Guidance to the certification programme
In connection with the Danish Gambling Authority’s work with the certification programme, where reports from licence holders are received on a regular basis, a number of recurring errors have been noted. These errors create uncertainty about whether the licence holders’ gambling systems are certified correctly according to the requirements, and they lead to extensive communication between the Danish Gambling Authority and the licence holders. Finally, licence holders often find it necessary to contact their test houses several times.
In this newsletter, some of the errors observed are covered in order to minimise future errors.
The newsletter should not be viewed as a rewriting or expansion of the existing material for the certification programme, but as support for interpreting, and a clarification of, the sections that appear to have posed a challenge for licence holders.
Guidance on the existing material in the certification programme will be included where the Danish Gambling Authority deems it necessary.
The licence holders are responsible for ensuring that their gambling system is completely certified at all times. The complete certification involves the requirements specified in the certification programme regardless of whether the requirement in practice relates to a part of the gambling system operated by the licence holder or parts of the gambling system operated by a supplier. This means that it must be ensured that all games provided are certified with a frequency that does not exceed 12 months.
Thus, the licence holder is responsible for the certification presented to the Danish Gambling Authority, regardless of which functions or tasks relating to their gambling system are outsourced.
The standard reports submitted to the Danish Gambling Authority must be a compilation of the certification of the overall gambling system. In cases where a supplier has, for example, had their games tested themselves, the results of these tests must be presented in the standard report to the Danish Gambling Authority. A single “approved” in the standard report may thus be a summary of many test results. This also means that if, for example, a single requirement for a single game is not met, then this requirement must be reported as not approved and the details must be described in the annex.
The Danish Gambling Authority has received reports where it has been stated in the section on suppliers that a single supplier has not delivered any documentation on their certification to the accredited test company. As no documentation on a valid certification is available in this situation, all requirements that concern this supplier must, according to the Danish Gambling Authority’s assessment, be indicated as “not approved” in the overall certification report submitted to the Danish Gambling Authority.
In this connection, the Danish Gambling Authority must emphasise that provision of games that do not comply with the certification requirements is a violation of the conditions for the licence and the requirements of the executive order.
To make it visible that a certification covers the entire gambling system, a list of all games covered by the testing or inspection must henceforth be compiled for the standard reports of testing and inspection. The list may be included in the standardised annex to the standard report. If the list is identical for both testing and inspection, and the two certifications are made simultaneously, the compilation of a single list is sufficient.
The list must as a minimum include the following mandatory information:
- Name of the supplier. If the game is the licence holder’s own game, this must be noted instead.
- Title of the game.
- Date of the most recent certification of the game. This will presumably differ from the date of the licence holder’s annual certification if the game is provided by a third party.
- A reference to a supplementary report for the certification of the game if the game is tested at a different time from the licence holder’s annual certification of testing and inspection.
The certification programme works with two different frequencies: annual and quarterly certification. Certification means that if the licence holder, within the three or 12 months, has had the prescribed tests and inspections completed by an accredited test company, the deadline is met and the gambling system is considered duly certified; otherwise it is not.
The report, which is filled in on the basis of completed certification, must be received by the Danish Gambling Authority no later than two months or one month after the tests and inspections are completed, depending on whether it is an annual or a quarterly certification, respectively.
If a licence holder realises that the deadline for certification cannot be met, the licence holder may postpone the certification. The deadline is the date before which a renewal of the certification must be completed. The Danish Gambling Authority must be informed of this before the certification, e.g. the testing or inspection standards, is commenced.
The certification report must be in the Danish Gambling Authority’s possession within two months or one month after the original deadline for certification. In practice, this means that if a licence holder postpones an annual certification by one month, it leaves only one month to submit the report. If the certification is postponed by the maximum of two months, the report must be submitted at the same time as the certification is completed.
Not all certifications can be postponed. The individual document states specifically whether the certification can be postponed.
If the licence holder has a certification deadline on 1 July and completes the certification on 15 June, and this date is stated in the report submitted, the new deadline is 15 June. This ensures that the licence holder is certified at all times, and that there are no periods in which the licence holder does not hold a valid certification.
The licence holder was certified according to the inspection standards for online casino on 1 July 2017. The next certification is made and completed on 26 June 2018 and the completed and certificated report is received by the Danish Gambling Authority on 5 August 2018. In this case, the certification deadline is met, and the Danish Gambling Authority has received the report in time.
Correct, postponed certification:
The licence holder was certified according to the inspection standards for online casino on 1 July 2017. The licence holder realises that they are unable to meet the deadline for renewed certification (1 July 2018). The licence holder contacts the Danish Gambling Authority and communicates that the certification is postponed and the reason for this. The control is initiated on 29 June 2018 and is completed on 10 July 2018. The completed report is received by the Danish Gambling Authority on 20 August 2018.
