W. Va. Code R. § 179-10-5

Current through Register Vol. XLI, No. 50, December 13, 2024
Section 179-10-5 - Internal controls; house rules; terms and conditions; patron protection page
5.1. Interactive gaming operators or their management services providers shall file internal controls with the Commission regarding all aspects of their interactive gaming operations prior to implementation as well as any time a change is proposed. The internal controls shall include detailed procedures for system security, operations, accounting, and reporting of problem gamblers.
5.2. At a minimum, the internal controls shall address the following items regarding the interactive gaming system:
5.2.1. The user access controls for all personnel;
5.2.2. The segregation of duties;
5.2.3. The automated and manual risk management procedures;
5.2.4. The procedures for identifying and reporting fraud and suspicious conduct;
5.2.5. The procedures to prevent wagering by prohibited participants;
5.2.6. A description of Anti-Money Laundering (AML) compliance standards; and
5.2.7. A description of all integrated third party systems.
5.3. An interactive gaming operator or MSP offering interactive gaming shall describe in its internal controls its method for securely issuing, modifying, and resetting a patron's account password, Personal Identification Number (PIN), or other approved security feature, where applicable. The method shall include notification to the patron via electronic or regular mail, text message, or other manner approved by the Commission. At a minimum, the method shall include:
5.3.1. Proof of identity, if in person;
5.3.2. The correct response to two or more challenge questions; or
5.3.3. Strong authentication.
5.4. In the event of a failure of an interactive gaming system's ability to pay winning game outcomes, the interactive gaming operator or MSP shall include internal controls detailing the method of paying winning game outcomes. The interactive gaming operator or MSP shall also file with the Commission an incident report for each system failure documenting the date, time, and reason for the failure along with the date and time the system is restored.
5.5. An interactive gaming operator shall investigate each patron complaint related to interactive gaming and provide a response to the patron within ten calendar days. For complaints that cannot be resolved to the satisfaction of the patron or are related to patron accounts, game outcomes, and/or illegal activity, a copy of the complaint and the interactive gaming operator's response, including all relevant documentation, shall be provided to the Director. Interactive gaming operators shall provide all other complaints and responses related to interactive gaming (for example, password problems, online chat disputes and technical matters) to the Director on a biweekly basis or with such frequency as required by the Commission.
5.6. All terms and conditions for interactive gaming shall be included as an appendix to the internal controls of the interactive gaming operator or MSP addressing all aspects of the operation, including the following:
5.6.1. The name of the party or parties with whom the patron is entering into a contractual relationship, including any interactive gaming operator or MSP;
5.6.2. The patron's consent to have the interactive gaming operator or MSP confirm the patron's age and identity;
5.6.3. The rules and obligations applicable to the patron other than rules of the game including, but not limited to:
5.6.3.a. Any prohibition against allowing any other person to access or use his or her interactive gaming account;
5.6.3.b. Any prohibition against engaging in interactive gaming activity, unless physically present in West Virginia;
5.6.3.c. The consent to the monitoring and recording by the operator, MSP and/or the Commission of any wagering communications and geographic location information;
5.6.3.d. The consent to the jurisdiction of the State of West Virginia to resolve any disputes arising out of interactive gaming;
5.6.3.e. Any prohibition against utilizing automated computerized software or other equivalent mechanism, such as a "bot," to engage in play; and
5.6.3.f. Any prohibition against cheating and geolocation tampering.
5.6.4. A full explanation of all fees and charges imposed upon a patron related to interactive gaming transactions;
5.6.5. The availability of account statements detailing patron account activity;
5.6.6. Privacy policies, including information about who has access to the patron's PII;
5.6.7. The legal age policy, including a statement that it is a criminal offense to allow a person who is under the age of 21 to participate in interactive gaming;
5.6.8. A full explanation of all rules applicable to dormant interactive gaming accounts;
5.6.9. The patron's right to set responsible gaming limits and to self-exclude;
5.6.10. The patron's right to suspend his or her account for a period of no less than 72 hours;
5.6.11. An explanation of the actions that will be taken in the event a patron becomes disconnected from the interactive gaming system during game play;
5.6.12. A notice that a malfunction voids all pays and plays;
5.6.13. The estimated time period for withdrawal of funds from an interactive account; and
5.6.14. The information to be displayed on a patron protection page. At a minimum, the patron protection page shall contain the following:
5.6.14.a. A method for changing or retrieving a password or other approved access security feature and the ability to choose "strong authentication" login protection;
5.6.14.b. A method for filing a complaint with the interactive gaming operator;
5.6.14.c. A method for filing with the Director an unresolved complaint after all reasonable means to resolve the complaint with the operator have been exhausted;
5.6.14.d. A method for obtaining a copy of the terms and conditions to which the patron must agree when he or she establishes an interactive gaming account;
5.6.14.e. A method for the patron to obtain account and game history from the operator;
5.6.14.f. A notification that underage gambling is a criminal offense and that facilitating gambling activity by a person under the age of 21 is also a criminal offense in addition to being prohibited from interactive gaming;
5.6.14.g. A notification that the patron is responsible for configuring his or her device's auto-lock feature to protect the device from unauthorized use;
5.6.14.h. A notification that a patron is prohibited from allowing any other person to access or use his or her interactive gaming account;
5.6.14.i. A notification of federal prohibitions and restrictions regarding interactive gaming, including any limitations upon interactive gaming as set forth in 18 U.S.C. § 1084 et seq. (The Wire Act) and 31 U.S.C. §§ 5361 through 5367 (The Unlawful Internet Gambling Enforcement Act or UIGEA). The notice shall explicitly state that it is a federal offense for persons physically located outside of West Virginia to engage in interactive gaming through a West Virginia operator or MSP, unless explicitly authorized by the Commission; and
5.6.14.j. A notification that the connection will be terminated if the patron device is removed from the boundaries of the State of West Virginia.
