The License application is made up of three primary stages. The first stage looks at the business aspects of the application and the people behind the business. The business plan and personal information on the share holders and other key personnel is at the core of this process. The type of gaming activity, the fairness of the games, the risk to the operator - these are the obvious questions that the LGA is seeking answers for in the business plan. The business plan needs to also give a viable plan on how to reach the business objectives in terms of capturing market share and funding the business activities to achieve this growth and then to support this growth in terms of infra structure, support and other activities required to deliver the service expected by players.
The second stage deals with the operational side and this is what this article will focus on primarily. A lot of the information now routinely collected during stage two used to be collected during the third stage when the business was already operational. Applicants do complain of a chicken and egg situation since a lot of the information asked for is better understood when operations have started. On the other hand, the LGA needs the reassurance that the licensee will be able to operate a properly run business. It is the principal aim of this article to address this seemingly irreconcilable deadlock between the information needed by the LGA and the ability of the applicant to supply this information.
The final third stage is an audit. An auditor appointed by the LGA will collect information and present a report to the LGA. The primary aim of the audit is to verify that the information presented during stage two is accurate and implemented. Based on the feedback from the report, the LGA will then ask for corrections to be carried out and will issue the full and proper license.
So on to a closer look at the second stage and what is all about. The documents asked for at this stage are grouped into Policies, Procedures, Schematics Gaming System and Website/Online. Let have a look at each in turn.
Policies
- Information Security Policy
- Incident Response and Asset Removal Policy
- User Management Policy
Information Security Policy
The information security policy (ISP) is a document that should be circulated to everyone in the organization and a signature collected from each employee to testify that they have received a copy and understand its contents.
At its simplest level, an ISP covers things like 'Do not open an email attachment if you do not understand its origin'. Other issues like use of memory sticks, sharing of passwords, use of personal laptops, use of IT infra structure for personal use, installation of unauthorized software. These have all become very important issues which, if ignored, can cause very serious disruption, destruction or disclosure of data and in general put the business at financial, reputational or even criminal indictment risk.
The ISP document has become sufficiently important that it's referred to in the employment contract. In fact, if an employee ignores the policies in this document, disciplinary action can and should be taken including termination of employment.
Incident Response and Asset Removal Policy
Things go wrong from time to time and with a business so dependants on technology, typical incidents are loss of internet and hardware failure. With hardware in particular it is important that no data is intentionally or inadvertently destroyed or disclosed.
User Management Policy
A gaming business has access to personal data. Funds are also flowing in both directions, in many ways it's similar to a banking operation. We all use banking services and have funds entrusted with these organizations. It's probably fair to say that we have certain expectations on how our information is handled and who has access to our information within the bank. It's only too fair to expect a gaming company to have a clear policy on who has access to information, prevent sharing of passwords, remove password no longer in use and in general act responsibly with the information and ultimately the funds in the company's trust.
Procedures
- Human Resources Roles and Responsibilities
- System Access Control Procedures
- Financial Accounting Procedures
- Business Continuity and Disaster Recovery
- Data Backup Procedures
- Change Management Procedures
- Fraud Management Procedures
Human Resources Roles and Responsibilities
What it simply means is 'who is responsible for what?' If you want to assign responsibility the first thing to do it to define what is expected from a role. Finally a simple organizational chart wraps it all up by assigning real people to the roles.
System Access Control Procedures
Its all about making sure that employees have access to only the information they need for their work, ensuring accountability and to properly manage and control access to business and gaming systems.
Financial Accounting Procedures
A requirement for any business, it's especially important when your 'stock in trade' is money itself. This is where the licensee acknowledges to the LGA that they are fully aware of their responsibilities with regards to Key Official Monthly reports, Management Accounts and bi-annual submission of accounts to the LGA.
Business Continuity and Disaster Recovery
Anytime you have a situation that stops normal business activities, the time it takes to get back to a normal or acceptable level of operation is inversely proportional to the amount of pre-planning. A business should understand what its tolerance is to disruption - a decision based on risk, reputation and loss of revenue. Cost factors always play a role and in some cases, it might be more desirable to have partial recovery then full recovery. For example, in the case of a power cut there may be one or two laptops working without the costs of getting the whole office powered up.
Security issues make it especially important to plan ahead. It might be possible in theory to work from an internet café - but what does that say about your overall security? And what if the data you need to work is all on a computer that is now powered off?
Some issues related to 'Business Continuity and Disaster Recovery' need to be handled long before going operational. Co-location is one case. Making sure that you have bandwidth redundancy is something that gets investigated before contracts are signed and equipment installed.
Data Backup Procedures
It's obvious that you would need to backup data. But achieving this is a lot harder then one might think. On the other hand, drawing on the parallels with banking, if you deposit money in the morning and the bank has a catastrophic failure that destroys the database recording your deposit by noon, what would be your expectation? You would certainly expect the money to appear on your bank account and you probably would tolerate 24 hours before you start to panic.