Lack of certification (incorrect):
The licence holder was certified according to the inspection standards for online casino on 1 July 2017. The next certification is made on 25 August 2018 and the Danish Gambling Authority receives the report on 25 September 2018. Thereby, the licence holder is not duly certified in the period between 1 July 2018 and 25 August 2018.
Reports completed incorrectly
The Danish Gambling Authority has noted recurring errors in the standard reports submitted by licence holders. A report which is completed incorrectly cannot be approved by the Danish Gambling Authority. The reason for this is that the Danish Gambling Authority depends on the correctness, precision, and sufficiency of the information in the report, as it forms the basis for the Danish Gambling Authority’s supervision. It also forms the basis for the Danish Gambling Authority’s total assessment and overview of a licence holder’s certification, including, for example, whether all games live up to the Danish Gambling Authority’s requirements. Moreover, the reports constitute the overall documentation for a gambling system’s compliance with the requirements.
Some of the typical errors that appear in the standard reports are listed below:
- Errors in dates: These appear where the prior, current, and future certification are stated and where the date of the control is stated. For example: the prior certification was made on 1 September 2016 and the current on 1 September 2017 (on time), but in the report, the prior certification is stated as 1 September 2015.
- Lacking information about staff: This appears where it must be noted which employee has conducted a control and the employee’s education and level of experience.
- Lacking information about suppliers: In reports where subcontractors must be stated, the list must be sufficient.
If a vulnerability scan is not passed, a plan for correction of the errors and compensating controls must always be specified in the standardised annex. The latter must be described in such a way that it is clear what the vulnerabilities consist of, and the compensating controls must be aimed at the weak spots of the system. The vulnerabilities found must be corrected before the following scan.
This appears from section 4 of the Guidelines for vulnerability scanning.
When updating critical components of the gambling system, a new vulnerability scan must be conducted. If this scan identifies vulnerabilities that score four or more on the NVD CVSS scale, a new penetration test must also be conducted.
Change management programme
Every third month, the licence holder must send a report concerning the implemented changes to the gambling system. This report covers both changes made directly by the licence holder and changes made by suppliers that affect the licence holder’s provision of gambling.
If the licence holder specifies changes in the annex, these changes must be described in a clear and lucid manner so that the Danish Gambling Authority can assess what the change consists of. If the licence holder has implemented new games during the three-month period, the Danish Gambling Authority expects to see the title of the game in the annex to the report.
The following examples show situations in which the information provided is not sufficient and sufficient, respectively.
The first three examples are, according to the Danish Gambling Authority’s assessment, not sufficient without further explanation. The last three examples are sufficient without further explanation.
- 139 changes affecting the components
- Change Log 20190520-CAR-45
- Implemented 10 new games
- Removing old firewall, deployment of new
- Changes of the apps so they can run from multiple locations
- Implemented game X from supplier Y
In the section on requirements to the staff in the individual documents of the certification programme, it appears that work must be “supervised”.
As a rule, the Danish Gambling Authority interprets “supervision” as actions in which a person reviews/controls/tests another person’s work, such as testing and inspection, and the results obtained in connection with this work. Through supervision, it must be ensured that the work is carried out properly. This must be understood based on the general view of separation of duties. Thereby it should not be possible for a person to both complete a task and subsequently approve it.
An exception to the rule of separation of duties applies if the person who carries out the certification work possesses the qualifications that the Danish Gambling Authority requires from the staff that supervises and attests the certification work. This means that if a person has the proper education and qualifications, the proper certification and the necessary work experience within this field of work, the Danish Gambling Authority allows self-supervision.
It should be noted that if the exception is applied, just as when the rule is applied, the tasks must still be divided into two individual actions that cannot be performed in one procedure:
- Performing the task (testing, inspection etc.)
- Review/control/testing of the task performed (supervision)
Licence holders must use the standard reports from the certification programme when reporting to the Danish Gambling Authority. These will, with the enclosed annexes, in most cases be sufficient documentation. If the Danish Gambling Authority needs supplementary documentation, the licence holder will be requested to submit it.
Other types of reports/documentation can never replace the standard reports.
The licence holders must address all sections in the standard reports.
Lack of documentation for the test company’s accreditation
The licence holder must use a test company with a valid accreditation. It must be stated in the standard reports whether the test company holds a valid accreditation, and the accreditation should be enclosed as documentation of this. The documentation must be presented to the Danish Gambling Authority at each submission of a certification.
The Danish Gambling Authority knows that it is often possible to see the test company’s accreditation online, e.g. on the website of the national accreditation body. The Danish Gambling Authority accepts that the accreditation is documented by linking to the accreditation. The link may be provided in the annex to the certification report.