GLI-19 v3.0: What Every Online Casino Game Must Meet to Pass Certification

GLI-19: Standards for Interactive Gaming Systems version 3.0, revised July 17, 2020, is the global technical reference against which online casino games and the platforms that run them are certified. Across four core chapters and three operational audit appendices, the standard defines what an independent test laboratory (ITL) must verify before a product can legally go live in any jurisdiction that adopts or references GLI-19. That includes Ontario under the AGCO’s Registrar’s Standards, the UKGC through its Remote Gambling and Software Technical Standards (RTS), and Spillemyndigheden through its SCP certification programme. Compliance teams preparing a game or platform for multi-market release need to understand what each chapter demands, because failures at the testing stage are not administrative: they delay market entry, sometimes by months.

What GLI-19 v3.0 Actually Governs

GLI-19’s scope covers the full technical stack of a conventional online casino operation: the random number generator and its statistical validation, game server logic, game client presentation, account management systems, transaction processing, and responsible gambling controls embedded at the system level. The standard applies to both software suppliers building game content and operators configuring and hosting those games. GLI-19 makes this dual applicability explicit, noting that “because of the integrated nature of an Interactive Gaming System, there are several requirements in this document which may apply to both operators and suppliers.”

Where a product is offered as a white-label configuration, the final configuration to be used in the production environment must be communicated to the ITL. Certification of a platform does not automatically certify the games on top of it, and vice versa. Suppliers who assume a certified platform extends coverage to their game content frequently discover this boundary during scope discussions with the ITL.

Chapter 3: Random Number Generator Requirements

Chapter 3 is the highest-scrutiny section of GLI-19 for most game products. The standard classifies RNGs into three types: software-based RNGs that derive randomness from a computer algorithm without hardware input, hardware-based RNGs that use physical phenomena such as thermal noise, electric circuit feedback, or radioactive decay, and mechanical RNGs that generate outcomes through physical laws. Each type carries its own testing protocol.

Section 3.2.1 requires the ITL to review the source code for all core randomness algorithms, including scaling algorithms, shuffling algorithms, and any other function that plays a critical role in the final random outcome. This source code review is not optional and cannot be substituted by black-box statistical testing alone. Suppliers must provide access to proprietary code, and the ITL will assess it against the full requirements of the chapter.

Section 3.2.3 establishes the distribution requirement: each possible RNG selection must be equally likely to be chosen. Where the game design specifies a non-uniform distribution, the final outcome must conform to the intended distribution, and all scaling, mapping, and shuffling algorithms must be verified as unbiased. Discarding RNG values is permissible where necessary to eliminate bias, but the mechanism must be documented.

Section 3.2.4 governs independence: knowledge of the numbers chosen in one draw must not provide information on numbers chosen in a future draw. If the RNG selects multiple values within a single draw, knowing one value must not reveal any other value within that draw, unless the game design specifically provides for that correlation.

For physical randomness devices used in live casino and some specialised game formats, Sections 3.3 and 3.4 impose additional requirements. The device must not allow players or gaming attendants to manipulate or influence the physical randomness mechanism in any way that affects outcome data, except as intended by the game design. Approved components of a certified physical randomness device cannot be swapped for unapproved equivalents: a shuffler certified for plastic cards cannot be treated as equivalent to the same shuffler using paper cards.

Chapter 4: Game Requirements and the Outcome Integrity Rules

Chapter 4 covers the full breadth of game-level requirements: the player interface, rules of play, game fairness, outcome determination, RTP, progressive jackpots, game recall, and specialised game types. The chapter’s central principle is that outcomes of chance must be determined solely by an approved RNG, without any adaptive or outcome-biasing mechanism interfering between the RNG call and the result shown to the player.

Section 4.6 sets out the outcome integrity rules that ITLs test directly:

“The game shall not modify or discard outcomes selected by the RNG due to adaptive behavior… After selection of the game outcome, the game shall not display a ‘near miss’ where it makes a variable secondary decision which affects the result shown to the player. For example, if the RNG chooses a losing outcome, the game shall not substitute a different losing outcome to show to the player than that originally selected.”, GLI-19 v3.0, Section 4.6

The near-miss prohibition is absolute. A game that applies any secondary selection process to modify the displayed losing outcome, regardless of how the artwork presents it, fails this test. Section 4.6 also prohibits a game from adjusting the likelihood of a bonus or feature occurring based on award history from previous games, and from adapting its theoretical return based on past payouts. These adaptive behaviour rules are among the most scrutinised during certification and among the most common reasons for initial failures in complex, feature-heavy slots.

