Regulators' traceability requirements and solutions for iGambling operators on new regulated markets 2013
1. DICTAO
152, avenue Malakoff
75116 PARIS, France
+33 1 73 00 26 00
www.dictao.com
Regulators’ Traceability Requirements
and Solutions for iGambling operators
on New Regulated Markets in Europe
Denmark, Spain, France & Schleswig-Holstein cases.
2013
Copyright Dictao 2012
2. Executive Summary
Dictao, leading supplier of iGambling IT Requirement-compliant solutions
Fact: Traceability is a key regulatory requirement in each new regulated market
Problem: Data traceability is complex, and increases costs & time
Solution: Dictao simplifies operators’ life, hides complexity, and reduces TCO
Operator benefits
Compliance, flexibility and cost-effectiveness
Market Cases of traceability requirements and gaming system architectures
Denmark, Spain, France and Schleswig-Holstein cases
Regulators’ Frequently Asked Questions
Next step: Dictao iGambling data traceability model
4. Dictao
Specialized in 3 areas:
Data traceability
Strong authentication
Electronic signatures
Dictao products power mission-critical applications across multiple sectors
Gaming, banking, industry, defense, government, …
Dictao products are certified EAL3+ by the French Network and Information Security
Agency (ANSSI), SigG and SigV by the Bundesnetzagentur in Germany, and 3-D
Secure by Visa and MasterCard.
5. Dictao in the iGaming industry
Main traceability offer built to answer compliance requirements:
E-vault product
Hosted services
Consulting services
But also player authentication and registration where eID can be used
Dictao is the industry’s leading technical compliance solution provider:
The only offer covering Spain, Denmark, France and Schleswig-Holstein
40+ operators are clients
9 out of the top 10 operators from eGaming Review’s Power50 list
45% of the first licensed operators in France
45% of the first licensed operators in Denmark
28 operators chose Dictao in Spain
First supplier in Schleswig Holstein
7. Fact: Traceability is a key regulatory requirement
Regulators see traceability as a means to achieve:
Consumer protection
Anti money laundering
Fight against fraud
Tax control
Traceability: pervasive in all regulated markets
Italy AAMS* and SOGEI’s centralized system (2009)
France ARJEL* ‘Frontal’ (2010)
Denmark DGA* ‘SAFE’ (2011)
Spain CNJ* ‘Almacen’ (2011)
Schleswig-Holstein ‘Kontrollsystem’ (2012)
Greece GSCC* ‘Supervision and Control IT System’ (2012 – est.)
Next EU markets
“E15” Germany, the Netherlands, Poland, Bulgaria…
(I) AAMS: Amministrazione autonoma dei monopoli di Stato
(II) ARJEL: Autorité de Régulation des Jeux en Ligne
(III) DGA: Danish Gaming Authority
(IV) CNJ: Comisión Nacional del Juego
(V) GSCC: Games of Chance Supervision and Control Commission
8. Problem: Traceability is complex, and increases costs & time
Especially when each jurisdiction requires distinct and specific:
Data formats
Server location
Backup location
Certifications
Secure storage
Data retention policies
Language
…
This wide heterogeneity
Creates additional complexity
Delays go-to-market
Increases running costs
[Diagram labels: Core Gaming Platforms; Capteur; Capturador; .FR, .DE, .DK, .ES]
9. Solution: Dictao simplifies operators’ life
A single partner for every regulation
For all jurisdictions that do not impose a central system
For all games
Dictao focuses on traceability only
We are regulation and traceability experts
We only extract operator’s data
We manage traceability data storage and download by the local regulator
[Diagram labels: Operator platform (Casino, Sportsbook, Poker, …); Dictao; DGA, ARJEL, S-H, CNJ]
11. Operators’ benefits (1/3): Guaranteed compliance
We nurture close relationships with local regulators
Compliance with current regulations
First ARJEL-compliant ‘frontal’ in France
DGA-compliant SAFE in Denmark
DGOJ-compliant Internal Control System (ICS) in Spain
First Schleswig Holstein-compliant SAFE
Strategic commitment to comply with future regulatory requirements
100% compliant with next generation European (DE, NL, UK, …) requirements
Dictao guarantees compliance with future regulation modifications
12. Operators’ benefits (2/3): Flexibility
Business model flexibility
Software license: operator integrates and operates the service
Software as a Service (SaaS): Dictao hosts and operates the service on behalf of the operator
Managed service: Dictao operates the service hosted in operator’s premises
Integration flexibility
Standard Webservices API
Managed test environment
Connection link
over the internet
over dedicated leased line
Technical flexibility
Scalable : from a few to several thousands of events per second
Reliable: high availability (>99.99%) and multiple sites
13. Operators’ benefits (3/3): Cost-effectiveness
Low investment costs
The solution is based on existing in-house products
The development costs are spread across multiple customers
The SaaS platform shares infrastructure
Low recurring costs
One dedicated compliance team operates the vaults of several customers
Evolutions in regulation included
18. Spain – Authentication
Spain is introducing electronic IDs for its citizens ("DNIe" – Documento
Nacional de Identidad). One of the authorized player registration
mechanisms is the digital certificate from the electronic ID.
The Spanish regulator has set up an online service to check personal
details and verify player’s age using a national citizen database.
The Spanish regulator has set up an online service to check the banned
player register. The register is updated hourly.
Copyright Dictao 2013
19. Spain – Traceability
Operators must implement a control and supervision system (internal
control system)
Operators are responsible for running their internal control system
Transactions must be stored in near real-time in a Safe on Spanish soil
The regulator (CNJ) has real-time access to the Safe
Game software and hardware and the organization of the operator must be
audited by an officially approved test lab
20. Spain – Traceability
Data is securely stored in a digital Safe:
Standardized XML-format to allow uniform processing by regulator
Main storage site located on Spanish soil
Digital signature to seal records (XAdES BES 1.3.2)
Timestamps from an approved TSA (RFC3161)
Encryption of records (AES-256)
Guarantee that regulator has real-time access via a secure channel to the data
Data archived one year online
Data archived six years offline
Internal control system must be certified
21. Examples of Control Systems
Spain
France
Denmark
Schleswig-Holstein
23. France – Technical architecture
Front-End
In standard web architecture, this is the presentation layer. This module implements the gambling site
interface in French, including all the moderators required by the authority (e.g. pop-ups, warnings).
Data extraction (“Capteur”)
This module retrieves the information relevant for control and oversight by the regulator. The regulator
defines the nature and format of the data (XML).
Back-end relay
This module transfers the transactions initiated by gamblers to the operator's back-end gambling
engines. Back-end servers may be located outside of France.
Digital Safe
The vault module collects the records produced by the capteur to preserve them in a secure manner. If
required, the future authority must be able to access the electronic vault either on site or remotely. The
Safe must be certified (CSPN) by the French IT-security government agency (ANSSI).
24. France – Authentication
Player registration is a complex paper-based process. One step of the
process is a letter sent by physical mail to the player‘s address with an
activation code.
The regulator manages a national banned player register. Each operator
must check its entire player base against that register at least once a
month.
25. France – Traceability
Gaming activity is stored in real-time in a digital Safe. Data reflects the
player‘s perspective.
Standardized XML-format to allow uniform processing by regulator
“Frontal” (Safe and capture device) located on French soil
Digital signature to seal records (XAdES)
Data protected with strong authentication mechanisms
Data encrypted with regulator public key (RSA). Only the regulator can decrypt records.
Operators are responsible for running the “Frontal”
Synchronous real-time processing
Data archived one year online
Data archived five years offline
Safe must be certified (CSPN) by the French IT-security government agency (ANSSI)
26. Examples of Control Systems
Spain
France
Denmark
Schleswig-Holstein
28. Denmark – Authentication
Regulator provides a central online service to check players against banned
player register (ROFUS/LUR)
The regulator manages this central register. Each operator is required to
check through the online service whether a player is banned or not.
Authentication at each login with NemID and an OCES digital signature.
This is the same mechanism used for banks and online services of the
public administration. The Danish service provider “DanID” runs this service
for the government.
29. Denmark – Traceability
Standardized XML-format to allow uniform processing by regulator
Near real-time: Data must be stored within five minutes of an event happening
Safe location can be anywhere as long as the regulator has sufficient guarantees to get access
Digital seals using the regulator‘s central tamper proof system
Encrypted communication between digital Safe and regulator
Operators are responsible for running the “Frontal”
Data archived one year online
Data archived five years offline
End-of-day records
30. Examples of Control Systems
Spain
France
Denmark
Schleswig-Holstein (Germany)
32. Schleswig-Holstein – SAFE-server features
Location in Schleswig-Holstein
Near-real time data capture
Certification by accredited 3rd parties
Data encryption
Digital seals/signatures
Standards-based
36 months data storage
Standardized Data (XML)
Gameplay
Financial
Personal information
34. FAQ about…
Preventing fraud/ AML
Real Time versus Near-Real Time data traceability
Control of data
Tax control
Minor and problem gambler protection
Dependency on the Authority
Service Providers’ Standard Compliancy
Technology suppliers & technology neutrality
35. Preventing fraud/ AML (1/2)
Q: How is the traceability of money flows regulated?
Each financial transaction is sealed and stored in a safe
Regular analysis is performed by the Authority
Operator cash account is separated from the player money account (escrow)
Money may not be transferred between players except through gaming
Money may only be withdrawn to the named bank account associated with the relevant
player account
In kind winnings are traced as well (prize description and estimated value)
Dictao recommends all of the above
36. Preventing fraud/ AML (2/2)
Q: How can the security and continuity best be secured?
Security principles (best practices, not specific to iGaming)
Integrity: data is sealed through digital signature and chaining
Confidentiality: data is encrypted so that only the regulator may access it
Authentication: use strong credentials like digital certificates
Non-repudiation: data is signed
Availability: SLA requirements from operators and suppliers
Continuity and recovery
Require a “Business Continuity Plan” and a “Data Recovery Plan” from operators and suppliers
Require all data to be backed up on a secondary site and maximum delay of recovery
Dictao recommends all of the above
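An added example (not Dictao's code and not any regulator's record format) of the integrity principle above: each record carries the hash of its predecessor and a seal, so edits, deletions and reordering are detectable. HMAC-SHA256 with a hypothetical key stands in for the signature seal the slides name (XAdES/XMLDSig), and all function names and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" used by the first record


def canonical(body):
    # Stable byte encoding so the same record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key, seq, prev_hash, event):
    """Build one sealed record that commits to its predecessor."""
    body = {"seq": seq, "prev": prev_hash, "event": event}
    record_hash = hashlib.sha256(canonical(body)).hexdigest()
    # Assumption: HMAC stands in for the digital-signature seal.
    seal = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    return {**body, "hash": record_hash, "seal": seal}


def append_event(log, key, event):
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append(seal_record(key, len(log), prev_hash, event))


def verify_log(log, key, expected_head=None):
    """Return a list of (index, problem); an empty list means intact."""
    problems = []
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        actual = hashlib.sha256(canonical(body)).hexdigest()
        good_seal = hmac.new(key, actual.encode(), hashlib.sha256).hexdigest()
        if rec["seq"] != i or rec["prev"] != prev_hash:
            problems.append((i, "chain broken"))
        if actual != rec["hash"]:
            problems.append((i, "content altered"))
        if not hmac.compare_digest(good_seal, rec["seal"]):
            problems.append((i, "bad seal"))
        prev_hash = rec["hash"]
    # Chaining cannot reveal missing newest records; compare to an anchored head.
    if expected_head is not None and prev_hash != expected_head:
        problems.append((len(log), "head mismatch"))
    return problems


def demo_log(key):
    # Constructed sample events for illustration only.
    log = []
    for event in ({"type": "deposit", "player": "p1", "amount": 50},
                  {"type": "bet", "player": "p1", "amount": 10},
                  {"type": "win", "player": "p1", "amount": 25}):
        append_event(log, key, event)
    return log
```

Removing the newest records leaves a shorter but internally valid chain, which is why `verify_log` accepts an `expected_head` held outside the log, for example the last hash the regulator has already received.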
37. Control of data (1/3)
Q: option #1: All data flows through the server of the Gambling authority
(vault). What are the pros and cons?
MARKET CASE: Centralized solution only implemented in Italy
- COST: Very expensive for the regulator (platform to design and set up, maintain technical
operation team, ensure backup of the data, maintenance, several people to support
operators) SOGEI employs 500 persons to perform data control
- RESPONSIBILITY: The regulator is responsible for tracing the data
- TIME: 6 to 12 months to setup the infrastructure
Dictao recommends not using this solution
38. Control of data (2/3)
Q: option #2: the Gambling Authority provides access to a special server
that securely stores a copy of the data. What are the pros and cons?
+ BEST PRACTICE: Decentralized solution used in FR, DK, SP, DE (E15 + SH)
+ COST: very low cost for the regulator.
For example, ARJEL employs 6 persons to perform data control
+ TIMING: gaming operation may start, even if the regulator platform is not ready
+ SLA: gaming operation may carry on, even if regulator platform is down
- TCO / OPERATOR : standard TCO is < 1 to 0,5% of GGR
Dictao recommends the solution of a “distributed safe” placed under the
responsibility of the operator
39. Control of data (3/3)
Q: option #3: the data and its backup are located / hosted within the
national borders of the regulator. What are the pros and cons?
+ ENFORCEMENT: Location of safe in the regulated territory enables regulator to seize it
+ EU COMPLIANCE: Hosting a safe in the national territory complies with EU jurisprudence,
whereas a requirement to locate the whole gaming server(s) there does not comply
Also avoids potentially complex and lengthy cross-border collaboration
+ CONVENIENCE: Country-hosted data facilitates the control of data completeness and data
compliance with the Authority (or delegated third party) requirements
- Back-up data is not supposed to be seized, but data recovery from back-up shall be quick
Dictao recommends main data repository in the Authority’s territory, a back-
up located in the EU, and a recovery delay of 48 hours
40. Tax control
Q: As lots of operators are located abroad, for tax control it is necessary for
the Authority to access actual information. What are the best practices from
other countries?
Require traceability of all money transactions (including bonus money, gaming network
transactions)
Require aggregated financial reports from the operator and reconcile those reports with the
information available in the safe
Q: Do you have any insight on how tax control is maintained in case of poker
liquidity, where players from different jurisdictions participate in a game?
The only cross-country liquidity we are familiar with is Denmark
Only data regarding local players is traced in the safe, tax control is based on these data
Dictao recommends all of the above
41. Minor and problem gambler protection
Q: Do you have any insight on how problem gambling is monitored in
different countries?
Availability of a centralized authorization service maintained by the Authority
Problem gambler list shared with land-based casinos
Operators required to check the authorization service during player registration and
regularly during player logon
Technical aspects
Preserve player confidentiality (operators shall not discover information about players they do
not “know”)
Use open standards like webservice or DNS to allow all operator technologies to connect
High availability and performance
Dictao recommends all of the above
42. Dependency on the Authority
Q: How to prevent that a dependency on the authority for the purpose of
authenticity or communication will form a single point of failure for the
industry?
Require a decentralized safe under the operator’s responsibility
The only dependency on the Authority regards the authorization (blacklist) service
For confidentiality, it should stay centralized
For availability reasons, it should be redundant
When the service is down
Gaming operation is still allowed (thus downtime is not disruptive)
Account registration is temporary until the service is back up
Dictao recommends all of the above
43. Service Providers’ Standard Compliancy
Q: Dictao’s strategy is to rely on standards. Could you elaborate on the
standards?
The internet technology stack relies on standards at all levels, from hardware to
application level.
Standards developed for e-commerce, e-government or e-banking applications are all
applicable in the online gambling environment:
XSD/XML to define reporting formats
RFC3161 to define time stamps
XMLDSig for digital seals
X509 for digital certificates
ISO27001 for IT security management
Dictao recommends using internationally recognized standards
44. Technology suppliers & technology neutrality (1/2)
Q: How can we prevent that requirements on the availability of data favor
certain suppliers?
Authority should require the usage of open standards instead of proprietary formats,
technologies and solutions
Require application of best practices recognized by everyone
Have the Authority’s technical experts assess the neutrality of the requirements
Dictao recommends all of the above
45. Technology suppliers & technology neutrality (2/2)
Q: According to EU law, requirements may not be directed towards a
certain technology of certain suppliers
Dictao does not recommend any technology, only standards
All standards Dictao recommends are open, patent-free and may be freely implemented
by anyone
Dictao lobbies for European-wide standards
Dictao competes on the market with technology-neutral differentiators
Turnkey SaaS infrastructure accelerates projects
Spreading investments over multiple clients lowers costs
Professional services to assist operators
Dictao recommends using these internationally recognized standards
46. Next step
Based on strong experience and proximity with regulators and operators,
Dictao has built a template model of an ideal traceability system that:
Covers the needs of tax and fraud control, AML, player protection
Facilitates integration by the operator
Is 100% technology-neutral
We would like to introduce this model to you at your earliest convenience
47. For more information, please contact:
Frédéric Engel
fengel@dictao.com
+33 1 73 00 26 34
+33 6 13 42 38 98 (mobile)
www.dictao.com
http://www.dictao.com/en/solutions/online-gambling