A searchable, filterable index of every Registrar's Standard for Internet Gaming in Ontario. Each standard is grouped by the risk theme the Registrar has published, tagged editorially for the player-protection categories our team tracks most closely, and presented with its principle and supporting requirements. Use it to orient on the rules that govern Ontario's regulated iGaming market.
Ensure registered operators and gaming-related suppliers maintain sound governance, honest dealings with the Registrar, and a control environment that supports the integrity of Ontario's iGaming market.
Applicable personnel must demonstrate character, integrity and high ethical values through attitude and action.
Operators and suppliers must build formal control activities addressing regulatory risks, with periodic effectiveness reviews and adjustments.
Any control activity override must be clearly documented, reported to governance, and approved by at least two senior managers.
Operators must operate controls that ensure financial reports comply with applicable accounting standards and practices.
A screening process appropriate to each role must cover directors, officers, employees, agents and consultants.
Employees must have the competence, skills, experience and training needed to execute their assigned control activities.
Structures must promote sound control environments with duty segregation that minimizes collusion and unauthorized activities.
Management must understand its accountability and authority for the control environment through appropriate training and knowledge.
Compliance logs and related information must be retained for a minimum of three years unless otherwise specified.
Standards compliance must be documented and organized so independent oversight functions can review and audit it.
Primary compliance accountability sits with the Board or governance structure, with documented evidence of execution.
An independent anonymous reporting process must let employees raise control deficiencies, non-compliance or legal violations.
Registrants must engage transparently with the Registrar on compliance, integrity and operations.
Operators must ensure OPP or Registrar investigators can monitor and participate in games.
A timely mechanism must let players contact operators about accounts, funds, gameplay or Standards compliance, with Registrar notification per the matrix.
Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner.
Relevant information about the AGCO must be displayed and easily accessible to players.
Operators and suppliers must contract only with reputable counterparties.
Operators bear responsibility for third-party actions and must require contractors to comply as if bound by the same laws, regulations and standards.
Operators and suppliers must maintain supplier lists for goods or services related to lottery schemes and make them available to the Registrar on request.
Operators must ensure compensated third-party marketers do not provide direct-to-consumer services for unregistered Ontario gaming sites.
Operators and suppliers must stop unregulated activities that require registration and not contract with unregistered providers of registrable goods or services.
Prevent and minimize gambling-related harm through policy, marketing restraints, informed-decision tools, harm-identification monitoring, self-exclusion and game-design constraints that slow play and reveal net position.
Operators must implement policies identifying, preventing and minimizing gaming harms, reviewed regularly and communicated to all staff.
Provincial agencies must implement policies that identify and prevent player harm across their gaming operations.
Marketing materials cannot target minors, high-risk persons or self-excluded individuals, and cannot include underage imagery.
All marketing must be truthful and cannot mislead regarding products, odds or outcomes.
Advertising gambling inducements, bonuses and credits is prohibited except on an operator's gaming site and to consenting direct-marketing recipients.
Any bonus or credit advertising must disclose material conditions prominently and avoid misleading "free" or "risk-free" language.
Players must actively opt in to receive inducement marketing and must be able to withdraw consent at any time.
Operators must systematically provide accessible information enabling informed responsible-play choices.
Registration pages and pages within the player account must prominently display an RG statement, online link and the ConnexOntario number.
Operators must monitor player risk profiles and behaviours to detect signs of potential harm.
Help for potentially harmed players must be readily available and systematically delivered.
All staff must understand RG's importance and recognize problem-gambling signs.
Players must have access to short-term play breaks separate from formal self-exclusion.
Operators must offer an accessible, well-promoted voluntary self-exclusion program letting players exclude themselves permanently or temporarily.
Game designs must be clear and truthful, not misleading on outcome determinants or speed-of-play effects.
The method of making bets in sport and event betting must be straightforward and understandable, with clear player communication.
Players must access betting information without placing bets, including odds, payouts and current pool values.
Reputable and legitimate data sources must be used to determine bet outcomes and must be disclosed on request.
Game features must prevent extended or impulsive play and encourage lower-risk behaviours.
