Minimum Internal Control Standards, 58707-58729 [2012-23155]

Agencies

• DEPARTMENT OF THE INTERIOR
• National Indian Gaming Commission

[Federal Register Volume 77, Number 184 (Friday, September 21, 2012)]
[Rules and Regulations]
[Pages 58707-58729]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-23155]



[[Page 58707]]

Vol. 77

Friday,

No. 184

September 21, 2012

Part V





Department of the Interior





-----------------------------------------------------------------------





National Indian Gaming Commission





-----------------------------------------------------------------------





25 CFR Part 543





Minimum Internal Control Standards; Final Rule

Federal Register / Vol. 77 , No. 184 / Friday, September 21, 2012 / 
Rules and Regulations

[[Page 58708]]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

National Indian Gaming Commission

25 CFR Part 543

RIN 3141-AA27


Minimum Internal Control Standards

AGENCY: National Indian Gaming Commission, Interior.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The National Indian Gaming Commission (NIGC) amends its 
minimum internal control standards for Class II gaming under the Indian 
Gaming Regulatory Act to provide comprehensive and updated standards 
for all aspects of Class II gaming. These amendments replace the 
partial standards published in 2008 with a set of comprehensive 
standards for the entire Class II gaming environment. The new sections 
include, for example: Card games; drop and count; surveillance; and 
gaming promotions and player tracking. The amendments also update and 
reorganize existing sections, such as bingo and information technology. 
The amendments reflect advancements in technology and provide auditable 
standards while leaving more areas in which the Tribal Gaming 
Regulatory Authorities (TGRAs) may exercise discretion.

DATES: This rule is effective on October 22, 2012.

FOR FURTHER INFORMATION CONTACT: Jennifer Ward, National Indian Gaming 
Commission, 1441 L Street NW., Suite 9100, Washington, DC 20005. 
Telephone: 202-632-7009; email: reg.review@nigc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

    The Indian Gaming Regulatory Act (IGRA or Act), Public Law 100-497, 
25 U.S.C. 2701 et seq., was signed into law on October 17, 1988. The 
Act establishes the NIGC and sets out a comprehensive framework for the 
regulation of gaming on Indian lands. On January 5, 1999, the NIGC 
published a final rule in the Federal Register called Minimum Internal 
Control Standards. 64 FR 590. The rule added a new part to the 
Commission's regulations establishing Minimum Internal Control 
Standards (MICS) to reduce the risk of loss because of customer or 
employee access to cash and cash equivalents within a casino. The part 
contains standards and procedures that govern cash handling, 
documentation, game integrity, auditing, surveillance, and variances, 
as well as other areas.
    Part 543 addresses minimum internal control standards (MICS) for 
Class II gaming operations. The regulations require tribes establish 
controls and implement procedures at least as stringent as those 
described in this part to maintain the integrity of the gaming 
operation and minimize the risk of theft.
    The Commission recognized from their inception that the MICS would 
require periodic review and updates to keep pace with technology, and 
has amended them three times since: June 27, 2002 (67 FR 43390), August 
12, 2005 (70 FR 47108), and October 10, 2008 (73 FR 60498). In addition 
to making updates to account for advances in technology, the 2008 MICS 
also included part 543 and began the process of relocating all Class II 
controls into that part. The MICS do not classify games as Class II or 
Class III; rather, they provide minimum controls for gaming that is 
assumed to be Class II.
    On November 18, 2010, the NIGC issued a Notice of Inquiry and 
Notice of Consultation advising the public that the NIGC endeavored to 
conduct a comprehensive review of its regulations and requesting public 
comment on which were most in need of revision, in what order the 
Commission should review its regulations, and the process NIGC should 
utilize to make revisions. 75 FR 70680. On April 4, 2011, after 
consulting with tribes and reviewing all comments, the NIGC published a 
Notice of Regulatory Review Schedule (NRR) setting out a consultation 
schedule and process for review. 76 FR 18457. The Commission's 
regulatory review process established a tribal consultation schedule 
with a description of the regulation groups to be covered at each 
consultation. Part 543 was included in this regulatory review.

II. Previous Rulemaking Activity

    The Commission consulted with tribes as part of its review of part 
543. In response to comments received, the Commission appointed a 
Tribal Advisory Committee (TAC) to review and recommend changes to part 
543. The TAC submitted its recommendations for part 543 on February 14, 
2012.
    The Commission developed a preliminary discussion draft based upon 
recommendations from current and previous TACs, NIGC staff and subject 
matter experts. The Commission published the preliminary draft on its 
Web site on March 16, 2012, and requested that all comments from the 
public be provided to the Agency by April 27, 2012. The Commission held 
two consultations on the preliminary draft and received numerous 
written comments.
    After reviewing comments and making revisions, the Commission 
published a Proposed Rule on June 1, 2012 (77 FR 32444). The Commission 
held several consultations. At the request of commenters, the 
Commission published a notice on July 24, 2012, extending the comment 
period to August 15, 2012 (77 FR 43196).

III. Review of Public Comments

A. General Comments

    Commenters generally stated that the rule is an improvement over 
the current MICS. Some commenters noted that these regulations provide 
tribes with more flexibility than the existing MICS or the 2010 
proposal, but many stated that part 543 should be drafted to provide 
even more flexibility to tribal regulators and gaming operations. 
Commenters suggested removing the procedural requirements and measuring 
compliance by the extent to which tribes have successfully achieved a 
regulatory standard, rather than the extent to which tribes have 
followed step-by-step procedures in the MICS. The Commission declines 
to take this approach and believes the standards set forth in this part 
are both appropriate and sufficiently detailed to be implemented by 
tribes.
    Commenters noted several provisions in the MICS--notably in the 
Bingo and Information Technology sections--that they argued either 
surpassed the requirements of 547 or would be more appropriately placed 
there. Necessarily, there is substantial interplay between the 
Technical Standards in part 547 and the MICS of this part, and many 
standards could arguably be placed in either. The Commission reviewed 
each of these comments and determined that the standards to which the 
commenters refer are best categorized as control standards and declines 
to move them to Part 547. Further, where a standard may unintentionally 
require older devices to produce a report that it is not capable of 
producing (bingo card sales tracking or kiosk reports, for example), 
the Commission has revised the standard to allow an exemption for the 
devices, so long as their limitations are noted.
    Similarly, commenters suggested that provisions for vouchers and 
cash and cash equivalents should be relocated from individual sections 
to Sec.  543.18 (Cage, vault, etc.). The Commission declines to 
relocate those provisions because the controls are specific to the 
section in which they appear. The exception is the vouchers subsection 
of

[[Page 58709]]

Sec.  543.8 (Bingo), which is identical to the subsection added to 
Sec.  543.18. It is needed in Sec.  543.8 because bingo department 
agents, for example, sometimes pay vouchers on the floor. The 
subsection is also necessary in Sec.  543.18 because the cage (and 
kiosks) redeems the majority of vouchers. Therefore, despite the 
redundancies, the Commission included the voucher subsection in both 
Sec.  543.8 (Bingo) and Sec.  543.18 (Cage, vault, etc.).
    Additionally, two commenters provided extensive comments in red-
line format. The Commission has reviewed those comments, and, to the 
extent those comments identified inconsistent language, noted 
grammatical errors, or suggested stylistic changes, the Commission has 
made changes where appropriate. One of the changes suggested in the 
red-line comments was to delete ``authorized'' where it modified 
``agent'' because agents are necessarily authorized. The Commission 
understands that point, but stresses that, where the MICS require an 
``authorized agent'', the term refers to an agent specifically 
authorized for the particular department or function. The red-line 
comments also noted that variance thresholds are more appropriately 
determined by the gaming operation and approved by the TGRA. The 
Commission agrees and has revised the rule accordingly.

B. Definitions

    Based on comments, the Commission added definitions for the 
following: cashless transaction, complimentary services or items, 
coupon, financial instrument storage component, voucher, and voucher 
system.
    Commenters also suggested that the terms kiosk, sufficient clarity, 
and surveillance system be revised to avoid limiting technology. 
Accordingly, the Commission redefined kiosk to be a device capable of 
performing one of two core functions. Kiosks may perform additional 
functions beyond those in the definition, but only the devices that are 
able to perform those core functions are subject to the kiosk controls. 
``Sufficient clarity'' was revised to allow for an equivalent to the 20 
frames per second recording speed. The Commission declines, however, to 
revise the definition of surveillance system in response to commenters 
who suggested that the specified equipment, specifically ``video'' 
cameras may limit technology. Video cameras are not limited to tape 
formats and may be digital. The Commission also revised the definition 
of the TICS to provide a more complete definition.
    Commenters also suggested that the definition of ``Gaming 
promotion'' should be limited to promotions requiring Class II game 
play as a condition of eligibility. The Commission declines to limit 
the definition, believing that NIGC's authority is already sufficiently 
described by the title of the part (Class II MICS). Promotions offered 
solely to Class III gaming participants are not covered by this part or 
the gaming promotion definition, in particular. However, where 
eligibility may be secured by playing either Class II or III games, 
this definition applies. Because the suggested revision fails to 
include ``either II or III'' promotions, the Commission declines to 
adopt it.
    Finally, the Commission notes that commenters requested language 
requiring the implementation of procedures ``to prevent unauthorized 
access, misappropriation, forgery, theft, or fraud.'' Rather than 
repeat the language, the Commission added it to the definition of SICS 
so that it applies to all implementing procedures. Consequently, the 
Commission removed the language from individual provisions where it 
appeared.

C. Interpretive Provisions and Compliance

    Commenters suggested adding five interpretive provisions to Sec.  
543.3. First, commenters requested a provision stating that nothing in 
this part is intended to limit technology. The Commission agrees that 
nothing in this part is intended to limit technology, but believes such 
a provision is properly located in the technical standards rather than 
control standards. Although the Commission declines to add a general 
statement that nothing in this part is intended to limit technology, it 
reviewed and made appropriate changes regarding all comments that 
specifically noted possible limitations. Similarly, several commenters 
requested that the Commission expand computer applications in Sec.  
543.3(e) to include other technologies. The Commission declines, but 
clarifies that computer applications include software regardless of 
whether it is commonly regarded as a ``computer application''.
    Second, commenters recommended that the Commission include a 
section specifying that only applicable control standards apply. The 
Commission addressed this concern by changing Sec.  543.3(b) to require 
TGRAs to ensure that ``TICS are established and implemented that 
provide a level of control that equals or exceeds the applicable 
standards set forth in this part.'' (emphasis added). In other words, 
TGRAs need only establish TICS for applicable standards. The Commission 
does not believe any further clarification is necessary.
    Third, some commenters advocated for the inclusion of a 
severability clause to ensure that, should a court conclude that any 
part of this regulation is invalid, such invalidity will not affect the 
rest of the part. The Commission also addressed this concern in the 
previous preamble, stating that severability clauses are not conclusive 
of an agency's intent (Canterbury Liquors v. Sullivan, 999 F. Supp. 144 
(D.MA. 1994)) and that ``the ultimate determination of severability 
will rarely turn on the presence or absence of such a clause.'' 
Community for Creative Non-violence v. Turner, 893 F. 2d 1387 (D.C. 
Cir. 1990), citing United States v. Jackson, 390 U.S. 570, 585 n. 27 
(1968). Again, the Commission declines to include a severability clause 
in this regulation because it believes that the regulations are not so 
intertwined that striking one provision would necessarily always 
require invalidation of the entire part, and the lack of a severability 
clause will not compel a court's finding on the issue.
    Fourth, many commenters requested the inclusion of a provision 
recognizing that tribes are the primary regulatory authority for Class 
II gaming. The Commission declines to insert the requested language 
into the regulation. The Commission agrees that tribes are the primary 
regulators of Indian gaming, but has never understood that to mean that 
the regulatory authority of a TGRA is superior to that of the NIGC. 
Rather, the Commission recognizes that TGRAs are the day-to-day 
regulators of Indian gaming and the first line of oversight at every 
facility. Although the findings section of IGRA states that tribes have 
the exclusive right to regulate gaming activity on Indian lands, IGRA 
also establishes a regulatory scheme that includes the NIGC as well as 
tribes.
    Fifth, several commenters requested a provision stating that the 
regulations are not intended to require a particular organizational 
structure. The Commission declines to add the provision because it 
could be read too broadly, but clarifies that the terms ``supervisor'' 
or ``manager'', as they are used within the MICS, reference the agent's 
authority level, not the agent's job title.
    In addition to the five requested interpretative provisions, 
commenters also questioned the Commission's authority to require a 
System of Internal Controls (SICS) and the standard by which the 
Commission will judge deficiencies in the SICS. In response,

[[Page 58710]]

the Commission has revised the part to clarify that Tribal Internal 
Control Standards (TICS) must be implemented, and that SICS are the 
policies and procedures to carry out the implementation. The 
enforcement provisions have also been revised to reflect the 
Commission's intent that it not judge the sufficiency of the SICS. The 
provision now provides that enforcement action may be initiated for 
deficiencies in the TICS or absence of SICS.

D. Charitable Operations

    Commenters requested clarification that the charitable gaming 
operations described in Sec.  543.4 are not limited to those with a 
501(c)(3) designation. The Commission agrees that it does not intend to 
limit the definition of charitable organizations to those with a 
501(c)(3) designation. For purposes of the MICS, an organization is 
charitable if the regulating tribe recognizes it as such.
    Further, the Commission reviewed the exception for charitable 
operations. Rather than cause unnecessary confusion by removing it, the 
Commission has left the charitable gaming exception in place, despite 
any redundancy it may have with the small gaming operation exception.

E. Alternate Minimum Standard

    The Commission received several comments at consultations asking 
for clarification of the process. Provisions were added to clarify that 
operations may implement an alternate standard once it has been 
approved by the TGRA, that operations may continue to implement the 
standard upon approval from the Chair, and that operations must revert 
to the relevant MICS if the Chair objects to the standard.

F. Bingo

    Commenters generally supported the Commission's consolidation of 
manual and Class II gaming system bingo into a single Bingo section, 
but many of the other comments on this section were very specific.
    In response to comments requesting that Sec.  543.8(d)(1) be 
limited to ``physical'' objects, the Commission made the change, but 
also re-ordered the subsection to eliminate redundancy and better 
clarify which controls apply to physical objects.
    Commenters objected to the installation testing requirements, 
suggesting that all testing standards should be included in part 547. 
The Commission disagrees and emphasizes that--contrary to technical 
standards, which test the system itself--installation testing standards 
are meant to ensure that components have been properly connected to 
associated equipment and are functioning as intended.
    Commenters also objected to the removal, retirement and/or 
destruction standards, explaining that these details are often spelled 
out in their lease agreements. The Commission understands that tribes 
may not have control over the disposition of machines and software, and 
points out that the MICS do not require specific procedures, only that 
they address certain areas.
    Many expressed confusion resulting from a missing line break 
between Sec.  543.8(g)(8) Dispute resolution and (h) Operations. 
Dispute resolution is the final of eight areas for which procedures 
must be developed relating to the use of technological aids in bingo. 
``Operations'' begins a new subsection.
    Finally, some also questioned clarification for the term ``other 
associated meter information'' as it appears in Class II gaming system 
sales. This refers to meter information that reflects anomalies such as 
malfunctions.

