Resolution Of 16 November 2011, The General Direction Of Management Of The Game, Which Approves The Provision By Which Develop Technical Specifications That Must Meet The Technical Systems Of Game Object Of Licensed...

Original Language Title: Resolución de 16 de noviembre de 2011, de la Dirección General de Ordenación del Juego, por la que se aprueba la disposición por la que se desarrollan las especificaciones técnicas que deben cumplir los sistemas técnicos de juego objeto de licen...

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$20 per month, or Get a Day Pass for only USD$4.99.
Law 13/2011, from May 27, the game regulation, establishes the regulatory framework of the activity of game, in its various forms, which develops with State level, in order to ensure the protection of public order, fight against fraud, prevent the addictive behaviors, protect the rights of children and to safeguard the rights of participants in the games.

The establishment of the technical requirements of the aforementioned law 13/2011 has been subject to the Royal Decree 1613 / 2011, of 14 November, which attributes in the first final provision to the National Gambling Commission the development of certain technical aspects of the marketing of gaming activities subject to the Act.

All time that the Commission national of the game not has been effectively constituted and in application of the provision transient first of the law 13 / 2011, of 27 of mayo, of regulation of the game, corresponds to this address General of management of the game of the Ministry of economy and Hacienda the development and concretion of them requirements of character technical established in the cited law 13 / 2011 and in the Real Decree 1613 / 2011 , of 14 November, which develops it.

In his virtue, and prior report favorable of the advocacy of the State in the Secretariat of State of Hacienda and budgets of the Ministry of economy and Hacienda, agrees: first.

Approving the arrangement by which develop technical specifications that must meet technical game systems enabled in Spain and its control mechanisms attached as annex I to this resolution.

Game activities conducted through text messaging, through telephone services fixed or mobile or audiovisual media, not shall apply to the technical specifications laid down in this provision incompatible with the nature and characteristics of the channel for the participation of the game.

Second.

The references that are made to the National Gambling Commission in the provision that approves this resolution be construed as references to the direction General of management of the game of the Ministry of economy and finance or management center that attributed legally its powers until the effective Constitution of the aforementioned regulatory body. References to the President of the National Gambling Commission be construed as references to the General Director of game management.

Third party.

This resolution shall enter into force the day following its publication in the "Official Gazette".

Madrid, 16 of November of 2011.-the Director General of management of the game, immaculate candle tailor.

ANNEX I disposal by which develop technical specifications that must meet technical game systems subject to licenses granted under cover of law 13/2011, may 27, of regulation of the game contents 1. General provisions.

1.1 object.

1.2 definitions.

2. registration of user, features of game, means of payment.

2.1 user registration and limitation in participation.

2.2 deposits of those participating.

2.3. means of payment and collection.

2.4. protection of personal data.

3. game.

3.1. basic rules of the game.

3.2 the domain redirection ". is».

3.3 percentage of return to the participant.

3.4 tables of awards.

3.5 (GNA) random number generator.

3.6 logic game.

3.7 user terminals.

3.8. session of play.

3.9. graphical interface.

3.10. integration into networks of game with other operators.

3.11 disabling of a play or of a session of play.

3.12. incomplete game.

3.13 set automatic.

3.14. repetition of the move.

3.15 virtual players.

3.16. participant 3.17 metamorphic games in «absent» State.

3.18 games multiparticipant with host.

3.19 game «live».

3.20 boats, boats progressive, and awards additional.

4. security of information systems.

4.1 components critical.

4.2 management of the security of the system technical of game.

4.3 management of risks.

4.4 policy of security.

4.5 organisation of the security of the information.

4.6 security in the communication with the participants.

4.7 security of resources human and third.

4.8 security physical and environmental.

4.9 management of communications and operations.

4.10. access control.

4.11 purchase, development and maintenance of systems.

4.12 management of security incidents.

4.13. management of changes.

4.14 availability of service management.

4.15 information loss prevention plan.

4.16. business continuity management.

4.17 penetration testing and vulnerability analysis.

5. the system of Internal Control and inspection.

5.1. Internal Control System.

6 records and logs of the technical system of game.

6.1 registration and traceability.

6.2 registration depending on the marketing channel.

1. General provisions 1.1 object.

This provision aims at the development of technical specifications that must meet technical game of the operators with a licence granted under cover of law 13/2011, 27 of may, regulatory systems of the game and the same control mechanisms.

The technical infrastructure of the operators will ensure supervision by the National Gambling Commission of game operations, the obtaining of records generated during its development and generation and provision of the National Gambling Commission of any other information that is considered relevant.

To these effects specifications for the operations of game and its traceability records storage, are set in the format and in accordance with the procedure established by the National Gambling Commission and outlined the security requirements of information systems used for the game, both physical and logical, as well as the Organization and management of the same.

1.2 definitions.

To the effects of this provision, them terms that in she is used will have the sense that is sets in the present paragraph.

1. system technical of game: is understands by system technical of game to the set of equipment, systems, terminals, instruments and material software employee by the operator for the Organization, exploitation and development of the activity of game. He system technical of game supports all the operations necessary for it organization, exploitation and development of the activity of game, as well as the detection and the registration of them transactions corresponding between them participating and the operator.

The basic elements of the technical system of the game are the games unit and the internal control system. The game system will facilitate the information necessary for its control in Spanish. In case not available in Spanish, the National Gambling Commission may require translation, with either permanent or punctual.

2 games unit: Central Unit of games is the set of technical elements necessary to process and manage the operations performed by the participants in the games.

They form part of the Central Unit of games, platform games and games Software.

3 platform game: gaming platform is the infrastructure of software and hardware which is the main interface between the participant and the game operator and which offers the participant the tools necessary to open and close your account, record and edit your profile information, deposit or withdraw funds from your gaming account, view the detail of the movements in your account or a summary thereof.

Gaming platform includes any web site that displays information relevant to the participant on the games offered by the operator, as well as any client software that the participant has to download to be able to interact with the platform.

Gaming platform allows the operator to manage game participants accounts as well as financial transactions of game, reporting on the results of the games, enable or disable records and accounts and set all configurable parameters.

They are part of the game platform the following components: ● databases that collect the personal data of the participants in the games, those relating to the totality of transactions by the participants and information on results of events or sporting events, coefficients, etc.

