Gaming regulation is at its core the management of risk control. In general, businesses are designed to act in their own self-interest. The fundamental goal of a business enterprise is to maximize value for its stakeholders. This is a good thing. Regulatory agencies, on the other hand, also have the responsibility of acting in the best interests of their stakeholders – the public at large. This often creates conflict between the business community and its overseers. The result is a constant struggle to avoid profit-killing bureaucratic oversight while preventing rogue businesses from taking undue advantage of consumers.
Managing this conflict is not an easy task for regulators. They are generally provided with broad objectives, limited resources and judged by the shifting sands of their political overseers. The dilemma is perhaps best described by Malcolm Sparrow in his excellent treatise on risk control entitled The Regulatory Craft where he argues that regulators are constantly asked to:
“Be more effective– but less intrusive; be kinder and gentler – but don’t let the bastards get away with anything; focus your efforts – but be consistent; process things quicker – and be more careful next time [and by the way, do with 15% fewer resources because of budget cuts]; deal with important issues – but do not stray outside your statutory authority; be more responsive to the regulated community – but do not get captured by industry.”3
The answer to this dilemma, says Sparrow, is for regulators to become problem solvers. They must constantly examine their inventory of tools and strategies to apply the right solution to the problem. They must, as he says, “Pick important problems and solve them.” This requires careful analysis, collaboration with the industry, continuing education, third-party partnerships and resource efficiency.
The Problem: Controlling Risk on the Modern Gaming Floor
The security features of modern gaming devices are, without question, superior in almost every imaginable way to their predecessors. Manufacturers use complex security algorithms and sophisticated communication firewall techniques to provide layers of technological security to the network. In addition, more robust internal control processes and audit practices provide additional levels of oversight and security.
However, one undeniable dynamic of today’s gaming floor is that risk is becoming more concentrated. While yesterday’s cheating techniques such as slug tokens, coat hangers, top-bottom joints and monkey paws, seem primitive today, the similarity of their purpose indicates that the disconnected nature of the slot floor of that era was one the its most effective safeguards against large scale cheating. Each of the devices was designed to work on a stand-alone slot machine and the payoff was limited to the amount in the hopper of that machine. The cheats had to be wary of attracting the attention of surveillance so prudent cheats knew they could only strike a few machines at a time. Thus, the disconnected nature of the slot floor served as an important aspect of risk control.
The networked gaming floor concentrates risk. Rather than having funds held in a hopper, every device payout is now centrally contained in a TITO database. While it would require an extremely sophisticated cheat and likely the use of a partner inside the operation, the opportunity now exists to compromise the security of the entire casino floor by breaking into the system. The expanded use of wireless technology and the frequency of network configuration errors enhance the security risks of the networked gaming floor. Consequently, regulators must place greater emphasis on having access to properly qualified laboratory testing personnel, network security specialists and a robust system of internal controls.
Networked gaming devices will allow for the inclusion of a myriad of new capabilities, many of them involving casino marketing programs. Some regulators do not believe that a gaming operation’s promotional and marketing activities merit oversight since these programs do not involve taxable revenue. In contrast, many regulators find that when promotional activities are compromised, it reflects poorly on the overall integrity of the operation. For example, if a patron discovers that they were cheated out of a promotional prize such as a car, do they really care that it did not involve taxable funds? As promotional activities become more integrated into the gaming operation’s network, regulators will be faced with new challenges for developing reasonable policies that ensure the integrity of the contests.
The increasingly complex and integrated nature of the gaming floor also creates operational and functionality issues for regulators. The question of whether the network’s functionality is reliable is equally important to whether it is secure. Breakdowns in functionality lead to patron mistrust, inability to properly account for funds, loss of gaming tax revenue and patron disputes that the regulator must adjudicate. The core purpose of regulatory technical standards is to ensure that the devices meet the functionality standards established by each jurisdiction. Regulators have established sound practices for certifying devices and verification techniques that have served the industry well. However, as technology advances, regulators must have access to new skills and new techniques to certify the integrity of the networked gaming floor.