G. Pull Tabs and Card Games

    As a result of a number of comments that questioned the usefulness 
of analyzing pull tab statistical records before the deal is finished, 
the Commission eliminated requirements for conducting a statistical 
review at regular intervals. The Commission agrees that statistical 
analysis is useful for pull tabs only when the deal is finished or has 
been removed from play.
    Regarding card room supervision, one commenter expressed concern 
that allowing a supervisor to function as a dealer without other 
supervision could result in inadequate supervision. The Commission 
specifically requested additional comments regarding that issue and 
received no additional comments. Therefore, the Commission declines to 
revise the provision, but notes that it is an area where TGRAs may wish 
to issue more stringent controls.
    Some comments suggested that it is unheard of in the industry to 
require supervisory authorization for every exchange or transfer from a 
card table. These comments do not take into account the second half of 
the provision, which does not require supervisory authorization for 
banks maintained at an imprest level. Because nearly all card room 
banks are maintained at an imprest level, exchanges requiring 
supervisory authorization are very rare.

H. Player Tracking, Gaming Promotions, and Complimentary Items

    Many commenters objected to the gaming promotion and player 
tracking standards, arguing that the Commission should defer to TGRAs 
to establish standards, and that the NIGC lacks authority to regulate 
these areas. The Commission agrees that TGRAs should establish 
standards, which is precisely the reason the standards do not detail 
requirements, and instead provide a general outline of areas that must 
be addressed and displayed to patrons. The Commission disagrees with 
commenters regarding its authority. Gaming promotions, as defined in 
the rule, require game play as a condition of eligibility. For example, 
the promotions standards are not applicable to the type of promotion in 
which a patron drops a free card into a tumbler drawing. This rule 
applies to promotions that are directly related to gaming activity and 
are, therefore, within the scope of the Commission's authority to 
establish Class II MICS. Further, although player tracking systems may 
be useful for gathering other customer data, their primary purpose is 
to track game play and issue rewards based upon that play. Because the 
player tracking and gaming promotions in this rule require game play to 
become eligible for rewards, the Commission concludes that they relate 
to gaming activities and are within the scope of its authority.
    Commenters also questioned the inclusion of promotions, patron 
accounts, coupons and vouchers in the player tracking subsection 
because they are all controlled in separate sections. The Commission 
revised the heading to include both player tracking and promotions, but 
also points out that there are no coupon or voucher controls in this 
section. The standard requires that changes to the ``player tracking 
systems * * * which control external bonusing system parameters such as 
the * * * issuance of * * * coupons or vouchers * * * must be performed 
under the authority of a supervisory agent * * *.'' (Sec.  543.12(d)).
    Finally, commenters requested clarification of the use of 
``tracking'' in the complimentary services and items section. The 
Commission agrees that the term caused confusion and revised the 
standard to require ``documenting and recording the authorization, 
issuance, and redemption'' of complimentary services or items.

I. Patron Deposit Accounts

    As a result of comments, the Commission added a provision 
specifically allowing for a Personal

[[Page 58711]]

Identification Number as a method of verifying identity. The Commission 
rejected comments suggesting that the industry standard definition of 
smart card conflicts with this section because it prohibits smart cards 
from being the only source of account data. While that may have been 
the case at one time, today, a smart card must not be the only source 
of account data in this section because it must retrieve the data from 
some other source.

J. Drop and Count

    Many commented generally that the section is too procedural and it 
should be one streamlined standard instead of separated by game. The 
Commission agrees this section is more procedural than others, but drop 
is a process that differs by game and count is necessarily detailed.
    Some comments suggested using one term for both financial 
instrument storage components and drop boxes. Although they serve the 
same purpose, financial instrument storage components are an industry 
term specific to player interfaces, while drop boxes are specific to 
card tables. Applying either of the terms universally could create 
confusion. The Commission revised the card game drop and player 
interface drop standards in response to comments suggesting that the 
two should mirror each other where they address the same control 
(notifying surveillance of the drop, for example).
    The Commission also agrees with comments suggesting that a cage/
vault agent should be allowed to be on the count team if they are not 
the sole recorder of the count and do not participate in the transfer 
of drop proceeds to the cage/vault. The Commission declines to revise 
the provisions requiring supervisory participation because it is a 
necessary control.

K. Cage, Vault, Kiosk, Cash and Cash Equivalents

    The Commission accepted numerous suggestions in this section. Most 
notably, the Commission revised the kiosk section to require a series 
of reconciliation reports be available on demand. If the system is not 
capable of producing a report(s), the limitation must be documented. 
Commenters stated that the physical and logical controls from the kiosk 
subsection are already addressed in the information technology section, 
but the Commission does not agree that the redundancy is clear and 
declines to remove them.
    The Commission agrees with a suggestion to eliminate the $100 
minimum threshold for requiring specific documentation on cage 
increases or decreases. Specific documentation is now required for all 
increases or decreases to cage inventory.
    Finally, the Commission accepted a suggestion to raise the 
threshold from $100 to $600 for specifically documenting card game 
promotional payouts.

L. Information and Technology

    Some commenters were concerned that the requirement to secure 
communications from Network Communication Equipment, or to secure some 
of the more portable equipment, such as cell phones, may be an 
impossible standard. The Commission clarifies that, where endpoints of 
communication are controlled by an entity other than a tribe, an 
attestation by the third party confirming the security of the 
communications is sufficient. Further, a procedure ensuring that highly 
portable Network Communication Equipment, such as tablets and cell 
phones, are distributed only to appropriate persons will satisfy the 
standard for that equipment.
    Commenters also requested a provision requiring operations to 
consult with a manufacturer before disabling ports suspected of being 
unused. While consulting with manufacturers regarding services and 
ports may be worthwhile, it is more appropriately included as a 
suggestion in future guidance documents.
    Finally, commenters suggested deleting the annual requirement for 
testing recovery procedures. The Commission disagrees, and notes that 
removing the phrase would not change the standard, because an 
independent auditor conducts yearly reviews to determine whether each 
requirement has been met.

M. Surveillance

    Several commenters questioned the need for surveillance of all 
jackpot meters. The Commission agrees and has limited the standard to 
progressive prize meters exceeding specified thresholds. The Commission 
believes this revision more adequately reflects the risks addressed by 
the standard.
    One commenter expressed concern that the one-year retention period 
for surveillance footage of suspected crimes, suspicious activity, and 
security detentions is arbitrary. The Commission invited further 
comment on this concern. After clarifying that digital copies of 
surveillance are acceptable forms of retention, the Commission received 
no further comment and declines to revise the standard. The Commission 
emphasizes, however, that it intentionally declined to provide a 
definition of suspicious activity and believes that TGRAs are in the 
best position to define the term for their operations.

N. Audit and Accounting and Revenue Audit

    Many commenters requested that the Commission limit the instances 
of noncompliance requiring action or reporting to ``material'' 
instances. The Commission disagrees. Although most instances of 
noncompliance would not be deemed material, they may pose a significant 
risk, individually or collectively, to the gaming operation and must, 
therefore, be reported and corrected as required in this part.
    The Commission accepts commenters' request to clarify that 
independent accountants may, but are not required to, create journal 
entries.
    The Commission accepted several comments for Sec.  543.24. It 
agreed that the title ``Revenue Audit'' may be misleading for 
operations who have departments by that name. As clarification, the 
Commission has retitled Sec.  543.24 ``Auditing Revenue''. It also 
agreed that once per quarter may not be a frequent enough interval for 
review of player tracking systems. One comment suggested weekly review, 
but the Commission determined that monthly is a more appropriate 
minimum interval. Additionally, the Commission understands commenters' 
concerns with the list of entities required to be provided with a 
report detailing complimentary services and items and has revised it to 
include entities authorized by the TGRA or by tribal law or ordinance.
    Finally, the Commission reviewed the provision that required 
reconciling lines of credit payments with sequential receipts as a 
result of comments requesting clarification. Upon review, the 
Commission realizes that the provision was mis-numbered and should have 
been included in (7)(i). The Commission clarified and reordered the 
provision.

IV. Regulatory Matters

Regulatory Flexibility Act

    The rule will not have a significant impact on a substantial number 
of small entities as defined under the Regulatory Flexibility Act, 5 
U.S.C. 601, et seq. Moreover, Indian tribes are not considered to be 
small entities for the purposes of the Regulatory Flexibility Act.

[[Page 58712]]

Small Business Regulatory Enforcement Fairness Act

    The rule is not a major rule under 5 U.S.C. 804(2), the Small 
Business Regulatory Enforcement Fairness Act. The rule does not have an 
effect on the economy of $100 million or more. The rule will not cause 
a major increase in costs or prices for consumers, individual 
industries, Federal, State, local government agencies or geographic 
regions, nor will the rule have a significant adverse effect on 
competition, employment, investment, productivity, innovation, or the 
ability of the enterprises, to compete with foreign based enterprises.

Unfunded Mandate Reform Act

    The Commission, as an independent regulatory agency, is exempt from 
compliance with the Unfunded Mandates Reform Act, 2 U.S.C. 1502(1); 2 
U.S.C. 658(1).

Takings

    In accordance with Executive Order 12630, the Commission has 
determined that the rule does not have significant takings 
implications. A takings implication assessment is not required.

Civil Justice Reform

    In accordance with Executive Order 12988, the Commission has 
determined that the rule does not unduly burden the judicial system and 
meets the requirements of sections 3(a) and 3(b)(2) of the Order.

National Environmental Policy Act

    The Commission has determined that the rule does not constitute a 
major federal action significantly affecting the quality of the human 
environment and that no detailed statement is required pursuant to the 
National Environmental Policy Act of 1969, 42 U.S.C. 4321, et seq.

Paperwork Reduction Act

    The information collection requirements contained in this rule were 
previously approved by the Office of Management and Budget (OMB) as 
required by 44 U.S.C. 3501 et seq. and assigned OMB Control Number 
3141- 0012, which expired in August of 2011. The NIGC published a 
notice to reinstate that control number on April 25, 2012. 77 FR 24731. 
There is no change to the paperwork created by this revision.

List of Subjects in 25 CFR Part 543

    Gambling, Indian--Indian lands, Indian--tribal government.


0
For the reasons set forth in the preamble, the Commission revises 25 
CFR Part 543 to read as follows:

PART 543--MINIMUM INTERNAL CONTROL STANDARDS FOR CLASS II GAMING

Sec.
543.1 What does this part cover?
543.2 What are the definitions for this part?
543.3 How do tribal governments comply with this part?
543.4 Does this part apply to small and charitable gaming 
operations?
543.5 How does a gaming operation apply to use an alternate minimum 
standard from those set forth in this part?
543.6 [Reserved]
543.7 [Reserved]
543.8 What are the minimum internal control standards for bingo?
543.9 What are the minimum internal control standards for pull tabs?
543.10 What are the minimum internal control standards for card 
games?
543.11 [Reserved]
543.12 What are the minimum internal control standards for gaming 
promotions and player tracking systems?
543.13 What are the minimum internal control standards for 
complimentary services or items?
543.14 What are the minimum internal control standards for patron 
deposit accounts and cashless systems?
543.15 What are the minimum internal control standards for lines of 
credit?
543.16 [Reserved]
543.17 What are the minimum internal control standards for drop and 
count?
543.18 What are the minimum internal control standards for the cage, 
vault, kiosk, cash and cash equivalents?
543.19 [Reserved]
543.20 What are the minimum internal control standards for 
information technology and information technology data?
543.21 What are the minimum internal control standards for 
surveillance?
543.22 [Reserved]
543.23 What are the minimum internal control standards for audit and 
accounting?
543.24 What are the minimum internal control standards for auditing 
revenue?
543.25-543.49 [Reserved]

    Authority: 25 U.S.C. 2702(2), 2706(b)(1-4), 2706(b)(10).


Sec.  543.1  What does this part cover?

    This part establishes the minimum internal control standards for 
the conduct of Class II games on Indian lands as defined in 25 U.S.C. 
2701 et seq.


Sec.  543.2  What are the definitions for this part?

    The definitions in this section apply to all sections of this part 
unless otherwise noted.
    Accountability. All financial instruments, receivables, and patron 
deposits constituting the total amount for which the bankroll custodian 
is responsible at a given time.
    Agent. A person authorized by the gaming operation, as approved by 
the TGRA, to make decisions or perform assigned tasks or actions on 
behalf of the gaming operation.
    Automated payout. Payment issued by a machine.
    Cage. A secure work area within the gaming operation for cashiers, 
which may include a storage area for the gaming operation bankroll.
    Cash equivalents. Documents, financial instruments other than cash, 
or anything else of representative value to which the gaming operation 
has assigned a monetary value. A cash equivalent includes, but is not 
limited to, tokens, chips, coupons, vouchers, payout slips and tickets, 
and other items to which a gaming operation has assigned an exchange 
value.
    Cashless system. A system that performs cashless transactions and 
maintains records of those cashless transactions.
    Cashless transaction. A movement of funds electronically from one 
component to another, such as to or from a patron deposit account.
    Chair. The Chair of the National Indian Gaming Commission.
    Class II gaming. Class II gaming has the same meaning as defined in 
25 U.S.C. 2703(7)(A).
    Class II gaming system. All components, whether or not technologic 
aids in electronic, computer, mechanical, or other technologic form, 
that function together to aid the play of one or more Class II games, 
including accounting functions mandated by these regulations or part 
547 of this chapter.
    Commission. The National Indian Gaming Commission, established by 
the Indian Gaming Regulatory Act, 25 U.S.C. 2701 et seq.
    Complimentary services and items. Services and items provided to a 
patron at the discretion of an agent on behalf of the gaming operation 
or by a third party on behalf of the gaming operation. Services and 
items may include, but are not limited to, travel, lodging, food, 
beverages, or entertainment expenses.
    Count. The act of counting and recording the drop and/or other 
funds. Also, the total funds counted for a particular game, player 
interface, shift, or other period.
    Count room. A secured room where the count is performed in which 
the cash and cash equivalents are counted.
    Coupon. A financial instrument of fixed wagering value, that can 
only be used to acquire non-cashable credits through interaction with a 
voucher