The same applies to gaming, you could possibly afford to loose a registration, but it is clear that anything related to bets, deposits and withdrawals must be recovered in its totality.
The strategies to accomplish total recovery are many. It really comes down to costs, volume of data and above all - PLANNING. A good general basic strategy for backups is Monthly (offsite), daily and quasi-real time (or low latency).
Change Management Procedures
Any properly run business has adopted change management procedures and when a change can loose the business a lot of money, create a deluge of complaints or allow fraud and theft to be propagated, than the need for change management becomes paramount. Change management is all about documentation and authorization and ultimately proper management control. Many tools are now available to make this process easy to manage.
Fraud Management Procedures
Let's face it, if you get your fraud management procedures wrong, keeping your license is the least of your problems. You are in the business of getting money off players and they are equally determined to do the same off you. Some may decide not to trust in skill and good luck alone. On the flip side, you could get a culture of allowing everything and anything as long as it turns a profit. This is clearly not the workings of a regulated industry. Therefore issues of identity confirmation, age verification and prevention of money laundering are an essential part of these procedures.
Schematics
- Application Architecture
- System Architecture
- Network Infrastructure
In short, diagrams is what is required here. The form of these diagrams is fairly well established and the technical people responsible will be able to come up with the diagrams showing how the servers are connected in a network and how the various parts of the gaming systems interact together.
Gaming System
- Random Number Generator (RNG)
- Games Rules and Parameters
- Ownership of Software
With some gaming operations, the fairness of the games depends on external events over which the licensee can have no possible influence. Sports betting would be a case in point. In other cases, such as Casino and Poker, the fairness comes from the UNPREDICTABILITY of the cards. Expressed mathematically, unpredictability is the randomness of the card numbers which makes it impossible to predict the next card. Given that the RNG, when applicable, is the lynch pin to the fairness of the games, the LGA will want to know what RNG is being used and if it's acceptable.
It's clear that the rules and parameter of the games need to be clearly documented in such a way as to leave no room for interpretation. A player needs to know what to expect when they choose to play a game and the operator wants to avoid disputes and behave transparently at all times. With many new types of games being constantly introduced a proper definition of the Games Rules and Parameters is a critical task.
The ownership of the software is a very important question. First of all, this raises questions on who has control over the software and ultimately the fairness of the games. Also if the gaming operator shares the software, makes copies of it or uses the software in a novel way, its more then likely that the software providers will feel cheated of their revenue or else wish to share in the success which they rightly feel they have contributed to. Getting these issues clarified while everyone is on the best of the terms is a highly recommended approach.
Website/Online
- Responsible gaming
- Terms & Conditions
- Logo of the LGA
The terms and conditions are the contract that exists between the player and the licensee. This makes it a very important document. This needs to be one water-tight complete document that leaves nothing to chance. Issues such as the time it takes for a payout, restrictions on how payouts are done because of money laundering, use or abuse of bonuses - these are amongst the most common issues that are primarily addresses by the terms and conditions.
The use of the LGA's logo and the ability of a player to make his complaint directly with the LGA, this is something not to be taken lightly. Implementation of Responsible Gaming functionality, such as the ability to limit one's losses and links on the website to organizations that help with gambling addiction - ultimately all these measures help protect the industry itself.
Conclusion
To warp up this article, an often heard complaint is about how drawn out the application process is and the delays at the LGA. While some of these complaints may be true one should appreciate that if the information submitted to the LGA is incomplete or even incorrect, then clarifications will be sought by the LGA and this invariably will create delays. It is not in the power of the applicant to make the LGA work faster for them, but it's certainly in the power of the applicant to avoid delays by present a proper and complete application to the LGA; my advice is that this is where the applicant should concentrate their energy.
I have also noticed that often times, having got the LOI, operations cannot start for another 3 months or even six months. This is not good business planning; ongoing monthly expenses would certainly be incurred at this stage and with no income its fair to assume that with each passing month the business has less financial resources available; My experience has been that those applicants who understand what stage two is all about are able to go operational very shortly after getting their LOI.
One other observation is that the LOI is valid for six months and the audit processed needs to be started within the second three months. It's also natural that the business is operational when the audit takes place. What this really means is that it's important to 'hit the ground running' when the LOI is issued.
One final advice is that the license application is a means to an end. I have noticed a number of applicants who by the time they achieve the license they are exhausted, frustrated and denude of funds. The LGA is interested in vibrant, successful gaming businesses operating responsibly and to high standards. Where this not the case, one would simply buy the license and the ultimate success or demise of the business would be solely up to market forces. The applicant should therefore choose their business partners carefully, keep things in perspective, and focus on running a thriving stable, responsible business - which is all that is expected from them.
A summary of this article has been published in the LGA Supplimentary/Magazine for 2010
