3. Each operator's internal controls shall include a detailed diagram or
description of the operator's organizational structure. The proposed
organizational structure shall provide for:
A. A system of personnel
and chain of command which holds management and supervisory personnel
accountable for actions or omissions that violate Maine sports wagering laws or
rules within their areas of responsibility;
B. The segregation of incompatible functions
so that no employee is in a position both to commit an error or to perpetrate a
fraud and to conceal the error or fraud in the normal course of his or her
duties;
C. Primary and secondary
supervisory positions which permit the authorization or supervision of
necessary transactions at all relevant times;
D. Areas of responsibility which are
sufficiently limited in scope that the responsibilities can practically be
performed or monitored by one person.
4. The internal controls shall address the
following items regarding the sports wagering operations, at a minimum:
A. User access controls for all wagering
systems for all sports wagering department or licensed employee
personnel;
B. Segregation of
duties;
C. Automated and manual
integrity management general authorization procedures;
D. Risk management procedures, including
procedures to govern emergencies such as suspected or actual cyber-attacks on,
hacking of, or tampering with the sports wagering system and associated
equipment. The procedures shall include the process for the reconciliation or
repayment of a sports wagering account;
E. Procedures for identifying and reporting
fraud, suspicious wagering activity and suspicious conduct which have as their
primary objective rapid identification, effective analysis, and prompt
reporting of any potential conduct listed above;
F. Procedures for promptly sharing reporting
information required in Section (4)(E) above with each operator and
disseminating all reports of suspicious activity to all management services
providers. All sports wagering operators shall review such reports and notify
other operators of whether or not they have experienced similar
activity;
G. Procedures that prevent
wagering by patrons prohibited from wagering;
H. Procedures that ensure a refund of any
prohibited wager placed and reporting of the transaction to the Unit within
seven (7) business days of the placement of the prohibited wager;
I. Detailed description of all types of
wagers that will be offered by the applicant or the wagering system;
J. Description of federal and state
anti-money laundering "AML" compliance standards, to include:
(1) Process for accepting wagers and issuing
pay outs in excess of $10,000, and the measures in this system that prevent the
system from being used in money-laundering;
(2) A process for creating and maintaining a
log of wagers of $5,000 or more;
(3) Methods within the system that identify and prevent the use of structured
multiple-wagers within a 24-hour period that patrons might use to circumvent
reporting and recording requirements; and
(4) Reporting to the appropriate authorities.
K. The following requirements for facility
sports wagering operators, where applicable:
(1) A detailed procedure for reconciliation
of assets and documents contained in a sports wagering area cashier's drawer or
sports wagering kiosks, which shall include the drop and count procedures for
sports wagering kiosks;
(2) A procedure requiring cashiers assigned to an outgoing shift to record on a
daily cashier's shift form, the face value of each cashier inventory item
counted and the total of the opening and closing cashier inventories;
(3) A procedure to reconcile the total
closing inventory with the total opening inventory;
(4) Systems sufficient to ensure an auditable
trail that permits the review of wagers or reconstruction of
transactions;
(5) A process for
maintaining and tracking the custody of inventory, forms, tickets, documents,
records and the exchange of currency and coin, utilized by wagering
cashiers;
(6) A detailed
description of the process and system for clandestine and continual video
surveillance recording of all areas of sports wagering-related activities and
the retention or electronic filing of those recordings for a period of no less
than 14 calendar days;
(7) Be capable of processing expired wagering tickets within the sports
wagering operator's system;
(8) A method of redeeming tickets (lost, damaged, torn, etc.);
(9) Procedures for cashing winning tickets at the cage after the sports
wagering area has closed, if applicable; and
(10) Procedures for accepting value chips at licensed casinos for sports
wagers.
L. If promotional funds or free bets are
accepted or offered by the operator, procedures for issuance and acceptance of
promotional funds and free bets for sports wagering in conjunction with
requirements in chapter 64 of these rules;
M. Procedures for the interception of sports wagering winnings according to
8 M.R.S. §1217;
N. Description of all integrated third-party
systems;
O. Description of all
software applications that comprise the system;
P. Description of all types of wagers
available to be offered by the system;
Q. The process for identifying and
restricting prohibited sports wagering participants;
R. Descriptions of the method to prevent past
posting;
S. Description for the
retention of all transactional wagering data for sports pool systems for a
period of five (5) years;
T. A process to close out dormant accounts after one year of no activity and
return any remaining funds in the account to the patron holder;
U. Detailed procedures that describe how a
patron may make adjustments to their sports wagering account, the method by
which a patron can close out their account, and how patrons will be refunded
after the closure of an account;
V. The method for verifying geolocation systems to reliably establish patrons'
geographic locations are within the State of Maine;
W. Process and systems for using commercially
reasonable methods for maintaining the security of patrons' identity and
financial information, wagering data and other confidential information from
unauthorized access and dissemination;
X. Detailed responsible wagering program
according to Chapter 63;
Y. A method for securely issuing, modifying, and resetting a patron's account
password, Personal Identification Number (PIN), biometric login, two factor
authentication or other approved security feature, when applicable;
Z. Methods of patron notification including
any password or security modification via electronic or regular mail, text
message, or other manner approved by the Director.
Such methods shall include at a minimum:
(1) Proof of identity, if in
person;
(2) The correct response to
two or more challenge questions;
(3) Strong authentication using a combination
of upper-case and lower-case letters, numbers and symbols; or
(4) Two-factor authentication.
AA. System to guarantee all
adjustments over $250.00 must be authorized by supervisory personnel prior to
being entered and for reporting such activity to the Director on a monthly
basis from the wagering system;
BB. Detail the location of the sports wagering servers, including any
third-party remote location servers, and what controls ensure the physical
security and access to the sports wagering servers;
CC. Terms and conditions for sports wagering
shall be included as an appendix;
DD. Description of the process for line
setting and line moving;
EE. Method by which the sports wagering operator will identify and cancel
wagers, including defining "obvious error";
FF. A process for voiding wagers;
GG. Include copies of all reports, forms or
documents used or referenced in the internal controls or produced by the sports
wagering system with a brief description of the report;
HH. Any other internal controls ensuring
regulatory compliance with Maine sports wagering or gambling
statutes;
II. Description of the
process for handling incorrectly posted events, odds, wagers, or
results;
JJ. Effect of schedule
changes; and
KK. Method of
contacting the operator for questions and complaints.
9. Amendments to previously approved internal
controls must be filed in writing on form MGCU-8400 with the Director for
approval prior to implementation, highlighting the amendment(s) with strike
through for deletions and underlining for additions.
A. The Director and his/her designated
personnel shall review the request. After the review is completed, the Director
shall communicate to the operator, in writing, the result of the review and:
(1) Shall accept the change as
submitted;
(2) Reject the
submission as not in the best interest of the State of Maine; or
(3) Propose a revision. In this case, the
Director will communicate in writing to the operator about further changes that
will have to be made to the submission before final approval.
B. If the operator accepts the
Director's recommended changes, the operator shall make the changes as
suggested by the Director and re-submit the request for change document. If the
operator does not accept the suggested changes, the request shall be
denied.
C. Step A shall be repeated
until the Director is completely satisfied with the request for change
document.
D. The Director shall
send to the operator an accepted version of the submitted request for change
with date and signature signifying approval.
E. The Director will make every effort to
make a determination concerning a submission for change no later than 30 days
following receipt of the proposed change unless the Director and the operator
agree to extend the period for making such a determination. No operator shall
alter its internal controls unless and until such changes are approved in
writing by the Director.