Software Supplier Approvals: NJ DGE, PA PGCB, MI MGCB, and AGCO Compared
Four regulated iGaming markets, four distinct supplier approval frameworks. Compare scope, suitability depth, waiver options, fees, and timelines before you file.
A software supplier that clears regulatory approval in New Jersey cannot carry that determination into Pennsylvania, Michigan, or Ontario. Each jurisdiction conducts its own suitability investigation, applies its own fee schedule, and issues its own category of credential. For vendors planning multi-state or cross-border deployments, the sequencing of those applications, and the structural differences between them, determines both time-to-revenue and total compliance cost.
This article sets out the supplier approval frameworks in all four markets side by side: scope of the obligation, the depth of suitability investigation each regulator conducts, whether a provisional or waiver route exists, applicable fees, and realistic timelines. It draws on primary regulatory text from N.J.A.C. 13:69O, 58 Pa. Code, the Michigan Lawful Internet Gaming Act, and the AGCO’s Registrar’s Standards for Internet Gaming.
Who Needs Supplier Approval in Each Market?
The threshold question in every jurisdiction is whether your product or service touches the gaming system directly enough to trigger a licensing or registration obligation. Each regulator draws that line differently.
In New Jersey, the Division of Gaming Enforcement (DGE) administers internet gaming under N.J.A.C. 13:69O, adopted under the Internet Gaming Regulations framework authorised by the Casino Control Act (N.J.S.A. 5:12). A party supplying hardware, software, or services that form part of the internet gaming system must obtain DGE approval before providing those goods or services to a permit holder. The DGE distinguishes between entities that qualify as vendors under the Casino Control Act and those that qualify as full gaming-related qualifiers. Software studios, platform providers, geolocation suppliers, and random number generator vendors typically fall within the qualifier category and face the full investigative process. Lower-involvement service providers may be eligible for a transactional waiver.
In Pennsylvania, the Gaming Control Board (PGCB) administers online gaming under the Race Horse Development and Gaming Act (Act 71 of 2004) as amended by Act 42 of 2017, which added interactive gaming. The PGCB has established a multi-tier system under 58 Pa. Code that distinguishes slot machine manufacturers, table game manufacturers, gaming service providers (certified under Chapter 437a), and interactive gaming suppliers. A supplier whose software or platform directly conducts interactive gaming must obtain an interactive gaming supplier certificate. A supplier providing supporting services to a certificate holder may qualify for registration rather than certification, with a reduced investigation burden.
In Michigan, the Michigan Gaming Control Board (MGCB) administers internet gaming under the Lawful Internet Gaming Act of 2019 (LIGA) and its implementing rules. LIGA requires that persons supplying internet gaming systems, or material components of such systems, to a licensed internet gaming operator must obtain a supplier licence from the MGCB. The Act distinguishes between internet gaming suppliers and internet gaming platform providers, with the platform provider route carrying the heaviest investigation burden.
In Ontario, the Alcohol and Gaming Commission of Ontario (AGCO) issues gaming-related supplier registrations under the Gaming Control Act, 1992 (GCA). Suppliers providing, installing, testing, maintaining, or repairing gaming equipment, or providing consulting services directly related to the operation of a gaming site, must register with the AGCO before providing those services. The AGCO’s Registrar’s Standards for Internet Gaming (last updated May 2025) classify suppliers into those who run critical gaming systems and those who do not, with materially different go-live compliance requirements flowing from that classification.
Threshold rule: In all four jurisdictions, the obligation to seek approval arises before services commence, not after. Operating without the requisite credential exposes both the supplier and the connected operator to regulatory sanction.
Structural Comparison: Credential Types and Scope
| Jurisdiction | Enabling Law | Credential Type | Threshold Trigger | Provisional/Waiver Route |
|---|---|---|---|---|
| NJ (DGE) | N.J.S.A. 5:12, N.J.A.C. 13:69O | Qualifier / Vendor Approval | Supply of hardware, software, or services to internet gaming permit holder | Transactional waiver available for lower-involvement vendors |
| PA (PGCB) | Act 71 (2004) + Act 42 (2017); 58 Pa. Code | Interactive Gaming Supplier Certificate or Gaming Service Provider Registration | Direct supply of interactive gaming software or systems | Registration (not certification) for supporting services |
| MI (MGCB) | Lawful Internet Gaming Act 2019, LIGA rules | Internet Gaming Supplier Licence | Supply of internet gaming system or material component | Platform provider track vs. standard supplier track |
| ON (AGCO) | Gaming Control Act, 1992, Registrar’s Standards | Gaming-Related Supplier Registration | Provision, installation, testing, or maintenance of gaming equipment | Temporary approval for critical systems (case-by-case) |
New Jersey: The Qualifier and Transactional Waiver Model
New Jersey’s supplier approval framework is rooted in the Casino Control Act and administered by the DGE under N.J.A.C. 13:69O. An internet gaming system under that chapter encompasses all hardware, software, and communications that comprise the server-based gaming infrastructure used to offer authorised internet games. Any entity supplying a material component of that system to a casino permit holder must obtain DGE approval before doing so.