5.6.15. Whenever the terms and conditions that apply to interactive gaming are changed, the interactive gaming operator or MSP shall require a patron to acknowledge acceptance of such change. Unless otherwise authorized by the Director the patron's acknowledgement shall be date and time stamped by the interactive gaming system.
5.7. An interactive gaming operator or MSP shall maintain primary and a backup interactive gaming equipment.
5.7.1. Subject to prior approval by the Director, the interactive gaming operator's or MSP's gaming equipment used to conduct interactive gaming shall be located as set forth below:
5.7.2. The primary interactive gaming equipment shall be located:
5.7.2.a. In a restricted area on the premises of the licensed operator within the boundaries of the State of West Virginia; or
5.7.2.b. In another facility owned or leased by the interactive gaming operator or its MSP within the boundaries of the State of West Virginia that is secure, inaccessible to the public, and specifically designed to house that equipment. The equipment shall be under the complete control of the interactive gaming operator or its MSP. For the purposes of this subsection, a secure facility "within the boundaries of the State of West Virginia" shall be considered to be part of the interactive gaming operator's casino location notwithstanding that the facility may not be contiguous with the interactive gaming operator's casino location.
5.7.2.b.1. The primary server used to resolve domain name service (DNS) inquiries by an interactive gaming operator or its MSP must be physically located in a secure data center. At least one secondary server must be able to resolve DNS queries.
5.7.2.b.2. This applies to each direct interactive gaming system server, including remote gaming servers (RGS) and the player account management system (wallet). This subsection does not apply to ancillary services such as payment processors, player authentication systems (KYC), customer service systems, back end office systems, and other ancillary systems as authorized by the Commission.
5.7.2.b.3. Any hosting data center must register as an approved provider by sending a letter to the Director documenting which vendor systems will be on site, identifying the location, key management, and the scope of services being provided. In addition, the hosting data center must provide a list of applicable certifications including, but not limited to: SOC 1 Type 1-2, PCI, and ISO 27001, which serve as documentation of the adequacy of services for hosting a complex system. Upon request of the Director, the hosting data center will provide copies of its most recent audits. The Lottery must be able to inspect the facilities at the hosting data center upon request.
5.7.3. The backup gaming equipment (redundant system) used to conduct interactive gaming shall be located:
5.7.3.a. In a restricted area on the premises of an operator's facility within the boundaries of the State of West Virginia for a time period not to exceed 60 days unless otherwise authorized by the Director; or
5.7.3.b. In another facility owned or leased by the interactive gaming operator or its MSP within the boundaries of the State of West Virginia that is secure, inaccessible to the public, and specifically designed to house that equipment. The equipment shall be under the complete control of the interactive gaming operator or its MSP. For the purposes of this subsection, a secure facility "within the boundaries of the State of West Virginia" shall be considered to be part of the interactive gaming operator's casino location notwithstanding that the facility may not be contiguous with the interactive gaming operator's casino location.
5.7.4. Backup gaming equipment used to restore data to primary interactive gaming equipment shall be located within the boundaries of the State of West Virginia. Backup data may be stored in any secure data center within the United States.
5.7.5. Each interactive gaming operator or MSP must provide with its license application diagrams and narrative to document how its interactive gaming system is configured including the location of each server that is part of the primary interactive gaming system, the player account management system (wallet), each system providing content, and any remote interactive gaming system that might be combined to provide the player interface. The interactive gaming operator or MSP must define in its minimum internal controls the specific configuration of equipment including any hardened systems or redundant systems and backup requirements including any effect on the entity's risk environment.
