The guidance shows how we assess reasonable precautions and due diligence when enforcing compliance with the Act.
The register is being introduced under the National Consumer Protection Framework for Online Wagering to minimise gambling harm in the community and make it easy for consumers to exclude from all wagering providers in Australia. If a person who has self-excluded is provided wagering services, the harm can be considerable. We expect providers to invest the appropriate time and effort to comply with their regulatory obligations.
This is not a definitive guide or legal advice. To comply with obligations, it is each provider’s responsibility to:
- review its systems, processes and practices
- use its own judgement or seek professional advice.
Obligations for interactive wagering providers
The Interactive Gambling Act provides a defence of taking reasonable precautions and exercising due diligence to avoid being found to contravene the following provisions:
- opening a licensed interactive wagering service account for a registered individual (section 61MA)
- providing interactive wagering services to a registered individual (section 61KA)
- sending, or causing to be sent, a regulated electronic message to an electronic address of a registered individual (section 61LA relates to electronic messages where the electronic address is known by the provider to be an electronic address of a registered individual, or the provider is reckless to the fact that the address is that of a registered individual)
- making a telemarketing call to a self-excluded individual (section 61LB)
- sending direct physical material via a postal service to a self-excluded individual (section 61LC)
- disclosing specified information relating to an individual for marketing purposes (section 61LD)
- not immediately closing the interactive wagering account/s of a registered individual (section 61MB relates to an account with no outstanding/pending bets and section 61MC relates to an account with outstanding/pending bets).
How we assess reasonable precautions and due diligence
An interactive wagering services provider bears the evidential burden in establishing this defence. This includes being able to produce records and evidence that demonstrate they took reasonable precautions and exercised due diligence.
Reasonable precautions – what did the provider do to achieve compliance?
These are the actions and procedures a provider put in place to avoid any alleged contravening conduct and achieve compliance. They must be ‘reasonable’, given the nature of the obligations, the objectives of the register and the circumstances.
Due diligence – how hard did the provider try to achieve compliance?
This examines the effort a provider made to ensure the actions and procedures were properly carried out and proportionate to the seriousness of the obligations. Because of the harms that can happen if gambling services are provided to someone who has self-excluded, providers will need to demonstrate that constant and serious effort was made over time to achieve compliance.
When assessing reasonable precautions and due diligence, we will consider:
- all the circumstances
- whether the measures taken were proportionate to the seriousness of the issue.
We will look at whether the provider had effective and robust arrangements and systems in place to comply. We will also consider whether they provided adequate supervision to ensure that these arrangements and systems were properly carried out. Our assessment may include:
- how the provider’s system has integrated with the register to find out if a customer is excluded
- how the provider’s system responds if a customer is excluded
- the adequacy of ongoing testing, monitoring and assurance undertaken by the provider to confirm the system works
- whether the provider has compliance policies and procedures such as manuals and guidance on how it will meet its obligations. This includes how and when it checks the register
- whether the provider has audits and reviews to proactively monitor compliance
- the nature and frequency of communications on the provider’s compliance processes and procedures with staff, agents, and contractors (personnel)
- the nature, adequacy, and frequency of training provided to personnel about these compliance policies and procedures
- the oversight and governance provided about the administration of the provider’s compliance arrangements. This includes supervision of personnel and quality assurance
- the appropriateness and oversight of contracts with third parties.
Applying the rules
The Act gives providers flexibility in how they protect customers and achieve compliance. This will depend on their business practices and how they manage risk.
When to check the register
- Providers could check the register before each bet is taken and/or before direct marketing occurs. However, a provider may consider this frequency of checking is not warranted. This may depend on how the provider’s customers interact with them and the controls and assurances within its business systems.
- If a customer is placing bets sequentially, the provider may determine it will check the register when the first bet is placed or when the customer logs in to their account instead of checking the register before each bet is accepted.
- In these circumstances, we would have a minimum expectation that a provider will have customer account controls that require customers to log back in at reasonably short intervals and/or establish a new session so that a new check of the register can occur.
- How ‘reasonable’ an interval is will depend on how likely it is that a customer may have been able to self-exclude while logged on.
- Providers could check the register before opening a new wagering account. However, the act of checking the register before opening a new account alone is unlikely to satisfy a test of reasonable precautions and due diligence.
- Reasonable precautions and due diligence in the context of opening a new wagering services account would also likely include having a system for the provider to make sure the information provided by a new customer is accurate before using it to check the register. For example, undertaking an identity verification check to verify that the person opening the account is who they say they are, and the information provided by them matches their identity document.
Using third-party IT providers
- If a wagering provider is using a third-party IT provider to provide its betting platform and that platform connects to the register, a wagering provider could manage compliance risks by formalising contracts to require the IT provider to have arrangements in place to connect to the register.
- A contractual arrangement is unlikely, on its own, to satisfy a defence of reasonable precautions and due diligence. Rather, we expect that the wagering provider would take steps to confirm that the IT provider has delivered a solution that allows the wagering provider to meet its compliance obligations and that appropriate ongoing quality assurance measures and oversight arrangements are in place.
- If the wagering provider becomes aware of circumstances that indicate the IT provider’s solution may not be operating properly, and the wagering provider does not address it, it is unlikely the provider will be able to demonstrate it has exercised reasonable precautions and due diligence.