Combat Matchfixing
News & Events

ESSA response: Spanish Sports Betting

Combat Matchfixing

Combat Matchfixing

News & Events

ESSA 2018 Annual Integrity Report


Code of Conduct

Our code of conduct

ESSA regards its Code of Conduct as an important statement by its members to their commitment to socially responsible sports betting. The Code should be used in conjunction with each member’s national licensing requirements:

Introduction and Application


ESSA was established by leading regulated betting operators to meet the challenges presented by match-fixing in sport. It currently represents many of the world’s largest regulated betting operators and is actively involved in national and international discussions to protect regulated betting markets, consumers and sporting events from the negative effects of match-fixing.

ESSA and its members have a clear business need to work with other stakeholders to address betting-related corruption in sport. Building partnerships is at the core of ESSA’s approach in achieving this goal.

The association works closely with its members and other key stakeholders to exchange information related to potential match-fixing and to identify and sanction those responsible. ESSA and its members have provided important data leading to sporting and criminal sanctions against match-fixers. This has deterred corrupters from regulated betting markets, with fixers primarily focusing on unregulated markets.


ESSA regards its Code of Conduct (also referred to as “the Code”) as an important statement by its members of their commitment to socially responsible sports betting practices and the protection of sport, consumers and regulated betting markets. The Code should be applied in conjunction with each member’s national or international gambling licensing or associated legal requirements as well as being supported by appropriate customer Terms and Conditions. It sets out the minimum standards expected of ESSA members which should be adopted except where licensing or other legal obligations differ or exceed the requirements set out in this Code.

All ESSA members are required to adhere to the organisation’s Code – as listed below and which may be revised as the ESSA Board (also referred to as “the Board”) determines. Members will be informed of any changes to this Code and be given at least 8 weeks from that date to implement any necessary changes within the operational structures of their respective businesses. Any issues concerning the implementation of any new or existing Code of Conduct requirement/s should be made to the Board at an early stage to determine if further time to meet that condition/s is warranted; this will only be agreed in exceptional circumstances.

Sanctions for not adhering to this Code of Conduct, as determined by the ESSA Board, may include:
• Suspension of membership; and
• Revocation of membership.

Any enquiries about this Code should be made to the ESSA Secretary General.

1. Promoting ESSA aims and objectives

ESSA’s principal goal is to protect its members, consumers and partners from potential fraud caused by the unfair manipulation of sports and other events. This requires a cross-sector and multi-national approach. Members are expected to promote ESSA’s core aims in their day-to-day internal and external operational activities, and in particular to aspire to:

  • Protect the integrity of sports and other events by preventing criminals from profiting from regulated betting;
  • Provide a safe and secure betting environment for consumers;
  • Work in partnership with other stakeholders at national and international levels;
  • Be a leading voice in the discussion on how to combat betting-related corruption;
  • Campaign for an evidence-based debate to ensure that policy actions are effective;
  • Promote the regulation of betting as a key element in defeating match-fixing;
  • Work with the sports sector to ensure that robust rules and sanctions are in place; and
  • Support the education of players and other sporting personnel about match-fixing.

2. Staff Betting Policies & Preventing Conflicts of Interest

ESSA members must seek to avoid ethical and commercial conflicts and observe the necessary precautions to preserve the integrity of sport and associated regulated betting markets. To this end, the following operational activities are required to be implemented and enforced:

  • Members’ employees must be restricted or prevented from betting on their own betting products;
  • Members must have a staff betting policy that strictly prevents employees from the exploitation of inside information that could adversely impact the integrity of sporting and other events and the associated betting markets, for example placing bets based on an ESSA alert;
  • Members should play no role in or have a direct influence over any decisions that could have a negative impact on the integrity of a sporting event and/or associated betting markets; and
  • Members will support any stakeholder, such as a sport or regulatory authority, that prohibits or restricts players, coaching staff or any other individual associated with that event from betting on it and provide information of any violations of that to the relevant authorities.

3. Participation in ESSA’s Monitoring and Alert System & Cooperation with Stakeholders

A central tenet of ESSA’s role is to protect the integrity of any event for which betting markets are offered by providing information to stakeholders regarding any suspicious betting activity taking place on ESSA members betting markets.

