GLI-16 Cashless Systems v3.0: TITO, Digital Wallets, and Voucher Certification Requirements

GLI-16: Standards for Cashless Systems and Technologies Version 3.0, carrying a revision date of 31 July 2024, is the governing technical standard for every layer of a certified cashless gaming environment. It applies to operators and suppliers deploying ticket-in/ticket-out (TITO) systems, player account-linked digital wallets, electronic funds transfer (EFT) channels, mobile authentication, kiosks, and voucher-issuance infrastructure. Compliance teams scoping a cashless deployment that do not map their architecture against GLI-16 v3.0 before engaging an independent test laboratory risk scope disputes, delayed certifications, and market-entry setbacks.

Scope and Architecture: What GLI-16 Actually Covers

The standard’s formal definition makes the breadth of its coverage explicit. A Cashless System is defined under GLI-16 v3.0 as “the hardware, software, firmware, communications technology, other equipment, as well as operator procedures implemented in order to allow players to participate in wagering activities using an approved authentication method, which accesses a player account at the Cashless System of the operator or an electronic payment account of the player.” The inclusion of “operator procedures” is deliberate: certification under GLI-16 does not apply only to software or hardware in isolation. The totality of the cashless environment, including the processes that surround it, is within scope.

A Cashless System may be entirely integrated into an existing Gaming System, such as a Monitoring and Control System, or exist as a fully separate Gaming System. GLI-16 section 2.1.1 specifies that its requirements apply in addition to the applicable General Gaming System Requirements within GLI-13: Standards for Monitoring and Control Systems and Validation Systems. Operators and suppliers should therefore treat GLI-16 and GLI-13 as complementary instruments, not alternatives. Where Interface Elements connect Cashless Devices to the Cashless System, those elements must satisfy the Interface Element Requirements contained in GLI-13.

A Cashless Device under the standard encompasses any electronic device facilitating financial transactions between a player account or electronic payment account and gaming equipment maintained by the operator. This definition covers slot machines equipped with cashless capability, electronic table game stations, live game management components, and kiosks. Any additional device or software used to meet a regulatory requirement may also fall within the standard’s technical controls based on functionality.

Chapter 2: Cashless System Requirements, the Communications Foundation

Chapter 2 of GLI-16 v3.0 governs the Cashless System itself. The system must be equipped to correctly read and store applicable significant events, cashless transaction information, and specific cashless meter values from all connected Cashless Devices, in accordance with the secure communication protocol implemented (section 2.2.1). Where Interface Elements carry device-to-system communications, those elements must meet GLI-13’s Interface Element Requirements.

Cashier-level controls receive dedicated treatment. For each cashier session at a Cashier Station, the system must record the cashier balances at the start and end of the session, and for each financial transaction: a unique transaction ID, a unique player account ID, the transaction type (deposit, withdrawal, adjustment), the transaction value, and the date and time of the transaction. Cashier session reconciliation is therefore a certified system obligation, not a matter of internal policy design.

Chapter 3: Cashless Device Requirements, TITO, Vouchers, and Authentication

What is the certification requirement for TITO under GLI-16?

Ticket-in/ticket-out systems fall within the Cashless Device requirements of Chapter 3. Once game play is completed, the player must have the option to transfer some or all funds from the Cashless Device’s credit meter back to their player account, or to cash out via voucher issuance or another approved method (section 3.4.3). Funds may not be transferred from a Cashless Device to a different player account. This one-to-one account binding is a hard technical requirement, not a policy recommendation.

The communication-failure scenario is directly addressed. Where a player attempts to transfer funds to their player account and a communication failure occurs, and voucher issuance or another payout method is not available, the Cashless Device must result in a handpay lockup or tilt (section 3.4.3(e)). Systems that silently drop transactions during communication loss do not satisfy GLI-16 v3.0.

Transaction Authentication Requirements

Section 3.4.1 governs authentication for all cashless transactions between a Cashless Device and the Cashless System. Accepted methods include a credit or debit instrument, card insertion or contactless “tap” using a player identification component, a software application on a player’s mobile device that allows authentication of the account and source of funds, biometric recognition such as fingerprint, or a secure alternative means approved by the regulatory body. The standard explicitly permits multiple authentication methods to coexist, so operators offering both card-tap and mobile app access are not required to select one.

If authentication fails, an explanatory message must be displayed to the player. Upon successful authentication, current account balance information must be made available, and all discretionary account funds must be indicated separately from cashable funds.