The gaming system must not offer functionality facilitating play of multiple slots games at the same time, including split-screen features.
A minimum of 2.5 seconds must elapse between game cycles; players must consciously initiate each cycle through a button release-and-depress action.
For slots, the gaming system must not permit a customer to reduce the time until the result is presented (no turbo or quick-spin).
For slots, winning audio and visual effects cannot accompany returns equal to or less than the wager amount.
For slots, gaming sessions must clearly display the customer's net position (total winnings minus total losses since session start).
Players must have a visible means to track elapsed time during gaming sessions.
Players must easily set financial and time-based limits at registration and at any time afterwards.
Any player request to relax or remove a limit requires a 24-hour minimum cooling-off period before implementation.
Restrict gaming to eligible individuals in Ontario, collect and validate registration data, authenticate players before play, maintain auditable account records, and provide deactivation and fund-recovery rights.
Only eligible individuals are permitted to create a player account; only valid account holders are permitted to log on and gamble.
Operators must actively prevent individuals with insider information or decision-making authority from betting on events they influence, and meet sport-governing-body integrity standards.
Games on gaming sites may only be provided within Ontario, unless conducted jointly with another provincial government.
When prohibited/excluded lists change, all registered players must be re-verified for continued eligibility and removed if necessary.
Relevant player information must be collected and saved upon registration and demonstrated to be complete, accurate and validated before a player account is created.
Players must confirm that all registration information provided is complete and accurate before account creation.
Player information must be kept complete and accurate.
Players must confirm they are fit to participate before engaging in gameplay.
All player accounts must be uniquely identifiable.
Players may have only one player account per gaming site.
There must be an auditable, logged trail of events relating to account creation, activation, deactivation and changes.
Players must acknowledge and accept the account and gameplay terms before account creation, and accept material changes when logging in.
All players must be authenticated before accessing their account and gambling; third parties may not access a player's account.
All player account transactions must be recorded and logged accurately and completely.
Player account information must be made readily available to the player.
Players must easily access clear information about all account transactions and activities.
All player account transactions must be uniquely identifiable and traceable to a single player account.
Reasonable efforts must be made to inform players of player funds remaining in dormant accounts.
Players may deactivate their account at any time; once elected, the account is deactivated.
Operators may deactivate accounts when necessary for compliance or protection purposes.
Accounts must be deactivated upon Registrar direction.
Removed player information must be retained per Standard 1.09 or other applicable retention requirements.
Players whose accounts become dormant or are deactivated must be able to recover the balance owing to them.
Ensure games are fair, honest and independently verifiable; that players get accurate pre-wager information; that outcomes are random, recoverable and settled per stated terms; and that betting integrity risks, faults and peer-to-peer manipulation are actively managed.
Gaming must be conducted fairly, honestly and independently verifiable through continuous monitoring.
Complete and accurate records must support investigations, dispute resolution and complaint handling.
When logging fails, compensating manual controls must be used where technically feasible.
Gaming systems must provide flexible reporting capabilities to regulators in appropriate formats.
Game specifications must document objectives, wagers, operation methods, winning odds and operator advantage.
Players need comprehensive information about chances, gameplay and payouts before wagering.
In-play information must not misrepresent games or encourage harmful play patterns.
All games and RNG systems must be Registrar-approved or certified by an independent testing lab prior to provision.
Gaming systems must be provided and maintained to ensure integrity, safety and security.
Games with suspected fairness faults must be unavailable until resolved, with fair and reasonable decisioning.
Production, testing and development systems must be logically separated.
Game outcomes should be recoverable where technically possible to enable fair player settlement.
Operators must have defined, fair policies for treating players when faults occur.
Games must be recreatable to their last communicated state to resolve incomplete transactions.
Bets and outcomes must be clearly displayed with sufficient time for player review.
Games must pay out accurately, completely and within reasonable time after winning.
Operators must have mechanisms to appropriately deter, prevent and detect collusion and cheating.
All detection activities must be logged for regulatory review and investigation.
Players need a clear, accessible process to report suspected cheating, collusion or bot activity.
Where interaction speed affects winning chances, operators must prevent unfair disadvantage from performance issues.
