Kentucky Administrative Regulations
Title 809 - Public Protection Cabinet - Kentucky Horse Racing Commission
Chapter 10 - Technical Criteria
Section 809 KAR 10:006 - Audit and internal control standards
Universal Citation: 809 KY Admin Regs Service 10:006
Current through Register Vol. 51, No. 6, December 1, 2024
RELATES TO: KRS Chapter 230
NECESSITY, FUNCTION, AND CONFORMITY: KRS 230.260(16)(a) requires the corporation to promulgate regulations to establish standards related to sports wagering, including standards for "maintaining and auditing books and financial records, securely maintaining records of bets and wagers, integrity requirements for sports wagering and related data surveillance and monitoring systems, and other reasonable technical criteria related to conducting sports wagering."KRS 230.811(2) requires tracks and service providers to "comply with the standards established by the corporation. . . to ensure the integrity of the system of sports wagering." This administrative regulation establishes internal control standards, including administration and accounting controls, and establishes certain duties to permit access to the corporation of information and records, record retention, and reporting requirements.
Section 1. Internal Controls. Before beginning operations, a licensee shall submit its administrative and accounting controls, in detail, in a system of internal controls for corporation review and approval in accordance with GLI-33 Standards and subsection (3) of this section. The corporation or its designee may perform any inspection necessary in order to determine conformance with the approved internal controls.
(1)
Amendments to any portion of the internal controls shall be submitted to the
corporation for approval consistent with corporation staff audits in accordance
with GLI-33 Standards. If, within thirty (30) calendar days the corporation has
not approved, denied, or otherwise provided written notice, a licensee may
implement the amended internal controls, which shall be implemented as
submitted, in which case the corporation shall retain its authority to require
further amendment, approval, or denial.
(a)
The corporation may approve, deny, or require a revision to the amendment to
the internal controls consistent with corporation staff audits in accordance
with GLI-33 Standards. If the licensee is notified of a required revision, the
licensee shall address the revision within fifteen (15) calendar days, unless
otherwise required by the corporation based on immediate risk or immediate
implied risk to sports wagering.
(b) If the corporation requests additional
information, clarification, or revision of an amendment to the internal
controls and the licensee fails to satisfy the request within thirty (30)
calendar days after the corporation submits the request, the corporation shall
consider the amendment denied and the amendment shall not be implemented or, if
previously implemented, the licensee shall cease implementation of that
amendment within fifteen (15) calendar days. If the licensee subsequently wants
to pursue the amendment, it shall resubmit the request along with the
additional information previously requested by the corporation.
(2) In an emergency, the licensee
may temporarily amend their internal controls. The corporation or its designee
shall be notified immediately that an emergency exists before the licensee
temporarily amends its internal controls due to an emergency. The licensee
shall submit the temporary emergency amendment of the internal controls to the
corporation or its designee within twenty-four (24) hours of the amendment. The
submission shall include the detailed emergency procedures that will be
implemented and the time period the emergency procedures will be temporarily in
place.
(3) The internal controls
shall include a detailed narrative description of the administrative and
accounting procedures designed to satisfy the requirements of KAR Title 809,
including:
(a) Reliable accounting controls,
including the standardization of forms and definition of terms to be used in
the sports wagering operations;
(b)
Reporting controls, which shall include policies and procedures for the timely
reporting of standard financial and statistical information in accordance with
this administrative regulation;
(c)
Access controls, which shall include as their primary objective, the
safeguarding of company assets;
(d)
Tables of organization, which shall provide for:
1. A system of personnel and chain of command
that allows management and supervisory personnel to be held accountable for
actions or omissions within their areas of responsibility;
2. The segregation of functions that are
incompatible with separation of duties, so that no employee is in a position
both to commit an error or to perpetrate a fraud and to conceal the error or
fraud in the normal course of their duties;
3. Supervisory positions that allow the
authorization or supervision of necessary transactions at all relevant times;
and
4. Areas of responsibility that
are not so extensive as to be impractical for one (1) person to
monitor;
(e) A jobs
compendium detailing job descriptions, chains of command, and lines of
authority for all personnel engaged in the operation of sports wagering. The
licensee shall maintain and update the jobs compendium on a regular basis, but
at least annually;
(f) An
infrastructure and information security program; and
(g) All wagering procedures and practices
established within the GLI-33 Standards.
