PAGCOR Gambling Regulation: B2B Supplier License Requirements in the Philippines

Updated for the Philippine legal and regulatory context as of late 2025. This article provides a practitioner-oriented overview for gaming technology vendors, platform providers, content studios, managed service providers, and other business-to-business (B2B) firms that wish to supply products or services to gambling operators licensed by the Philippine Amusement and Gaming Corporation (PAGCOR).

1) Legal and Institutional Framework

Primary statute. PAGCOR’s mandate comes from Presidential Decree No. 1869 (the consolidated PAGCOR charter), as amended by Republic Act No. 9487. These give PAGCOR broad authority to operate and regulate games of chance and to license third parties under terms and conditions it sets.

Regulatory perimeter. “Gambling” (or “gaming”) in the Philippine context spans:

  • Land-based casinos and their suppliers (e.g., gaming machines, tables, systems).
  • Onshore remote gaming (e.g., remote betting by registered domestic patrons under tightly controlled programs).
  • Offshore/foreign-facing internet gaming (historically called “POGO,” more recently regulated under the Internet Gaming Licensee or IGL framework).
  • Electronic gaming sectors (e.g., eBingo/eGames) with their own rulebooks and supplier accreditation regimes.

Regulator. PAGCOR issues licenses/authorizations and technical standards; it also conducts compliance audits, fits-and-proper tests, and sanctions. Other agencies that interact with B2B suppliers include:

  • SEC (company registration), DTI (for certain registrations), BIR (tax), DOLE/Bureau of Immigration (alien employment/work visas), NPC (data privacy), AMLC (AML/CFT oversight for covered persons), and LGUs (mayor’s permits for physical offices).

2) Who Is a “B2B Supplier” Under PAGCOR Rules?

PAGCOR regimes distinguish operators (B2C licensees that take bets) from suppliers (B2B entities providing technology or services). Common supplier categories include:

  • Gaming platform/system providers (RGS/RGS aggregator, PAM, wallet, player account management, bonus/loyalty modules).
  • Game/content studios (RNG casino games, slots, table games, live dealer software, crash/instant games).
  • Live studio providers (facilities, streaming, dealers).
  • Sportsbook/odds feed and risk management providers.
  • Payment, KYC/IDV, geolocation, fraud and risk tools.
  • Data hosting, managed services, BCP/DR, cybersecurity, SOC.
  • Gaming machine manufacturers/distributors, jackpot controllers, SAS/EGM-system integrators (for land-based).

Each vertical has specific accreditation or license sub-types, but the application backbone is consistent: corporate legitimacy, technical suitability, integrity checks, financial soundness, and ongoing compliance capacity.

3) License vs. Accreditation: The Two B2B Paths

PAGCOR uses both supplier licenses (a stand-alone authority to supply to a given sector like IGL) and supplier accreditations (authorization tied to supplying PAGCOR-licensed land-based casinos or e-gaming sectors). Functionally they impose similar obligations:

  1. Right to supply only to PAGCOR-authorized operators in the permitted sector(s).
  2. Scope-bound—you may need separate approvals for additional sectors or material product changes.
  3. Term-limited—with renewal subject to continued compliance.

4) Core Application Requirements

While checklists vary by sector, a comprehensive B2B application typically includes:

A) Corporate and Legal

  • SEC registration of a Philippine entity (domestic corporation) or SEC-registered branch of a foreign company; updated Articles/By-Laws or Board Resolutions.
  • Principal office address in the Philippines; LGU mayor’s permit and other local clearances for the physical site(s).
  • Ultimate Beneficial Ownership (UBO) disclosures, shareholding maps, notarized affidavits on the accuracy/completeness of submissions, and waivers for background checks.
  • Fit-and-Proper documentation for directors, key officers, and control function heads (IDs, national police/NBI clearances, foreign police certificates where applicable, CVs, conflict-of-interest declarations).
  • Good standing certificates from home regulators (if already licensed in other jurisdictions) are highly advantageous.

B) Financial and Tax

  • Audited financial statements, proof of capitalization/solvency (minimum capital varies by category and is periodically updated by PAGCOR), bank certifications, and business plan with 3–5-year projections.
  • BIR registration, TIN, and undertakings on timely tax compliance.
  • Fees & bonds: application fees, annual license/accreditation fees, and sometimes security deposits/performance bonds. (Schedules change; rely on the current PAGCOR circular.)

C) Technical and Security

  • System architecture and data flows for game/platform modules; diagrams for hosting (onshore/offshore), data storage, and replication.
  • Game math and RNG evidence; independent testing lab (e.g., GLI/BMM or PAGCOR-recognized labs) certificates for fairness, RTP, volatility profiles, and protocol compliance.
  • Information security program mapped to recognized frameworks (ISO/IEC 27001 or equivalent), vulnerability management, penetration test results, SOC operations, access controls, logging/SIEM, key management for jackpots.
  • Change management and release governance (segregation of duties, versioning, rollback).
  • BCP/DR: RTO/RPO targets, secondary site details, regular failover testing.