Section 4.6.4 addresses live game correlation: unless the artwork indicates otherwise, where a Gaming Platform offers a game recognisable as a simulation of a live casino game such as poker, blackjack, or roulette, the same probabilities associated with the live game must be evident in the simulation. A single-zero European roulette simulation must reflect 1-in-37 odds per number, a double-zero American version, 1-in-38.

What Does GLI-19 Require for RTP?

Section 4.7.1 states that the minimum RTP requirement for a game “shall be met using a strategy of play that provides the greatest return to the player over a period of continuous play.” For games with progressive or incrementing jackpots that factor into the RTP calculation, the minimum percentage must be met using the lowest available jackpot parameters during the expected lifetime of the game, not average values or peak jackpot projections. This is a critical detail for suppliers designing games where the RTP depends substantially on a progressive jackpot contribution.

Section 4.7.2 governs RTP display. At a regulatory body’s discretion, the artwork may be required to display the RTP for each house-banked game. When displayed, the artwork must fully explain how the displayed RTP was determined, whether minimum, maximum, or average, and for games affected by player skill, the displayed RTP must be based on a specific strategy advertised in the game rules.

Ongoing monitoring obligations flow through Appendix A Section 6.2: operators must have procedures in place to periodically compare theoretical and actual RTP percentages, identify variances, and investigate any abnormalities. Any deviation where the actual RTP for a period falls outside the expected range must be logged as an error and escalated. The standard notes that best practice monitoring includes independent mapping between RNG output and game symbols to verify game symbol usage.

Player Interface and Game Information Obligations

Section 4.2 establishes the player interface requirements. The default game display upon entering from a main menu or game chooser screen must not correspond to the highest advertised award unless that was the outcome of the player’s last game. This prevents misleading presentation that implies the highest award is the default state of the game.

Game information and rules of play must be accessible to the player. Section 2.6.9 of the standard requires that player software be able to display, either directly from the player interface or via an accessible page, the gaming rules, paytable information, return to player data where required by the regulatory body, and responsible gambling controls. Where screen real estate is limited, an abridged version of game information may be presented directly, provided the full version is accessible through a clearly identified secondary screen or help interface.

Section 4.3 governs the gaming session. A game cycle consists of all player actions from wager to wager. Amounts wagered at any point during a game cycle must be immediately subtracted from the player’s credit meter or account balance, and a wager must not be accepted if it would cause a negative balance. The standard specifies that certain game elements must be treated as part of a single game cycle: games that trigger free spin bonuses and subsequent free games, second-screen bonus features, and any other linked feature games.

Section 4.14.1 mandates a game recall facility. A player must be provided with a recall function, either as a real-time display or a retrievable record, covering the most recent completed game cycles. The recall must include the results associated with the final outcome, the funds available for wagering, total amounts wagered and won, the results of any player choices, and any progressive or incrementing jackpot awards. This recall obligation is directly tested during the certification engagement.

Account Management, Player Protection, and Responsible Gambling Controls

Chapter 2 and Appendix A Section 3.8 of GLI-19 embed responsible gambling and player protection requirements at the system level. Section 2.5.1 requires player account registration and verification before a player may participate in interactive gaming. The system must collect personally identifiable information (PII) prior to account registration and support multi-factor authentication for account unlocking after a lock event such as three consecutive failed access attempts within a 30-minute period.

Section 2.5.4 requires automatic re-authentication after 30 minutes of inactivity on a remote player device, or a shorter period if required by the regulatory body. No further games or financial transactions are permitted until the player re-authenticates.

Appendix A Section 3.8 covers limitation and exclusion systems. Where a player reduces the severity of a self-imposed limitation, for example by raising a deposit limit, the system must enforce a minimum 24-hour delay before the relaxed limit takes effect. Operator-imposed limits must be communicated to players in advance with effective dates. Upon receiving any exclusion order, no new wagers or deposits may be accepted from the excluded player, and the system must implement the exclusion immediately. The excluded player must not be prevented from withdrawing their available account balance, provided the operator has cleared the funds and exclusion reasons do not prohibit withdrawal.