● Them gateways of payments that allow perform them transactions economic between the participant and the operator of game and that contain the logical necessary to transfer funds from the medium of payment employee by the participant to the operator and from this to the participant.

The platform of game must meet with the requirements technical that is established in this provision.

4. software of game: is understands by software of game each one of them modules or components software that allow manage each one of them games, authorize and implement the rules of each one of them and to which is enter from the platform of game.

5 random number generator: random number generator, also known by its acronym GNA, is the component software or hardware which, through procedures that guarantee its randomness, generate numerical results that are employed by the operator for the determination of the results of each of the games in which it is used.


Through a process called scaling, will become the gross profit obtained by the generator of random numbers to a value within the range of values that support every game (52 cards, bingo numbers n values). These numbers, through the process of translation or mapping, is converted to the symbols that used the game (cards, balls, etc.).

6. Internal Control System: the system of Internal Control or IBS, is the set of components for recording transactions in the development of games in order to ensure the possibility of maintaining a permanent control over the activities of the operator game to the National Gambling Commission.

The Internal Control system shall consist of grabber and secure database or store of gaming operations.

7. grabber: the grabber is the component of the system of control internal of the operator intended to the captures and record of them data of monitoring and control established by the Commission national of the game, its translation and its storage in the device called warehouse of operations of game.

8. the secure database or warehouse of gaming operations: secure database or warehouse of gaming operations (hereinafter, store) is the device located in Spain which contains the data of monitoring and control introduced by the grabber and which at all times can access the National Gambling Commission. The information extracted from the system of game by the grabber must store is, with the format and structure established by the Commission national of the game.

9. user registration: user registration only registration that allows the participant access to activities of a given operator is defined and in which are collected, among others, the data enabling the identification of the participant and which allow economic transactions between it and the game operator.

10. has of game: is understands by has of game to it has open by the participant, of form linked to your registration of user, in which is loaded them income of them amounts economic intended by this to the payment of the participation in them activities of game and is paid them amounts of them awards obtained by the participation. The gaming account may not, in any case, file credit balance.

2. registration of user, has of game and means of payment 2.1 registration of user and limitation in the participation.

2.1.1 identification of participants.

The identification of participants will take place through a user record that shall contain, at least, the following information: ● identification data: ○ to residents, identification number fiscal (NIF) or identification number of foreigners (NIE).

○ For non-residents, an equivalent document: identity card, social security, passport, driving licence card.

○ Name and surname.

● personal data: date of birth ○.

○ Sex.

○ Address.

○ For non-residents, country of residence.

○ Nationality.

○ Email.

○ Phone.

● Data of fiscal residence: ○ code of tax residence of the participant, in accordance with the model 763 from autoliquidación of taxes on gaming activities, approved in order EHA/1881/2011, July 5.

○ For residents it is not necessary that the participant will provide a copy of the document used for identification.

2.1.2. conservation of copy of the documents supplied.

The operator shall establish the technical procedures necessary for the preservation of the digital copy of the documents provided by the participants.

2.1.3. game contract.

Operator shall keep the record of acceptance of the contract game and its eventual amendments.

2.1.4 verification services offered by the National Gambling Commission.

The National Gambling Commission gives operators an online service-checking of identity and date of birth for participating residents in Spain: the verification service is based on the NIF/NIE of the participant.

The Commission national of the game provides to them operators two services online of verification for the registration of them participating in the Register General of bans of access to the game: ● a service of verification of the registration of a participant in the record General of bans of access to the game for participating residents in Spain starting from NIF / NIE. The operators must use this service to check the registration in the process of registration of user.

● a service of consultation of the variations (high / low) in the registration in the Register General of bans of access to the game, corresponding to them participating that previously had verified the operator. Operators must use this service every hour to verify variations in registration in the General Register of bans access to the play of their participants.

2.1.5. periodic review of user records.

The operator shall establish the technical procedures that allow for the periodic review of the records for user in the terms established in article 26.3 of the Royal Decree 1613 / 2011, 14 November, whereby the law 13/2011, may 27, of regulation of the game, develops with regard to the technical requirements of gaming activities.

2.1.6. cancellation of user registration.

The operator will retain the cancelled records for user data. In the registry, the moment of cancellation and the reason will be presented.

2.1.7. activation of the user registration and limitation in participation.

The operator shall have a documented procedure of registration and activation of user who will pick up the requirements identification and limitation of participation set forth in articles 26 and 27 of the Royal Decree 1613 / 2011, 14 November, whereby the law 13/2011, may 27, of regulation of the game, develops with regard to the technical requirements of gaming activities.

He operator must count with a service of verification of the data of identity and date of birth enough for determine the veracity of the record. This service may be lent by third parties that provide services professional of verification of identity.

2.1.8 suspension by inactivity.

The operator will keep a record of them records of user suspended by inactivity in which is will include the date of suspension.

2.1.9 suspension injunction of the registration of user.

The operator shall maintain a registry of user logs suspended on the grounds set out in article 33.2 of the Royal Decree 1614 / 2011, 14 November, whereby the law 13/2011, may 27, of regulation of the game, develops with regard to licenses, authorizations and registrations of the game. The register shall include the date and the reason for the suspension.

2.1.10. only active user registry.

The operator shall establish procedures and mechanisms to ensure the requirement for registration of unique active user per participant of article 26.2 of the Royal Decree 1613 / 2011, 14 November, whereby the law 13/2011, may 27, of regulation of the game, develops with regard to the technical requirements of gaming activities.

2.1.11 identification for access.

Once you have completed the registration process will be assigned to the participant a unique user identifier. Access to user registration and the gaming account must be booked exclusive registration incumbent participant.

2.1.12 authentication of the user and policy of passwords.

The access to the record of user must count with mechanisms of security to authenticate to the user in the platform.

The authentication of the user can make is through the use of passwords. The political of passwords must contemplate, at least, them following requirements minimum: ● must establish is, by default or by the participant, a password initial of user.

● During the process of definition of the password of user, the participant must be informed on good practices in the choice of password safe.

● The length minimum of the password will be of 4 characters or digits.

● If the password is established by the user and its length is lower to 6 characters, of which at least one will be letter and at least one will be a digit, the user will receive a message recommending of good practices in the choice of passwords safe. The user will need to validate his decision.

