The Ministry for Electronics and Information Technology (MeitY) released the draft online gaming rules at the beginning of last month. The rules stipulate the formation and registration of self-regulatory organizations (SRO) with the ministry under the IT Rules, 2021. The ministry itself will not be regulating the sector a great deal by itself. It will be the responsibility of the SROs.

In relation to that, a Delhi-based think tank, Esya Centre, has released a set of recommendations that SROs can adopt to manage their affairs. According to it adopting a uniform code will standardize the online gaming ecosystem without putting too many restrictions on compliance or limiting entry or innovation.

The template “code of conduct” includes the following recommendations –

1. Organization and Structure of Self Regulatory Bodies

A governing body or a board of directors must be formed. A participatory, multi-stakeholder approach must be fostered in order to achieve the goals of self-regulation, and members with appropriate experience must be included according to the recommendation.

For example, an SRO may create committees to handle various aspects of its duties, such as grievance redressal and trust and safety along with experts from fields such as mental health, law, consumer protection, data protection and other relevant fields.

In case of any changes to the governing board of an SRO, the same must be reported to MeitY within 15 days of the changes being effective.

2. Registration of online gaming intermediaries with self-regulatory bodies

Under the Information Technology Act of 2000, the SROs need to register online gaming intermediaries depending on their compliance with the framework already in place. The stipulations outlined in Rule 4B(4) must be followed when an SRO evaluates a membership application from an online gaming intermediary.

Additional membership requirements for online gaming intermediaries include:

(i) Compliance with due diligence requirements under Rule 3 of the IT Rules 2021.

(ii) Promote responsible gaming, user trust and safety and improve accessibility of online games by using technology

(iii) Proper verification of user identity and management of user funds.

After five days from receiving an application, the SRO must be required to acknowledge receipt of the application and enter a contractual agreement within 10 days of acknowledgement.

Application for membership should be accepted or rejected within 30 days. In case it takes more than 30 days, the SRO should provide the reasons in writing.

Any decision regarding the application should be published on the SRO’s website under five days. In case of rejection, the decision must be communicated to the applicant beforehand along with a grant of a 30-day period to remedy deficits.

An online gaming intermediary may be granted provisional membership by a registered SRO for a period of up to 90 days. The intermediary will have 90 days before the expiration of its registration period to submit a renewal application to the SRO.

If the intermediary is found to be in breach of the rules outlined by the SRO’s policies, codes of conduct, or standards, the SRO may cancel its registration.

3. Registration of online games by self-regulatory bodies

According to Esya Centre’s recommendations, when evaluating an application to register an online game, a registered self-regulatory organization shall take the following criteria in consideration –

(i) The game offered should be from a registered member of SRO.

(ii) Does not violate Section 69A of IT Act 2000.

(iii) Does not relate to any form of gambling or betting.

Along with this, the framework may also include the criteria below-

(i) Takes appropriate measures to safeguard children.

(ii) Safeguard users against the risk of gaming addiction and financial loss, using user-defined limits for playtime and spending money.

(iii) Should safeguard users against harm, be it self-inflicted or financial frauds.

The SRO shall only assess application from a registered online gaming intermediary and do so within 30 days of receiving such an application. Any decision made in this regard is also to be published on the SRO’s website within five days.

Similar to the registration of online gaming intermediaries, the application rejected must contain a reason and a 30-day period to fix the said issues. The application may be rejected if the game does not fit the criteria prescribed by the SRO.

Online games approved should be reported to MeitY within five days of approval and must contain details of the intermediary along with the format of the game and results of game testing and verification.

4. Framework for game testing and verification

The SROs should be required to form a framework to properly test games for necessary safeguards before approving the application. For testing and verification of online games, Esya Centre recommends the following examples and aspects of games to consider –

(i) Probabilistic logic of game outcomes.

(ii) safeguards in game design to mitigate potential harm, including self-harm.

(iii) safeguards in game design to protect children from harm and adults from financial loss or frauds.

Furthermore, online games should follow the best practices in cybersecurity and information security mechanisms, integrity mechanisms, and trust and safety measures. Any changes in the online game should be notified to SRO within 72 hours through a reporting mechanism.

SROs may consult an agency with experience in testing and auditing of online games. The agency should fulfil the following requirements before being consulted –

(i) Previous experience in testing and auditing online games and proper availability of equipment and manpower to do so.

(ii) Lack of financial or fiduciary ties to the agency that might compromise its neutrality and the agency’s data protection and information security practices.

5. Grievance Redressal of Consumer Complaints

To protect consumer interest, both the SROs and online gaming intermediaries should have a three-tier grievance redressal framework. This includes acknowledging the complaint of the user within 24 hours if it is not resolved by the online gaming intermediary.

The complaint filed with the SRO shall be resolved within 15 days and allow the consumer and gaming intermediary member to submit documents and evidence either in physical form or electronically. Proper steps to allow a consumer to appeal its decisions to the relevant committee should be in place.

A quarterly report on the SRO’s website informing the number of appeals received against gaming intermediaries along with the number of resolved and unresolved appeals and the ones transferred to relevant Government Appointed Committees should be published.

6. Transparency and Disclosure Obligations for Self-Regulatory Bodies

Esya Centre believes that self-regulation must have transparency in order to create confidence between the government, industry, and consumers. An SRO should publish on its website the following within one month of registering with MeitY –

(i) Internal code of conduct for members with guidelines to evaluate online
gaming intermediaries’ applications.

(ii) Policy and guidelines for proper grievance redressal mechanism and for protection of sensitive and proprietary information.

(iii) Testing and verification protocols for online games and assessment of contents to prevent harm to children or gamers financially.

Quarterly Audit Reports of the functioning of the SRO containing details of investment from third parties, financial performance and overall track record should also be published to keep the communication transparent.

7. Coordination and Cooperation Between Self-Regulatory Bodies

Lastly, all the registered SROs should properly coordinate with each other, as it holds the key to industry-led standard formulation and sectoral growth. SROs that are registered may make agreements or develop tools to promote collaboration, coordination, and communication.

This will aid in creating common standards and procedures for online game registration and testing, trust and safety procedures, and child protection along with preventing duplication of regulatory and enforcement actions.

Proper coordination and communication will also help in sharing data and information in order to fulfil regulatory requirements under the IT Act and detect financial frauds and money laundering activities.