EEG Review Testing Certifications in the EU – (EEGReport – Magazine – Issue3 – June – September 2016)

EEGReport Magazine: Which legal acts of EU (laws, regulations, rules, ordinances, interpretations, instructions, letters and others) contain requirements and standards for certification/testing of the products of online betting (virtual games, races, wheel of fortune, poker) and online gambling (slots, live casino, poker)? (Please specify the type).

Andrew-Rosewarne-NMi-890x395_cAndrew Rosewarne: All the countries in Europe that have regulated online gaming have produced their own regulations and have their own licencing and enforcement bodies. NMi are approved to provide testing and certification in all 14 EU member states, that allow online gaming activity by international operators. There are also another half a dozen European jurisdictions that are not part of the EU. The remaining member states either have restricted operations or prohibit the activity. The most recent member states to regulate have been Portugal, Romania, and Lithuania.

EEGReport Magazine: Which requirements apply to the laboratories that carry out the above said certification/testing?

Andrew Rosewarne: The minimum requirement to be approved as a testing laboratory in most jurisdictions is accreditation to ISO 17025, the general requirements for the competence of testing and calibration laboratories. This is the same accreditation that is held by laboratories in other industries, drug testing for elite athletes being one that most people are aware of.

Some jurisdictions allow ISO 17020 as an alternative to ISO 17025 and many also require individual qualifications of the laboratory staff, some to masters level or beyond, mathematics being a common specified requirement.

Of course there are extensive background checks into owners and staff as well and some jurisdictions are requiring monetary guarantees to assure the company is on a strong financial footing, Romania being the most recent, asking for assurances of a quarter of a million Euros.

ISO 27001 seems to be emerging as the default security standard that regulators impose on online gaming licencees, either specifying a subset of that standard themselves or accepting full certification as an alternative.

In most cases the regulators are happy to have qualified ISO 27001 lead auditors or equivalent (CISA, CISSP) carry out the work, although an audit firm requires an ISO 17021 accreditation to certify an operator to ISO 27001.

EEGReport Magazine: Are there any universal standards/requirements for all or most EU member states?

Andrew Rosewarne: Gaming is not subject to the EU principle of mutual recognition, whereby if a product can be lawfully sold in one EU member state, it can automatically be sold in all others. Therefore, a license in the UK does not automatically allow operators to serve Portuguese citizens.

Having said this, there are two ways to potentially reduce the cost of certification across multiple regulated jurisdictions. Firstly is the International Association of Gaming Regulators (IAGR) Multi-Jurisdictional Testing Framework (MJTF), newly agreed upon by the UK, Denmark, Alderney, and The Isle of Man. The IAGR is an international body, but all regulators that have signed up for the MJTF are coincidentally based in Europe, with two member state gaming commissions present. A regulator participating in this scheme will recognise testing performed to this standard as sufficient for their jurisdiction without the need for unnecessary testing duplication or reporting requirements. It is anticipated that future phases of the framework will incorporate additional participating jurisdictions and scope of activities as only the Random Number Generator (RNG) portion if testing currently falls under the MJTF.

Secondly, whilst there isn’t a single Europe-wide technical standard for either the land based sector or igaming, there has been some convergence of standards across many regulated jurisdictions worldwide.  This has meant that at an operational level, it is possible for test labs to offer Transfers of Approval (ToA) across many regulated jurisdictions. In essence, this means testing a particular game for several jurisdictions at the same time. This ensures savings for the operators as any requirements that are repeated across any jurisdictions are only tested once. The test lab will then provide a set of test reports for each jurisdiction. This ensures significant savings as well as being able to launch games across many jurisdictions at the same time.

As previously mentioned the widespread adoption of ISO 27001 as a universal security standard is another example of this. After some initial work in aligning the time frames, it would not be unreasonable for a typical international operator to expect a single annual audit to cover the requirements for all jurisdictions in which they operate and full ISO 27001 would mitigate the need for any additional reporting to many regulators.

EEGReport Magazine:  If each EU country has its own standards/requirements regarding the above said certification/testing, is it possible upon completion of the certification/testing in the EU country with the strictest requirements to use further those certificates in the other EU member country with milder requirements? Or shall the operator carry out the above said certification/testing every time in each EU country he wants to operate?

Andrew Rosewarne: There is plenty of scope for re-using testing carried out in one jurisdiction for the purpose of certification in another. Examination of the game engine and underlying game mathematics is a common example of where this is possible, and with some jurisdictions requiring extensive reports around randomness and volatility, well beyond simple returns analysis, testing to the highest standard initially ensures, as long as the maths remain the same, we don’t need to visit the game maths again for future certifications. We can generally find savings anywhere where software components can be demonstrated to be unchanged.

Of course starting with the most stringent requirements involves extra effort on both sides so it is helpful if our customers understand which markets they are targeting early by defining a regulatory roadmap so we can tailor our testing accordingly.