[[Page 58713]]

system. This does not include instruments such as printed advertising 
material that cannot be validated directly by a voucher system.
    Dedicated camera. A video camera that continuously records a 
specific activity.
    Drop box. A locked container in which cash or cash equivalents are 
placed at the time of a transaction, typically used in card games.
    Drop proceeds. The total amount of financial instruments removed 
from drop boxes and financial instrument storage components.
    Exception report. A listing of occurrences, transactions or items 
that fall outside a predetermined range of acceptability.
    Financial instrument. Any tangible item of value tendered in Class 
II game play, including, but not limited to bills, coins, vouchers, and 
coupons.
    Financial instrument storage component. Any component that stores 
financial instruments, such as a drop box, but typically used in 
connection with player interfaces.
    Gaming promotion. Any promotional activity or award that requires 
game play as a condition of eligibility.
    Generally Accepted Accounting Principles (GAAP). A widely accepted 
set of rules, conventions, standards, and procedures for reporting 
financial information, as established by the Financial Accounting 
Standards Board (FASB), including, but not limited to, the standards 
for casino accounting published by the American Institute of Certified 
Public Accountants (AICPA).
    Generally Accepted Auditing Standards (GAAS). A widely accepted set 
of standards that provide a measure of audit quality and the objectives 
to be achieved in an audit, as established by the Auditing Standards 
Board of the American Institute of Certified Public Accountants 
(AICPA).
    Governmental Accounting Standards Board (GASB). Generally accepted 
accounting principles used by state and local governments.
    Independent. The separation of functions to ensure that the agent 
or process monitoring, reviewing, or authorizing the controlled 
activity, function, or transaction is separate from the agents or 
process performing the controlled activity, function, or transaction.
    Kiosk. A device capable of redeeming vouchers and/or wagering 
credits or initiating electronic transfers of money to or from a patron 
deposit account.
    Lines of credit. The privilege granted by a gaming operation to a 
patron to:
    (1) Defer payment of debt; or
    (2) Incur debt and defer its payment under specific terms and 
conditions.
    Manual payout. Any non-automated payout.
    Marker. A document, signed by the patron, promising to repay credit 
issued by the gaming operation.
    MICS. Minimum internal control standards in this part.
    Network communication equipment. A device or collection of devices 
that controls data communication in a system including, but not limited 
to, cables, switches, hubs, routers, wireless access points, landline 
telephones and cellular telephones.
    Patron. A person who is a customer or guest of the gaming operation 
and may interact with a Class II game. Also may be referred to as a 
``player.''
    Patron deposit account. An account maintained on behalf of a 
patron, for the deposit and withdrawal of funds for the primary purpose 
of interacting with a gaming activity.
    Player interface. Any component(s) of a Class II gaming system, 
including an electronic or technologic aid (not limited to terminals, 
player stations, handhelds, fixed units, etc.), that directly enables 
player interaction in a Class II game.
    Prize payout. Payment to a player associated with a winning or 
qualifying event.
    Promotional progressive pots and/or pools. Funds contributed to a 
game by and for the benefit of players that are distributed to players 
based on a predetermined event.
    Shift. A time period, unless otherwise approved by the tribal 
gaming regulatory authority, not to exceed 24 hours.
    Shill. An agent financed by the gaming operation and acting as a 
player.
    Smart card. A card with embedded integrated circuits that possesses 
the means to electronically store or retrieve account data.
    Sufficient clarity. The capacity of a surveillance system to record 
images at a minimum of 20 frames per second or equivalent recording 
speed and at a resolution sufficient to clearly identify the intended 
activity, person, object, or location.
    Surveillance operation room(s). The secured area(s) where 
surveillance takes place and/or where active surveillance equipment is 
located.
    Surveillance system. A system of video cameras, monitors, 
recorders, video printers, switches, selectors, and other equipment 
used for surveillance.
    SICS (System of Internal Control Standards). An overall operational 
framework for a gaming operation that incorporates principles of 
independence and segregation of function, and is comprised of written 
policies, procedures, and standard practices based on overarching 
regulatory standards specifically designed to create a system of checks 
and balances to safeguard the integrity of a gaming operation and 
protect its assets from unauthorized access, misappropriation, forgery, 
theft, or fraud.
    Tier A. Gaming operations with annual gross gaming revenues of more 
than $3 million but not more than $8 million.
    Tier B. Gaming operations with annual gross gaming revenues of more 
than $8 million but not more than $15 million.
    Tier C. Gaming operations with annual gross gaming revenues of more 
than $15 million.
    TGRA. Tribal gaming regulatory authority, which is the entity 
authorized by tribal law to regulate gaming conducted pursuant to the 
Indian Gaming Regulatory Act.
    TICS. Tribal Internal Control Standards established by the TGRA 
that are at least as stringent as the standards set forth in this part.
    Vault. A secure area where cash and cash equivalents are stored.
    Voucher. A financial instrument of fixed wagering value, usually 
paper, that can be used only to acquire an equivalent value of cashable 
credits or cash through interaction with a voucher system.
    Voucher system. A system that securely maintains records of 
vouchers and coupons; validates payment of vouchers; records successful 
or failed payments of vouchers and coupons; and controls the purging of 
expired vouchers and coupons.


Sec.  543.3  How do tribal governments comply with this part?

    (a) Minimum standards. These are minimum standards and a TGRA may 
establish and implement additional controls that do not conflict with 
those set out in this part.
    (b) TICS. TGRAs must ensure that TICS are established and 
implemented that provide a level of control that equals or exceeds the 
applicable standards set forth in this part.
    (1) Evaluation of existing TICS. Each TGRA must, in accordance with 
the tribal gaming ordinance, determine whether and to what extent their 
TICS require revision to ensure compliance with this part.
    (2) Compliance date. All changes necessary to ensure compliance 
with this part must be promulgated within twelve months of the 
effective date of this part and implemented at the

[[Page 58714]]

commencement of the next fiscal year. At the discretion of the TGRA, 
gaming operations may have an additional six months to come into 
compliance with the TICS.
    (c) SICS. Each gaming operation must develop a SICS, as approved by 
the TGRA, to implement the TICS.
    (1) Existing gaming operations. All gaming operations that are 
operating on or before the effective date of this part, must comply 
with this part within the time requirements established in paragraph 
(b) of this section. In the interim, such operations must continue to 
comply with existing TICS.
    (2) New gaming operations. All gaming operations that commence 
operations after the effective date of this part must comply with this 
part before commencement of operations.
    (d) Variances. Where referenced throughout this part, the gaming 
operation must set a reasonable threshold, approved by the TGRA, for 
when a variance must be reviewed to determine the cause, and the 
results of the review must be documented and maintained.
    (e) Computer applications. For any computer applications utilized, 
alternate documentation and/or procedures that provide at least the 
level of control established by the standards of this part, as approved 
in writing by the TGRA, will be acceptable.
    (f) Determination of tier.
    (1) The determination of tier level will be made based upon the 
annual gross gaming revenues indicated within the gaming operation's 
audited financial statements.
    (2) Gaming operations moving from one tier to another will have 
nine months from the date of the independent certified public 
accountant's audit report to achieve compliance with the requirements 
of the new tier. The TGRA may extend the deadline by an additional six 
months if written notice is provided to the Commission no later than 
two weeks before the expiration of the nine month period.
    (g) Submission to Commission. Tribal regulations promulgated 
pursuant to this part are not required to be submitted to the 
Commission pursuant to Sec.  522.3(b) of this chapter.
    (h) Enforcement of Commission MICS.
    (1) Each TGRA is required to establish and implement TICS pursuant 
to paragraph (b) of this section. Each gaming operation is then 
required, pursuant to paragraph (c) of this section, to develop a SICS 
that implements the TICS. Failure to comply with this subsection may 
subject the tribal operator of the gaming operation, or the management 
contractor, to penalties under 25 U.S.C. 2713.
    (2) Enforcement action by the Commission will not be initiated 
under this part without first informing the tribe and TGRA of 
deficiencies in the TICS or absence of SICS for its gaming operation 
and allowing a reasonable period of time to address such deficiencies. 
Such prior notice and opportunity for corrective action are not 
required where the threat to the integrity of the gaming operation is 
immediate and severe.


Sec.  543.4  Does this part apply to small and charitable gaming 
operations?

    (a) Small gaming operations. This part does not apply to small 
gaming operations provided that:
    (1) The TGRA permits the operation to be exempt from this part;
    (2) The annual gross gaming revenue of the operation does not 
exceed $3 million; and
    (3) The TGRA develops, and the operation complies with, alternate 
procedures that:
    (i) Protect the integrity of games offered;
    (ii) Safeguard the assets used in connection with the operation; 
and
    (iii) Create, prepare and maintain records in accordance with 
Generally Accepted Accounting Principles.
    (b) Charitable gaming operations. This part does not apply to 
charitable gaming operations provided that:
    (1) All proceeds are for the benefit of a charitable organization;
    (2) The TGRA permits the charitable organization to be exempt from 
this part;
    (3) The charitable gaming operation is operated wholly by the 
charitable organization's agents;
    (4) The annual gross gaming revenue of the charitable operation 
does not exceed $3 million; and
    (5) The TGRA develops, and the charitable gaming operation complies 
with, alternate procedures that:
    (i) Protect the integrity of the games offered;
    (ii) Safeguard the assets used in connection with the gaming 
operation; and
    (iii) Create, prepare and maintain records in accordance with 
Generally Accepted Accounting Principles.
    (c) Independent operators. Nothing in this section exempts gaming 
operations conducted by independent operators for the benefit of a 
charitable organization.


Sec.  543.5  How does a gaming operation apply to use an alternate 
minimum standard from those set forth in this part?

    (a) TGRA approval.
    (1) A TGRA may approve an alternate standard from those required by 
this part if it has determined that the alternate standard will achieve 
a level of security and integrity sufficient to accomplish the purpose 
of the standard it is to replace. A gaming operation may implement an 
alternate standard upon TGRA approval subject to the Chair's decision 
pursuant to paragraph (b) of this section.
    (2) For each enumerated standard for which the TGRA approves an 
alternate standard, it must submit to the Chair within 30 days a 
detailed report, which must include the following:
    (i) An explanation of how the alternate standard achieves a level 
of security and integrity sufficient to accomplish the purpose of the 
standard it is to replace; and
    (ii) The alternate standard as approved and the record on which it 
is based.
    (3) In the event that the TGRA or the tribal government chooses to 
submit an alternate standard request directly to the Chair for joint 
government to government review, the TGRA or tribal government may do 
so without the approval requirement set forth in paragraph (a)(1) of 
this section.
    (b) Chair review.
    (1) The Chair may approve or object to an alternate standard 
approved by a TGRA.
    (2) If the Chair approves the alternate standard, the Tribe may 
continue to use it as authorized by the TGRA.
    (3) If the Chair objects, the operation may no longer use the 
alternate standard and must follow the relevant MICS set forth in this 
part.
    (4) Any objection by the Chair must be in writing and provide 
reasons that the alternate standard, as approved by the TGRA, does not 
provide a level of security or integrity sufficient to accomplish the 
purpose of the standard it is to replace.
    (5) If the Chair fails to approve or object in writing within 60 
days after the date of receipt of a complete submission, the alternate 
standard is considered approved by the Chair. The Chair may, upon 
notification to the TGRA, extend this deadline an additional 60 days.
    (c) Appeal of Chair decision. A TGRA may appeal the Chair's 
decision pursuant to 25 CFR chapter III, subchapter H.

[[Page 58715]]

Sec.  543.6  [Reserved]


Sec.  543.7  [Reserved]


Sec.  543.8  What are the minimum internal control standards for bingo?

    (a) Supervision. Supervision must be provided as needed for bingo 
operations by an agent(s) with authority equal to or greater than those 
being supervised.
    (b) Bingo cards.
    (1) Physical bingo card inventory controls must address the 
placement of orders, receipt, storage, issuance, removal, and 
cancellation of bingo card inventory to ensure that:
    (i) The bingo card inventory can be accounted for at all times; and
    (ii) Bingo cards have not been marked, altered, or otherwise 
manipulated.
    (2) Receipt from supplier.
    (i) When bingo card inventory is initially received from the 
supplier, it must be inspected (without breaking the factory seals, if 
any), counted, inventoried, and secured by an authorized agent.
    (ii) Bingo card inventory records must include the date received, 
quantities received, and the name of the individual conducting the 
inspection.
    (3) Storage.
    (i) Bingo cards must be maintained in a secure location, accessible 
only to authorized agents, and with surveillance coverage adequate to 
identify persons accessing the storage area.
    (ii) For Tier A operations, bingo card inventory may be stored in a 
cabinet, closet, or other similar area; however, such area must be 
secured and separate from the working inventory.
    (4) Issuance and returns of inventory.
    (i) Controls must be established for the issuance and return of 
bingo card inventory. Records signed by the issuer and recipient must 
be created under the following events:
    (A) Issuance of inventory from storage to a staging area;
    (B) Issuance of inventory from a staging area to the cage or 
sellers;
    (C) Return of inventory from a staging area to storage; and
    (D) Return of inventory from cage or seller to staging area or 
storage.
    (ii) [Reserved]
    (5) Cancellation and removal.
    (i) Bingo cards removed from inventory that are deemed out of 
sequence, flawed, or misprinted and not returned to the supplier must 
be cancelled to ensure that they are not utilized in the play of a 
bingo game. Bingo cards that are removed from inventory and returned to 
the supplier or cancelled must be logged as removed from inventory.
    (ii) Bingo cards associated with an investigation must be retained 
intact outside of the established removal and cancellation policy.
    (6) Logs.
    (i) The inventory of bingo cards must be tracked and logged from 
receipt until use or permanent removal from inventory.
    (ii) The bingo card inventory record(s) must include:
    (A) Date;
    (B) Shift or session;
    (C) Time;
    (D) Location;
    (E) Inventory received, issued, removed, and returned;
    (F) Signature of agent performing transaction;
    (G) Signature of agent performing the reconciliation;
    (H) Any variance;
    (I) Beginning and ending inventory; and
    (J) Description of inventory transaction being performed.
    (c) Bingo card sales.
    (1) Agents who sell bingo cards must not be the sole verifier of 
bingo cards for prize payouts.
    (2) Manual bingo card sales: In order to adequately record, track, 
and reconcile sales of bingo cards, the following information must be 
documented:
    (i) Date;
    (ii) Shift or session;
    (iii) Number of bingo cards issued, sold, and returned;
    (iv) Dollar amount of bingo card sales;
    (v) Signature, initials, or identification number of the agent 
preparing the record; and
    (vi) Signature, initials, or identification number of an 
independent agent who verified the bingo cards returned to inventory 
and dollar amount of bingo card sales.
    (3) Bingo card sale voids must be processed in accordance with the 
rules of the game and established controls that must include the 
following:
    (i) Patron refunds;
    (ii) Adjustments to bingo card sales to reflect voids;
    (iii) Adjustment to bingo card inventory;
    (iv) Documentation of the reason for the void; and
    (v) Authorization for all voids.
    (4) Class II gaming system bingo card sales. In order to adequately 
record, track and reconcile sales of bingo cards, the following 
information must be documented from the server (this is not required if 
the system does not track the information, but system limitation(s) 
must be noted):
    (i) Date;
    (ii) Time;
    (iii) Number of bingo cards sold;
    (iv) Dollar amount of bingo card sales; and
    (v) Amount in, amount out and other associated meter information.
    (d) Draw.
    (1) Controls must be established and procedures implemented to 
ensure that all eligible objects used in the conduct of the bingo game 
are available to be drawn and have not been damaged or altered. 
Verification of physical objects must be performed by two agents before 
the start of the first bingo game/session. At least one of the 
verifying agents must be a supervisory agent or independent of the 
bingo games department.
    (2) Where the selection is made through an electronic aid, 
certification in accordance with 25 CFR 547.14 is acceptable for 
verifying the randomness of the draw and satisfies the requirements of 
paragraph (d)(1) of this section.
    (3) Controls must be established and procedures implemented to 
provide a method of recall of the draw, which includes the order and 
identity of the objects drawn, for dispute resolution purposes.
    (4) Verification and display of draw. Controls must be established 
and procedures implemented to ensure that:
    (i) The identity of each object drawn is accurately recorded and 
transmitted to the participants. The procedures must identify the 
method used to ensure the identity of each object drawn.
    (ii) For all games offering a prize payout of $1,200 or more, as 
the objects are drawn, the identity of the objects are immediately 
recorded and maintained for a minimum of 24 hours.
    (e) Prize payout.
    (1) Controls must be established and procedures implemented for 
cash or cash equivalents that address the following:
    (i) Identification of the agent authorized (by position) to make a 
payout;
    (ii) Predetermined payout authorization levels (by position); and
    (iii) Documentation procedures ensuring separate control of the 
cash accountability functions.
    (2) Verification of validity.
    (i) Controls must be established and procedures implemented to 
verify that the following is valid for the game in play prior to 
payment of a winning prize:
    (A) Winning card(s);
    (B) Objects drawn; and
    (C) The previously designated arrangement of numbers or 
designations on such cards, as described in 25 U.S.C. 2703(7)(A).
    (ii) At least two agents must verify that the card, objects drawn, 
and

