GLI-33 v1.1 Event Wagering Systems: Sports Betting Platform Certification Requirements Explained

GLI-33: Standards for Event Wagering Systems, version 1.1 (revised May 14, 2019) is the primary technical benchmark against which sports betting platforms are evaluated for independent certification by Gaming Laboratories International (GLI). The standard spans system architecture, control program integrity, wagering device classifications, player account management, operational procedures, and security controls. Compliance teams preparing a platform for regulatory approval in jurisdictions that reference GLI standards need a precise, chapter-level understanding of what the evaluation covers, not a summary of what makes GLI-33 different from GLI-19, but a working map of the specific obligations the standard imposes on the Event Wagering System itself.

What GLI-33 v1.1 Certifies, and What It Does Not

The standard defines an Event Wagering System as a technology platform that accepts wagers on the outcome of real-world events: sports contests, pari-mutuel races, and similar competitions where outcomes are determined independently of any random number generator. GLI-33 v1.1 was developed by consulting regulatory frameworks from the Nevada Gaming Commission and Gaming Control Board, British Columbia’s Gaming Policy and Enforcement Branch (GPEB), the Association of Racing Commissioners International (ARCI), the Tasmanian Liquor and Gaming Commission, the Victorian Commission for Gambling and Liquor Regulation, the Danish Gambling Authority, and the Spanish Directorate General for the Regulation of Gambling (DGOJ), among others.

The standard is explicit on one structural point that has direct operational consequences: it is not a prescriptive universal ruleset. GLI-33 section 1.3.1 states that the document “does not represent a set of prescriptive requirements that every Event Wagering System and operator shall comply with,” but rather establishes the technology and procedural baseline against which a specific system is measured. Regulatory bodies may adopt the standard in whole or in part, and they routinely add jurisdiction-specific overlays. Teams preparing for certification must therefore identify which version of the standard applies in their target jurisdiction, along with any local modifications.

Operators and suppliers building platforms that combine event wagering with RNG-based casino games need to be aware that GLI-33 alone does not cover the casino component. A hybrid platform will require certification under both GLI-33 and GLI-19 (Standards for Interactive Gaming Systems, currently v3.0), and the two certification engagements run independently with separate scope agreements and test environments.

Chapter 2: System Architecture and Control Program Integrity

Chapter 2 of GLI-33 v1.1 sets the technical foundation for the Event Wagering System as a whole. Section 2.1.1 establishes that where the system is distributed across multiple sites, every component and every communication link between them must conform to the applicable technical requirements. This is significant for cloud-hosted sportsbook architectures: the certification perimeter does not shrink because components are geographically dispersed or operated by third parties.

Section 2.3.2 governs control program authentication. The authentication mechanism must use a hash algorithm with a key length of at least 128 bits and must cover all critical control program components that could affect wagering operations. These include executables, libraries, wagering and system configurations, operating system files, components that control required reporting, and database elements that affect system operations. If any component fails authentication, the system must provide an explicit authentication failure indication rather than failing silently.

Section 2.3.3 requires that each critical control program component be verifiable via an independent third-party verification procedure. The third-party process must operate independently of any process or security software within the system itself. The independent test laboratory approves the integrity check method prior to system approval. Section 2.3.4 adds that after any shutdown, automatic restart is permitted only after all program resumption routines and self-tests have completed successfully and all critical components have been re-authenticated.

“Each critical control program component of the Event Wagering System shall have a method to be verified via an independent third-party verification procedure. The third-party verification process shall operate independently of any process or security software within the system.”, GLI-33 v1.1, Section 2.3.3

What Does GLI-33 Require for Player Account Management?

GLI-33 v1.1 Appendix A, section A.3, governs the full lifecycle of a player account. Player registration requires a documented process for identity verification, where registration is performed manually by the operator, procedures must satisfy the document’s “Registration and Verification” requirements. The player must agree to the operator’s terms and conditions at registration and again whenever those terms are materially updated.

Section 2.5.3 requires multi-factor authentication for resetting passwords and for unlocking accounts that have been locked due to suspicious activity (such as repeated failed login attempts). The system must be able to lock an account automatically upon detection of suspicious activity. Once locked, only a multi-factor authentication process can unlock it.