Service interruptions must be handled without disadvantaging players.
Operators must prevent the use of automated software providing unfair play advantages.
Peer-to-peer games must ensure players are treated fairly without disadvantage.
Games must operate exactly as specified and bets settled per stated terms.
Bets must be committed before outcome determination; later wagers are voided and refunded.
Sport and event bets must settle fairly per terms and rules available to players when placed.
Bet results and changes must be provided and account balances updated.
Controls must ensure accuracy and timeliness of results data used for settlement.
A mechanism must randomly select game elements determining outcomes, independently and without correlation to play style or system load.
RNG mechanisms must be capable of being monitored and inspected to verify integrity.
Play terms must not change mid-session unless players are aware before wagering.
Game sessions must be secured and verified as authentic.
Automatic session time-outs must protect inactive players.
All critical functions, including game outcome generation, must originate from the gaming system, not end devices.
Operators must mitigate integrity risks including insider betting and event manipulation.
Operators may suspend betting or withhold funds for events with suspicious activity reports, fairly and reasonably.
Only bets meeting criteria for outcome verification and integrity safeguards are permitted.
Access to live dealer gaming supplies must be restricted to those with a business need.
Controls must prevent live dealer presenters from compromising game integrity.
Protect gaming data, systems and assets through an industry-standard IT control environment: access management, authentication, encryption, logging, change and incident response, resilience, and periodic assurance. Player funds deposits and withdrawals are gated on identity verification and financial-services authorization.
A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements. (Also applicable to Gaming-Related Suppliers)
Users shall be granted access to the gaming system based on business need. (Also applicable to Gaming-Related Suppliers)
Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual, either through the assignment of uniquely assigned accounts to individual users or such other reasonable method. (Also applicable to Gaming-Related Suppliers)
Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts. (Also applicable to Gaming-Related Suppliers)
Industry accepted components, both hardware and software, shall be used where possible. (Also applicable to Gaming-Related Suppliers)
Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system. (Also applicable to Gaming-Related Suppliers)
Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system. (Also applicable to Gaming-Related Suppliers)
There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets. (Also applicable to Gaming-Related Suppliers)
Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches. (Also applicable to Gaming-Related Suppliers)
Security monitoring activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate. (Also applicable to Gaming-Related Suppliers)
Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components. (Also applicable to Gaming-Related Suppliers)
Operators and gaming related suppliers must inform themselves of the current threats and risks to the security, integrity, and availability of the gaming systems and related components that they operate or supply. Operators must have in place policies and procedures to mitigate such risks and threats. Gaming related suppliers must inform their customers of any material threat or risk to the security or integrity of the gaming systems that they supply or operate. (Also applicable to Gaming-Related Suppliers)
A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house. (Also applicable to Gaming-Related Suppliers)
Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met. (Also applicable to Gaming-Related Suppliers)
A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended. (Also applicable to Gaming-Related Suppliers)
All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved. (Also applicable to Gaming-Related Suppliers)
Operators must have both preventative and detective measures in place to ensure that no unauthorized or unintentional changes are made to the gaming system.
Post implementation reviews shall be performed to ensure that changes have been correctly implemented and the outcomes shall be reviewed and approved. (Also applicable to Gaming-Related Suppliers)
All change related documentation and information shall be captured, stored and managed in a secure and robust manner. (Also applicable to Gaming-Related Suppliers)
The implementation of software related updates, patches or upgrades shall be regularly monitored, documented, reviewed, tested and managed with appropriate management oversight and approval. (Also applicable to Gaming-Related Suppliers)
A mechanism shall be in place to regularly monitor, document, review, test and approve upgrades, patches or updates to all gaming-related hardware components as they become end of life, obsolete, shown to have weaknesses or vulnerabilities, are outdated or have undergone other maintenance. (Also applicable to Gaming-Related Suppliers)
Appropriate release and configuration management processes with support systems shall be in place to support both software and hardware related changes. (Also applicable to Gaming-Related Suppliers)
Only dedicated and specific accounts may be used to make changes. (Also applicable to Gaming-Related Suppliers)
Data governance shall be in place to address data processing integrity and protection of sensitive data. (Also applicable to Gaming-Related Suppliers)
Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times. (Also applicable to Gaming-Related Suppliers)
Player information shall be securely protected and its usage controlled.