(4) To the extent a service provider is
involved in or provides any of the internal controls required in 809 KAR
Chapter 10, the licensee's internal controls shall document the roles and
responsibilities of the service provider and shall include procedures to
evaluate the adequacy of and monitor compliance with the service provider's
internal controls.
(5) The licensee
shall stamp or otherwise mark each page of the internal controls submitted to
the corporation with the word "CONFIDENTIAL" if the licensee does not believe
the material submitted is subject to public disclosure.
(6) If a licensee intends to utilize any new
technology not identified in its initial proposal, it shall submit the changes
to its internal controls to incorporate the use of any new technology to the
corporation for approval based on GLI-33 Standards.
(7) If the corporation determines that the
internal controls of the licensee do not comply with the requirements of KAR
Title 809, the corporation shall notify the licensee in writing. Within fifteen
(15) calendar days after receiving the notification, the licensee shall amend
its internal controls accordingly and shall submit, for corporation approval, a
copy of the written internal controls, as amended, and a description of any
other remedial measure taken. Corporation approval shall be based on
corporation staff audits and compliance with GLI-33 Standards.
Section 2. Information Security Responsibilities. The internal controls shall ensure that an information security program shall be effectively implemented and information security function responsibilities shall be effectively allocated.
(1) The licensee shall implement, maintain,
and comply with a comprehensive information security program, the purpose of
which shall be to take reasonable steps to protect the confidentiality,
integrity, and availability of personally identifiable information of
individuals who place a sports wager with the licensee.
(2) The licensee's information security
program shall contain administrative, technical, and physical safeguards
appropriate to the size, complexity, nature, and scope of the operations, and
the sensitivity of the personally identifiable information owned, licensed,
maintained, handled, or otherwise in the possession of the licensee.
(3) A licensee's information security
department shall exist that shall be responsible for developing a security
strategy in accordance with the overall operation. The information security
department shall subsequently work with the other departments to implement the
associated action plans. It shall be involved in reviewing all tasks and
processes that are necessary from the security perspective for the licensee,
including the protection of information and data, communications, physical,
virtual, personnel, and overall business operational security.
(4) The licensee's information security
department shall report to no lower than executive level management and shall
be independent of the IT department with regard to the management of security
risk.
(5) The licensee's
information security department shall have the competencies and be sufficiently
empowered, and shall have access to all necessary resources, to enable the
adequate assessment, management, and reduction of risk.
Section 3. Accounting Records. Licensees shall maintain complete, accurate, and legible records of all financial transactions for at least five (5) years, including transactions pertaining to revenues, expenses, assets, liabilities, and equity in conformance with generally accepted accounting principles. The licensee's financial transaction reports shall be in compliance with GLI-33 Standards.
(1) The detailed subsidiary records shall
include:
(a) Detailed general ledger accounts
identifying all revenue, expenses, assets, liabilities, and equity;
(b) A record of all investments, advances,
loans, and accounts receivable balances due the establishment;
(c) A record of all loans and other accounts
payable;
(d) A record of all
accounts receivable written off as uncollectible;
(e) Journal entries prepared;
(f) Tax work papers used in preparation of
any state or federal tax return if applicable;
(g) Records supporting the accumulation of
the costs for complimentary services and items. A complimentary service or item
provided to individuals in the normal course of a sports wagering business
shall be recorded in an amount based upon the full retail price normally
charged for the service or item or as is otherwise consistent with generally
accepted accounting principles; and
(h) Records required by the internal
controls.
(2) The
licensee shall maintain all records supporting the adjusted gross revenue for
at least five (5) years.
(3) If a
licensee fails to maintain the records used by it to calculate the adjusted
gross revenue, the corporation may compute and determine the amount upon the
basis of an audit conducted by the corporation using available
information.
