Key Benefits:
Law 13/2011, of 27 May, of regulation of the game, establishes the regulatory framework of the activity of the game, in its various modalities that it is developed with state scope in order to guarantee the protection of the order public, fight against fraud, prevent addictive behaviour, protect the rights of minors and safeguard the rights of participants in games.
For the recognition of technical requirements to be met by operators for the organization, exploitation and development of gaming activities that require the enabling titles to which they relate Title III of Law 13/2011, of 27 May, has been dictated by Royal Decree 1613/2011 of 14 November, laying down the technical requirements of the activities of the game.
Article 11 of the Royal Decree instructs the National Gaming Commission to establish the content of the preliminary and final reports of certification of the technical projects submitted by the interested parties, at the time specified in the aforementioned Royal Decree.
Any time the National Gaming Commission has not been effectively constituted and in application of the transitional provision first of Law 13/2011, of 27 May, of regulation of the game, it corresponds to this Directorate General of Management of the Game of the Ministry of Economy and Finance the development and concretion of the technical requirements set forth in Law 13/2011 and Royal Decree 1613/2011 of 14 November, which develops it.
In its virtue, and prior to the favorable report of the State Advocate in the Secretariat of State of Finance and Budget of the Ministry of Economy and Finance, this Directorate General, in use of the conferred powers, resolves:
First.
Approve the provision setting out the minimum models and contents of the preliminary certification reports for technical projects submitted by stakeholders along with their license applications general and unique, and the model and minimum content of the certification report of the Internal Control Systems of the gaming operators, which are attached as Annex I, II and III to this Resolution.
Second.
The references that in the provision approving this Resolution are made to the National Gaming Commission shall be construed as references to the General Direction of the Management of the Game of the Ministry of Economy and Finance or a management center to the that their powers are legally attributed to the effective establishment of the said regulatory body. References to the President of the National Gaming Commission shall be construed as references to the holder of the General Management of the Game.
Third.
This Resolution shall enter into force on the day following that of its publication in the "Official State Gazette".
Madrid, November 16, 2011. -Director General of the Game Management, Immaculate Vela Sastre.
ANNEX I
General License Certification Preliminary Report Model
1. Object
The purpose of this provision is to describe the model of the report, to be issued by any of the entities designated for this purpose by the National Gaming Commission, and in which it is reported, as a preliminary and on the basis of the technical project submitted by the requesting entity, which contains the requirements for compliance with the technical specifications required for the granting of general licences in the rules of play.
2. Description of the report to be performed
The preliminary certification report, at least, shall inform, on the basis of the technical project submitted with the application, the preliminary compliance with the technical requirements listed below, together with the code which are assigned to them. These technical requirements are defined in the Resolution of the General Management of Game Management, which provided for the approval of the technical specifications of the technical systems of the game (hereinafter RET).
Area: User registry and participation limitation.
• RET 2.1.7-User registration activation and participation limitation.
• RET 6-Logs and logs.
Area: Participants ' repositories.
• RET 2.2.2-Play account. Association to the user registry.
• RET 2.2.3-Movements and history.
• RET 2.2.5-Ban on player transfers.
• RET 2.2.7-Accounts associated with user records in a different state to asset.
• RET 2.2.8-Creditor Balance.
• RET 6-Logs and logs.
Area: Means of payment and collection.
• RET 2.3.2-Deposit Limits.
• RET 6-Logs and logs.
Area: Protection of personal data.
• RET 2.4.1-Organic Law on Data Protection.
Area: Domain ". is".
• RET 3.2-Domain creation ". is" and redirection.
Area: Platform user terminals.
• RET 2.1.12-User authentication and password policy.
Area: Platform information systems security.
• RET 4-Security of information systems.
Area: Monitoring. Internal control system.
• RET 4-Security of information systems, relative to the internal control system: Capturator and Store.
3. Model and minimum content of the report
• Paragraph 1. General data.
-The requester's identifying data.
-Identification data of the certificate entity.
-The identifying data of the signing of the report by the certifying entity.
-Request dates and preliminary report issue.
• Paragraph 2. Scope of certification.
Description of the scope and limitations of the certification. Specification of its preliminary character.
• Paragraph 3. Comments.
Those requirements that are not considered to be accredited in the final report for not being included in the technical project will be identified.
The defaults will be detailed according to the following example:
| Observations | |
|---|---|
|
RET 4.16 Business Continuity Management | RET 4.16 Business Continuity | Not provided documentation on replication |
• Paragraph 4. Conclusions.
For each section of the reference document object of analysis, the rating that can be "Compliant", "Not compliant", or "Not applicable" will be indicated.
