Testing strategy for compliance with remote gambling and software technical standards. First published August 2009




Testing strategy for compliance with remote gambling and software technical standards. First published August 2009. Updated July 2015

1 Introduction

1.1 Sections 89 and 97 of the Gambling Act 2005 enable the Commission to set technical standards for remote gambling systems and gambling software respectively, to make arrangements for the administration of tests of compliance with standards, and to provide for the enforcement of standards and submission to tests by attaching conditions to operating licences. Condition 2.3 of the Commission's Licence conditions and codes of practice (LCCP) requires gambling software and remote operating licensees (including betting ancillary remote licensees) to comply with the Commission's technical standards and with requirements set by the Commission relating to the timing and procedures for testing.

1.2 This document sets out the Commission's current requirements for the timing and procedures for testing referred to in that Condition. It discusses the testing strategy for assessing compliance with the Remote gambling and software technical standards (RTS).

1.3 The Commission's approach to setting technical standards is outcome based, to allow licensees flexibility as to the means of achieving the desired outcome. In a similar manner, the Commission takes a risk based approach to producing the testing strategy to ensure that its approach is reasonable, taking into account:
- the likelihood of non-compliance occurring
- the impact (on customers) of non-compliance
- the means available to assess compliance, and
- the likely burden imposed by the approach.

1.4 This document sets out:
- what the Commission would normally consider to be the types of testing required in order for it to be satisfied that the technical standards are being met
- who the Commission considers appropriate to carry out that testing
- the procedures for testing.

1.5 This is based on the potential impact of non-compliance on the customer and how obvious or easy it would be to determine whether a licensee and/or their systems are compliant.

1.6 There is scope for moderation or enhancement of the level of assurance required on these matters, dependent on the Commission's view of the likelihood that any particular risk will crystallise for an individual licensee. The Commission will also have regard to a licensee's compliance record when determining if the current level of assurance is adequate.

2 Approach

2.1 In deciding what testing, and what level of testing, licensees are required to submit to, we have categorised the visibility (vis) of compliance, that is, how easy it is to see whether a system or licensee is compliant. For example, it is easy to see whether an operator has mitigated the risk that a customer will not understand the rules of the game by providing easily accessible information, whereas the underlying fairness of the game is more difficult to observe.

Table 1: How visible is compliance?

  Visibility  Description
  Low         Compliance is difficult to determine by external observation; the functionality is within a technical solution rather than an obvious procedural solution, eg do games operate fairly? Does the game correctly implement the rules?
  Moderate    Moderately easy to spot non-compliance, eg does the operator have an internal policy and procedure that they follow or not?
  High        Easy to spot non-compliance; it is obvious whether something is compliant or not, eg are terms and conditions accessible on a website?

2.2 We have also categorised the potential impact (imp) on the customer of non-compliance into three levels, I, II or III, set out below.

Table 2: Degree of potential customer impact

  Impact  Description
  III     Unfair financial impact on customer(s). Potentially significant negative impact on responsible gambling. Loss of personal data.
  II      Easily rectifiable financial impact, eg incorrectly settled bets. Game rules misleading to the player.
  I       Inconvenience to customer(s), eg disabled website hyperlink. Temporary loss of access.

2.3 Using these criteria we have categorised the risks and associated mitigating requirements and controls into three categories (cat).

Table 3: Compliance assurance categories

  Category  Assurance category description
  3         Strongest degree of assurance required, normally requiring submission to a testing regime involving approved third parties.
  2         Moderate amount of assurance required, normally requiring the operator to present evidence that appropriate procedures are in place to assure compliance.
  1         Lightest touch; compliance to be assessed by the Commission, for example by checking that operators have published the required information.

2.4 The individual technical requirements have been categorised into groups of requirements which can be treated in a similar way in terms of the category of assurance that is required and the timing of any testing or other assessment. For each group of requirements we set out the proposed type of assessment and timing of assessment.

Table 4: Mapping of risk and visibility to assurance categories

  Impact   Visibility: high   moderate   low
  III                  2          2        3
  II                   1          1        2
  I                    1          1        1

2.5 The following table sets out the Commission's current requirements. These will be kept under review.

2.6 The table is divided into three colours, Green, Yellow and Red, which determine the risk and therefore the extent of the testing required against the relevant standard:
- Green categories contain requirements which are capable of being tested and verified by the licensee.
- Yellow categories contain requirements which are capable of being tested and verified by the licensee only where the licensee complies with the good practice guidelines (detailed in Section 6) and has provided the declaration of good practice as detailed in Section 3. Where licensees do not meet the good practice guidelines and/or have not provided a declaration to the Commission, testing of these categories must be carried out by an approved third party.
- Red categories contain requirements which must be tested and verified by an approved third party.

2.7 Evidence of all testing by the licensee for categories 1 and 2 must be retained. The Commission may require evidence of the testing upon request. Game/RNG test reports by external third parties must be submitted to the Commission prior to release of the game/RNG, as detailed in Section 3.

Table 5: General risk and compliance assurance activities

Each entry gives the general risk description, detailed risk examples (not exhaustive), impact (Imp), visibility (Vis), relevant standard, category (Cat) and the testing required/assurance activities.

Risk: Customers are not provided with sufficient information about their gambling activity, pertinent information about the site/operator's policies, and/or the rules of the gambling.
  Examples: Customers do not understand what they are betting on. Customers are not aware of their previous betting activity. Customers are not made aware of pertinent information about the site (eg the use of automated gambling software). Customers are not made aware of the likelihood of winning. Customers are not easily able to keep track of their current balance.
  Imp: II  Vis: H  Relevant standard: RTS 1A, 1B, 2A, 2B, 3A, 3B, 3C, 3D, 9A; IPA 1-7  Cat: 1
  Testing required/assurance activities: Licensee verifies presence of required material accompanying live* gambling products, eg on websites, mobile phones, or in printed material.

Risk: Customers suffer financial loss because the results of virtual games or other virtual events are not generated fairly.
  Examples: Customers suffer unfair financial loss because the random number generator (RNG) is not random. Customers suffer unfair financial loss because scaling/mapping components do not produce the expected (random) distribution of game outcomes.
  Imp: III  Vis: L  Relevant standard: RTS 7A, 7B (except mechanical RNGs and lotteries that use external events)  Cat: 3
  Testing required/assurance activities: Approved third party test house performs statistical analysis of RNG and game outputs, prior to release.

Risk: Customers suffer financial loss because games or virtual events contain incorrect/malicious code components that do not operate in accordance with the published rules of the game.
  Examples: Customers suffer unfair financial loss because the RNG contains incorrect/malicious code causing non-random output. Customers suffer unfair financial loss because scaling and/or mapping components contain incorrect/malicious code that causes the game to operate outside the published rules. Customers do not understand game operation due to the game not implementing the rules correctly.
  Imp: III  Vis: L  Relevant standard: RTS 7A, 7B, 7C  Cat: 3
  Testing required/assurance activities: Approved third party test house examines RNG, scaling and mapping components, source code and game play to assess whether they operate in accordance with the rules of the virtual game or event, prior to release.

Risk: Customers suffer financial loss because the result of the mechanical RNG is not fair, or because external events used to determine the result can be influenced.
  Examples: Customers suffer unfair financial loss because the RNG is not random. Customers suffer unfair financial loss because the external event used to determine the result can be influenced.
  Imp: III  Vis: M  Relevant standard: RTS 7A (only mechanical RNGs and lotteries that use external events)  Cat: 2
  Testing required/assurance activities: Licensee must satisfy themselves and provide evidence that the mechanical RNG meets the guidelines set out in the standards. Lotteries will need to retain evidence that the event is external and cannot be influenced.

Risk: Customers are unfairly disadvantaged or misled by game design or functionality.
  Examples: Customers are not aware of the result of the game. Customers do not know what rules apply because rules are changed during play. Customers are misled about the likelihood of winning because games that appear to simulate real devices do not accurately reflect the probabilities of the real device. Customers are unfairly disadvantaged by games that are affected by network or end-user system performance.
  Imp: III  Vis: M  Relevant standard: RTS 4A, 7C, 7D, 7E  Cat: 2
  Testing required/assurance activities: Where relevant (eg result display duration), product testing must be conducted prior to release by the licensee**. Internal control procedures, for example game configuration change control, release and performance management.

Risk: Customers are able to exploit methods of cheating and collusion to disadvantage other customers.
  Examples: Customers experience unfair financial losses because other customers cheat or collude.
  Imp: III  Vis: M  Relevant standard: RTS 11A  Cat: 2
  Testing required/assurance activities: Where technical solutions are implemented, testing must be conducted prior to release by the licensee**.

Risk: Customers' gambles are not settled in accordance with the operator's rules, game rules and/or bet rules.
  Examples: Customer suffers financial loss because bets are settled incorrectly (and not identified), or customer is temporarily inconvenienced where bets are settled incorrectly and have to be adjusted at a later time.
  Imp: III  Vis: M  Relevant standard: RTS 5A  Cat: 2
  Testing required/assurance activities: Product testing must be conducted prior to release by the licensee**.

Risk: Customers are misled about the likelihood of winning due to the behaviour of play-for-fun games.
  Examples: Play-for-fun games do not implement the same rules as the corresponding play-for-money games.
  Imp: III  Vis: M  Relevant standard: RTS 6A  Cat: 2
  Testing required/assurance activities: Product testing must be conducted prior to release by the licensee**.

Risk: Customers are placed at a higher risk from irresponsible gambling because responsible gambling facilities do not work correctly or are not provided.
  Examples: Customers who want to use some form of personal spending limit to control the amount that they gamble are unable to do so because it is not provided. Customers using spending limits spend more than they intended because the limit is not properly enforced.
  Imp: III  Vis: H  Relevant standard: RTS 12A, 12B, 13A, 13B  Cat: 2
  Testing required/assurance activities: Product testing must be conducted prior to release by the licensee**.

Risk: Customers suffer financial loss because systems are unable to adequately recover from or deal with the effects of service interruptions. Customers are treated unfairly in the event of a service interruption.
  Examples: Customers suffer unfair financial loss because they are unable to remove a bet offer when a betting market changes. Customers suffer unfair financial loss because they are unable to complete a multi-state game due to insufficient data being appropriately stored. Operator policy is systematically unfair in the event of a service interruption, that is, it always operates in the operator's favour.
  Imp: III  Vis: M  Relevant standard: RTS 10A  Cat: 2
  Testing required/assurance activities: Product testing must be conducted prior to release by the licensee**. Licensee verifies performance management of system availability.

Risk: Customers are unable to make an informed choice about whether to gamble on multi-state games or events, because the operator's policies are not published.
  Imp: II  Vis: H  Relevant standard: RTS 10B  Cat: 1
  Testing required/assurance activities: Licensee verifies that policies are easily available and accompany live* gambling products.

Risk: Customers are placed at a greater degree of risk from irresponsible gambling because products are designed to exploit or encourage problem gambling behaviour.
  Examples: Irresponsible product design encourages customers to gamble more than they intended or to continue gambling after they have indicated that they wish to stop. Customers spend more than they intended because auto-play restrictions are not in place to limit the number of transactions that can take place without customer interaction.
  Imp: III  Vis: H  Relevant standard: RTS 8A, 14A  Cat: 2
  Testing required/assurance activities: Where appropriate (eg auto-play implementation), product testing must be conducted prior to release by the licensee**.

Risk: Game integrity is compromised because operators do not implement adequate security.
  Examples: Customers suffer unfair financial loss because weaknesses in game security are exploited.
  Imp: III  Vis: L  Relevant standard: Security  Cat: 3
  Testing required/assurance activities: Annual security audit carried out by a qualified and independent third party***.

Risk: Customer data or information is disclosed to unauthorised entities because system security is inadequate.
  Examples: Confidential customer information is disclosed to unauthorised entities, leading to criminal or inappropriate use of customer information.
  Imp: III  Vis: L  Relevant standard: Security  Cat: 3
  Testing required/assurance activities: Annual security audit carried out by a qualified and independent third party***.

Risk: Customer information is lost due to inadequate security, backup or recovery provisions.
  Examples: Customers suffer unfair financial loss where the content and/or value of customer transactions (gambles) is irrecoverably lost due to inadequate system security, backup and/or recovery provisions. Customers suffer unfair financial loss where customer account information is irrecoverably lost, for example the current value of their deposits with the operator, due to inadequate system security, backup and/or recovery provisions.
  Imp: III  Vis: L  Relevant standard: Security  Cat: 3
  Testing required/assurance activities: Annual security audit carried out by a qualified and independent third party***.

* Remote gambling products that are available to customers. All licensees are responsible for meeting and verifying these requirements (in Green).
** Section 3 of this document sets out the circumstances in which operators will be permitted to carry out their own testing of gambling products (in Yellow).
*** Section 5 of this document explains security auditor requirements.

3 Procedure for testing

Third party test houses

3.1 The Commission has published a list of approved test houses that can perform third party testing. This will be updated as new test houses are approved. Licensees and their chosen test house will need to agree the scope of testing, and this must be sufficient to ensure that testing will adequately assess compliance with the Commission's standards and meet the level of testing required under this strategy.

3.2 To assist in understanding what level of testing will be accepted by the Commission and what would require approved external third party testing, we have detailed these below:

Level 1: Testing of the RNG, including source code review and scaling where appropriate, where the digital signature taken on the test platform is the same as that taken on the live environment. This testing must be conducted by an approved external third party test house.

Level 2: Review of game designs. This includes artwork, maths and theoretical RTP (no output testing).

Level 3: Full testing of game operation integrated on the platform. This involves verifying the software implementation of the game artwork, maths and theoretical RTP through testing of the game on the live environment (or a development/staging environment which is essentially the same as the live environment), verification of game rules, and actual RTP using simulation[1] and emulation[2] testing utilising the RNG tested under Level 1, where the digital signatures taken on the test platform are the same as those taken on the live environment. This testing must be conducted by an approved external third party test house.

3.3 Additionally, section 3.17 of the testing strategy sets out the circumstances when additional testing by an approved test house will be required. Additional third party testing of a game is required where the operating environment is different from the original testing environment, so where changes to the operating environment have occurred, additional external testing is required. This could be because the original testing was conducted on the game running on a platform or RNG that is different to the one intended for live operation (eg it was originally tested for use by a different operator using a different platform/RNG). It could also mean that since the game was tested the game, RNG, platform or other environmental variables have changed in a way that renders the original testing invalid (as the differences may affect the fairness of the game, or the game may no longer operate in accordance with the rules), hence testing under the new environment is required.

3.4 Where changes to a game or gambling system may affect game fairness and critical files and their relevant digital signatures change (including changes to game rules), these changes must be tested by an approved test house.

3.5 Licensees[3] must send the results of testing (ie a test house's game/RNG report) to the Commission on completion of satisfactory testing (but prior to release).

[1] Simulation (output) testing: setting the game up to play automatically for a high number of games (the actual number will depend on the volatility of the game as per the game maths) to verify that the actual RTP is within an acceptable range of the expected RTP. Sample data should be tester generated, unless supervised in a controlled environment for the purposes of meeting specific regulatory requirements. Software modified from the original to enable rapid play is permitted provided the tester has confidence that the modifications do not impact on the assessment of game fairness.

[2] Emulation testing is used to replicate certain rare game outcomes (such as jackpots, infrequent features and maximum prize).

[3] The following categories of licences require games and RNG testing by an independent test house (subject to a best practice declaration): remote betting general (but not telephone only or trading rooms), and pool, remote casino, remote bingo and remote lotteries (entries greater than £250,000 per year). Remote betting (if on virtual events) general (but not telephone only or trading rooms), pool, remote casino, remote bingo and remote lotteries (sales greater than £250,000 per year).
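Footnote 1 and the Level 3 description describe simulation (output) testing: play the game automatically for a large number of rounds and check that the observed RTP sits within an acceptable range of the theoretical RTP from the game maths. The following is an added example in Python; it is not the Commission's code or any test house's tooling. It assumes a constructed five-outcome paytable, a fixed-seed software RNG standing in for the RNG tested under Level 1, and an acceptance band of z standard errors derived from the paytable's own variance (the page only says the range depends on the game's volatility, so the band is an assumption). It also includes a scaling/mapping component with a constructed defect, to show how the scaling/mapping risk listed in Table 5 shows up in the simulated RTP.

```python
"""Simulation (output) test of a toy game's return to player (RTP).

Added example: the paytable, the defect and the acceptance band are all
constructed for illustration and are not taken from the testing strategy.
"""
import random
from fractions import Fraction

# Constructed paytable: (probability of outcome, prize per unit stake).
# Probabilities sum to 1; theoretical RTP is 0.96 (96%).
PAYTABLE = [
    (Fraction(1, 2), 0),     # no win
    (Fraction(3, 10), 1),    # stake returned
    (Fraction(3, 20), 2),
    (Fraction(1, 25), 4),
    (Fraction(1, 100), 20),  # rare top prize (what emulation testing targets)
]
PRIZES = [prize for _, prize in PAYTABLE]


def theoretical_rtp(paytable=PAYTABLE):
    """Expected return per unit stake, exact, from the game maths."""
    return sum(p * prize for p, prize in paytable)


def theoretical_sd(paytable=PAYTABLE):
    """Standard deviation of the return on a single round (the game's volatility)."""
    mean = theoretical_rtp(paytable)
    variance = sum(p * prize * prize for p, prize in paytable) - mean * mean
    return float(variance) ** 0.5


def outcome_bounds(paytable=PAYTABLE):
    """Cumulative upper bound of each outcome's slice of the RNG range [0, 1)."""
    bounds, total = [], Fraction(0)
    for p, _ in paytable:
        total += p
        bounds.append(float(total))
    return bounds


BOUNDS = outcome_bounds()


def map_outcome(draw):
    """Correct scaling/mapping: a uniform draw in [0, 1) selects one outcome."""
    for bound, prize in zip(BOUNDS, PRIZES):
        if draw < bound:
            return prize
    return PRIZES[-1]  # only reachable through floating point edge cases


def map_outcome_faulty(draw):
    """Constructed defect: the loop stops one entry early, so draws that
    should pay the top prize fall through and pay nothing."""
    for bound, prize in zip(BOUNDS[:-1], PRIZES[:-1]):
        if draw < bound:
            return prize
    return 0


def simulate_rtp(mapper, rounds, seed=0, stake=1):
    """Play `rounds` games automatically and return the observed RTP.
    A fixed seed makes the run reproducible; a real test would use the
    production RNG tested under Level 1 instead of random.Random."""
    rng = random.Random(seed)
    paid = 0
    for _ in range(rounds):
        paid += mapper(rng.random()) * stake
    return paid / (rounds * stake)


def assess(mapper, rounds=200_000, z=4.0, seed=0, paytable=PAYTABLE):
    """Compare observed and expected RTP. The tolerance is z standard errors
    of the mean for this many rounds, so a more volatile game needs more
    rounds for the same tolerance, as footnote 1 notes."""
    expected = float(theoretical_rtp(paytable))
    tolerance = z * theoretical_sd(paytable) / rounds ** 0.5
    observed = simulate_rtp(mapper, rounds, seed)
    return {
        "expected": expected,
        "observed": observed,
        "tolerance": tolerance,
        "pass": abs(observed - expected) <= tolerance,
    }


if __name__ == "__main__":
    print("correct mapping:", assess(map_outcome))
    print("faulty mapping: ", assess(map_outcome_faulty))
```

With the correct mapping the observed RTP lands within about two percentage points of 0.96; the faulty mapping never pays the 20x prize, so its RTP drops by about 0.20 and fails the band by a wide margin. A 200,000 round run at z = 4 would wrongly fail a correct game roughly once in 16,000 runs, which is the kind of trade-off a test house fixes when it sets the "acceptable range" for a given game's volatility.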

A new or updated game or RNG cannot be released until the testing has been completed and the report provided to the Commission.

3.6 For games, the report should include at least:
- test house details, including the test supervisor that signed off the testing
- licensee name
- date of testing
- certificate reference
- game details, including game name, return to player (RTP), software number and digital signature
- scope and approach to testing, ie testing completed against the Gambling Commission's technical standards, for example Level 3 testing of RTS 7B to 7D, 5A, 10A, etc, and a description of all tests applied
- platform supplier and platform version
- result of testing
- details of games/versions of games that the game supersedes
- where a limited scope of testing has occurred (such as testing changes to critical files/game rules) due to changes within a game, an updated games test report must be provided to the Commission, making reference to the original games test report, the changes made, the testing completed and the new digital signatures.

3.7 For RNGs, the report should include:
- test house details, including the test supervisor that signed off the testing
- licensee name
- date of testing
- certificate reference
- RNG details: a brief description of the RNG and its use, including RNG version, whether it is hardware and/or software, and digital signature
- scope and approach to testing, ie testing completed against the Gambling Commission's technical standards, in particular Level 1 testing of RTS 7A, 7B, and a description of all tests applied
- platform supplier and platform version
- result of testing.

3.8 The games/RNG reports should be emailed to: gamestesting@gamblingcommission.gov.uk

3.9 We have developed a remote games information (RGI) spreadsheet. On this spreadsheet, licensees are required to provide specific details for the platform, the RNG and each game offered under their licence. It contains the game, the RNG, the name of the software provider, the level of testing completed and who conducted it, amongst other items. The games and products documented on the spreadsheet must comply with the RTS.

3.10 For each new game or RNG released or withdrawn, changes to the games or platform, or further testing of existing games under the transitional provisions, the RGI spreadsheet must be updated, detailing the additions, deletions and/or changes in the relevant columns. Columns AB to AD have been added to the spreadsheet to identify and date the changes.

3.11 An updated RGI spreadsheet should be emailed to the Commission at gamestesting@gamblingcommission.gov.uk at least every three months.

3.12 The RGI spreadsheet version maintained by the licensee must at all times reflect the RNGs and the games (as well as the changes made to these) being offered to customers in reliance on the Commission licence. The version maintained by the licensee must be made available to the Commission upon request.

3.13 Once the testing certification report has been provided, the successfully tested product can be released into the live environment.

3.14 Licensees also need to make the full test and change control documentation available to the Commission on request. This would include all of the information required to complete the RGI spreadsheet, along with the details of the test information and the internal change control process followed, including management sign-off to release the product.

3.15 If a licensee intends to run an off-the-shelf product (eg a game developed by a Commission licensed third party software developer) they must ensure that the product is tested to Level 3 to confirm it meets the Commission's requirements.

3.16 If a Commission licensed third party software developer has already obtained satisfactory testing for its product by a Commission approved test house, the licensee can only rely on this testing if it is able to demonstrate that the testing conducted is sufficient for the environment the product or game will operate in. If the testing obtained by the Commission licensed software developer is sufficient for the environment the product will operate in, the licensee must send the test house report to the Commission prior to release and make the full results available to the Commission on request.

3.17 In circumstances where the operating environment differs from the testing environment, the licensee will be required to obtain further testing by an approved third party test house. The Commission must receive all relevant testing reports to show the testing is sufficient to cover the product or game in the operational environment prior to release. The licensee will also need to make the full test results available to the Commission on request.

3.18 Where the licensee contracts with another Commission licensed business which is providing facilities for gambling by managing or administering aspects of the gambling activity on behalf of the licensee, then both licensees must provide an RGI spreadsheet detailing all the games each party is offering. A copy of the game or RNG report is required to be supplied to the Commission by each licensee prior to that licensee releasing a new product, such as a new/changed game or RNG. An updated RGI spreadsheet clearly highlighting the additional/changed game(s)/RNG must be provided to the Commission at least each quarter.

3.19 The licensee's overall compliance with the technical standards and testing requirements (including those aspects requiring test house testing as well as internal testing) is the responsibility of the licensee.

Testing conducted by licensee

3.20 To be permitted to carry out their own testing of gambling products, licensees will be required to provide a declaration to the Commission that they follow good practice in development, testing and release control of gambling products and/or systems. This declaration should be provided to the Commission prior to any internal testing taking place. More details on what the Commission considers to be good practice can be found in section 6.

3.21 Table 5 details what testing can be carried out by licensees where this declaration has been provided to the Commission. Where the declaration has not been provided, the required testing must be carried out by an approved third party test house.

3.22 The Commission may, on request, require evidence from the licensee that it complies with its good practice guidelines.

3.23 All results from licensee testing must be retained and made available to the Commission on request.
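Paragraphs 3.4, 3.16 and 3.17 turn on whether the critical files and digital signatures in the live environment still match those recorded in the test house report; if they do not, the original testing no longer covers the product and further third party testing is needed. The following added example in Python (not the Commission's code nor any test house's) shows one way a licensee could make that check as part of release control. It assumes that a digital signature here means a SHA-256 digest of each critical file and that the report lists one digest per file; the testing strategy does not say which digest test houses use, so that is an assumption, and the file names and contents are constructed.

```python
"""Compare critical file signatures from the test report with the live environment.

Added example. The digest algorithm, file names and contents are assumptions
and constructed samples, not values from the testing strategy or a report.
"""
import hashlib


def signature(data: bytes) -> str:
    """Signature of one critical file. SHA-256 is an assumption: the testing
    strategy does not specify the digest a test house records."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each critical file path to its signature. `files` maps path to bytes."""
    return {path: signature(content) for path, content in files.items()}


def compare_manifests(tested: dict, live: dict) -> dict:
    """Compare the manifest recorded in the test report with the live one.

    Any changed, missing or added critical file means the live environment
    differs from the tested one (paragraph 3.17), so the release must wait
    for further testing by an approved test house (paragraph 3.4)."""
    changed = sorted(p for p in tested if p in live and tested[p] != live[p])
    missing = sorted(p for p in tested if p not in live)
    added = sorted(p for p in live if p not in tested)
    return {
        "changed": changed,
        "missing": missing,
        "added": added,
        "retest_required": bool(changed or missing or added),
    }


# Constructed sample: the critical files as they were on the test platform...
TESTED_FILES = {
    "games/fruit_spin/maths.bin": b"paytable-v1\x00\x96",
    "games/fruit_spin/rules.txt": b"Max bet 10. Top prize pays 20x.",
    "rng/rng_core.so": b"rng-core-build-1234",
}
# ...and as found in the live environment: the rules file was edited after
# testing, which is exactly the change paragraph 3.4 says must be re-tested.
LIVE_FILES = dict(TESTED_FILES)
LIVE_FILES["games/fruit_spin/rules.txt"] = b"Max bet 10. Top prize pays 25x."


def release_check(tested_files=TESTED_FILES, live_files=LIVE_FILES) -> dict:
    """Pre-release gate: True in 'retest_required' blocks the release."""
    return compare_manifests(build_manifest(tested_files), build_manifest(live_files))


if __name__ == "__main__":
    result = release_check()
    for key in ("changed", "missing", "added"):
        print(f"{key}: {result[key]}")
    print("retest required:", result["retest_required"])
```

Run against the constructed sample, the check reports `games/fruit_spin/rules.txt` as changed and blocks the release; run against two identical manifests it reports nothing and the product can go live under paragraph 3.13. In practice the "tested" manifest would be transcribed from the digital signatures in the test house report (paragraph 3.6) rather than computed from a local copy of the tested files.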

Testing and audit requirements for remote lottery licensees [4]

3.24 It is the Commission's view that lotteries in general pose a relatively low risk to the licensing objectives. This section sets out the criteria that apply to remote lottery licensees [4] (including external lottery managers) when determining specific testing and audit requirements.

3.25 Holders of remote lottery licences [4] that accept no more than £250,000 worth of entries per year by means of remote communication will not be required to submit their RNG for testing by a Commission approved test house or undertake a third party annual security audit.

3.26 Instead, and in terms of RNG testing, such licensees will need to demonstrate that:
- their RNG has been tested or verified as being fair and random by an independent and suitably qualified third party. This must be supported by documentary evidence
- they have policies and procedures in place which set out how they ensure the lottery draw is fair and open, and can produce evidence that these procedures are followed.

3.27 In terms of the third party security audit requirement, such lottery licensees will instead be required to demonstrate to the Commission on request that they comply with the RTS security requirements as set out in section 5 of the RTS.

3.28 Holders of such licences that accept more than £250,000 worth of entries by remote means per year will be required to meet the full RNG testing and third party security audit requirements as set out in table 5 above.

4 Transitional licensees - on-going testing and reporting - existing and new games

4.1 Licensees who have provided the Commission with the Remote Games Information (RGI) spreadsheet under the transitional provisions for operators with continuation rights will require further testing of their games or RNGs where the existing testing does not meet Level 3 (for games) or Level 1 (for RNGs), or because of subsequent changes which affect the digital signatures.
4.2 In these circumstances, licensees must provide a copy of the games or RNG test report to the Commission once that testing has been completed.

4.3 As the Commission expects licensees to have games currently available to customers in Great Britain tested over a period of time up to the permitted 12 months, we will require licensees to provide the Commission with updated RGI spreadsheets at least every three months. Where a licensee has a significant number of games that require further testing, the Commission may require more regular updates and details of the licensee's plans to ensure all games are tested within the 12 months. The transitional arrangements are intended to allow time for games that will continue to be offered to consumers after 1 November 2015 to be tested. They were not intended to be used to allow games not tested to Level 3 to be offered for the duration of the transitional period and removed from the British market at the end of that time.

[4] By lottery licensees we mean remote lottery operating licensees, converted lottery operating licensees (but only those licensees that run remote lotteries themselves or via a lottery manager) or remote lottery managers operating licensees (also known as external lottery managers) licensed under the Gambling Act 2005.

4.4 Where licensees intend to deploy new games onto their gambling systems, they must provide a copy of the game test report(s) detailing compliance with the RTS to Level 3 prior to release of the game(s). An updated RGI spreadsheet clearly highlighting the additional game(s) must be provided to the Commission at least every quarter.

4.5 Where licensees remove games from their gambling systems, they must include this on an updated RGI spreadsheet clearly highlighting the game(s) removed.

5 Third party annual security audit

5.1 Table 5 sets out that an annual security audit must be carried out [5] to assess compliance against the security requirements of the RTS. The security requirements are based on relevant sections of ISO/IEC 27001:2013 and these are listed in section 5 of the RTS. The Commission does not intend to approve security audit firms to perform the security audit as many licensees already have arrangements with appropriate security auditors.

5.2 Licensees must satisfy themselves that the third party security auditor is reputable, is suitably qualified to test compliance with ISO/IEC 27001:2013 and that the auditor is independent from the licensee.

5.3 In the case of all new licensees (whether or not they were issued with continuation licences) or existing licensees who have not been audited against these specific sections, or have not been certified against the full standard, the Commission expects that a copy of the third party annual security audit against ISO/IEC 27001:2013, or a copy of full certification against ISO/IEC 27001:2013, will be provided within 6 months of the issue of their licence or continuation licence or variation of their existing licence as the case may be.

5.4 Operators who have previously been certified against the full standard of ISO/IEC 27001:2005 will be able to be certified against the new standard ISO/IEC 27001:2013 upon expiry of their certification. They will also be required to provide copies of the interim reports until certification expiry. Operators who have previously been audited only against the specific sections of ISO/IEC 27001:2005 and who do not obtain full ISO/IEC certification will be required to be audited against the specific sections of the new standard ISO/IEC 27001:2013 within 12 months of that audit or within 6 months of issue of their operating licence (including continuation licence), whichever is the later.

5.5 Licensees must provide to the Commission copies of the full report produced by the security auditor on completion of their audit.

5.6 The security audit reports should be emailed to: securityaudit@gamblingcommission.gov.uk

5.7 The security auditor's report must comply with our Security audit advice.

5.8 The Commission is aware that many operators are also subject to PCI DSS [6] and are audited for those purposes. The Commission considers its security standards to be sufficiently broad that audits conducted against other standards may meet some of the Commission's requirements. Operators will need to ensure that their audits cover the scope of the security requirements as set out in section 5 of the RTS.

[5] The following categories of licences require the full security audit by an independent auditor: remote betting general (but not telephone only or trading rooms), pool and intermediary, remote casino, remote bingo and remote lotteries (sales greater than £250,000 per year).

[6] (PCI DSS) Payment Card Industry Data Security Standard.

5.9 The Commission has highlighted those systems that are most critical to achieving the Commission's aims, and the security standards will apply to these critical systems:
- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, eg credit/debit card details, authentication information, customer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a customer's gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive customer information.

6 In-house development, testing and release - good practice

6.1 Good practice gambling software development should possess the elements below. These specific controls would already exist in an organisation compliant with ISO27001.

6.2 Development process:
- source code should be held in a secure environment
- an audit log of all accesses to program source should be maintained
- old versions of source code and the dates they were retired should be retained
- access to source code by developers should be well controlled and based on a minimum access required for the job approach
- access to platform source code should not be granted to those working only on game specific development
- changes to critical modules need to be peer reviewed by appropriately skilled but independent developers to ensure all changes made are appropriate and in line with the change documentation. Any suspicious or unauthorised changes must be explained.

6.3 Testing process:
- logically separate development and testing environments
- separate staff to those that developed should perform the testing
- an independent assessment of changes made by the developers should be performed to verify all changes are documented in the change documentation. This may involve the use of file comparison programs to quickly identify all changes.

6.4 Policies and processes should be in place for control of changes to operational environments including version control for software upgrades. To minimise threats to the operational environment, operators should consider but not limit activities to ensuring:
- adequate testing and change control mechanisms and authorisations are in place for the migration of new or modified software into the operational environment; and
- appropriate testing, planning and migration control measures are carried out when upgrading patches or new software versions to ensure the overall security of the operational environment is not adversely impacted.
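The controls in 6.2 to 6.4 (an independent check that every change is documented, file comparison to find all changes, and controlled migration into the live environment) and the "digital signatures" that Level 1 and Level 3 testing in section 4 rely on can be mechanised with a release manifest. The Python below is an added example written for this page, not code from the Commission's document or from any licensee or test house: it hashes every file of a release into a manifest, reports what changed between two releases, lists changed files that the change record does not mention, and compares the manifest taken on the test platform with the one taken on the live platform. File names, contents and the change record are constructed for illustration.

```python
import hashlib
from pathlib import Path


def manifest_from_files(files):
    """files: mapping of relative path -> bytes. Returns {path: sha256 hex}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_from_dir(root):
    """Same manifest built from a real directory tree (paths relative to root)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def overall_signature(manifest):
    """One digest over the sorted (path, hash) pairs: the 'digital signature'
    of the whole release that a test report can quote and a live check can
    recompute."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(f"{path}\0{manifest[path]}\n".encode())
    return h.hexdigest()


def diff_manifests(before, after):
    """The file-comparison step of 6.3: every path added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def undocumented_changes(diff, change_record):
    """Changed paths that the change documentation does not list; a non-empty
    result is what the independent reviewer in 6.2/6.3 must have explained."""
    changed = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    return sorted(changed - set(change_record))


def signature_mismatches(test_manifest, live_manifest):
    """Paths whose hash on the live platform differs from (or is missing
    against) the hash recorded on the test platform."""
    paths = set(test_manifest) | set(live_manifest)
    return sorted(p for p in paths if test_manifest.get(p) != live_manifest.get(p))


# Constructed sample releases (contents are placeholders, not real software).
TEST_RELEASE = {
    "platform/rng.bin": b"rng build 1.4.2",
    "games/fruitspin/maths.json": b'{"rtp": 0.95, "lines": 20}',
    "games/fruitspin/game.js": b"// game logic v1",
}
NEXT_RELEASE = {
    **TEST_RELEASE,
    "games/fruitspin/game.js": b"// game logic v2",
    "games/fruitspin/bonus.js": b"// new bonus feature",
}
# The change record only mentions game.js; bonus.js was slipped in undocumented.
CHANGE_RECORD = {"games/fruitspin/game.js"}
# The live platform runs a different RNG build from the one that was tested.
LIVE_DEPLOYMENT = {**NEXT_RELEASE, "platform/rng.bin": b"rng build 1.5.0"}


if __name__ == "__main__":
    tested, candidate = manifest_from_files(TEST_RELEASE), manifest_from_files(NEXT_RELEASE)
    diff = diff_manifests(tested, candidate)
    print("changes:", diff)
    print("not in change record:", undocumented_changes(diff, CHANGE_RECORD))
    live = manifest_from_files(LIVE_DEPLOYMENT)
    print("test/live mismatches:", signature_mismatches(candidate, live))
    print("release signature:", overall_signature(candidate))
```

Anything reported by undocumented_changes blocks sign-off until explained, and a non-empty signature_mismatches result is exactly the "operating environment differs from the testing environment" case in 3.17 that requires further test house work rather than release.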

7 Transitional provisions: Gambling (Licensing and Advertising) Act 2014

7.1 Following implementation of the Gambling (Licensing and Advertising) Act 2014, operators providing facilities for gambling to British customers who previously did so in reliance on their Gibraltar, EEA or White List jurisdiction licences or other permissions will be subject to the Gambling Act's licensing regime for the first time. Under transitional provisions, such operators who made advance applications for appropriate Commission licences will be entitled to continuation licences pending determination of those applications.

7.2 Annexes A and B are retained in this version of the Testing strategy for reference only. Transitional licensees are expected to follow the requirements for testing and documentation for products that are subject to the transitional requirements that require testing, for any new games and the security audit as detailed in sections 3, 4, 5 and 6 of the main document.

Related documents
- Remote gambling and software technical standards
- Security audit advice
- Remote games information spreadsheet
- Licence conditions and codes of practice

Gambling Commission, July 2015

Annex A

1 Implementation guidance for testing - new licensees issued with continuation licences

1.1 The Commission's testing strategy provides that specific RTS requirements with high impact and low visibility (red category 3 in Table 4) be subject to approved third party test house examination and verification.

1.2 Additionally, section 3.17 of the testing strategy requires additional testing by an approved test house where the operating environment is different from the original testing environment, so where changes to the operating environment have occurred, additional external testing is required. This could be due to the testing being conducted on the game running on a platform or RNG that is different to the one intended for live operation (eg it was originally tested for use by a different operator using a different platform/RNG). Or it could mean that since the game was tested the RNG/platform or other environmental variables have changed in a way that renders the original testing invalid (as the differences may affect the fairness of the game), hence testing under the new environment is required.

2 Test houses

2.1 Each EEA [7] or White List remote gambling regulatory jurisdiction has established proprietary technical standards and, while much of the content is similar between jurisdictions, particularly in relation to the core components and operation of games, there are differences in some aspects between jurisdictions. This means that independent third party test houses are often required to test games against multiple sets of standards or undertake gap analysis to test what can be minor differences. Test houses usually must obtain approval to test against each jurisdiction's standards.
2.3 Those test houses who are accredited to BS/EN ISO 17025 and wish to test against the Commission's RTS in future need to obtain confirmation, following an extension of scope where necessary, that the scope of their accreditation is sufficient to allow them to test to the Commission's standards. This should be obtained from either UKAS or an equivalent recognised international organisation. The independent third party test houses also require the extension of scope to the other jurisdictions they are accepted to be able to test against.

3 Transition requirements

3.1 The Commission is aware that many games currently available to British consumers via EEA or White List regulated operators have not been tested against the RTS and, in keeping with the intent to reduce the regulatory burden on the gambling industry where appropriate and justified, we have looked on a risk basis at ways to manage the transition of these games and products into the regulated British market.

3.2 We have taken into account the current requirements for testing under the RTS, examples of other jurisdictions' practice when introducing legislation, and the risk to players and to the Commission of games currently available to players to which our standards do not apply.

3.3 On the basis of this assessment, we consider it appropriate that, under certain circumstances, some testing of games against other jurisdictional standards should be regarded by us as acceptable without the need for further testing.

[7] For the purposes of this document, Gibraltar is included in this category.

3.4 Previous certification of products or games against other EEA or White List jurisdictions by independent test houses, including those that have not been approved by the Commission to test against the RTS, will be accepted (subject to conditions detailed below) where the testing and certifications have been conducted prior to implementation of the Gambling (Licensing and Advertising) Act.

3.5 Where testing is necessary, a transitional period of up to one year will be permitted to allow the industry and the independent test houses time to complete the testing. This should allow both operators and test houses adequate time to arrange for and undertake the required testing.

3.6 We have developed a spreadsheet (remote games information) that those operators with continuation rights will be required to complete and supply to the Commission as part of their advance application under the Gambling (Licensing and Advertising) Act 2014. This will document each RNG and each game they currently offer to, and intend to continue to provide to, British consumers, the name of the software provider, the level of testing completed and who conducted it, amongst other items. The games and products documented on the spreadsheet must comply with the RTS [8]. Games and products that do not comply must be withdrawn from the British market and not included in the spreadsheet. We will require a declaration on the spreadsheet by a PML holder [9] or qualified person that each RNG and each game documented and offered complies with the RTS.

3.7 New licensees who have continuation rights and currently offer games into Britain will be able to continue to do so without further testing or certification if:
- the games meet the Commission's RTS
- the games have been independently tested on a platform which is materially the same as the production environment (Level 3, see below)
- they have evidence of this through test reports and matching digital signatures.
3.8 Whilst we make no specific reference in the RTS or the testing strategy to Levels 1, 2 and 3 of testing, we do refer to the testing of RNGs, scaling and mapping, game operation and the environment the product or game operates in. To assist in understanding what level of testing will be accepted by the Commission and what would require external third party testing, we have detailed these below:

I. Level 1: External third party testing of RNG, including source code review, scaling where appropriate, and where the digital signature taken on the test platform is the same as that taken on the live environment.

II. Level 2: Review of game designs. This includes artwork, maths and theoretical RTP (no output testing).

III. Level 3: Full testing of game operation integrated on platform. This involves verifying the software implementation of the game artwork, maths and theoretical RTP through testing of the game on the live environment (or development/staging environment which is essentially the same as the live environment), verification of game rules, actual RTP using simulation [10] and emulation [11] testing utilising the RNG tested under Level 1, and where the digital signatures taken on the test platform are the same as those taken on the live environment. This testing must be conducted by an approved external third party test house.

[8] RTS 8A and RTS 13B have been amended/added and come into force on 30 April 2016. RTS12 has been amended and comes into force on 31 October 2015.

[9] Personal Management Licence. Also includes someone who has applied for a PML.

[10] Simulation (output) testing: setting the game up to play automatically for a high number of games (actual number will depend on volatility of the game as per the maths) to then verify that the actual RTP is within acceptable range of the expected RTP. Sample data should be tester generated, unless supervised in a controlled environment for the purposes of meeting specific regulatory requirements. Software modified from the original to enable rapid play is permitted provided the tester has confidence that the modifications do not impact on the assessment of game fairness.

[11] Emulation testing is used to replicate certain rare game outcomes (such as jackpots, infrequent features and maximum prize).
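Footnotes 10 and 11 describe simulation and emulation testing but leave the "acceptable range" and the number of plays to the game's maths. The Python below is an added example written for this page, not code from the Commission's document or from any test house: it takes a constructed paytable (the probabilities and payouts are invented for illustration), derives the theoretical RTP and the per-play payout variance, sizes the tolerance and the required play count from that variance (this is where the volatility dependence in footnote 10 comes from), runs a seeded rapid-play simulation, and then emulates every outcome band, including the rare top award, by forcing the RNG value rather than waiting for it to occur.

```python
import math
import random

# Constructed example game: each entry is (probability, payout as a multiple
# of stake). Probabilities sum to 1.0. Values are invented for illustration.
PAYTABLE = [
    (0.67, 0),     # losing play
    (0.18, 1),
    (0.09, 2),
    (0.04, 5),
    (0.015, 10),
    (0.004, 25),
    (0.001, 100),  # rare top award, the kind emulation testing forces
]


def theoretical_rtp(paytable):
    """Expected return per unit staked, straight from the game maths."""
    return sum(p * pay for p, pay in paytable)


def payout_variance(paytable):
    """Variance of the per-play payout; the game's volatility."""
    mean = theoretical_rtp(paytable)
    return sum(p * pay * pay for p, pay in paytable) - mean * mean


def resolve_spin(paytable, u):
    """The scaling/mapping step: a uniform RNG output u in [0, 1) is mapped
    onto the outcome bands. Returns (outcome_index, payout)."""
    acc = 0.0
    for i, (p, pay) in enumerate(paytable):
        acc += p
        if u < acc:
            return i, pay
    return len(paytable) - 1, paytable[-1][1]  # guard against float rounding at 1.0


def rtp_tolerance(paytable, plays, z=3.0):
    """Half-width of the acceptable RTP band: z standard errors of the mean."""
    return z * math.sqrt(payout_variance(paytable) / plays)


def plays_required(paytable, tolerance, z=3.0):
    """Number of plays needed before a deviation larger than `tolerance`
    would be statistically meaningful at z standard errors."""
    return math.ceil((z * math.sqrt(payout_variance(paytable)) / tolerance) ** 2)


def simulate_rtp(paytable, plays, seed):
    """Rapid-play simulation using a seeded PRNG standing in for the
    certified RNG (the test house would drive the real Level 1 RNG)."""
    rng = random.Random(seed)
    returned = 0
    for _ in range(plays):
        returned += resolve_spin(paytable, rng.random())[1]
    return returned / plays


def simulation_check(paytable, plays, seed, z=3.0):
    """Footnote 10 in one call: actual RTP versus expected, with the
    acceptable range derived from the game's volatility and play count."""
    expected = theoretical_rtp(paytable)
    actual = simulate_rtp(paytable, plays, seed)
    tol = rtp_tolerance(paytable, plays, z)
    return {"expected": expected, "actual": actual, "tolerance": tol,
            "passed": abs(actual - expected) <= tol}


def emulation_check(paytable):
    """Footnote 11: force each outcome band by feeding the midpoint of its
    RNG interval and confirm the game pays what the maths says it should."""
    acc = 0.0
    for i, (p, pay) in enumerate(paytable):
        if resolve_spin(paytable, acc + p / 2) != (i, pay):
            return False
        acc += p
    return True


if __name__ == "__main__":
    print("theoretical RTP:", round(theoretical_rtp(PAYTABLE), 4))
    print("plays for +/-1% at 3 sigma:", plays_required(PAYTABLE, 0.01))
    print(simulation_check(PAYTABLE, 200_000, seed=20150701))
    print("emulation of every band OK:", emulation_check(PAYTABLE))
```

The tolerance shrinks with the square root of the play count and grows with the payout variance, so a high-volatility game with a large, rare jackpot needs far more plays for the same confidence; plays_required makes that number explicit instead of leaving it to judgement. The emulation check is what catches a mapping bug in the rare bands that a simulation of any practical length might never reach.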

3.9 The Commission requires full Level 3 testing by an independent third party test house and for the digital signatures of the RNGs and games to be valid in order to accept the certifications for other jurisdictions and therefore not require re-testing under the RTS.

3.10 As stated in paragraph 3.6 of Annex A, the Commission will also require a declaration from the relevant PML holder or qualified person that they have assessed and confirm that each of the RNGs and games meet the Commission's RTS. This declaration is attached to the Remote Games Information spreadsheet.

3.11 Where test reports from independent test houses are not available, or where digital signatures have changed, new licensees who receive continuation rights will have up to 12 months from the date of implementation to ensure completion of testing against the Commission's RTS by a Commission approved independent third party test house and provide a copy of the test report. Where changes to the digital signatures of the RNGs and/or games are due to subsequent changes to the platform which have created new digital signatures, the independent third party test houses will be required to verify the changes and certify that the changes have not affected the integrity of the RNGs and/or games.

3.12 The Commission is aware that some gambling software developers undertake in-house testing and provide games to operators in jurisdictions that do not require independent third party test houses to test against their regulatory standards. By providing the period of up to one year for those games to be tested against the Commission's standards by a Commission approved test house, we anticipate minimal impact on such new licensees' ability to continue to offer those games to British consumers where they comply with the Commission's RTS.
3.13 Games that have not been tested by an independent third party test house but meet the RTS and continue to be offered to British customers under these transitional provisions must be independently tested within 12 months; otherwise they must be removed from the licensee's British facing offerings. Games not compliant with the RTS, or those for which the licensee does not intend to obtain the required independent third party testing, must not be offered under a Commission licence.

3.14 Where those games have been provided to a number of operators, the Commission does not require test reports from each licensee, but a single report for each individual game. The Commission does not determine who should provide the reports but would expect that software providers and operators would make arrangements between themselves for the testing and provision of the reports. Each licence applicant, when completing the spreadsheet of games mentioned earlier in the document, must provide the appropriate details of the test report.

4 Self testing

4.1 The Commission's current requirements in the testing strategy detail specific RTS requirements with moderate to high impact (category 2 in Table 4) and allow certain operators the flexibility to carry out their own testing of gambling products against those specific requirements.

4.2 The Commission intends to allow those operators who can demonstrate they meet the Commission's good practice policies and processes detailed in Section 4 of the testing strategy to be able to carry out their own testing against those specific requirements. The Commission will require a declaration (as detailed in section 3.20 of the testing strategy) that they follow this good practice to accompany the advance application under the 2014 Act.

4.3 Operators who do not meet this standard or who do not provide the declaration will be expected to obtain independent third party testing for the relevant sections of the requirements.

Annex B

1 Implementation guidance for security audits - new licensees issued with continuation licences [12]

1.1 The Commission's testing strategy currently requires a third party annual security audit against particular sections of ISO/IEC 27001:2005. More information is available in section 5 of the RTS.

1.2 The Commission is aware that ISO/IEC 27001:2005 has been amended and updated to ISO/IEC 27001:2013 and that sections listed in section 5 of the RTS have been superseded with new sections. We are currently reviewing the impact of those changes and intend to update the RTS as soon as possible with the appropriate sections under ISO/IEC 27001:2013.

1.3 Meanwhile, in the case of all new licensees (whether or not they were issued with continuation licences) who have not been audited against these specific sections, or have not been certified against the full standard, the Commission expects that a copy of the third party annual security audit against ISO/IEC 27001:2005, or a copy of full certification against ISO/IEC 27001:2005 or ISO/IEC 27001:2013, will be provided within six months of the issue of their licence or continuation licence as the case may be.

1.4 Operators who have been certified against the full standard of ISO/IEC 27001:2005 will be able to be re-certified against this standard or against the new standard ISO/IEC 27001:2013 upon expiry of the certification. They will be required to provide copies of the interim reports until certification expiry. Operators who have been audited only against the specific sections of ISO/IEC 27001:2005 and who do not obtain full ISO/IEC certification will be required to be audited against the specific sections of the existing standard ISO/IEC 27001:2005 within 12 months of the audit or within 6 months of issue of their operating licence (including continuation licence), whichever is the later.
1.5 The Commission intends to undertake a consultation with the industry in the near future to review the scope of the existing security audit under ISO/IEC 27001:2005 with a view to enhancing the requirements for security and change management in conjunction with the move to the new standard ISO/IEC 27001:2013.

[12] This section has been updated as detailed in Section 5 of the RTS.

Keeping gambling fair and safe for all

For further information or to register your interest in the Commission please visit our website at: www.gamblingcommission.gov.uk

Copies of this document are available in alternative formats on request.

Gambling Commission
Victoria Square House
Victoria Square
Birmingham B2 4BP
T 0121 230 6666
F 0121 230 6720
E info@gamblingcommission.gov.uk

ADV 15/04