Page 1: Regulators' traceability requirements and solutions for iGambling operators on new regulated markets 2013

DICTAO

152, avenue Malakoff

75116 PARIS, France

+33 1 73 00 26 00

www.dictao.com

Regulators’ Traceability Requirements

and Solutions for iGambling operators

on New Regulated Markets in Europe

Denmark, Spain, France & Schleswig-Holstein cases.

2013

Copyright Dictao 2012


Page 2

Executive Summary

Dictao, leading supplier of solutions compliant with iGambling IT requirements

Fact: Traceability is a key regulatory requirement in each new regulated market

Problem: Data traceability is complex, and increases costs & time

Solution: Dictao simplifies operators’ life, hides complexity, and reduces TCO

Operator benefits

Compliance, flexibility and cost-effectiveness

Market Cases of traceability requirements and gaming system architectures

Denmark, Spain, France and Schleswig-Holstein cases

Regulators’ Frequently Asked Questions

Next step: Dictao iGambling data traceability model


Page 3

Agenda

Dictao

Facts, Problem and Solution

Operators’ Benefits

Market cases

Regulators’ Frequently Asked Questions

Page 4

Dictao

Specialized in 3 areas:

Data traceability

Strong authentication

Electronic signatures

Dictao products power mission-critical applications across multiple sectors

Gaming, banking, industry, defense, government, …

Dictao products are certified EAL3+ by the French Network and Information Security Agency (ANSSI), SigG and SigV by the Bundesnetzagentur in Germany, and 3-D Secure by Visa and MasterCard.


Page 5

Dictao in the iGaming industry

Main traceability offer built to answer compliance requirements:

E-vault product

Hosted services

Consulting services

But also player authentication and registration where eID can be used

Dictao is the industry’s leading technical compliance solution provider:

The only offer covering Spain, Denmark, France and Schleswig-Holstein

40+ operators are clients

9 out of the top 10 operators from eGaming Review’s Power50 list

45% of the first licensed operators in France

45% of the first licensed operators in Denmark

28 operators chose Dictao in Spain

First supplier in Schleswig-Holstein


Page 6

Agenda: Facts, Problem and Solution

Page 7

Fact: Traceability is a key regulatory requirement

Regulators see traceability as a means to achieve:

Consumer protection

Anti-money laundering

Fight against fraud

Tax control

Traceability: pervasive in all regulated markets

Italy AAMS (I) and SOGEI’s centralized system (2009)

France ARJEL (II) ‘Frontal’ (2010)

Denmark DGA (III) ‘SAFE’ (2011)

Spain CNJ (IV) ‘Almacen’ (2011)

Schleswig-Holstein ‘Kontrollsystem’ (2012)

Greece GSCC (V) ‘Supervision and Control IT System’ (2012, estimated)

Next EU markets

“E15” Germany, the Netherlands, Poland, Bulgaria…

(I) AAMS: Amministrazione autonoma dei monopoli di Stato

(II) ARJEL: Autorité de Régulation des Jeux en Ligne

(III) DGA: Danish Gaming Authority

(IV) CNJ: Comisión Nacional del Juego

(V) GSCC: Games of Chance Supervision and Control Commission


Page 8

Problem: Traceability is complex, and increases costs & time


Especially when each jurisdiction requires distinct and specific:

Data formats

Server location

Backup location

Certifications

Secure storage

Data retention policies

Language

This wide heterogeneity

Creates additional complexity

Delays go-to-market

Increases running costs

[Diagram: core gaming platforms feeding a separate capture module per jurisdiction (.FR “Capteur”, .ES “Capturador”, .DE, .DK)]


Page 9

Solution: Dictao simplifies operators’ life

A single partner for every regulation

For all jurisdictions that do not impose a central system

For all games

Dictao focuses on traceability only

We are regulation and traceability experts

We only extract the operator’s data

We manage traceability data storage and download by the local regulator

[Diagram: operator platform (casino, sportsbook, poker) feeding Dictao, which delivers to DGA, ARJEL, S-H and CNJ]

Page 10

Agenda: Operators’ Benefits

Page 11

Operators’ benefits (1/3): Guaranteed compliance

We nurture close relationships with local regulators

Compliance with current regulations

First ARJEL-compliant ‘frontal’ in France

DGA-compliant SAFE in Denmark

DGOJ-compliant Internal Control System (ICS) in Spain

First Schleswig Holstein-compliant SAFE

Strategic commitment to comply with future regulatory requirements

100% compliant with next generation European (DE, NL, UK, …) requirements

Dictao guarantees compliance with future regulation modifications


Page 12

Operators’ benefits (2/3): Flexibility

Business model flexibility

Software license: operator integrates and operates the service

Software as a Service (SaaS): Dictao hosts and operates the service on behalf of the operator

Managed service: Dictao operates the service hosted in operator’s premises

Integration flexibility

Standard Webservices API

Managed test environment

Connection link

over the internet

over dedicated leased line

Technical flexibility

Scalable: from a few to several thousand events per second

Reliable: high availability (>99.99%) and multiple sites


Page 13

Operators’ benefits (3/3): Cost-effectiveness

Low investment costs

The solution is based on existing in-house products

The development costs are spread across multiple customers

The SaaS platform shares infrastructure

Low recurring costs

One dedicated compliance team operates the vaults of several customers

Evolutions in regulation included


Page 14

Agenda: Market cases

Page 15


Spain

France

Denmark

Schleswig-Holstein

Page 16

Examples of Control Systems


Spain

France

Denmark

Schleswig-Holstein


Page 17

Spain – Technical architecture


Page 18

Spain – Authentication

Spain is introducing electronic IDs for its citizens ("DNIe", Documento Nacional de Identidad electrónico). One of the authorized player registration mechanisms is the digital certificate from the electronic ID.

The Spanish regulator has set up an online service to check personal details and verify the player’s age using a national citizen database.

The Spanish regulator has set up an online service to check the banned player register. The register is updated hourly.


Page 19

Spain – Traceability

Operators must implement a control and supervision system (internal control system)

Operators are responsible for running their internal control system

Transactions must be stored in near real-time in a Safe on Spanish soil

The regulator (CNJ) has real-time access to the Safe

Game software and hardware and the organization of the operator must be audited by an officially approved test lab


Page 20

Spain – Traceability

Data is securely stored in a digital Safe:

Standardized XML-format to allow uniform processing by regulator

Main storage site located on Spanish soil

Digital signature to seal records (XAdES-BES, XAdES version 1.3.2)

Timestamps from an approved TSA (RFC 3161)

Encryption of records (AES-256)

Guarantee that regulator has real-time access via a secure channel to the data

Data archived one year online

Data archived six years offline

Internal control system must be certified


Page 21

Examples of Control Systems: France

Page 22

France – Technical Architecture


Page 23

France – Technical architecture

Front-End

In standard web architecture, this is the presentation layer. This module implements the gambling site interface in French, including all the moderators required by the authority (e.g. pop-ups, warnings).

Data extraction (“Capteur”)

This module retrieves the information relevant for control and oversight by the regulator. The regulator defines the nature and format of the data (XML).

Back-end relay

This module transfers the transactions initiated by gamblers to the operator's back-end gambling engines. Back-end servers may be located outside of France.

Digital Safe

The vault module collects the records produced by the Capteur and preserves them in a secure manner. If required, the authority must be able to access the electronic vault either on site or remotely. The Safe must be certified (CSPN) by the French IT-security government agency (ANSSI).


Page 24

France – Authentication

Player registration is a complex paper-based process. One step of the process is a letter sent by physical mail to the player‘s address with an activation code.

The regulator manages a national banned player register. Each operator must check its entire player base against that register at least once a month.


Page 25

France – Traceability

Gaming activity is stored in real-time in a digital Safe. Data reflects the player‘s perspective.

Standardized XML-format to allow uniform processing by regulator

“Frontal” (Safe and capture device) located on French soil

Digital signature to seal records (XAdES)

Data protected with strong authentication mechanisms

Data encrypted with regulator public key (RSA). Only the regulator can decrypt records.

Operators are responsible for running the “Frontal”

Synchronous real-time processing

Data archived one year online

Data archived five years offline

Safe must be certified (CSPN) by the French IT-security government agency (ANSSI)


Page 26

Examples of Control Systems: Denmark

Page 27

Denmark – Architecture


Page 28

Denmark – Authentication

The regulator provides a central online service to check players against the banned player register (ROFUS/LUR).

The regulator manages this central register. Each operator is required to check through the online service whether a player is banned or not.

Authentication at each login with NemID and an OCES digital signature. This is the same mechanism used for banks and online services of the public administration. The Danish service provider “DanID” runs this service for the government.


Page 29

Denmark – Traceability

Standardized XML-format to allow uniform processing by regulator

Near real-time: Data must be stored within five minutes of an event happening

Safe location can be anywhere as long as the regulator has sufficient guarantees to get access

Digital seals using the regulator‘s central tamper-proof system

Encrypted communication between digital Safe and regulator

Operators are responsible for running the “Frontal”

Data archived one year online

Data archived five years offline

End-of-day records


Page 30

Examples of Control Systems: Schleswig-Holstein (Germany)

Page 31

Schleswig-Holstein – Technical architecture


Page 32

Schleswig-Holstein – SAFE-server features


Location in Schleswig-Holstein

Near-real-time data capture

Certification by accredited third parties

Data encryption

Digital seals/signatures

Standards-based

36 months data storage

Standardized Data (XML)

Gameplay

Financial

Personal information

Page 33

Agenda: Regulators’ Frequently Asked Questions

Page 34

FAQ about…

Preventing fraud/ AML

Real Time versus Near-Real Time data traceability

Control of data

Tax control

Minor and problem gambler protection

Dependency on the Authority

Service Providers’ Standard Compliancy

Technology suppliers & technology neutrality


Page 35

Preventing fraud/ AML (1/2)

Q: How is the traceability of money flows regulated?

Each financial transaction is sealed and stored in a safe

Regular analysis is performed by the Authority

Operator cash account is separated from the player money account (escrow)

Money may not be transferred between players except through gaming

Money may only be withdrawn to the named bank account associated with the relevant player account

In-kind winnings are traced as well (prize description and estimated value)

Dictao recommends all of the above


Page 36

Preventing fraud/ AML (2/2)

Q: How can security and continuity best be ensured?

Security principles (best practices, not specific to iGaming)

Integrity: data is sealed through digital signature and chaining

Confidentiality: data is encrypted so that only the regulator may access it

Authentication: use strong credentials like digital certificates

Non-repudiation: data is signed

Availability: SLA requirements from operators and suppliers

Continuity and recovery

Require a “Business Continuity Plan” and a “Data Recovery Plan” from operators and suppliers

Require all data to be backed up on a secondary site and maximum delay of recovery

Dictao recommends all of the above
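The sealed, chained safe described on the Spain, France and Denmark traceability slides (pages 20, 25 and 29) and by the Integrity and Continuity bullets above, as an added example; this is not code from the original deck or from Dictao's products. It assumes an HMAC seal in place of the XAdES signature and RFC 3161 timestamp, JSON records in place of the regulators' XML schemas, a constructed seal key and constructed events, and a retention table taken from the deck's figures (Spain one year online plus six offline; France and Denmark one year plus five); the Danish five-minute ingestion deadline is applied to every record for simplicity.

```python
"""Hash-chained, sealed event vault with an ingestion deadline and retention tiers.

Added example, not Dictao's product code. Assumptions: an HMAC over the
canonical record stands in for the XAdES signature and RFC 3161 timestamp
named in the deck; records are JSON rather than the regulator's XML schema;
the seal key, jurisdiction table and sample events are constructed for the demo.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SEAL_KEY = b"constructed-demo-seal-key"          # stand-in for the operator's signing key
GENESIS = "0" * 64                                # chain anchor before the first record
NEAR_REAL_TIME_LIMIT = timedelta(minutes=5)       # Danish "stored within five minutes" rule
RETENTION_YEARS = {"ES": (1, 6), "FR": (1, 5), "DK": (1, 5)}  # (online, offline), from the deck


class VaultError(Exception):
    pass


def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_body(record: dict, prev_hash: str) -> bytes:
    """Bytes that are hashed and sealed: the record plus its predecessor's hash."""
    return canonical(record) + prev_hash.encode()


class Vault:
    """Append-only store in which every entry commits to the entry before it."""

    def __init__(self):
        self.entries = []
        self.prev_hash = GENESIS

    def append(self, record: dict, stored_at) -> dict:
        stored_at = _as_datetime(stored_at)
        delay = stored_at - _as_datetime(record["event_time"])
        if delay > NEAR_REAL_TIME_LIMIT:
            raise VaultError(f"record {record['id']} arrived {delay} after the event")
        body = seal_body(record, self.prev_hash)
        entry = {
            "record": record,
            "prev": self.prev_hash,
            "hash": hashlib.sha256(body).hexdigest(),
            "seal": hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest(),
            "stored_at": stored_at.isoformat(),
        }
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        return entry


def verify_chain(entries: list) -> tuple:
    """Return (ok, index, reason); catches edited records, forged seals and
    entries that were removed or reordered even though their own seals verify."""
    prev_hash = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev_hash:
            return (False, i, "chain break")
        body = seal_body(entry["record"], entry["prev"])
        if hashlib.sha256(body).hexdigest() != entry["hash"]:
            return (False, i, "hash mismatch")
        expected = hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["seal"]):
            return (False, i, "bad seal")
        prev_hash = entry["hash"]
    return (True, len(entries), "ok")


def retention_tier(stored_at, now, jurisdiction: str) -> str:
    """'online', 'offline' or 'expired' according to the deck's retention periods."""
    online, offline = RETENTION_YEARS[jurisdiction]
    age_days = (_as_datetime(now) - _as_datetime(stored_at)).days
    if age_days <= 365 * online:
        return "online"
    if age_days <= 365 * (online + offline):
        return "offline"
    return "expired"


def demo_vault() -> Vault:
    """Three constructed player events, each stored 30 seconds after it happened."""
    t0 = datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc)
    vault = Vault()
    for i, (kind, amount) in enumerate([("deposit", 100), ("bet", 25), ("win", 40)]):
        record = {"id": i + 1, "player": "P-0001", "kind": kind, "amount": amount,
                  "event_time": (t0 + timedelta(minutes=i)).isoformat()}
        vault.append(record, t0 + timedelta(minutes=i, seconds=30))
    return vault


if __name__ == "__main__":
    vault = demo_vault()
    print(verify_chain(vault.entries))                          # (True, 3, 'ok')
    edited = [dict(e, record=dict(e["record"])) for e in vault.entries]
    edited[1]["record"]["amount"] = 2500                        # a bet rewritten after the fact
    print(verify_chain(edited))                                 # (False, 1, 'hash mismatch')
    print(verify_chain(vault.entries[:1] + vault.entries[2:]))  # (False, 1, 'chain break')
```

Chaining is what turns per-record seals into a complete log: a deleted or reordered entry still carries a valid seal of its own, and only the predecessor hash exposes the gap. In production the seal would be the operator's XAdES signature over the XML record plus a TSA timestamp, and the record body would additionally be encrypted to the regulator's key (the French model) before storage; the shared-secret HMAC used here would let the operator itself forge seals, so it is a placeholder for the demonstration only.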


Page 37

Control of data (1/3)

Q: Option #1: all data flows through the server of the gambling authority (vault). What are the pros and cons?

MARKET CASE: centralized solution only implemented in Italy

- COST: very expensive for the regulator (platform to design and set up, technical operations team to maintain, data backups to ensure, maintenance, several people to support operators); SOGEI employs 500 persons to perform data control

- RESPONSIBILITY: the regulator is responsible for tracing the data

- TIME: 6 to 12 months to set up the infrastructure

Dictao recommends not using this solution


Page 38

Control of data (2/3)

Q: Option #2: the gambling authority provides access to a special server that securely stores a copy of the data. What are the pros and cons?

+ BEST PRACTICE: decentralized solution used in FR, DK, ES, DE (E15 + SH)

+ COST: very low cost for the regulator. For example, ARJEL employs 6 persons to perform data control

+ TIMING: gaming operation may start even if the regulator platform is not ready

+ SLA: gaming operation may carry on even if the regulator platform is down

- TCO for the operator: standard TCO is between 0.5% and 1% of GGR (gross gaming revenue)

Dictao recommends the solution of a “distributed safe” placed under the responsibility of the operator


Page 39

Control of data (3/3)

Q: Option #3: the data and its backup are located and hosted within the national borders of the regulator. What are the pros and cons?

+ ENFORCEMENT: location of the safe in the regulated territory enables the regulator to seize it

+ EU COMPLIANCE: hosting a safe in the national territory complies with EU jurisprudence, whereas requirements to locate the whole gaming server(s) there do not. It also avoids potentially complex and lengthy cross-border collaboration

+ CONVENIENCE: country-hosted data facilitates the control of data completeness and of compliance with the Authority's (or a delegated third party's) requirements

- Backup data is not meant to be seized, but data recovery from backup must be quick

Dictao recommends a main data repository in the Authority’s territory, a backup located in the EU, and a recovery delay of 48 hours


Page 40

Tax control

Q: As many operators are located abroad, for tax control the Authority needs access to actual information. What are the best practices from other countries?

Require traceability of all money transactions (including bonus money and gaming network transactions)

Require aggregated financial reports from the operator and reconcile those reports with the information available in the safe

Q: Do you have any insight on how tax control is maintained in the case of poker liquidity, where players from different jurisdictions participate in a game?

The only cross-country liquidity we are familiar with is Denmark

Only data regarding local players is traced in the safe; tax control is based on these data

Dictao recommends all of the above


Page 41

Minor and problem gambler protection

Q: Do you have any insight on how problem gambling is monitored in different countries?

Availability of a centralized authorization service maintained by the Authority

Problem gambler list shared with land-based casinos

Operators required to check the authorization service during player registration and regularly at player logon

Technical aspects

Preserve player confidentiality (operators shall not discover information about players they do not “know”)

Use open standards like web services or DNS to allow all operator technologies to connect

High availability and performance

Dictao recommends all of the above


Page 42

Dependency on the Authority

Q: How can a dependency on the Authority for authentication or communication be prevented from becoming a single point of failure for the industry?

Require a decentralized safe under the operator’s responsibility

The only dependency on the Authority is the authorization (blacklist) service

For confidentiality, it should stay centralized

For availability reasons, it should be redundant

When the service is down

Gaming operation is still allowed (thus downtime is not disruptive)

Account registration is temporary until the service is back up

Dictao recommends all of the above
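The register check with outage handling described on this slide and on the previous one (check at registration, check at logon, periodic full-base sweep, provisional accounts while the service is down), as an added example; this is not code from the deck, from Dictao or from any regulator. The AuthorityRegister class, its is_banned() lookup, the player identifiers and the Status names are constructed stand-ins for the real services (ROFUS in Denmark, the ARJEL register in France, the hourly-updated Spanish register).

```python
"""Banned-player register checks with an outage policy.

Added example, not Dictao's or any regulator's code. The register service,
its lookup API and the player identifiers are constructed stand-ins for the
authority's real web service; the 'provisional' state models the deck's rule
that registration is temporary while the service is down.
"""
from enum import Enum


class RegisterUnavailable(Exception):
    """Raised when the authority's service cannot be reached."""


class Status(Enum):
    ACTIVE = "active"
    PROVISIONAL = "provisional"   # registered while the register was down; must be re-checked
    BANNED = "banned"


class AuthorityRegister:
    """Stand-in for the central banned-player service. Lookup is by identifier
    only, so an operator learns nothing about players it does not query."""

    def __init__(self, banned_ids, available=True):
        self.banned_ids = set(banned_ids)
        self.available = available

    def is_banned(self, player_id: str) -> bool:
        if not self.available:
            raise RegisterUnavailable("register service down")
        return player_id in self.banned_ids


class OperatorAccounts:
    """Operator-side account states driven by the register's answers."""

    def __init__(self, register: AuthorityRegister):
        self.register = register
        self.accounts = {}     # player_id -> Status

    def register_player(self, player_id: str) -> Status:
        """Registration: ask the register; if it is down, accept provisionally."""
        try:
            status = Status.BANNED if self.register.is_banned(player_id) else Status.ACTIVE
        except RegisterUnavailable:
            status = Status.PROVISIONAL
        self.accounts[player_id] = status
        return status

    def login(self, player_id: str) -> bool:
        """Per-login check (Danish model). An outage is not disruptive: an account
        not known to be banned may keep playing until the next successful check."""
        status = self.accounts.get(player_id)
        if status is None or status is Status.BANNED:
            return False
        try:
            if self.register.is_banned(player_id):
                self.accounts[player_id] = Status.BANNED
                return False
        except RegisterUnavailable:
            pass
        return True

    def sweep(self) -> dict:
        """Full-base re-check (French monthly rule). Also resolves provisional
        accounts once the service is back. Returns counts per resulting status."""
        counts = {status: 0 for status in Status}
        for player_id, status in list(self.accounts.items()):
            if status is Status.BANNED:
                counts[status] += 1
                continue
            try:
                new = Status.BANNED if self.register.is_banned(player_id) else Status.ACTIVE
            except RegisterUnavailable:
                new = status            # keep what we had; retry at the next sweep
            self.accounts[player_id] = new
            counts[new] += 1
        return counts


if __name__ == "__main__":
    # Constructed scenario: the register is down while two players sign up.
    register = AuthorityRegister(banned_ids={"P-BANNED"}, available=False)
    ops = OperatorAccounts(register)
    print(ops.register_player("P-BANNED"), ops.register_player("P-OK"))  # both PROVISIONAL
    print(ops.login("P-BANNED"))                                          # True: outage, not yet known
    register.available = True
    print(ops.login("P-BANNED"))                                          # False: caught at logon
    print(ops.sweep())                                                    # P-OK becomes ACTIVE
```

The fail-open choice during an outage is the one the deck describes; its cost is that a banned player who registers during the outage can play until the next logon check or sweep succeeds, so a practitioner bounds that window (retry the register frequently, and treat a long-lived provisional state as grounds to suspend the account rather than waiting for the monthly sweep).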


Page 43

Service Providers’ Standard Compliancy

Q: Dictao’s strategy is to rely on standards. Could you elaborate on the standards?

The internet technology stack relies on standards at all levels, from hardware to application level.

Standards developed for e-commerce, e-government or e-banking applications are all applicable in the online gambling environment:

XSD/XML to define reporting formats

RFC 3161 to define time stamps

XMLDSig for digital seals

X.509 for digital certificates

ISO/IEC 27001 for IT security management

Dictao recommends using internationally recognized standards


Page 44

Technology suppliers & technology neutrality (1/2)

Q: How can we prevent requirements on the availability of data from favouring certain suppliers?

The Authority should require the use of open standards instead of proprietary formats, technologies and solutions

Require application of best practices recognized by everyone

Have the Authority’s technical experts assess the neutrality of the requirements

Dictao recommends all of the above


Page 45

Technology suppliers & technology neutrality (2/2)

Q: According to EU law, requirements may not be directed towards a certain technology or certain suppliers

Dictao does not recommend any technology, only standards

All standards Dictao recommends are open, patent-free and may be freely implemented by anyone

Dictao lobbies for European-wide standards

Dictao competes on the market with technology-neutral differentiators

Turnkey SaaS infrastructure accelerates projects

Spreading investments over multiple clients lowers costs

Professional services to assist operators

Dictao recommends using these internationally recognized standards


Page 46

Next step

Based on strong experience and proximity with regulators and operators, Dictao has built a template model of an ideal traceability system that:

Covers the needs of tax and fraud control, AML, player protection

Facilitates integration by the operator

Is 100% technology-neutral

We would like to introduce this model to you at your earliest convenience


Page 47

For more information, please contact:

Frédéric Engel

[email protected]

+33 1 73 00 26 34

+33 6 13 42 38 98 (mobile)

www.dictao.com

http://www.dictao.com/en/solutions/online-gambling