Contactless and Wireless Communications

Section 3.3.6 addresses transactions conducted via NFC, Bluetooth, Wi-Fi, or optical technologies. Such wireless communications must utilise secure communication methods to prevent unauthorised access to sensitive information, employ a method to detect data corruption and either correct the error or terminate the communication with an error message, employ a method to prevent unauthorised modification of sensitive information that impacts device integrity or represents secure player data, and only be possible with authorised player identification components.

Transaction Limits and Responsible Gambling at the Device Level

Section 3.4.6 requires that where a player initiates a cashless transaction that would exceed a Cashless Device or System configured limit, or any limit established for responsible gaming purposes, the transaction may only be processed with clear notification to the player that they have transacted less than requested. This integration of responsible gambling controls at the device level is architecturally significant: it is not sufficient to enforce limits only at the account management layer if the Cashless Device itself processes the transaction without the notification requirement being met.

Where the account balance is less than the amount requested, a partial transfer is permissible, provided the player is clearly notified of the shortfall (section 3.4.3(b)).

Direct Account Wagering: A Distinct Technical Mode

GLI-16 v3.0 section 3.4.4 addresses direct account wagering, where funds are not transferred to the credit meter of the Cashless Device but wagers are placed and wins credited directly from and to the player account balance. This architecture is increasingly common in digital wallet implementations and requires specific technical controls distinct from conventional WAT (Wallet Account Transfer) credit-meter models.

For direct account wagering, the Cashless Device must display the account balance to the player at all times and update it in real time as wagers are placed and wins awarded. The player must be able to exit the direct wagering mode and access their full account balance. These display and update requirements are distinct from the authentication and communication requirements applicable to conventional cashless transactions.

Electronic Accounting Meters: The Financial Integrity Architecture

GLI-16 v3.0 specifies mandatory electronic accounting meters for each Cashless Device. The required meters are as follows.

Meter Name	Abbreviation	What It Records
Electronic Funds Transfer In	EFT In	Cashable player funds transferred to the device from a financial institution or third-party provider through the Cashless System or a secure defined-protocol interface
Player Account Transfer In	WAT In	Cashable player funds transferred to the device from a player account (excludes promotional credits)
Player Account Transfer Out	WAT Out	Cashable player funds transferred from the device to a player account (excludes promotional credits)
Other Meters	As required	Cashless transactions not metered under EFT In, WAT In, or WAT Out must be recorded on sufficient additional meters

The separation of WAT meters from EFT meters reflects a structural distinction the standard draws throughout: player account transfers (player-to-device and device-to-player movements within the operator’s cashless environment) are metered separately from external funds arriving via financial institution channels. This separation is integral to audit trail integrity and directly supports AML monitoring obligations that regulators impose on top of the GLI-16 technical layer.

Electronic Funds Transfers: AML Controls Embedded in the Standard

Section 3.4.5 addresses EFT scenarios where funds are transferred between an electronic payment account (such as PayPal, Google Pay, or Apple Pay) and a player account. The standard embeds specific fraud-prevention and AML-aligned controls.

The Cashless System must not execute a transfer upon notification from the player’s financial institution or third-party provider that the available funds are less than the amount requested (section 3.4.5(b)). Funds deposited into a player account must not be available for wagering until received from the issuer or until the issuer provides an authorisation number indicating that the funds are authorised (section 4.4.2(b)). That authorisation number must be maintained in an audit log.

Where EFT fraud controls apply, the player account must be temporarily locked out for investigation after five consecutive failed EFT attempts within a ten-minute period (section 4.4.2(c)). Where no evidence of fraud exists following investigation, the account may be restored. These thresholds can be varied by the regulatory body, but the five-attempt/ten-minute default is the certified baseline.

“Where financial transactions are allowed through Electronic Funds Transfers (EFT), there shall be security measures and controls in place to prevent EFT fraud.”, GLI-16 v3.0, section 4.4.2(c)

The interaction between GLI-16’s EFT controls and jurisdiction-specific AML obligations deserves attention. GLI-16 establishes the technical floor: authorisation logging, lockout thresholds, and source-of-funds traceability. Jurisdictions such as Ontario (under AGCO’s Registrar’s Standards for Internet Gaming), the MGA (under its AML obligations enforced via the FIAU), or the UKGC (under LCCP social responsibility and AML codes) layer additional obligations above that floor. Certification under GLI-16 does not satisfy those regulatory AML requirements, but operating a non-GLI-16-compliant cashless system would make meeting them structurally impossible. For a broader treatment of AML obligations across regulated markets, the AML and Financial Compliance hub covers FATF, FINTRAC, FIAU, and FinCEN transaction monitoring requirements that interact with the technical controls GLI-16 mandates.

Chapter 4: Player Account Requirements

What does GLI-16 require for digital wallet account registration and KYC?

