11-Mar-2010
|
|
|
IGC Regulation Position Statement ~ Considerations for Industry |
IGC Regulation Position Statement ~ Considerations for Industry
Objective
The birth of any new industry is generally accompanied by growing pains and more often than not severely conflicting interests. The online gaming industry is no exception. There are those who would prefer that the industry not grow and become established and there are those who wish to see it not only survive but thrive and prosper. Those seeking to nurture and
develop the industry, establish ground rules for its operation and more times than not, so many ground rules are put forth that they become confusing and sometimes contradictory. Nevertheless, over time major concerns are made apparent and responses to those concerns coalesce.
It is the objective hereof, therefore, to identify those major concerns and provide a reasonable and sensible response and position regarding those concerns with an eye toward the eventual adoption and formulation these responses into a recognized set of International Standards.
1. Guiding Principles
At an operational level, the principles of fairness, security and accountability are commonly held to be the key concerns to be addressed. Protection of revenue, freedom from criminal association and public policy issues will also have an impact on an operator, varying in priority from jurisdiction to jurisdiction. In the context of a broader global market there will be additional considerations, for example, appropriate anti-money laundering compliance procedures, possible tax remittance, mutual recognition of licenses / approvals, portability of approvals / transfers and multi-jurisdiction jackpots to name a few, significant considerations in terms of reducing the cost of compliance for operators and providing a commercially viable environment for both the operator and the jurisdiction, at the same time ensuring appropriate levels of compliance are satisfied and appropriate player protection measures are in place.
The criteria discussed in this document are intended as high-level, minimum requirements and are not intended to be an exhaustive list of specific requirements. Where technical criteria of the jurisdiction in which an operator is licensed need to be satisfied, for example, as a condition of license, the criteria of the licensing jurisdiction shall always take precedence.
General background guiding principles that are critical to ensuing the suitability of online gambling operations include, but are not limited to:
· Probity of operator, including honesty and integrity of key individuals, games software developers / providers and payment processors.
· Integrity of product – fairness, accountability, security.
· Financial viability of operator.
· Expertise of operator.
· Player protection measures - including, but not limited to dispute resolution, blocking of access by minors and procedures to curtail problem / compulsive gambling.
· Advertising controls – agreement on an industry standard for appropriate advertising (refer to the IGC Advertising Code of Practice -- http://www.igcouncil.org/read_news2.php?id=212).
· Anti-money laundering compliance program (FATF requirements—see also IGC’s submission to FATF for further clarification of the IGC’s position — http://www.igcouncil.org/read_news2.php?id=76).
Operators must comply with each of these requirements prior to accreditation being forthcoming and must demonstrate continuing compliance on a regular basis. This should be accomplished by the licensing authority itself, a government agency, a testing facility recognized by the licensing authority or another body recognized by the licensing authority as being appropriately skilled for specific tasks.
Recognition of the issues created by cross-border operations plus the difference among products (e.g. casinos, P2P, lottery, bingo, poker, sports betting, other) will also have an impact, as will the difference in the cultural acceptance of gambling and product types particular to jurisdictions. Technology should not influence the legality and or acceptance of gambling, or particular types of gambling, within a particular jurisdiction. In simple terms, games that are available to consumers in a regulated environment should also be available via the Internet.
Ultimately, the licensing authority, acting on behalf of a particular jurisdiction, must determine the methodology to be applied in assessing compliance.
2. Goals And Objectives
The following points are provided in an attempt to expand the Guiding Principles into more concrete terms. For example, these include provisions relating to minors, money-laundering, responsible gambling, good business practices, etc.
Regulatory Compliance: Evidence of a gaming license issued by the licensing jurisdiction should be clearly displayed to the consumer as well as access to the law and regulations of the jurisdiction in which the operator and / or software developer is licensed. Best efforts should be made to maintain an awareness of any binding legislative or judicial determinations that prohibit or limit operation in another jurisdiction. An operator shall abide by those limitations to the greatest extent technically feasible and shall make every reasonable effort to keep abreast of these requirements.
Equally, software developers are accountable for the integrity of the product that they license / sub-licence to operators and should be subjected to the same level of oversight. In some circumstances the software developer also provides behind the scenes support in the form of marketing and / or transaction processing / account maintenance. Software developers should therefore be aware of their responsibilities.
Payment processors should comply with, and be subjected to, the same level of scrutiny as other businesses involved in the financial sector, and ensure that adequate funds are available to honour commitments in a timely manner and in compliance with applicable rules and regulations of the financial sector / institutions. Payment processors have a specific responsibility to comply with anti-money laundering measures.
Accountability: the integrity of systems, algorithms and practices should be verified in accordance with best practices methodologies deemed acceptable by the licensing jurisdiction and in a manner that best protects proprietary information. This should be as transparent as is possible, having regard to commercial sensitivity, proprietary matters and privacy.