[[Page 58716]]

previously designated arrangement were valid for the game in play.
    (iii) Where an automated verification method is available, 
verification by such method is acceptable.
    (3) Validation.
    (i) For manual payouts, at least two agents must determine the 
validity of the claim prior to the payment of a prize. The system may 
serve as one of the validators.
    (ii) For automated payouts, the system may serve as the sole 
validator of the claim.
    (4) Verification.
    (i) For manual payouts, at least two agents must verify that the 
winning pattern has been achieved on the winning card prior to the 
payment of a prize. The system may serve as one of the verifiers.
    (ii) For automated payouts, the system may serve as the sole 
verifier that the pattern has been achieved on the winning card.
    (5) Authorization and signatures.
    (i) At least two agents must authorize, sign, and witness all 
manual prize payouts above $1,200, or a lower threshold as authorized 
by management and approved by the TGRA.
    (ii) Manual prize payouts above the following threshold (or a lower 
threshold, as authorized by management and approved by TGRA) must 
require one of the two signatures and verifications to be a supervisory 
or management employee independent of the operation of Class II Gaming 
System bingo:
    (A) $5,000 for a Tier A facility;
    (B) $10,000 at a Tier B facility;
    (C) $20,000 for a Tier C facility; or
    (D) $50,000 for a Tier C facility with over $100,000,000 in gross 
gaming revenues.
    (iii) The predetermined thresholds, whether set at the MICS level 
or lower, must be authorized by management, approved by the TGRA, 
documented, and maintained.
    (iv) A Class II gaming system may substitute for one authorization/
signature verifying, validating or authorizing a winning card, but may 
not substitute for a supervisory or management authorization/signature.
    (6) Payout records, including manual payout records, must include 
the following information:
    (i) Date and time;
    (ii) Amount of the payout (alpha & numeric for player interface 
payouts); and
    (iii) Bingo card identifier or player interface identifier.
    (iv) Manual payout records must also include the following:
    (A) Game name or number;
    (B) Description of pattern covered, such as cover-all or four 
corners;
    (C) Signature of all, but not less than two, agents involved in the 
transaction;
    (D) For override transactions, verification by a supervisory or 
management agent independent of the transaction; and
    (E) Any other information necessary to substantiate the payout.
    (f) Cash and cash equivalent controls.
    (1) Cash or cash equivalents exchanged between two persons must be 
counted independently by at least two agents and reconciled to the 
recorded amounts at the end of each shift or session. Unexplained 
variances must be documented and maintained. Unverified transfers of 
cash or cash equivalents are prohibited.
    (2) Procedures must be implemented to control cash or cash 
equivalents based on the amount of the transaction. These procedures 
must include documentation by shift, session, or other relevant time 
period of the following:
    (i) Inventory, including any increases or decreases;
    (ii) Transfers;
    (iii) Exchanges, including acknowledging signatures or initials; 
and
    (iv) Resulting variances.
    (3) Any change to control of accountability, exchange, or transfer 
requires that the cash or cash equivalents be counted and recorded 
independently by at least two agents and reconciled to the recorded 
amount.
    (g) Technologic aids to the play of bingo. Controls must be 
established and procedures implemented to safeguard the integrity of 
technologic aids to the play of bingo during installations, operations, 
modifications, removal and retirements. Such procedures must include 
the following:
    (1) Shipping and receiving.
    (i) A communication procedure must be established between the 
supplier, the gaming operation, and the TGRA to properly control the 
shipping and receiving of all software and hardware components. Such 
procedures must include:
    (A) Notification of pending shipments must be provided to the TGRA 
by the gaming operation;
    (B) Certification in accordance with 25 CFR part 547;
    (C) Notification from the supplier to the TGRA, or the gaming 
operation as approved by the TGRA, of the shipping date and expected 
date of delivery. The shipping notification must include:
    (1) Name and address of the supplier;
    (2) Description of shipment;
    (3) For player interfaces: a serial number;
    (4) For software: software version and description of software;
    (5) Method of shipment; and
    (6) Expected date of delivery.
    (ii) Procedures must be implemented for the exchange of Class II 
gaming system components for maintenance and replacement.
    (iii) Class II gaming system components must be shipped in a secure 
manner to deter unauthorized access.
    (iv) The TGRA, or its designee, must receive all Class II gaming 
system components and game play software packages, and verify the 
contents against the shipping notification.
    (2) Access credential control methods.
    (i) Controls must be established to restrict access to the Class II 
gaming system components, as set forth in Sec.  543.20, Information and 
Technology.
    (ii) [Reserved]
    (3) Recordkeeping and audit processes.
    (i) The gaming operation must maintain the following records, as 
applicable, related to installed game servers and player interfaces:
    (A) Date placed into service;
    (B) Date made available for play;
    (C) Supplier;
    (D) Software version;
    (E) Serial number;
    (F) Game title;
    (G) Asset and/or location number;
    (H) Seal number; and
    (I) Initial meter reading.
    (ii) Procedures must be implemented for auditing such records in 
accordance with Sec.  543.23, Audit and Accounting.
    (4) System software signature verification.
    (i) Procedures must be implemented for system software 
verifications. These procedures must include comparing signatures 
generated by the verification programs required by 25 CFR 547.8, to the 
signatures provided in the independent test laboratory letter for that 
software version.
    (ii) An agent independent of the bingo operation must perform 
system software signature verification(s) to verify that only approved 
software is installed.
    (iii) Procedures must be implemented for investigating and 
resolving any software verification variances.
    (iv) Internal audits must be conducted as set forth in Sec.  
543.23, Audit and Accounting. Such audits must be documented.
    (5) Installation testing.
    (i) Testing must be completed during the installation process to 
verify that the player interface has been properly installed. This must 
include testing of the following, as applicable:
    (A) Communication with the Class II gaming system;

[[Page 58717]]

    (B) Communication with the accounting system;
    (C) Communication with the player tracking system;
    (D) Currency and vouchers to bill acceptor;
    (E) Voucher printing;
    (F) Meter incrementation;
    (G) Pay table, for verification;
    (H) Player interface denomination, for verification;
    (I) All buttons, to ensure that all are operational and programmed 
appropriately;
    (J) System components, to ensure that they are safely installed at 
location; and
    (K) Locks, to ensure that they are secure and functioning.
    (ii) [Reserved]
    (6) Display of rules and necessary disclaimers. The TGRA or the 
operation must verify that all game rules and disclaimers are displayed 
at all times or made readily available to the player upon request, as 
required by 25 CFR part 547;
    (7) TGRA approval of all technologic aids before they are offered 
for play.
    (8) All Class II gaming equipment must comply with 25 CFR part 547, 
Minimum Technical Standards for Gaming Equipment Used With the Play of 
Class II Games; and
    (9) Dispute resolution.
    (h) Operations.
    (1) Malfunctions. Procedures must be implemented to investigate, 
document and resolve malfunctions. Such procedures must address the 
following:
    (i) Determination of the event causing the malfunction;
    (ii) Review of relevant records, game recall, reports, logs, 
surveillance records;
    (iii) Repair or replacement of the Class II gaming component;
    (iv) Verification of the integrity of the Class II gaming component 
before restoring it to operation; and
    (2) Removal, retirement and/or destruction. Procedures must be 
implemented to retire or remove any or all associated components of a 
Class II gaming system from operation. Procedures must include the 
following:
    (i) For player interfaces and components that accept cash or cash 
equivalents:
    (A) Coordinate with the drop team to perform a final drop;
    (B) Collect final accounting information such as meter readings, 
drop and payouts;
    (C) Remove and/or secure any or all associated equipment such as 
locks, card reader, or ticket printer from the retired or removed 
component; and
    (D) Document removal, retirement, and/or destruction.
    (ii) For removal of software components:
    (A) Purge and/or return the software to the license holder; and
    (B) Document the removal.
    (iii) For other related equipment such as blowers, cards, interface 
cards:
    (A) Remove and/or secure equipment; and
    (B) Document the removal or securing of equipment.
    (iv) For all components:
    (A) Verify that unique identifiers, and descriptions of removed/
retired components are recorded as part of the retirement 
documentation; and
    (B) Coordinate with the accounting department to properly retire 
the component in the system records.
    (v) Where the TGRA authorizes destruction of any Class II gaming 
system components, procedures must be developed to destroy such 
components. Such procedures must include the following:
    (A) Methods of destruction;
    (B) Witness or surveillance of destruction;
    (C) Documentation of all components destroyed; and
    (D) Signatures of agent(s) destroying components attesting to 
destruction.
    (i) Vouchers.
    (1) Controls must be established and procedures implemented to:
    (i) Verify the authenticity of each voucher redeemed.
    (ii) If the voucher is valid, verify that the patron is paid the 
appropriate amount.
    (iii) Document the payment of a claim on a voucher that is not 
physically available or a voucher that cannot be validated such as a 
mutilated, expired, lost, or stolen voucher.
    (iv) Retain payment documentation for reconciliation purposes.
    (v) For manual payment of a voucher of $500 or more, require a 
supervisory employee to verify the validity of the voucher prior to 
payment.
    (2) Vouchers paid during a period while the voucher system is 
temporarily out of operation must be marked ``paid'' by the cashier.
    (3) Vouchers redeemed while the voucher system was temporarily out 
of operation must be validated as expeditiously as possible upon 
restored operation of the voucher system.
    (4) Paid vouchers must be maintained in the cashier's 
accountability for reconciliation purposes.
    (5) Unredeemed vouchers can only be voided in the voucher system by 
supervisory employees. The accounting department will maintain the 
voided voucher, if available.
    (j) All relevant controls from Sec.  543.20, Information and 
Technology will apply.
    (k) Revenue Audit. Standards for revenue audit of bingo are 
contained in Sec.  543.24, Revenue Audit.
    (l) Variance. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance, including deviations 
from the mathematical expectations required by 25 CFR 547.4, will be 
reviewed to determine the cause. Any such review must be documented.


Sec.  543.9  What are the minimum internal control standards for pull 
tabs?

    (a) Supervision. Supervision must be provided as needed for pull 
tab operations and over pull tab storage areas by an agent(s) with 
authority equal to or greater than those being supervised.
    (b) Pull tab inventory. Controls must be established and procedures 
implemented to ensure that:
    (1) Access to pull tabs is restricted to authorized agents;
    (2) The pull tab inventory is controlled by agents independent of 
pull tab sales;
    (3) Pull tabs exchanged between agents are secured and 
independently controlled;
    (4) Increases or decreases to pull tab inventory are recorded, 
tracked, and reconciled; and
    (5) Pull tabs are maintained in a secure location, accessible only 
to authorized agents, and with surveillance coverage adequate to 
identify persons accessing the area.
    (c) Pull tab sales.
    (1) Controls must be established and procedures implemented to 
record, track, and reconcile all pull tab sales and voids.
    (2) When pull tab sales are recorded manually, total sales must be 
verified by an agent independent of the pull tab sales being verified.
    (3) No person may have unrestricted access to pull tab sales 
records.
    (d) Winning pull tabs.
    (1) Controls must be established and procedures implemented to 
record, track, and reconcile all redeemed pull tabs and pull tab 
payouts.
    (2) The redeemed pull tabs must be defaced so that they cannot be 
redeemed for payment again.
    (3) Pull tabs that are uniquely identifiable with a machine 
readable code (including, but not limited to a barcode) may be 
redeemed, reconciled, and stored by kiosks without the need for 
defacing, so long as the redeemed pull tabs are secured and destroyed 
after removal from the kiosk in accordance with the procedures approved 
by the TGRA.
    (4) At least two agents must document and verify all prize payouts 
above $600,

[[Page 58718]]

or lower threshold as authorized by management and approved by the 
TGRA.
    (i) An automated method may substitute for one verification.
    (ii) The predetermined threshold must be authorized by management, 
approved by the TGRA, documented, and maintained.
    (5) Total payout must be calculated and recorded by shift.
    (e) Pull tab operating funds.
    (1) All funds used to operate the pull tab game must be accounted 
for and recorded and all transfers of cash and/or cash equivalents must 
be verified.
    (2) All funds used to operate the pull tab game must be 
independently counted and verified by at least two agents and 
reconciled to the recorded amounts at the end of each shift or session.
    (f) Statistical records.
    (1) Statistical records must be maintained, including (for games 
sold in their entirety or removed from play) a win-to-write hold 
percentage as compared to the expected hold percentage derived from the 
flare.
    (2) A manager independent of the pull tab operations must review 
statistical information when the pull tab deal has ended or has been 
removed from the floor and must investigate any unusual statistical 
fluctuations. These investigations must be documented, maintained for 
inspection, and provided to the TGRA upon request.
    (g) Revenue audit. Standards for revenue audit of pull tabs are 
contained in Sec.  543.24, Revenue Audit.
    (h) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.10  What are the minimum internal control standards for card 
games?

    (a) Supervision. Supervision must be provided as needed during the 
card room operations by an agent(s) with authority equal to or greater 
than those being supervised.
    (1) A supervisor may function as a dealer without any other 
supervision if disputes are resolved by supervisory personnel 
independent of the transaction or independent of the card games 
department; or
    (2) A dealer may function as a supervisor if not dealing the game.
    (b) Exchanges or transfers.
    (1) Exchanges between table banks and the main card room bank (or 
cage, if a main card room bank is not used) must be authorized by a 
supervisor. All exchanges must be evidenced by the use of a lammer 
unless the exchange of chips, tokens, and/or cash takes place at the 
table. If table banks are maintained at an imprest level and runners 
are used for the exchanges at the table, no supervisory authorization 
is required.
    (2) Exchanges from the main card room bank (or cage, if a main card 
room bank is not used) to the table banks must be verified by the card 
room dealer and the runner.
    (3) Transfers between the main card room bank and the cage must be 
properly authorized and documented. Documentation must be retained for 
at least 24 hours.
    (c) Playing cards.
    (1) New and used playing cards must be maintained in a secure 
location, with appropriate surveillance coverage, and accessible only 
to authorized agents.
    (2) Used playing cards that are not to be re-used must be properly 
cancelled and removed from service to prevent re-use. The removal and 
cancellation procedure requires TGRA review and approval.
    (3) Playing cards associated with an investigation must be retained 
intact and outside of the established removal and cancellation 
procedure.
    (d) Shill funds.
    (1) Issuance of shill funds must be recorded and have the written 
approval of the supervisor.
    (2) Returned shill funds must be recorded and verified by a 
supervisor.
    (3) The replenishment of shill funds must be documented.
    (e) Standards for reconciliation of card room bank. Two agents--one 
of whom must be a supervisory agent--must independently count the table 
inventory at the opening and closing of the table and record the 
following information:
    (1) Date;
    (2) Shift;
    (3) Table number;
    (4) Amount by denomination;
    (5) Amount in total; and
    (6) Signatures of both agents.
    (f) Posted rules. The rules must be displayed or available for 
patron review at the gaming operation, including rules governing 
contests, prize payouts, fees, the rake collected, and the placing of 
antes.
    (g) Promotional progressive pots and pools.
    (1) All funds contributed by players into the pools must be 
returned when won in accordance with posted rules, and no commission or 
administrative fee may be withheld.
    (i) The payout may be in the form of personal property, such as a 
car.
    (ii) A combination of a promotion and progressive pool may be 
offered.
    (2) The conditions for participating in current card game 
promotional progressive pots and/or pools must be prominently displayed 
or available for patron review at the gaming operation.
    (3) Individual payouts for card game promotional progressive pots 
and/or pools that are $600 or more must be documented at the time of 
the payout to include the following:
    (i) Patron's name;
    (ii) Date of payout;
    (iii) Dollar amount of payout and/or nature and dollar value of any 
non-cash payout;
    (iv) The signature of the agent completing the transaction 
attesting to the disbursement of the payout; and
    (v) Name of contest/tournament.
    (4) If the cash (or cash equivalent) payout for the card game 
promotional progressive pot and/or pool is less than $600, 
documentation must be created to support accountability of the bank 
from which the payout was made.
    (5) Rules governing current promotional pools must be conspicuously 
posted in the card room and/or available in writing for patron review. 
The rules must designate:
    (i) The amount of funds to be contributed from each pot;
    (ii) What type of hand it takes to win the pool;
    (iii) How the promotional funds will be paid out;
    (iv) How/when the contributed funds are added to the pools; and
    (v) Amount/percentage of funds allocated to primary and secondary 
pools, if applicable.
    (6) Promotional pool contributions must not be placed in or near 
the rake circle, in the drop box, or commingled with gaming revenue 
from card games or any other gambling game.
    (7) The amount of the pools must be conspicuously displayed in the 
card room.
    (8) At least once each day that the game is offered, the posted 
pool amount must be updated to reflect the current pool amount.
    (9) At least once each day that the game is offered, agents 
independent of the card room must reconcile the increases to the posted 
pool amount to the cash previously counted or received by the cage.
    (10) All decreases to the pool must be properly documented, 
including a reason for the decrease.
    (11) Promotional funds removed from the card game must be placed in 
a locked container.
    (i) Agents authorized to transport the locked container are 
precluded from having access to the contents keys.
    (ii) The contents key must be maintained by a department 
independent of the card room.