The DGE operates a two-track structure. Entities whose relationship with the casino is sufficiently integral to gaming operations are required to qualify as gaming-related qualifiers under the Casino Control Act. The qualifier process involves a full suitability investigation conducted by the DGE’s Investigations Bureau, covering corporate structure, beneficial ownership, financial condition, criminal background, and regulatory history across all jurisdictions where the applicant or its principals hold or have held a licence. Principals must individually qualify if they hold sufficient ownership or control positions.
The transactional waiver is the DGE’s mechanism for lower-risk vendors whose product or service is less integral to gaming operations. A permit holder may apply to the DGE for a transactional waiver on behalf of a proposed vendor, providing documentation that the vendor’s services do not rise to the threshold requiring full qualification. Approved waivers allow the vendor to supply services while the DGE retains the right to demand full qualification at any time. The DGE may impose conditions on the waiver, including limiting the vendor’s access to gaming data or restricting the nature of the services provided. Waivers are not automatically renewed and must be reassessed if the scope of the vendor’s services changes materially.
For full qualifiers, the DGE’s investigation timeline has historically ranged from six to eighteen months depending on the complexity of the entity’s ownership structure, the number of jurisdictions requiring background coordination, and the completeness of the initial submission. New Jersey’s position as one of the first US states to regulate internet gaming means the DGE has more accumulated vendor investigation experience than most US state regulators, which in practice allows well-prepared applications to move faster than the statutory maximum suggests.
The DGE requires that all primary gaming equipment be located within Atlantic City, either on casino premises or in a secure facility owned or leased by the casino licensee, pursuant to N.J.A.C. 13:69O. This server-location requirement has compliance implications for cloud-hosted gaming infrastructure and must be addressed in any vendor’s technical architecture before the application is submitted.
Under N.J.A.C. 13:69O, all hardware, software, and communications comprising the internet gaming system must meet DGE approval, with primary gaming equipment physically located within the territorial limits of Atlantic City unless the Division has specifically approved an alternative arrangement.
Pennsylvania: The Certificate and Registration Tiers
Pennsylvania’s interactive gaming supplier framework is the most granular of the four jurisdictions. Act 42 of 2017 added interactive gaming to the Race Horse Development and Gaming Act, and the PGCB promulgated detailed regulations under 58 Pa. Code to govern both the operator (certificate holder) and supplier layers.
A supplier whose software or platform directly facilitates interactive gaming must obtain an interactive gaming supplier certificate. The PGCB’s investigation for certification covers suitability of the applicant entity and all required principals, including a review of regulatory history, financial condition, litigation history, and source of business financing. The Board applies the same “good character, honesty and integrity” standard that applies to casino licensees, making the suitability bar substantively equivalent to what operators face.
Under 58 Pa. Code Chapter 437a, entities providing supporting services to an interactive gaming certificate holder, such as payment processing, KYC verification, or customer support technology, may be eligible for gaming service provider certification or registration rather than the full interactive gaming supplier certificate. Chapter 437a distinguishes between gaming service providers that require certification (those whose services are more directly tied to gaming outcomes or financial flows) and those that require only registration. The investigation depth and fee obligations differ between the two tracks.
The PGCB’s regulations under 58 Pa. Code Chapter 812A make clear that interactive gaming certificate holders may utilise third-party vendors to verify player information, provided those vendors are licensed by the Board when required, and that the agreements governing those services are submitted to the Board. This means the operator’s contractual framework with a vendor must itself be reviewed by the PGCB, adding a document-submission layer that vendors should anticipate.
Pennsylvania also requires an annual security audit conducted by an independent third party approved by the PGCB, including verification that player electronic files are properly encrypted, per 58 Pa. Code Chapter 812A. Vendors supplying components of the interactive gaming system that touch player data or financial flows will fall within the scope of that audit obligation, as the certificate holder will require contractual cooperation from suppliers to discharge it.