Section 2.5.4 imposes a 30-minute inactivity timeout for player accounts accessed remotely. After 30 minutes of inactivity, or a shorter period specified by the regulatory body, the player must re-authenticate before further wagering or financial transactions are permitted. A simplified re-authentication method such as a PIN or operating system-level biometrics is permitted as an alternative to full credential re-entry.

Player account information that must be maintained and backed up by the system includes the unique player ID, player data and verification method, date of agreement to the operator’s terms, all financial transaction records, and associated wagering transaction detail. The standard cross-references section 2.8.5 for the complete list. For promotions and bonuses, section 2.8.6 requires separately maintained records covering the promotion period, current balance, total amounts issued and redeemed, total expired, adjustments, and a unique promotion ID.

Wager Records, Event Data, and the Settlement Audit Chain

Settlement integrity under GLI-33 v1.1 is enforced through an exhaustive wager record requirement. Section 2.8.2 specifies that for each individual wager, the system must maintain and back up: the date and time the wager was placed, the market and line posting (money line, point spread, over/under, win/place/show); the wager selection (athlete or team name and number); any special conditions, the results of the wager (blank until confirmed); total amount wagered including any promotional or bonus credits, total amount won including any promotional or bonus credits, commission or fees collected, the date and time the winning wager was paid to the player, a unique identification number for the wager, the user identification or unique device ID that issued the wager record, relevant location information, event and market identifiers, and the current wager status.

The wager status field is a compliance control point, not a display convenience. The standard lists the permissible status values: active, cancelled, unredeemed, pending, void, invalid, redemption in progress, and redeemed. Any settlement workflow that does not progress wagers through defined, logged status transitions will fail the audit review.

Section 2.8.3 sets corresponding event record requirements. For each event, the system must maintain: the event name, event type, event and market identifiers, the date and time the event started and ended or is expected to occur, the date and time results were confirmed (blank until confirmed); player choices including market and line postings and any special conditions, results (blank until confirmed); total amount wagered, total amount won, commission or fees, the date and time winning wagers were paid, and event status (in progress, complete, confirmed, and so forth).

“The results of the wager [shall remain] blank until confirmed.”, GLI-33 v1.1, Section 2.8.2, describing the settlement status requirement that prohibits premature result population in wager records.

Market Suspension and Wager Cancellations

For live and pre-event markets alike, GLI-33 v1.1 Appendix A, section A.6.3 sets the procedural floor for market and event suspension. The operator must have established procedures for suspending markets or events. When wagering is suspended on an active event, a log entry must be created in the audit log recording the date and time of suspension and the reason for it. The reason requirement is operationally significant: a bare timestamp without a stated cause will not satisfy the standard’s audit trail obligations.

Section A.6.4 addresses wager cancellations. Wagering transactions cannot be modified except to be voided or cancelled under the operator’s published cancellation policy. A cancellation grace period may be offered, permitting players to request cancellation shortly after wager placement. For player-initiated cancellations, authorization must follow the published cancellation policy. Operator-initiated cancellations must carry a stated reason, distinguishing them from player-initiated voids in the audit record.

The standard also addresses the mechanics of line and statistics services. Appendix A, section A.6.2 requires controls for reviewing the accuracy and timeliness of any statistics or line services relied on by the system. When a loss of communication with those services occurs, the incident must be logged with the date, time, duration, nature of the interruption, and its impact on system performance. Incident logs of this type must be maintained for at least 90 days, unless the regulatory body specifies a longer retention period.

Host and Guest Wagering System Architecture

Chapter 4 of GLI-33 v1.1 governs platforms that operate as either a host wagering system or a guest wagering system in an interconnected architecture. This structure is common in pari-mutuel networks and in sportsbook aggregation models where a platform relays wagers to an upstream pool or liquidity source.

Section 4.6.2 specifies the information flow obligations. For pari-mutuel pools, the guest system must be able to receive current dividends for active pools from the host, and the host must pass current dividends to all connected guest systems. For fixed-odds wagering where odds and prices are dynamically updated, the host must pass current odds and prices to all guest systems whenever any change occurs. Changes in event status must be transmitted from host to guest whenever any change takes place, including suspensions, cancellations, and confirmations.

The financial settlement obligations in section 4.6.3 require that when wagers are placed in bulk by a guest system, any interruption to the wager stream must be identified at the point of interruption so that no wager is lost or duplicated. The account balance on the guest system must be debited immediately when a wager offer is submitted, with the funds held as a pending transaction. Only upon confirmed acknowledgment from the host system are the appropriate adjustments made to both the pending and live account balances. Section 4.6.4 states that when results are entered and confirmed on the host, each winning wager must be transferred to the guest system with the win amount, and the guest system must confirm receipt. Players are not to be credited by the guest system until final confirmation is received from the host, including the voided or cancelled wager amount where applicable.