Solving the Problem: The Role of the Testing Laboratory and Network Security Experts
Regulators have long relied on their independent testing laboratory (“the lab”) to assist them in the difficult challenge of certifying that every device on a gaming floor meets the technical requirements of the jurisdiction. Many jurisdictions also employ their own technical staffs to assist in developing regulatory policy, to oversee the activities of the lab and to handle daily technical troubleshooting issues that occur within the jurisdiction.
This collaborative arrangement between regulators and the lab has worked well to establish an efficient process for certifying that gaming devices meet jurisdictional requirements. It has been an effective solution to the problem of ensuring the integrity of computerized gaming devices and regulators have become comfortable with it. However, in order to adequately oversee the modern gaming floor, regulators must continually evaluate their resources and practices. If we are standing still, we are moving backward. In order to avoid problems associated with the more complex networked gaming floor, regulators must ensure that they have access to the specialized knowledge needed to understand the diverse web of devices that are involved in the network.
It is no longer possible to have the ability to properly examine today’s gaming technology using 15, 20 or even 50 people. It requires teams of specialists devoted to concentrating on specific technological functions and manufacturing platforms to effectively ensure the integrity of the gaming floor. Today’s gaming lab must have specialists in math, communications protocols, network hardware, network security, device hardware, wireless technology and a wide variety of programming languages. As previously noted, GLI now tests for over 374 manufacturers. It is unreasonable to expect an engineer to be an expert in everyone’s technology. Therefore, the modern gaming lab must assign teams of engineers to specific manufacturers, not only to ensure adequate knowledge of the technology but also to offer each manufacturer equal access to laboratory resources so that their work is not being delayed by the demands of a competitor.
As standards become more intricate and robust, regulators must also ensure that its gaming lab has a dedicated Quality Assurance team that checks each certification to verify that every regulatory requirement has been properly tested and documented. In addition, the lab must have an experienced forensic team that provides the regulator with the investigative tools it needs in the event of a malfunction or patron complaint. Regulators must also constantly respond to questions about new technologies that were not envisioned when the existing standards were drafted. Accordingly, it is important that the lab have an experienced Technical Compliance team that is on call around the clock to field questions from regulators about emerging technologies or the interpretation of a rule or technical standard. Finally, the continuing education of a regulator’s technical personnel is imperative in today’s environment, so the lab must have an effective training program to help regulators develop the knowledge they need.
It is important to understand that laboratory testing of gaming equipment is the outsourcing of a regulatory function. Therefore, the lab is acting at the direction of and under the supervision of the regulator. The testing model for gaming is different from other industries where the laboratory works for the manufacturer. While exceptions certainly exist, the regulatory model that has been adopted in most North American jurisdictions is for the gaming lab to work for the regulator. Thus, the regulator is the gaming lab’s client while the manufacturer is a consumer of the service.
As the industry moves towards a more integrated networked gaming floor it will be even more important for the regulatory agency and the gaming lab to work together to independently ensure the integrity of the gaming devices offered to the public. The modern gaming floor will be dynamic and highly configurable by the operator working with the manufacturers. Therefore, it is critical that independent third party oversight take place or the industry risks that a growing number of its patrons will begin to believe the old myth that “someone behind the scenes is controlling the outcome of the game.”
GLI is already working with regulators around to the world by developing the tools they will need to ensure the integrity of the networked gaming floor. It will require new procedures that integrate network security precautions, proven techniques for software control as well as new tools to monitor network configuration and activity. The result will be a transparent process that allows the industry to have the maximum amount of flexibility in offering new and exciting products that patrons will demand while providing independent third party assurance that the games are fair and everyone has an equal chance to win.
By Kevin P. Mullally, General Counsel and Senior Director of Government Relations for Gaming Laboratories International, LLC.