Game Round Logging Requirements: What UKGC, MGA, and AGCO Each Demand

Game round logging sits at the intersection of player protection, AML compliance, and dispute resolution. Get it wrong and a single regulator request can expose gaps that cascade into enforcement. Get it right across multiple licences and you need to hold three distinct rule sets in your head simultaneously: the UK Gambling Commission’s customer-facing access requirements under the Remote Technical Standards, the Malta Gaming Authority’s availability and replication architecture mandates, and the AGCO’s prescriptive records framework under its Registrar’s Standards for Internet Gaming. Each framework takes a different angle on the same underlying obligation, and the differences matter operationally.

What Does a Complete Game Round Log Actually Contain?

All three regulators require that game records be accurate, complete, and capable of reconstructing a game in sufficient detail to resolve a dispute or support an investigation. The AGCO’s Registrar’s Standards for Internet Gaming is the most explicit about the functional purposes a log must serve. Standard 4.02 states that accurate and complete records of transaction and game state and play information must be kept and made available for the following purposes: ensuring timely investigations can be performed by the Registrar, capturing information needed to continue a partially complete game within a reasonably defined time, resolving disputes in a fair and timely manner, ensuring player complaints can be resolved, tracking all relevant player information including funds information, tracking all relevant individual gaming sessions and game play information, and tracking all relevant information related to events including significant events.

The AGCO’s companion standard, 4.01, requires continuous logs for critical gaming systems, specifically to track financial accounting and game state history. Standard 3.13 adds that all player account transactions must be recorded and logged in an accurate and complete manner, with the same obligation extended to gaming-related suppliers.

The UKGC approaches the content question through RTS 1B, which defines the gambling and account history that must be available to customers. The requirement covers bets placed and results of bets, winnings paid, credit and debit information including deposits, withdrawals, movement of funds between products, entry fee deductions, and bonus information, and for gaming including bingo, full or summarised gaming information such as funds taken into a game, total amount turned over, and amount returned. Where detailed historic game information is not directly accessible to customers, licensees must at minimum provide easy access to details of the last game played and summarised information for previous activity.

The MGA’s Compliance Audit Manual (MGA/G/001, August 2018 v1) sets out what auditors will check. Under procedure 5.4.5, the back-office is required to keep a list of all registered players, a list of all game outcomes, and a gaming transaction history in which each transaction is identifiable via a unique transaction ID. Under procedure 5.4.4, the back-office must maintain gaming activity history with both set and ad hoc reporting functionality covering large volumes of wagers placed, large wins, financial statements of gaming transactions, changes to game parameters, large deposits, and large withdrawal requests. Under procedure 4.1.5, auditors must confirm that audit trails and logs of any changes to regulatory data, covering player data, financial data, and game data, are maintained.

Retention Periods: Where the Three Frameworks Diverge

Retention is where operators running multi-licence operations most often find themselves holding conflicting obligations.

The AGCO is explicit. Standard 1.09 of the Registrar’s Standards for Internet Gaming states that information, including logs, related to compliance with the law, the Standards and Requirements, and adherence with control activities must be retained for a minimum of three years, unless otherwise stated. The standard is marked as applicable to gaming-related suppliers as well as operators, meaning the obligation flows down the supply chain. The AGLC’s Standards and Requirements for Internet Gaming (SRIG, issued 14 January 2026, effective for the Alberta market opening 13 July 2026) mirrors this three-year minimum with identical language.

The UKGC does not set a single retention period for game round data in the RTS. RTS 1B requires that a minimum of 12 months of gambling and account history must be made available on request, and at least three months must be available without the customer needing to contact the licensee. Those are customer-access obligations, not a data-destruction floor. The effective retention floor for most licensees comes from Licence Condition 12 and the associated AML obligations under the Proceeds of Crime Act 2002, which require AML records to be kept for five years. Given that game round logs frequently serve as evidence in AML investigations, compliance teams should treat five years as the working retention minimum for UKGC-licensed operations rather than relying solely on the RTS customer-access window.

The MGA’s framework is grounded in a separately named instrument: the Retention of Data (MGA) Regulations, which form part of the Gaming Act, 2018 (Cap. 583) framework. The MGA Technical Infrastructure Guidelines (December 2015 v1) compound the retention question with an availability requirement: gaming and financial transaction logs must be accessible at all times. The Compliance Audit Manual instructs auditors to verify that regulatory data including player data, financial data, and game data is being replicated to servers located in Malta, and to confirm that replication is occurring in real time. Operators hosting infrastructure outside Malta, including in cloud environments, must address this through a live replication server in Malta.