The PGCB’s enforcement record illustrates the stakes. In February 2026, the Board levied fines totalling $112,500 in a single enforcement round. Separately, the Board imposed a $100,000 fine against BetMGM for KYC failures that allowed sustained fraudulent activity across its online wagering platforms, with investigations finding over $2 million in wagering linked to four distinct fraud operations spanning between 25 and 34 months. While these actions targeted operators rather than suppliers directly, suppliers whose technology contributed to a KYC gap would face parallel scrutiny under the relevant service provider agreement.
Michigan: The Lawful Internet Gaming Act Framework
Michigan legalised internet gaming through the Lawful Internet Gaming Act of 2019 (LIGA), with the market going live in January 2021. The MGCB administers supplier approvals under LIGA and its implementing rules, which distinguish between internet gaming suppliers and internet gaming platform providers.
An internet gaming platform provider is an entity that supplies the core technology platform through which a licensed internet gaming operator conducts its internet gaming operations. Platform providers face the deepest suitability review under LIGA, with the MGCB examining corporate ownership, financial history, regulatory standing in other jurisdictions, and the technical architecture of the platform itself. Principals holding five percent or more of equity must individually qualify.
An internet gaming supplier, as distinct from a platform provider, supplies components or services to the platform: game content, geolocation services, payment systems, or other material elements. The MGCB’s investigation for internet gaming suppliers is substantive but operationally lighter than the platform provider track. The distinction matters for studios supplying individual game titles through an already-approved platform, compared with studios supplying the platform infrastructure itself.
The MGCB has been active in responsible gambling enforcement, including its 2025 partnership with Gamban to provide free gambling-blocking software to Michigan residents. Vendors supplying responsible gambling tools to MGCB-licensed operators should be prepared for heightened scrutiny of those tools’ effectiveness and reliability.
Michigan does not impose the same physical-location mandate as New Jersey’s Atlantic City-specific rule, but the MGCB must approve the location of internet gaming system servers, and all systems must be technically accessible to the MGCB for monitoring and audit purposes. Cloud-hosted architectures are permitted subject to MGCB approval of the hosting arrangement and confirmation that MGCB inspection access is maintained.
Ontario (AGCO): The Standards-Based Registration Model
Ontario’s supplier framework operates on a materially different philosophical basis from the three US jurisdictions. The AGCO’s Registrar’s Standards for Internet Gaming, which came into force on 4 April 2022 and were most recently updated in May 2025, adopt a standards-based regulatory model rather than a prescriptive rules-based approach. The Registrar is authorised under the Gaming Control Act, 1992 to establish risk-based standards, and the Standards are deliberately drafted at a high level of generality to allow registrants to determine the most efficient means of meeting the required outcomes.
Under the GCA and the Registrar’s Standards, any supplier that provides, installs, tests, maintains, or repairs gaming equipment, or provides consulting services directly related to the operation of a gaming site, must hold a gaming-related supplier registration. The AGCO classifies gaming-related suppliers according to whether they run critical gaming systems. Suppliers running critical gaming systems face additional go-live compliance requirements, including submission of independent testing laboratory certification from an AGCO-registered ITL and completion of the AGCO’s go-live compliance process.
The registration application carries a non-refundable fee of C$100,000. The AGCO has also stated that applicants may be required to pay the reasonable costs of investigation beyond that base fee, and that those additional costs could be significantly greater. Suppliers should budget for investigation costs in excess of the base fee when the applicant’s structure is complex or involves principals with histories in multiple jurisdictions.
A critical structural distinction in Ontario is the dual-authority model. The AGCO issues the registration and enforces the Registrar’s Standards. iGaming Ontario (iGO), a subsidiary of the Ontario Lottery and Gaming Corporation, acts as the commercial counterparty and requires operators to enter an Operator Agreement before going live. That Agreement incorporates all AGCO Standards by reference. Suppliers providing services to AGCO-registered operators must be aware that their operator clients’ iGO obligations create downstream contractual requirements that can affect how the supplier’s product is deployed, what data is shared, and what reporting obligations flow from the commercial relationship. The full scope of those registration obligations is detailed in the AGCO registration requirements profile.
Standard 1.18 of the Registrar’s Standards requires that operators and gaming-related suppliers contract only with reputable suppliers. Standard 1.19 provides that operators are responsible for the actions of third parties with whom they contract for gaming-related activities in Ontario, and must require those third parties to conduct themselves as if they were bound by the same laws, regulations, and standards. Standard 1.20 requires operators and gaming-related suppliers to maintain a list of their own suppliers and make it available to the Registrar upon request. These standards mean that a supplier’s compliance posture is scrutinised not just at registration but on an ongoing basis through the operator’s own compliance obligations.
