In December 2015, the Malta Gaming Authority (hereinafter referred to as the ‘MGA’) published a new set of guidelines dealing with the technical infrastructure, hosting, gaming and control systems used by remote gaming licensees (the “Guidelines”). The guidelines were drawn up following a public consultation on the use of cloud solutions by the remote gaming industry.
Online gaming operators often locate their servers in jurisdictions other than the one in which they are licensed. The infrastructure can be owned or outsourced – or a hybrid of both. This creates the need for different control and oversight requirements with regard to the proper governance of an online gaming operation. The introduction of cloud-based solutions offers a number of advantages for the operator. The operator’s choice often depends on a number of factors, such as costs, operational resources, reliability, and so on. The chosen solution will need to suit the operator’s regulatory, operational and technological situation.
As part of the MGA’s regulatory functions, and in order to safeguard player and regulatory interests, the authority ensures adequate supervision over an operator’s gaming and control systems and requires an environment with the necessary level of security and data integrity. Having the infrastructure located in Malta allows the MGA to carry out timely audits and investigations. The authority has adapted to the various technological changes and the increase in multi-jurisdictional operations, allowing operators to capitalise on technological developments, such as cloud solutions, while continuing to ensure the required compliance.
The purpose of the guidelines is to underline and update the MGA’s approach when implementing its regulatory requirements and procedures with respect to technical infrastructure. The aim is to guide stakeholders, including operators and other providers, on the authority’s compliance objectives, and to make clear what goes into the authority’s evaluation of an applicant’s or a licensee’s technical setup. The MGA recognises the need to take a principles-based approach, as opposed to a set of prescriptive rules. This approach is built on risk evaluation, which is one of the main determining factors when it comes to accepting and approving a particular proposal. A key factor is the applicants’ and licensees’ willingness to mitigate risks. An open dialogue between applicants/licensees and the MGA is necessary for the adoption and implementation of the principles-based approach. The intended effect is to allow operators to reap the benefits of technological developments, including cloud solutions, without jeopardising the authority’s regulatory interests and outcomes.
These guidelines will continue to apply to all remote gaming licensees and applicants – since these principles are already embedded in the MGA’s internal regulatory policies and administrative practices – but the authority is also urging service providers of co-location and cloud services to be guided by the same standards set forth in the guidelines.
High-Level Principles and Regulatory Objectives
The general principles that are found at the core of the guidelines are based on proportionality, consistency of outcomes, and suitability. The application and requirements of the MGA guidelines are to be proportionate to the risk posed by the technical infrastructure and configuration presented by the operator. The MGA intends to achieve consistent regulatory outcomes by ensuring consistent regulatory performance on the part of the operators. Having a principles-based approach in place will allow for adaptability in how the regulatory objectives and outcomes are met.
It is important to ensure that the physical infrastructure – and its location – can sufficiently guarantee that the regulatory data is safe, secure and accessible at all times for compliance, consumer protection and business continuity purposes. The MGA aims to ensure the integrity of regulatory data – including transaction logs and gaming functionality. For this to be possible, the MGA must have access to the gaming and transaction logs at all times. More specific regulatory objectives include ensuring that personal, financial, and gaming data comply with data protection rules. The licensee is responsible for the attainment of the established and desired standards of these principles.
Implementation and Conformity with Objectives
Specifically with regard to the integrity and security of the hosting architecture, licensees and applicants are required to provide details of the technical infrastructure showing all the hardware and virtual machines in operation, as well as a list of all geographic locations and addresses of the premises where the gaming systems and control systems are located and the regulatory data is stored. The architecture may be located in Malta, in any EEA Member State, and/or in any third-country jurisdiction. The important factor is that the authority can ascertain that the same principles can be satisfied in that location.
The MGA requires hosting locations to conform to a high level of information security and to be subject to an Information Security Management System (‘ISMS’). This applies even during any period in which a license is suspended. The MGA requires operators to abide by specific ISO Standards as well as the PCI Security Standards; the latter are intended to enhance payment card data security. The application process for hosting locations that are certified to the above standards will be facilitated, but such hosting locations may still be required to produce proof of certification.
Components that carry an increased risk in any of the following areas are considered to be critical in nature: Regulation; Business Integrity; Safety; Privacy; and Compliance. The MGA considers the following to be critical components: Random Number Generators; Jackpot Servers; Player Database Servers; Financial Database Servers; Gaming Database Servers; and any other component deemed to be critical by the authority.
Operators that would like to make use of cloud services for hosting any of their critical components must conduct a risk assessment that meets the ISO Standards required by the MGA. The assessment should include the core elements of risk management and must be tailored to the operator’s operational setup.
According to the authority, for the proposed architecture to meet the guidelines’ principles, the critical components must be hosted in a private cloud environment that is not shared with other tenants on the same cloud, so that the integrity and security of the critical components are not put at risk. The MGA requires the regulatory data to be accessible, available and traceable in order for the authority to perform its regulatory function. The authority requires access to real-time information, which can be difficult to obtain if the data is stored in a different jurisdiction or in the cloud. Real-time replication of the data to a live replication server in Malta can overcome this obstacle.
MGA Requirements for the Replication of Data
An application submitted to the MGA must include details about the replication server and its connectivity to the live server, including details of the security protocols that are in place. In order to provide assurance that the data is being replicated in real time, details of the replicated data and its transmission frequency need to be provided. A procedure must also be established to give the MGA access to the replication servers for electronic and physical inspections.
The MGA reserves the right to request additional information beyond that provided for in these guidelines, given the differences between setups and the complexities these may lead to. Thus, specific adaptations may be required for there to be compliance with the law and the principles of the regulations.