
Technical Standards:
Testing of the Gaming & Control System

     


One of the basic features in the Regulations is the requirement that the core part of the online gaming/betting operations (i.e. the control system) must be physically located on servers that are co-located in Malta.

Other components of the system, for example, front-end of the games or customer support operations, may be situated outside Malta at the location of choice of the licensee.

The online gaming system (which is defined as a computer system deployed by a licensee and including all its components, the operating system and application software) must be certified for compliance to the satisfaction of the Authority.

Certification is only necessary for those components of the system the functioning of which directly impacts the operation of the games or the reporting of gaming and financial transactions.

Certification also involves an audit as to whether the gaming system is compliant with the requirements of ISO-17799:2000 Information Technology - Code of Practice for Information Security. An “ISO-17799 gap analysis” audit will be carried out by experts approved by the Gaming Authority. Certification costs are chargeable to the licensee; such audit fees approximate to €2,500 for a standard, well documented gaming system.

Specifications of the Control System

The control system is a system of internal controls, administrative and accounting procedures for the conduct of a remote gaming office. Technically this would include subcomponents of the system where the player would find himself in a 'secure area'. The Random Number Generator, the database of players, all players' accounts, all game and transaction history would be part of the control system.

The Malta Remote Gaming Regulations provide that an applicant for a license shall submit in writing to the Authority for the purposes of approval, the specifications of the control system he intends to use during operation.

The law also provides that the licensees whose gaming system is hosted by a Class 4 licensee shall be exempted from this requirement.

The system of internal controls, reporting and accounting procedures used by the licensee constitutes its Control System, which must be approved by the Gaming Authority.

Any gaming/betting offered by the licensee should only be conducted under the approved control system. The licensee will set up the Control System in the live environment prior to audit and may be permitted to run operations, under a provisional license, during this period subject to scrutiny by the Gaming Authority.

The proposal to be submitted to the LGA for such internal controls shall be a system document which shall include detailed information relating to:

(a) the operation of remote gaming
(b) general procedures to be followed for the operation of remote gaming
(c) computer software where applicable
(d) procedures for recording and paying prizes won in remote gaming
(e) accounting systems and procedure
(f) procedures to be followed to play a game
(g) procedures and standards for the maintenance, security, storage and transportation of equipment to be used to conduct remote gaming
(h) procedures for the setting up and maintenance of security facilities including general compliance and internal controls relating to access to critical systems
(i) a disaster recovery plan
(j) an adequate system of data backup
(k) any other information that the Authority may require.

The above provisions also apply when a licensee intends to change a control system which had been approved by the Authority.

The Regulations also provide that the Authority may, at its sole discretion, submit or direct the applicant or licensee to submit the proposed control system or an approved control system to an audit. This takes place in the third stage of the process, that is, after the issue of the letter of intent but before the issue of the final license certificate.

In considering whether to grant the approval of the control system the Authority gives due regard to the following matters:

(a) whether the proposed control system or the proposed changes to the control system satisfy all the requirements of the Maltese Gaming laws and regulations;

(b) whether the proposed control system or the proposed changes to the control system are capable of providing satisfactory and effective control over the operation of remote gaming.

The Authority shall by written notice inform the applicant or licensee of its decision and where approval has not been granted, the Authority shall give reasons for its refusal to grant approval. Where approval is granted, the Authority shall have the right to direct the applicant or licensee, by means of a directive, to change or modify the approved control system in any manner whatsoever, within a period of time which shall not be less than thirty days from the date on which the directive is served on the applicant or licensee. Failure to comply with such directive shall constitute sufficient grounds for the Authority not to issue a license or to suspend the license as the case may be.

The law further provides that all remote gaming shall be conducted under the control system which has been approved by the Authority.

Specifications of the Gaming System

The “gaming system” is a computer system or systems of computers by means of which remote gaming is conducted, and shall include all its associated components, its operating systems and applications software. Technically this would include the subcomponents of the system that provide the games and would include gaming devices, where applicable.

The Regulations provide that an applicant for a license, or a licensee, shall in respect of a new gaming system, and before any such system becomes operational, provide adequate certification that may be required by the Authority. The certification must show that the gaming system has been found within the previous six months to comply with each and all the technical specifications laid down in the law.

The certification submitted to the Authority for approval must, where the system is based on computer software, include the following information:
(a) the name of the owner of the software
(b) the name of the organization which did the testing required by the Authority
(c) all companies and organizations involved in the process and their credentials
(d) all individuals involved in the process and their professional credentials
(e) the processes, rules and parameters of the games
(f) the server protocols, communication protocols and other specifications which are part of the gaming system architecture
(g) information about the security of the system
(h) which modules affect processes, rules and parameters of the game if the source-code is changed
(i) any other information that is of material importance to the specific software
(j) a detailed description of the setup and functionality of the application architecture and system architecture.

No changes to the gaming system shall be made without the prior approval of the Authority and additional certification of compliance.

Where approval of the system is not granted the Authority shall inform the applicant or licensee of its decision in writing stating its reasons for refusal.

Notwithstanding that the system has been approved for operation, the Authority may at any time direct the licensee to submit, at the licensee’s cost, the system’s software for further testing, checking or verification.

Gaming Equipment

No gaming equipment may be used in the operation of an authorized game pursuant to an online betting or online gaming license, without the prior approval of the Authority.

The Authority may, by written notice, require that gaming equipment be submitted for certification by an approved company or organization.

Certification Companies

The Authority may at any time after these regulations come into force publish a list of approved certification companies and organizations.

Technical Requirements for the Gaming System

The gaming system must:

(a) faithfully follow the game rules published by the operator; and
(b) provide over time no more than the expected house advantage to the operator.

Both the gaming and financial transactions must be congruent and secure.

The random number generator software must be used to regulate the outcome of the games. The numbers and cards must be drawn at random and must reflect an impeccable fair-gaming policy. The gaming system must satisfy the following criteria for randomness, following Schneier:

(a) the data must be randomly generated, passing appropriate statistical tests of randomness
(b) the data must be unpredictable, i.e. it must be computationally infeasible to predict what the next number will be, given complete knowledge of the algorithm or hardware generating the sequence, and all previously generated numbers
(c) the series cannot be reliably reproduced, i.e. if the sequence generator is activated again with the same input (as exactly as is reasonably possible) it will produce two completely unrelated random sequences.

The outcome of any game event, and the return to the player, must be independent of the CPU, memory, disk or other components used in the playing device used by the player.

The game or any game event outcome must not be affected by the effective bandwidth, link utilisation, bit error rate or other characteristic of the communication channel between the gaming system and the playing device used by the player.

The gaming system must be able to display for each game the following information on the current page or on a page directly accessible from the current page via a hyperlink:

(a) the name of the game
(b) restrictions on play
(c) instructions on how to play, including a pay-table for all prizes and special features
(d) the player’s current account balance
(e) unit and total bets permitted
(f) the rules of the game.

All financial reports produced by the gaming system must be congruent with gaming transaction reports and conversely. All such reports shall be readily and freely available to the Authority.

The gaming system must:
(a) be capable of producing monthly auditable and aggregate financial statements of gaming transactions, and
(b) calculate accurately all taxation and other monies due to the Authority.

The gaming system must maintain information about all games played, including:
(a) the identity of the player
(b) the time the game began as recorded on the games server
(c) the balance on the player’s account at the start of the game
(d) the stakes placed in the game (time stamped by the games server)
(e) the game status (in progress, complete, etc.)
(f) the result of the game (time stamped by the games server)
(g) the time the game ended as recorded by the games server
(h) the amount won or lost by the player and
(i) the balance on the player’s account at the end of the game.
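
One way an operator or auditor could check the per-game records (a) to (i) above, together with the requirement that financial reports be congruent with gaming transaction reports, is sketched below. This is an added example, not part of the Regulations or of the original page; the field names, record layout and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Hypothetical field names for items (a)-(i) of the list above.
ALWAYS = ("player_id", "started", "balance_start", "stakes", "status")
WHEN_COMPLETE = ("result", "result_time", "ended", "net", "balance_end")

def audit_game(rec):
    """Return findings for one game record; an empty list means it is consistent."""
    need = ALWAYS + (WHEN_COMPLETE if rec.get("status") == "complete" else ())
    missing = [f for f in need if rec.get(f) is None]
    if missing:
        return ["missing: " + ",".join(missing)]
    findings = []
    times = [rec["started"]] + [t for t, _ in rec["stakes"]]
    if rec["status"] == "complete":
        times += [rec["result_time"], rec["ended"]]
        # The closing balance must be fully explained by the recorded win/loss.
        if rec["balance_start"] + rec["net"] != rec["balance_end"]:
            findings.append("balance does not reconcile")
    # Games-server timestamps must run start <= stakes <= result <= end.
    if times != sorted(times):
        findings.append("timestamps out of order")
    return findings

def incongruent_players(games, ledger):
    """Players whose completed-game net differs from the financial ledger's figure."""
    totals = {}
    for g in games:
        if g.get("status") == "complete":
            totals[g["player_id"]] = totals.get(g["player_id"], Decimal(0)) + g["net"]
    return sorted(p for p in set(totals) | set(ledger)
                  if totals.get(p, Decimal(0)) != ledger.get(p, Decimal(0)))

def sample_game(player, start, net, end, stake_at=5):
    """Build a constructed (not real) completed game record for the demo."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    return {"player_id": player, "started": t0, "balance_start": Decimal(start),
            "stakes": [(t0 + timedelta(seconds=stake_at), Decimal("10"))],
            "status": "complete", "result": "settled",
            "result_time": t0 + timedelta(seconds=9), "ended": t0 + timedelta(seconds=10),
            "net": Decimal(net), "balance_end": Decimal(end)}

GAMES = [sample_game("p1", "100", "15", "115"),              # consistent
         sample_game("p2", "50", "-10", "45"),               # balance off by 5
         sample_game("p3", "80", "-10", "70", stake_at=30)]  # stake after game end
LEDGER = {"p1": Decimal("15"), "p2": Decimal("-10"), "p3": Decimal("-5")}  # constructed

if __name__ == "__main__":
    for g in GAMES:
        print(g["player_id"], audit_game(g) or "ok")
    print("ledger mismatches:", incongruent_players(GAMES, LEDGER))
```

Amounts are held as `Decimal` so that reconciliation is exact; binary floating point would produce spurious mismatches on currency values.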

The gaming system must maintain information about significant events as follows:

(a) large wins
(b) transfers of funds in excess of such amount as the Authority may from time to time direct by notice in writing to the operator
(c) changes made by the operator to game parameters.

Any variations to any of the requirements listed above shall be submitted to the Authority for its approval by notice in writing.

Final Considerations

After the certification process required for issue of the full five-year licence, the gaming system need not be tested regularly, but there will be follow-up audits by the Gaming Authority when deemed prudent. Only significant changes to the live gaming system require approval by the Gaming Authority before they can be introduced.

Wherever a discrete random number generator (RNG) is used, its certificate must be submitted to the Gaming Authority.

Where the gaming system used by an operator has already been certified (which is possible when one uses the gaming platform already licensed in Malta), no further gaming system certification is required, but then the individual licensee’s Control System will be subject to audit by the Gaming Authority.

 