Under AGCO Standard 1.19, operators must require their third-party suppliers to conduct themselves as if they were directly bound by Ontario’s gaming laws, regulations, and standards, making the operator’s supplier management programme a live compliance obligation, not a one-time due diligence check.
Suppliers currently holding a gaming-related supplier registration for Ontario’s land-based gaming sector who wish to extend into the iGaming market must discuss with the AGCO what additional requirements apply before providing iGaming-related services.
Suitability Investigation: Depth and Scope Compared
All four regulators apply a “fit and proper” or equivalent suitability standard, but the depth and documentary burden of the investigation varies materially.
| Regulator | Principal Disclosure Threshold | Background Check Scope | Financial Disclosure | Regulatory History Review |
|---|---|---|---|---|
| NJ DGE | All officers, directors, and significant owners (typically 5%+) | Criminal, civil litigation, regulatory across all jurisdictions | Full financial statements, source of funds, banking relationships | All jurisdictions where applicant or principals hold/held licences |
| PA PGCB | All required principals as defined under Act 71 | Criminal, civil, regulatory, PA State Police clearance required | Audited financials, source of business financing | All gaming jurisdictions, prior suspensions/revocations are disqualifying factors |
| MI MGCB | 5%+ equity holders for platform providers, lower threshold for suppliers | Criminal and regulatory background, FBI fingerprint requirement | Financial statements, solvency confirmation | All gaming jurisdictions, MGCB may rely on other states’ findings |
| ON AGCO | Officers, directors, and associates as defined under the GCA | Records check under GCA, integrity of background and associations assessed | Financial stability demonstration | Prior cancellations or suspensions in any jurisdiction within five years are grounds for refusal |
The AGCO’s suitability criteria under the Registrar’s Standards make explicit that an applicant whose background, reputation, or associations may result in adverse publicity for the gaming industry can be refused registration. That reputational dimension, which goes beyond pure regulatory compliance history, is a distinctive feature of the Canadian approach and one that US-focused suppliers often underestimate.
Fees, Timelines, and Reciprocity
What are the realistic timelines for supplier approval across these four jurisdictions?
Timelines reflect investigation complexity rather than administrative processing speed in all four markets. For well-prepared applications with complete documentation from comparable regulated markets, realistic timelines are approximately six to twelve months in New Jersey for full qualifier status (shorter where a transactional waiver bridges the gap), six to twelve months in Pennsylvania for certificate applications, four to nine months in Michigan, and three to nine months in Ontario. These are indicative ranges, and all four regulators retain discretion to extend timelines where additional information is required.
The US state regulators do not publish a single universal application fee for supplier qualification. Investigation costs in New Jersey, Pennsylvania, and Michigan are driven by the complexity of the entity’s structure and the scope of background investigation required. Applicants should budget for investigation fees ranging from several thousand dollars for simple single-entity structures to substantially more for complex corporate groups with multinational principal rosters.
Ontario’s C$100,000 non-refundable regulatory fee is the most clearly stated baseline in the four jurisdictions, though the AGCO’s explicit warning that additional investigation costs can be significantly greater means the true cost is variable. Suppliers with straightforward structures and clean regulatory histories in comparable jurisdictions typically progress faster and at lower total cost than those requiring extensive background coordination.
None of the four jurisdictions maintains formal reciprocity arrangements that automatically reduce the investigation burden for suppliers already approved elsewhere. All four regulators will accept evidence of regulatory approval in comparable jurisdictions as part of a suitability submission, and a well-documented compliance history in a mature market reduces the investigative workload in practice. The DGE and MGCB have accepted clean approval histories in jurisdictions such as the UK (under the UKGC) or Malta (under the MGA) as useful reference points, though they do not substitute for the state’s own investigation.
Cross-Use of Existing Approvals: Multi-State Deployment Considerations
A supplier deploying across NJ, PA, MI, and Ontario is managing four parallel regulatory relationships simultaneously. Several practical considerations apply to that multi-market posture.
Document standardisation is the most immediate efficiency gain. All four regulators require broadly similar disclosure packages covering corporate structure, principal biographies, financial statements, and regulatory history. A well-structured master disclosure document, built to satisfy the most demanding of the four (typically New Jersey for the US markets), can be adapted for each jurisdiction rather than rebuilt from scratch. The differences lie in formatting, notarisation requirements, and the specific forms each regulator mandates, not in the underlying substance.
