers suffer financial loss because the results of live dealer operations are not generated fairly.

Live dealer equipment contains bias or dealer procedures flawed resulting in unfair gambling provision.

RTS 17A

Licensees administering live dealer operations must seek independent assurance their operation conforms to requirements. Assessment to be conducted by a gambling regulator or test house.

Game integrity compromised because licensees do not implement adequate security.

Consumers suffer unfair financial loss because weaknesses in game security are exploited.

Security

Annual security audit carried out by qualified and independent third party***.

Consumer data or information is disclosed to unauthorised entities because system security is inadequate.

Confidential consumer information is disclosed to unauthorised entities leading to criminal or inappropriate use of consumer information.

Security

Annual security audit carried out by qualified and independent third party***.

Consumer information is lost due to inadequate security, backup or recovery provisions.

Consumers suffer unfair financial loss where the content and/or value of consumer transactions (gambles) is irrecoverably lost due to inadequate system security, backup and/or recovery provisions

Consumers suffer unfair financial loss where consumer account information is irrecoverably lost, for example, the current value of their deposits with the licensee, due to inadequate system security, backup and/or recovery provisions.

Security

Annual security audit carried out by qualified and independent third party***.

* Remote gambling products that are available to consumers. All licensees are responsible for meeting and verifying these requirements (not in bold).

** Good practice sets out the circumstances in which licensees will be permitted to carry out their own testing of gambling products.

*** Third party annual security audit explains security auditor requirements.

 

Back to contents list

Testing strategy for compliance with remote gambling and software technical standards

387 KB Download

The changes in the November 2018 version of the testing strategy

PDF with tracked changes

292 KB Download

Annual games testing audit template

90 KB Download