Rules & Regulations of the State of Tennessee
Title 1350 - Tennessee Sports Wagering Advisory Council
Chapter 1350-03 - Minimum Internal Controls
Section 1350-03-.12 - INFORMATION SYSTEM MINIMUM CONTROLS
Current through April 3, 2024
(1) Licensees shall verify Sports Gaming Systems daily to ensure the date and time are properly displayed and registered for Wagers made pursuant to Sports Gaming Accounts. Licensees shall Immediately Report any discrepancies to the Council.
(2) Licensee shall implement an Integrity Monitoring System utilizing software to identify irregularities in volume or odds and swings that could signal Unusual or Suspicious Wagering Activities that should require further investigation and shall Immediately Report such findings to the Council.
(3) Sports Gaming Systems shall be designed to only allow Wagers to be created using an authorized Sports Gaming Account.
(4) Sports Gaming Systems shall contain a mechanism to prevent the creation of a Wager before or after the official Wager timeframe (i.e., prior to posting of the Wager and subsequent to the outcome of a Sporting Event or cutoff).
(5) Sports Gaming Systems shall be incapable of voiding a Wager subsequent to the outcome of a Sporting Event or cutoff.
(6) Sports Gaming Systems shall automatically authorize payment of winning Wagers and update a Player's Sports Gaming Account.
(7) Sports Gaming Systems shall be incapable of authorizing payment on a Voided or Cancelled Wager or a Wager that has been previously paid, except in accordance with these Rules.
(8) Sports Gaming Systems shall be designed to prevent an individual, group of individuals or entity from tampering with or interfering with the operation of Interactive Sports Gaming or Sports Gaming Systems.
(9) Sports Gaming Systems shall be configured to terminate a Player's session, and/or require re-authentication, after a prescribed period of inactivity by the Player not to exceed thirty (30) minutes.
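The following is an added illustration, not part of the rule text and not any licensee's or vendor's system, of how controls (3), (4), (5), (6), (7) and (9) above can be enforced as invariants in code rather than by policy alone. The in-memory ledger, account id, event, timestamps, odds and the audit line format are all constructed for the example; the 30-minute idle limit is the maximum the rule permits.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Iterable, List, Optional, Set

IDLE_LIMIT = timedelta(minutes=30)  # rule (9): inactivity limit may not exceed 30 minutes


class WagerState(Enum):
    OPEN = "open"
    WON = "won"
    LOST = "lost"
    VOIDED = "voided"
    PAID = "paid"


class ControlViolation(Exception):
    """Raised when an action would breach one of the minimum controls."""


@dataclass
class Event:
    name: str
    posted_at: datetime                    # market posted: wagering opens (rule 4)
    cutoff_at: datetime                    # official cutoff: wagering closes (rule 4)
    outcome_at: Optional[datetime] = None  # set once the result is known


@dataclass
class Wager:
    wager_id: str
    account_id: str
    event: Event
    stake_cents: int
    odds: float
    placed_at: datetime
    state: WagerState = WagerState.OPEN


class WagerLedger:
    """Constructed in-memory stand-in for the account/wager store (example only)."""

    def __init__(self) -> None:
        self.authorized: Set[str] = set()
        self.balances: Dict[str, int] = {}
        self.last_activity: Dict[str, datetime] = {}
        self.wagers: Dict[str, Wager] = {}
        self.audit: List[str] = []  # every decision is logged for later review

    def authorize_account(self, account_id: str, balance_cents: int) -> None:
        self.authorized.add(account_id)
        self.balances[account_id] = balance_cents

    def login(self, account_id: str, now: datetime) -> None:
        if account_id not in self.authorized:
            raise ControlViolation("unknown or unauthorized account")
        self.last_activity[account_id] = now
        self.audit.append(f"{now.isoformat()} login {account_id}")

    def _require_live_session(self, account_id: str, now: datetime) -> None:
        # rule (3): only authorized accounts may wager; rule (9): idle sessions end
        last = self.last_activity.get(account_id)
        if account_id not in self.authorized or last is None:
            raise ControlViolation("no authenticated session for account")
        if now - last > IDLE_LIMIT:
            del self.last_activity[account_id]
            self.audit.append(f"{now.isoformat()} session-timeout {account_id}")
            raise ControlViolation("session idle > 30 min; re-authentication required")
        self.last_activity[account_id] = now

    def place_wager(self, wager_id: str, account_id: str, event: Event,
                    stake_cents: int, odds: float, now: datetime) -> Wager:
        self._require_live_session(account_id, now)
        # rule (4): reject wagers before posting, at/after cutoff, or after the outcome
        if now < event.posted_at or now >= event.cutoff_at or event.outcome_at is not None:
            raise ControlViolation("wager outside official wager timeframe")
        if stake_cents <= 0 or self.balances[account_id] < stake_cents:
            raise ControlViolation("invalid stake or insufficient funds")
        if wager_id in self.wagers:
            raise ControlViolation("duplicate wager id")
        w = Wager(wager_id, account_id, event, stake_cents, odds, now)
        self.balances[account_id] -= stake_cents
        self.wagers[wager_id] = w
        self.audit.append(f"{now.isoformat()} place {wager_id} {account_id} {stake_cents}@{odds}")
        return w

    def void_wager(self, wager_id: str, now: datetime) -> Wager:
        w = self.wagers[wager_id]
        # rule (5): a wager can never be voided after the outcome or cutoff
        if w.event.outcome_at is not None or now >= w.event.cutoff_at:
            raise ControlViolation("cannot void after outcome or cutoff")
        if w.state is not WagerState.OPEN:
            raise ControlViolation(f"cannot void wager in state {w.state.value}")
        w.state = WagerState.VOIDED
        self.balances[w.account_id] += w.stake_cents  # return the stake
        self.audit.append(f"{now.isoformat()} void {wager_id}")
        return w

    def settle_event(self, event: Event, winning_ids: Iterable[str], now: datetime) -> None:
        event.outcome_at = now
        winners = set(winning_ids)
        for w in self.wagers.values():
            if w.event is not event or w.state is not WagerState.OPEN:
                continue
            w.state = WagerState.WON if w.wager_id in winners else WagerState.LOST
            self.audit.append(f"{now.isoformat()} settle {w.wager_id} {w.state.value}")
            if w.state is WagerState.WON:
                self.pay_wager(w.wager_id, now)  # rule (6): winners are paid automatically

    def pay_wager(self, wager_id: str, now: datetime) -> int:
        w = self.wagers[wager_id]
        # rule (7): never pay a voided, lost, open, or already-paid wager
        if w.state is not WagerState.WON:
            raise ControlViolation(f"payment refused for wager in state {w.state.value}")
        payout = int(round(w.stake_cents * w.odds))
        w.state = WagerState.PAID
        self.balances[w.account_id] += payout
        self.audit.append(f"{now.isoformat()} pay {wager_id} {payout}")
        return payout
```

The design point is that each prohibition in the rule maps to a check that raises before any state is mutated, the state enum makes "already paid" and "voided" explicit rather than inferred from balances, and every accepted or refused action lands in the audit list so a reviewer can reconstruct what happened. A production system would persist this state transactionally and take `now` from a trusted clock (rule (1)) rather than from the caller.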
(10) Sports Gaming Systems shall be designed to reasonably ensure the integrity and confidentiality of communications and ensure the proper identification of the sender and receiver of communications. If communications are performed across a public or third-party network, the system shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(11) Confidential and/or sensitive electronic data shall be encrypted while both at rest and in transit using the current standards and methodologies set forth by the National Institute of Standards and Technology (NIST), International Organization for Standardization, and the International Electrotechnical Commission (ISO/IEC), or equivalent standard as approved by the Council. Confidential and/or sensitive electronic data may include, but is not limited to, Player PII and Player banking information.
(12) User authentication to the Sports Gaming Systems and other system components shall be configured consistent with the current standards and methodologies set forth by the NIST, ISO/IEC, or equivalent standard as approved by the Council.
(13) Sports Gaming Systems shall monitor for and Immediately Report to the Licensee and the Council any malfunction or security incident that adversely affects the integrity of critical data or system functionality.
(14) A system event log or series of reports/logs for operating systems (including the database layer and network layer) and applications must be configured to track at least the following events:
(15) Sports Gaming Systems shall record and generate daily reports that may be accessed and reviewed by the Council upon request on the following:
(16) Sports Gaming Account management shall be configured in a manner to ensure the confidentiality and integrity of the Player PII and to protect the Sports Gaming Account from unauthorized use. The following controls surrounding Sports Gaming Accounts must be present at a minimum:
(17) Licensees shall have policies and procedures for all changes to the Sports Gaming System and its related components. Documentation must be created and maintained for all changes to the production environment of the Sports Gaming System and its related components.
(18) The Licensee shall have a documented process for performing and restoring Sports Gaming System back-ups. All backup media must be stored at a secure location offsite. Periodic testing of backup media must be performed to ensure that the Sports Gaming System can be restored in the event of a failure.
(19) The integrity of all geolocation systems used by the Licensee shall be reviewed regularly to ensure they detect and mitigate existing and emerging location fraud risks. Licensee must either (1) provide the Council evidence that the geolocation system is updated to the latest version every 180 days, or (2) provide the Council with access to its geolocation system (or a dashboard or application utilized by the geolocation system Vendor) so that compliance can be independently verified by the Council.
(20) Interactive Sports Gaming may only be conducted over the Internet or through the use of Mobile applications or other digital platforms. The internal controls for the Sports Gaming Systems shall apply to all websites and applications used to provide this functionality.
(21) Additional system specifications and Sports Gaming Systems logging requirements may be specified by the Council through the issuance of technical bulletins in the case of exigent circumstances.
(22) Each Licensee shall Immediately Report to the Council any known violations or incidents of non-compliance with any part of this chapter.
Authority: T.C.A. §§ 4-49-102, 4-49-106, 4-49-110, 4-49-115, 4-49-122, and 4-49-125.