Standards Explorer
All 335 AGLC iGaming requirements in one searchable database. See which standards mirror Ontario’s AGCO framework, which are unique to Alberta, and exactly what operators must do to achieve compliance.
Legislation and Compliance
The Standards and Requirements for Internet Gaming, the iGaming Alberta Act, Gaming, Liquor and Cannabis Act and the Gaming, Liquor and Cannabis Regulation are available at aglc.ca.
The iGaming Corporation, registered iGaming Suppliers and employees or other persons retained by the iGaming corporation or a registrant, must comply with all relevant legislation and Board policies, including the:
a) Gaming, Liquor and Cannabis Act;
b) iGaming Alberta Act;
c) Gaming, Liquor and Cannabis Regulation;
d) Standards and Requirements for internet gaming; and
e) all federal, provincial and municipal laws.
All references in this handbook to "Standards and Requirements" are considered to be references to Board policies in this handbook.
Non-compliance with the legislation or Board policies contained in this handbook may result in administrative sanctions and/or disciplinary action up to and including suspension or cancellation of registration.
The Gaming, Liquor and Cannabis Act authorizes AGLC to:
a) conduct and manage provincial lotteries for the Government of Alberta, except provincial lotteries conducted and managed by the Minister;
b) regulate online provincial lotteries and iGaming Suppliers in a manner that maintains a clear commitment to social responsibility; and
c) establish Standards and Requirements for the:
i) conduct and management of an online provincial lottery,
ii) operation of an iGaming site operated by an iGaming Supplier or a business related to an iGaming site operated by an iGaming Supplier or related to an online provincial lottery; and
iii) provision of Goods or Services related to the conduct and management of an online provincial lottery or the operation of an iGaming site operated by an iGaming Supplier.
Board policies are a condition of the registration.
Anything not specifically permitted within these policies is prohibited.
Registration
iGaming Supplier registrations are issued by AGLC in the following sub-classes of registration:
a) Operators; and
b) Goods or Services Suppliers.
The administration and monitoring of registrants is the responsibility of AGLC.
Only registered Operators may provide or operate an iGaming site that is named on their registration on behalf of, or under a contract with, the iGaming corporation or the Commission.
Only registered Goods or Services Suppliers may provide goods or services to the iGaming corporation, the Commission or an Operator.
Goods or Services Suppliers must hold a registration to perform a function listed below:
a) making or supplying equipment or services to operate or support the operation of an iGaming site;
b) providing testing or maintenance services for equipment used to operate or to support the operation of an iGaming site;
c) providing management or consulting services for operating or supporting the operation of an iGaming site; or
d) providing goods or services prescribed in the Gaming, Liquor and Cannabis Regulation.
The supply of goods or services which require registration include, but are not limited to:
a) platform provider;
b) suppliers that manufacture, develop, provide/run games and game systems;
c) customer e-wallet providers;
d) oddsmakers;
e) independent integrity monitors (IIM); and
f) accredited testing facilities (ATF).
The following are registration requirements for ATFs:
a) Prior to issuing certifications, ATFs must provide AGLC with independent confirmation (internal audit is acceptable) that their testing methodologies have been updated and validated against AGLC's Standards and Requirements for Internet Gaming.
b) Following any relevant revisions to AGLC's Standards and Requirements for Internet Gaming, ATFs must ensure that their test methods are revised and validated as necessary prior to issuing any certifications to the new version.
c) AGLC's Standards and Requirements for Internet Gaming must be added to the ATF's scope of ISO accreditation within one year of being registered as an iGaming Goods or Services Supplier in Alberta (within the next accreditation audit schedule).
d) ATFs must identify any real or potential conflicts of interest and manage them appropriately to ensure independence and impartiality. AGLC may request records related to identified conflicts of interest and actions taken to manage them.
e) Upon identification of any issues in certified games or game systems that materially impact the certification, ATFs must suspend any issued certifications and notify the affected registered iGaming Supplier.
No iGaming Supplier registration may be issued to an applicant unless the applicant has:
a) complied with all federal, provincial and municipal legislation and obtained all necessary permits, licences and authorizations;
b) complied with Board policies;
c) paid the non-refundable application fee, if applicable; and
d) paid the applicable non-refundable annual registration fee.
Note: see also Subsections 2.2.10 and 2.2.11.
An applicant may be registered by the Board if:
a) the Board considers it appropriate to do so;
b) the applicant is eligible to be registered; and
c) the requirements under the GLCA for issuing the registration have been met.
An iGaming Supplier registration is cancelled when a person sells, assigns or transfers the registration pursuant to section 30(2) of the Gaming, Liquor and Cannabis Regulation.
A separate application must be made for each distinct iGaming site and a non-refundable application fee must be paid for each application (see the Internet Gaming Operator Application Guide at aglc.ca for additional information).
An applicant, registered Operator or registered Goods or Services Supplier must pay a non-refundable registration fee as applicable to their registration. Registered Operators must pay a separate non-refundable annual registration fee for each distinct iGaming Site (see the Internet Gaming Operator Application Guide at aglc.ca for additional information).
Registration fees are set forth in the AGLC Fee Schedule (available at aglc.ca).
An applicant, registered Operator, or registered Goods or Services Supplier must undergo a background check (see Subsection 2.4).
The Application Guide for registration as an iGaming Supplier may be obtained on AGLC's website at aglc.ca.
General Responsibilities of Registrants
Registered Operators must enter into a commercial agreement with Alberta's iGaming Corporation (AiGC) or the Commission in order to provide or operate an iGaming site named on their registration.
Registered Operators and registered Goods or Services Suppliers:
a) are responsible for knowing the legislation and policies referred to, or contained in, the Standards and Requirements;
b) must ensure that all records, reports and financial control forms are complete and accurate;
c) must ensure that all communications (written or oral) with AGLC or its representatives are accurate.
Registered Operators and registered Goods or Services Suppliers must cease all unregulated gaming activities in Alberta's iGaming market if, to carry out those activities in Alberta's regulated online lottery scheme, those activities would otherwise require registration under the iGaming Alberta Act or Gaming, Liquor and Cannabis Act.
Registered Operators and registered Goods or Services Suppliers must notify AGLC immediately if any of its officers, shareholders, directors or owners are charged with or convicted of an offense under:
a) the Criminal Code (Canada);
b) the Excise Act (Canada);
c) the Food and Drug Act (Canada);
d) the Income Tax Act (Canada);
e) the Controlled Drugs and Substances Act (Canada), other than under section 4(1) of that Act for possession of any substance included in Schedule II to that Act;
f) the Proceeds of Crime and Terrorist Financing Act (Canada);
g) a foreign Act or regulation that is substantially similar to an offence referred to in a), b), c), d), e), or f) above;
h) the Gaming, Liquor and Cannabis Act (Alberta); or
i) the Gaming, Liquor and Cannabis Regulation (Alberta).
A personnel security screening process must be in place for any director or officer, and any employee, agent or consultant, at a level that is appropriate for the individual's role in the organization.
Registered Operators and registered Goods or Services Suppliers must not enter into any agreements or arrangements with any unregistered person who is providing any goods or services that would otherwise require registration in Alberta.
Registered Operators, registered Goods or Services Suppliers and their employees are required to cooperate fully with AGLC inspectors and police officers. Registrants, at the request of an inspector, AGLC or an employee of AGLC must:
a) assist the inspector in carrying out an inspection;
b) provide the inspector with access to systems and system information records, documents, books of account and receipts and provide a place where they may be inspected, audited, examined or copied;
c) interview the iGaming Supplier or an agent of the iGaming Supplier with regard to any of the records, documents, books of account and receipts; and
d) conduct such tests as are reasonably necessary for the inspection.
Registered Operators must ensure police or AGLC inspectors are able to monitor and participate in games.
Registered Operators must maintain a valid registration as an Operator for the duration of their commercial agreement (see Subsection 2.3.1) including any renewal periods.
Registered Operators and registered Goods or Services Suppliers must comply with all conditions placed on the iGaming registration.
In order to maintain or enhance the integrity and public confidence in gaming, AGLC, at its sole discretion, may direct a registered Operator or registered Goods or Services Supplier to comply with any additional Standards and Requirements as considered necessary.
Background Checks
A background check is conducted on an applicant, applicant's associates and any key employees of the applicant as defined by AGLC pursuant to section 9 and 9.1 of the Gaming, Liquor and Cannabis Regulation.
The background check is to ensure criminal interests, or those who otherwise would be a detriment to the integrity or lawful conduct of gaming in the province, are prevented from operating, having a financial interest in or having an association with a registered iGaming Supplier.
Applicants will be required to submit an initial deposit of $10,000 or another amount specified to cover the cost of the background checks, pursuant to section 13.2 of the Gaming, Liquor and Cannabis Regulation.
An applicant's key employees include individuals that exercise influence or control over day-to-day operations or decision-making and individuals who have the authority to hire or terminate the employment of employees, and includes, but is not limited to:
a) individuals employed in senior management positions such as Chief Executive Officer, Chief Financial Officer, controller and senior compliance officers;
b) Chief Information Officer; and
c) any other person holding a key position as determined by AGLC.
An applicant's associates include:
a) any person that has a financial interest in the applicant, in the applicant's business and the spouse of the person or a person with whom the person is living in a relationship of interdependence;
b) if the applicant is an individual or partnership in which one or more of the partners is an individual, this also includes:
i) the spouse of the individual or person with whom the individual is living in a relationship of interdependence;
ii) any relative of the individual and of the spouse or person referred to in subclause i) if the relative resides with the individual, spouse or person;
iii) any corporation controlled by the individual;
iv) an officer, or director of, and any person with a financial interest in, a corporation controlled by the individual, and the spouse of the officer, director or person living in a relationship of interdependence; and
v) any corporation that is affiliated with the corporation referred to in subclause iv), the affiliated corporation's officers and directors, and any person having a financial interest in the affiliated corporation, and the spouse of the officer, director or person, or a person with whom the officer, director or person is living in a relationship of interdependence.
c) If the applicant is a corporation or a partnership in which one or more of the partners is a corporation,
i) an officer or director of the corporation;
ii) the spouse of the officer or director of the corporation or a person with whom the officer or director is living in a relationship of interdependence;
iii) any relative of the officer or director referred to in subclause i) and any relative of the spouse or of a person referred to in subclause ii), if the relative resides with the officer, director, spouse or person;
iv) any corporation affiliated with the applicant; an officer or director of an affiliated corporation and the spouse of the officer or director of an affiliated corporation, or a person with whom the officer or director is living in a relationship of interdependence; and
v) any person who has a financial interest in the affiliated corporation and the spouse of the person or a person with whom the person is living in a relationship of interdependence.
A corporation is controlled by a person if he or she has indirect influence over the corporation or its:
a) securities of the corporation to which are attached more than 50 per cent of the votes that may be cast to elect directors of the corporation are controlled, other than by way of security only, directly or indirectly by the person or entity; and the votes attached to those securities are sufficient, if exercised, to elect a majority of the directors of the corporation; or
b) the person has in relation to the corporation any direct or indirect influence which, if exercised, would result in control in fact of the corporation.
A corporation is affiliated with another corporation if:
a) one of the corporations controls the other; or
b) both of the corporations are controlled by the same person or group of persons.
A relative of a person means any other person who is connected to that person:
a) by blood relationship;
b) by adoption;
c) by marriage; or
d) by virtue of an adult relationship of interdependence (as defined in the Adult Interdependent Relationships Act).
AGLC may refuse to allow an applicant to have an iGaming Supplier registration if, in its opinion, the applicant has misled AGLC or provided inaccurate or incomplete information.
The applicant must ensure that it, and all other parties to the application for an iGaming Supplier registration, submit all documents or provide information as requested by AGLC and deemed necessary to complete the background check within the timeframe specified in the document or information request. Failure to submit the documents or information within the timeframe specified may result in sanctions as determined by the Board up to and including termination of the registration.
AGLC may refuse to issue a registration, or may terminate a registration if AGLC is satisfied the applicant, any of the applicant's key employees or associates, or any person or entity connected to or associated with the applicant:
a) is a person who has not acted or may not act in accordance with the law, with honesty and integrity or in the public interest, having regard to the past conduct of the person;
b) would be a detriment to the integrity or lawful conduct of gaming activities or provincial lotteries;
c) is a person whose background, reputation and associations may result in adverse publicity for the gaming industry in Alberta;
d) has, within the five years prior to the submission of the application, contravened:
i) the Gaming, Liquor and Cannabis Act, or the Gaming, Liquor and Cannabis Regulation;
ii) a predecessor of either Act or Regulation; or
iii) a condition imposed on a registration issued or made under the Gaming, Liquor and Cannabis Act or a predecessor of the Act;
e) fails to pass a records check as outlined in section 10(2) of the Gaming, Liquor and Cannabis Regulation; or
f) has, within five years prior to the submission of the application:
i) had a licence or registration issued or made under the Gaming, Liquor and Cannabis Act or predecessor of the Act or a foreign licence or registration of the applicant, any of the applicant's key employees or any of the applicant's associates has been cancelled or suspended by the issuing authority; or
ii) been refused a foreign licence or registration.
Notwithstanding Subsection 2.4.1 through 2.4.11, AGLC may refuse to allow an applicant to have an iGaming Supplier registration.
The iGaming Supplier must notify AGLC immediately if there is a change amongst any of the key employees as outlined in Subsection 2.4.4.
AGLC, at its sole discretion, may consider an applicant's registration in another jurisdiction acceptable to AGLC where the applicant is operating in the same role or function.
Objection - Registration Application
AGLC may not consider an objection based on social or moral concerns, competence or suitability of the applicant.
Enforcement
An inspector includes a person employed or working on behalf of AGLC that has been designated by AGLC as an inspector pursuant to section 98(1) of the Gaming, Liquor and Cannabis Act.
Where an inspector has reasonable and probable grounds for believing that a violation of the Gaming, Liquor and Cannabis Act, the Gaming, Liquor and Cannabis Regulation or Board policy has occurred, the inspector has the authority to ask the registrant to correct the situation.
An inspector will prepare an Incident Report setting out the details of an alleged violation(s) and all Incident Reports must be dated when the investigation is finalized.
An Incident Report setting out the circumstances of an alleged violation will be submitted to the Vice President, Regulatory Services Division. A copy must be given to the registrant within 10 working days of the Incident Report being completed.
The Vice President may refer an Incident to the Board for review and decision where circumstances warrant.
The Board shall decide whether to hold a hearing based on the Incident Report (see AGLC's "Board Hearing Panel Rules and Procedures" at aglc.ca).
The interpretation and enforcement of these policies are the responsibility of AGLC. Failure to comply with these policies may result in sanctions by the Board. Sanctions include, but are not limited to:
a) warnings;
b) the requirement that the registrant cease activities related to the violation;
c) the requirement that all further activities related to the violation be submitted in advance to AGLC for approval;
d) suspension of privileges related to the violation for specified periods; or
e) any other sanctions determined by the Board.
A registration may be suspended or cancelled if the registrant fails to comply with the relevant legislative, regulatory, policy and municipal requirements.
Minors
Minors must not enter or remain on an iGaming site.
Minors must not be facilitated to engage in an iGaming activity.
Registered Operators of an iGaming site must have a program in place to identify and exclude minors from entering or remaining on an iGaming site.
AGLC may direct a registered Operator to make changes or enhancements to their program for identifying and excluding minors from entering or remaining on their iGaming site.
Extending Credit
The registered Operator or their employees are prohibited from extending credit in any form, or lending money to players, or referring players to credit providers, or inferring that a player should seek additional credit to play games.
The prohibition at 3.2.1 does not prohibit a player from using a credit card issued in their name by a financial institution as a form of payment.
Responsible Gaming
Registered Operators must have responsible gambling policies and procedures in place which reflect industry best practices to prevent harm and to minimize the risk of harm from internet gaming. These policies and procedures must be reviewed and evaluated regularly for effectiveness to ensure that they follow industry best practices and that the stated objectives of the policies and procedures are achieved.
In the interest of harm prevention, and to ensure responsible gambling practices are adequately employed, AGLC may direct a registered Operator to make changes or enhancements to their program for responsible gambling.
Registered Operators must ensure management and staff receive mandatory training on responsible gambling policy and procedures. Training must be provided at the start of employment and repeated at a minimum of every 24 months throughout the employment.
Responsible gambling training must (see also Attachment 3.3):
a) provide employees with a variety of help resources that may be provided to players or affected others; and
b) include:
i) contact information for resources dedicated to treating and assisting people experiencing harm from internet gaming;
ii) how to identify and respond appropriately to players who may be showing signs of problem gambling and to assist players who may be experiencing harm from internet gaming; and
iii) training on responsible gambling controls available to players;
c) identify the harms associated with internet gaming as well as essential prevention and mitigation concepts; and
d) communicate the organization's commitment to responsible gambling and how it is integrated throughout the organization's operations.
Responsible gambling information must be readily available, visible and accessible to all players. At a minimum, responsible gambling information must include, but is not limited to:
a) how games work and common misconceptions;
b) lower risk gambling behaviors, including how responsible gambling tools work;
c) gambling harms;
d) support services available to players, including specialized tools (e.g., self-assessment and responsible gambling tools);
e) information about financial and time-based gambling limits;
f) provision of financial activity statements; and
g) information about the self-exclusion (SE) program.
Advertising and marketing materials must contain a responsible gambling message.
Responsible gambling information and materials must be periodically reviewed and updated to ensure minimum requirements are met and that industry best practices are reflected.
Players must be provided with responsible gambling controls that are system enforced, including:
a) the ability to set time limits at registration or any time after registration:
i) time limits means the amount of time spent in areas of the site where games may be played and is restricted by increments of one hour at a minimum.
b) the ability to set loss and deposit limits at registration or at any time after registration:
i) deposit limits means the amount a player deposits into their account is limited over a period of time chosen by the player; and
ii) loss limits means the amount lost (winnings less the amount spent) is restricted.
c) the period or duration of the financial or time-based limits offered must include: 24 hours, 7 days and one month. Where a player sets simultaneous periods (e.g., a deposit limit for a day and for a week), the lowest limit must apply.
d) financial and time limit functions must be easy to find and initiate, as well as easy to change at any time after the player has registered and opened an account.
Registered Operators must make available the option for players to take a short-term break in play, in addition to the option of AGLC's self-exclusion program. Break in play requirements at a minimum must include:
a) Players must have the option to initiate a short-term break in their play.
b) Registered Operators must provide the option for players to take a one day, one week, one month, two month, or three month break.
c) Once a player initiates a break, they must be unable to place further wagers during the time period of the break.
d) During a short-term break, players may still be able to access their account balance, profile and responsible gambling features.
Players must receive periodic reminders to review their ability to set limits using the responsible gambling controls and to also review their account activity. At a minimum, reminders must be provided:
a) quarterly for time and finance-based limits; and
b) monthly for reminders to review financial activity.
Where an internet gaming limit has been previously established by a player, a request to relax or eliminate that limit must:
a) only be made by the player; and
b) only be implemented after a cooling-off period of at least 24 hours.
Registered Operators must have policies and a program in place to assess and monitor player risk profiles in order to:
a) support the identification of players at moderate or high risk (see also Subsection 3.3.13); and
b) provide appropriate assistance to players who may be experiencing harm from online gaming (see also Subsection 3.3.14).
Registered Operators must have in place an effective mechanism for monitoring player behaviour in a way that proactively identifies those who may be at risk of harm, enabling timely support once signs of risk emerge. The mechanism should address the different ways in which gambling-related harm can occur and draw on all available data sources to assess risk on a player-by-player basis. Identifying players who exhibit signs of at-risk behaviour is a key part of an Operator's responsibility to minimize gambling-related harms. See also Additional Requirements For Identifying and Supporting Players At Risk Of Harm (Attachment 3.3).
Based on players' risk profiles, Operators are required to intervene in a manner that is timely, commensurate with the level of risk, and believed to have the desired effect of reducing that player's risk of harm. Further, Operators are expected to build processes to evaluate the impact of the intervention to support ongoing improvement. See also Additional Requirements For Identifying and Supporting Players At Risk Of Harm (Attachment 3.3).
Access Management - Prohibited Individuals
AGLC will maintain a centralized list of prohibited persons who are convicted or legally excluded (as per section 34.1 and 34.3 GLCR) or have otherwise been determined to be inadmissible for entry to an iGaming site (see also Subsection 3.5.1 and 5.8.4).
All registered Operators must:
a) have effective application programming interfaces (API) connection (also see Subsection 5.1.6 for security requirements) to AGLC's centralized information system on persons who are prohibited from entry to an iGaming site. The iGaming site must have effective controls in place to prevent any individual not cleared by AGLC's centralized system from registering an account or from logging into an existing account.
Discrepancy reports (see Section 5.7.4) must be submitted to AGLC within 72 hours on all prohibited persons who attempt to enter or remain on an iGaming site.
As AGLC updates the centralized list of banned and/or self-excluded individuals, all registered player information must be re-verified to ensure that all registered players are still eligible to play, and if they are not eligible, they are prohibited from gaming.
Centralized Self-Exclusion
Pursuant to section 34.2 of the Gaming, Liquor and Cannabis Regulation, registered Operators must not permit a person who is enrolled in AGLC's self-exclusion program to enter or remain in their iGaming site.
Registered Operators must:
a) have effective application programming interfaces (API) connection (also see Subsection 5.1.6 for security requirements) to AGLC's centralized information system on persons who are self-excluded. The iGaming site must have effective controls in place to prevent any individual not cleared by AGLC's centralized system from registering an account or from logging into an existing account.
All registered Operators must:
a) promote AGLC's self-exclusion program and responsible gambling materials;
b) allow players to easily access AGLC's centralized self-exclusion tool through the iGaming site;
c) have controls to prevent self-excluded players from accessing their iGaming account or from engaging in gaming activities;
d) exclude any self-excluded players from all marketing efforts once the Operator has been notified; and
e) provide a mechanism to facilitate the return of the balance of unused funds, when requested, to a player who has self-excluded.
Once a player self-excludes, the wager is brought to an end.
a) Operators must refund a player's wager if the player enrolls in a self-exclusion program prior to the commencement of an event or series of events on which the outcome of the wager is determined.
b) Operators are not required to refund a player's wager if the player enrolls in a self-exclusion program after the commencement of an event or series of events on which the outcome of the wager is determined.
Location Requirements
Registered Operators must ensure games are provided only within Alberta unless they are conducted in conjunction with the government of another province. At a minimum, the gaming system must:
a) ensure only players physically located in Alberta can participate and block play when location cannot be verified;
b) implement controls to detect and block location-evasion methods (including known VPNs/proxies, remote desktop or virtualization, and rooted/jail-broken devices);
c) perform periodic re-verification of player location and log each verification in a timestamped, tamper-evident manner for audit per 4.16.1.
Gaming Integrity and Player Influence
All gaming activities and financial transactions must be conducted fairly and honestly and be independently verifiable, including, but not limited to, the following minimum requirements:
a) Continuous independent monitoring and recording of lottery schemes and cash (and cash equivalent) handling must be in place to support the verification of:
i) adherence to required game rules by players and employees or, in Sport and Event Betting, the processing and redemption, if any, of the bet fairly, honestly and in accordance with the terms of the bet placed by the player, including applicable betting rules;
ii) confirmation of outcomes of lottery schemes;
iii) prize payment to the proper person;
iv) accuracy of financial transactions.
b) Continuous logs must be maintained for critical gaming systems including the tracking of financial accounting and game state history;
c) Logs must be protected against alteration (e.g., WORM/immutability or cryptographic signing with SHA-256), transmitted and stored over TLS 1.2+;
d) Access to logs must be role-based, with segregation of duties between operations and monitoring;
e) Logs must be retained per 4.16.1 and made available to AGLC on request; and
f) Implementation of a monitoring function (e.g., SIEM) to correlate and alert on integrity events, with remediation tracked to closure.
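A minimal sketch of the tamper-evidence that items b) and c) above call for, and that the timestamped location-verification log under Location Requirements also needs; it is added here as an illustration and is not part of AGLC's Standards or any operator's code. It chains records with HMAC-SHA-256 from the Python standard library; the record fields, the key and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "previous MAC" value used by the first record

# Constructed demo key. In practice the key is held by the monitoring function,
# not by operations staff who can write to the log (segregation of duties).
DEMO_KEY = b"constructed-demo-key"


def _mac(key: bytes, seq: int, ts: str, event: dict, prev: str) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a record always
    # serialises to the same bytes before it is authenticated.
    # HMAC-SHA-256 is a keyed MAC, used here in place of an asymmetric
    # signature: anyone holding the key can also produce valid records.
    body = json.dumps({"seq": seq, "ts": ts, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, ts: str, event: dict) -> dict:
    """Append a record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    rec = {"seq": seq, "ts": ts, "event": event, "prev": prev,
           "mac": _mac(key, seq, ts, event, prev)}
    log.append(rec)
    return rec


def verify_chain(log: list, key: bytes, anchored_head: Optional[str] = None):
    """Return (ok, index, reason); index is the first bad position or None.

    anchored_head is the MAC of the newest record as stored somewhere the
    log writer cannot change (for example WORM storage). Without it,
    removal of records from the end of the log cannot be detected.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i:
            return False, i, "sequence gap or reordering"
        if rec.get("prev") != prev:
            return False, i, "broken link to previous record"
        expected = _mac(key, rec["seq"], rec["ts"], rec["event"], rec["prev"])
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return False, i, "record altered"
        prev = rec["mac"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, len(log), "tail truncated or replaced"
    return True, None, "ok"


def build_sample_log(key: bytes = DEMO_KEY) -> list:
    """Constructed sample events; not real operator data."""
    log: list = []
    append_entry(log, key, "2025-01-01T10:00:00Z",
                 {"type": "location_check", "player": "P-1001", "result": "in_province"})
    append_entry(log, key, "2025-01-01T10:00:05Z",
                 {"type": "deposit", "player": "P-1001", "amount_cents": 5000})
    append_entry(log, key, "2025-01-01T10:01:10Z",
                 {"type": "wager", "player": "P-1001", "game": "G-77", "amount_cents": 250})
    append_entry(log, key, "2025-01-01T10:02:00Z",
                 {"type": "game_config_change", "game": "G-77", "actor": "ops-12"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]                      # anchor this value out of band
    print("intact:   ", verify_chain(log, DEMO_KEY, head))

    log[1]["event"]["amount_cents"] = 50       # edit a financial record
    print("altered:  ", verify_chain(log, DEMO_KEY, head))

    log = build_sample_log()
    del log[2]                                 # drop a wager from the middle
    print("deleted:  ", verify_chain(log, DEMO_KEY, head))

    log = build_sample_log()
    log.pop()                                  # hide the newest record
    print("truncated:", verify_chain(log, DEMO_KEY, head))
```

A failed verification is the kind of integrity event that the monitoring function in item f) would alert on and track to closure.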
Accurate and complete records of transaction and game state and play information must be kept as prescribed in Subsection 4.16.1 and made available for the purposes of:
a) ensuring timely investigations can be performed by AGLC;
b) capturing information needed to continue a partially complete game within a reasonably defined time;
c) resolving disputes in a fair and timely manner;
d) ensuring player complaints can be resolved;
e) tracking all relevant player information (including funds information);
f) tracking all relevant individual gaming sessions and game play information;
g) tracking all relevant information related to events (including significant events); and
h) tracking of game enabling, disabling and configuration changes.
There must be a mechanism in place to ensure that if logging is interrupted, compensating manual controls are used, where reasonable.
The gaming system must be capable of providing custom and on-demand reports to AGLC.
Game specifications must be documented to clearly indicate:
a) the objective of the game;
b) the wagers that may be made;
c) how the game is operated and played;
d) odds of winning for each prize available to players;
e) the advantage of the Operator registered in relation to each wager.
Prior to placing a bet or wager, the player must be provided with sufficient game information to make informed decisions about betting or wagering based on chances of winning, the way the game is played, and how prizes and payouts are made. Required gaming information includes, but is not limited to, the following requirements:
a) Comprehensive and accurate information that explains the applicable terms governing play must be easily available to the player prior to placing of a bet or wager through such supports as "game rules", "help" or "how to play" pages placed prominently to allow players to easily locate them. All reasonable steps must be taken to ensure that content is understandable;
b) The explanatory content must:
i) indicate the methods of how players may participate in the game and provide instructions and any terms for each of these methods;
ii) provide clear instructions on how to interact with the game;
iii) provide clear descriptions of what constitutes a winning outcome;
iv) indicate any restrictions on play or betting (e.g., play duration limits, maximum wins);
v) contain comprehensive, accurate and understandable information on the odds of winning, payout odds or returns to players;
vi) indicate prize value units (e.g., currency or credits);
vii) provide any other information on elements that will affect play (e.g., the number of decks or frequency of shuffles in virtual card games, the method of in-game betting) or results (e.g., how progressive jackpots work, number and kind of tokens to be collected to enter a bonus round, the rules and behaviour in a bonus round, how the results of pool betting in Sport and Event Betting work, the procedures for confirming the results); and
viii) contain the same information and be consistent across all languages it is provided in.
c) If certain outcomes, prizes or features are only available under limited circumstances, the explanatory content must clearly indicate what these circumstances are;
d) Where speed of interaction has an effect on the player's chances of winning, players must be informed that the speed of connection or processor may have an effect on the game;
e) Where player skill and/or strategy has an impact on the player's chances of winning, players must be informed that their skill and/or strategy will have an impact on their chances of winning;
f) For all peer-to-peer games, players must be informed of possible communication loss and the impact to the player in such an event;
g) The denomination of each credit must be clearly displayed;
h) The units of displayed prizes and payouts (e.g., denominational units, currency) must be clear;
i) Cash out options and how to redeem winning bets in Sport and Event Betting; and
j) Players must be provided with information that indicates circumstances in which a game can be declared void.
Information provided to players prior to and during game play must not mislead or misrepresent games. At a minimum, game play information must not:
a) describe any outcomes, prizes, or features that are not achievable;
b) encourage play as a means of recovering past gambling or other financial losses;
c) be designed so as to make false promises or present winning as the probable outcome;
d) imply that chances of winning increase:
i) the longer one plays;
ii) the more one spends; or
iii) suggest that skills can influence the outcome (for games where skill is not a factor);
e) use language that suggests the probability of a particular outcome is more likely to occur than its actual probability. Examples include the use of the terms, "due", "overdue", "ready", and "ready to hit";
f) mischaracterize the nature of the game by giving it a commonly accepted name, such as "European Roulette", if the game does not operate as a player would reasonably expect.
All iGaming games, random number generators and components of iGaming systems that accept, process, determine outcome of, display, and log details about player bets, including any subsequent modifications, must be tested in accordance with Section 4.12 prior to being provided for any game or game site.
Gaming systems and gaming supplies must be provided, installed, configured, maintained, repaired, stored and operated in a way that ensures the integrity, safety and security of the gaming supplies and systems.
Registered Operators must ensure registered Goods or Services Suppliers, and the Goods or Services being supplied, comply with these Standards and Requirements.
To ensure the integrity, safety and security of the gaming supplies and systems, Operators must ensure the following requirements are met:
Only games certified by an Accredited Testing Facility registered in Alberta must be used on the gaming site;
AGLC must be immediately notified where there is any problem with the integrity or security of the gaming system or gaming supplies;
Monitoring and testing must be performed throughout the life of the gaming system and supplies to ensure they are operating as approved;
In the event of any suspected integrity or security problem with a gaming system or gaming supply, logs of the current state of the gaming system and gaming supply, and any supportive evidence must be preserved (see Subsection 4.16.1);
Monitor the playback of live games to detect any behavior that may indicate faulty performance;
Operators must take immediate action, conduct timely investigations, and make any necessary corrections when there is a problem with the integrity or security of gaming systems.
Where there are suspected game or system faults that may impact game integrity or fairness including the integrity or fairness of Sport and Event Betting (e.g., influencing a player's chances of winning or the return to player), Operators must make the game unavailable to players until the issue has been resolved. In the case of Sport and Event Betting, making a game unavailable may include the suspension of betting, the withholding of funds, and the refund of any bet until a gaming system fault has been resolved. Operator decisions must be fair, reasonable and made in good faith.
Production, testing and development systems must be logically separated.
Game outcomes and Sport and Event Betting transactions must be recoverable, where technically possible, so that player bets can be settled appropriately.
In any case where there is a game or system fault, including where game outcomes or Sport and Event Betting transactions are not recoverable, the Operator must have clearly defined policies and processes in respect of treating the player fairly when resolving the player's transactions. These policies and processes must be made available to the player.
Mechanisms must be in place to allow a game to be recreated up to and including the last communicated state to the player, including:
a) selected electronic game elements and game outcomes must be logged before they are displayed to the player;
b) information must be captured that is needed to continue a partially complete game as soon as practicable.
A player's bet and the outcome of the game must be clearly displayed, easy to understand, and available for a sufficient length of time for the player to review.
Games must pay out accurately and completely within a reasonable time of winning, subject to checks and verification.
Operators must have policies, procedures and mechanisms in place to appropriately deter, prevent and detect collusion and cheating.
All relevant activities performed by a registered Operator relating to the detection and response of collusion and cheating must be logged.
Players must be provided with clear information on the process to report activities related to collusion and cheating, including the suspected use of bots. The process must be simple to use and accessible to a player seeking to make a report. Operators must meet the following requirements:
a) Complaints by players about unfair treatment, cheating and collusion must be investigated;
b) Information about the Operator's policies and procedures to deter, prevent and detect unfair behavior, cheating and collusion, including the suspension or disabling of accounts and any recovery of funds, must be made available to the public on request;
c) Where an investigation, whether initiated by an Operator or as a result of a player complaint, results in the suspension or disabling of a player account, records of the investigation identifying the activities, the reason for the investigation (including whether it was initiated as the result of a player complaint) and any relevant evidence should be retained in accordance with Subsection 4.16.1.
d) AGLC must be informed, in accordance with the Notification Matrix, of any incident that an Operator reasonably believes constitutes an incident of cheating while playing a lottery scheme.
Player Accounts
The registration page and pages within the player account must prominently display a responsible gambling statement, the online link, as well as the number for GameSense, and provide a link to a page that provides responsible gambling materials, information, resources and support for people experiencing problems with gambling.
Only eligible individuals are permitted to create a player account, and only individuals who hold a valid player account are permitted to log on to their account and play games.
The following individuals are not eligible to play games on a gaming site:
a) an individual under 18 years of age;
b) any individual that is participating in a self-exclusion process that applies to the site;
c) an individual who is known by the Operator to have been restricted from accessing the gaming site or playing a lottery scheme as a condition of a court order;
d) prohibited persons who are legally excluded, self-excluded or who have otherwise been determined to be inadmissible for entry to an iGaming site (see Subsection 3.4.1 and Subsection 3.5.1).
e) officers, members of the board of directors or partners of the Operator that is providing or operating the gaming site; and
f) employees of registered iGaming Suppliers.
Individuals described as not eligible to play games in Subsection 4.4.2 are not eligible for prizes.
Relevant player information must be collected and saved upon registration and must be demonstrated to be complete, accurate and validated before a player account is created for the player. At a minimum, the following required information must be gathered upon registration:
a) full name as it appears exactly on FINTRAC compliant government issued identification;
Note: Provincial healthcare cards are not an acceptable form of identification.
b) date of birth matched to FINTRAC compliant government issued identification;
c) FINTRAC compliant physical address;
Note: only physical address or legal land description is acceptable.
d) method of identification for subsequent log on, such as unique username;
e) player contact information, including valid email address and phone number;
f) all information and results of reasonable measures taken that are required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated regulations.
Before a player account is created, players must affirm that all player information provided upon registration is complete and accurate.
Player information must be kept complete and accurate.
Prior to participating in game play, players must affirm that they are fit for play.
All player accounts must be uniquely identifiable.
Players may have only one player account per gaming site.
There must be an auditable trail of events that is logged and available relating to account creation and activation, account deactivation and account changes. Information required includes, but is not limited to:
a) information relating to player identification and verification;
b) information regarding or related to contracts with the player.
Players must acknowledge and accept the terms of the contract governing the player's account and game play prior to account creation and must acknowledge and accept any subsequent material changes to the terms of the contract when logging in. At all times, the terms of the contract and the operation of the contract must comply with the Standards and Requirements and applicable Alberta laws.
All players must be authenticated prior to accessing their player account and being permitted to gamble. Third parties are not permitted to access a player's account.
a) Players must be given the option to use multi-factor authentication when logging in.
All player account transactions must be recorded and logged in an accurate and complete manner.
Player account information must be made readily available to the player.
Information about player account transactions must be made readily available and clear to the player. The gaming system must give the player access to the following information:
a) deposit and withdrawal history, and current balance;
b) method and source of funds used for transactions;
c) date and time of previous login;
d) gaming event and transaction history (game session and game transaction) including, in Sports and Event Betting, the date and time of past and current bets, and the date and time at which past bets were settled, and information about current bets;
e) total monies wagered for session and/or period of time;
f) total monies won or lost for session and/or period of time; and
g) account balance at start and end of session.
All player account transactions must be uniquely identifiable and traceable to a unique individual player account.
Reasonable efforts must be made to inform players of player funds remaining in dormant accounts.
Players may elect to deactivate their player account at any time and, once the selection is made, the account is deactivated.
Where necessary, a player account may be deactivated by the Operator.
A player account must be deactivated if requested by AGLC or AiGC.
If player information is removed, it must be retained in accordance with Subsection 4.16.1 or other records retention requirements that may apply.
Where an account becomes dormant or is deactivated by a player or another authorized individual, the player must be able to recover the balance of their account owing to them.
Players may be permitted to deposit funds into or withdraw funds from their player accounts only after:
a) deposits made have been verified by an authorized financial services provider.
b) withdrawals have been verified and authorized to ensure the following, before a withdrawal is permitted:
i) the withdrawal is being made by a holder of the account; and
ii) the withdrawal is being transferred to an account of which the player is a legal holder.
Note: Cryptocurrency is not legal tender and must not be accepted.
Registered Operators must ensure that players receive their funds related to a withdrawal in a reasonable and timely manner. Players are permitted to withdraw funds from their player account in an accurate and complete fashion and as soon as is practicable, subject to appropriate authorization and verification.
No player's account is permitted to have a negative funds balance. No bet will be accepted that could result in a negative funds balance.
Players must be provided with a clear and accurate representation of their funds account balance that is easily accessible and readily available at all times.
a) The player balance must be displayed in Canadian dollars.
Players must be provided with unambiguous information about all player account fees prior to making a withdrawal or deposit.
Players must be informed clearly and specifically of all rules and restrictions regarding deposits and withdrawals and access to funds in connection with deposits and withdrawals.
Funds must not be transferred between player accounts.
Adjustments to player accounts must be made accurately and only by authorized individuals.
Adjustments to player accounts must be recorded and logged in an accurate and complete manner.
Players must be provided with accurate, clear and specific reasons for any adjustments made to their accounts.
Players must receive notification when changes are made to their player account in accordance with the following minimum requirements:
a) For changes to contact details, credentials, authentication factors, payout/banking information, or security settings, the notification must be sent to the last known verified contact point(s) on file (for example, the previous email address and/or phone number). Do not rely solely on the newly provided contact point;
b) Where feasible, send notifications via more than one channel (for example, email and SMS/push);
c) Notification content must avoid clickable links and instruct the player to sign in directly to the site or app to review changes;
d) Include the date/time of the change and, where permitted, masked device/IP information; and
e) All notifications and follow up actions must be logged and retained in accordance with 4.16.1.
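The notification rules in items a) to e), sketched as an added example that is not part of the AGLC Standards: messages go to every contact point verified before the change, the body is checked for links, client-supplied text is treated as untrusted, and an audit record is produced. The field list, the /24 and /48 masking widths, the message wording and the sample addresses are assumptions.

```python
import ipaddress
import re

LINK_PATTERN = re.compile(r"https?://|www\.|<a\b", re.I)
SAFE_LABEL = re.compile(r"[A-Za-z0-9 ()_-]{1,40}")
# Assumed names for the change types listed in item a).
SENSITIVE_FIELDS = {"email", "phone", "password", "mfa_factor",
                    "payout_account", "security_settings"}


def contains_link(text):
    """True if the text holds something a mail or SMS client would make clickable."""
    return bool(LINK_PATTERN.search(text))


def mask_ip(ip):
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{net.network_address}/{prefix}"


def build_notifications(verified_before, field, changed_at, source_ip, device_label):
    """Return (messages, audit_record) for one account change.

    verified_before maps channel -> address as verified BEFORE the change,
    so replacing the email on file still alerts the original owner.
    """
    if field not in SENSITIVE_FIELDS:
        raise ValueError(f"unexpected field: {field}")
    if not verified_before:
        raise ValueError("no previously verified contact point on file")
    # The device label is supplied by the client, so it is untrusted input.
    device = device_label if SAFE_LABEL.fullmatch(device_label) else "unrecognized device"
    body = (
        f"Your {field.replace('_', ' ')} was changed on {changed_at} "
        f"from {device} (network {mask_ip(source_ip)}). "
        "If this was not you, sign in directly to the site or app to review the change."
    )
    if contains_link(body):  # guard against template regressions
        raise ValueError("notification body must not contain links")
    messages = [{"channel": ch, "to": to, "body": body}
                for ch, to in sorted(verified_before.items())]
    # Record to be written to the retained log (item e).
    audit = {"event": "account_change_notified", "field": field,
             "changed_at": changed_at,
             "channels": [m["channel"] for m in messages]}
    return messages, audit


def demo():
    # Constructed case: the email on file is replaced; all addresses are made up.
    verified_before = {"email": "old.owner@example.com", "sms": "+1-555-0100"}
    return build_notifications(verified_before, "email", "2025-01-01T12:00:00Z",
                               "203.0.113.57", "http://login.example.invalid")


if __name__ == "__main__":
    msgs, audit_record = demo()
    for m in msgs:
        print(m["channel"], m["to"], m["body"], sep=" | ")
    print(audit_record)
```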
Player funds must be clearly and appropriately managed.
All player funds deposited in respect of iGaming lottery schemes conducted and managed by the AGLC must be held in an AGLC designated account. AiGC must take steps to ensure that all player funds deposited in respect of iGaming lottery schemes conducted and managed by AiGC are subject to oversight by AiGC and available to players.
Live Dealer
Access to live dealer gaming supplies must be restricted to authorized individuals with a business need, subject to the following requirements:
a) Access privileges are granted, modified, and revoked based on employment status and job requirements and all activities associated with these actions logged.
b) Access privileges are independently reviewed and confirmed on a periodic basis.
Registered Operators are responsible for protecting the integrity of live dealer games by ensuring:
a) adequate table game supervision is provided at all times; and
b) employees conducting or supervising live table games are appropriately trained and have the skills required to perform their assigned duties.
Registered Operators must have controls in place to ensure live dealer game presenters do not compromise the integrity of a game.
Table games run by live dealers must comply with the requirements for rules of play as prescribed in AGLC's Casino Terms & Conditions and Operating Guidelines Section 6.1.
Sports and Event Betting
Registered Operators must not knowingly permit an individual to engage in any of the following prohibited activities and must take steps to actively monitor and prevent such prohibited activity from occurring:
a) An individual with access to non-public information related to an event or an individual who may impact the outcome of an event or bet type is prohibited from betting on any event overseen by the relevant sport/event governing body.
b) Athletes, athletic trainers, coaches, managers, owners, referees and anyone with sufficient authority to influence the outcome of an event are prohibited from betting on events overseen by the relevant sport or event governing body.
c) Owners (any person who is direct or indirect legal or beneficial owner of 10 per cent or greater) of a sport governing body or any event in which a member team of that sport event governing body participates are prohibited from betting.
d) Those involved in a sport or event may not be involved in compiling betting odds for the competition in which they are involved.
At a minimum:
a) registered Operators must make reasonable efforts to inform any entity with which they have an information sharing relationship, including Independent Integrity Monitors, Sport and Event Betting Operators, the appropriate governing authority for the sport or event and any other organizations or individuals identified by AGLC if an individual is found to have engaged in prohibited activity under Subsection 4.6.1.
b) Individuals found to have engaged in prohibited activity in Subsection 4.6.1 must not be eligible for prizes.
Operators that provide Sports and Event Betting must have risk management measures in place to mitigate the betting integrity risk associated with Sport and Event Betting, including insider betting and event manipulation. Requirements include, but are not limited to:
a) Registered Operators must establish controls to identify unusual or suspicious betting activity and report such activity to an Independent Integrity Monitor.
b) Independent Integrity Monitors must not have any perceived or real conflicts of interest in performing the Independent Integrity Monitor role, including acting as a registered Operator or registered Goods or Services Supplier (e.g., an oddsmaker);
c) Independent Integrity Monitors must promptly disseminate reports of unusual betting activity to all member Sport and Event Betting Operators;
d) All Sport and Event Betting Operators must review such reports and notify their Independent Integrity Monitor of whether they have experienced similar activity;
e) If an Independent Integrity Monitor finds that previously reported unusual betting activity rises to the level of suspicious activity, they must immediately notify any entity with which they have an information sharing relationship, including Independent Integrity Monitors, sport betting Suppliers, the appropriate governing authority for the sport or event, and any other organization or individuals identified by AGLC;
f) All Independent Integrity Monitors receiving such a report must share such report with their member sport betting Suppliers;
g) Independent Integrity Monitors must facilitate collaboration and information sharing to enable the investigation of and response to prohibited activity associated with the suspicious betting activity as directed by AGLC;
h) Independent Integrity Monitors must provide, in accordance with the Notification Matrix, AGLC with:
i) All reports of unusual betting activity;
ii) If the activity was determined to be suspicious; and
iii) The actions taken by the Independent Integrity Monitor.
Note: AGLC will publish a list of registered Independent Integrity Monitors.
An Operator receiving a report of suspicious activity as described in Section 4.6 may suspend or cancel Sport and Event Betting on events related to the report or withhold associated customer funds provided the Operator has reserved itself the authority to suspend betting, void bets, and withhold associated customer funds. The decision to suspend or cancel Sport and Event Betting, or withhold associated customer funds, on events related to the report must be fair, reasonable and made in good faith.
Sport and Event Betting Operators must ensure that all bets offered meet the following criteria:
a) the outcome of the event being bet on can be documented and verified;
b) the outcome of the event being bet on can be generated by a reliable and independent process;
c) the outcome of the event being bet on is not affected by any bet placed;
d) the majority of participants in the event or league are 18 years of age or older; event must be broadly defined as assessing total participants in the event/league, rather than in a particular heat, game, match or final contest in the overall sporting event;
e) for sporting events being bet on, the event must be effectively supervised by a sport governing body which must, at a minimum, prescribe final rules and enforce codes of conduct that include prohibitions on betting by insiders (not applicable to novelty bets);
f) there are integrity safeguards in place which are sufficient to mitigate the risk of match-fixing, cheat-at-play, and other illicit activity that might influence the outcome of bet upon events;
g) the bet is not on a past event for which the outcome is publicly known;
h) the bet is not reasonably objectionable;
i) the event being bet on does not involve animal fighting or cruelty;
j) bets on assets and financial markets (e.g., stocks, bonds, currencies, real property) are prohibited;
k) bets which expose players to losses greater than the amount wagered are prohibited;
l) bets which mimic the structure of financial instruments, products or markets are prohibited;
m) bets on synthetic lottery products and bets on lottery outcomes are prohibited;
n) the event being bet on is conducted in conformity with all applicable laws;
o) bets on minor league sports in Canada, including the Canadian Hockey League (CHL), are prohibited.
Notes:
- For the purpose of 4.6.5 h), reasonably objectionable bets include bets on events which are unethical, allow entertainment to be derived from human suffering or death or involve non-consensual violence or injury.
- 4.6.5 l) applies to contracts for difference including spread betting.
Game outcomes and Sport and Event Betting transactions must be recoverable, where technically possible, so that player bets can be settled appropriately.
Odds in Sports and Event Betting sometimes change prior to or during an event. Changes in odds must be updated and publicly available to all players. This is not intended to entitle a player who has previously placed a bet to receive new odds on that bet.
Determination of Game Outcomes
Games must operate according to their game specifications and the outcomes must be determined in accordance with the terms governing play and prevailing payouts as they are described to the player. Sport and event betting must be conducted fairly, honestly and in accordance with the terms of the bet placed by the player.
At a minimum:
1. All possible game outcomes (winning and losing outcomes) shall be available in each play, unless clearly explained to the player.
2. The probability of game outcomes in virtual games shall be the same as in the associated live game (e.g., card games), unless the differences are set out in the terms governing play and communicated to players.
3. The probability of achieving a specific game outcome shall be constant and independent of game history, player or any other factor, unless clearly explained in the terms governing play. Where the game outcome is intended to be random (e.g., dice games or slot games), the outcome must not be dependent or based upon any history or other factors.
4. Sport and event bets shall be accepted, processed, and settled in accordance with the terms of the bet placed by the player, including any applicable betting rules.
Bets must be committed before the determination of game outcomes. Any wager received after the determination of game outcomes associated with the wager must be voided and returned to the player.
In Sports and Event Betting, bets must be settled fairly and in accordance with the terms of the bet placed by the player and any applicable betting rules that were available to the player when the bet was placed. Where raised, the reasons for the settlement must be clearly and promptly provided to the player.
The results of bets on sporting or other events must be provided to players making bets on the events. Any change of results must be made available. Account balances will be updated as the results of wagers are confirmed.
Operators that provide Sports and Event Betting must have controls in place to ensure the accuracy and timeliness of sport and event results data.
A mechanism must be in place to randomly select game elements used to determine game outcomes. This Standard does not apply to Sports and Event Betting products. At a minimum:
a) Initial values and conditions must be selected and used to seed the random selection process in a way that ensures the randomness of the resulting game outcomes and avoids any correlation of selected game elements with elements selected by any other instances of the mechanism.
b) The selected game elements and their associated game outcomes must not be influenced, affected or controlled by the amount wagered, or by the style or method of play unless the conditions are changed and are disclosed clearly to the player.
c) The mechanism used to select game elements and their associated game outcomes must be impervious to outside influences (such as electro-magnetic interference, devices within or external to the gaming system; the characteristics of the communication channel between the system and the end player device, the player or the Operator and its components must not be subject to deterioration that impacts, before any scheduled replacement lifecycle, the randomness of selection.
d) The selected game elements and their associated game outcomes must not be altered, discarded or otherwise manipulated through a secondary decision by the game program and must not be impacted by load on the gaming system.
e) Any failure by the mechanism to randomly select game elements, including an interruption in the selection process, must be identified and responded to quickly and appropriately to minimize the effect on players.
Mechanisms used to select game elements and their associated game outcome must be capable of being monitored and inspected to ensure the integrity of the mechanisms and its component devices and the randomness of the generated outcomes. This requirement does not apply to Sports and Event Betting products.
Game Management
Terms governing play must not be changed during a game session unless the player is made aware of the change before the player places any wagers in the game. At a minimum, the following requirements must be met:
a) Where applicable, game interface changes made by the player must be appropriately limited by the gaming system to ensure that information and representation of the game remains fair and accurate and in accordance with the terms governing play.
b) Information on the current state of multi-state games must be clearly displayed.
c) Displays of jackpot amounts that change over time should be updated as frequently as practicable and particularly after the amount has been reset after a win.
Game sessions must be appropriately secured and checked for authenticity.
There must be a player activity time-out that automatically logs the player out or ends the player's session after a specified period of inactivity.
All critical functions, including the generation of the outcome of any game, must be generated by the gaming system, independent of the end player device.
Where speed of interaction has an effect on the player's chances of winning, the Operator must take reasonable steps to ensure the player is not unfairly disadvantaged due to gaming system related performance issues.
Service interruptions must be responded to and dealt with in a way that does not disadvantage players. At a minimum, the gaming system must:
a) inform players that the speed of connection or processor may have, or appear to have, an effect on the game;
b) recover from failures that cause interruptions to the game in a timely fashion;
c) where appropriate, void bets;
d) retain sufficient information to be able to restore events to their pre-failure state, if possible;
e) pay players the amount won up to that point, or return bets to players where a game cannot be continued after a service interruption, whichever is the better outcome for the player.
Peer to Peer Games
In peer-to-peer games, registered Operators must implement measures intended to deter, prevent and detect the use by players of software programs to automatically participate in game play (referred to as bot) or to provide the player with an unfair advantage over other players. At a minimum:
a) Operators must clearly provide notice to players of peer-to-peer games that the use of such software is not permitted and, if a player is found to have used such software, it will be considered cheating and the player may be sanctioned by the registered gaming Supplier accordingly.
Games must be conducted in a manner that ensures players are treated fairly and not unfairly disadvantaged by other players. At a minimum:
a) measures intended to deter, prevent, and detect unfair behavior, collusion and cheating, including the suspected use of bots, must be implemented;
b) information regarding specific game elements (such as a player's hand or cards) must not be accessible to give advantage to any player during games, unless by the player themselves;
c) a mechanism must be in place to ensure that a player cannot play against themselves or occupy more than one seat at an individual table;
d) gaming systems must retain a record of relevant activities to facilitate investigation and be capable of suspending or disabling player accounts and player sessions;
e) Operators must monitor the effectiveness of their policies and procedures;
f) as a minimum deterrent, players must be informed that accounts may be closed if the player has cheated, colluded or acted unfairly towards another player.
Game Design
Game designs and features must be clear and must not mislead the player. This Standard does not apply to Sport and Event Betting products. At a minimum:
a) Game design must not give the player the perception that speed of play or skill affects the outcome of the game when it does not.
b) After the selection of game outcome, the game must not make a variable secondary decision which affects the result shown to the player. If the outcome is chosen that the game will lose, then the game must not substitute a particular type of loss to show to the player (i.e. near miss).
c) Where the game requires a pre-determined pattern (for example, hidden prizes on a map), the locations of the winning spots must not change during play, except as provided for in the terms governing play.
d) Games must not display amounts or symbols that are unachievable.
e) Free-to-play games available through the gaming site or related websites must not misrepresent or mislead players as to the likelihood of winning or prize distribution of similar games and must have the same odds of winning as games played for money.
f) The denomination of each credit must be clearly displayed on game screens.
The method of making bets in Sport and Event Betting must be straightforward and understandable. Information must be made available so that the player is clearly informed of the details on the bet prior to making the bet. All selections in a bet must be displayed to the player. At a minimum:
a) Bets on multiple events (parlays) must be identified as parlays.
b) The player must be informed that a bet selected by the player has or has not been accepted.
c) Where the player has placed a bet and the odds, payout odds, or prices of the bet change prior to the bet being confirmed by the Operator, the player must have the option of confirming or withdrawing the bet (with refund of the bet). This requirement may not apply to an option for automatic acceptance of changes in bets described in d) below.
d) Where Operators offer an option of automatic acceptance of changes in bets offered, the player must manually opt in to activate this functionality and must be able to opt out at any time. The details of this auto-accept function and any options for the function must be clearly explained to the player prior to their consent to the application of the function.
e) The player must be informed of the period in which bets can be made on an event or series of events and bets cannot be placed after the close of the betting period.
f) Free-to-play Sport and Event Betting games must not mislead players about the odds, payouts or any element of a bet for value available in Sport and Event Betting.
g) All bets and payouts must be expressed in Canadian currency.
Note: This Standard is not intended to prohibit or preclude in-play betting.
Players must be able to access information regarding available sport and event bets without having to place a bet. This information includes at a minimum:
a) Information on the bets available;
b) Odds, payouts and prices for available bets;
c) In a dynamic betting environment, including those where individuals' wagers are gathered into pools:
i) The most up-to-date odds and payouts;
ii) The up-to-date total value of the pool for market pools and pool bets that are offered.
Reputable and legitimate data source(s) must be used to determine the outcome of a bet. These data source(s) must be made available to the player upon request.
Game designs and features must help to prevent extended, continuous and impulsive play and facilitate low risk play behaviors. At a minimum:
a) Games must not encourage players to chase their losses, or increase the amount they have decided to gamble, or continue to gamble after they have indicated that they want to stop.
b) Games must not provide auto-play features for slots.
c) Game play must be initiated only after the player has placed a wager and activated play. No player shall be forced into game play by selecting the game for review or reviewing information about how the game is played or how bets are made.
d) A player must commit to each game individually, releasing and then depressing the 'start button' or taking equivalent action. Continued contact with a button, key or screen must not initiate a new game.
The gaming system must not offer functionality which facilitates playing multiple slots games at the same time. This includes, but is not limited to, split screen or multi-screen functionality.
Combining multiple slots titles in a way which facilitates simultaneous play is not permitted.
It must be a minimum of 2.5 seconds from the time a game is started until the next game cycle can be commenced. It must always be necessary to release and then depress the 'start button' or take equivalent action to commence a game cycle. A player should commit to each game cycle individually; continued contact with a button, key or screen should not initiate a new game cycle.
Note: A game cycle starts when a player depresses the 'start button' or takes equivalent action to initiate the game and ends when all money or money's worth staked or won during the game has been either lost or delivered to, or made available for collection by the player and the start button or equivalent becomes available to initiate the next game.
For slots games, the gaming system must not permit a customer to reduce the time until the result is presented. At a minimum:
a) Features such as turbo, quick spin and slam stop are not permitted. This is not intended to be an exhaustive list but to illustrate the types of features the requirement is referring to.
Note: This Standard does not apply to bonus/feature games where an additional stake is not wagered.
For slots games, the gaming system must not use auditory or visual effects that are associated with a win for returns which are less than or equal to last total amount wagered.
For slots games, gaming sessions must clearly display a customer's net position (the total of all winnings minus the sum of all losses since the start of the session), in Canadian dollars.
Players must have the means to track the passage of time.
Internal Controls
Registered Operators and registered Goods or Services Suppliers must develop, document and implement formal control activities (see also Section 4.14) to address the regulatory risks identified by AGLC and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be the appropriate level of management, including, but not limited to, the following requirements:
A process must be in place to periodically review internal controls and processes for effectiveness in meeting the Standards and Requirements and to document, remedy and adjust the controls or processes where deficiencies or gaps are found.
Substantial changes to the Operator's control environment must be communicated to AGLC in a timely manner.
Internal controls must be documented and available to AGLC for regulatory purposes.
Registered Operators and registered Goods or Services Suppliers that run critical gaming systems must develop an internal Control Matrix to:
a) summarize all controls related to the gaming site; and
b) identify where third-party Suppliers are involved, including platform providers.
Registered Operators and registered Goods or Services Suppliers must have their control activities assessed by an independent oversight function for alignment with the Standards and Requirements.
Notes:
Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the registered Operator and the registered Goods or Services Supplier (as applicable) and as acceptable to AGLC.
AGLC recognizes that oversight practices may vary depending on size, ownership structure, scope and complexity of Operator, corporate strategy and risk profile.
Whatever the case, the independent oversight function should be responsible for auditing the organization's compliance management framework, identifying, managing and reporting on risks the organization may be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the board.
Management overrides of the control activities must be clearly documented and made available to AGLC upon request. This requirement includes, but is not limited to:
a) approval from at least two senior-level management to override any control activity, and in each instance the override must be reported to the board or other governance structure where a board does not exist.
Note: This requirement is intended to allow senior-level management to override controls on a one-off basis in necessary circumstances. It is not intended to address permanent changes to internal controls.
Registered Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and best practices.
Compliance with the Standards and Requirements must be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function. Minimum requirements include, but are not limited to:
a) Documentation must be reviewed and analyzed to ensure compliance with the Standards and Requirements and approved by management.
b) Internal and external auditors must be granted access to all relevant systems, documentation (including internal controls) and resources for the purpose of conducting an audit.
c) When directed, registered Operators and registered Goods or Services Suppliers must retain an independent auditor to carry out audits and provide audit reports.
Note: The intent of this requirement is to allow AGLC to direct third party audits, where considered necessary for regulatory assurance purposes. Although the auditor would be retained by the registered Operator or registered Goods or Services Supplier in these circumstances, it would report directly to AGLC.
d) In reviewing internal control activities for compliance with the Standards and Requirements, internal and external auditors must take into account AGLC's expectations, as articulated herein.
Primary accountability for compliance resides with the board, or other governance structure, where a board does not exist, and there must be evidence that the board, or other governance structure, has carried out its responsibility in this respect, which includes, but is not limited to:
a) A compliance oversight function must be established that is independent of the activities it oversees.
Note: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or, if such a person does not exist, a member of senior management.
b) An internal audit function must be established that regularly audits the organization's control environment and compliance management framework and exercises oversight that is independent from operational management. The internal audit function must have the authority to independently review any aspect of the operations.
Note: Where this is not feasible given the organization's size or structure, audits should be carried out by another independent oversight function.
c) The compliance oversight function and internal audit or other independent oversight function must have direct and unrestricted access to the board, or governance structure, and must report on all important issues regarding compliance on a regular basis or as necessary.
d) The board, or other governance structure, must establish a committee or committees to oversee the organization's compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
e) Members of the board, or other governance structure, and any committees established to oversee the organization's compliance and audit oversight functions must understand the business's operations, initiatives and major transactions, and must have the skills, training, experience and independence to carry out their fiduciary responsibilities.
There must be an independent "whistleblowing" process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law. Registered Operators must ensure issues raised through the "whistleblowing" process are addressed and communicated to the board in a timely manner.
Registered Operators must offer reasonable customer support.
A mechanism must be in place to allow players to contact the Operator in a timely fashion with issues and complaints relating to their player account, funds management, game play or any matter related to compliance with the Standards and Requirements. AGLC must be notified of any such issues or complaints, in accordance with the established Notification Matrix.
Registered Operators are the first point of contact in resolving customer disputes for routine transactions. Player complaints, disputes and inquiries must be recorded and addressed in a timely, fair, transparent and appropriate manner, including, but not limited to the following:
a) Registered Operators must provide 24-hour customer care for players to report a dispute.
b) Registered Operators must have clear service standards and must make these available to players on their gaming site.
c) Disputes must be resolved under Alberta and Canadian law.
d) Routine disputes must be resolved within a reasonable timeframe.
e) Disputes involving game malfunction or a violation of these Standards and Requirements or Operator integrity must be escalated to AGLC immediately.
f) Players must be provided AGLC's number for Gaming Irregularities: 1-800-742-7818.
g) Registered Operators must escalate unresolved customer disputes to AGLC.
Relevant information about AGLC and AiGC must be displayed and easily accessible to the player.
Registered Operators and registered Goods or Services Suppliers are responsible for the actions of third parties with whom they contract for the provision of any aspect of their business related to gaming in Alberta and must require the third party to conduct themselves in so far as they carry out activities on behalf of the Operator as if they were bound by the same laws, regulations and standards.
Registered Operators and registered Goods or Services Suppliers must maintain a list of Suppliers that provide them with goods or services in relation to lottery schemes and must make it available to AGLC upon request.
Registered Operators must ensure that no independent third parties that engage in direct-to-consumer marketing, direct-to-consumer promotion, or player referral services for the Operator under contract, in exchange for commissions, or for any other form of compensation also undertake such activities related to online gambling sites that facilitate or accept wagers from players in Alberta without AGLC registration.
Certification by Accredited Testing Facilities (ATF)
An Accredited Testing Facility (ATF), approved and registered by AGLC, must be used for compliance testing and certification of components, including gaming platforms and all software.
Components, gaming platforms and software must meet minimum testing requirements. The scope of the certification is not "all" Standards, but rather those Standards that are relevant to games, random number generators, remote gaming servers and Sport and Event Betting systems being tested.
The ATF is responsible for the evaluation of the submitted components against the applicable AGLC requirements and standards within a controlled test environment.
The submitting party is responsible for all costs associated with the testing and certification of required components.
ATF certifications must:
a) only be issued by ATFs that are registered by AGLC;
b) ensure technology is certified for all games, random number generators and components of iGaming systems that accept, process, determine outcome, display and log details about player bets.
i) This requirement includes, but is not limited to, slot games, table games, Sport and Event Betting, poker and other card games;
c) ensure the technology for live dealer games is certified as it pertains to physical random number generators with electronic elements and similar physical equipment with electronic elements used to determine game outcome.
i) This requirement includes, but is not limited to, physical wheels (roulette), physical dice tables and card shufflers that have electronic components;
d) be certified before they are deployed in the Alberta market; and
e) not contain a limitation on AGLC's use of the certification, or purport to disclaim AGLC's use of the certification.
Re-certification is required when any modification or subsequent discovery of an undetected issue impacts critical gaming system integrity, fairness or security, or compliance with the GLCA, the GLCR, and/or the Standards and Requirements. The effect of the modification or discovery is to render the previous certification invalid.
Registered Suppliers must:
a) ensure all required certifications are obtained from AGLC registered ATFs;
b) classify the set of modifications (from the previous certified software to the current upgraded software) into one of three categories:
i) Non-Regulatory Modifications: Modifications unrelated to compliance with the Standards and Requirements (e.g., minor bugs that may impact user experience, cosmetic changes, new language added that is not used in Alberta, etc.).
Approach: These do not require re-certification. The Supplier may leverage the previous certification and confirm that all modifications between the two versions are non-regulatory in nature such that the previous certification holds and applies to the modified technology.
ii) Regulatory Modifications: Modifications related to compliance with the Standards and Requirements (e.g., modification to game design which could also impact a Standard) OR modifications that address regulatory concerns but do not require immediate action to correct (e.g., previous version is not live or problem is fully mitigated through some other control or action).
Approach: These must be certified before deployment.
iii) Regulatory Fix (Emergency Fix): Modifications that address regulatory concerns and require immediate action to correct a live issue (e.g., major impact to the Standards and Requirements that question the integrity of the game).
Approach: To expedite regulatory fixes, they can be deployed prior to certification. The "fixed" technology can be deployed immediately but must be submitted to an ATF for Alberta certification within five business days of release.
The submitting party must maintain records of testing and ATF certification and must provide this documentation to AGLC upon request.
An ATF may not issue a certification that is contingent on any future changes or modifications to the technology being carried out.
An ATF may issue a certification that specifies one or more features that would need to be turned off or disabled in order for the technology to be compliant with the relevant Standards and Requirements.
The ATF certification instrument must include the following information:
a) AGLC-registered name of the registered ATF that completed the certification;
b) AGLC-registered name of the registered Operator or registered Goods or Services Supplier that requested the certification;
c) Date the certification was issued;
d) Some form of unique identifier that will allow AGLC to track and follow-up on individual certifications with an Operator, gaming-related Supplier, or ATF;
e) The name of the product, version number and manufacturer;
f) A list of the Standards and Requirements against which the technology was certified;
g) Whether any part of the certification was based on previous testing completed for regulatory requirements in another jurisdiction; and
h) For re-certification of a previously certified product, a high-level description of the key changes made to the product that necessitated the re-certification.
The following additional information must be made available by the registered ATF to AGLC upon request:
a) The results of any previous testing of the same product for the same registrant, including information about any previously identified areas of deficiency against the Standards and Requirements; and
b) Information in response to AGLC inquiries about the testing environment, product configurations tests, and specific aspects of the testing methodology.
Technology Compliance Confirmation
Registered Operators and registered Goods or Services Suppliers who run critical gaming systems must provide AGLC with an annual confirmation that their technology is compliant with all applicable AGLC Standards and Requirements.
Registered Operators must provide to AGLC verification of the security requirements, as applicable, prescribed at Subsection 5.1.6.
For registered Operators, the scope of the Technology Compliance Confirmation must include the whole technology solution that will be deployed for Alberta iGaming operations, including but not limited to, the platform and underlying infrastructure, network devices, operating systems and databases as well as gaming software and other applications (see also Subsection 4.12.5). If a registered Operator is using third-party registered Goods or Services Suppliers who run critical gaming systems, the registered Operator's confirmation does not include confirmation for those registered Goods or Services Suppliers' technologies, which will be covered by the third-party Supplier's confirmation. The registered Operator's confirmation does include the integration of these third-party systems to the platform.
Note: Platforms provide numerous functions, including player account management, payments, player wallets and responsible gambling controls, and are integrated with critical gaming systems to deliver the gaming site's offerings.
Platforms do not require ATF certification.
For registered Goods or Services Suppliers, the scope of the Technology Compliance Confirmation must include the infrastructure (gaming servers, operating systems, databases and network devices) and games (software) pertaining to offerings in Alberta (see also Subsection 4.12.5).
The Technology Compliance Confirmation must include:
a) A letter signed by the registered Supplier's CEO (or equivalent) and Chief Compliance Officer (or equivalent) that includes an explicit statement confirming the technology that will be used to provide products and services in Alberta is compliant with all related Standards and Requirements. This letter must include specific confirmation that all games to be offered in Alberta will, prior to deployment, be certified by an AGLC registered ATF and will be supplied by an AGLC registered Goods or Services Supplier.
b) For registered Goods or Services Suppliers who run critical gaming systems, this letter must also include an explicit statement that they have a CAM in place that meets all applicable and relevant Standards and Requirements;
c) The letter must be accompanied by the following supporting key information or evidence, as applicable:
i) Registered Operators must include an overview of the full technology solution of the gaming site that identifies all registered Goods or Services Suppliers, along with other third-party technology integrations to the gaming site.
ii) Provide verification of the applicable security requirements prescribed at Subsection 5.1.6.
iii) Results from security vulnerability assessments of Alberta production infrastructure and applications, conducted by an independent and qualified security firm.
iv) Results from internal and external penetration testing of Alberta production infrastructure and applications, conducted by an independent and qualified security firm.
d) A description of the mechanisms in place to verify: installed software is ATF certified (see Subsection 5.1.5); and integrity of deployed software (see Subsection 5.5.14).
Notes:
i) The results from ii) and iii) above are to be accompanied by management responses indicating the company's risk assessment, remediation plans and compensating controls.
ii) It is expected remediation plans will be commensurate with risk, and that severe security risks will be addressed prior to gaming systems going live in Alberta.
iii) Remediations should be verified through an additional scan.
v) A description of the planned use for any third-party data centre/cloud service providers. This must include the name of the provider, type of service model, and current Service Organization Control 2 (SOC 2) reports or ISO 27001 certification for each provider.
vi) For registered Operators, a description of how the controls implemented to meet geo-location requirements that players must be within the borders of Alberta have been validated to ensure:
- Accuracy and effectiveness of the controls across the majority of expected player device and network connection types including the compliance with Subsection 4.2.1 for dynamic monitoring of player location and that common methods to circumvent controls are detected and/or prevented.
vii) A description of the mechanisms in place to verify: installed software is ATF certified; and integrity of deployed software.
Registered Suppliers are responsible for:
a) ensuring any activities they deem necessary to support their confirmation are completed to their satisfaction. This may include third-party testing.
b) maintaining all related records and evidence that support their Technology Compliance Confirmation which must be provided to AGLC upon request.
Control Activity Matrix (CAM) Requirements
Registered Operators must provide the Control Activity Matrix (CAM) as a summary of the Operators' processes and controls related to the iGaming site.
The required controls must be in place in advance of going live in Alberta's iGaming market.
CAMs must be independently audited to ensure the controls have been designed to ensure compliance with the Standards and Requirements. The independent audit must be carried out by a unit or function within the Operator's organization that was not involved in developing the CAM (e.g., internal audit) or by a designated external auditor. The independent audit results, confirming compliance, must be included with the CAM submission.
Registered Goods or Services Suppliers who provide critical gaming systems must have a CAM in place that meets all applicable Standards and Requirements. These CAMs must be made available to AGLC upon request.
Note: Critical gaming systems include certified games, random number generators and components of iGaming systems that accept, process, determine the outcome of, display and log details about player bets and wagers.
Operators must work with third-party platform providers to ensure the CAMs of the third-party provider identify the full spectrum of major technology controls contained within the iGaming platform.
Independent Integrity Monitor
Independent Integrity Monitors (IIMs) receive, assess and distribute unusual/suspicious betting alerts to entities with which they have an information sharing relationship, including their member Sport and Event Betting Operators, AGLC, and the relevant sport/event governing body. As directed by AGLC, IIMs are responsible for facilitating collaboration and information sharing to support the investigation of, and response to, prohibited activity associated with suspicious betting. IIMs may provide their services to, among others, regulators, registered Operators or registered Goods or Services Suppliers, but must not have any perceived or real conflicts of interests in performing their role (such as acting as an Operator or oddsmaker).
Records
Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with Control Activities must be retained for a minimum of three years, unless otherwise stated.
System Management
A recognized industry standard framework must be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.
Access privileges must be granted, modified and revoked based on employment status and job requirements. All activities associated with these actions must be logged.
Access privileges must be reviewed and certified by data owners on a quarterly basis. Reviews must confirm least privilege and separation of duties. Attestations and supporting evidence must be retained for at least two years.
Administrative and other privileged accounts must be limited to authorized personnel and protected by phishing-resistant multi-factor authentication (MFA). Privileged access must be brokered through a Privileged Access Management (PAM) solution with session recording, command logging, and time-bound, ticket-referenced elevation.
Hardware and software components must be:
a) industry accepted components where possible;
b) provided by a registered Goods or Services Supplier; and
c) certified by a registered Accredited Testing Facility (ATF), if applicable.
To be permitted connection to AGLC's self-exclusion system or AGLC's iGaming regulatory systems, registered Operators must maintain the following requirements:
a) Prior to January 15, 2028:
i) a current SOC 2 Type 1 attestation, which has been issued by an independent audit firm that has been peer reviewed and is also a member of the American Institute of Certified Public Accountants (AICPA); or
b) On or after January 15, 2028:
i) a current ISO 27001 certification; and
ii) a current SOC 2 Type 2 attestation, which has been issued by an independent audit firm that has been peer reviewed and is also a member of the American Institute of Certified Public Accountants (AICPA).
Connections and interfaces must be monitored, hardened, and independently penetration tested at least annually and after any material change. Testing must include APIs, authentication flows, and ingress/egress controls. Findings rated High or Critical must be remediated per the vulnerability SLA.
Mechanisms must be in place to ensure the reliability, integrity and availability of the gaming system, including, but not limited to:
a) registered Operators must ensure that a disaster recovery site is in place;
b) registered Operators must ensure a suitably secure physical environment is in place to prevent unauthorized access to the gaming system and to ensure the protection of assets;
c) Gaming systems, infrastructure, data, activity logs and all other related components must be protected from threats, vulnerabilities, attacks or breaches, and include the following:
i) All users must be authenticated;
ii) The appropriateness and effectiveness of steps taken to harden technology components must be evaluated through security testing at least annually; and
iii) Vulnerability remediation aligned to CVSS v3.1: Critical (9.0-10.0) within 48 hours, High (7.0-8.9) within 7 days, Medium (4.0-6.9) within 30 days. When patching is not feasible, implement documented compensating controls until remediation is completed.
d) Security monitoring activities must be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated in an effective manner. These requirements include, but are not limited to:
i) Attempts to attack, breach or access gaming system components in an unauthorized manner must be responded to in a timely manner;
ii) Intrusion attempts must be actively detected and, where possible, prevented from causing disruption or outage of the gaming system; and
iii) Registered Operators must ensure adequate logging to capture and monitor any attempts to attack, breach or access any components of the gaming system in an unauthorized manner. There must be an appropriate escalation procedure.
e) Annual independent assessment of the gaming system and related components, with remediation tracked to closure.
Registered Operators and Goods or Services Suppliers must keep informed on the current threats and risks to the security, integrity and availability of the gaming systems and related components that they operate or supply. Additional requirements include:
a) Registered Operators must have policies and procedures in place to effectively mitigate risks and threats; and
b) Registered Goods or Services Suppliers must make known any material threat or risk to the security or integrity of the gaming systems that they supply.
A system development lifecycle that considers security and processing integrity must be in place for gaming system technology whether developed in-house or supplied.
Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.
A testing strategy to address changes in technology must be in place to ensure that deployed gaming systems operate as intended.
Registered Operators must develop and have in place effective change management procedures which reflect industry best practices.
All gaming system changes must be reviewed, risk assessed, tested, approved and verified with evidence linked to the change record.
Emergency changes must follow a documented post implementation review within two business days.
a) Dedicated change accounts must be least privilege, time bound and protected by MFA.
Registered Operators must have measures in place to detect and prevent unauthorized or unintentional changes being made to the gaming system, including a mechanism to validate that installed software is the certified software.
Post implementation reviews must be performed to ensure that changes have been correctly implemented, and the outcomes must be reviewed and approved.
All change related documentation and information must be captured and kept secure.
Manage updates, patches and upgrades with documented oversight and testing. Remediate per CVSS v3.1: Critical 48 hours, High 7 days, Medium 30 days. Where patching is not feasible, implement compensating controls and track to closure.
A documented mechanism must be in place to monitor, review, test and approve upgrades, patches or updates to all gaming-related hardware components. This process must occur at least quarterly, and immediately when components are identified as end-of-life, obsolete, vulnerable, or otherwise requiring maintenance. All actions must be logged and approved by authorized personnel.
Effective release and configuration management processes with support systems must be in place to support both software and hardware related changes.
Only dedicated and specific accounts may be used to make changes.
Registered Goods or Services Suppliers must adhere to data security standards and data requirements as published for the Application Programming Interfaces (APIs).
Architecture and Infrastructure
Data centres and remote gaming servers must be approved by AGLC, including data residency designation, cross border transfer assessment, and encryption key residency review.
The gaming system architecture and all its related components must demonstrate security in depth.
All gaming systems and devices must validate inputs before the inputs are processed.
The gaming system must only display the minimum information about the gaming system to unauthorized users and during system malfunctions to minimize the risk of compromising the gaming system or the privacy of information.
All remote access methods must be secure and centrally managed, using zero-trust principles, device posture checks, MFA, and session recording for third-party access.
Use of wireless communication must be secured using industry-standard encryption, centrally managed, and only implemented with prior approval from AGLC.
All components must be hardened as defined by industry and technology best practices prior to going live or as part of any change. All default or standard configuration parameters must be removed from all components where a security risk is presented.
Access must be effectively restricted to ensure the domain name and server records are kept secure from malicious and unauthorized changes.
Data Governance and Information Management
Data governance must be in place to address data processing integrity and the protection of sensitive data.
Sensitive data, including player information and data relevant to determining game outcomes, must at all times be secured and protected from unauthorized access or use.
Back up data securely and store off-site in accordance with policy and law including but not limited to the following requirements:
a) Test restores quarterly;
b) Maintain immutable (WORM) backups with network/path separation;
c) Encrypt at rest and in transit;
d) Retain per the approved retention schedule.
Player information must be securely protected and its usage controlled as follows:
a) data collection and protection for player personal information must meet the requirements set out in the pertinent Alberta privacy legislation; and
b) Player personal information must only be used for the lottery schemes conducted and managed respectively by AGLC or the AiGC.
Communication of sensitive game data must be protected for gaming integrity.
Establish and document IT operations and incident management procedures, including:
a) Proactively monitor and detect errors and take immediate action to correct incidents of non-compliance with these Standards.
b) Synchronize time across all components using authenticated NTP (e.g., NTS).
c) Retain event and security logs for at least one year online and seven years archive or as otherwise required by regulation.
All private encryption keys must be stored on secure and redundant media that are only accessible by authorized management personnel.
Encryption algorithms and key lengths must meet or exceed industry standards (e.g., AES-256, RSA-2048) and be evaluated at least annually, or upon the emergence of new cryptographic vulnerabilities, to ensure continued protection against evolving threats.
The gaming system architecture must limit the loss of data and session information.
System Account Management
The gaming system must be able to change, block, deactivate or remove system accounts in a timely and effective manner upon termination, change of role or responsibility, suspension or unauthorized usage of an account.
A secure authenticator that meets industry best practices must be used to identify users and their accounts to ensure only authorized persons are permitted to access their system account on the gaming system. Minimum requirements include, but are not limited to:
a) The gaming system must automatically lock out accounts where any identification and authorization requirement is not met after a defined number of attempts.
b) Multi-factor authentication must be implemented as part of a secure authenticator.
The gaming system must ensure that all access to the system is fully attributable to, and logged against, a unique user identification.
Only the minimum access rights must be granted to each system account of the gaming system and access rights must be clearly documented.
All temporary and guest accounts must be disabled immediately after the purpose for which the account was established is no longer required.
Review all system and service accounts at least quarterly and upon role changes to confirm least privilege. Document changes and approvals; retain review evidence for two years.
A log of all account owners must be kept, maintained, reviewed at least quarterly, and promptly updated to reflect any changes in ownership or access rights. All reviews and updates must be documented and approved by authorized personnel.
Administrator account assignment must be approved by Operator management and enforced through PAM with continuous monitoring, session recording, and alerting on policy violations in accordance with these Standards and Requirements.
Inappropriate or unauthorized use of system accounts on the gaming system must be logged, reviewed and responded to within a reasonable period of time.
Inappropriate use of administrator accounts must be reported to AGLC in accordance with the Notification Matrix.
Software Requirements
Software used for the gaming system must be developed using industry best practices.
Software development methodologies must be clearly documented, reviewed at least annually, updated to reflect current practices and stored in a secure and accessible location.
An effective system must be in place to manage the software development and ongoing software management cycle.
All software development must be segregated during and after the release of code to a production environment.
An effective audit trail of authority and management review of code for software must be established.
Controls must be in place to ensure software is effectively secured and access is effectively restricted throughout development.
Authorized management staff must review and approve software documentation to ensure it is effectively and clearly documented.
Source code and compiled code must be securely stored.
Note: Compiled code could be digitally signed or hashed (including each time there is a change) in a manner that allows for external verification.
The promotion or movement of code from testing through other environments to production must be accompanied by the required documentation and approvals.
All promotion of code from development to production must only be performed by production support staff and not by development staff.
Effective testing environments must be in place to allow for thorough testing of any code before it is put into production.
Access to production environments must be restricted from development personnel.
Note: This restriction does not preclude granting of temporary supervised access for conducting technical investigations that may only be performed on the production environment.
Development code must not be present in the production environment.
A mechanism must be in place to verify the integrity of the software that is deployed to production, including before changes are implemented, as well as on an ongoing basis.
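One way to implement the integrity check described above and in the note on hashing compiled code, shown as an added example that is not part of the AGLC standards. The file names, the JSON manifest layout and the idea of holding the manifest digest off-host (for example with the change record) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file in the certified build."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest; assumed to be recorded outside production."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_release(root: Path, manifest: dict, trusted_digest: str) -> dict:
    """Compare the installed tree with the certified manifest."""
    # Refuse a manifest that was edited on the host alongside the software.
    if not hmac.compare_digest(manifest_digest(manifest), trusted_digest):
        raise ValueError("manifest does not match the externally recorded digest")
    findings = {"modified": [], "missing": [], "unexpected": []}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        # Symlinks are never certified content: they can point outside the tree.
        if p.is_symlink() or (p.is_file() and rel not in manifest):
            findings["unexpected"].append(rel)
        elif p.is_file() and not hmac.compare_digest(sha256_file(p), manifest[rel]):
            findings["modified"].append(rel)
    findings["missing"] = sorted(r for r in manifest if not (root / r).is_file())
    return findings


def demo() -> dict:
    """Constructed sample: certify a small tree, then drift it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("rng_service", "payout_engine", "paytable.json"):
            (root / name).write_bytes(b"certified build 1.0 " + name.encode())
        manifest = build_manifest(root)
        trusted = manifest_digest(manifest)  # assumption: stored off-host
        clean = verify_release(root, manifest, trusted)
        (root / "payout_engine").write_bytes(b"patched out of band")
        (root / "paytable.json").unlink()
        (root / "debug_hooks.py").write_text("# development code")
        drift = verify_release(root, manifest, trusted)
        return {"clean": clean, "drift": drift}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "unexpected" list is what surfaces development code left in production, and running the same check on a schedule covers the ongoing verification the requirement asks for.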
Effective release and configuration management systems must be in place to support software development.
All code developed by a third party must:
a) be tested to ensure it meets industry best practices and that it performs to meet its purpose prior to being added to the testing environment and prior to integration testing; and
b) pass integration testing before it is added to production.
Mechanisms must be in place to ensure that bugs are identified and addressed prior to, and during, production.
Quality assurance processes, including testing, must take place during development and prior to the release of any code.
All components must be tested for the purposes for which they will be used.
Illegal or Suspected Illegal Activities
Mechanisms must be in place to reasonably identify and prevent unlawful activities at the gaming site.
Registered Operators must develop and maintain an internal security and surveillance strategy that aligns with current industry best practices. The strategy must not contravene AGLC policies.
Periodic risk assessments must be conducted effectively to determine the potential for unlawful activities, including money laundering, fraud, theft and cheat at play.
All relevant individuals involved in the operation, supervision or monitoring of the gaming site must remain current in the identification of both internal and external techniques or methods that may be used for the commission of crimes at the gaming site.
Player and employee transactions must be effectively monitored, including the ongoing analysis of incident reports and suspicious transactions for possible unlawful activity.
Suspicious behavior (e.g., fraud), cheating at play and unlawful activities, attempted or completed, must be reported in accordance with the established Notification Matrix.
It is a condition of registration to immediately report illegal or suspected illegal activities to AGLC.
Registered Operators or Goods or Services Suppliers must facilitate the participation of all staff they employ to assist with any AGLC or police investigation. This includes:
a) immediately reporting to AGLC's Customer Care Centre (1-800-561-4415) any and all suspicious activity, evidence of cheating at play, theft, or other suspected criminal offences;
b) contacting AGLC or police prior to conducting an internal investigation which may involve criminal activity; and
c) immediately securing any materials which could potentially be used as evidence and keeping the material secure until handed over to an AGLC Inspector or police officer.
Registered Operators are required to develop their own security plans and procedures on how to handle suspected criminal activity in accordance with these policies.
Reporting and Notification
Registered Goods or Services Suppliers must comply with the notification requirements in AGLC's Notification Matrix.
Registered Goods or Services Suppliers must submit required discrepancy reports within 24 hours via the channels defined in the AGLC Notification Matrix. Where electronic submission is required, use the secure portal designated by AGLC.
Note: With the exception of the provisions in Section 5.6 or as identified otherwise in these policies, all discrepancy reports must be submitted within 24 hours of an iGaming Supplier staff member becoming aware of an incident or suspected incident requiring the completion of a discrepancy report.
Discrepancy reports can be submitted to AGLC by:
a) email to: iGamingCompliance@aglc.ca
b) fax to: (780) 447-8912.
Discrepancy report forms are available at aglc.ca:
a) Discrepancy Report (form 5425) - for all non-electronic gaming discrepancies; and
b) Gaming Discrepancy Report Electronic Devices (Form 6619) - for all electronic gaming device discrepancies.
Anti-Money Laundering (AML)
Registered Operators and registered Goods or Services Suppliers must implement and maintain a comprehensive internal anti-money laundering and terrorist financing (AML/TF) program in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), associated regulations, FINTRAC guidelines and the designated reporting entity's AML/TF policies and procedures. Anti-money laundering internal controls must align with those of the designated reporting entity under PCMLTFA.
Reasonable measures must be in place to identify and prevent suspected money laundering activities in the iGaming site. At a minimum, registered Operators and registered Goods or Services Suppliers must:
a) implement and comply with risk-based policies, procedures and controls that provide for escalating measures to address players that engage in behaviors consistent with money laundering, terrorist financing or sanction evasion indicators, including the refusal of transactions or exclusion of the player;
b) specify times and situations, based on the assessment of risk, where the Operator will ascertain and reasonably corroborate a player's source of funds; and
c) ensure that mechanisms are in place to lawfully share information related to high-risk, suspicious or criminal activities with other Operators which may also be subject to similar activity.
Suspicious Transaction Reporting (STR) - Registered Operators and registered Goods or Services Suppliers must, at a minimum:
a) Implement and comply with policies and procedures for identifying, escalating, completing and submitting STRs. All STRs must be submitted as soon as practicable and include all requisite information.
b) Retain copies of all FINTRAC related reports and supporting records submitted to AiGC. These reports must be made available to AGLC in accordance with the established Notification Matrix.
If a registered Operator or registered Goods or Services Supplier:
a) becomes aware that a player:
i) is charged with, convicted of, or believed on reasonable grounds to be involved in an offence under section 209 or 462.31 of the Criminal Code (Canada);
ii) is charged with, convicted of, or believed on reasonable grounds to be involved in terrorist activity as defined in the Criminal Code (Canada);
iii) is not, under the laws of a jurisdiction other than Alberta, permitted to engage in iGaming activities, enter into or remain in a place in which gaming activities in that jurisdiction are conducted;
iv) is enrolled in a self-exclusion program; or
v) is a listed person on any domestic or international sanctions list.
b) following from 5.8.4 a), the registered Operator or registered Goods or Services Supplier must then:
i) immediately suspend or disable the player's account to prevent further financial or gaming activity; and
ii) as soon as practicable, document the details of the incident (including but not limited to the source of the information, actions taken, and any communications with authorities) and immediately notify AGLC.