5.8. Interactive gaming systems shall require a patron to re-enter his or her username and password, upon 15 minutes of user inactivity as measured by the interactive gaming system.
5.9. An interactive gaming system shall not induce a patron to continue placing wagers when play is in session, when the patron attempts to end a session, or when the patron wins or loses a bet.
5.10. An interactive gaming system shall allow patrons to access a player protection page at all times while logged into their interactive gaming account. The player protection page shall include all features listed in subsection 5.6.14 above.
5.11. An interactive gaming system may offer games to patrons that do not require a wager or payment from a patron's interactive gaming account as long as the patron has not exceeded any daily time-based limit. The games offered must comply with the following requirements:
5.11.1. Any game substantially similar to a game approved by the Commission shall utilize a payout percentage equal to or less than the lowest payout percentage of the approved game;
5.11.2. Any game not substantially similar to a game approved by the Commission shall prominently display the following information prior to the start of the game and during game play:
5.11.2.a. The game is offered for entertainment purposes only;
5.11.2.b. The game is not approved by the Commission; and
5.11.2.c. The game outcomes may not be representative of those for a Commission approved game.
5.12. Games traditionally played on social networks that may require a payment for certain game features (social games) may be funded or accessed from a patron's interactive gaming account. This requires that the interactive gaming operator or its MSP also provide a clear and conspicuous notice on the initial screen that the patron is accessing a social game whose features may require payment. The social game's terms and conditions must include a notice that the Commission does not regulate such social games.
5.13. All interactive gaming operators or MSP's with employees who have direct contact with patrons via phone, e-mail, electronic chat, or other means, shall implement training for those employees, at the start of their employment and at regular intervals thereafter. The training shall address the following subject areas:
5.13.1. How to recognize the nature and symptoms of problem gambling behavior.
5.13.2. How to assist players in obtaining information about help for a gambling problem;
5.13.3. How to provide information about individual interactive gaming operator self-exclusion and Lottery statewide self-exclusion programs;
5.13.4. How to respond to patrons who may disclose that they have a gambling problem; and
5.13.5. How to respond to reports from third parties, such as family members, about patrons who may have a gambling problem.
5.14. Interactive gaming operators shall employ personnel responsible for the duties of an IT Department.
5.15. Each interactive gaming operator's website shall display a responsible gaming logo in a manner approved by the Director, which shall direct a patron to the site's responsible gaming page. The responsible gaming page shall be accessible to a patron during a patron session and shall contain, at a minimum, the following:
5.15.1. A prominent message that states "If you or someone you know has a gambling problem and wants help, call 1-800-Gambler;"
5.15.2. A direct link to the Problem Gamblers Network of West Virginia;
5.15.3. A clear statement of the interactive gaming operator's or MSP's policy and commitment to responsible gaming; and
5.15.4. The rules governing self-imposed responsible gaming limits, including the ability for the patron to establish those limits.
5.16. Interactive gaming operators or their MSP's shall promptly notify all affected interactive gaming managers of any issues impacting the integrity of interactive gaming operations.
5.17. Each interactive gaming operator or MSP offering interactive gaming shall perform an Annual System Integrity and Security Assessment conducted by an independent professional. The selection of the independent professional shall be by the interactive gaming operator, subject to the approval of the Director. The first assessment should be completed within 90 days of commencing operations and annually thereafter. The independent professional shall timely submit the annual report on the Assessment to the Commission, which shall include:
5.17.1. Scope of review;
5.17.2. Name and company affiliation of the individual(s) who conducted the assessment;
5.17.3. Date of the assessment;
5.17.4. Findings;
5.17.5. Recommended corrective action, if applicable; and
5.17.6. Operator's response to the findings and recommended corrective action.
5.18. Each interactive gaming operator or MSP offering interactive gaming shall comply with all federal requirements including, but not limited to, suspicious activity reporting and W2-G reporting.
5.19. Patron account information shall not be retained by any management service provider, supplier, or third party vendor after contract completion or termination without the express written consent of the interactive gaming operator.
5.20. At a minimum, interactive gaming operators and their MSP's shall adopt comprehensive house rules, which shall be approved by the Director and which shall include the following:
5.20.1. A method of calculation and payment of winning wagers;
5.20.2. A method of notifying patrons of changes;
5.20.3. A method of contacting the operator for questions and complaints;
5.20.4. A description of prohibited participants; and
5.20.5. A method of funding a wager.
5.21. The house rules, together with any other information the Commission deems appropriate, shall be posted on its website, and included in the terms and conditions of a patron's gaming account. Interactive gaming operators or their MSP's shall make copies of the house rules readily available to patrons.

W. Va. Code R. § 179-10-5