Section 4. Financial Audits. Upon application, and annually thereafter, each licensee shall submit to the corporation, within ninety (90) calendar days of the licensee's fiscal year end, its financial audit for that fiscal year.
(1) The licensee shall operate in conformity
with financial audit conditions established in the license conditions issued by
the corporation pursuant to
KRS
230.290(3).
(2) Upon request by the corporation, the
licensee shall submit pro forma statements that present projected or estimated
financial performance, assets, and liabilities. These pro forma statements
shall include:
(a) Pro forma balance sheet: A
projected or estimated balance sheet stating the entity's assets, liabilities,
and equity at a specific point in time;
(b) Pro forma income statement: A projected
or estimated income statement presenting the entity's anticipated revenues,
expenses, and net income for a specific period;
(c) Pro forma cash flow statement: A
projected or estimated cash flow statement demonstrating the expected cash
inflows and outflows of the entity over a specific period;
(d) Pro forma statement of retained earnings:
A projected or estimated statement reflecting changes in the entity's retained
earnings over a specific period, considering projected net income, dividends,
and other adjustments; and
(e)
Notes for financial statements: Explanatory notes providing additional
information and disclosures related to the pro forma statements, including
significant assumptions, methodologies used, and any other relevant
details.
(3) If audited
financial statements are not available, the licensee shall provide audited
financial statements of its parent company and the licensee's unaudited
financial statements, which document the licensee's financial performance,
assets, and liabilities, including:
(a) A
balance sheet;
(b) An income
statement;
(c) A cash flow
statement;
(d) A statement of
retained earnings; and
(e) Notes
for financial statements.
(4) The pro forma statements shall be clearly
labeled as unaudited and based on management's estimates and assumptions. These
statements may serve as temporary financial documentation until audited
financial statements become available.
(5) The financial audit shall be performed in
accordance with generally accepted accounting principles by an independent
certified public accountant currently authorized to practice in Kentucky or any
other U.S. state or jurisdiction, and shall contain the opinion of the
independent certified public accountant as to its fair preparation and
presentation in accordance with generally accepted accounting
principles.
(6) The corporation
shall determine the number of copies of audits or reports required under this
procedure. The audits or reports shall be received by the corporation or
postmarked no later than the required filing date.
(7) The reporting year-end of the licensee
shall be December 31 of each year, unless otherwise approved by the corporation
for good cause shown by the licensee.
Section 5. Retention, Storage, and Destruction of Records. The internal controls shall include a records retention schedule and provisions related to the storage and destruction of records that incorporates the provisions established in subsections (1) through (7) of this section.
(1) Each licensee shall maintain, in
a place secure from theft, loss, or destruction, adequate records of its
business and accounting operations.
(2) A licensee shall make the records
available to the corporation, upon request, within a time provided for by the
corporation. A licensee shall retain the records for not less than five (5)
years.
(3) A licensee shall keep
and maintain accurate, complete, and legible records of any books, records, or
documents pertaining to, prepared in, or generated by, the licensee.
(4) A licensee shall organize and index all
required records in a manner that enables the corporation to locate, inspect,
review, and analyze the records with reasonable ease and efficiency.
(5) A licensee shall notify the corporation
in writing at least sixty (60) calendar days prior to the scheduled destruction
of any record required to be retained in accordance with this section, if
within the five (5) year record retention requirement. Notice shall list each
type of record scheduled for destruction, including a description sufficient to
identify the records included, the retention period, and the date of
destruction. If documents are to be destroyed in the normal course of business
in accordance with document retention policies previously established in the
internal controls approved by the corporation, no notice to the corporation
shall be required.
(6) The
corporation may prohibit the destruction of any record required to be retained
in accordance with this section by so notifying the licensee in writing within
forty-five (45) calendar days of receipt of the notice of destruction pursuant
to subsection (5) or within the established retention period. This prohibition
shall be based on factors such as an ongoing investigation or the licensee's
history of unusual wagering activity. An original record may thereafter be
destroyed only upon notice from the corporation, by order of the corporation
upon the petition of the licensee, or by the corporation on its own
initiative.