Change notifications are ongoing obligations in all four markets. Material changes to corporate structure, ownership, key personnel, or regulatory status in any jurisdiction must be reported to each regulator within defined timeframes. Suppliers who acquire companies, complete corporate reorganisations, or face adverse regulatory actions in any jurisdiction must assess the notification obligations across all four markets simultaneously. Failure to notify proactively is treated as a compliance failure in its own right, independent of the underlying change.
Game-level certification is a separate process from entity-level supplier approval in all four jurisdictions. A supplier holding an approved entity credential still requires game-specific technical certification from an approved independent testing laboratory (ITL) before those games can go live with a licensed operator. GLI and BMM are the most widely accepted ITLs across all four markets, though each regulator publishes its own list of recognised testing laboratories. Suppliers must confirm ITL recognition status before commissioning certification work, as a certification from a non-recognised laboratory will not be accepted. For a detailed comparison of certification standards relevant to North American markets, the GLI Certification hub provides technical standard context that applies across all four jurisdictions covered here.
Entity-level supplier approval and game-level technical certification are separate regulatory requirements in all four markets. Holding one does not satisfy the other, and a failure to complete game certification before go-live will delay commercial launch regardless of how advanced the supplier approval process is.
Frequently Asked Questions
Does holding a UKGC or MGA supplier licence reduce the investigation burden in US states?
No formal reciprocity exists. Each of NJ, PA, MI, and Ontario conducts its own suitability investigation, and a UKGC or MGA approval does not substitute for a state or provincial credential. Regulators in all four markets will accept a documented compliance history in mature regulated jurisdictions as evidence of suitability, which can shorten the factual inquiry into a supplier’s background. Suppliers should include copies of foreign approvals and any associated investigation correspondence in their US or Ontario application packages.
Can a supplier begin providing services in New Jersey while a full qualification is pending?
Yes, subject to the DGE approving a transactional waiver on application by the casino permit holder. The waiver is not a right and is not available for suppliers whose services are integral to core gaming operations. The DGE retains discretion to condition, limit, or withdraw any waiver, and the full qualification process must still proceed. Suppliers relying on a transactional waiver to bridge to full qualifier status must not treat the waiver as a substitute for completing the investigation file promptly.
Key Resources
N.J.A.C. 13:69O, New Jersey Division of Gaming Enforcement, Internet Gaming Regulations (Chapter 69O). The primary operational rulebook for NJ internet gaming, covering system requirements, vendor approval, and ongoing compliance obligations. Available at njconsumeraffairs.gov/dge.
58 Pa. Code, Chapters 437a and 812A, Pennsylvania Gaming Control Board, Gaming Service Provider Certification and Registration (Chapter 437a) and Interactive Gaming Player Accounts (Chapter 812A). The primary supplier licensing and interactive gaming operational framework under Act 42 of 2017. Available at pacodeandbulletin.gov.
Michigan Lawful Internet Gaming Act of 2019 (LIGA), The primary enabling legislation for Michigan internet gaming, establishing the MGCB’s supplier licensing authority. Available at legislature.mi.gov.
AGCO Registrar’s Standards for Internet Gaming (updated May 2025), The primary compliance rulebook for Ontario’s internet gaming market, covering gaming-related supplier registration, go-live requirements, and ongoing standards obligations. Available at agco.ca.
AGCO Internet Gaming Go-Live Compliance Guide, Sets out the specific pre-launch compliance requirements for operators and gaming-related suppliers running critical gaming systems in Ontario. Available at agco.ca.
Source: New Jersey Division of Gaming Enforcement, N.J.A.C. 13:69O Internet Gaming Regulations, Pennsylvania Gaming Control Board, 58 Pa. Code Chapters 437a and 812A, Michigan Gaming Control Board, Lawful Internet Gaming Act 2019 and implementing rules, AGCO, Registrar’s Standards for Internet Gaming (May 2025 version) and Internet Gaming Go-Live Compliance Guide.
Operators and suppliers should consult qualified legal counsel in each jurisdiction before submitting applications. Regulatory frameworks and fee schedules are subject to amendment, and the information in this article reflects the regulatory position as of mid-2026. For guidance on prioritising your applications across jurisdictions or sequencing your deployment, review the cross-use considerations section above, or contact a gaming law specialist with experience in multi-state supplier approval.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.