Compliance considerations

To meet their obligations, wagering providers should consider at what points in the customer journey and interactions it makes sense to check BetStop.

The Interactive Gambling Act 2001 and Register rules do not state that checks of BetStop must be undertaken by wagering providers, or define when checks must occur if they are undertaken. Instead, the Interactive Gambling Act sets out when offences will occur. This provides flexibility for wagering providers to take a risk-based approach to their obligations.

For instance, wagering providers could check BetStop before every account is opened, or before each bet is taken or before direct marketing occurs. However, a provider may consider this level of checking is not warranted when they review how customers interact with them, what they know about their customers and what controls or assurances are appropriate for their business systems.

For example, if a customer is placing a series of bets sequentially, a wagering provider may decide it is not appropriate to check BetStop before each bet is placed. It may be better for a provider to instead check BetStop before any bets are placed – for example, when the customer logs in to their account.

Please note these matters are provided for guidance only. They are not intended to be definitive, exhaustive or constitute legal advice. It is each wagering provider’s responsibility to review their own systems, processes and practices to ensure they will be able to comply with the new obligations.

Compliance obligation 1: A wagering provider must not open a licensed interactive wagering service account for a registered individual

Section of the Act: 61MA

Consider:

• What controls do wagering providers have in place to ensure there is integrity in their customer data sufficient to support business practices and meet obligations?
• What records will be retained to demonstrate the reasonable precautions and due diligence exercised?

Compliance obligation 2: A wagering provider must not provide a licensed interactive wagering service to a registered individual

Section of the Act: 61KA

Consider:

• Are there customer interaction points where a wagering provider can elicit information about whether they have self-excluded since a check was last made?
• If this information is sought, how much weight will be put on the response as part of risk management processes?
• What blocks will be in place on the account to prevent the customer from betting?
• When will these be reviewed and how often?
• Do customer account systems have controls that require customers to log back in at regular intervals or establish a new session? 
• Are those intervals such that it is unlikely that someone would log in, then self-exclude, then try to bet again while the login remains current?
• What controls do wagering providers have in place to ensure there is integrity in their customer data sufficient to support business practices and meet obligations?
• What arrangements are in place to maintain the currency of customer information? For example, are arrangements in place to check whether a customer has re-located (and therefore changed postcodes)?
• To make a request to BetStop, wagering providers will need to provide their customer’s full name, date of birth, postcode, mobile phone number and email address for these to be checked against BetStop.
  • What processes are in place to validate the information provided by customers during the sign-up process?
  • Do customer databases contain reliable and complete information to enable a wagering provider to make a request to the register operator? If not, how will this information be sought from customers?
  • Do processes and systems prevent a wagering provider from recording non-sensical names for a customer, for example, accuracy errors, keyboard smashes or fictional characters?
  • Do processes and systems prevent or provide exception reports if someone tries to register with a date of birth or other details that are impossible or unlikely?

Compliance obligation 3: A wagering provider must not conduct direct marketing to a registered individual

Section of the Act: 61LA, 61LB, 61LC

Consider:

• Are internal lists currently used to exclude customers from future marketing, including based on customer preferences, other self-exclusions and/or Gambling Incident Registers?
• Can these inform if and when BetStop checks need to be undertaken for direct marketing?
• Can BetStop results inform these lists, for instance, if an individual returns a self-excluded result from BetStop, can this information inform internal lists?
• Do processes need to differ depending on the marketing channel?
• If marketing occurs to individuals that do not have an active account, but have otherwise consented to receive marketing, how will wagering providers ensure direct marketing does not occur to people who have previously consented to receive marketing material but have subsequently self-excluded via BetStop?

Compliance obligation 4: A wagering provider must not disclose information about a registered individual for marketing purposes

Section of the Act: 61LD

Consider:

• What processes and procedures are needed to safeguard information?
• Do any third-party arrangements need to be reconsidered or amended?

Compliance obligation 5: A wagering provider must close and not reopen accounts for a registered individual (and pay any credit balance or pay any credit balance for subsequently resolved bets)

Section of the Act: 61MB, 61MC

Consider:

• What needs to be done to close an account, including refunding any credit in the customer’s account?
• If there are pending bets, how will the account be managed while those bets are being resolved?
• How will changes be communicated to the customer?

Compliance obligation 6: A wagering provider and their employees and contracted service providers and their employees must not disclose protected information

Section of the Act: 61NB

Consider:

• What processes and procedures are needed to safeguard sensitive information?
• Who needs to know about this information?
• Does the information need to be disclosed to third parties? If so, what arrangements need to be put in place to ensure that the third party does not disclose information?

Compliance obligation 7: A wagering provider must take reasonable steps to have connectivity in place to enable connection to BetStop

Section of the Act: 61NC

Consider:

• What changes need to be made to system(s) to make it(them) capable of connecting to BetStop?
• What are the timeframes involved in making these changes and are there any third-party approvals that providers need to consider?
• If providers do not manage their own IT system, do any third-party arrangements need to be reconsidered or amended?

Other considerations: business systems, practice and processes

• Do governance, oversight, risk management and compliance assurance processes need updating to reflect the new obligations? It is unlikely to be enough to merely have processes in place and/or documented, they must be current, active and regularly reviewed to ensure they remain fit for purpose.
• Do change management processes for compliance obligations, business processes or IT systems need to be updated to reflect the new obligations?
• Do any third-party arrangements need to be reconsidered or amended? For example, do contractual arrangements with technology providers or other platforms need to be amended to comply? Are oversight and assurance processes in relation to third parties robust and appropriate for these new arrangements?
• Are systems, processes and practices in place sufficient to demonstrate reasonable precautions have been taken and due diligence exercised? Will records be available and credible?
• Do terms of service or customer communications need to be updated to reflect any changes customers will experience?