Operational Audit Obligations: Appendix A and Appendix B

GLI-33 v1.1 structures its operational requirements in two appendices that form the backbone of the certification review. Appendix A covers wagering operations: the Minimum Internal Control Standards (MICS) and procedures for establishing wagering rules, creating markets, suspending events, handling financial transactions, settling wagers, closing markets, cancelling events, voiding wagers, managing player accounts, and risk limitation. Appendix B covers the technical security audit: an information security system (ISS) assessment, review of operational processes critical to compliance, and penetration testing of external and internal infrastructure, including applications that transfer, store, or process player data or sensitive information.

Section A.2.1 requires operators to establish, maintain, implement, and comply with internal control procedures for all wagering and financial transactions. Section A.2.2 specifies that internal controls must cover the maintenance of recorded information for a minimum of five years, unless the regulatory body prescribes a different period. Section A.2.3 sets the content requirements for the risk management framework within those controls: automated and manual risk management procedures, employee access controls and segregation of duties, procedures for identifying and reporting fraud and suspicious conduct, controls ensuring regulatory compliance, AML compliance standards including procedures for detecting structuring, a description of all software applications comprising the Event Wagering System, and a description of all wager types available.

The AML provisions in Appendix A, section A.8.2, require that the operator’s AML procedures address monitoring for collusion and fraud, suspicious account activity, and aggregate transaction thresholds that trigger further due diligence or reporting to the relevant regulatory or financial intelligence body. Geolocation obligations in section A.8.3 require operators offering remote wagering to maintain real-time feeds of location check data and to maintain an up-to-date list of location fraud risks including fake location applications, virtual machines, and remote desktop programs. Location detection services must use closed-source databases for IP, proxy, and VPN detection that are frequently updated and periodically tested for accuracy. Systems that cannot reliably establish player location must prevent wagering until location is confirmed.

Wagering Device Classifications and Remote Software Requirements

Chapter 3 of GLI-33 v1.1 classifies wagering devices into three categories. A Point-of-Sale (POS) Wagering Device is an attendant station used to execute or formalise wagers on behalf of a player. A Self-Service Wagering Device is a kiosk used directly by a player to execute wagers and, where supported, to redeem winning wager records. A Remote Wagering Device is a player-owned device operating either on an in-venue wireless network or over the internet. Any device type not falling into these three categories is reviewed on a case-by-case basis at the discretion of the regulatory body.

Section 3.3.1 notes that self-service wagering devices must meet the applicable requirements of GLI-20 (Standards for Kiosks) for proprietary kiosk components, in addition to GLI-33 requirements. This cross-standard dependency is worth noting during scope definition: a sportsbook that deploys in-venue kiosks will carry a GLI-20 obligation alongside its GLI-33 certification.

For remote wagering software specifically, section 3.5.4 requires that wagering software contain no malicious code, including unauthorised file extraction and transfers, unauthorised device modifications, unauthorised access to locally stored personal information, and malware. Section 3.5.5 requires that where cookies are used, players must be informed of cookie use at installation or registration, if cookies are required for wagering, wagering cannot proceed if the player has not accepted them. Section 3.2.7 requires that wagering software communicate only with authorised components through secure communications. If the communication link between the Event Wagering System and a wagering device is lost, the software must halt wagering operations and display an appropriate error message.

“If communication between the Event Wagering System and the Wagering Device is lost, the software shall prevent further wagering operations and display an appropriate error message.”, GLI-33 v1.1, Section 3.2.7

Security Architecture: Communications, Cryptography, and Cloud

Appendix B of GLI-33 v1.1 addresses the technical security architecture in detail. Section B.4.2 restricts connectivity to authorised devices only for all communications between system components. Third-party service provider connections (odds feeds, statistics providers, payment processors) are subject to strict network segregation rules under section B.5.1: third-party data must not affect player communications, third-party connections must not use the same network infrastructure as player connections, wagering must be disabled on all network connections except the player network, and the system must not route data packets between the third-party service provider network and the player network, nor act as an IP router between them. Financial transactions with financial institutions and payment processors must be reconciled daily, or at a frequency specified by the regulatory body.