To achieve this, ESSA has developed a monitoring and alert platform (The Platform) which all members have access to and are obliged to support. The process seeks to quickly and efficiently determine if any fraudulent activity or manipulation may have taken place on any sports or relevant event offered by members. The process works as follows:

  • ESSA members know their customers and invest significant sums in sophisticated and robust risk management systems which detect suspicious activity in their markets.
  • When a member identifies unusual or suspicious activity that cannot be explained they raise an alert in the ESSA platform. All other members are then notified and must respond quickly and in detail indicating whether they also saw similar activity
  • ESSA’s Betting Integrity Officer then conducts a detailed review where a series of factors are analysed to establish if the activity is suspicious and warrants further reporting to an external stakeholder.

Each member must appoint and advise ESSA of at least four contact persons to whom an alert can be sent and/or who can raise an alert in the Platform. These contact persons must come from the Trading, Integrity/Security team or equivalent. The quality and speed of alert responses are monitored closely by ESSA and data on this is shared with members quarterly. Any issues in this regard will be addressed with members directly and may result in further action.

A betting pattern is only confirmed as suspicious after ESSA has made detailed enquiries with relevant members to eliminate any prospect that the unusual patterns could be for legitimate reasons, such as information in the public domain or pricing the market incorrectly. Members must be prepared to provide further information to ESSA’s Betting Integrity Officer or other relevant person, for example information on the stakes of suspicious bets and other information on the profile of the accounts involved. Due to commercial sensitivities this information can be provided directly to ESSA if necessary and will not be visible to other members in the platform.

ESSA has also produced detailed guidelines on the difference between unusual and suspicious activity, how ESSA review alerts and where they are reported to. These have been provided to all members via the Platform and will also be issued to any new member upon sign up.

Where it appears that suspicious activity may have taken place, ESSA will:

i) report that to the relevant authority, such as Sports Governing Bodies (SGB) or Gambling Regulators (GRs), notably (but not necessarily exclusively) those with which it has information sharing arrangements;

ii) require those member(s) on whose markets potentially fraudulent activity has taken place to immediately report the activity and provide relevant details to the applicable authority, for example their Gambling Regulator. In addition, members should also be prepared to provide relevant details to SGBs or other appropriate stakeholders (see below).; and

iii) provide detailed feedback in the Platform to all members on why an alert was deemed suspicious, the action taken and also manage the process for obtaining investigative updates on behalf of members who have frozen suspicious winnings.

In relation to (ii) above, in addition to any national or international licensing requirements and noting any associated legal obligations on issues such as data protection that may restrict full data disclosure, ESSA expects its members to act in manner that is timely, open and accommodating with other stakeholders. The overriding approach should be one of working in partnership with stakeholders and assisting them in fully investigating suspicious and potentially fraudulent activity. The approach to disclosure related to suspicious betting activity should be to provide sports, regulatory and law enforcement authorities with as much detailed information as possible to facilitate thorough investigations and aid any subsequent prosecutions. Following the receipt of an ESSA alert the relevant SGB or Regulator may decide to conduct an investigation and request further information on the suspicious customers. Members should be prepared to provide relevant details to SGB or other relevant stakeholders.

If members deem they cannot for legal reasons disclose directly to an SGB or other appropriate stakeholders, they should make the information available to their regulator (or other public body) and encourage the SGB to liaise with the relevant regulator.

Where, following their own investigation, a sport, regulatory or law enforcement body determines to take sporting or criminal action against a person or a group of persons regarding betting-related corruption, ESSA is committed to making all reasonable and legally responsible efforts to assist those parties with their investigation and expects all members to engage and support that approach.

It is also important to note that although ESSA will make every effort to assist the relevant authority in undertaking their investigations ESSA itself is not an investigatory body and will not conduct investigations. As such members should not advise their customers that payment of a suspicious bet has been withheld or any other account-related action taken pending an investigation by ESSA.

4. Data Protection – Disclosure of information – Processing Agreement

4.1. Disclosure of information and data protection

ESSA and its Members are working together for sport betting integrity by making alert for unusual betting. This involves, in the ordinary course of business operations, sharing of Personal Data (as defined below).

All the Members act as Joint-controller (as defined below) regarding the unusual betting processing that takes place on the ESSA platform.  All the Members jointly agree to appoint ESSA as a processor for the processing of Personal data (as defined below) in the context of the unusual betting processing.

ESSA complies with the applicable legislation on personal data protection, in particular when processing personal data in accordance with the Processing Agreement below (see section 4.2.) in relation with any irregular betting patterns or insider betting within the framework of the ESSA platform.

Members acknowledge that they comply with all applicable legislation on personal data protection, especially when collecting personal data, by informing concerned data subjects properly about the various purposes of the processing and the categories of recipients of their personal data, taking into account data processing in the framework of the ESSA platform.

4.2. Data Processing Agreement

This processing agreement (the “Agreement”) is an integral part of the ESSA Code of Conduct and ESSA and its Members recognize that they are bound by this Agreement.