The ratings will be detailed according to the following example:
| Rating | Remarks | ||
|---|---|---|---|
|
registry and participation | |||
|
RET 2.1.7-Limitation on participation. |
| ||
| RET 6-Logs and logs. | Compliant. |
| |
The report will be completed with the maximum breakdown level.
ANNEX II
Unique License Certification Preliminary Report Model
1. Object
This provision is intended to describe the model of the report, to be issued by any of the entities designated for this purpose by the National Gaming Commission and in which it is reported, as a preliminary and on the basis of the technical project submitted by the requesting entity, which contains the requirements for the fulfilment of the technical specifications required for the granting of the unique licence applied for in the rules of play.
2. Description of the report to be performed
The preliminary certification report, at least, shall inform, on the basis of the project submitted with the application for a singular license and the approvals of the software issued in its case by regulatory authorities of other Member States of the European Economic Area or the Autonomous Communities, for the type of game requested, of the technical requirements listed below, together with the code assigned to them. These technical requirements are defined in each of the Ministerial Orders for which the Basic Regulation of each of the games subject to a single licence is established and in the Disposition establishing the specifications techniques to be met by the technical systems of play enabled in Spain and its control mechanisms, approved by Resolution of the General Direction of Management of the Game of Date-November 2011 (hereafter RET).
Area: Game. Rate of return, maximum amount of bets and prizes, existence of technical procedures for suspension/deferment/cancellation.
• OM-Description of the degree of compliance with the technical aspects and requirements of the Ministerial Order establishing the basic regulation of the relevant game.
Area: Game. Technical aspects.
• RET 3.14-Repetition of the move (replay).
• RET 6-Logs and logs.
3. Model and minimum content of the report
• Paragraph 1. General data.
-The requester's identifying data.
-Identification data of the certificate entity.
-The identifying data of the signing of the report by the certifying entity.
-The succinct description of the software that is the object of the report with the indication of its manufacturer. The indication of the software approvals referred to in the report issued by regulatory authorities of other Member States of the European Economic Area or the Autonomous Communities shall be accompanied. These approvals and certification reports issued by independent entities shall be accompanied as an annex.
-Request and issue dates of the preliminary certification report.
• Paragraph 2. Scope of certification.
Description of the scope and limitations of the certification. Specification of its preliminary character.
• Paragraph 3. Comments.
Those requirements that are deemed to be non-accredited, on the basis of the technical project and, where applicable, the approvals provided, shall be indicated, as well as the requirements that would have been fulfilled. subsated during the realization of the report.
• Paragraph 4. Conclusions.
For each section of the reference document object of report the qualification that can be "Compliant", "Not compliant" or "Not applicable" will be indicated.
The certifying entity may include any observations it deems appropriate in relation to each paragraph.
The ratings will be detailed according to the following example:
|
document and section | Rating | Remarks |
|---|---|---|
| RET 3.14-Repetition of the move (replay). | Compliant. |
|
| Percent Return on Awards. | Compliant. |
|
The report will be completed with the maximum breakdown level.
ANNEX III
Minimum Model and Content of the Game Operators Internal Control System Certification Report
1. Object
This provision is intended to describe the content and form of the certification report to be issued by the entity designated by the National Gaming Commission, which accredits the Internal Control System associated with the The operator's gaming platform complies with the specifications required by the applicable regulations.
The scope of the Internal Control System certification associated with the Platform extends to the following elements:
• The captor, which is the component responsible for capturing the user registration and gaming account data. The data for the platform's captor are detailed in articles 3.7.1-User registration (totals), 3.7.2 User registration (per player), 3.7.3-Play account (totals) and 3.7.4-Play account (per player), Resolution of the General Management of Game Management, which provided for the approval of the "Monitoring Data Model".
• The secure database of the Internal Control System of the Platform or Game Operations Store (hereafter, storeroom).
2. Description of the analyses to be performed
The certification work to be carried out by the designated entity shall include at least the provisions of this paragraph and shall be carried out either on the platform and the internal production control system or on a test environment that is equivalent to the one that will be used in the actual production system.
The development of the jobs must be at least:
• High-five user simulation, which should be performed through the same functionalities that a user would register with on the platform.
• Simulation that three of the users modify their daily, weekly, and monthly deposit limits (through the same functionalities that a user could modify their limits on the platform).
• Simulation that three of the users modify their personal data (through the same functionalities that a user would register with the platform).
• Simulation that three of the users make two deposits and two withdrawals each (through the same functionalities with which a user could make deposits and withdrawals). At least two different means and types of payment offered by the operator shall be used for deposits and withdrawals.
• Simulation to end the day.