● password may not contain any of the following data: name of user, the pseudonym, the name or last name or date of birth of the participant.

● Must offer the user a reminder of password with a minimum annual frequency change, although it is not mandatory for the user to perform the change.

● The mechanism of identification through username and password must be blocked if more than 5 erroneous access attempts occur on the same day. The operator can set a bottom to this requirement.

The operator may provide other methods of user authentication whenever they offer a higher level of security than the password.

The scheme will retain all attempts to access registration, either with or without success, for its subsequent audit.

The operator shall have a documented procedure of access security of the user that will be described:


▪ The mode in which protects user from unauthorized access registration.

▪ The existence or not of a half indirect, or assisted by staff of the operator, of access to the record of user, prior overcoming of questions before grant the access or renew it.

▪ treatment of lost passwords or user IDs.

2.2 deposits of those participating.

2.2.1. procedure of control of the deposit account.

The obligations of the operator in relation to the funding of participants are those set out in article 39 of the Royal Decree 1614 / 2011, 14 November, whereby the law 13/2011, may 27, of regulation of the game, develops with regard to licenses, authorizations and registrations of the game.

2.2.2 features of game. Association to the user record.

Each user record will have linked one or more accounts of the game. Of the accounts linked to the same record of user, unless one will allow the deposit and the withdrawal of funds. The transfer of funds between different game accounts linked to same user registration will be immediately and free of charge for participants. Each has of game will allow pay the participation in one, several or all the games offered in the platform.

2.2.3 history.

He participant may consult in time real the balance of it has of game and the record, at least, of all the shares or played made in them last thirty days.

2.2.4. units of the gaming account.

Of conformity with it willing in the article 35.2 of the Real Decree 1614 / 2011, of 14 of November, by which is develops the law 13 / 2011, of 27 of mayo, of regulation of the game, in it relative to licensing, authorizations and records of the game, the unit monetary of the has of game is the euro.

The operator can use other units as bonus points ("bonus"), points to pay for entry into tournaments or others. The platform will record the balance and movements expressed in each of the units.

2.2.5. Prohibition of transfers between participants.

The operator will establish the procedures technical necessary that prevent them transfers between accounts of game associated to different records of user.

2.2.6. promotional offers.

If the conditions of promotional offers to establish a quantity to accumulate, e.g. of points, the participant should be able to check points accumulated or the remaining conditions.

2.2.7 accounts associated to different State than active user records.

Different State than active user records are restricted in whole or in part your trading platform. The operator must have a documented procedure of technical controls and reviews to ensure that the game accounts associated to different State than active user records do not perform improper movements.

2.2.8 balance creditor.

Any game account may have credit balance. If there are no sufficient funds available in the account of the game, the stakes in the game must be rejected and not allowed withdrawals of funds.

Without prejudice to the provisions of the preceding paragraph, the operator will have a documented procedure to correct possible errors that can occur temporarily credit balances as a result of operator error. This procedure shall include a record of them identifying the cause and its rectification.

2.3. means of payment and collection.

2.3.1. withdrawal of funds.

Operator shall establish a procedure to instruct the method of payment that corresponds to the transfer of funds within a maximum of 24 hours. This procedure must provide for that in exceptional case of rather than not fulfilled the referred deadline shall be previously notified to the National Gambling Commission.

2.3.2 deposit limits.

The operator will keep a record with modifications in the deposit limits detailed by user registration. The record included the date and the reason for the amendment.

2.4. protection of personal data.

2.4.1. data protection.

Operators shall establish appropriate technical procedures to maintain the privacy of the data of the participants in accordance with the organic law 15/1999, of 13 December, on protection of data of a Personal nature and its complementary regulations.

Operators must also implement security measures established in the current legislation on data protection on the files and treatments and to comply with the duty of secrecy imposed by such legislation.

2.4.2. policy of privacy.

The operator shall publish in gaming platform privacy policy.

To complete the user registration process, the participant must give its consent to the operator policy. The platform shall record acceptance of the participant and the contents of the privacy policy or a link to the text of the same. Any subsequent modification of the privacy policy will require your communication to the user and their acceptance.

The operator will have a technical and operational plan to ensure the privacy of the user data.

3 game 3.1 basic rules of the game.

Operators must implement in its game system procedures needed to comply with the requirements laid down in the basic regulation of every game and that is set to the corresponding Ministerial order and, in particular, the requirements with regard to: ● special rules of the game.

● Claims of those participating.

● Obligations of information to those participating.

● Promotion of the games.

● Channels and means of participation.

● Objective in the game.

● Participation in the game and limits to her participation.

● Development of the game, determination and allocation of the prizes.

● Formalization of betting or played and assumptions of cancellation and postponement.

● Payment of awards.

3.2 the domain redirection ". is».

The operator shall establish procedures and mechanisms to ensure that all connections made from Spain or a Spanish user record are directed to a Web site with domain name under ". is».

3.3 percentage of return to the participant.

In those games where possible, operators will determine the theoretical percentage of return to the participant. The theoretical percentage of return participant will be public and accessible to participants, and shall include, at least in the specific rules of the game.

In the case of the theoretical percentage of return to the participant should be informed always minimum or the expected range, as well as an explanation of its meaning for each game or family of games. A participant who follow an optimal game strategy must obtain a percentage of return greater than the informed participant to the participant. The operator shall ensure that also gets a percentage of return participant as well or upper half a participant who follow a strategy game.

The operator must demonstrate to the National Gambling Commission percentage of return to each game participant.

The operator will retain record of them changes in the percentage of return to the participant of every game, for the purposes of its review.

He percentage of return to the participant not may be modified during the course of the game, except in those cases in that this made is planned in the rules private and the participant is properly informed.

3.4. tables of awards.

Tables of awards, in those games that exist, will be public and accessible to participants and include all possible winning combinations and a description of the prize corresponding to each combination.

The awards program information must clearly indicate if the awards are quantified in units of account, monetary or any other unit established unit.

The awards program information reflect any change in the value of the prize that may occur in the course of the game. For these purposes, it is sufficient the operator has and display a box in a prominent place in the graphical interface of the game they appear concerned changes in the value of the prizes.

When there are boats or multipliers of the awards displayed on screens, should be specified if the boat or the multiplier affects the programme of awards or not.

