The intent of this risk theme is to ensure that regulated entities have a sound control environment, and an organizational structure that promotes good governance, accountability and oversight, as well as transparency in dealings with the AGCO.
The regulatory risks associated with this theme are:
1.01 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: Management in the context of this Standard refers to executives and senior-level management who have the day-to-day responsibility of managing the business of the organization.
1.02 Operators and gaming-related suppliers shall develop, document and implement formal control activities to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be authorized by the appropriate level of management. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
1.03 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist.
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.04 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.
1.05 A personnel security screening process shall be in place for any director or officer, and any employee, agent or consultant, at a level that is appropriate for the individual’s role in the organization. (Also applicable to Gaming-Related Suppliers)
1.06 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.07 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.08 Management clearly understands its accountability and authority for the control environment. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Management shall have been trained and have knowledge of the organization’s control environment, the regulatory risks that the controls are designed to mitigate, and the regulatory objectives reflected in the Standards and Requirements.
1.09 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated. (Also applicable to Gaming-Related Suppliers)
1.10 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where considered necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.
1.11 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.
Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.
1.12 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1.13 Registrants shall engage with the Registrar in a transparent way. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum, Operators shall:
1.14 The Operator shall ensure that investigators (OPP or Registrar) are able to monitor and participate in games.
1.15 A mechanism shall be in place to allow players to contact the Operator in a timely fashion with issues and complaints relating to their player account, funds management, game play or any matter related to compliance with the Standards and Requirements. The Registrar shall be notified of any such issues or complaints, in accordance with the established notification matrix.
1.16 Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner.
Requirements – At a minimum:
1.17 Relevant information about the AGCO shall be displayed and easily accessible to the player.
1.18 Operators and gaming-related suppliers shall only contract with reputable suppliers. (Also applicable to Gaming-Related Suppliers)
1.19 Operators are responsible for the actions of third parties with whom they contract for the provision of any aspect of the Operator’s business related to gaming in Ontario and must require the third party to conduct themselves in so far as they carry out activities on behalf of the operator as if they were bound by the same laws, regulations, and standards.
1.20 Operators and gaming-related suppliers shall maintain a list of suppliers that provide them with goods or services in relation to lottery schemes and shall make it available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
1.21 Operators must ensure that no independent third parties that engage in direct-to-consumer marketing, direct-to-consumer promotion, or player referral services for the Operator under contract, in exchange for commissions, or for any other form of compensation also undertake such activities related to online gaming sites that facilitate or accept wagers from players in Ontario without an AGCO registration.
Guidance: This Standard covers the activities of those entities that Operators and others in the gaming industry commonly refer to as “affiliates” or “marketing affiliates”, which are often paid or otherwise compensated to refer customers to another business’ products, services, or websites through direct-to-consumer marketing services. This commonly understood term used among gaming registrants and other entities involved in gaming, and known as “affiliates” or “marketing affiliates”, is used here for guidance purposes only, and is distinct from how that term may be used in any other regulatory scheme.
1.22 Operators and gaming-related suppliers must cease all unregulated activities if, to carry out those same activities in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA.
Operators and gaming-related suppliers shall not enter into any agreements or arrangements with any unregistered person who is providing the operator or gaming-related supplier with any goods or services if, to provide those goods and services in iGaming Ontario’s regulated online lottery scheme, it would require registration under the GCA. [Added: October, 2022]
Note: For greater certainty, and without limiting the generality of any other Standard, this Standard applies to and governs applicants.