Chapter 4 governs player accounts maintained by the operator within the Cashless System. It does not apply to electronic payment accounts maintained by third parties.

Before a verified player account can be established, the system must collect personally identifiable information (PII) for the registration process. During registration, the player must be denied the ability to establish a duplicate account (section 4.2.2). Identity verification under section 4.2.3 must authenticate the player’s full legal name, date of birth, and full or partial government identification number (driver’s licence number, social security number, taxpayer identification number, passport number, or equivalent), as required by the regulatory body. Third-party identity verification service providers may be used.

Identity verification must also confirm that the player is not on any exclusion lists held by the operator or the regulatory body, and is not otherwise prohibited from establishing or maintaining an account. This exclusion-list check is a pre-condition to account activation under section 4.2.4, not an optional post-activation step.

Account records must maintain the player’s current and previous authentication credentials, encrypted or hashed to a cryptographic algorithm as allowed by the regulatory body. Personal financial information including credit or debit instrument numbers and bank account numbers must also be encrypted or hashed. The display masking requirement in GLI-16 v3.0 permits only the last four digits of an account type or source of funds identifier to be shown on a Cashless Device.

Account Management and Transaction Logging

Section 4.4.1 governs account access at the system level. Where the system does not recognise authentication credentials, the error message displayed must be identical regardless of which credential is incorrect, a security control designed to prevent credential enumeration attacks. The player account must be automatically locked out after three successive failed active access attempts in a thirty-minute period, or a period determined by the regulatory body (section 4.4.1(b)).

The system must be able to provide a transaction log or account statement history to a player upon request, containing sufficient information to allow the player to reconcile the statement against their own financial records (section 4.4.3). Security or authorisation procedures must ensure only authorised adjustments can be made to player account balances, and all such changes must be auditable (section 4.4.2(i)).

Funds transfers between two player accounts are prohibited (section 4.4.2(h)). For verified player accounts, withdrawals must be paid to an account with a financial institution or third-party provider in the name of the player, or made payable to the player and forwarded to their registered residential address via a secure delivery service (section 4.4.2(f)). The name and residential address used must match the registration details held by the operator.

“It shall not be possible to transfer funds between two player accounts.”, GLI-16 v3.0, section 4.4.2(h)

Promotional Credits and Discretionary Account Funds

GLI-16 v3.0 draws a consistent structural distinction between cashable player funds and discretionary account funds, defined as non-cashable promotional credits and promotional credits that have a possible expiration. This distinction must be maintained in display, metering, and transaction processing.

WAT In and WAT Out meters explicitly exclude promotional credit transfers, which are handled separately under the metering architecture. Account balance displays must indicate all discretionary account funds separately. Where a player account includes promotional credits, the system must not commingle those funds with cashable balances in any account statement, transaction log, or device display. Operators building promotional systems on top of their cashless infrastructure should treat this separation requirement as an integration constraint during system design, not a configuration option at deployment.

Limitations, Time-Outs, and Account Suspensions: The Responsible Gambling Layer

Section 4.5 of GLI-16 v3.0 applies where the Cashless System directly manages and implements limitations, time-outs, or suspensions. This is an increasingly common architecture in cashless-first environments, where the cashless system is the primary player interaction point rather than a legacy cage or floor-staff model.

Players must be provided with a method to impose limitations for account activity including, but not limited to, deposits and cashless transactions over a defined time period (day, week, or month) as required by the regulatory body (section 4.5.2). The system must also be capable of imposing operator- or regulatory-body-mandated limits. Once a player has set a self-imposed limit, it may only be reduced in severity after the time period of the previous limit has expired, or as otherwise required by the regulatory body. Players must be notified in advance of any system-imposed limits and their effective dates.

For account suspensions, the standard specifies that the minimum suspension period must not be less than seventy-two hours, or indefinite, as required by the regulatory body (section 4.5). While an account is suspended, the player must be prevented from performing cashless transactions other than transferring funds from the Cashless Device back to their account, depositing funds (except to settle a negative balance), and making changes to or closing the account without operator authorisation. The player must not be prevented from withdrawing cashable funds, provided the operator acknowledges the funds have cleared and the reason for suspension does not prohibit withdrawal.

This architecture ensures that responsible gambling-triggered suspensions do not inadvertently strand player funds, a design principle that regulators in most major iGaming markets also require at the product level. Compliance teams deploying cashless systems in jurisdictions such as Ontario, where AGCO’s Registrar’s Standards for Internet Gaming impose detailed responsible gambling obligations, should map GLI-16’s section 4.5 requirements against the applicable regulatory framework to confirm the cashless layer satisfies both the technical standard and the jurisdictional rule.