[[Page 58719]]

    (iii) At least once a day, the locked container must be removed by 
two agents, one of whom is independent of the card games department, 
and transported directly to the cage or other secure room to be 
counted, recorded, and verified, prior to accepting the funds into cage 
accountability.
    (h) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.11  [Reserved]


Sec.  543.12  What are the minimum internal control standards for 
gaming promotions and player tracking systems?

    (a) Supervision. Supervision must be provided as needed for gaming 
promotions and player tracking by an agent(s) with authority equal to 
or greater than those being supervised.
    (b) Gaming promotions. The rules of the gaming promotion must be 
displayed or made readily available to patron upon request. Gaming 
promotions rules require TGRA approval and must include the following:
    (1) The rules of play;
    (2) The nature and value of the associated prize(s) or cash 
award(s);
    (3) Any restrictions or limitations on participant eligibility;
    (4) The date(s), time(s), and location(s) for the associated 
promotional activity or activities;
    (5) Any other restrictions or limitations, including any related to 
the claim of prizes or cash awards;
    (6) The announcement date(s), time(s), and location(s) for the 
winning entry or entries; and
    (7) Rules governing promotions offered across multiple gaming 
operations, third party sponsored promotions, and joint promotions 
involving third parties.
    (c) Player tracking systems and gaming promotions.
    (1) Changes to the player tracking systems, promotion and external 
bonusing system parameters, which control features such as the awarding 
of bonuses, the issuance of cashable credits, non-cashable credits, 
coupons and vouchers, must be performed under the authority of 
supervisory agents, independent of the department initiating the 
change. Alternatively, the changes may be performed by supervisory 
agents of the department initiating the change if sufficient 
documentation is generated and the propriety of the changes are 
randomly verified by supervisory agents independent of the department 
initiating the change on a monthly basis.
    (2) All other changes to the player tracking system must be 
appropriately documented.
    (d) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.13  What are the minimum internal control standards for 
complimentary services or items?

    (a) Supervision. Supervision must be provided as needed for 
approval of complimentary services by an agent(s) with authority equal 
to or greater than those being supervised.
    (b) Complimentary services or items. Controls must be established 
and procedures implemented for complimentary services or items that 
address the following:
    (1) Agents authorized to approve the issuance of complimentary 
services or items, including levels of authorization;
    (2) Limits and conditions on the approval and issuance of 
complimentary services or items;
    (3) Making and documenting changes to conditions or limits on the 
approval and issuance of complimentary services or items;
    (4) Documenting and recording the authorization, issuance, and 
redemption of complimentary services or items, including cash and non-
cash gifts;
    (i) Records must include the following for all complimentary items 
and services equal to or exceeding an amount established by the gaming 
operation and approved by the TGRA:
    (A) Name of patron who received the complimentary service or item;
    (B) Name(s) of issuer(s) of the complimentary service or item;
    (C) The actual cash value of the complimentary service or item;
    (D) The type of complimentary service or item (i.e., food, 
beverage); and
    (E) Date the complimentary service or item was issued.
    (ii) [Reserved].
    (c) Complimentary services and items records must be summarized and 
reviewed for proper authorization and compliance with established 
authorization thresholds.
    (1) A detailed reporting of complimentary services or items 
transactions that meet an established threshold approved by the TGRA 
must be prepared at least monthly.
    (2) The detailed report must be forwarded to management for review.
    (d) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.14  What are the minimum internal control standards for 
patron deposit accounts and cashless systems?

    (a) Supervision. Supervision must be provided as needed for patron 
deposit accounts and cashless systems by an agent(s) with authority 
equal to or greater than those being supervised.
    (b) Patron deposit accounts and cashless systems.
    (1) Smart cards cannot maintain the only source of account data.
    (2) Establishment of patron deposit accounts. The following 
standards apply when a patron establishes an account.
    (i) The patron must appear at the gaming operation in person, at a 
designated area of accountability, and present valid government issued 
picture identification; and
    (ii) An agent must examine the patron's identification and record 
the following information:
    (A) Type, number, and expiration date of the identification;
    (B) Patron's name;
    (C) A unique account identifier;
    (D) Date the account was opened; and
    (E) The agent's name.
    (3) The patron must sign the account documentation before the agent 
may activate the account.
    (4) The agent or cashless system must provide the patron deposit 
account holder with a secure method of access.
    (c) Patron deposits, withdrawals and adjustments.
    (1) Prior to the patron making a deposit or withdrawal from a 
patron deposit account, the agent or cashless system must verify the 
patron deposit account, the patron identity, and availability of funds. 
A personal identification number (PIN) is an acceptable form of 
verifying identification.
    (2) Adjustments made to the patron deposit accounts must be 
performed by an agent.
    (3) When a deposit, withdrawal, or adjustment is processed by an 
agent, a transaction record must be created containing the following 
information:
    (i) Same document number on all copies;
    (ii) Type of transaction, (deposit, withdrawal, or adjustment);
    (iii) Name or other identifier of the patron;
    (iv) The unique account identifier;
    (v) Patron signature for withdrawals, unless a secured method of 
access is utilized;
    (vi) For adjustments to the account, the reason for the adjustment;
    (vii) Date and time of transaction;
    (viii) Amount of transaction;
    (ix) Nature of deposit, withdrawal, or adjustment (cash, check, 
chips); and

[[Page 58720]]

    (x) Signature of the agent processing the transaction.
    (4) When a patron deposits or withdraws funds from a patron deposit 
account electronically, the following must be recorded:
    (i) Date and time of transaction;
    (ii) Location (player interface, kiosk);
    (iii) Type of transaction (deposit, withdrawal);
    (iv) Amount of transaction; and
    (v) The unique account identifier.
    (5) Patron deposit account transaction records must be available to 
the patron upon reasonable request.
    (6) If electronic funds transfers are made to or from a gaming 
operation bank account for patron deposit account funds, the bank 
account must be dedicated and may not be used for any other types of 
transactions.
    (d) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.15  What are the minimum internal control standards for lines 
of credit?

    (a) Supervision. Supervision must be provided as needed for lines 
of credit by an agent(s) with authority equal to or greater than those 
being supervised.
    (b) Establishment of lines of credit policy.
    (1) If a gaming operation extends lines of credit, controls must be 
established and procedures implemented to safeguard the assets of the 
gaming operation. Such controls must include a lines of credit policy 
including the following:
    (i) A process for the patron to apply for, modify, and/or re-
establish lines of credit, to include required documentation and credit 
line limit;
    (ii) Authorization levels of credit issuer(s);
    (iii) Identification of agents authorized to issue lines of credit;
    (iv) A process for verifying an applicant's credit worthiness;
    (v) A system for recording patron information, to include:
    (A) Name, current address, and signature;
    (B) Identification credential;
    (C) Authorized credit line limit;
    (D) Documented approval by an agent authorized to approve credit 
line limits;
    (E) Date, time and amount of credit issuances and payments; and
    (F) Amount of available credit.
    (vi) A process for issuing lines of credit to:
    (A) Verify the patron's identity;
    (B) Notify the patron of the lines of credit terms, including 
obtaining patron's written acknowledgment of the terms by signature;
    (C) Complete a uniquely identified, multi-part, lines of credit 
issuance form, such as a marker or counter check, which includes the 
terms of the lines of credit transaction;
    (D) Obtain required signatures;
    (E) Determine the amount of the patron's available lines of credit;
    (F) Update the credit balance record at the time of each 
transaction to ensure that lines of credit issued are within the 
established limit and balance for that patron; and
    (G) Require the agent issuing the lines of credit to be independent 
of the agent who authorized the lines of credit.
    (vii) A policy establishing credit line limit exceptions to include 
the following:
    (A) Identification of the agent(s) authorized to permit a credit 
line limit to be exceeded;
    (B) Authorization thresholds; and
    (C) Required documentation.
    (viii) A policy governing increases and decreases to a patron's 
lines of credit account balances to include the following:
    (A) Documentation and record keeping requirements;
    (B) Independence between the department that receives the payment 
and the department that maintains custody of the credit balance for 
payments made by mail;
    (C) Collections;
    (D) Periodic audits and confirmation of balances; and
    (E) If a collection agency is used, a process to ensure 
documentation of increases and decreases to the lines of credit account 
balances.
    (ix) A policy governing write-offs and settlements to include:
    (A) Identification of agent(s) authorized to approve write-offs and 
settlements;
    (B) Authorization levels for write-offs and settlements of lines of 
credit instruments;
    (C) Required documentation for write-offs and settlements;
    (D) Independence between the agent who established the lines of 
credit and the agent writing off or settling the lines of credit 
instrument; and
    (E) Necessary documentation for the approval of write-offs and 
settlements and transmittal to the appropriate department for recording 
and deductibility.
    (c) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.16  [Reserved]


Sec.  543.17  What are the minimum internal control standards for drop 
and count?

    (a) Supervision. Supervision must be provided for drop and count as 
needed by an agent(s) with authority equal to or greater than those 
being supervised.
    (b) Count room access. Controls must be established and procedures 
implemented to limit physical access to the count room to count team 
agents, designated staff, and other authorized persons. Such controls 
must include the following:
    (1) Count team agents may not exit or enter the count room during 
the count except for emergencies or scheduled breaks.
    (2) Surveillance must be notified whenever count room agents exit 
or enter the count room during the count.
    (3) The count team policy, at a minimum, must address the 
transportation of extraneous items such as personal belongings, tool 
boxes, beverage containers, etc., into or out of the count room.
    (c) Count team. Controls must be established and procedures 
implemented to ensure security of the count and the count room to 
prevent unauthorized access, misappropriation of funds, forgery, theft, 
or fraud. Such controls must include the following:
    (1) For Tier A and B operations, all counts must be performed by at 
least two agents. For Tier C operations, all counts must be performed 
by at least three agents.
    (2) For Tier A and B operations, at no time during the count can 
there be fewer than two count team agents in the count room until the 
drop proceeds have been accepted into cage/vault accountability. For 
Tier C operations, at no time during the count can there be fewer than 
three count team agents in the count room until the drop proceeds have 
been accepted into cage/vault accountability.
    (3) For Tier A and B operations, count team agents must be rotated 
on a routine basis such that the count team is not consistently the 
same two agents more than four days per week. This standard does not 
apply to gaming operations that utilize a count team of more than two 
agents. For Tier C operations, count team agents must be rotated on a 
routine basis such that the count team is not consistently the same 
three agents more than four days per week. This standard does not apply 
to gaming operations that utilize a count team of more than three 
agents.
    (4) Functions performed by count team agents must be rotated on a 
routine basis.
    (5) Count team agents must be independent of the department being

[[Page 58721]]

counted. A cage/vault agent may be used if they are not the sole 
recorder of the count and do not participate in the transfer of drop 
proceeds to the cage/vault. An accounting agent may be used if there is 
an independent audit of all count documentation.
    (d) Card game drop standards. Controls must be established and 
procedures implemented to ensure security of the drop process. Such 
controls must include the following:
    (1) Surveillance must be notified when the drop is to begin so that 
surveillance may monitor the activities.
    (2) At least two agents must be involved in the removal of the drop 
box, at least one of whom is independent of the card games department.
    (4) Once the drop is started, it must continue until finished.
    (5) All drop boxes may be removed only at the time previously 
designated by the gaming operation and reported to the TGRA. If an 
emergency drop is required, surveillance must be notified before the 
drop is conducted and the TGRA must be informed within a timeframe 
approved by the TGRA.
    (6) At the end of each shift:
    (i) All locked card game drop boxes must be removed from the tables 
by an agent independent of the card game shift being dropped;
    (ii) For any tables opened during the shift, a separate drop box 
must be placed on each table, or a gaming operation may utilize a 
single drop box with separate openings and compartments for each shift; 
and
    (iii) Card game drop boxes must be transported directly to the 
count room or other equivalently secure area by a minimum of two 
agents, at least one of whom is independent of the card game shift 
being dropped, until the count takes place.
    (7) All tables that were not open during a shift and therefore not 
part of the drop must be documented.
    (8) All card game drop boxes must be posted with a number 
corresponding to a permanent number on the gaming table and marked to 
indicate game, table number, and shift, if applicable.
    (e) Player interface and financial instrument storage component 
drop standards.
    (1) Surveillance must be notified when the drop is to begin so that 
surveillance may monitor the activities.
    (2) At least two agents must be involved in the removal of the 
player interface storage component drop, at least one of whom is 
independent of the player interface department.
    (3) All financial instrument storage components may be removed only 
at the time previously designated by the gaming operation and reported 
to the TGRA. If an emergency drop is required, surveillance must be 
notified before the drop is conducted and the TGRA must be informed 
within a timeframe approved by the TGRA.
    (4) The financial instrument storage components must be removed by 
an agent independent of the player interface department, then 
transported directly to the count room or other equivalently secure 
area with comparable controls and locked in a secure manner until the 
count takes place.
    (i) Security must be provided for the financial instrument storage 
components removed from player interfaces and awaiting transport to the 
count room.
    (ii) Transportation of financial instrument storage components must 
be performed by a minimum of two agents, at least one of whom is 
independent of the player interface department.
    (5) All financial instrument storage components must be posted with 
a number corresponding to a permanent number on the player interface.
    (f) Card game count standards.
    (1) Access to stored, full card game drop boxes must be restricted 
to:
    (i) Authorized members of the drop and count teams; and
    (ii) In an emergency, authorized persons for the resolution of a 
problem.
    (2) The card game count must be performed in a count room or other 
equivalently secure area with comparable controls.
    (3) Access to the count room during the count must be restricted to 
members of the drop and count teams, with the exception of authorized 
observers, supervisors for resolution of problems, and authorized 
maintenance personnel.
    (4) If counts from various revenue centers occur simultaneously in 
the count room, procedures must be in effect to prevent the commingling 
of funds from different revenue centers.
    (5) Count equipment and systems must be tested, with the results 
documented, at minimum before the first count begins to ensure the 
accuracy of the equipment.
    (6) The card game drop boxes must be individually emptied and 
counted so as to prevent the commingling of funds between boxes until 
the count of the box has been recorded.
    (i) The count of each box must be recorded in ink or other 
permanent form of recordation.
    (ii) For counts that do not utilize a currency counter, a second 
count must be performed by a member of the count team who did not 
perform the initial count. Separate counts of chips and tokens must 
always be performed by members of the count team.
    (iii) Coupons or other promotional items not included in gross 
revenue must be recorded on a supplemental document by either the count 
team members or accounting personnel. All single-use coupons must be 
cancelled daily by an authorized agent to prevent improper 
recirculation.
    (iv) If a currency counter interface is used:
    (A) It must be restricted to prevent unauthorized access; and
    (B) The currency drop figures must be transferred via direct 
communications line or computer storage media to the accounting 
department.
    (7) If currency counters are utilized, a count team member must 
observe the loading and unloading of all currency at the currency 
counter, including rejected currency.
    (8) Two counts of the currency rejected by the currency counter 
must be recorded per table, as well as in total. Posting rejected 
currency to a nonexistent table is prohibited.
    (9) Card game drop boxes, when empty, must be shown to another 
member of the count team, to another agent observing the count, or to 
surveillance, provided that the count is monitored in its entirety by 
an agent independent of the count.
    (10) Procedures must be implemented to ensure that any corrections 
to the count documentation are permanent and identifiable, and that the 
original, corrected information remains legible. Corrections must be 
verified by two count team agents.
    (11) The count sheet must be reconciled to the total drop by a 
count team member who may not function as the sole recorder, and 
variances must be reconciled and documented.
    (12) All count team agents must sign the count sheet attesting to 
their participation in the count.
    (13) A final verification of the total drop proceeds, before 
transfer to cage/vault, must be performed by at least two agents, one 
of whom is a supervisory count team member, and one a count team agent.
    (i) Final verification must include a comparison of currency 
counted totals against the currency counter/system report, if any 
counter/system is used.
    (ii) Any unresolved variances must be documented, and the 
documentation must remain part of the final count record forwarded to 
accounting.
    (iii) This verification does not require a complete recount of the 
drop proceeds, but does require a review sufficient to verify the total 
drop proceeds being transferred.