Consumer Privacy and Data Protection: the privacy and confidentiality of consumers is to be protected and controls established to detect and eliminate fraud and to protect data and the system from internal and external breaches. Industry representatives should adhere to the privacy and data protection requirements of applicable laws, or, if silent, to requirements such as included in the British Code of Advertising, Sales Promotion and Direct Marketing (The CAP Code -- http://www.asa.org.uk/index.asp).
Truth in Advertising: refer to the IGC’s Advertising Code of Practice as a standard (http://www.igcouncil.org/read_news2.php?id=212).
Dispute Resolution and Audit Trails: prompt and efficient dispute resolution is to be provided, assisted by the retention of detailed transaction records which will be archived, accessible and auditable by any authorized licensing or governmental authority within a jurisdiction in which an operator holds a gaming licence. Complainants should have ready recourse to customer service and, failing resolution, to the licensing authority or appropriate mediating body.
Limiting Access by Minors: controls to prohibit minors from accessing gaming systems are to be implemented. Procedures are to be in place to make every reasonable effort to verify age and identity and to corroborate this information whenever a customer accesses an online gambling site. The necessary age information, and potential legality, should be submitted by players during the registration process and verified by appropriate identification presented at the time of each gaming session and withdrawal. Operators should clearly state on each gaming site that underage gambling is not permitted and withdrawals will not be processed with out sufficient proof of identity. Operators should work closely with organizations such as the Internet Content Rating Association (ICRA - www.icra.org) that provide tools to assist with restricting access by minors to specific Internet content.
Excluded Persons: systems should provide for the exclusion of a player at the player’s request or as determined by the operator or licensing authority.
Problem / Compulsive Gambling: there should be in place systems and controls to identify and curtail compulsive gambling. The procedures instituted should include the ability for a player to set bet / loss limits, possibly win limits and provision of referral and direct access to help and counselling organizations. Operators should strongly consider problem gambling training for staff, and assignment of a key contact person for issues involving compulsive gambling. Consideration should also be given to cooperation within industry, including regulators, to establish a system whereby problem gamblers cannot simply hop from one site to another.
Anti-Money Laundering Requirements. Banking and financial affairs will be conducted in accordance with generally accepted standards of internationally recognized banking institutions. Operators shall ensure compliance with applicable laws pertaining to transaction reporting and anti-money laundering with appropriate internal control programs implemented. Compliance with the FATF Forty Recommendations, if not a result of the licensing jurisdiction’s requirements, should be adopted by operators. The revised Forty Recommendations (http://www1.oecd.org/fatf/pdf/40Recs-2003_en.pdf) now apply not only to money laundering but also to terrorist financing, and when combined with the Eight Special Recommendations on Terrorist Financing (http://www1.oecd.org/fatf/SRecsTF_en.htm) provide an enhanced, comprehensive and consistent framework of measures for combating money laundering and terrorist financing.
Prize Payouts: ensure there is adequate financing available to pay all current and potential obligations and that working capital (irrespective of rolling reserves unless due for monthly release) is adequate to finance ongoing operations. Winnings and account balances should be paid promptly on demand unless legitimately disputed. The processing of withdrawals should occur within 24 hours of a request.
Corporate Citizenship: endeavour to design and implement their services in order that they preserve and protect environmental resources, avoid depiction of violence, hateful or offensive material and so that the services are user friendly and generally accessible to, and usable by, the handicapped.
3. System / Game Criteria
The laws and regulations of the licensing jurisdiction shall apply to all transactions, with all gaming deemed to occur at the operator’s server(s). The system is to be evaluated as required by the licensing authority before being made available to the public. The aim is to ensure the security of all transactions and to protect and secure the privacy of all data and information, specifically, from any unauthorized access or modification. Recognition of the internal Quality Assurance processes of the software developer may be required.
All gaming transactions are to be fully logged, both inputs and outputs, for singular and multi-level games, and not able to be altered without providing an audit trail of any change.
All financial transactions are to be fully logged, both inputs and outputs, and not able to be altered without providing an audit trail of any change. These are to be date and time stamped and able to identify participants involved in the transactions.
All games results are to be logged and not able to be altered without providing an audit trail of any change.
An operator is to retain information about all games played, including, but not limited to:
· The identity of the player, including the player account;
· The date and time each game, and gaming session, was initiated and completed, ideally with the ability to compare with GMT but identifying server time for the adjustment to be made as required;
· The currency being used during any conversion to / from “credits” and accounts, including the exchange rate used (if applicable);
· The balance on the player's account at the start and at the end of each game, and gaming session;
· The wager made in each game, including additional / incremental bets during the game (date and time stamped);
· The game status (in progress, complete, etc.);
· The result of the game (date and time stamped);
· Amount won or lost by the player; and
· Significant events (for example, large wins, abnormal events, changes to game parameters and due process) should be date and time stamped. A large win should be considered $10,000 as is consistent with cash transaction reporting or a monetary jackpot minimum consistent with land-based casino industry’s requirements for jackpot verifications.
