Regulators' traceability requirements and solutions for i gambling operators on new regulated markets 2013
Presentation Transcript

  • DICTAO, 152, avenue Malakoff, 75116 PARIS, France, +33 1 73 00 26 00, www.dictao.com
    Regulators' Traceability Requirements and Solutions for iGambling operators on New Regulated Markets in Europe: Denmark, Spain, France & Schleswig-Holstein cases. 2013. Copyright Dictao 2012
  • Executive Summary
    - Dictao, leading supplier of iGambling IT requirement-compliant solutions
    - Fact: traceability is a key regulatory requirement in each new regulated market
    - Problem: data traceability is complex, and increases costs & time
    - Solution: Dictao simplifies operators' life, hides complexity, and reduces TCO
    - Operator benefits: compliance, flexibility and cost-effectiveness
    - Market cases of traceability requirements and gaming system architectures: Denmark, Spain, France and Schleswig-Holstein
    - Regulators' Frequently Asked Questions
    - Next step: Dictao iGambling data traceability model
  • Agenda: Dictao; Facts, Problem and Solution; Operators' Benefits; Market cases; Regulators' Frequently Asked Questions
  • Dictao
    - Specialized in 3 areas: data traceability, strong authentication, electronic signatures
    - Dictao products power mission-critical applications across multiple sectors: gaming, banking, industry, defense, government, ...
    - Dictao products are certified EAL3+ by the French Network and Information Security Agency (ANSSI), SigG and SigV by the Bundesnetzagentur in Germany, and 3-D Secure by Visa and MasterCard.
  • Dictao in the iGaming industry
    - Main traceability offer built to answer compliance requirements: e-vault product, hosted services, consulting services
    - But also player authentication and registration where eID can be used
    - Dictao is the industry's leading technical compliance solution provider:
      - The only offer covering Spain, Denmark, France and Schleswig-Holstein
      - 40+ operators are clients
      - 9 out of the top 10 operators from eGaming Review's Power50 list
      - 45% of the first licensed operators in France
      - 45% of the first licensed operators in Denmark
      - 28 operators chose Dictao in Spain
      - First supplier in Schleswig-Holstein
  • Fact: Traceability is a key regulatory requirement
    - Regulators see traceability as a means to achieve: consumer protection, anti-money laundering, fight against fraud, tax control
    - Traceability is pervasive in all regulated markets:
      - Italy: AAMS (I) and SOGEI's centralized system (2009)
      - France: ARJEL (II) 'Frontal' (2010)
      - Denmark: DGA (III) 'SAFE' (2011)
      - Spain: CNJ (IV) 'Almacen' (2011)
      - Schleswig-Holstein: 'Kontrollsystem' (2012)
      - Greece: GSCC (V) 'Supervision and Control IT System' (2012, est.)
    - Next EU markets: "E15" Germany, the Netherlands, Poland, Bulgaria...
    - (I) AAMS: Amministrazione autonoma dei monopoli di Stato; (II) ARJEL: Autorité de Régulation des Jeux en Ligne; (III) DGA: Danish Gaming Authority; (IV) CNJ: Comisión Nacional del Juego; (V) GSCC: Games of Chance Supervision and Control Commission
  • Problem: Traceability is complex, and increases costs & time
    - Especially when each jurisdiction requires distinct and specific: data formats, server location, backup location, certifications, secure storage, data retention policies, language, ...
    - This wide heterogeneity creates additional complexity, delays go-to-market and increases running costs
    - [Diagram: core gaming platforms feeding one capture module per jurisdiction (.FR "Capteur", .DE, .DK, .ES "Capturador")]
  • Solution: Dictao simplifies operators' life
    - A single partner for every regulation: for all jurisdictions that do not impose a central system, and for all games
    - Dictao focuses on traceability only: we are regulation and traceability experts; we only extract the operator's data; we manage traceability data storage and download by the local regulator
    - [Diagram: operator platform (casino, sports book, poker, ...) connected through Dictao to the regulators DGA, ARJEL, S-H and CNJ]
  • Operators' benefits (1/3): Guaranteed compliance
    - We nurture close relationships with local regulators
    - Compliance with current regulations: first ARJEL-compliant 'Frontal' in France; DGA-compliant SAFE in Denmark; DGOJ-compliant Internal Control System (ICS) in Spain; first Schleswig-Holstein-compliant SAFE
    - Strategic commitment to comply with future regulatory requirements: 100% compliant with next-generation European (DE, NL, UK, ...) requirements; Dictao guarantees compliance with future regulation modifications
  • Operators' benefits (2/3): Flexibility
    - Business model flexibility:
      - Software license: the operator integrates and operates the service
      - Software as a Service (SaaS): Dictao hosts and operates the service on behalf of the operator
      - Managed service: Dictao operates the service hosted in the operator's premises
    - Integration flexibility: standard web services API; managed test environment; connection link over the internet or over a dedicated leased line
    - Technical flexibility: scalable, from a few to several thousand events per second; reliable, with high availability (>99.99%) and multiple sites
  • Operators' benefits (3/3): Cost-effectiveness
    - Low investment costs: the solution is based on existing in-house products; the development costs are spread across multiple customers; the SaaS platform shares infrastructure
    - Low recurring costs: one dedicated compliance team operates the vaults of several customers; evolutions in regulation are included
  • Examples of Control Systems: Spain, France, Denmark, Schleswig-Holstein
  • Spain – Technical architecture (diagram only; not reproduced in the transcript)
  • Spain – Authentication
    - Spain is introducing electronic IDs for its citizens ("DNIe", Documento Nacional de Identidad). One of the authorized player registration mechanisms is the digital certificate from the electronic ID.
    - The Spanish regulator has set up an online service to check personal details and verify the player's age using a national citizen database.
    - The Spanish regulator has set up an online service to check the banned player register. The register is updated hourly.
  • Spain – Traceability
    - Operators must implement a control and supervision system (internal control system)
    - Operators are responsible for running their internal control system
    - Transactions must be stored in near real-time in a Safe on Spanish soil
    - The regulator (CNJ) has real-time access to the Safe
    - Game software and hardware and the organization of the operator must be audited by an officially approved test lab
  • Spain – Traceability
    - Data is securely stored in a digital Safe:
      - Standardized XML format to allow uniform processing by the regulator
      - Main storage site located on Spanish soil
      - Digital signature to seal records (XAdES-BES 1.3.2)
      - Timestamps from an approved TSA (RFC 3161)
      - Encryption of records (AES-256)
      - Guarantee that the regulator has real-time access to the data via a secure channel
      - Data archived one year online
      - Data archived six years offline
    - The internal control system must be certified
  • France – Technical architecture (diagram only; not reproduced in the transcript)
  • France – Technical architecture
    - Front-end: in a standard web architecture, this is the presentation layer. This module implements the gambling site interface in French, including all the moderators required by the authority (e.g. pop-ups, warnings).
    - Data extraction ("Capteur"): this module retrieves the information relevant for control and oversight by the regulator. The regulator defines the nature and format of the data (XML).
    - Back-end relay: this module transfers the transactions initiated by gamblers to the operator's back-end gambling engines. Back-end servers may be located outside of France.
    - Digital Safe: the vault module collects the records produced by the Capteur to preserve them in a secure manner. If required, the future authority must be able to access the electronic vault either on site or remotely. The Safe must be certified (CSPN) by the French IT-security government agency (ANSSI).
  • France – Authentication
    - Player registration is a complex paper-based process. One step of the process is a letter sent by physical mail to the player's address with an activation code.
    - The regulator manages a national banned player register. Each operator must check its entire player base against that register at least once a month.
  • France – Traceability
    - Gaming activity is stored in real-time in a digital Safe. Data reflects the player's perspective.
      - Standardized XML format to allow uniform processing by the regulator
      - "Frontal" (Safe and capture device) located on French soil
      - Digital signature to seal records (XAdES)
      - Data protected with strong authentication mechanisms
      - Data encrypted with the regulator's public key (RSA); only the regulator can decrypt records
      - Operators are responsible for running the "Frontal"
      - Synchronous real-time processing
      - Data archived one year online
      - Data archived five years offline
      - The Safe must be certified (CSPN) by the French IT-security government agency (ANSSI)
  • Denmark – Architecture (diagram only; not reproduced in the transcript)
  • Denmark – Authentication
    - The regulator provides a central online service to check players against the banned player register (ROFUS/LUR). The regulator manages this central register. Each operator is required to check through the online service whether a player is banned or not.
    - Authentication at each login with NemID and an OCES digital signature. This is the same mechanism used for banks and online services of the public administration. The Danish service provider "DanID" runs this service for the government.
  • Denmark – Traceability
    - Standardized XML format to allow uniform processing by the regulator
    - Near real-time: data must be stored within five minutes of an event happening
    - The Safe location can be anywhere as long as the regulator has sufficient guarantees of access
    - Digital seals using the regulator's central tamper-proof system
    - Encrypted communication between the digital Safe and the regulator
    - Operators are responsible for running the "Frontal"
    - Data archived one year online
    - Data archived five years offline
    - End-of-day records
  • Schleswig-Holstein – Technical architecture (diagram only; not reproduced in the transcript)
  • Schleswig-Holstein – SAFE-server features
    - Location in Schleswig-Holstein
    - Near-real-time data capture
    - Certification by accredited third parties
    - Data encryption
    - Digital seals/signatures
    - Standards-based
    - 36 months data storage
    - Standardized data (XML): gameplay, financial, personal information
  • FAQ about...
    - Preventing fraud / AML
    - Real-time versus near-real-time data traceability
    - Control of data
    - Tax control
    - Minor and problem gambler protection
    - Dependency on the Authority
    - Service providers' standard compliancy
    - Technology suppliers & technology neutrality
  • Preventing fraud / AML (1/2)
    - Q: How is the traceability of money flows regulated?
      - Each financial transaction is sealed and stored in a safe
      - Regular analysis is performed by the Authority
      - The operator cash account is separated from the player money account (escrow)
      - Money may not be transferred between players except through gaming
      - Money may only be withdrawn to the named bank account associated with the relevant player account
      - In-kind winnings are traced as well (prize description and estimated value)
    - Dictao recommends all of the above
  • Preventing fraud / AML (2/2)
    - Q: How can security and continuity best be secured?
      - Security principles (best practices, not specific to iGaming):
        - Integrity: data is sealed through digital signature and chaining
        - Confidentiality: data is encrypted so that only the regulator may access it
        - Authentication: use strong credentials like digital certificates
        - Non-repudiation: data is signed
        - Availability: SLA requirements from operators and suppliers
      - Continuity and recovery:
        - Require a "Business Continuity Plan" and a "Data Recovery Plan" from operators and suppliers
        - Require all data to be backed up on a secondary site, with a maximum delay of recovery
    - Dictao recommends all of the above
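The sealed-and-chained record store that the Spain and France traceability slides and the integrity principle above describe, as an added example that is not Dictao's code: each XML event record carries a timestamp and the previous record's digest, and a regulator-side verifier rejects edited, re-keyed or removed records. Two stand-ins are assumed: HMAC-SHA256 replaces the XAdES/XMLDSig signature, and a caller-supplied UTC time replaces the RFC 3161 TSA token; encryption of the stored records is left out.

```python
"""Chained, sealed record log modelling the digital Safe (added example).
Stand-ins, by assumption: HMAC-SHA256 instead of an XAdES/XMLDSig signature
with an X.509 certificate, and a supplied UTC time instead of an RFC 3161
token from an approved TSA. The chaining and verification logic is real."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Constructed demo key; a real Safe would keep a private signing key in an HSM.
SEAL_KEY = b"constructed-demo-seal-key"
GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(body):
    # Deterministic serialization so the digest is reproducible on verification.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_record(event_xml, prev_digest, ts, key=SEAL_KEY):
    """Digest the event with its timestamp and the previous digest, then seal
    the digest. Malformed XML is rejected before it can enter the chain."""
    ET.fromstring(event_xml)
    body = {"event": event_xml, "timestamp": ts, "prev": prev_digest}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    seal = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {**body, "digest": digest, "seal": seal}


def append_event(safe, event_xml, ts=None):
    """Append one event to the Safe, chained to the last stored record."""
    prev = safe[-1]["digest"] if safe else GENESIS
    rec = seal_record(event_xml, prev, ts or datetime.now(timezone.utc).isoformat())
    safe.append(rec)
    return rec


def verify_safe(safe, key=SEAL_KEY):
    """Walk the chain as the regulator would; return (ok, index of first bad record).
    Catches edited records, seals made with another key, and gaps in the chain."""
    prev = GENESIS
    for i, rec in enumerate(safe):
        body = {k: rec[k] for k in ("event", "timestamp", "prev")}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        expected_seal = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if (rec["prev"] != prev or digest != rec["digest"]
                or not hmac.compare_digest(expected_seal, rec["seal"])):
            return False, i
        prev = digest
    return True, None


def demo():
    """Constructed sample events in a simplified XML shape (not a regulator schema)."""
    safe = []
    for xml in ('<bet player="p1" game="poker" amount="10.00"/>',
                '<deposit player="p1" amount="50.00"/>',
                '<withdrawal player="p1" amount="20.00" account="constructed"/>'):
        append_event(safe, xml, ts="2013-01-01T00:00:00+00:00")
    intact = verify_safe(safe)
    edited = [dict(r) for r in safe]
    edited[1]["event"] = '<deposit player="p1" amount="500.00"/>'  # tampered amount
    deleted = safe[:1] + safe[2:]  # middle record removed
    return intact, verify_safe(edited), verify_safe(deleted), verify_safe(safe, b"wrong")
```

`demo()` returns the verifier result for the intact chain followed by the three failure cases, each reporting the index at which the regulator's check would stop.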
  • Control of data (1/3)
    - Q: Option #1: all data flows through the server of the Gambling Authority (vault). What are the pros and cons?
      - MARKET CASE: centralized solution only implemented in Italy
      - (-) COST: very expensive for the regulator (platform to design and set up, a technical operation team to maintain, backup of the data to ensure, maintenance, several people to support operators). SOGEI employs 500 persons to perform data control
      - (-) RESPONSIBILITY: the regulator is responsible for tracing the data
      - (-) TIME: 6 to 12 months to set up the infrastructure
    - Dictao recommends not using this solution
  • Control of data (2/3)
    - Q: Option #2: the Gambling Authority provides access to a special server that securely stores a copy of the data. What are the pros and cons?
      - (+) BEST PRACTICE: decentralized solution used in FR, DK, SP, DE (E15 + SH)
      - (+) COST: very low cost for the regulator. For example, ARJEL employs 6 persons to perform data control
      - (+) TIMING: gaming operation may start, even if the regulator platform is not ready
      - (+) SLA: gaming operation may carry on, even if the regulator platform is down
      - (-) TCO / OPERATOR: standard TCO is < 1 to 0.5% of GGR
    - Dictao recommends the solution of a "distributed safe" placed under the responsibility of the operator
  • Control of data (3/3)
    - Q: Option #3: the data and its backup are located / hosted within the national borders of the regulator. What are the pros and cons?
      - (+) ENFORCEMENT: location of the safe in the regulated territory enables the regulator to seize it
      - (+) EU COMPLIANCE: hosting a safe in the national territory complies with EU jurisprudence, whereas requirements to locate the whole gaming server(s) there do not comply. Also avoids potentially complex and lengthy cross-border collaboration
      - (+) CONVENIENCE: country-hosted data facilitates the control of data completeness and data compliance with the requirements of the Authority (or a delegated third party)
      - (-) Backup data is not supposed to be seized, but data recovery from backup shall be quick
    - Dictao recommends a main data repository in the Authority's territory, a backup located in the EU, and a recovery delay of 48 hours
  • Tax control
    - Q: As lots of operators are located abroad, for tax control it is necessary for the Authority to access actual information. What are the best practices from other countries?
      - Require traceability of all money transactions (including bonus money and gaming network transactions)
      - Require aggregated financial reports from the operator and reconcile those reports with the information available in the safe
    - Q: Do you have any insight on how tax control is maintained in case of poker liquidity, where players from different jurisdictions participate in a game?
      - The only cross-country liquidity we are familiar with is Denmark
      - Only data regarding local players is traced in the safe; tax control is based on these data
    - Dictao recommends all of the above
  • Minor and problem gambler protection
    - Q: Do you have any insight on how problem gambling is monitored in different countries?
      - Availability of a centralized authorization service maintained by the Authority
      - Problem gambler list shared with land-based casinos
      - Operators required to check the authorization service during player registration and regularly during player logon
      - Technical aspects:
        - Preserve player confidentiality (operators shall not discover information about players they do not "know")
        - Use open standards like web services or DNS to allow all operator technologies to connect
        - High availability and performance
    - Dictao recommends all of the above
  • Dependency on the Authority
    - Q: How to prevent a dependency on the Authority, for the purpose of authenticity or communication, from forming a single point of failure for the industry?
      - Require a decentralized safe under the operator's responsibility
      - The only dependency on the Authority regards the authorization (blacklist) service:
        - For confidentiality, it should stay centralized
        - For availability reasons, it should be redundant
      - When the service is down:
        - Gaming operation is still allowed (thus downtime is not disruptive)
        - Account registration is temporary until the service is back up
    - Dictao recommends all of the above
  • Service providers' standard compliancy
    - Q: Dictao's strategy is to rely on standards. Could you elaborate on the standards?
      - The internet technology stack relies on standards at all levels, from hardware to application level.
      - Standards developed for e-commerce, e-government or e-banking applications are all applicable in the online gambling environment:
        - XSD/XML to define reporting formats
        - RFC 3161 to define timestamps
        - XMLDSig for digital seals
        - X.509 for digital certificates
        - ISO 27001 for IT security management
    - Dictao recommends using internationally recognized standards
  • Technology suppliers & technology neutrality (1/2)
    - Q: How can we prevent requirements on the availability of data from favoring certain suppliers?
      - The Authority should require the use of open standards instead of proprietary formats, technologies and solutions
      - Require application of best practices recognized by everyone
      - Have the Authority's technical experts assess the neutrality of the requirements
    - Dictao recommends all of the above
  • Technology suppliers & technology neutrality (2/2)
    - Q: According to EU law, requirements may not be directed towards a certain technology of certain suppliers.
      - Dictao does not recommend any technology, only standards
      - All standards Dictao recommends are open, patent-free and may be freely implemented by anyone
      - Dictao lobbies for Europe-wide standards
    - Dictao competes on the market with technology-neutral differentiators:
      - Turnkey SaaS infrastructure accelerates projects
      - Spreading investments over multiple clients lowers costs
      - Professional services to assist operators
    - Dictao recommends using these internationally recognized standards
  • Next step
    - Based on strong experience and proximity with regulators and operators, Dictao has built a template model of an ideal traceability system that:
      - Covers the needs of tax and fraud control, AML, and player protection
      - Facilitates integration by the operator
      - Is 100% technology-neutral
    - We would like to introduce this model to you at your earliest convenience
  • For more information, please contact: Frédéric Engel, fengel@dictao.com, +33 1 73 00 26 34, +33 6 13 42 38 98 (mobile), www.dictao.com, http://www.dictao.com/en/solutions/online-gambling