Player protection information covering risks of excessive gaming, underage exclusion, available self-limitation tools, and complaint contact details must be available at all times, and all links to third-party problem gambling services must be regularly tested by the operator. Interactive gaming cannot occur where those links are non-functional.

The Three Operational Audit Appendices

GLI-19’s operational audit appendices are frequently underweighted by suppliers focused on game-level testing but carry direct compliance significance for operators in regulated markets. The UKGC’s RTS and the MGA’s technical infrastructure requirements both use frameworks consistent with these appendices.

Appendix A: Operational Audit for Internal Controls covers the internal controls, procedures, and practices for gaming operations, including establishing gaming rules, managing games, handling gaming and financial transactions, creating and managing progressive jackpots, player account management, and fundamental practices relevant to risk limitation. This appendix defines the scope of the operational audit that regulators or their designated ITLs conduct against operator implementations.

Appendix B: Operational Audit for Technical Security Controls includes review of operational processes critical to compliance, penetration testing of external and internal infrastructure, and assessment of applications transferring, storing, or processing PII and other sensitive information. Section 2.3.2 of the standard requires critical control program components to be verified as authentic using a cryptographic hash algorithm producing a message digest of at least 128 bits, at minimum once every 24 hours. Appendix B Section B.7.5 requires firewalls to log all configuration changes and all successful and unsuccessful connection attempts, and to allow remote access only using encryption meeting current accepted standards such as ISO/IEC 19790, FIPS 140-2, or equivalent.

Appendix C: Operational Audit for Service Providers covers location services, payment processors, cloud services, and live game service providers. Section C.5.2 requires location service providers to maintain a real-time data feed of all location checks, offer an alert system for unauthorised or improper access, and deliver routine supplemental fraud reports covering suspicious activity and malicious players. For operators relying on third-party location verification to enforce jurisdictional access controls, this appendix defines what the provider must demonstrate during audit.

Which Regulators Mandate or Reference GLI-19

GLI-19 was, on its release, the world’s first global interactive gaming standard. The standard itself acknowledges the regulators whose documentation informed its development, including the UK Gambling Commission, the Malta Lottery and Gaming Authority, the Danish Gambling Authority (Spillemyndigheden), Spain’s DGOJ, and the Alderney Gambling Control Commission. That developmental input translates directly into adoption patterns.

The AGCO’s Registrar’s Standards for Internet Gaming, Standard 4.08 (last amended April 2025), states explicitly: “All igaming games, random number generators and components of igaming systems that accept, process, determine outcome of, display, and log details about player bets, including any subsequent modifications, must either be approved by the Registrar or certified by an independent testing laboratory registered by the Registrar, as per the AGCO’s ITL Certification Policy, prior to being provided for any gaming site.” In practice, GLI is the primary ITL registered with the AGCO for this purpose, and GLI-19 is the standard against which game and RNG certification is conducted. For compliance professionals working on Ontario market entry, understanding GLI-19’s Chapter 3 and Chapter 4 requirements is inseparable from meeting Standard 4.08. For a broader view of Ontario regulatory obligations, see our guide to AGCO compliance lessons for new entrants.

The UKGC’s Remote Gambling and Software Technical Standards do not mandate GLI-19 by name, but RTS 7 (Generation of random outcomes) and the associated RTS requirements for game fairness align materially with GLI-19 Chapter 3 and Chapter 4. The UKGC permits licensees to use certified ITL reports as evidence of compliance with the RTS, and GLI is an approved testing facility for UKGC purposes. RTS 7A requires that a software RNG be such that it is computationally infeasible to predict the next number without complete knowledge of the algorithm and seed value, a requirement mirrored in GLI-19 Section 3.2.4. The RTS also requires that random number generation does not reproduce the same output stream or cause two RNG instances to synchronise, consistent with GLI-19’s independence requirements.