(7) The licensee may
use the services of a disposal company for the destruction of any records
required to be retained in accordance with this section.
Section 6. Reserve Requirement.
(1) The internal controls shall include a
plan to maintain and protect sufficient funds to conduct sports wagering at all
times through a reserve in the amount necessary to ensure the security of funds
held in sports wagering accounts and the ability to cover the outstanding
sports wagering liability.
(a) The reserve
shall be in the form of cash, cash equivalents, payment processor receivables,
payment processor reserves, an irrevocable letter of credit, a bond, or a
combination thereof.
(b) The
reserve shall be not less than the greater of $25,000 or the sum of:
1. The daily ending cashable balance of all
sports wagering accounts;
2.
Pending withdrawals;
3. Amounts
accepted by the licensee on sports wagers with undetermined outcomes;
and
4. Amounts owed but unpaid on
winning sports wagers.
(c) Amounts available to patrons for wagering
that are not redeemable for cash may be excluded from the reserve
computation.
(2) A
licensee shall have access to all sports wagering account and transaction data
to ensure the amount of its reserve is sufficient. Unless otherwise directed by
the corporation based on the risk assessed from audits performed by corporation
staff, a licensee shall file a monthly attestation with the corporation, which
shall state that funds have been safeguarded under this procedure.
(3) The corporation may audit a licensee's
reserve at any time and may direct a licensee to take any action necessary to
ensure the requirements of this section are met.
Section 7. Risk Management Framework. A licensee shall implement a risk management framework. This framework may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.
(1) The internal controls shall
contain a description of the risk management framework, including:
(a) Automated and manual risk management
procedures;
(b) Employee
management, including access controls and segregation of duties;
(c) Information regarding identifying and
reporting fraud and suspicious conduct;
(d) Controls ensuring regulatory
compliance;
(e) Description of
Anti-money Laundering (AML) compliance standards;
(f) Controls for accepting wagers and issuing
pay outs in excess of $10,000;
(g)
Controls for accepting multiple wagers from one patron in a twenty-four (24)
hour cycle, including a process to identify patron structuring of wagers to
circumvent recording and reporting requirements;
(h) Description of all software applications
that comprise the sports wagering system;
(i) Description of all types of sports wagers
available to be offered by the licensee;
(j) Description of the procedures to prevent
past posting of wagers;
(k)
Description of the procedures to prevent individuals from placing wagers as
agents or proxies for other individuals; and
(l) Description of all integrated third-party
platforms.
(2) A
licensee shall file with the corporation a report of any error that occurs in
offering an event or wager or if an unapproved sporting event or type of wager
is offered to the public.
Section 8. Taxation Requirements.
(1) The
internal controls shall ensure compliance with all Internal Revenue Service
(IRS) requirements, and the licensee shall provide for the withholding or
reporting of income tax of patrons as required by applicable state or federal
law.
(2) The licensee shall
disclose potential tax liabilities to patrons at the time of award of any
sports wagering payouts in excess of limits established by the IRS. Disclosure
shall include a statement that the obligation to pay applicable taxes on
payouts shall be the responsibility of the patron and that failure to pay
applicable tax liabilities may result in civil penalties or criminal liability.
Upon written request, the licensee shall provide patrons with summarized tax
information on sports wagering activities.
Section 9. Reports of Suspicious Transactions.
(1) A transaction shall require
reporting under the terms of this section if the transaction is conducted or
attempted, by, at, or through a licensee, and involves or aggregates to at
least $5,000 in funds or other assets, and the licensee knows, suspects, or has
reason to suspect that the transaction or a pattern of transactions of which
the transaction is a part and:
(a) Involves
funds derived from illegal activity or is intended or conducted in order to
hide or disguise funds or assets derived from illegal activity (such as the
ownership, nature, source, location, or control of funds or assets) as part of
a plan to violate or evade any federal law or regulation or to avoid any
transaction reporting requirement under federal law or regulation or of the
corporation;
(b) Is designed,
whether through structuring or other means, to evade any requirements of KAR
Title 809;
(c) Does not have
business or an apparent lawful purpose or is not the sort in which the
particular patron would normally be expected to engage, and the licensee is not
aware of a reasonable explanation for the transaction after examining the
available facts, including the background and possible purpose of the
transaction; or
(d) Involves use of
the licensee to facilitate criminal activity.