In areas of localisation many requirements cannot be defined as more or less strict, but rather just different, and it is difficult to define any one jurisdiction as the high bar.

EEGReport Magazine: What kind of certificates (RNG certificate, games report certificate) will be sufficient for owner of the online casino or owner of the betting shop to promote its products (slots, roulettes, virtual games for betting) in the frames of b2b contracts within EU in order to comply with the requirements of the EU legislation in this part?

Andrew Rosewarne: A B2B supplier should be able to have their content tested once by a reputable gaming laboratory, for a target jurisdiction, and expect that those results will be able to be used by multiple operators that they supply. Of course, it is essential that the laboratory acting for the B2B is approved in the jurisdiction where the certification is sought.

As previously mentioned EU legislation is not a factor in current gaming regulation and B2B suppliers are treated in a variety of ways among the jurisdictions regulating online gaming. While most jurisdictions licence B2B suppliers this often just takes into account probity checks and doesn’t cross over into the technical side of the business.

At one end of the scale, B2B suppliers hold no status with the regulator with responsibility for the certification of the software system, in its entirety, lying with the operator. In these cases, gaming labs have had to come together in a spirit of mutual respect with the lab carrying out the operator certification considering the acceptance of testing reports from other accredited laboratories acting for the B2Bs. Other jurisdictions licence B2B suppliers and acknowledge their status to varying degrees.

Most jurisdictions also require the operator to complete integration testing of the product on the operator platform to ensure the correct communications and allocation of responsibilities between the two systems.

EEGReport Magazine: Are there any EU member states recommendations made by the public authorities, expressed in any form, regarding addressing to specific laboratories performing testing / certification in the EU? Or does the choice of lab entirely depend on the owner of the online casino website or the owner of the online betting website. May it happen that some laboratories have accreditation in particular countries?

Andrew Rosewarne: The vast majority of EU member states where online gaming is regulated maintain a list of laboratories from which they will accept reports or certifications. As this requires an application from the lab to the regulator, and the level of probity varies, not all labs are approved in all areas, and many labs operate in only one jurisdiction.

Denmark has adopted a different approach, only requiring ISO 17025 or ISO 17020 approval, but has supplemented this with ongoing requirements around the qualifications of the people carrying out the work.

In a small number of cases the lab is contracted and paid by the regulator, allocating the project without any consultation with the operator. In these instances the report may be delivered directly to the regulator as well as the operator.

However in the vast majority of cases, it is up to the operator to select a lab from those approved by the regulator, negotiate the contract and receive the certification or test report themselves for filing or passing to the regulator.

EEGReport Magazine: Which of the products of online betting (live events (sport, poker, lottery), virtual games (racing, wheel of fortune, poker ) ) and online gambling (slots, live casino, poker ) are subject to the above testing/certification, and for which is this procedure not obligatory?

Andrew Rosewarne: Again this varies from jurisdiction to jurisdiction but most regulators are now consistent in requiring certification of all products.

The recently published certification requirements for Romania include a clause requiring the assurance of “the accuracy, integrity, reliability, safety, transparency and confidentiality of all the activities and functions performed” by the gaming platform.

There is a particular focus on activities that are not visible to the player so many regulators specify specific tests around randomness and player returns in online slots and casino gaming, The reasoning behind this is that a player not being paid correctly on a winning sports bet would have no difficulty recognising this and taking it up with the operator, but a departure from randomness in a roulette or slot game, or other manipulation of an electronic game, could take place out of the players sight and is unlikely to be detected in a normal gaming session.

Bingo maintains a special status, exempting it from certification or testing in some jurisdictions.

But regardless of what regulators require, more than ever we are seeing operators themselves raise the bar on testing activities as they seek to limit risk in what is becoming an increasingly mature financial services industry. The modern gaming compliance manager has little appetite for the risk involved in leaving areas of their business outside the scope of independent certification.

EEGReport Magazine: In which areas of the European Union is your company licensed to conduct testing and certify products?

Andrew Rosewarne: NMi are licenced to provide testing, or our reports are accepted without the requirement for a licence, in all EU member states allowing online gaming activity by international operators, as well as covering jurisdictions in Canada, South America, the Caribbean, and Asia.

NMi have recently been granted a Class 2 licence to certify and audit in Romania and we are very proud to be one of only two labs approved there to date and to be able to provide this continuity of service to our loyal customers. Many of our customers are global players with expansive business strategies so our ability to cover all areas is important to them.

Romania is the culmination of a lengthy and time-consuming process for NMi’s regulatory team, requiring significant investment, but the experience of achieving approval in more than 25 i-gaming jurisdictions has stood us in good stead.

NMi are accredited, or have reports accepted, in Belgium, Bulgaria, Croatia, Denmark, Estonia, Hungary, Italy, Latvia, Malta, Portugal, Spain, the United Kingdom and most recently Lithuania, and of course Romania.