D) Compliance and Responsible Gaming

  • Compliance manual tailored to the sector (IGL vs. land-based vs. e-gaming), including:

    • Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) responsibilities appropriate to a B2B role (see §7).
    • Responsible Gaming (RG) features support (self-exclusion, deposit/time limits, reality checks) when the supplier’s system touches patron experience.
    • Incident reporting procedures (cyber, game malfunctions, critical outages).
    • Change notifications/material variations protocol to PAGCOR.

5) Hosting, Data Location, and Connectivity

  • Regime-specific hosting rules apply. Offshore-facing IGL stacks typically require regulatory access to key servers, data mirroring, and real-time reporting interfaces to PAGCOR.
  • Transactional logs must be tamper-evident, time-synced, and retained for the period specified in the applicable rulebook.
  • Encryption in transit and at rest is expected, with strict database privilege models and audit trails.
  • Live studios need certified camera coverage, dealer procedures, and secure streaming pipelines.

6) Game and System Certification

Before go-live—and often again upon material change—PAGCOR requires independent testing and/or PAGCOR certification confirming:

  • RNG statistical quality and seeding;
  • Declared RTP within certified tolerances;
  • Communications protocols (e.g., EGM-to-system for land-based) and jackpot logic;
  • Player account, wallet, bonus, and risk controls functioning as approved;
  • Regulatory reports and APIs produce accurate, timely data.

Certifications must be kept current; suppliers are responsible for re-testing after significant code or math changes.

7) AML/CFT: What Applies to B2B Suppliers?

  • The Anti-Money Laundering Act (AMLA), as amended (including R.A. 10927), designates casinos and certain internet gaming operators as covered persons with direct KYC, monitoring, and reporting duties to the AMLC.

  • Pure B2B suppliers (with no player relationship) are typically not covered persons; however:

    • Contractual obligations often require suppliers to implement AML-supporting features (e.g., velocity controls, sanctions screening integrations, audit trails) enabling the operator to meet its AML duties.
    • If a supplier touches funds or customer onboarding (e.g., payment facilitation, remote KYC), PAGCOR may impose heightened AML expectations, and the supplier may be independently designated as covered depending on the precise role and applicable circulars.

  • Maintain an AML support statement in your compliance manual describing how your systems enable operators’ compliance (KYC capture hooks, suspicious activity flags, reporting exports, secure retention).

8) Data Privacy and Cybersecurity

  • The Data Privacy Act of 2012 (R.A. 10173) and NPC issuances apply whenever personal data (especially sensitive personal information) are processed.
  • Many gaming stacks meet NPC registration thresholds (especially if >1,000 employees/records or processing sensitive IDs/biometrics); prepare for DPO appointment, privacy impact assessments (PIAs), privacy management program, and breach notification procedures.
  • Implement industry-grade cybersecurity aligned to ISO 27001/NIST; conduct annual third-party audits and regular pen tests; maintain vendor risk management for sub-processors.

9) Taxes and Fiscal Obligations

  • General corporate taxes apply (corporate income tax under CREATE, 12% VAT on most services, withholding obligations, and LGU fees).
  • Where the supplier is categorized as a service provider to offshore/IGL operators, sector-specific taxes or levies may apply under special laws/circulars distinct from ordinary VAT/CIT. Keep your tax posture current with BIR rulings and PAGCOR issuances in the relevant vertical.
  • Foreign employees require AEPs (DOLE) and appropriate work visas; gaming-sector rules on headcount nationality ratios and background checks are strictly enforced.

10) Advertising, Marketing, and IP

  • B2B suppliers generally do not market to the public, but brand presence on operator sites is common (e.g., game splash screens). Ensure any co-marketing respects PAGCOR restrictions and broader advertising standards (including limitations around minors, celebrity endorsements, and problem gambling messaging where applicable).
  • Protect IP and math models through registrations and robust license agreements; include escrow or source-code deposit provisions if required by operators or PAGCOR for mission-critical modules.

11) Ongoing Obligations After Approval

  • Annual renewals (or per-term) with fee payments and updated documentation.
  • Material change notifications (ownership changes, key officer changes, hosting/data location changes, major code revisions, or financial distress events).
  • Periodic audits (technical, compliance, financial); timely remedial action plans.
  • Incident reporting for game faults, security events, and significant outages; maintain an RCA process and communicate fixes/compensations as required.
  • Regulatory data feeds must remain online and accurate; test after every major release.