The operator will retain record of awards for each game tables, so that these changes can be audited.

Awards tables may not be changed during the game, except in those cases in which this fact is foreseen in particular rules and the participant to be properly informed.

3.5 (GNA) random number generator.

3.5.1. operation of the GNA.

The random number generator shall, as a minimum, meet the following requirements: ● the random data generated must be statistically independent.

● The random data should be uniformly distributed within the established range.

● The random data must remain within the established range.

● The random data generated must be unpredictable (his prediction must be unworkable by computing without knowing the algorithm and seed).

● The generated data series must not be reproducible.

● Instances different of a GNA not must synchronize is between itself so the results of ones allow predict them of another.

● The technical of seeded / resemillado not must allow the realization of predictions on the results.


● generation mechanisms must have passed different statistical evidence supporting its randomness.

The technical system can share a GNA or an instance for one or more games if this does not affect the random behavior of the system.

3.5.2. methods of scaling.

Scaling methods must comply with the requirements to the GNAs.

Them methods of scaling should be linear and not should introduce any bias, pattern or predictability and should to submit is to testing statistics recognized.

3.5.3 GNA Hardware.

For use is a GNA hardware must meet the same requirements, adapted to them features technical of the hardware and, of exist, prove that the personal that it operates not can influence in them results. In the event of use of a GNA hardware operated by staff, the operator must have a procedure to minimize the hypothetical risks that could affect the generation of results.

3.5.4 failures in the GNA.

The operator shall implement a monitoring system of the GNA that allows you to detect faults, as well as the mechanisms that disable the game when a fault in the GNA.

3.5.5. the GNA Resemillado.

The operator must have a procedure for resemillado of the GNA.

3.6 logical of the game.

3.6.1 logic independent of the user's terminal.

All functions and logic that are critical to the implementation of the rules of the game and the determination of the result must be generated by the Central Unit of games, user terminal independently.

3.6.2 implementation of the GNA in those games.

The range of values of the GNA should be precise and not to distort the percentage of return to the participant.

The method of translation of them symbols or results of the game not should be subject to the influence or controlled by another factor that not are them values numerical derivatives of the GNA.

Random events should be governed exclusively by the random number generator and there should not be any correlation between a few moves and others.

He game not must discard any event of random, except in those cases in that this circumstance is contemplated in the rules of the game.

Game not servicing events from random, or manual, or automatically, or to keep a percentage of minimum return to the participant.

When the rules of the game require that it is lot a sequence of events in random (for example, letters of a mallet), random events will not resecuenciados during the course of the game, except in those cases in which this circumstance is contemplated in the rules of the game.

3.6.3. the logic of the game controls.

The game must be designed to minimize the risk of manipulation. Shall be taken of the technical, organizational and procedural measures that prevent behaviors involving deviations from the rules of the game.

The operator shall have a documented procedure that describes the measures applied on your system to ensure that: ● the game takes place in accordance with the rules of the game.

● The data of game is recorded in the system.

● guards or identifying documents of a bet or participation are protected against its possible manipulation.

● The system controls the marketing of bets or the participation time. The moment in which the marketing is closed should be one who is established in the rules which govern the game and in any case will be before the end of the event that triggers the outcome of the game.

● The system controls the prize fund made up.

● The procedure of determining winners working properly, and does not introduce winners who do not meet the conditions to be awarded or by not winning to those who do comply with them.

● The system be granted awards to participants who appear on the list of winners of effectively.

Any modification, alteration or deletion of them data must leave trace of audit, especially when there is intervention manual.

3.7 user terminals.

3.7.1 identification of terminals.

It platform must be capable of identifying them different types and versions of terminals of user, and is will retain record of them same.

If the terminal is installed in rooms of game physical, casino or other establishments where are authorized, the platform must identify the establishment. Except for reasons technical duly justified, the platform must register if the participant is using a solution specific provided for devices mobile.

3.7.2 installation of components in the equipment of the participant.

If the use of the system of game requires the installation of any component in the team of the participant, is must require the consent express of the participant prior to the installation.

3.7.3 disadvantage by the quality of the connection.

He operator is obliged to introduce in their systems technical all them media possible to treat of reduce the risk of that certain customers are in disadvantage facing others by factors technical that can affect to the speed of the connection.

The participant must be informed in those cases where the response time may have a significant impact on the probability of winning.

3.7.4. information about the quality of the connection.

The system will inform the participant about the non-availability of communication with the game system as soon as it detects it.

The gaming software should not be affected by the malfunction of the devices of the final participants, with the exception of the implementation of the procedures for end items or incomplete games.

3.7.5 functionality reduced to certain terminals.

Terminals that have a graphical interface more reduced than others (such as for example the mobile devices from personal computers) may offer some content that may not be viewed fully as in other terminals. The platform will offer, for strictly technical reasons arising from the characteristics of the terminal, other functionality in different types of terminals.

The participant must be informed of the limitations of information or functionality of the terminal and client application you're using, and accept it expressly.

The operator will mitigate the risks resulting from the lack of information or functionality in a given terminal offering the same information by other means.

Except duly justified technical impediments, all the information which must appear in the interface should also appear in a terminal. When it is not possible to include all information or links in the interface of the game, they will be from a link, a menu or from another application in the same terminal.

3.7.6. minimum resources of the terminal.

The platform will not process terminal games if not available for all minimum resources to allow play without technical problems and disadvantages.

3.8. session of play.

3.8.1. disconnection for inactivity.

The time of disconnection for inactivity of the user will be a maximum of 20 minutes; After this time, the platform must disconnect the user.

When the operator basically one-way communications where the expected user behavior is passive, as for example in the broadcast of a sporting event live, can understand that the user is still active even if you do not perform any action.

If technically is possible, is informed to the participant of that the session has ended.

3.8.2 record of those sessions of play.

The platform will retain record of them sessions of user, with detail of the times of home and end of session, of the mechanism of authentication used by the user, and the cause of disconnection or inactivity.

In the event that the terminal belong to the user, the platform will allow identify, if technically is possible, the type of device (computer, smartphone or others), it application / version used (browser or application concrete), and in his case it address IP.

In the event that the terminal belong to an operator, will allow identify the type and version of the terminal, as well as, if technically is possible, the terminal specifically.

