Current through 2024-51, December 18, 2024
Chapter 53 - INTERNAL CONTROLS1. Operators shall develop, implement and follow internal control procedures to ensure compliance with Title 8 M.R.S. Chapter 35.2. Operators shall submit to the Director for approval a written description of internal controls procedures that demonstrate compliance with the rules adopted under this chapter and incorporate administrative and accounting controls with its application and shall obtain the Director's approval before commencing sports wagering.3. Each operator's internal controls shall include a detailed diagram or description of the operator's organizational structure. The proposed organizational structure shall provide for:A. A system of personnel and chain of command which holds management and supervisory personnel accountable for actions or omissions that violate Maine sports wagering laws or rules within their areas of responsibility;B. The segregation of incompatible functions so that no employee is in a position both to commit an error or to perpetrate a fraud and to conceal the error or fraud in the normal course of his or her duties;C. Primary and secondary supervisory positions which permit the authorization or supervision of necessary transactions at all relevant times;D. Areas of responsibility which are sufficiently limited in scope that the responsibilities can practically be performed or monitored by one person.4. The internal controls shall address the following items regarding the sports wagering operations, at a minimum: A. User access controls for all wagering systems for all sports wagering department or licensed employee personnel;B. Segregation of duties;C. Automated and manual integrity management general authorization procedures;D. Risk management procedures, including procedures to govern emergencies such as suspected or actual cyber-attacks on, hacking of, or tampering with the sports wagering system and associated equipment. The procedures shall include the process for the reconciliation or repayment of a sports wagering account;E. Procedures for identifying and reporting fraud, suspicious wagering activity and suspicious conduct which have as their primary objective rapid identification, effective analysis, and prompt reporting of any potential conduct listed above;F. Procedures for promptly sharing reporting information required in Section (4)(E) above with each operator and disseminating all reports of suspicious activity to all management services providers. All sports wagering operators shall review such reports and notify other operators of whether or not they have experienced similar activity;G. Procedures that prevent wagering by patrons prohibited from wagering;H. Procedures that ensure a refund of any prohibited wager placed and reporting of the transaction to the Unit within seven (7) business days of the placement of the prohibited wager;I. Detailed description of all types of wagers that will be offered by the applicant or the wagering system;J. Description of federal and state anti-money laundering "AML" compliance standards, to include: (1) Process for accepting wagers and issuing pay outs in excess of $10,000, and the measures in this system that prevent the system from being used in money-laundering;(2) A process for creating and maintaining a log of wagers of $5,000 or more;(3) Methods within the system that identify and prevent the use of structured multiple-wagers within a 24-hour period that patrons might use to circumvent reporting and recording requirements; and(4) Reporting to the appropriate authorities.K. The following requirements for facility sports wagering operators, where applicable: (1) A detailed procedure for reconciliation of assets and documents contained in a sports wagering area cashier's drawer or sports wagering kiosks, which shall include the drop and count procedures for sports wagering kiosks;(2) A procedure requiring cashiers assigned to an outgoing shift to record on a daily cashier's shift form, the face value of each cashier inventory item counted and the total of the opening and closing cashier inventories;(3) A procedure to reconcile the total closing inventory with the total opening inventory;(4) Systems sufficient to ensure an auditable trail that permits the review of wagers or reconstruction of transactions;(5) A process for maintaining and tracking the custody of inventory, forms, tickets, documents, records and the exchange of currency and coin, utilized by wagering cashiers;(6) A detailed description of the process and system for clandestine and continual video surveillance recording of all areas of sports wagering-related activities and the retention or electronic filing of those recordings for a period of no less than 14 calendar days;(7) Be capable of processing expired wagering tickets within the sports wagering operator's system;(8) A method of redeeming tickets (lost, damaged, torn, etc.);(9) Procedures for cashing winning tickets at the cage after the sports wagering area has closed, if applicable; and(10) Procedures for accepting value chips at licensed casinos for sports wagers.L. If promotional funds or free bets are accepted or offered by the operator, procedures for issuance and acceptance of promotional funds and free bets for sports wagering in conjunction with requirements in chapter 64 of these rules;M. Procedures for the interception of sports wagering winnings according to 8 M.R.S. §1217;N. Description of all integrated third-party systems;O. Description of all software applications that comprise the system;P. Description of all types of wagers available to be offered by the system;Q. The process for identifying and restricting prohibited sports wagering participants;R. Descriptions of the