In this Agreement, the following terms shall have the following meanings: 
a. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
b. “GDPR” means the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
c. “GRs” means gambling regulators;
d. “Joint Controller” means the natural or legal person, public authority, agency or other body which, jointly with others, determines the purposes and means of the processing of personal data;
e. “LEAs” means law enforcement agencies;
f. “Personal Data” means any information relating to an identified or identifiable natural person;
g. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
h. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; and
i. “SCC” means standard contractual clauses adopted by the European Commission to offer sufficient safeguards on data protection for the data to be transferred internationally.
j. “SGBs” means sport governing bodies. 

In the context of the ESSA platform, sporting participant’s Personal Data are provided to ESSA by its Members on occasions when unusual betting activity is detected and for running checks on sporting events.  Members share information on unusual betting patterns via the ESSA platform.

If a Member identifies activities that cannot be explained, they raise an alert in the ESSA platform. After the alert is raised, other Members are then notified that there is an alert and must respond quickly indicating whether they also saw suspicious activity.

The purpose of this processing is to protect its Members for betting‑related fraud and also to assist SGBs, GRs and LEAs in conducting investigations into potential match fixing or a breach of SGB rules.

The Personal Data concerned by this Agreement are the names of sporting participants and sporting data but not the Personal Data of Members customers.

This Agreement remains valid during the ESSA’s membership of the concerned Member.


Members recognize that they jointly determine the purposes and means of processing concerning unusual betting.

Their respective responsibilities for compliance with the obligations under the GDPR in particular in regards to exercising the rights of the data subject and their respective duties to provide the information to data subject is exercised by each Member initiating the concerned alert.

If data subject or data protection authority’s requests is applied before a Member, this Member shall respond to all of these requests and may ask assistance to ESSA.

This section permits to determine the respective responsibilities of Joint-controllers for compliance with the GDPR as imposed by Article 26 of the GDPR. As a rule of principle, each Joint-controller shall be liable for its own actions and Processing. In any event, any joint controller that proves that it is not in any way responsible for the event and/or the Processing shall be exempt from liability.

Where more than one joint controller is involved in the same Processing, they are jointly responsible for any damage caused by the Processing. In this case, each Joint-controller shall be held liable for the entire damage. Where a Joint-controller has paid full compensation for the damage suffered that Joint-controller shall be entitled to claim back from other(s) Joint-controller(s) involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage.


ESSA shall process the Personal Data only on documented instructions from its Members, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, ESSA shall inform its Members of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.


Members expressly authorize ESSA to share Personal Data with relevant SGBs, GRs and LEAs in the context of any suspicious betting on a sporting event or competition in order to enable them to take appropriate action. This sharing shall take place in the context of a written agreement with the relevant SGBs, GRs and LEAs as provided by the section 4.2.6 below.

Members authorize ESSA to transfer Personal Data to relevant SGBs, GRs and LEAs that are located in third countries (outside the EEA) where that third country in question ensures an adequate level of protection in the meaning of the GDPR or if appropriate safeguards are provided. In this way, in the absence of an adequacy decision concerning the third country in question, ESSA can only transfer Personal Data to third countries when SCC are signed in accordance with the section 4.2.7 below.


Members expressly authorize ESSA to sign MoU on their behalf with SGBs, GRs and LEAs to permit the sharing of information concerning irregular betting patterns or suspicious betting activity which occurs in respect of events and competitions.


Members expressly authorize ESSA to sign SCC on their behalf with relevant SGBs, GRs and LEAs to permit transfer of personal data to a third country in the context of unusual betting processing.


ESSA shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ESSA, along with and under the instructions of its Members, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • The pseudonymisation and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and the resilience of Processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

ESSA shall take steps to ensure that any natural person acting under its authority who has access to Personal Data does not process them except on instructions from its Members, unless he or she is required to do so by Union or Member State law.


For engaging a Sub-Processor, ESSA must obtain the prior specific or general written authorization of its Members. In the case of general written authorization, ESSA shall inform its Members of any intended changes concerning the addition or replacement of other Processors, thereby giving its Members the opportunity to object to such changes.

The same data protection obligations as set out in this Agreement between Members and ESSA shall be imposed on the sub-Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where that sub-Processor fails to fulfil its data protection obligations, ESSA shall remain fully liable to its Members for the performance of that sub-Processor’s obligations.