3.9 interface graphic.

3.9.1. data of the game.

The name of the game, that the participant is playing must be clearly visible on all associated screens.

The instructions of the game must be easily accessible. The graphical interface must include the information necessary for the development of the game. The function of all action buttons represented on the screen must be clear.

The outcome of each play must show, if it is technically possible, instantly to the participant and maintain for a reasonable time period.

3.9.2. the participant data.

The display should show the current balance of the participant at least in euros and the bets made, unit and total.

3.9.3 awards.

The interface must clearly indicate if the awards are displayed in euros or credits. They shall not alternate different representations that can confuse the participant.

If is offer Awards random associated to a played or bet, the participant must know the amount maximum that can get starting from the bet or played that is going to perform.


The participant must be informed when the amount of the random prize is determined according to the amount of play or bet. When the text or them elements graphics announce an award maximum, this award should to be got through a single game.

3.9.4. card games.

Card games must comply with that: ● the faces of the cards must clearly show the value of the same.

● The faces of the cards must show clearly the stick / color of them same.

● The jokers or wildcards should be distinguished from the rest of the letters.

● The use of more than one shuffle in the game should show is clearly.

● If the cards are barajadas during the game, report clearly on the frequency with which is performed and displayed the time in which it is performed.

3.9.5 simulation of elements of her life real.

Games that simulate real life (roulette wheels, drums, or other) elements, should behave in the way more similar to the behavior of these physical elements. The probability that an event occur in the simulation affecting the outcome of the game must be equivalent to the physical device in real life.

3.9.6 interface graphics from third.

He is considered to be a graphical interface of third parties when the operator does not offer it as part of their platform or when the operator to include a link to download and next to the link is clearly specified that the operator is not responsible for it.

The operator shall inform the participants that they may decide to use a third-party user interface in relation to functionality and any information you receive may not be complete.

3.10 integration in networks of game with other operators.

The operator shall ensure that any integration with systems of other operator is such that it meets the specifications laid down in this provision.

3.11 disabling of a play or of a session of play.

The platform should allow that, in exceptional circumstances, it is possible to disable a full game, or specific user sessions, leaving record of proceedings and the reason that originated them for a later revision.

3.12 game incomplete.

An incomplete game is the one whose outcome has not yet produced or, if it has occurred, the participant could not be informed of this fact.

Before a game incomplete, them rules particular of the game will determine the performance of it if it platform, that can wait to the participant, cancel the game or continue in the same until is completed.

● If the incomplete game is due to a loss of connection from the user's terminal, platform will show incomplete game when the participant returns to connect.

● operator must have a documented procedure for the incident of unavailability of one, several or all management components, which include the associated technical measures. Components must perform a self-diagnostic, critical files check and a check of communications between components.

● After the recovery, the system technical of game should proceed to treat them games on course affected by the interruption.

The technical system saves record of service interruptions, with its onset, duration, and services affected for later review.

3.13. automatic game.

If the system offers tips on game strategy or automatic play features, such recommendations or features must be truthful and ensure that the mandatory return percentage is reached.

Ensure that the participant maintains control of the game when it provides the functionality of automatic game. The participant can control the maximum amount of automatic game or the maximum bet and the number of automatic bets. The participant can deactivate in any time the functionality of game automatic.

When using the automatic play functionality, information displayed on screen (duration, graphic elements or others) will remain the same and will present the same characteristics than when the game is not automatic. The interface will additionally display the number of elapsed or remaining automatic moves.

AutoPlay functionality may not put at a disadvantage to a participant, and neither the sequence of automatic headings, nor any strategy that is recommended to the participant must prove deceptive.

In the case of games in which to intervene simultaneously more than one participant, the participants must be informed and agree to a participant who has established automatic play functionality.

3.14. repetition of the move.

The platform should provide the participant the repeat option of the move, showing it as a graphic reconstruction or intelligible description that should be played by all sets of the game that may have an impact on their development. The repeat option must provide all the information necessary to reconstruct the last ten games of the current meeting.

3.15 virtual players.

3.15.1. virtual players provided by the operator.

The operator can use artificial intelligence through virtual players, also known as robots, if so expressly allowed by the regulation of the corresponding game.

In the case of games in which to intervene simultaneously more than one participant, the participants should be informed and accept the presence of a virtual player.

Automatic or virtual players must be clearly identified in the interface.

The virtual player should have no technical advantage over the participants, and will not have access to information that is not in the scope of these.

3.15.2. virtual players used by participants.

The operator can provide participants artificial intelligence through the use of virtual players or robots, thus permitting regulation of the corresponding game.

The operator will report on whether or not allows the use of virtual players or robots by the participants. In the cases which allow them and simultaneously involved more than one participant, the operator must ensure that the other participants know who is a virtual player or robot. In cases that do not allow them and simultaneously involved more than one participant, should try to avoid that participants make use of virtual players and soon detected use this circumstance shall inform the participants. Participants must have a mechanism for reporting the existence of a possible virtual player.

The operator shall have procedures to detect if a participant is using artificial intelligence techniques.

3.16 metamorphic games.

Metamorphic or evolution, games should: ● inform the rules applicable at each time or phase of play.

● Show participants enough information to indicate the proximity of the next metamorphosis. For example, if the participant goes collecting elements, the interface must show the number of elements that the participant has collected, which are necessary for the metamorphosis or which you missing to get it.

● The probability of a metamorphosis not must be varied depending on the awards obtained by the participant in previous games. Any exception must be previously authorized by the Commission national of the game.

● The information and the game not must be misleading or ambiguous.

3.17 participating in State «absent».

During a game in that intervene simultaneously more than one participant, the platform must allow to the user establish a State of «absent» or «pause» that can be used if the participant need leave of play during a period brief that never will be superior to twenty minutes. In status «absent» participant does not perform new moves. If he made any move your State stop being automatically «absent». If the actions do not affect the game (eg. see support) will keep the status of «absent».

3.18 games multiparticipant with host.

In games where a participant is the host, the Council may decide whether to accept any participant or if it only accepts it through an invitation. The host may not exclude participants from the table once have been previously accepted to it.

3.19 game «live».

There must be procedures for the resolution of any incidents that may happen during the game live.