(2) A licensee may also file a report of any
suspicious transaction that the licensee believes relevant to the possible
violation of any law or regulation but whose reporting is not required by this
section.
(3) The report shall be
filed no later than thirty (30) calendar days after the initial detection by
the licensee of facts that might constitute a basis for filing a report. In
situations involving violations that require immediate attention, the licensee
shall immediately notify the corporation in addition to filing a
report.
(4) A licensee shall
maintain a copy of any report filed and the original or business record
equivalent of any supporting documentation for a period of at least five (5)
years from the date of filing the report. Supporting documentation shall be
identified and maintained by the licensee, and shall be deemed to have been
filed with the report. A licensee shall make all supporting documentation
available to the corporation and any appropriate law enforcement agencies upon
request.
(5) Unless otherwise
required by KAR Title 809, other law, or court order, a licensee and its
directors, officers, employees, or agents who file a report pursuant to this
administrative regulation shall not notify any person involved in the
transaction that the transaction has been reported. Any report filed with the
corporation shall be confidential and may be disclosed by the corporation in
the necessary administration of their duties and responsibilities under KRS
Chapter 230 or as otherwise required by law or court order.
Section 10. Anti-money Laundering (AML) Monitoring. The internal controls shall implement AML procedures and policies that adequately address the risks posed by sports wagering for the potential of money laundering and terrorist financing. The AML procedures and policies shall provide for:
(1) Up-to-date
training of employees in the identification of unusual or suspicious
transactions;
(2) Assigning an
individual or individuals to be responsible for all areas of AML by the
licensee, including reporting unusual or suspicious transactions;
(3) Use of any automated data processing
systems to aid in assuring compliance; and
(4) Periodic independent tests for compliance
with a scope and frequency as required by the corporation. Logs of all tests
shall be maintained for at least five (5) years.
Section 11. Integrity Monitoring and Suspicious Behavior. A licensee shall implement an integrity monitoring system. This solution may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.
(1) The internal
controls shall include provisions for a licensee to report to the corporation
as soon as practicable, but in no event longer than forty-eight (48) hours
after discovery:
(a) Any information regarding
irregularities in volume or changes in odds identified as abnormal wagering
activity;
(b) Any information
relating to criminal or disciplinary proceedings commenced against the licensee
in connection with its operations;
(c) Any information relating to the
following, which shall also be reported to the relevant sports governing body
or equivalent:
1. Abnormal wagering activity
or patterns that may indicate a concern with the integrity of a sporting event
or events;
2. Any potential breach
of the internal rules and codes of conduct pertaining to sports wagering of a
relevant sports governing body or equivalent, to the extent the licensee has
actual knowledge of the potential breach; and
3. Any other conduct that corrupts a sports
wagering outcome of a sporting event or events for purposes of financial gain,
including match-fixing; or
(d) Any information relating to suspicious or
illegal wagering activities, including the use of funds derived from illegal
activity, the placement of wagers to conceal or launder funds derived from
illegal activity, the use of agents to place wagers, and the use of false
identification in placing wagers.
(2) A licensee shall maintain the
confidentiality of information provided by a sports governing body or
equivalent for purposes of investigating or preventing the conduct established
in subsection (1)(d) of this section, unless disclosure is required by KRS
Chapter 230, the corporation, or other law or court order, or unless the sports
governing body or equivalent consents to its disclosure in writing.
(3) A licensee receiving a report of
suspicious or illegal wagering activity may suspend wagering on sporting events
or types of wager related to the report, and may place a hold on suspicious
wagers while investigating, but may only cancel or void sports wagers related
to the report after receiving written approval from the corporation.