12) Typical Timelines and Process Flow

  1. Pre-filing: gap analysis against the relevant supplier checklist; align corporate structure, tax, and hosting.
  2. Submission: application dossier, fees, and scheduling of technical inspection(s).
  3. Evaluation: integrity and financial checks on controllers/UBOs; technical validations and lab certifications.
  4. Conditional approval: satisfaction of pre-go-live conditions (e.g., data-feed handshake with PAGCOR; mirroring; escrow).
  5. Authority to supply: issuance of license/accreditation; enrollment of operator clients on a per-integration basis.
  6. Steady state: audits, renewals, certifications, and change management.

(Exact steps and durations vary by sector and current circulars.)

13) Common Pitfalls—and How to Avoid Them

  • Treating B2B as “light-touch.” PAGCOR expects enterprise-grade governance even for firms without player contact.
  • Incomplete UBO transparency. Complex offshore holding layers trigger delays; prepare clear, notarized beneficial-ownership charts.
  • Out-of-date testing. Releasing new math/RTP without re-certification is a fast path to suspension.
  • Weak logging. Regulators and operators rely on precise, immutable logs; invest in time sync, WORM storage, and robust reconciliation.
  • Privacy blind spots. Analytics pipelines often replicate PII into data lakes; run PIAs on downstream uses and enforce data minimization.

14) Foreign Participation and Structuring

  • Foreign B2B firms frequently enter via a Philippine subsidiary or SEC-registered branch. Choice depends on tax, liability, and commercial considerations.
  • Cross-border components (e.g., offshore dev teams or cloud regions) are viable if the PAGCOR regime allows it and regulatory access/visibility is preserved (mirroring, lawful interception points, real-time dashboards).
  • Ensure inter-company agreements are arm’s-length; document transfer pricing and service-level obligations.

15) Land-Based Casino Supplier Specifics

  • EGM/manufacturer or distributor accreditation requires: device type approvals, SAS/G2S compatibility, jackpot controller certifications, meters reconciliation, and field trials.
  • On-site installation must be performed by PAGCOR-authorized technicians; maintain seal/inventory control and parts traceability.
  • Progressive jackpots require separate approvals for contribution rates, reset values, and signage compliance.

16) IGL/Offshore Internet Gaming Supplier Specifics

  • Platform and content suppliers must integrate with PAGCOR monitoring endpoints and enable geo-blocking to exclude prohibited jurisdictions.
  • Live dealer studios need secure premises, biometric access, camera coverage rules, and dealer training/controls.
  • Risk & trading (for sportsbook) must demonstrate market-abuse controls, feed redundancy, and suspension logic for integrity events.

17) Contracting With Operators: Clauses to Get Right

  • Regulatory audit rights (PAGCOR and AMLC access; data export obligations).
  • Change and incident SLAs aligned to regulatory timelines.
  • Data processing agreement (roles, sub-processors, cross-border transfers, breach notices).
  • Source code/escrow for mission-critical modules.
  • Termination assistance and data repatriation.
  • Compliance warranties and indemnities tied to certification status and IP.

18) Sanctions and Enforcement

Non-compliance can lead to:

  • Fines, suspension, or revocation of the supplier’s authority;
  • Blacklisting of unapproved devices or uncertified titles;
  • Forfeiture of bonds;
  • Referrals to AMLC/NPC/BIR/DOLE or law enforcement for parallel violations.

19) Practical Checklist (B2B Supplier)

  • Philippine entity/branch registered with SEC; LGU permits.
  • UBO disclosures; fit-and-proper packs for key persons.
  • BIR registration; tax model validated (general vs sector-specific).
  • InfoSec program; ISO 27001 roadmap; recent pen test.
  • Independent lab certifications (RNG, math, protocols).
  • Compliance manual (AML support, RG features, incident/change).
  • Hosting/DR design; data mirroring to regulator if required.
  • Regulatory reporting APIs tested; log retention configured.
  • Third-party risk controls for sub-processors.
  • Contracts with operators include audit/data/escrow clauses.
  • Operational readiness: trained staff, ticketing, release cadence.

20) Final Notes

  • Rules are circular-driven and evolve. PAGCOR periodically updates fee schedules, technical standards, and supplier categories. Always align your submissions and operations with the current circular applicable to your sector and the specific operator relationships you intend to support.
  • Local counsel and compliance leadership are critical. Appoint Philippine counsel and a senior compliance officer empowered to engage proactively with PAGCOR, NPC, BIR, and AMLC.
  • Document everything. From build pipelines to math attestations and RCA packs, well-kept records are your best defense in audits and incident reviews.

This article is for general information only and is not legal advice. For a specific project, obtain advice tailored to your products, partners, hosting topology, and tax posture under the latest PAGCOR issuances.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login