The automatic devices for recognition and registration used must be equipped with a manual mode that allows the correction of an erroneous result. The participant must be informed that the manual mode is active. Every time you activate the manual operating mode the trace which allows its further revision should be left.

Should exist procedures to treat interruptions in the game caused by the discontinuity in the flow of data, video and voice.

3.20 boats, boats progressive, and awards additional.

Whenever the regulations basic of them games corresponding it allow, the operator can create boats, boats accumulated, boats progressive or awards additional.


Platform shall inform the participant in a clear manner when it is providing funds to boats and the way in which a participant may choose to. All participants who contribute to the pot must be eligible to win it throughout the development of the game. The description of them conditions of the boat and them requirements to win it should be communicated to the participant.

Conditions of the boat should include any conclusion or interruption, planned or unplanned, the game, as well as technical disruption of the system.

The operator must have a procedure that allows the control of boats, ensuring that: ● the boat creates, manages, and grants in line with the rules of the game.

● Once constituted and open the pot, the conditions do not change until this has been won by one or more participants and made effective amount.

● The procedure of determination of winners works correctly. The procedure should not allowed to introduce winners who do not meet the conditions to be awarded, or nor not given by winners to those who do comply with them.

● The system gives them awards to those participating that listed in the list of winners.

● If they exist, will pay special attention to systems of redirection of the pot in which part of the accumulated jackpot is redirected to another fund, where it can be won later. Boat redirection system cannot be used in order to indefinitely postpone the award of a prize.

The procedures involved in the determination of winners must trace enabling the subsequent revision of the process of decisions taken.

The amount of the boat must appear updated in all the terminals of them participating that participate in it.

The ineffectiveness of the boat must be communicated to the participants by viewing at its terminal messages as «closed boat» or similar. It will not be possible to win a cumulative jackpot that is previously closed.

4. security of information systems security requirements of the technical system of play established aim to protect the records of user's users and their associated game accounts, as well as ensuring that the game is set correctly.

4.1 components critical.

Critical components are the elements whose security must be strengthened, since its impact on the development of the game is important.

They are critical components: ● in the user record, has gaming and payment processing: the components of the technical system of play that stored, handled or transmit sensitive information from customers such as personal, authentication, or economic data and the stored timely State Games, betting and its result.

● In the random number generator: the components of the technical system of play which transmitted or processed random numbers that will be subject to the outcome of the games and the integration of the results of the generator of random numbers in the logic of the game.

● The connections with the Commission national of the game.

● The internal control system: the grabber and the warehouse.

● The points of access and communications and to previous critical components.

● communication networks that transmit sensitive information from participants.

4.2 management of the security of the system technical of game.

The operator shall implement a system of safety management, which will protect especially critical components referred to in the previous number.

Security procedures should be directed to implement specific security measures, on the basis of an assessment of the risks. Operator shall plan periodic inspections and make revisions derived from the significant changes.

4.3 management of risks.

The management of risks will identify them elements to protect, to then carry to out an identification, quantification and prioritization periodic of them risks to which is submitted the system technical of game. The management of risk should translate are in a plan of measures.

4.4 policy of security.

Them operators must count with some procedures of security that will be releases to the whole of their employees and, in his case, to them entities collaborating external.

4.5 organisation of the security of the information.

Them operators must establish a frame of management for the security of the information indicating the functions and responsibilities of its personal.

4.6 security in the communication with the participants.

Must adopt are mechanisms of authentication that allow to the system of game identify to the participant, and that, to his time, allow to the participant identify to the system of game.

The communications will be encrypted in the cases of transmission of data personal (registration of user) or economic (has of game).

In relation to communications, the operator shall take the measures which are necessary to ensure the integrity and non-repudiation in the cases of transmission of personal or economic data, and transactions from participation in the game.

4.7 security of resources human and third.

Security personnel of the operator shall include training programs, management contracting, changes and termination of contracts, paying special attention to the permissions of access to critical information and components.

When the operator need of third-party services involving access, processing, communication and treatment of information, or access to facilities, products or services related to the game, these third parties shall comply with all of the requirements of security to the rest of the staff.

4.8 security physical and environmental.

Operators safety plans must include, in relation to the physical safety of the components of the technical system of play and its replica, the following: ● security perimeter for areas containing sensitive information and critical components: walls, card access, etc.

● Control of physical access to facilities in which teams, they are both employees and external personnel, including physical elements, authorisation procedures, access records and surveillance services.

● Protection of them equipment critical to risk environmental: water, fire, caused by people, etc.

● Protection of them teams critical facing cuts of the supply electric and other interruptions caused by failures at facilities of support. The wiring of supply electric must be protected from damage.

● Control of access to the wiring of communications if conveys information critical without encrypting.

● Maintenance of the facilities and equipment.

● The devices that contain information should be deleted of way safe or destroyed before being reused or retired.

● The teams that contain information not can be transferred out of the facilities safe without the corresponding authorization.

4.9 management of communications and operations.

You must be safe and proper operation of the game system, as well as communications: ● the critical components should be monitored to avoid that different versions of the homologated may be used.

● communication between the components of the technical game systems will ensure the integrity and confidentiality.

● The tasks are segregated between different areas of responsibility, to minimize the possibility of unauthorized access and potential damage.

● Will separate the tasks of development, testing and production.

● services provided by third parties must include controls and metrics for security contracts, and should be regularly audited and monitored.

● measures of protection against malicious code.

● Should do regularly backups with adequate frequency and keep guarded as it is collected in the backup plan.

● measures of security in communications network.

● measures of safety in the handling of portable media as well as secure deletion or destruction of them, which will translate in a documented procedure.

● Them watches of all those components, especially those critical, must be synchronized with a source of time reliable. The source of time reliable may not be the same for each component. He operator will establish measures and controls to avoid the manipulation of them marks of time or its alteration rear, especially in them records of audit.

● Should generate is and save is record of audit of activities of all those users, exceptions and events of security of the information during a period minimum of 2 years.

○ The records of audit will be protected against the alteration and the access abuse.

○ The activities of the administrator of the system and of the operator of the system must be registered.

○ Is will perform an analysis periodic of them records of audit. It will take actions depending on the incidents detected.

4.10. access control.

The access to the staff of the operator and the participants must meet the following requirements: ● there must be a policy of access to documented information, which will be reviewed periodically.