Taking into account the nature of the Processing, ESSA shall assist its Members by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of its Members’ obligation to respond to requests for exercising the following Data Subject’s rights:

  • Information to provide to the data subject;
  • Right to access;
  • Right to rectification;
  • Right to erasure;
  • Right to restriction of Processing;
  • Right to data portability;
  • Right to object to automated individual decision-making. 


ESSA shall assist its Members in the fulfillment of the following obligations, to which its Members are subject:

  • In addition to its own security obligations, ESSA shall assist its Members in complying with their security obligations;
  • Notification of personal data breaches to the supervisory authority;
  • Communication of personal data breaches to the data subject;
  • Elaboration of a data protection impact assessment;
  • Prior consultation with a supervisory authority, where the data protection impact assessment revealed high privacy risks.


ESSA shall delete all the Personal Data after the end of the Processing, and existing copies unless Union or Member State law requires storage of the Personal Data. 


ESSA shall make available to its Members all information necessary to demonstrate compliance with the compulsory clauses of Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by its Members or another auditor mandated by its Members. 


ESSA shall immediately inform its Members if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

5. Removing or suspending betting markets

It is a fundamental integrity provision that ESSA members ensure that they safeguard their customers, sports, other event organisers and businesses from the threat of betting-related match-fixing. When potential fraudulent betting activity is identified, they must give serious consideration to suspending or removing relevant betting markets. It is important that consumers and regulatory authorities are informed of the need for such market restrictions. ESSA members are expected to use their own risk management systems when deciding whether to reinstate a market.

In addition, members should also give due consideration to freezing payment of winnings or withholding settlement of suspicious bets. This can act as a deterrent to suspicious customers but also must adhere to any regulatory requirements.

6. Risk Management and Internal Policies

ESSA members are required to have adequate tools and processes in place to facilitate effective risk management principles and security protocols that ensure a risk-based approach underpins and protects operations. All bets should be monitored in real-time across all platforms (e.g. online, mobile, retail), with clear procedures for identifying suspicious betting patterns and with subsequent mitigating and reporting actions in place.

In particular, members should adopt suitably effective and rigorous Know-Your-Customer (KYC) requirements to produce digital finger prints and audit trails that can be used as a clear evidence-base from which to identify and investigate corrupt betting activity. All staff engaged in determining betting markets and accepting bets should be aware of the risks of corrupters seeking to manipulate sporting events for financial gain through betting markets. ESSA has also produced detailed guidelines on the difference between unusual and suspicious activity, how ESSA review alert and where they are reported to. These should be provided to staff where applicable.

Members should also have policies and processes that detail how the accounts of customers who have bet suspiciously are dealt with. For example, seeking further information from the customer and, where appropriate, a process for withholding payment of suspicious bets pending investigation by a sports governing body. Any process should be in-line with the relevant regulatory requirements.

Match-fixing and the manipulation of sporting and other relevant events has also been linked to money laundering. Members should be mindful of this when meeting their respective national or international anti-money laundering (AML) obligations and in their identification of suspicious betting activity. In particular the 4th Money Laundering Directive.

7. Confidentiality of ESSA Data

The data contained within the Platform is sensitive and must be kept strictly confidential. Alerts are for members internal use only and should never, under any circumstances, be discussed externally (apart from with relevant sports or regulators) or on social media. ESSA has produced a confidentiality declaration which must be signed by all employees who have access to the Platform or the data within it.

8. Enforcement and disciplinary actions

Each member is required to notify ESSA who their main point of contact is for integrity matters. ESSA will then notify this person of potential issues regarding breaches of the Code. ESSA will monitor adherence to the Code and also make members aware of their performance regularly, for example by sharing alert response rates with all members on a quarterly basis.

Following the appropriate ESSA disciplinary procedure, members may be suspended, excluded or other sanction applied by the ESSA Board, as its determines, if they:

  • Facilitate suspicious betting by continuing to accept bets after the member knows that there is evidence to suspect that corruption is or will occur on that market or sporting event;
  • Fail to report knowledge or evidence of suspicion of corruption related to betting;
  • Advise or tip-off an individual that he/she is, or may be, under investigation;
  • Fail to keep ESSA alert data and other information confidential;
  • Making public any details about a possible investigation without prior consent of the ESSA Secretary General;
  • Fail to respond to alerts in a timely and detailed fashion;
  • Place bets with another betting operator (regulated or unregulated) on a sports event that has been reported to members as suspicious, either for personal gain or to hedge; or
  • Breaching the ESSA Code of Conduct, membership standards and/or any action that may jeopardize the overall objective of ESSA or bring its reputation into disrepute.

Compliance with the above will be monitored closely by the ESSA secretariat.

  Download the Code of Conduct