[[Page 58722]]

    (iv) The two agents must sign the report attesting to the accuracy 
of the total drop proceeds verified.
    (v) All drop proceeds and cash equivalents that were counted must 
be submitted to the cage or vault agent (who must be independent of the 
count team), or to an agent independent of the revenue generation 
source and the count process, for verification. The agent must certify, 
by signature, the amount of the drop proceeds delivered and received. 
Any unresolved variances must be reconciled, documented, and/or 
investigated by accounting/revenue audit.
    (14) After verification by the agent receiving the funds, the drop 
proceeds must be transferred to the cage/vault.
    (i) The count documentation and records must not be transferred to 
the cage/vault with the drop proceeds.
    (ii) The cage/vault agent must have no knowledge or record of the 
drop proceeds total before it is verified.
    (iii) All count records must be forwarded to accounting or secured 
and accessible only by accounting agents.
    (iv) The cage/vault agent receiving the transferred drop proceeds 
must sign the count sheet attesting to the verification of the total 
received, and thereby assume accountability of the drop proceeds, 
ending the count.
    (v) Any unresolved variances between total drop proceeds recorded 
on the count sheet and the cage/vault final verification during 
transfer must be documented and investigated.
    (15) The count sheet, with all supporting documents, must be 
delivered to the accounting department by a count team member or an 
agent independent of the cage/vault. Alternatively, it may be secured 
so that it is only accessible to accounting agents.
    (g) Player interface financial instrument count standards.
    (1) Access to stored full financial instrument storage components 
must be restricted to:
    (i) Authorized members of the drop and count teams; and
    (ii) In an emergency, authorized persons for the resolution of a 
problem.
    (2) The player interface financial instrument count must be 
performed in a count room or other equivalently secure area with 
comparable controls.
    (3) Access to the count room during the count must be restricted to 
members of the drop and count teams, with the exception of authorized 
observers, supervisors for resolution of problems, and authorized 
maintenance personnel.
    (4) If counts from various revenue centers occur simultaneously in 
the count room, procedures must be in effect that prevent the 
commingling of funds from different revenue centers.
    (5) The count team must not have access to amount-in or bill-in 
meter amounts until after the count is completed and the drop proceeds 
are accepted into the cage/vault accountability.
    (6) Count equipment and systems must be tested, and the results 
documented, before the first count begins, to ensure the accuracy of 
the equipment.
    (7) If a currency counter interface is used:
    (i) It must be adequately restricted to prevent unauthorized 
access; and
    (ii) The currency drop figures must be transferred via direct 
communications line or computer storage media to the accounting 
department.
    (8) The financial instrument storage components must be 
individually emptied and counted so as to prevent the commingling of 
funds between storage components until the count of the storage 
component has been recorded.
    (i) The count of each storage component must be recorded in ink or 
other permanent form of recordation.
    (ii) Coupons or other promotional items not included in gross 
revenue may be recorded on a supplemental document by the count team 
members or accounting personnel. All single-use coupons must be 
cancelled daily by an authorized agent to prevent improper 
recirculation.
    (9) If currency counters are utilized, a count team member must 
observe the loading and unloading of all currency at the currency 
counter, including rejected currency.
    (10) Two counts of the currency rejected by the currency counter 
must be recorded per interface terminal as well as in total. Rejected 
currency must be posted to the player interface from which it was 
collected.
    (11) Storage components, when empty, must be shown to another 
member of the count team, to another agent who is observing the count, 
or to surveillance, provided that the count is monitored in its 
entirety by an agent independent of the count.
    (12) Procedures must be implemented to ensure that any corrections 
to the count documentation are permanent, identifiable and the 
original, corrected information remains legible. Corrections must be 
verified by two count team agents.
    (13) The count sheet must be reconciled to the total drop by a 
count team member who may not function as the sole recorder, and 
variances must be reconciled and documented. This standard does not 
apply to vouchers removed from the financial instrument storage 
components.
    (14) All count team agents must sign the report attesting to their 
participation in the count.
    (15) A final verification of the total drop proceeds, before 
transfer to cage/vault, must be performed by the at least two agents, 
one of whom is a supervisory count team member and the other a count 
team agent.
    (i) Final verification must include a comparison of currency 
counted totals against the currency counter/system report, if a 
counter/system is used.
    (ii) Any unresolved variances must be documented and the 
documentation must remain a part of the final count record forwarded to 
accounting.
    (iii) This verification does not require a complete recount of the 
drop proceeds but does require a review sufficient to verify the total 
drop proceeds being transferred.
    (iv) The two agents must sign the report attesting to the accuracy 
of the total drop proceeds verified.
    (v) All drop proceeds and cash equivalents that were counted must 
be turned over to the cage or vault cashier (who must be independent of 
the count team) or to an agent independent of the revenue generation 
and the count process for verification. Such cashier or agent must 
certify, by signature, the amount of the drop proceeds delivered and 
received. Any unresolved variances must be reconciled, documented, and/
or investigated by accounting/revenue audit.
    (16) After certification by the agent receiving the funds, the drop 
proceeds must be transferred to the cage/vault.
    (i) The count documentation and records must not be transferred to 
the cage/vault with the drop proceeds.
    (ii) The cage/vault agent must not have knowledge or record of the 
drop proceeds total before it is verified.
    (iii) All count records must be forwarded to accounting secured and 
accessible only by accounting agents.
    (iv) The cage/vault agent receiving the transferred drop proceeds 
must sign the count sheet attesting to the verification of the total 
received, and thereby assuming accountability of the drop proceeds, and 
ending the count.
    (v) Any unresolved variances between total drop proceeds recorded 
on the count room report and the cage/vault final verification during 
transfer must be documented and investigated.
    (17) The count sheet, with all supporting documents, must be 
delivered to the accounting department by a count team member or agent 
independent of the cashiers department.

[[Page 58723]]

Alternatively, it may be adequately secured and accessible only by 
accounting department.
    (h) Controlled keys. Controls must be established and procedures 
implemented to safeguard the use, access, and security of keys in 
accordance with the following:
    (1) Each of the following requires a separate and unique key lock 
or alternative secure access method:
    (i) Drop cabinet;
    (ii) Drop box release;
    (iii) Drop box content; and
    (iv) Storage racks and carts.
    (2) Access to and return of keys or equivalents must be documented 
with the date, time, and signature or other unique identifier of the 
agent accessing or returning the key(s).
    (i) For Tier A and B operations, at least two (2) drop team agents 
are required to be present to access and return keys. For Tier C 
operations, at least three (3) drop team agents are required to be 
present to access and return keys.
    (ii) For Tier A and B operations, at least two (2) count team 
agents are required to be present at the time count room and other 
count keys are issued for the count. For Tier C operations, at least 
three (two for card game drop box keys in operations with three tables 
or fewer) count team agents are required to be present at the time 
count room and other count keys are issued for the count.
    (3) Documentation of all keys, including duplicates, must be 
maintained, including:
    (i) Unique identifier for each individual key;
    (ii) Key storage location;
    (iii) Number of keys made, duplicated, and destroyed; and
    (iv) Authorization and access.
    (4) Custody of all keys involved in the drop and count must be 
maintained by a department independent of the count and the drop agents 
as well as those departments being dropped and counted.
    (5) Other than the count team, no agent may have access to the drop 
box content keys while in possession of storage rack keys and/or 
release keys.
    (6) Other than the count team, only agents authorized to remove 
drop boxes are allowed access to drop box release keys.
    (7) Any use of keys at times other than the scheduled drop and 
count must be properly authorized and documented.
    (8) Emergency manual keys, such as an override key, for 
computerized, electronic, and alternative key systems must be 
maintained in accordance with the following:
    (i) Access to the emergency manual key(s) used to access the box 
containing the player interface drop and count keys requires the 
physical involvement of at least three agents from separate 
departments, including management. The date, time, and reason for 
access, must be documented with the signatures of all participating 
persons signing out/in the emergency manual key(s);
    (ii) The custody of the emergency manual keys requires the presence 
of two agents from separate departments from the time of their issuance 
until the time of their return; and
    (iii) Routine physical maintenance that requires access to the 
emergency manual key(s), and does not involve accessing the player 
interface drop and count keys, only requires the presence of two agents 
from separate departments. The date, time, and reason for access must 
be documented with the signatures of all participating agents signing 
out/in the emergency manual key(s).
    (i) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.18  What are the minimum internal control standards for the 
cage, vault, kiosk, cash and cash equivalents?

    (a) Supervision. Supervision must be provided as needed for cage, 
vault, kiosk, and other operations using cash or cash equivalents by an 
agent(s) with authority equal to or greater than those being 
supervised.
    (b) Check cashing.
    (1) If checks are cashed at the cage, the controls must provide for 
security and integrity. For each check cashing transaction, the 
agent(s) conducting the transaction must:
    (i) Verify the patron's identity;
    (ii) Examine the check to ensure it includes the patron's name, 
current address, and signature;
    (iii) For personal checks, verify the patron's check cashing 
authority and record the source and results in accordance with 
management policy; however
    (iv) If a check guarantee service is used to guarantee the 
transaction and the procedures required by the check guarantee service 
are followed, then the above requirements do not apply.
    (2) When counter checks are issued, the following must be included 
on the check:
    (i) The patron's name and signature;
    (ii) The dollar amount of the counter check;
    (iii) Patron's bank name, bank routing, and account numbers;
    (iv) Date of issuance; and
    (v) Signature of the agent approving the counter check transaction.
    (3) Checks that are not deposited in the normal course of business, 
as established by management, (held checks) are subject to Sec.  543.15 
lines of credit standards.
    (4) When traveler's checks or other guaranteed drafts, such as 
cashier's checks, are presented, the cashier must comply with the 
examination and documentation procedures as required by the issuer.
    (5) If a third party check cashing or guarantee service is used, 
the examination and documentation procedures required by the service 
provider apply, unless otherwise provided by tribal law or regulation.
    (c) Cage and vault accountability.
    (1) All transactions that flow through the cage must be summarized 
for each work shift of the cage and must be supported by documentation.
    (2) Increases and decreases to the total cage inventory must be 
verified, supported by documentation, and recorded. Documentation must 
include the date and shift, the purpose of the increase/decrease, the 
agent(s) completing the transaction, and the person or department 
receiving the cage funds (for decreases only).
    (3) The cage and vault inventories (including coin rooms) must be 
counted independently by at least two agents, attested to by signature, 
and recorded in ink or other permanent form at the end of each shift 
during which the activity took place. These agents must make individual 
counts to compare for accuracy and maintain individual accountability. 
All variances must be documented and investigated.
    (4) The gaming operation must establish and comply with a minimum 
bankroll formula to ensure the gaming operation maintains cash or cash 
equivalents (on hand and in the bank, if readily accessible) in an 
amount sufficient to satisfy obligations to the gaming operation's 
patrons as they are incurred.
    (d) Kiosks.
    (1) Kiosks must be maintained on the cage accountability and must 
be counted independently by at least two agents, documented, and 
reconciled for each increase or decrease to the kiosk inventory.
    (2) Currency cassettes must be counted and filled by an agent and 
verified independently by at least one agent, all of whom must sign 
each cassette.
    (3) Currency cassettes must be secured with a lock or tamper 
resistant seal and, if not placed inside a kiosk,