Regulator	Minimum Retention	Customer Access Window	Effective AML Floor
UKGC	Not specified in RTS	3 months self-service, 12 months on request (RTS 1B)	5 years (POCA 2002 / LCCP 12)
MGA	Retention of Data (MGA) Regulations	Accessible at all times to MGA (Technical Infrastructure Guidelines)	5 years (AML / Prevention of Money Laundering Act Cap. 373)
AGCO	3 years (Standard 1.09)	Player access to account info and transaction history (Standard 3.15)	Governed by Ontario AML obligations
AGLC (Alberta)	3 years (SRIG Section 4)	Player access to account info and transaction history	Governed by Alberta AML obligations

Immutability and Tamper-Evidence

The strongest explicit language on immutability comes from Alberta. The AGLC’s SRIG 2026-03-17 states that logs must be protected against alteration, naming WORM storage or cryptographic signing with SHA-256 as acceptable controls. Logs must be transmitted and stored over TLS 1.2 or higher. Access to logs must be role-based, with segregation of duties between operations and monitoring personnel. These are requirements, not guidance.

“Continuous logs must be maintained for critical gaming systems including the tracking of financial accounting and game state history, Logs must be protected against alteration (e.g., WORM/immutability or cryptographic signing with SHA-256), transmitted and stored over TLS 1.2+; Access to logs must be role-based, with segregation of duties between operations and monitoring.”

The AGCO’s own Registrar’s Standards for Internet Gaming does not prescribe the technical mechanism for tamper-evidence in the same explicit terms, but Standard 4.03 requires a mechanism to ensure that if logging is interrupted, compensating manual controls are used where reasonable. The accompanying guidance states that adequate storage capacity and retention must be in place to ensure logging is not interrupted for a technical reason that could have been prevented. The AGCO’s Go-Live Compliance Guide requires operators to document a Control Activity Matrix demonstrating how each standard is met, which means the choice of immutability controls must be documented, justified, and independently verifiable.

The UKGC’s Technical Standards do not prescribe a specific tamper-evidence mechanism for game round logs in the RTS text, but the RTS security requirements, which form part of Licence Condition 2.3.1, are based on the relevant sections of ISO/IEC 27001:2022 Annex A. The Commission requires licensees to meet those security controls, which include asset management and log management obligations. For live dealer studios specifically, the UKGC’s RTS 17 states that game logs should be maintained and game events collated into statistics which can be analysed for trends, and that video surveillance to record all dealer activity should be in place.

The MGA’s Technical Infrastructure Guidelines place the immutability question under their integrity principle: the integrity of regulatory data, including transaction logs and gaming functionality, must be ensured at all times. The Compliance Audit Manual procedure 4.1.5 instructs auditors to check whether audit trails and logs of changes to regulatory data databases are maintained. The accountability principle then ensures there is no route to a contractual escape: “The responsibility for the attainment of the established and desired standards on these regulatory principles will remain that of the licensee at all times.”

Regulator Access: How Each Framework Operationalises Inspection Rights

All three regulators assert on-demand access rights, but the mechanisms differ.

The AGCO requires, under Standard 4.04, that the gaming system must be capable of providing custom and on-demand reports to the Registrar. The standard is marked as applicable to gaming-related suppliers. The infrastructure itself must be able to surface any combination of game round data on request, not simply produce a fixed-format export. Standard 4.02 ties the logging architecture back to the Registrar’s investigative function explicitly, listing “ensuring timely investigations can be performed by the Registrar” as the first named purpose of the records obligation.

The MGA’s approach centres on real-time data availability. The Technical Infrastructure Guidelines state that the Authority requires access to real time information for regulatory purposes. Where infrastructure is hosted outside Malta or in cloud environments, MGA requires a real-time replication server in Malta. Compliance auditors under MGA/G/001 conduct tests to confirm that data is being replicated in real time and assess the replication latency against what the licensee has documented. The MGA’s accountability principle means a licensee cannot point to a cloud provider’s uptime agreement as a substitute for demonstrating that the MGA itself can access the data at any moment.