Testing, Laboratory Submission, and the COTS Exemption

How does GLI-16 v3.0 certification actually work?

Section 1.5.1 of GLI-16 v3.0 sets out the laboratory testing framework. An independent test laboratory (ITL) tests and certifies the components of the Cashless System in accordance with each applicable chapter within a controlled test environment. Operators and suppliers must provide documentation, credentials, and access to a production-equivalent test environment. Upon successful completion of testing, the ITL provides a certificate of compliance evidencing certification to the standard. The GLI Certification hub provides an overview of the broader GLI standard family, certification process, and jurisdiction acceptance patterns relevant to teams new to the GLI testing framework.

GLI’s GLIAccess portal (access.gaminglabs.com) provides 24/7 tracking of submission status, real-time project management, and direct regulator-to-lab communication for certification approvals.

Two carve-outs apply unless the regulatory body directs otherwise. Unaltered commercial off-the-shelf (COTS) components, such as standard PCs or tablets, do not require certification. Modified off-the-shelf components are subject to review. The COTS exemption is narrow in practice: any hardware modified to meet a regulatory requirement or to implement cashless functionality falls outside the exemption and is subject to the full certification process.

GLI-16 v3.0 section 1.5 also addresses the shared-responsibility challenge of multi-party cashless environments. Because a cashless production environment typically involves both an operator and one or more suppliers, several requirements in the document apply to both. The standard notes explicitly that it does not define which parties are responsible for meeting individual requirements, and that determination rests with the stakeholders in each jurisdiction. In practice, operators and suppliers should resolve responsibility allocation contractually before certification begins, as post-submission scope disputes between parties are a recognised cause of certification delay.

GLI-16 in a Cashless-First Jurisdiction Context

The growth of cashless-first gaming floor designs, particularly in newer regulated markets and in land-based properties undergoing digital transformation, has elevated GLI-16 from a specialist standard to a primary certification path. Markets adopting cashless-first approaches require operators to demonstrate that every transaction pathway, including player account onboarding, EFT deposits, digital wallet fund transfers, voucher issuance, and device-level responsible gambling controls, is certified against a recognised technical standard.

For operators already certified under GLI-19 (Interactive Gaming Systems) or GLI-33 (Event Wagering Systems), GLI-16 represents an additional certification layer rather than a substitute. The three standards address different system boundaries: GLI-19 governs the online gaming platform and RNG, GLI-33 governs event wagering systems, and GLI-16 governs the cashless transaction infrastructure that may sit beneath or alongside either. In land-based environments integrating mobile wallet access with floor gaming, all three may be simultaneously in scope.

The standard’s technology-neutral design principle, codified in section 1.2.2 and reflected in its acceptance of biometric authentication, NFC, Bluetooth, and mobile device access, means GLI-16 v3.0 is architecturally capable of certifying systems that did not exist when earlier versions of the standard were drafted. Operators deploying novel authentication methods or emerging digital payment rails should confirm with the applicable regulatory body whether GLI-16 v3.0 has been formally adopted in that jurisdiction, and whether the regulatory body requires additional jurisdiction-specific requirements beyond the standard’s baseline.

GLI-16 v3.0 should be viewed as a living document that will be tailored periodically to align with this developing industry over time as gaming implementations and operations evolve.

Compliance teams should also note that GLI-16 certification addresses the technical integrity of the cashless system. It does not substitute for the operator’s AML programme, KYC obligations, or responsible gambling policy requirements imposed by the relevant regulatory body. Jurisdictions such as the UKGC, MGA, and AGCO impose obligations that operate independently of and above any GLI technical certification. Operators expanding to cashless-first environments should seek qualified legal counsel to map GLI-16 certification requirements against the applicable regulatory framework in each target jurisdiction. To begin your compliance review, consult the GLI Certification hub for jurisdiction-specific acceptance patterns and next steps in your certification pathway.

Key Resources

GLI-16: Standards for Cashless Systems and Technologies, Version 3.0 (Revision Date: 31 July 2024), Gaming Laboratories International. Available free of charge at www.gaminglabs.com.

GLI-13: Standards for Monitoring and Control Systems and Validation Systems, Version 3.0 (Revision Date: 31 July 2024), Gaming Laboratories International. Companion standard governing Interface Element requirements and cashier reporting in systems integrating with GLI-16-certified components.

GLIAccess Certification Portal, access.gaminglabs.com. Submission tracking, certification records, and regulator communication for GLI-16 and all associated standards.

GLI-20: Standards for Kiosks, Version 2.0, Gaming Laboratories International. Governs kiosk-level wagering instrument issuance, redemption, and player account management functionality where kiosks are deployed as Cashless Devices in GLI-16-certified environments.