The operator is to have a disaster recovery capability sufficient to ensure that player entitlements and an audit trail up to the point of a disaster are protected and available.
A malfunction of equipment, including games, will result in the voiding of the game and the return of affected bets to the player(s).
An interrupted game, unless not possible due to the type of the game, should have the ability to be completed the next time the player logs on to the site. For a multiple player game where at least one player is not able to continue, the game should be voided, unless the game outcome will not be affected by the inability of the player to continue. Where a game is voided any wager is to be retained by the operator and is to be made available for use by the player the next time the player logs on to the site.
Each game, including each version of a particular game, is to be uniquely identifiable for each transaction (including where one game comprises multiple transactions). Transactions data should be available for 12 months at a minimum notwithstanding other requirements placed on the operator and the consideration of the timeframe in which chargebacks or legal action could arise. FATF requires this information to be retained for five years.
Each game is to clearly display instructions on how to play the game and, if required, rules of play for a game, including the pay-table for all prizes and any special features, or is to have the rules readily accessible (provided separate to the game or within the game), including clearly stated minimum and maximum wager amounts. Each game must follow the instructions and game rules for the conduct of that game in respective licensing jurisdictions.
A player is to be able to withdraw his/her funds at any time other than where funds are in dispute.
The currency utilized during any conversion to / from “credits” and accounts, including the exchange rate used, is to be clearly advised to the player (if applicable).
Results of games, including events and games of skill and / or chance, are to be conveyed to the player in a timely manner.
Prizes for a game are to be clearly displayed to a player.
Any prize is only to be paid once and only paid to the player who won the prize(s), never to a third party. The prize(s) is only payable by the means displayed for that game and not in some other manner. Payments must be sent to the address given by the player upon registration, or as subsequently updated.
The player registration process must utilize every reasonable effort to uniquely identify the player to ascertain correct age and jurisdiction of residence. This can be used to prevent play by minors and to exclude a person.
A player, unless otherwise provided for in the rules, is to utilize only the one account that is personal to the player.
The player verification and registration processes must be able to decline participation by specified individuals, for example minors and excluded persons. The registration process must include a step in which the player is provided with the full text of the terms and conditions governing the account and the player must indicate his or her acceptance of those terms and conditions before an account can be established. An entry page to a registration or verification process should make mention that minors are not permitted to play. Any age verification process should ensure that a registrant cannot back track on an entry if the date is too recent i.e. the process should apply to a session and not allow somebody to click on the “Back” button and correct an erroneous date. The rationale for this requirement is that once the player hits “submit” or “register” or whatever such wording a site uses, they cannot re-submit the form within a certain time period but should be able to correct genuine mistakes. Where possible, real time age and identity verification should be applied.
The system is to have the ability to decline participation by residents of a particular jurisdiction. Ideally, restricted jurisdictions should be clearly stated to players on the operator’s web site or advised to a customer before registering as a player.
The operator is to have their records, including gaming related and financial records, audited in accordance with GAAP at least once a year.
On an ongoing basis, actual game results should be independently checked to ensure fairness. Actual game results should be checked against publicly available pay-out percentages and games criteria. Fairness is determined by assessing actual performance against a theoretical return to player or by ensuring that each game returns above a stipulated percentage return to player for that particular game and that, over time, after an acceptably high level of game play, the game should return no more than the expected house advantage to the operator. Again, the methodology applied is dependent upon acceptance by the applicable licensing authority.
Game results should not be able to be predetermined. Specifically, where utilized, the Random Number Generator, or any other “result generator” should be regularly evaluated to ensure results can not be predetermined. Special consideration is required for the likes of “in-play” betting and multi-player games.
The theoretical return to player (RTP) for a game is to be clearly displayed or readily identifiable. Regular audits of actual performance may also be made available to players. Play for free/fun games should have the return to player clearly available, at a minimum, in instances where the return to player for the play for fun/free version of the game differs from that of the “for real money” version of that game. There could be a case for the RTP for fun/free games to be the same as money games where that game is played for money. If a play for fun/free game is available and is not available as a “for real money” game the return to player should be displayed. Consideration should also be given to preventing minors from be able to participate in free play games.
The operator is to have in place a dispute resolution process that is clearly available to a player (for example, via a complaint email or live chat facility). Contact details for the licensing jurisdiction or a method agreeable to the licensing authority must also be readily available to the player to enable the player to take further action if not satisfied with the decision of the operator.
