Current through September 9, 2024
(a) Unless
otherwise provided for by the department, before beginning internet gaming, an
online gaming operator and sports wagering retailer shall submit their internal
controls in detail in writing for department review and approval. If an online
gaming operator is licensed to offer more than one type of internet game, for
example online casino gaming and fantasy contests, the online gaming operator
may have separate sets of internal controls for each type of internet game.
Internal controls shall include a detailed description of the administrative
and accounting procedures to be utilized by the online gaming operator in
compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the
Regulations of Connecticut State Agencies. The procedures shall include, but
not be limited to:
(1) An online gaming
operator's procedures for responding to a failure of the electronic wagering
platform, including procedures for restoring internet gaming.
(2) An online gaming operator's automated and
manual risk management procedures, including procedures to govern emergencies
such as suspected or actual cyber-attacks on, hacking of, or tampering with the
electronic wagering platform and associated equipment. The procedures shall
include the process for the reconciliation or repayment of an internet gaming
account.
(3) Procedures for
identifying and reporting fraud and suspicious conduct.
(4) Procedures to prevent wagering by
excluded or prohibited patrons.
(5)
Procedures for online gaming operator and sports wagering retailer imposed
expulsion of patrons, including the following:
(A) Providing a notification to the patron of
the patron's expulsion status and general instructions for
resolution.
(B) Ensuring that
immediately upon executing the expulsion order, no new wagers or deposits are
accepted from the expelled patron, until such time as the licensee lifts the
expulsion order.
(C) Ensuring that
the patron is not prevented from withdrawing any or all of his or her account
balance, if the online gaming operator acknowledges that the funds have
cleared, and that the reason or reasons for expulsion would not prohibit a
withdrawal.
(6)
Description of the process for voiding or cancelling wagers and refunding the
patron.
(7) Procedures for issuance
and acceptance of complimentaries for internet gaming.
(8) Procedures for identifying and
restricting prohibited patrons.
(9)
An online gaming operator's methods for securely issuing, modifying, and
resetting a patron's account password, personal identification number, or other
approved security feature, if applicable. Any such method shall include
notification to the patron following any modification via electronic or regular
mail, text message, or other manner approved by the department. Such methods
shall include, at a minimum, one of the following:
(A) Proof of identity, if in
person.
(B) The correct response to
two or more challenge questions.
(C) Strong authentication.
(10) In detail, the location of
the online gaming operator's gaming servers, including any third-party remote
location servers, and what controls will be in place to ensure security of the
gaming servers.
(11) Procedures and
security for the calculation, recording, and reporting of gross revenue,
adjusted gross revenue, winnings, and prizes; or gross receipts and winnings if
the online gaming operator provides fantasy contests.
(12) Policies and procedures in connection
with the internal audit, or equivalent, function of its internet gaming
operations.
(13) Any other items
considered necessary by the department.
(b) Modifications or additions to any portion
of the internal controls shall be submitted to the department for approval
prior to implementation.
(c) The
commissioner may accept, reject or require modification of any internal
control. Rejection or required modifications of internal controls shall be
based on the potential for detrimental impact on: the integrity of gaming
operations; financial, cyber or physical security related to an electronic
wagering platform; or the department's ability to effectively regulate gaming
operations. An online gaming operator or sports wagering retailer may appeal
any rejection of an internal control by requesting a hearing before the
commissioner in accordance with chapter 54 of the Connecticut General Statutes.
Such request for hearing shall be made in writing to the
commissioner within fifteen days of receipt from the Department of a rejection
of such internal control.
(d) Within thirty days of offering online
wagering or retail sports wagering to patrons, the online gaming operator and
sports wagering retailer shall create and approve the following internal
administrative procedures that shall not be subject to department approval but
shall be available to the department upon request:
(1) User access controls for all online
gaming operator internet gaming personnel.
(2) Segregation of duties.
(3) Description of anti-money laundering
compliance standards.
(4)
Description of an online gaming operator's process for accepting multiple
wagers from one patron in a twenty-four-hour cycle, including process to
identify patron structuring of wagers to circumvent recording and reporting
requirements.
(5) Procedures for
processing consumer complaints and for the appeal of the designation of a
patron as a prohibited or excluded person.
(6) Description of process to close out
dormant accounts.
(7) The online
gaming operator's Procedures for making adjustments to an internet gaming
account, providing a method for a patron to close out an account and how a
patron will be refunded after the closure of an account or how funds will be
escheated.
(8) The online gaming
operator's procedures to verify each patron's physical location.
(9) The online gaming operator's procedures
for the security and sharing of personal identifiable information of a patron,
funds or financial information in an internet gaming account, and other
information as required by the department. The procedures shall include the
means by which an online gaming operator and a master wagering licensee provide
notice to a patron related to the sharing of personal identifiable
information.
(10) Detailed
responsible gaming measures.
(11)
The online gaming operator's T&S controls.
(12) The online gaming operator's procedures
for terminating an internet gaming account and the return of any funds
remaining in the internet gaming account to the patron or confiscation of
funds.
(13) The online gaming
operator's procedures for the logging in and authentication of a patron to
enable the patron to commence internet gaming and the logging off of the patron
when the patron has completed play, including a procedure to automatically log
a patron out of the internet gaming account after a specified period of
inactivity.
(14) The online gaming
operator's procedures for withdrawing funds from an internet gaming account by
the patron.
(15) The online gaming
operator's procedures and appropriate measures implemented to deter, detect,
and, to the extent possible, prevent cheating, including collusion, and use of
cheating devices, including the use of software programs that make bets
according to algorithms.
(16)
Policies and procedures with respect to accepting or extending patron
credit.
(17) Any other items
considered necessary by the department in order to ensure the integrity of
gaming and internet games in the state.
(e) To the extent a third-party is involved
in or provides any of the internal controls required in sections 12-865-1 to
12-865-34, inclusive, of the Regulations of Connecticut State Agencies, the
online gaming operator's internal controls shall document the roles and
responsibilities of the third-party and shall include procedures to evaluate
the adequacy of and monitor compliance with the third-party's internal control
procedures.
(f) In the event of an
emergency, the online gaming operator may temporarily amend an internal
control. The online gaming operator shall notify the department that an
emergency exists before temporarily amending an internal control
procedure.
(g) An online gaming
operator shall submit the temporary emergency amendment of the internal control
procedures to the department within three days of the amendment. The submission
shall include the detailed emergency procedures that will be implemented and
the time period the emergency procedures will be temporarily in place. Any
concerns the department has with the submission shall be addressed with the
online gaming operator.
(h) As soon
as the circumstances necessitating the emergency amendment to the internal
controls abate, an online gaming operator shall resume compliance with the
approved internal controls.