Communication of sensitive game data shall be protected for integrity. (Also applicable to Gaming-Related Suppliers)
Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events. (Also applicable to Gaming-Related Suppliers)
The gaming system architecture and all its related components shall demonstrate security in depth. (Also applicable to Gaming-Related Suppliers)
All gaming systems and devices shall validate inputs before inputs are processed. (Also applicable to Gaming-Related Suppliers)
The gaming system shall only display the minimum information about the gaming system to unauthorized users and during system malfunctions to minimize the risk of compromising the gaming system or the privacy of information. (Also applicable to Gaming-Related Suppliers)
All remote access methods shall be appropriately secured and managed. (Also applicable to Gaming-Related Suppliers)
Use of wireless communication shall be secured and only used where appropriate. (Also applicable to Gaming-Related Suppliers) Guidance: the intent is to ensure that wireless communication is not present in areas where it could be potentially harmful (e.g. data centres).
All components shall be hardened as defined by industry and technology good practices prior to going live and as part of any changes. (Also applicable to Gaming-Related Suppliers)
Access shall be appropriately restricted to ensure that the domain name server records are kept secure from malicious and unauthorized changes. (Also applicable to Gaming-Related Suppliers)
All private encryption keys shall be stored on secure and redundant media that are only accessible by authorized management personnel. (Also applicable to Gaming-Related Suppliers)
Encryption algorithms and key lengths shall be regularly assessed for security vulnerabilities. (Also applicable to Gaming-Related Suppliers)
The gaming system architecture shall limit the loss of data and session information. (Also applicable to Gaming-Related Suppliers)
The gaming system shall be able to change, block, deactivate or remove system accounts in a timely manner upon termination, change of role or responsibility, suspension or unauthorized usage of an account. (Also applicable to Gaming-Related Suppliers)
A secure authenticator that meets industry good practices shall be used to identify users and their accounts to ensure that only authorized individuals are permitted to access their system account on the gaming system. (Also applicable to Gaming-Related Suppliers)
The gaming system shall ensure that all access to the system is fully attributable to, and logged against, a unique user identification. (Also applicable to Gaming-Related Suppliers)
Only the minimum access rights shall be granted to each system account on the gaming system and access rights shall be clearly documented. (Also applicable to Gaming-Related Suppliers)
All temporary and guest accounts shall be disabled immediately after the purpose for which the account was established is no longer required. (Also applicable to Gaming-Related Suppliers)
System accounts and system access rights for the gaming system shall be regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
A log of account owners shall be kept and regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
A mechanism shall be in place to ensure that the assignment of administrator accounts is approved by the Operator's management and that usage is monitored for appropriateness. (Also applicable to Gaming-Related Suppliers)
Inappropriate use of system accounts on the gaming system shall be logged, reviewed and responded to within a reasonable period of time. (Also applicable to Gaming-Related Suppliers)
Inappropriate use of administrator accounts shall be reported to the Registrar in accordance with the notification matrix. (Also applicable to Gaming-Related Suppliers)
Software used for the gaming system shall be developed using industry good practices. (Also applicable to Gaming-Related Suppliers) Note: these software Standards apply to modified commercial off-the-shelf software, proprietary developed software, and software specifically developed by the OLG or iGaming Ontario.
Software development methodologies used shall be clearly documented, regularly updated and stored in an accessible, secure and robust manner. (Also applicable to Gaming-Related Suppliers)
An appropriate system shall be in place to manage the software development and ongoing software management lifecycle. (Also applicable to Gaming-Related Suppliers)
All software development roles shall be segregated during and after release of code to a production environment. (Also applicable to Gaming-Related Suppliers)
An appropriate audit trail of authority and management review of code for software shall be established. (Also applicable to Gaming-Related Suppliers)
Controls shall be in place to ensure software is appropriately secured and access is appropriately restricted throughout development. (Also applicable to Gaming-Related Suppliers)
Authorized management staff shall review and approve software documentation to ensure that it is appropriately and clearly documented.