● must ensure authorized access and preventing the unauthorized using controls in the user registration, management of access privileges, periodic review of policy management of passwords and access privileges.

● users must follow good practices in the use of passwords and adequately protected documentation and supports in your workplace.

● The users only have access to those services that have been authorized to use.

● do not exist generic users and all users will access with their own unique user.

● The system must authenticate all them access, already is personal own, of maintenance or others, already is of others systems and components (for example the gateway of payments). The National Gambling Commission inspection staff or other staff who act on his behalf must also be authenticated.

● The networks be segregated depending on the area and responsibility of the task or function.

● access to operating systems will require a secure authentication mechanism.

● Is restricted and controlled the use of programs that permit avoid of access and security controls.

● The session will have a maximum time of duration of the connection and disconnection for inactivity time.

● computer support staff will have restricted access to the actual data of the applications. The actual sensitive data will be located in isolated environments.

● Is managed the risks associated to devices moving.

● If the telework must be checked that the associated risk is managed as part of the security plan.

4.11 purchase, development and maintenance of systems.

One must analyze the impact on security in the decision-making process of purchase, development and maintenance of information systems.

4.12 management of security incidents.

The operator must dispose of a procedure documented of management of incidents of security.

All security incidents must be reported and the facts, the impacts and the measures taken will be documented in a clear and concise manner.

4.13. management of changes.

Of conformity with it willing in the article 8.5 of the Real Decree 1613 / 2011, of 14 of November, by which is develops the law 13 / 2011, of 27 of mayo, of regulation of the game in it relative to the requirements technical of them activities of game. The approval and certification reports will include a list of critical components. It put in production of any modification substantial that affect to a component critical need to the prior authorization of the Commission national of the game after the presentation of the corresponding report of approval. The National Gambling Commission may qualify as critical other additional components.

The operator must have a documented change management procedure, that controls the changes of equipment and components of the technical system of play in the production environment.

He operator will continue to a process formal of approval internal of all them changes, that must involve the request of change and its approval by the responsible corresponding. Requests for changes and decisions will be recorded and may be subject to later audit.

Substantial changes of critical components must be previously approved by the National Gambling Commission. Requests for changes shall be accompanied by an application for the approval of the new components. In situations of extraordinary emergency, duly accredited, and communicated to the National Gambling Commission, affecting security, the operator may introduce substantial changes in the critical components and then ask for their permission. To obtain type-approval operator shall submit to the National Gambling Commission, together with the certification report, a report which shows the exceptional circumstances.

4.14 availability of service management.

The operator must have a management plan for the availability of the service.

The operator should be considered within the plan for each of the following services: ● registration of participant, game accounts, including the ability to make deposits and withdraw funds.

● gaming services.

The plan will indicate the time maximum of unavailability accumulated monthly, as well as the time maximum of recovery for each service. The operator will adapt its infrastructure and processes, and will implement the measures necessary to comply with the objectives set out in its management of the availability plan.

4.15 information loss prevention plan.

The operator should have of a plan that ensures that not is lost data or transactions that affect or can get to affect to the development of them games, to them rights of them participating or to the interest public e indicate the risk assumed by the operator.

The operator will adapt its infrastructure and processes, and will implement appropriate measures to meet the targets set in its plan, establishing the following minimum: ● copies of the information shall be kept in a location conveniently away from the data that aims to safeguard.

● The copy of the information is will protect of access not authorized through measures of security equivalent to them of the information to safeguard.

The operator must have a documented procedure for action in the event of loss of information which will include mechanisms to address complaints from users, the continuation of the games or betting interrupted, and any other situations that may arise.

In case of a loss of data, the operator shall inform the National Gambling Commission, with immediate, indicating actions taken and an estimate of the impact of the loss.

4.16. business continuity management.

The operator must have a plan of business continuity for the maintenance of the operation of game disaster, including technical, human, and organizational measures to ensure the continuity of the service and a replica of the Central Unit of games that allows the normal development of the activity.

The business continuity plan will determine one or several recovery scenarios indicating for each one of them recovered services and the maximum time in which would be operating. The operator should be considered within the plan for the following scenarios: ● the participants access to their user records and accounts of the game, with the possibility to consult the balance and movements of their associated game accounts. The maximum time for again providing these services will be one week.

● Possibility to the participants to withdraw their funds. The maximum time for again providing these services will be one week.

● Continuation of incomplete games or pending bets, and payment of the validly earned awards. The maximum time for again providing these services will be a month.

● full re-establishment of all services.

The operator will adapt its infrastructure and processes, and will implement measures to make achievable the targets in its business continuity plan.

In case of disaster, the operator shall inform the National Gambling Commission with immediate, making an estimate of the impact and estimated recovery time.

4.17 penetration testing and vulnerability analysis.

The game system must pass a test of penetration and an analysis of vulnerability, at least on a biannual basis. He test of penetration will consist in a method of evaluation of the security of a network or a system, through the simulation of an attack carried out by a third. The process includes an analysis active of the system looking for weaknesses, faults technical, or vulnerabilities. The test will include all the interfaces public that envelope, processed or transmitted data personal, economic or of game.

He analysis of vulnerabilities will consist in the identification and quantification passive of the risk potential of the system. The analysis will include all the interfaces public that envelope, processed or transmitted data personal, economic or of game.

Them results of them test and of them analysis must preserve is along with them measures corrective applied or planned, for its subsequent review or inspection.

5. system of Control internal and inspection 5.1 system of Control internal.

5.1.1 description.

Monitoring and supervision of gaming activities conducted by the operator shall be made through the internal control system (hereinafter SCI), that operators must implement. The SCI must include all participants located in Spain or Spanish register, anyone who is the means of participation. The operator must establish and maintain a line of secure communication for the access of the National Gambling Commission, as well as a service for consultation and download of data available to the National Gambling Commission.

IBS is composed of capture and store game (warehouse) operations.

5.1.2 the national Gaming Commission access to the store.

Store shall maintain the following accesses permanently open for access by the National Gambling Commission: ● access using the SFTP protocol for downloading the information.

● insufficient permissions to list and display the contents of all the store and access via SSH with read-only attributes.


The operator shall provide the following authentication methods to the National Gambling Commission: ● for manual access, user and password.

