eCOGRA Introduces Updates to eGAP Requirements for Self-Regulatory Services
The e-Commerce and Online Gaming Regulation and Assurance (eCOGRA) has introduced updates to the eCOGRA Generally Accepted Principles (eGAP), the requirements imposed on holders of the eCOGRA Seal of Approval. The objective is to ensure that these requirements are aligned with internationally recognised standards, particularly those that work toward strengthening the assurance conveyed by the eCOGRA Safe and Fair Seal.
The eGAP requirements are the standards observed and maintained by online gambling facility operators who have elected to avail themselves of eCOGRA’s self-regulation services. A team of highly skilled eCOGRA Chartered Accountants and/or Certified Information System Auditors enforces these requirements by conducting periodic reviews and/or continuous monitoring.
The eGAP requirements also include the European Committee’s Standards for Responsible Remote Gambling Measures, which means that remote operators certified as passing the eGAP standards for safe and responsible operations also meet the Comité Européen de Normalisation (CEN) Workshop Agreement (CWA 16259:2014). The agreement covers standards on security requirements, which make certain that trustworthy systems are in place for providing and managing services, processes, and products related to electronic signatures.
eCOGRA Chief Executive Andrew Beveridge explained that the modifications in the eGAP self-regulation requirements constitute industry-related information-security provisions, as outlined in ISO/IEC 27001:2013. The changes are likewise in line with the EC’s most recent “recommendations for the common protection of consumers of online gambling services in the European Union,” and in accordance with the European Parliament’s newly approved legislation for the Fourth European Union Anti-Money Laundering Directive.
About ISO/IEC 27001:2013
The International Organization for Standardization’s ISO/IEC 27001:2013 pertains to the requirements for instituting, implementing, maintaining, and constantly improving an information-security management system within the framework of the organization. Of particular relevance to eCOGRA’s improvement initiatives are the requirements for the assessment and handling of information security risks, customized to the needs of the organization under review. The requirements specified in ISO/IEC 27001:2013 are nonspecific and are intended to be applicable to all institutions, regardless of industry type, size, or nature of business.
Examples of EC Recommendations for Information Security Improvement
The EC’s recommendations propose actions that respond to the regulatory, technical, and societal challenges of Internet-based gambling. In relation to technical challenges, the Commission took into consideration the different registration processes introduced by online gambling operators across the EU Member States, citing in particular the inclusion of offline or manual verification processes. The EC recommends that all Member States make certain that identification details are effectively verified when facilitating the online registration process.
There is also the matter of protecting online players and their funds by instituting procedures that ensure transparency of financial transactions and that verify player accounts that have been inactive for a specific period, including those that are under suspension or have been closed. Measures must also take into consideration cancelling the account of a customer found to be a minor. Another example of the EC’s recommendations is the information alert system, with options for a visible timer during gaming sessions and mechanisms for setting deposit, betting, and loss limits.
The Commission pointed out circumstances in which remote operators of online gambling facilities hold several licences obtained from regulators across Member States, often selected based on gambling regulations implemented by the licensing system. The Commission asserts that online betting operators are more likely to benefit from observing a universal approach, as it would eliminate unnecessary replication of infrastructure, related costs, and pointless administrative burdens on the part of regulators.