Players are to be able to obtain a record of their participation over the previous 12 months, highlighting, at a minimum, the amount/s deposited and withdrawn or paid, amount/s bet, the win/loss, and current account status.
Game advertising is not to be false or misrepresent the fairness of the game (chance of winning). Refer to the IGC Advertising Code of Practice (http://www.igcouncil.org/read_news2.php?id=212).
Rules, registration procedures, deposit/withdrawal options and associated fees, and payout percentages are to be made readily available to the public.
An explanation of rules for special promotions is to be clearly available to the public. In the case where a matter cannot be resolved, the funds are to be forfeited and to be used for a charitable purpose.
The name of the licensing authority is to be made readily available at the site. To facilitate customer complaints and to allow a customer to authenticate a gaming license, the operator is to provide a complainant with contact details, for example, email address, phone number, “snail mail” address and contact name and title, for the licensing authority.
There is to be contact information for, or a link(s) to, bodies that provide problem / compulsive gambling services. Consideration should be given to the cross-border nature of the product and the potential for a problem to be exported beyond the boundaries of the jurisdiction in which an operator is licensed.
The site is to be able to exclude a player upon written (including electronic) request from the player and require a cooling off period after a request for reinstatement. Consideration should also be given for a player to nominate a loss, or perhaps win, limit, with a similar cooling off period before changing the limit. The debate about whether or not to impose loss or win limits depends upon the particular school of thought arguing for either case. It is suggested that either is based upon the correct motivation. According to some experts, when supporting loss limits, is that the real “problem” gambling occurs when the player runs out of money and resorts to crime or otherwise using money that would need to go toward paying living expenses (feeding children, etc.). Any regulation should only deal with compulsive gaming concerns that an operator might be able to address. Hence, the player should be the person setting these limits and not the operator. The operator should provide the player with the option. The operator should predominantly display problem / compulsive gambling help sites and contribute to some of these organizations. When a player limits bet size and / or amount of loss / win in any given period of time, such requests must be strictly enforced by the operator.
The system is such that the operator is able to produce reports on transactions if and when required by an appropriately authorized body. There is also an obligation on an operator to initiate a report on suspicious activity to appropriate governmental authority/authorities, even if no action is required within a specific licensing jurisdiction.
The operator only utilizes the player’s information for the purposes related to the conduct of the game unless otherwise approved in writing by the player.
Jackpots with the participation of operators from more than one licensing jurisdiction will also require additional attention, at the discretion of the regulator. The licensing authority would have the ultimate control over any multi-jurisdictional agreement between operators.
4. Risk Management
From a risk management perspective, operators should (directly or indirectly) “scrub” transactions for fraudulent activity. An internal risk management database (addressing any issues related to data protection and human rights for keeping a database of this kind without inadvertently falling into a category of business being regulated by another body, for example a financial services authority) is to be utilized to assess consumer credit risks associated with prospective purchase transactions.
At a minimum, the risk management system should be capable of retaining information about negative experiences, such as an experienced charge back, incidence or inference of fraudulent use, blocked cards, and so forth. The operator may also elect to utilize a “positive” database.
Information in the database should be retained for a minimum of 6 months. Operators should be aware of the retention requirements of the jurisdiction in which they operate and the potential for charge backs to occur, for example, up to 6 months and possibly longer after the transaction. There is the need to comply with applicable data protection and privacy requirements in effect in the operator’s jurisdiction.
All data and information must be kept strictly confidential and well secured in an appropriately secure building and office. Pooled data must be kept secure; and if an independent third-party is utilized, that third-party organization must have an audited level of security.
There should be included a means by which a player has the ability to challenge information in a negative database where the player disputes the information. This may be at the discretion of the licensing authority or under applicable privacy / data protection laws in the licensing jurisdiction.
5. Methodologies
Ultimately, it is the responsibility of jurisdictions to determine the specific methodologies that best satisfy the criteria included in the Goals and Objectives section.
Notwithstanding, there are some areas of methodology with which all would agree. For example, to achieve the "reputable operator" goal / objective there must be thorough background checks of the business entity and principal individuals; to prevent money laundering appropriate controls should be in place and digital records of all transactions should be kept for a minimum of five years and so on.
It is the IGC’s desire for policy makers and gaming regulators from throughout the world to recognize that the development of international standards and strict regulation will achieve important policy goals. It is our goal to foster debate on the effective regulation of Internet gaming and how this regulation will provide additional government resources to protect children and problem gamblers through education or other programs, prevent money laundering and support important player protection measures.
This industry is still a relatively new phenomenon and requires thoughtful study. The complexities of Internet gaming demonstrate the complexities of traditional, regulated businesses evolving to the new, truly global marketplace created by the Internet. The position paper is presented as a brief overview of the most important issues involved with regard to Internet gaming and regulation.
|
|
|
|