• The captor should generate the batches corresponding to the daily records: Total User Registry (RUT), User Registry by Player (RUD), Total Play Account (CJT) and Player Account by Player (CJD). In the game account records (CJT and CJD), the fields relating to game movements (participation, prizes, prizes in kind, etc.) should not be analyzed for this certification.
• The batches will be stored in the Storeroom, in the corresponding directory.
The minimum requirements to be analyzed are those listed below, along with the code assigned to them. These technical requirements are defined in the Disposition laying down the technical specifications to be met by the technical systems of the game enabled in Spain and its control mechanisms, approved by Resolution of the Directorate Date Game Management General-November 2011 (forward RET), and the Disposition establishing the Monitoring Data Model approved by the Resolution of the General Management of the Date Game November 2011 (hereinafter RMO).
The requirements are sorted by areas, which will serve to structure the report.
Area: Store.
• RET 5.1.4-SCI time source.
• RET 5.1.5-Signature, compression and encryption of SCI data.
• RMO 3.3-Warehouse directory structure.
For this requirement, only the User Registry (RU) and Game Account (CJ) directory structure will be analyzed.
• File Nomenclature: RMO 3.5.1-User Registry and RMO 3.5.2-Play Account.
Area: Capturator.
• RMO 2.4-Movements, amounts and units.
• RMO 3.7.1-User Registration (Total), RMO 3.7.2 User Registration (per Player), RMO 3.7.3-Play Account (Total) and RMO 3.7.4-Play Account (per player).
The format corresponds to the expected and the XSD of the Monitoring Data Model.
The content corresponds to the data entered in the simulation performed.
3. Model and minimum content of the report
The certification report will consist of the following sections and include at least the following information:
• Paragraph 1. General data.
-The requester's identifying data.
-Identification data of the certificate entity.
-The identifying data of the signing of the report by the certifying entity.
-Dates of the request, the completion of the work, and the release of the certification report.
• Paragraph 2. Scope of certification.
-Description of the scope of the certification.
-Description of the software components analyzed, identifying versions, manufacturer, or any other data that allow identification.
• Paragraph 3. Incidents detected.
A description of the detected incidents will be performed throughout the report. Those requirements which are not considered to be sufficiently accredited, as well as the incidents that have been remedied during the performance of the report, shall be identified.
For each of the detected incidents, the following information shall be entered: number of incident, component, reference document and section, requirement, description of the incident.
The incidents will be detailed according to the following example:
| Rating | |
|---|---|
| Capturator | |
|
RMO 3.7.2-User (per player) record | Success. |
|
Remarks: The RUD record included in your data the date of birth of the player, but in an incorrect format. The incident has been remedied. | |
| RMO 3.7.4-Play account (per player). | Not successful. |
| Observations: The generated CJD record includes the total of deposits for each player, but does not specify a detail for each repository. The other aspects are satisfactory. |
|
• Paragraph 4. Conclusions.
For each of the sections of the analysis, the rating that you have obtained will be indicated, and it may be "Successful", "Not Successful", or "Not applicable".
If an incident had been detected and it would have been remedied during the reporting period, the report will be listed as "Successful" and the circumstance in the "Remarks".
The certifying entity may, in any case, include any observations it deems appropriate in relation to each paragraph. If the content of the observations is voluminous, annexes may be used, in which case the corresponding Annex shall be referred to in the relevant "Remarks" section.
The conclusions will be detailed according to the following example:
| document and section | Rating | |
|---|---|---|
|
RET 5.1.4-SCI Time | ||
| Success. | ||
| Observations: The Capturator and the Store are each synchronized to a time source, but both are compatible with each other because they have the same reference | ||
|
RET 5.1.5-Signature, compression, and encryption of the SCI data. | Success. | |
|
Capturator | ||
| RMO 3.7.1-User Registry (totals). | Success. | |
|
RMO 3.7.2-User registry (per player). |
Successful. | |
| RMO 3.7.3-Play account (totals). | Success. | |
| RMO 3.7.4-Play account (per player). | Successful. | |
The report will be populated for each of the sections with their maximum breakdown level. For example, the report will reflect 3.7.1 and 3.7.2 and not just 3.7.
• Paragraph 5. Description of the environment.
A description of the work and analysis environment will be performed, indicating all the issues that may be relevant to the development of the analyses and the results obtained.
The personal and material resources that have been used for the analysis should be described, among other things, and explicitly stated if a real or evidence environment has been worked, if the code has been analysed. source, if the designated entity has completed the compilation of the source code or the approach of a "supervised build" has been used, if the staff of the designated entity have visited the premises of the petitioner in person, or if worked together through telematic connections.
• Paragraph 6. Comments.