Spillemyndigheden’s certification programme for online casinos (SCP.07.03.EN, Requirements for Games, Online Casino) and the companion SCP.01.00.EN (Requirements for RNG) constitute Denmark’s mandatory technical certification framework for onlinekasino licenceholders. Game suppliers providing content to Danish licenceholders must hold current SCP.07.03 game certificates. While Spillemyndigheden’s programme uses its own document structure, the RNG and game fairness requirements it imposes draw from the same regulatory principles codified in GLI-19, and GLI holds accreditation to conduct SCP testing for the Danish market.

The MGA, as part of its technical infrastructure requirements for remote gaming licensees, requires that the integrity of gaming and financial transaction logs be ensured at all times, and that game integrity be validated via audits and independent testing facilities confirming the randomness of results. MGA-licensed B2B game suppliers must hold certificates from an approved testing laboratory for their game content before that content can be offered through an MGA-licensed platform. GLI-19 certification satisfies that requirement for the vast majority of game types.

GLI-19 certification functions as a passport: operators in Ontario, Malta, Denmark, and the UK all need to confirm game-level compliance before market access, and a current GLI-19 certificate from a recognised ITL addresses the technical game fairness and RNG integrity obligations across all four jurisdictions simultaneously, provided the certificate covers the specific game configuration deployed.

What the Certification Audit Actually Checks

The certification engagement begins with scope agreement. The ITL and the submitting party define the system boundaries: which components are being evaluated, what configurations are in scope, and whether the submission relates to a platform, a game, or both. Suppliers submitting a game for certification against GLI-19 must provide documentation, credentials, and access to a production-equivalent test environment.

For the RNG chapter, the ITL conducts source code review of all core randomness and scaling algorithms, applies the relevant statistical test battery, and tests the independence and distribution properties of the RNG output. For hardware-based RNGs, the ITL also assesses the physical entropy source and its resistance to degradation over time. For mechanical RNGs including live game shuffle machines, physical data collection protocols apply under Section 3.4.2.

For game logic, the ITL verifies that outcome determination follows Section 4.6’s requirements precisely: no adaptive behaviour, no near-miss substitution, no correlation with prior game history. Paytable mathematics are validated against the claimed RTP, using the lowest jackpot parameter methodology for progressive games. The ITL checks that the game client does not influence outcome, the game server must hold authoritative game state, and the client must render results faithfully without the ability to affect what the server has computed.

The certification audit also covers the player interface requirements of Section 4.2 and the game information obligations of Section 2.6.9. Game recall (Section 4.14.1) is tested by the ITL to confirm the facility is present, accurate, and accessible. For complex multi-player or live game submissions, additional review applies under Section 4.18 and Appendix C respectively.

Upon successful completion of testing, the ITL issues a certificate of compliance. Any subsequent material change to the certified product, including changes to RNG implementation, paytable parameters, or game logic, triggers the need for re-evaluation under GLI-19’s change management principles, aligned with the regulatory body’s change management requirements such as Spillemyndigheden’s SCP.06.00.EN. Operators and suppliers should maintain a change log mapped against certified components so that re-submission triggers are identified before deployment, not after. For a detailed look at how system audit documentation obligations intersect with MGA requirements, see the MGA System Audit Requirements guide.

Qualified legal counsel should be consulted for jurisdiction-specific application of GLI-19 certification requirements, particularly where a regulator has supplemented or modified the standard’s provisions through local licensing conditions.

Key Resources

GLI-19: Standards for Interactive Gaming Systems v3.0 (July 17, 2020), available from Gaming Laboratories International at www.gaminglabs.com. The primary technical standard, distributed without charge.

UKGC Remote Gambling and Software Technical Standards, published by the UK Gambling Commission at gamblingcommission.gov.uk. RTS 7 covers random outcome generation, RTS 1 and RTS 4 cover account information and game information obligations respectively.

AGCO Registrar’s Standards for Internet Gaming, Standard 4.08 (amended April 2025) sets out the mandatory ITL certification requirement for all Ontario games and RNGs. Published at agco.ca.

Spillemyndigheden Certification Programme, SCP.01.00.EN (Requirements for RNG) and SCP.07.03.EN (Requirements for Games, Online Casino) constitute Denmark’s mandatory game certification framework. Published at spillemyndigheden.dk.

MGA Technical Infrastructure, Remote Gaming, the MGA’s technical infrastructure guidance sets out hosting, data integrity, and game certification requirements for B2B and B2C licensees. Published at mga.org.mt.