The UKGC’s access rights operate primarily through its information requirements under LCCP Section 15 and through the Commission’s powers under the Gambling Act 2005. The practical check at audit is whether the licensee can produce account and gambling history promptly on request. The RTS 1B requirement that history must be made available “as soon as is practicable” on request creates an implicit system-capability test: a licensee whose data is stored in a format requiring significant processing time before it can be surfaced is likely non-compliant with the spirit of that requirement.

The B2B Supplier Question: Where Accountability Falls

Multi-level supply chains are common in iGaming. Game rounds may be generated by a remote gaming server operated by a B2B supplier, with the operator having limited direct access to raw game data. Each framework addresses this differently.

The AGCO’s Registrar’s Standards explicitly extend the logging obligations to gaming-related suppliers. Standards 4.01, 4.02, 4.03, and 4.04 are each individually marked “Also applicable to Gaming-Related Suppliers.” The Registrar can hold either the operator or the gaming-related supplier, or both, accountable for meeting a particular standard. An operator cannot satisfy its Standard 4.02 obligation by pointing to a supplier contract, the supplier must also independently satisfy the standard.

The MGA’s accountability principle reaches the same destination from a different direction. The Technical Infrastructure Guidelines state that accountability for meeting the regulatory standards remains with the licensee at all times. A B2C licensee using a B2B-supplied platform is still responsible for ensuring that the B2B supplier’s game data infrastructure meets the MGA’s availability, integrity, and accessibility requirements. In practice this means licensees should contractually mandate specific SLAs from B2B suppliers aligned to the MGA’s real-time access requirement, and verify compliance through the Compliance Audit process under MGA/G/001.

“The responsibility for the attainment of the established and desired standards on these regulatory principles will remain that of the licensee at all times.”

The UKGC takes the same position through Licence Condition 2.3.1, which places the obligation to comply with the RTS on the licensee holding the remote licence, regardless of whether underlying technology is provided by a third party. For gambling software licensees, the obligation to comply with the RTS applies directly, which means B2B suppliers operating under a gambling software licence carry independent obligations alongside the operator.

Interrupted Games and Game State Recovery

A specific and often under-addressed logging requirement in all three frameworks concerns interrupted games: rounds that do not complete due to a connection failure, system error, or server interruption.

The AGCO’s Standard 4.02 specifically lists “capturing information needed to continue a partially complete game within a reasonably defined time” as one of the seven named purposes of the records obligation. This is a functional design requirement. The log must record enough state information, covering the wager amount committed, game elements revealed, and RNG outcome in progress, to allow game completion or appropriate settlement if the player reconnects within the operator’s defined recovery window.

The UKGC addresses interrupted gambling through RTS 10, which requires that if a gambling session is interrupted, on resumption the customer must be shown the current state of the interrupted session including any amounts staked and the latest game state. The logging architecture must therefore capture a recoverable game state snapshot at the point of interruption, timestamped and linked to the session record.

The MGA Compliance Audit Manual procedure 5.4.4 includes “changes to game parameters” in the list of gaming activity history that the back-office must maintain and be able to report on. While this addresses configuration-level events, the MGA’s broader Technical Infrastructure integrity principle requires that gaming functionality integrity is demonstrated at all times, which extends to preserving game state through any interruption.

Operational Architecture: What This Means for Storage Design

Compliance teams frequently underestimate the storage volume implications of game round logging. A single active player account on a high-frequency slot product can generate thousands of individual round records per hour. Across an operator’s full player base, the cumulative volume over a three-to-five-year retention period is substantial.

The AGCO’s Standard 4.02 guidance acknowledges this directly, stating that adequate storage capacity and retention should be in place to ensure logging is not interrupted for a technical reason that could have been prevented. The monitoring obligation in the AGLC’s SRIG is more explicit still, requiring implementation of a monitoring function, naming a SIEM as an example, to correlate and alert on integrity events, with remediation tracked to closure.

The MGA’s requirement for real-time replication to a Malta server adds a second dimension: operators cannot treat the replication server as a cold archive. It must be live. Cloud architectures that rely on eventual consistency or batched synchronisation do not satisfy the MGA’s real-time access requirement. Operators using cloud infrastructure should verify that their replication latency is tested and documented, as auditors under MGA/G/001 will perform tests to confirm real-time replication and record the latency figure.