(4) Upon request by the corporation or its
designee, a licensee shall provide remote, read-only access and the necessary
software and hardware for the corporation to evaluate or monitor the sports
wagering system. If requested, the licensee shall provide the corporation with
remote access or other approved mechanism as established in paragraphs (a)
through (d) of this subsection, which shall provide:
(a) All reports of abnormal wagering
activity;
(b) Whether the abnormal
wagering activity was subsequently determined to be suspicious or illegal
wagering activity;
(c) All reports
deemed suspicious or illegal wagering activity at the outset; and
(d) The actions taken by the licensee
according to its integrity monitoring system.
(5) Nothing in this section shall require a
licensee to provide any information in violation of federal, state or local law
or regulation, including laws and regulations relating to privacy and
personally identifiable information.
(6) A licensee shall maintain records of all
integrity monitoring services and activities, including all reports and
suspicious or illegal wagering activity and any supporting documentation, for a
minimum of five (5) years after a sporting event occurs. The licensee shall
disclose these records to the corporation upon request.
(7) The corporation may require a licensee to
provide any hardware or software necessary to the corporation, or to an
independent testing laboratory approved by the corporation in the best
interests of sports wagering, for evaluation of the licensee's sports wagering
offering or to conduct further monitoring of sports wagering data.
Section 12. Personally Identifiable Information Security.
(1) Any
information obtained in respect to a patron, including confidential
information, personally identifiable information, and authentication
credentials for a sports wagering account, shall be collected in compliance
with the licensee's privacy policies established in its internal controls. Both
personally identifiable information and the sports wagering account funds shall
be considered as critical assets for the purposes of risk assessment.
(2) An employee or agent of the licensee
shall not divulge any confidential information or personally identifiable
information related to a patron, the placing of any wager, or any other
sensitive information related to the operation of the licensee without the
consent of the patron, except as required by this section, the corporation, and
as otherwise required by state or federal law.
(3) The internal controls shall include
procedures for the security and sharing of confidential information, personally
identifiable information, funds in a sports wagering account, and other
sensitive information, including:
(a) The
designation and identification of one (1) or more employees having primary
responsibility for the design, implementation, and ongoing evaluation of
procedures and practices;
(b) The
procedures to be used to determine the nature and scope of all information
collected, the locations in which information is stored, and the storage
devices on which information can be recorded for purposes of storage or
transfer;
(c) The measures to be
utilized to protect information from unauthorized access; and
(d) The procedures to be used if a breach of
data security has occurred, including required notification to the
corporation.
Section 13. Complaints Pertaining to Sports Wagering. The internal controls shall provide procedures for receiving, investigating, responding to, and reporting on complaints by patrons.
(1) If
a patron makes a complaint, the licensee shall, within twenty-four (24) hours,
issue a complaint report, setting out:
(a) The
name of the complainant;
(b) The
nature of the complaint;
(c) The
name of the persons, if any against whom the complaint was made;
(d) The date of the complaint; and
(e) The action taken or proposed to be taken,
if any, by the licensee.
(2) All complaints received by a licensee
from a patron and the licensee's responses to complaints shall be retained for
at least five (5) years and made available to the corporation upon
request.
(3) A licensee shall
investigate and attempt to resolve all complaints with the patron within ten
(10) days of the complaint being filed.
Section 14. Prohibition of Credit Extension. The internal controls shall include controls relating to not allowing the acceptance of a sports wager or deposit of funds into a sports wagering account that is derived from the extension of credit by affiliates or agents of the licensee. For purposes of this section, credit shall not be deemed to have been extended if, although funds have been deposited into a sports wagering account, the licensee is awaiting actual receipt of the funds in the ordinary course of business.
(1) Credit providers such as small
amount credit contracts shall not be advertised or marketed to
patrons.
(2) A patron shall not be
referred to a credit provider to finance their sports wagering
activity.
(3) Personally
identifiable information related to a patron shall not be provided to any
credit provider.
