Maths Compliance, the key to a successful certification

by Lorenzo Nardini – Head of Technical Compliance and Maths at ComplianceOne

If you have ever undergone the certification process to enter any regulated market, you have probably encountered issues relative to Random Number Generators and the maths models of games of chance. The two parts of the certification process have most likely endangered the planned time to market.

In this short article, I would like to help you understand good practice and reduce these risks, by sharing some tips and best practices to follow that I have learned in my 6 years’ experience as math analyst.

The start  

In principle, maths requirements are only a small part of the full list of criteria that apply to a gaming technology platform, and they do not vary wildly between land based or iGaming solutions. Nevertheless, they can be quite difficult to check.

The first step in this process is typically the Random Number Generator approval. This is because, in the same way car suppliers want to first ensure that there is a functioning engine that enables the vehicle to move, game suppliers need to be able to generate unpredictable game outcomes that are fair to the players.

At first glance, the RNG can look like a scary topic preferably discussed only with a very limited audience. However, it is not necessarily the case, if you have a good understanding of the main technical standards governing this component and a team of professionals to support you.

In general, regulators want to ensure that the RNG can output unpredictable numbers without introducing any form of bias. For some markets the unpredictability requirement can be very strict, allowing only secure RNGs (known as cryptographically strong). This is where many issues can rise since RNG technology continuously evolves over time and methods that are currently deemed as secure may not necessarily be in the future. In fact, cryptographic security is a vastly researched topic in information technology and its evolution has large repercussions in many areas other than Gambling: from Finance to Healthcare, from E-commerce to Military. Fortunately, you don’t need to be a crypto guru to have a well-functioning cryptographic RNG and stay ahead of time! Most operating systems have embedded cryptographically secure sources of entropy, different cryptographic RNG solutions are easily accessible, and if you want a source of true random numbers you can opt for hardware-based solutions that use the laws of physics to generate truly unpredictable events. On the other hand, something that is not advisable is to try to develop your own RNG algorithm as this can be a very cumbersome task and independently asserting its security might take a very long time.

The tips for successful management of RNG certification

What you should focus on if you want to reduce your time to market while ensuring compliance for your RNG can be summarised in the following tips.

1. You should probably opt from the very start for a cryptographically secure RNG, even if you are currently aiming for a market that does not require the RNG to meet this level of security. This is because, as technology is advancing, so are the requirements, and more and more countries are moving in this direction. Furthermore, once you have finally obtained a license for your target market, you might probably want to expand operations to other jurisdictions that might require a secure RNG. Already satisfying this requirement will certainly save you some valuable time! If you are unsure on what type of algorithms to consider, try to address some experts that can guide you in the right direction.
2. Interestingly, the most common mistakes I have noticed concern a much easier component of the RNG solution: the process of performing final outcome mapping without introducing a bias. RNGs typically produce numbers in specific binary format (32bit and 64bit are the most common cases). It is then up to you to add some functions in your code to enable to generate outcomes in a specific format. This typically includes a target range (for instance 0-36 if you want to use your RNG to give outcomes for a single-zero roulette) and the possibility to perform shuffling to output unique outcomes within a single play (as in the case of card games). These methods are prone to introducing bias and experts can assist you to avoiding these commons mistakes.
3. Try to set up your system architecture so that the RNG is encapsulated. This is because, once your RNG is approved and since it is such an important component of Gaming Platforms, you only want to modify it when necessary, and avoid that any change to other files nonrelated to it can trigger the recertification of this component. Ideally, once you have a secure RNG algorithm, unbiased scaling, and mapping methods and, where necessary, a dynamic monitoring feature, you should update your RNG only if disruptive technological advancements require so. A review of your RNG architecture can be performed by experts to help you maintain a compliant RNG solution.
4. Ensure that your RNG is tested for general use. Many regulated markets require that the RNG passes statistical testing for all the possible configurations for which it is requested to generate random outcomes by the associated gaming applications. Having your RNG tested upfront for a vast variety of cases will save you from having to apply for updated RNG certifications whenever you want to release a new game.

Now that you have your RNG approved, it is time to start the certification process of the associated games.

The maths in Games

A good game’s maths is the differentiation between a good game and a bad game. The maths is where your company new ideas can be implemented to making more and more appealing features to attract players.

All games are unique and require passing independent testing to ensure their compliance. The standard requirements related to maths mostly concern the following aspects: minimum Return to Player (RTP) allowed, odds of specific outcomes such as the top prize, and limitations enforced by the regulator such as on the maximum possible win in a single play or maximum average loss per hour that players can expect while playing the game.

To pass these requirements you need a sound mathematical model of your game and, most importantly, very detailed and accurate documentation to ensure its reproducibility and independent verification. In my experience, insufficient/unclear information is the number one responsible for a slow math evaluation. Whether it is for inexperience or for trying to protect their intellectual property, it often happens that young suppliers do not submit accurate and complete math documentation (PAR Sheets). This irremediably results in a tedious testing process full of long email threads and JIRA tickets to address. A thorough revision of these documents before the certification commences is then recommended and it is something that my team is happy to perform.

At the same time, efficiencies can be found by allowing simultaneous testing against different markets: after all the underlying game math model is the same! In order to do that, your main thing to worry is to have performed a complete compliance research for all applicable requirements.

Conclusion

The usual piece of advice is preparation; the successful certification with a quick time to market requires expertise in this area, sound maths documentation to submit to the lab and remembering that complexity isn’t always good.