[[Page 58724]]

must be stored in a secured area of the cage/vault.
    (4) The TGRA or the gaming operation, subject to the approval of 
the TGRA, must develop and implement physical security controls over 
the kiosks. Controls should address the following: forced entry, 
evidence of any entry, and protection of circuit boards containing 
programs.
    (5) With regard to cashless systems, the TGRA or the gaming 
operation, subject to the approval of the TGRA, must develop and 
implement procedures to ensure that communications between the kiosk 
and system are secure and functioning.
    (6) The following reconciliation reports must be available upon 
demand for each day, shift, and drop cycle (this is not required if the 
system does not track the information, but system limitation(s) must be 
noted):
    (i) Starting balance dollar amount per financial instrument;
    (ii) Starting balance number of items per financial instrument;
    (iii) Dollar amount per financial instrument issued;
    (iv) Number of items per financial instrument issued;
    (v) Dollar amount per financial instrument issued;
    (vi) Number of items per financial instrument redeemed;
    (vii) Dollar amount per financial instrument increases;
    (viii) Number of items per financial instrument increases;
    (ix) Dollar amount per financial instrument decreases;
    (x) Number of items per financial instrument decreases;
    (xi) Ending balance dollar amount per financial instrument; and
    (xii) Ending balance number of items per financial instrument.
    (e) Patron deposited funds. If a gaming operation permits a patron 
to deposit funds with the gaming operation at the cage, and when 
transfers of patron deposited funds are transferred to a gaming area 
for wagering purposes, the following standards apply:
    (1) The receipt or withdrawal of a patron deposit must be 
documented, with a copy given to the patron and a copy remaining in the 
cage.
    (2) Both copies of the document of receipt or withdrawal must 
contain the following information:
    (i) Same receipt number on each copy;
    (ii) Patron's name and signature;
    (iii) Date of receipt and withdrawal;
    (iv) Dollar amount of deposit/withdrawal (for foreign currency 
transactions include the US dollar equivalent, the name of the foreign 
country, and the amount of the foreign currency by denomination);
    (v) Nature of deposit/withdrawal; and
    (vi) Name and signature of the agent who conducted the transaction.
    (3) Procedures must be established and complied with for front 
money deposits to:
    (i) Maintain a detailed record by patron name and date of all funds 
on deposit;
    (ii) Maintain a current balance of all patron deposits that are in 
the cage/vault inventory or accountability; and
    (iii) Reconcile the current balance with the deposits and 
withdrawals at least daily.
    (f) Promotional payments, drawings, and giveaway programs. The 
following procedures must apply to any payment resulting from a 
promotional payment, drawing, or giveaway program disbursed by the cage 
department or any other department. This section does not apply to 
payouts for card game promotional pots and/or pools.
    (1) All payments must be documented to support the cage 
accountability.
    (2) Payments above $600 (or lesser amount as approved by TGRA) must 
be documented at the time of the payment, and documentation must 
include the following:
    (i) Date and time;
    (ii) Dollar amount of payment or description of personal property;
    (iii) Reason for payment; and
    (iv) Patron's name and confirmation that identity was verified 
(drawings only).
    (v) Signature(s) of at least two agents verifying, authorizing, and 
completing the promotional payment with the patron. For computerized 
systems that validate and print the dollar amount of the payment on a 
computer generated form, only one signature is required.
    (g) Chip(s) and token(s). Controls must be established and 
procedures implemented to ensure accountability of chip and token 
inventory. Such controls must include, but are not limited to, the 
following:
    (1) Purchase;
    (2) Receipt;
    (3) Inventory;
    (4) Storage; and
    (5) Destruction.
    (h) Vouchers.
    (1) Controls must be established and procedures implemented to:
    (i) Verify the authenticity of each voucher redeemed.
    (ii) If the voucher is valid, verify that the patron is paid the 
appropriate amount.
    (iii) Document the payment of a claim on a voucher that is not 
physically available or a voucher that cannot be validated such as a 
mutilated, expired, lost, or stolen voucher.
    (iv) Retain payment documentation for reconciliation purposes.
    (v) For manual payment of a voucher of $500 or more, require a 
supervisory employee to verify the validity of the voucher prior to 
payment.
    (2) Vouchers paid during a period while the voucher system is 
temporarily out of operation must be marked ``paid'' by the cashier.
    (3) Vouchers redeemed while the voucher system was temporarily out 
of operation must be validated as expeditiously as possible upon 
restored operation of the voucher system.
    (4) Paid vouchers must be maintained in the cashier's 
accountability for reconciliation purposes.
    (5) Unredeemed vouchers can only be voided in the voucher system by 
supervisory employees. The accounting department will maintain the 
voided voucher, if available.
    (i) Cage and vault access. Controls must be established and 
procedures implemented to:
    (1) Restrict physical access to the cage to cage agents, designated 
staff, and other authorized persons; and
    (2) Limit transportation of extraneous items such as personal 
belongings, tool boxes, beverage containers, etc., into and out of the 
cage.
    (j) Variances. The operation must establish, as approved by the 
TGRA, the threshold level at which a variance must be reviewed to 
determine the cause. Any such review must be documented.


Sec.  543.19  [Reserved]


Sec.  543.20  What are the minimum internal control standards for 
information technology and information technology data?

    (a) Supervision.
    (1) Controls must identify the supervisory agent in the department 
or area responsible for ensuring that the department or area is 
operating in accordance with established policies and procedures.
    (2) The supervisory agent must be independent of the operation of 
Class II games.
    (3) Controls must ensure that duties are adequately segregated and 
monitored to detect procedural errors and to prevent the concealment of 
fraud.
    (4) Information technology agents having access to Class II gaming 
systems may not have signatory authority over financial instruments and 
payout forms and must be independent of and restricted from access to:
    (i) Financial instruments;
    (ii) Accounting, audit, and ledger entries; and
    (iii) Payout forms.
    (b) As used in this section only, a system is any computerized 
system that

[[Page 58725]]

is integral to the gaming environment. This includes, but is not 
limited to, the server and peripherals for Class II gaming system, 
accounting, surveillance, essential phone system, and door access and 
warning systems.
    (c) Class II gaming systems' logical and physical controls. 
Controls must be established and procedures implemented to ensure 
adequate:
    (1) Control of physical and logical access to the information 
technology environment, including accounting, voucher, cashless and 
player tracking systems, among others used in conjunction with Class II 
gaming;
    (2) Physical and logical protection of storage media and its 
contents, including recovery procedures;
    (3) Access credential control methods;
    (4) Record keeping and audit processes; and
    (5) Departmental independence, including, but not limited to, means 
to restrict agents that have access to information technology from 
having access to financial instruments.
    (d) Physical security.
    (1) The information technology environment and infrastructure must 
be maintained in a secured physical location such that access is 
restricted to authorized agents only.
    (2) Access devices to the systems' secured physical location, such 
as keys, cards, or fobs, must be controlled by an independent agent.
    (3) Access to the systems' secured physical location must be 
restricted to agents in accordance with established policies and 
procedures, which must include maintaining and updating a record of 
agents granted access privileges.
    (4) Network Communication Equipment must be physically secured from 
unauthorized access.
    (e) Logical security.
    (1) Controls must be established and procedures implemented to 
protect all systems and to ensure that access to the following is 
restricted and secured:
    (i) Systems' software and application programs;
    (ii) Data associated with Class II gaming; and
    (iii) Communications facilities, systems, and information 
transmissions associated with Class II gaming systems.
    (2) Unused services and non-essential ports must be disabled 
whenever possible.
    (3) Procedures must be implemented to ensure that all activity 
performed on systems is restricted and secured from unauthorized 
access, and logged.
    (4) Communications to and from systems via Network Communication 
Equipment must be logically secured from unauthorized access.
    (f) User controls.
    (1) Systems, including application software, must be secured with 
passwords or other means for authorizing access.
    (2) Management personnel or agents independent of the department 
being controlled must assign and control access to system functions.
    (3) Access credentials such as passwords, PINs, or cards must be 
controlled as follows:
    (i) Each user must have his or her own individual access 
credential;
    (ii) Access credentials must be changed at an established interval 
approved by the TGRA; and
    (iii) Access credential records must be maintained either manually 
or by systems that automatically record access changes and force access 
credential changes, including the following information for each user:
    (A) User's name;
    (B) Date the user was given access and/or password change; and
    (C) Description of the access rights assigned to user.
    (4) Lost or compromised access credentials must be deactivated, 
secured or destroyed within an established time period approved by the 
TGRA.
    (5) Access credentials of terminated users must be deactivated 
within an established time period approved by the TGRA.
    (6) Only authorized agents may have access to inactive or closed 
accounts of other users, such as player tracking accounts and 
terminated user accounts.
    (g) Installations and/or modifications.
    (1) Only TGRA authorized or approved systems and modifications may 
be installed.
    (2) Records must be kept of all new installations and/or 
modifications to Class II gaming systems. These records must include, 
at a minimum:
    (i) The date of the installation or modification;
    (ii) The nature of the installation or change such as new software, 
server repair, significant configuration modifications;
    (iii) Evidence of verification that the installation or the 
modifications are approved; and
    (iv) The identity of the agent(s) performing the installation/
modification.
    (3) Documentation must be maintained, such as manuals and user 
guides, describing the systems in use and the operation, including 
hardware.
    (h) Remote access.
    (1) Agents may be granted remote access for system support, 
provided that each access session is documented and maintained at the 
place of authorization. The documentation must include:
    (i) Name of agent authorizing the access;
    (ii) Name of agent accessing the system;
    (iii) Verification of the agent's authorization;
    (iv) Reason for remote access;
    (v) Description of work to be performed;
    (vi) Date and time of start of end-user remote access session; and
    (vii) Date and time of conclusion of end-user remote access 
session.
    (2) All remote access must be performed via a secured method.
    (i) Incident monitoring and reporting.
    (1) Procedures must be implemented for responding to, monitoring, 
investigating, resolving, documenting, and reporting security incidents 
associated with information technology systems.
    (2) All security incidents must be responded to within an 
established time period approved by the TGRA and formally documented.
    (j) Data backups.
    (1) Controls must include adequate backup, including, but not 
limited to, the following:
    (i) Daily data backup of critical information technology systems;
    (ii) Data backup of critical programs or the ability to reinstall 
the exact programs as needed;
    (iii) Secured storage of all backup data files and programs, or 
other adequate protection;
    (iv) Mirrored or redundant data source; and
    (v) Redundant and/or backup hardware.
    (2) Controls must include recovery procedures, including, but not 
limited to, the following:
    (i) Data backup restoration;
    (ii) Program restoration; and
    (iii) Redundant or backup hardware restoration.
    (3) Recovery procedures must be tested on a sample basis at 
specified intervals at least annually. Results must be documented.
    (4) Backup data files and recovery components must be managed with 
at least the same level of security and access controls as the system 
for which they are designed to support.
    (k) Software downloads. Downloads, either automatic or manual, must 
be performed in accordance with 25 CFR 547.12.
    (l) Verifying downloads. Following download of any Class II gaming 
system software, the Class II gaming system must verify the downloaded 
software using a software signature verification method. Using any 
method it deems appropriate, the TGRA must confirm the verification.

[[Page 58726]]

Sec.  543.21  What are the minimum internal control standards for 
surveillance?

    (a) Supervision. Supervision must be provided as needed for 
surveillance by an agent(s) with authority equal to or greater than 
those being supervised.
    (b) Surveillance equipment and control room(s). Controls must be 
established and procedures implemented that include the following:
    (1) For Tier A, the surveillance system must be maintained and 
operated from a secured location, such as a locked cabinet. For Tiers B 
and C, the surveillance system must be maintained and operated from a 
staffed surveillance operation room(s).
    (2) The surveillance operation room(s) must be secured to prevent 
unauthorized entry.
    (3) Access to the surveillance operation room(s) must be limited to 
surveillance agents and other authorized persons.
    (4) Surveillance operation room(s) access logs must be maintained.
    (5) Surveillance operation room equipment must have total override 
capability over all other satellite surveillance equipment.
    (6) Power loss to the surveillance system:
    (i) For Tier A, in the event of power loss to the surveillance 
system, alternative security procedures, such as additional supervisory 
or security agents, must be implemented immediately.
    (ii) For Tier B and C, in the event of power loss to the 
surveillance system, an auxiliary or backup power source must be 
available and capable of providing immediate restoration of power to 
the surveillance system to ensure that surveillance agents can observe 
all areas covered by dedicated cameras.
    (7) The surveillance system must record an accurate date and time 
stamp on recorded events. The displayed date and time must not 
significantly obstruct the recorded view.
    (8) All surveillance agents must be trained in the use of the 
equipment, games, and house rules.
    (9) Each camera required by the standards in this section must be 
installed in a manner that will prevent it from being readily 
obstructed, tampered with, or disabled.
    (10) The surveillance system must:
    (i) Have the capability to display all camera views on a monitor;
    (ii) Include sufficient numbers of recording devices to record the 
views of all cameras required by this section;
    (iii) Record all camera views; and
    (iv) For Tier B and C only, include sufficient numbers of monitors 
to simultaneously display gaming and count room activities.
    (11) A periodic inspection of the surveillance systems must be 
conducted. When a malfunction of the surveillance system is discovered, 
the malfunction and necessary repairs must be documented and repairs 
initiated within seventy-two (72) hours.
    (i) If a dedicated camera malfunctions, alternative security 
procedures, such as additional supervisory or security agents, must be 
implemented immediately.
    (ii) The TGRA must be notified of any surveillance system and/or 
camera(s) that have malfunctioned for more than twenty-four (24) hours 
and the alternative security measures being implemented.
    (c) Additional surveillance requirements. With regard to the 
following functions, controls must also include:
    (1) Surveillance of the progressive prize meters for Class II 
gaming systems at the following thresholds:
    (i) Wide area progressives with a reset amount of $1 million; and
    (ii) In-house progressives with a reset amount of $250,000.
    (2) Manual bingo:
    (i) For manual draws, the surveillance system must monitor the 
bingo ball drawing device or mechanical random number generator, which 
must be recorded during the course of the draw by a dedicated camera to 
identify the numbers or other designations drawn; and
    (ii) The surveillance system must monitor and record the activities 
of the bingo game, including drawing, and entering the balls, numbers 
or other designations drawn.
    (3) Card games:
    (i) Except for card game tournaments, a dedicated camera(s) with 
sufficient clarity must be used to provide:
    (A) An overview of the activities on each card table surface, 
including card faces and cash and/or cash equivalents;
    (B) An overview of card game activities, including patrons and 
dealers; and
    (C) An unobstructed view of all posted progressive pool amounts.
    (ii) For card game tournaments, a dedicated camera(s) must be used 
to provide an overview of tournament activities, and any area where 
cash or cash equivalents are exchanged.
    (4) Cage and vault:
    (i) The surveillance system must monitor and record a general 
overview of activities occurring in each cage and vault area with 
sufficient clarity to identify individuals within the cage and patrons 
and staff members at the counter areas and to confirm the amount of 
each cash transaction;
    (ii) Each cashier station must be equipped with one (1) dedicated 
overhead camera covering the transaction area; and
    (iii) The cage or vault area in which exchange and transfer 
transactions occur must be monitored and recorded by a dedicated camera 
or motion activated dedicated camera that provides coverage with 
sufficient clarity to identify the chip values and the amounts on the 
exchange and transfer documentation. Controls provided by a 
computerized exchange and transfer system constitute an adequate 
alternative to viewing the amounts on the exchange and transfer 
documentation.
    (5) Count rooms:
    (i) The surveillance system must monitor and record with sufficient 
clarity a general overview of all areas where cash or cash equivalents 
may be stored or counted; and
    (ii) The surveillance system must provide coverage of count 
equipment with sufficient clarity to view any attempted manipulation of 
the recorded data.
    (d) Reporting requirements. TGRA-approved procedures must be 
implemented for reporting suspected crimes and suspicious activity.
    (e) Recording retention. Controls must be established and 
procedures implemented that include the following:
    (1) All recordings required by this section must be retained for a 
minimum of seven days; and
    (2) Suspected crimes, suspicious activity, or detentions by 
security agents discovered within the initial retention period must be 
copied and retained for a time period, not less than one year.
    (f) Logs. Logs must be maintained and demonstrate the following:
    (1) Compliance with the storage, identification, and retention 
standards required in this section;
    (2) Each malfunction and repair of the surveillance system as 
defined in this section; and
    (3) Activities performed by surveillance agents as required by the 
controls in this section.


Sec.  543.22  [Reserved]


Sec.  543.23  What are the minimum internal control standards for audit 
and accounting?