Source code and compiled code shall be securely stored. (Also applicable to Gaming-Related Suppliers) Guidance: compiled code could be digitally signed or hashed (including each time there is a change) in a manner that allows for external verification.
The promotion or movement of code from testing through other environments to production shall be accompanied by the appropriate documentation and approvals. (Also applicable to Gaming-Related Suppliers)
All promotion of code from development to production shall only be performed by production support staff and not by development staff. (Also applicable to Gaming-Related Suppliers)
Appropriate testing environments shall be in place to allow for thorough testing of any code before it is put into production. (Also applicable to Gaming-Related Suppliers)
Access to production environments shall be restricted from development personnel. (Also applicable to Gaming-Related Suppliers) Note: this does not preclude granting of temporary supervised access for conducting technical investigations that may only be performed on the production environment.
Development code shall not be present in the production environment. (Also applicable to Gaming-Related Suppliers)
A mechanism shall be in place to verify the integrity of the software that is deployed to production, including before changes are implemented, as well as on an ongoing basis. (Also applicable to Gaming-Related Suppliers)
Appropriate release and configuration management systems shall be in place to support software development. (Also applicable to Gaming-Related Suppliers)
All code developed by a third party shall be tested to ensure it meets industry good practices and that it performs to meet its purpose prior to being added to the testing environment and prior to integration testing. (Also applicable to Gaming-Related Suppliers)
All code developed by a third party shall pass integration testing before it is added to production. (Also applicable to Gaming-Related Suppliers)
Mechanisms shall be in place to ensure that bugs are identified and addressed prior to, and during, production. (Also applicable to Gaming-Related Suppliers)
Quality assurance processes, including testing, shall take place during development and prior to the release of any code. (Also applicable to Gaming-Related Suppliers)
All components, where appropriate, shall be tested for the purposes for which they will be used. (Also applicable to Gaming-Related Suppliers)
Players may be permitted to deposit funds into their player accounts only after the appropriate verifications and authorization.
Players are permitted to withdraw funds from their player account only after the appropriate verifications and authorization.
Players are permitted to withdraw funds from their player account in an accurate and complete fashion and as soon as is practicable, subject to appropriate authorization and verification.
Player funds shall be clearly and appropriately managed.
All player funds deposited in respect of igaming lottery schemes conducted and managed by the OLG shall be held in an OLG account. iGaming Ontario shall take steps to ensure that all player funds deposited in respect of igaming lottery schemes conducted and managed by iGaming Ontario are subject to oversight by iGaming Ontario and available to players.
Operators shall not extend credit or lend money to players or refer players to credit providers or imply or infer that a player should seek additional credit to play games.
No player's account is permitted to have a negative funds balance. A player's account with a negative funds balance must be suspended and no transactions permitted after the negative funds balance arises. No transaction is permitted until the negative funds balance is eliminated. No bet will be accepted that could result in a negative funds balance. Guidance: this Standard is not intended to prohibit the resettlement of bets when reasonable and necessary.
Players shall be provided with a clear and accurate representation of their funds account balance that is easily accessible and readily available at all times. (Also applicable to Gaming-Related Suppliers)
Players shall be provided with unambiguous information about all player account fees prior to making a withdrawal or deposit.
Players shall be informed clearly and specifically of all rules and restrictions regarding deposits and withdrawals and access to funds in connection with deposits and withdrawals.
Funds shall not be transferred between player accounts.
Adjustments to player accounts shall be made accurately and only by authorized individuals.
Adjustments to player accounts shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
Players shall be provided with accurate, clear and specific reasons for any adjustments made to their accounts. (Also applicable to Gaming-Related Suppliers)
Protect the integrity of Ontario's iGaming market from money laundering, terrorist financing and other unlawful activity through federal AML/CTF compliance, player identity verification, transaction monitoring and record retention.
Mechanisms shall be in place to reasonably identify and prevent unlawful activities at the gaming site.
Anti-money laundering policies and procedures to support obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) shall be implemented and enforced.
Reasonable measures shall be in place to identify and prevent suspected money laundering activities in the gaming site.
No standards match your filters.