Section 15. Prohibited Patrons. The internal controls shall include commercially and technologically reasonable measures to prevent access to sports wagering by any prohibited patrons at a licensed premises and online via Web site or mobile application.
(1) If a
licensee detects, or is notified of, an individual suspected of being a
prohibited patron who had engaged or is engaging in prohibited sports wagering,
the licensee shall use reasonable measures to verify whether the individual is
prohibited or not.
(2) If the
licensee is able to establish, by reasonable measures, that the individual is
prohibited, the licensee shall cancel a sports wager.
Section 16. Layoff Wagers. The internal controls shall include procedures for a licensee to accept layoff wagers placed by other licensees and place layoff wagers with other licensees for the purpose of offsetting sports wagers.
(1) The licensee
placing a layoff wager shall inform the licensee accepting the wager that the
wager is being placed by a licensee and shall disclose their
identity.
(2) A licensee may
decline to accept a layoff wager in its sole discretion.
(3) Layoff wagers shall be reported to the
corporation daily.
Section 17. Reports of Licensees. The internal controls shall include the licensee's capacity to prepare standard reports related to sports wagering revenues, wagering liability, patron information, payouts, or any combination thereof. The internal controls shall be amended to include any additional reports required by the corporation to audit sports wagering activity to ensure that all reports shall be prepared in accordance with the technical conditions prescribed by the corporation pursuant to KRS 230.290. The internal controls shall provide the licensee's process for the filing of the reports prepared pursuant to this section. Any information provided under this section shall be confidential and proprietary and shall be exempt from disclosure unless disclosure is required by 809 KAR Chapter 10, by other law, or by court order.
Section 18. Corporation Access to Sports Wagering Data. The internal controls shall establish measures to ensure that all sports wagering data shall be maintained in compliance with KRS Chapter 230 and KAR Title 809. The internal controls shall also establish measures to ensure that all sports wagering data shall be segregated and controlled to prevent unauthorized access.
(1) Licensees
shall provide the corporation with access to all applicable data, upon request
and with reasonable notice.
(2)
Licensees shall retain data for a minimum of five (5) years.
Section 19. Independent Audit of Internal Controls. Licensees shall have their internal controls independently audited at least once every two (2) years with the results documented in a written report. This shall include internal controls conducted by an affiliate on behalf of the licensee. Reports shall be maintained and available to the racing commission for at least five (5) years.
(1) Independent audits may be conducted by
the racing commission in accordance with KAR Titles 809 and 810 and GLI-33
Standards, or a third-party contractor approved by the racing commission in the
best interests of sports wagering. The racing commission may, in its
discretion, approve the licensee to complete an internal audit, if the licensee
uses an independent auditing team to serve as a third-party contractor for use
in completing this audit.
(2) The
racing commission or third-party contractor shall be responsible for auditing
the licensee's compliance with KRS Chapter 230 and KAR Title 809, the Wagering
Procedures and Practices established within the GLI-33 Standards, and the
internal controls.
(3)
Documentation shall be prepared to evidence all independent audit work
performed as it relates to the requirements of this section, including all
instances of noncompliance.
(4)
Independent audit reports shall include objectives, procedures and scope,
findings and conclusions, and recommendations.
(5) Independent audit findings shall be
reported to management. Management shall be required to respond to the
independent audit findings and the stated corrective measures to be taken to
avoid recurrence of the audit exception. Management responses shall be included
in the final independent audit report.
(6) Follow-up observation and examinations
shall be performed to verify that corrective action has been taken regarding
all instances of noncompliance cited by the independent audits. The
verification shall be performed within six (6) months following the date of
notification.
(7) The licensee may
reuse the results of prior audits conducted within the audit period by the same
third-party contractor in another sports wagering jurisdiction. A reuse shall
be noted in the audit report. This reuse option shall not include any internal
controls unique to the Commonwealth, which shall require a new audit.
STATUTORY AUTHORITY: KRS 230.260(16), 230.811(2)
Disclaimer: These regulations may not be the most recent version. Kentucky may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