Section B.6.2 requires a documented cryptographic controls policy. Any player data or sensitive information traversing a lower-trust network must be encrypted. Authentication must use security certificates from approved organisations. Encryption algorithms must be reviewed periodically, and weaknesses addressed as soon as practical. Encryption keys must be stored on secure and auditable infrastructure.

The standard accommodates cloud-hosted environments but imposes specific obligations. Where a cloud service provider (CSP) is used, section B.3.4 permits backup storage on a cloud platform provided a separate copy is maintained on a different cloud platform. CSP arrangements do not transfer the operator’s responsibility for compliance: section B.6 makes clear that the allocation of security responsibilities between the CSP and operator does not exempt the operator from ensuring sensitive information is properly secured. Clear policies and procedures for all security requirements, including responsibilities for operation, management, and reporting, must be documented and agreed between the CSP and the operator.

Business continuity and disaster recovery obligations are set out in section B.3.9. The plan must address data storage methods to minimise loss, must delineate the circumstances that trigger plan activation, must require a recovery site physically separated from the production environment, must contain technical guides for re-establishing wagering functionality at the recovery site, and must address the processes required to resume administrative wagering operations for a range of scenarios appropriate to the operational context.

Jurisdictional Adoption and Practical Certification Engagement

GLI-33 v1.1 was released following a year-long collaborative development process and received immediate endorsement from several North American regulatory bodies. According to GLI’s published history, early adopters included the West Virginia Lottery, the Choctaw Gaming Commission of Choctaw Mississippi, and the Cherokee Tribal Gaming Commission of North Carolina. The West Virginia State Lottery Commission subsequently approved GLI as a certified sports-wagering equipment test laboratory for the state, reflecting the standard’s relevance in the first wave of regulated US sports betting markets.

The standard explicitly permits partial adoption: section 1.3.3 states that any regulatory body may adopt GLI-33 in whole or in part. In practice, this means the certification scope must be negotiated against the specific regulatory body’s adoption order, not assumed to match the standard verbatim. Operators entering multiple jurisdictions should conduct a jurisdiction-by-jurisdiction mapping of which sections and appendices have been adopted, particularly regarding whether Appendix A (operational audit) and Appendix B (technical security audit) are both required in full.

The certification engagement itself requires operators and suppliers to provide internal control documentation, credentials, and access to a production-equivalent test environment. The MICS documentation package covering risk management, AML procedures, event creation and settlement controls, and player account management procedures must be production-ready at the time of submission. A certificate issued by GLI upon completion of testing represents a formal statement of compliance for the system as evaluated. Any material change to the system after certification should be reported to the certifying laboratory and the relevant regulatory body, as changes to critical control program components may trigger re-evaluation.

Compliance professionals navigating multi-jurisdiction sportsbook launches should engage legal counsel qualified in each target jurisdiction to confirm which version of GLI-33 has been adopted, what supplemental requirements apply, and whether the regulatory body requires GLI certification as a condition of licensing or accepts it as an equivalency route to approval. The GLI-33 standard itself notes that additional jurisdiction-specific requirements will be imposed by the regulatory body beyond what the standard specifies.

For operators pursuing licensure in Ontario under the AGCO/iGaming Ontario framework, or evaluating the MGA’s system audit pathway, the technical platform requirements under those regimes intersect with the controls evidenced by a GLI-33 certification. A GLI-33 certificate does not automatically satisfy those regulators’ platform approval requirements, but the documentation produced during the certification process, particularly the MICS and the ISS assessment, forms a directly relevant evidence base for those applications.

Key Resources

GLI-33: Standards for Event Wagering Systems, Version 1.1, Gaming Laboratories International, revised May 14, 2019. Available free of charge at gaminglabs.com.

GLI-19: Standards for Interactive Gaming Systems, Version 3.0, Gaming Laboratories International. The companion standard for RNG-based interactive gaming components, required for hybrid platform certifications.

GLI-20: Standards for Kiosks, Gaming Laboratories International. Referenced by GLI-33 section 3.3.1 for Self-Service Wagering Device proprietary components.

For operators building and certifying sports betting platforms in regulated markets, our Ontario iGaming compliance guide for new entrants and the MGA system audit requirements article provide jurisdiction-specific context for how platform certification interacts with licensing obligations in two of the most active regulated markets.