    (a) Conflicts of standards. When establishing SICS, the gaming 
operation should review, and consider incorporating, other external 
standards such as GAAP, GAAS, and standards promulgated by GASB and 
FASB. In the event of a conflict between the MICS

[[Page 58727]]

and the incorporated external standards, the external standards 
prevail.
    (b) Accounting. Controls must be established and procedures 
implemented to safeguard assets and ensure each gaming operation:
    (1) Prepares accurate, complete, legible, and permanent records of 
all transactions pertaining to gaming revenue and activities for 
operational accountability.
    (2) Prepares general accounting records on a double-entry system of 
accounting, maintaining detailed, supporting, subsidiary records, and 
performs the following activities:
    (i) Record gaming activity transactions in an accounting system to 
identify and track all revenues, expenses, assets, liabilities, and 
equity;
    (ii) Record all markers, IOU's, returned checks, held checks, or 
other similar credit instruments;
    (iii) Record journal entries prepared by the gaming operation and 
by any independent accountants used;
    (iv) Prepare income statements and balance sheets;
    (v) Prepare appropriate subsidiary ledgers to support the balance 
sheet;
    (vi) Prepare, review, and maintain accurate financial statements;
    (vii) Prepare transactions in accordance with the appropriate 
authorization, as provided by management;
    (viii) Record transactions to facilitate proper recording of gaming 
revenue and fees, and to maintain accountability of assets;
    (ix) Compare recorded accountability for assets to actual assets at 
periodic intervals, and take appropriate action with respect to any 
variances;
    (x) Segregate functions, duties, and responsibilities;
    (xi) Prepare minimum bankroll calculations; and
    (xii) Maintain and preserve all financial records and relevant 
supporting documentation.
    (c) Internal audit. Controls must be established and procedures 
implemented to ensure that:
    (1) Internal auditor(s) perform audits of each department of a 
gaming operation, at least annually, to review compliance with TICS, 
SICS, and these MICS, which include at least the following areas:
    (i) Bingo, including supervision, bingo cards, bingo card sales, 
draw, prize payout; cash and equivalent controls, technologic aids to 
the play of bingo, operations, vouchers, and revenue audit procedures;
    (ii) Pull tabs, including, supervision, pull tab inventory, pull 
tab sales, winning pull tabs, pull tab operating funds, statistical 
records, and revenue audit procedures;
    (iii) Card games, including supervision, exchange or transfers, 
playing cards, shill funds, reconciliation of card room bank, posted 
rules, and promotional progressive pots and pools;
    (iv) Gaming promotions and player tracking procedures, including 
supervision, gaming promotion rules and player tracking systems;
    (v) Complimentary services or items, including procedures for 
issuing, authorizing, redeeming, and reporting complimentary service 
items;
    (vi) Patron deposit accounts and cashless systems procedures, 
including supervision, patron deposit accounts and cashless systems, as 
well as patron deposits, withdrawals and adjustments;
    (vii) Lines of credit procedures, including establishment of lines 
of credit policy;
    (viii) Drop and count standards, including supervision, count room 
access, count team, card game drop standards, player interface and 
financial instrument drop standards, card game count standards, player 
interface financial instrument count standards, and controlled keys;
    (ix) Cage, vault, cash and cash equivalent procedures, including 
supervision, cash and cash equivalents, personal checks, cashier's 
checks, traveler's checks, payroll checks, and counter checks, cage and 
vault accountability, kiosks, patron deposited funds, promotional 
payouts, drawings, and giveaway programs, chip and token standards, and 
cage and vault access;
    (x) Information technology, including supervision, class II gaming 
systems' logical and physical controls, independence, physical 
security, logical security, user controls, installations and/or 
modifications, remote access, incident monitoring and reporting, data 
back-ups, software downloads, and verifying downloads; and
    (xi) Accounting standards, including accounting records, 
maintenance and preservation of financial records and relevant 
supporting documentation.
    (2) Internal auditor(s) are independent of gaming operations with 
respect to the departments subject to audit (auditors internal to the 
operation, officers of the TGRA, or outside CPA firm may perform this 
function).
    (3) Internal auditor(s) report directly to the Tribe, TGRA, audit 
committee, or other entity designated by the Tribe.
    (4) Documentation such as checklists, programs, reports, etc. is 
prepared to evidence all internal audit work and follow-up performed as 
it relates to compliance with TICS, SICS, and these MICS, including all 
instances of noncompliance.
    (5) Audit reports are maintained and made available to the 
Commission upon request and must include the following information:
    (i) Audit objectives;
    (ii) Audit procedures and scope;
    (iii) Findings and conclusions;
    (iv) Recommendations, if applicable; and
    (v) Management's response.
    (6) All material exceptions identified by internal audit work are 
investigated and resolved and the results are documented.
    (7) Internal audit findings are reported to management, responded 
to by management stating corrective measures to be taken, and included 
in the report delivered to management, the Tribe, TGRA, audit 
committee, or other entity designated by the Tribe for corrective 
action.
    (8) Follow-up observations and examinations is performed to verify 
that corrective action has been taken regarding all instances of non-
compliance. The verification is performed within six (6) months 
following the date of notification of non-compliance.
    (d) Annual requirements.
    (1) Agreed upon procedures. A CPA must be engaged to perform an 
assessment to verify whether the gaming operation is in compliance with 
these MICS, and/or the TICS or SICS if they provide at least the same 
level of controls as the MICS. The assessment must be performed in 
accordance with agreed upon procedures and the most recent versions of 
the Statements on Standards for Attestation Engagements and Agreed-Upon 
Procedures Engagements (collectively ``SSAEs''), issued by the American 
Institute of Certified Public Accountants.
    (2) The tribe must submit two copies of the agreed-upon procedures 
report to the Commission within 120 days of the gaming operation's 
fiscal year end in conjunction with the submission of the annual 
financial audit report required pursuant to 25 CFR part 571.
    (3) Review of internal audit.
    (i) The CPA must determine compliance by the gaming operation with 
the internal audit requirements in this paragraph (d) by:
    (A) Completing the internal audit checklist;
    (B) Ensuring that the internal auditor completed checklists for 
each gaming department of the operation;
    (C) Verifying that any areas of non-compliance have been 
identified;
    (D) Ensuring that audit reports are completed and include responses 
from management; and

[[Page 58728]]

    (E) Verifying that appropriate follow-up on audit findings has been 
conducted and necessary corrective measures have been taken to 
effectively mitigate the noted risks.
    (ii) If the CPA determines that the internal audit procedures 
performed during the fiscal year have been properly completed, the CPA 
may rely on the work of the internal audit for the completion of the 
MICS checklists as they relate to the standards covered by this part.
    (4) Report format. The SSAEs are applicable to agreed-upon 
procedures engagements required in this part. All noted instances of 
noncompliance with the MICS and/or the TICS or SICS, if they provide 
the same level of controls as the MICS, must be documented in the 
report with a narrative description, the number of exceptions and 
sample size tested.


Sec.  543.24  What are the minimum internal control standards for 
auditing revenue?

    (a) Supervision. Supervision must be provided as needed for bingo 
operations by an agent(s) with authority equal to or greater than those 
being supervised.
    (b) Independence. Audits must be performed by agent(s) independent 
of the transactions being audited.
    (c) Documentation. The performance of revenue audit procedures, the 
exceptions noted, and the follow-up of all revenue audit exceptions 
must be documented and maintained.
    (d) Controls must be established and procedures implemented to 
audit of each of the following operational areas:
    (1) Bingo.
    (i) At the end of each month, verify the accuracy of the ending 
balance in the bingo control log by reconciling it with the bingo paper 
inventory. Investigate and document any variance noted.
    (ii) Daily, reconcile supporting records and documents to 
summarized paperwork or electronic records (e.g. total sales and 
payouts per shift and/or day).
    (iii) At least monthly, review variances related to bingo 
accounting data in accordance with an established threshold, which must 
include, at a minimum, variance(s) noted by the Class II gaming system 
for cashless transactions in and out, electronic funds transfer in and 
out, external bonus payouts, vouchers out and coupon promotion out. 
Investigate and document any variance noted.
    (iv) At least monthly, review statistical reports for any 
deviations from the mathematical expectations exceeding a threshold 
established by the TGRA. Investigate and document any deviations 
compared to the mathematical expectations required to be submitted per 
Sec.  547.4.
    (v) At least monthly, take a random sample, foot the vouchers 
redeemed and trace the totals to the totals recorded in the voucher 
system and to the amount recorded in the applicable cashier's 
accountability document.
    (2) Pull tabs.
    (i) Daily, verify the total amount of winning pull tabs redeemed 
each day.
    (ii) At the end of each month, verify the accuracy of the ending 
balance in the pull tab control log by reconciling the pull tabs on 
hand. Investigate and document any variance noted.
    (iii) At least monthly, compare for reasonableness the amount of 
pull tabs sold from the pull tab control log to the amount of pull-tab 
sales.
    (iv) At least monthly, review statistical reports for any 
deviations exceeding a specified threshold, as defined by the TGRA. 
Investigate and document any large and unusual fluctuations noted.
    (3) Card games.
    (i) Daily, reconcile the amount indicated on the progressive sign/
meter to the cash counted or received by the cage and the payouts made 
for each promotional progressive pot and pool. This reconciliation must 
be sufficiently documented, including substantiation of differences and 
adjustments.
    (ii) At least monthly, review all payouts for the promotional 
progressive pots, pools, or other promotions to verify payout accuracy 
and proper accounting treatment and that they are conducted in 
accordance with conditions provided to the patrons.
    (iii) At the conclusion of each contest/tournament, reconcile all 
contest/tournament entry and payout forms to the dollar amounts 
recorded in the appropriate accountability document.
    (4) Gaming promotions and player tracking.
    (i) At least monthly, review promotional payments, drawings, and 
giveaway programs to verify payout accuracy and proper accounting 
treatment in accordance with the rules provided to patrons.
    (ii) At least monthly, for computerized player tracking systems, 
perform the following procedures:
    (A) Review authorization documentation for all manual point 
additions/deletions for propriety;
    (B) Review exception reports, including transfers between accounts; 
and
    (C) Review documentation related to access to inactive and closed 
accounts.
    (iii) At least annually, all computerized player tracking systems 
must be reviewed by agent(s) independent of the individuals that set up 
or make changes to the system parameters. The review must be performed 
to determine that the configuration parameters are accurate and have 
not been altered without appropriate management authorization Document 
and maintain the test results.
    (5) Complimentary services or items. At least monthly, review the 
reports required in Sec.  543.13(d). These reports must be made 
available to those entities authorized by the TGRA or by tribal law or 
ordinance.
    (6) Patron deposit accounts.
    (i) At least weekly, reconcile patron deposit account liability 
(deposits  adjustments-withdrawals = total account balance) 
to the system record.
    (ii) At least weekly, review manual increases and decreases to/from 
player deposit accounts to ensure proper adjustments were authorized.
    (7) Lines of credit.
    (i) At least three (3) times per year, an agent independent of the 
cage, credit, and collection functions must perform the following 
review:
    (A) Select a sample of line of credit accounts;
    (B) Ascertain compliance with credit limits and other established 
credit issuance procedures;
    (C) Reconcile outstanding balances of both active and inactive 
(includes write-offs and settlements) accounts on the accounts 
receivable listing to individual credit records and physical 
instruments. This procedure need only be performed once per year for 
inactive accounts; and
    (D) Examine line of credit records to determine that appropriate 
collection efforts are being made and payments are being properly 
recorded.
    (E) For at least five (5) days during the review period, 
subsequently reconcile partial payment receipts to the total payments 
recorded by the cage for the day and account for the receipts 
numerically.
    (ii) At least monthly, perform an evaluation of the collection 
percentage of credit issued to identify unusual trends.
    (8) Drop and count.
    (i) At least quarterly, unannounced currency counter and currency 
counter interface (if applicable) tests must be performed, and the test 
results documented and maintained. All denominations of currency and 
all types of cash out tickets counted by the currency counter must be 
tested. This test may be performed by internal audit or the TGRA. The 
result of these tests must be documented and signed by the agent(s) 
performing the test.

[[Page 58729]]

    (ii) At least quarterly, unannounced weigh scale and weigh scale 
interface (if applicable) tests must be performed, and the test results 
documented and maintained. This test may be performed by internal audit 
or the TGRA. The result of these tests must be documented and signed by 
the agent(s) performing the test.
    (iii) For computerized key security systems controlling access to 
drop and count keys, perform the following procedures:
    (A) At least quarterly, review the report generated by the 
computerized key security system indicating the transactions performed 
by the individual(s) that adds, deletes, and changes users' access 
within the system (i.e., system administrator). Determine whether the 
transactions completed by the system administrator provide adequate 
control over the access to the drop and count keys. Also, determine 
whether any drop and count key(s) removed or returned to the key 
cabinet by the system administrator was properly authorized;
    (B) At least quarterly, review the report generated by the 
computerized key security system indicating all transactions performed 
to determine whether any unusual drop and count key removals or key 
returns occurred; and
    (C) At least quarterly, review a sample of users that are assigned 
access to the drop and count keys to determine that their access to the 
assigned keys is appropriate relative to their job position.
    (iv) At least quarterly, an inventory of all controlled keys must 
be performed and reconciled to records of keys made, issued, and 
destroyed. Investigations must be performed for all keys unaccounted 
for, and the investigation documented.
    (9) Cage, vault, cash, and cash equivalents.
    (i) At least monthly, the cage accountability must be reconciled to 
the general ledger.
    (ii) At least monthly, trace the amount of cage deposits to the 
amounts indicated in the bank statements.
    (iii) Twice annually, a count must be performed of all funds in all 
gaming areas (i.e. cages, vaults, and booths (including reserve areas), 
kiosks, cash-out ticket redemption machines, and change machines. Count 
all chips and tokens by denomination and type. Count individual straps, 
bags, and imprest banks on a sample basis. Reconcile all amounts 
counted to the amounts recorded on the corresponding accountability 
forms to ensure that the proper amounts are recorded. Maintain 
documentation evidencing the amount counted for each area and the 
subsequent comparison to the corresponding accountability form. The 
count must be completed within the same gaming day for all areas.
    (A) Counts must be observed by an individual independent of the 
department being counted. It is permissible for the individual 
responsible for the funds to perform the actual count while being 
observed.
    (B) Internal audit may perform and/or observe the two counts.
    (iv) At least annually, select a sample of invoices for chips and 
tokens purchased, and trace the dollar amount from the purchase invoice 
to the accountability document that indicates the increase to the chip 
or token inventory to ensure that the proper dollar amount has been 
recorded.
    (v) At each business year end, create and maintain documentation 
evidencing the amount of the chip/token liability, the change in the 
liability from the previous year, and explanations for adjustments to 
the liability account including any adjustments for chip/token float.
    (vi) At least monthly, review a sample of returned checks to 
determine that the required information was recorded by cage agent(s) 
when the check was cashed.
    (vii) At least monthly, review exception reports for all 
computerized cage systems for propriety of transactions and unusual 
occurrences. The review must include, but is not limited to, voided 
authorizations. All noted improper transactions or unusual occurrences 
identified must be investigated and the results documented.
    (viii) Daily, reconcile all parts of forms used to document 
increases/decreases to the total cage inventory, investigate any 
variances noted, and document the results of such investigations.
    (10) Inventory.
    (i) At least monthly, verify receipt, issuance, and use of 
controlled inventory, including, but not limited to, bingo cards, pull 
tabs, playing cards, keys, pre-numbered and/or multi-part forms.
    (ii) Periodically perform minimum bankroll calculations to ensure 
that the gaming operation maintains cash in an amount sufficient to 
satisfy the gaming operation's obligations.


Sec.  543.25-543.49  [Reserved]

    Dated: September 14, 2012, Washington, DC.
Tracie L. Stevens,
Chairwoman.
Steffani A. Cochran,
Vice-Chairwoman.
Daniel J. Little,
Associate Commissioner.
[FR Doc. 2012-23155 Filed 9-20-12; 8:45 am]
BILLING CODE 7565-01-P