For operators holding both UKGC and MGA licences, player populations and game round data are often siloed by jurisdiction, but the infrastructure design principles converge: immutable writes, real-time availability, multi-year hot or warm storage, and role-based access controls. Operators considering entry into the Ontario or Alberta markets should review their existing logging architecture against the AGCO and AGLC standards before registration rather than retrofitting post-launch. The MGA system audit requirements article on this site sets out the full scope of what MGA auditors test against the Technical Infrastructure Guidelines, including the server replication and clock synchronisation checks.

Operators assessing how game round logging obligations interact with broader Ontario and Alberta compliance architecture will find the AGCO vs AGLC regulatory differences comparison useful for understanding where the two Canadian frameworks converge and where they diverge on technical requirements. For the UKGC specifically, the RTS obligations for game logging sit within the broader framework of Licence Condition 2.3.1, which is explored alongside the MGA’s equivalent technical requirements in the UKGC vs MGA 2026 licence cost comparison. For practical implementation guidance tailored to your specific jurisdiction, review the control frameworks and supplier documentation requirements detailed in each regulator’s enforcement guidance and audit manual.

What UKGC, MGA, and AGCO Require at a Glance

Requirement	UKGC	MGA	AGCO / AGLC
Mandatory content	Bets, results, winnings, deposits/withdrawals, bonuses (RTS 1B)	All game outcomes, unique transaction IDs, gaming activity history (MGA/G/001 5.4.5)	Transaction and game state, seven named purposes (Standard 4.02)
Retention minimum	12 months on request (RTS 1B); 5 years effective (AML/LCCP 12)	Retention of Data (MGA) Regulations, AML 5 years	3 years (Standard 1.09 / SRIG Section 4)
Immutability control	ISO/IEC 27001:2022 Annex A controls via Licence Condition 2.3.1	Integrity principle, audit trail of all changes to regulatory data	WORM or SHA-256 signing, TLS 1.2+ (AGLC SRIG explicit); documented in CAM (AGCO)
Regulator access	UKGC powers under Gambling Act 2005, LCCP Section 15	Real-time access, live replication to Malta server	Custom on-demand reports to Registrar (Standard 4.04)
Supplier accountability	Licensee responsible, gambling software licensees carry direct RTS obligations	Accountability remains with licensee at all times	Standards explicitly extended to gaming-related suppliers
Interrupted game logging	RTS 10, game state snapshot required on interruption	Integrity principle, changes to game parameters logged	Standard 4.02, named purpose for partial game continuation

Key Compliance Questions for Multi-Licence Operations

How long must game round logs be retained across all three jurisdictions? The AGCO baseline is three years under Standard 1.09. The UKGC’s RTS 1B creates a 12-month customer-access window, but AML obligations under LCCP Section 12 and the Proceeds of Crime Act 2002 push the effective retention period to five years for most licensees. The MGA’s Retention of Data (MGA) Regulations govern the retention period for MGA-licensed operations, and the AML obligations under Cap. 373 also reach five years. An operator holding all three licences should design to a five-year retention architecture to satisfy the highest common denominator, and document the legal basis for that design in its Control Activity Matrix or equivalent.

Who is responsible for log integrity when the game is supplied by a B2B platform? All three regulators place ultimate accountability on the entity holding the B2C licence. The AGCO extends its logging obligations directly to gaming-related suppliers as named parties, meaning both the operator and the supplier carry obligations independently. The MGA’s accountability principle and the UKGC’s Licence Condition 2.3.1 both reject a contractual-delegation model. Operators should conduct due diligence on B2B suppliers’ logging infrastructure as part of the supplier selection and ongoing oversight process, and retain contractual rights to audit supplier log systems.

Operators and licensees should consult qualified legal counsel when applying these requirements to their specific technical architecture, especially where multi-jurisdiction data residency obligations intersect with the MGA’s Malta replication requirement and potential data protection constraints under GDPR or provincial privacy law.

Key Resources

UKGC Remote Gambling and Software Technical Standards (RTS 1): gamblingcommission.gov.uk

AGCO Registrar’s Standards for Internet Gaming: agco.ca

MGA Compliance Audit Manual MGA/G/001 (August 2018 v1): Available via the MGA Guidance Notes page at mga.org.mt

MGA Technical Infrastructure Guidelines for Remote Gaming (December 2015 v1): Available via the MGA Guidance Notes page.

AGLC Standards and Requirements for Internet Gaming (SRIG 2026-03-17, issued 14 January 2026): aglc.ca