Automated download, the operator will configure the exchange of key pairs (SSH keyswap) for the same user described in the manual access.

The operator can use multiple warehouses. The data should contact only once, avoiding that different stores contain redundant information.

5.1.3 model of data of the SCI.

The data model of the SCI contains the scope of data that must be registered, the period of updating of the same and the technical requirements of availability and access, under the terms established in article 24 of the Royal Decree 1613 / 2011 of 14 November, which develops the law 13/2011, may 27 , of regulation of the game, in it relative to the requirements technical of the activities of game.

The data is stored in a structure of files, in a format that is structured in XML according to the definition of the data of monitoring (XSD-XML Schema Definition) schema.

5.1.4 supply time of IBS.

All the elements of the system technical of game, including the capture and the warehouse, will be synchronized with a source of time reliable.

5.1.5 signing, compression, and encryption of data from the SCI.

The data that go to be registered in the warehouse are grouped in batches. Each batch must be signed, compressed and encrypted by the operator, using the format and procedure described in the model of data from monitoring.

He operator must provide to the Commission national of the game, the part public of the certified electronic that used to perform the signature of them lots. The operator shall inform the National Gambling Commission if there is a reversal of the used certificate. The operator may use a certificate from your property or entrust to a third party who, in his name, sign lots.

5.1.6 performance of the grabber and from the warehouse.

The catcher must be able to process and record transactions information.

Except duly justified exceptional circumstances, grabber must be designed so that information is processed, formatted and registered in the warehouse in a maximum time of two times the time set for real time monitoring data model.

He store will have a capacity or flow of communications minimum in Internet, enough so it Commission national of the game can access to the same: ● for the download of data, must have of a flow minimum secured that allow the download of it information maximum to generate in a day, in four hours, by the protocol defined SFTP.

● For the rise of data, it requires a minimum of 64 kbps.

He warehouse as system must have a performance equal or superior to the necessary for ensure them flow of communications described, regardless of other operations that should perform.

5.1.7. security of IBS.

The SCI as a whole, both the capture and store of gaming operations, are considered critical components. The safety requirements laid down in paragraph 4 are applicable to IBS.

While the data model requires that the information in the warehouse register finally encrypted is not required to be encrypted at all times. The chain of custody of the encryption key must be included in the design of the safety of the SCI.

Grabber must register transactions at all times and on a permanent basis. The operator must design the availability, the plan of prevention of loss of information, the time of disaster recovery and business continuity by completing this requirement.

5.1.8 unavailability of the SCI and suspension of the supply of game.

Operator should suspend play offer in the event of unavailability of the system of internal control. Grabber capturing warehouse. To an unavailability of the store less than 24 hours, the operator may continue its game offerings if grabber is still available, provided that it is able to continue registering transactions waiting again to the store be available. The operator shall suspend game offer to a downtime of more than 24 hours store.

5.1.9. availability of IBS.

Grabber must register transactions at all times and on a permanent basis. Store may not have a higher monthly accumulated fall time to 48 hours.

5.1.10 plan of prevention of the loss of information in SCI.

The SCI is a critical component. Gaming operators must implement a procedure that minimizes the risk of loss of information to a maximum of 24 hours.

In case of loss of information in the SCI, the operator must have a new extraction procedure of lost information enabling to remedy the loss within a maximum period of one week.

Any loss of information affecting the SCI must contact the National Commission of the game immediately, indicating an assessment of the loss as well as the plan of measures to be applied.

The operator must have a documented procedure of the quality control of the SCI data and must be prepared to, through new extraction, rectify incorrect data within a maximum period of one week.

5.1.11 IBS business continuity.

Given that the unavailability of IBS involves the suspension of the supply of game, the operator must have a procedure of business continuity enabling a possible disaster have IBS operating in less than a month.

Any disaster that affects to the SCI must communicate is to the Commission national of the game with character immediately, indicating an evaluation of the loss as well as the plan of measures to apply.

5.1.12 conservation of the information of the SCI.

The store must keep their data by a period minimum of six years.

Them operators of game will have the obligation of facilitate and allow to the Commission national of the game the access online to the information corresponding to the 12 last months of activity registered in the warehouse.

The operators must have planned a procedure of recovery of the information corresponding to a period minimum of six years.

5.1.13 location of the store in Spain.

The store or stores of the SCI should be located in Spain, in order to perform the verification and control of the information. The location and any modification thereof shall be communicated to the National Gambling Commission.

5.2 inspection face-to-face and telematics.

The National Gambling Commission shall have the possibility to monitor and supervise any of the elements of the technical platforms of game operators.

Therefore the operator must articulate the necessary mechanisms of secure communication to their technical systems, as well as allow and at all times facilitate access to them by the National Gambling Commission, regardless of their location.

The National Gambling Commission communicated to the operator its intention to make a connection to the game system providing a description of the features which intends to access and time and duration for access.

The operator shall provide to the National Gambling Commission means for secure access to the system. The personnel designated by the operator will collaborate with the National Gambling Commission for appropriate access and consultation of other systems and applications. The National Gambling Commission may make recordings of the session and how many findings are in fact necessary for the exercise of their functions.

If not otherwise required, it should be understood that access provided to the National Gambling Commission is read-only and that it has the level of authorization to access all systems and applications of the technical system of play without any filter in the data that can be accessed.

Complete access operator must close the secure access.

6 records and logs of the technical system of game 6.1 registration and traceability.

The operator shall keep records and logs of all decisions of the participant's own operator, its staff or its systems, which have impact on the development of the game, in the user record, game accounts or in the means of payment.

In relation to development of the game data, data must be able to reconstruct all the lances of the game that could have impact on the technical system of game development must also keep records and logs on security of information systems. All the referred records and logs must be accessible online to the Commission national of the game during a time not lower to 12 months. Without prejudice of it earlier, those records and logs should be preserved in storage during at least 6 years.

The operators must have envisaged a procedure of recovery of this information.

6.2 registration depending on the channel of marketing.

Certain terminals and procedures of participation have requirements specific of registration for the operations of game. These requirements shall not affect other communication between the operator and the participant other than those of the development of the game.


These terminals and specific procedures shall apply to the registration of the messages sent and received for game activities conducted through messaging-text, fixed or mobile telephone services or audiovisual media.

Related Laws