method to prevent past posting;S. Description for the retention of all transactional wagering data for sports pool systems for a period of five (5) years;T. A process to close out dormant accounts after one year of no activity and return any remaining funds in the account to the patron holder;U. Detailed procedures that describe how a patron may make adjustments to their sports wagering account, the method by which a patron can close out their account, and how patrons will be refunded after the closure of an account;V. The method for verifying geolocation systems to reliably establish patrons' geographic locations are within the State of Maine;W. Process and systems for using commercially reasonable methods for maintaining the security of patrons' identity and financial information, wagering data and other confidential information from unauthorized access and dissemination;X. Detailed responsible wagering program according to Chapter 63;Y. A method for securely issuing, modifying, and resetting a patron's account password, Personal Identification Number (PIN), biometric login, two factor authentication or other approved security feature, when applicable;Z. Methods of patron notification including any password or security modification via electronic or regular mail, text message, or other manner approved by the Director. Such methods shall include at a minimum:
(1) Proof of identity, if in person;(2) The correct response to two or more challenge questions;(3) Strong authentication using a combination of upper-case and lower-case letters, numbers and symbols; or(4) Two-factor authentication.AA. System to guarantee all adjustments over $250.00 must be authorized by supervisory personnel prior to being entered and for reporting such activity to the Director on a monthly basis from the wagering system;BB. Detail the location of the sports wagering servers, including any third-party remote location servers, and what controls ensure the physical security and access to the sports wagering servers;CC. Terms and conditions for sports wagering shall be included as an appendix;DD. Description of the process for line setting and line moving;EE. Method by which the sports wagering operator will identify and cancel wagers, including defining "obvious error";FF. A process for voiding wagers;GG. Include copies of all reports, forms or documents used or referenced in the internal controls or produced by the sports wagering system with a brief description of the report;HH. Any other internal controls ensuring regulatory compliance with Maine sports wagering or gambling statutes;II. Description of the process for handling incorrectly posted events, odds, wagers, or results;JJ. Effect of schedule changes; andKK. Method of contacting the operator for questions and complaints.5. In the event of a failure of the sports wagering system's ability to pay winning wagers, the operator shall have internal controls detailing the method of paying winning wagers.6. The operator shall also file with the Director an incident report for each system failure and document the date, time and reason for the failure along with the date and time the system was restored.7. An operator's system of internal controls shall include the investigation of any patron complaint and provide a response to the patron within ten (10) calendar days. For complaints that cannot be resolved to the satisfaction of the patron, related to sports wagering accounts, settlement of wagers, and/or illegal activity, a copy of the complaint and operator's response, including all relevant documentation, shall be provided to the Director as applicable for a formal investigation by the Unit.8. No operator shall alter its internal controls unless and until such changes are approved in writing by the Director.9. Amendments to previously approved internal controls must be filed in writing on form MGCU-8400 with the Director for approval prior to implementation, highlighting the amendment(s) with strike through for deletions and underlining for additions. A. The Director and his/her designated personnel shall review the request. After the review is completed, the Director shall communicate to the operator, in writing, the result of the review and: (1) Shall accept the change as submitted;(2) Reject the submission as not in the best interest of the State of Maine; or(3) Propose a revision. In this case, the Director will communicate in writing to the operator about further changes that will have to be made to the submission before final approval.B. If the operator accepts the Director's recommended changes, the operator shall make the changes as suggested by the Director and re-submit the request for change document. If the operator does not accept the suggested changes, the request shall be denied.C. Step A shall be repeated until the Director is completely satisfied with the request for change document.D. The Director shall send to the operator an accepted version of the submitted request for change with date and signature signifying approval.E. The Director will make every effort to make a determination concerning a submission for change no later than 30 days following receipt of the proposed change unless the Director and the operator agree to extend the period for making such a determination. No operator shall alter its internal controls unless and until such changes are approved in writing by the Director.10. An operator shall inform the Unit of any action that the applicant or operator believes would constitute a violation of statute, rules or internal controls. A person who so informs the Unit may not be discriminated against by another applicant or operator because of the supplying of such information.EFFECTIVE DATE:
10/29/2023 - filing 2023-200