C.M.R. 16, 633, ch. 57 - SPORTS WAGERING SYSTEM REQUIREMENTS

1. Prior to operating sports wagering or mobile sports wagering in the State, all equipment and software used in conjunction with its operation shall be submitted to a Department approved independent testing laboratory recognized by the Director for certification of the use for operation in the State. A Department approved independent testing laboratory must certify that the sports wagering system used in conjunction with the sports wagering operation meets or exceeds the standards approved by the Director, and the standards established by this rule. Sports wagering operations are prohibited from offering sports wagering in Maine without such certification.

2. This rule incorporates by reference the State of Maine Sports Wagering or Associated Equipment Standards, 2022 edition consisting of GLI-33 version 1.1, Standards for Event Wagering Systems and its appendices, and GLI-CMP, version 1.0, Change Management Program Guide. Copies of this standard are available through the Maine Department of Public Safety, Gambling Control Unit, 45 Commerce Drive, Augusta, ME 04330.

3. The Director will make available, upon request, those laboratories approved to certify sports wagering systems for use. A sports wagering operator may seek recognition of an alternative testing laboratory for use in completing the certification by submitting a written request to the Director. The Director will review the qualifications and experience of the testing laboratory and determine whether to recognize that entity as an approved provider. The Director will make available the names of organizations that are approved to complete certifications upon request.

4. All wagers on authorized sports events shall be initiated, received, and otherwise made within this State unless otherwise determined by the Director in accordance with applicable federal and state laws. Consistent with the intent of the United States Congress as articulated in the Unlawful Internet Gambling Enforcement Act of 2006 (31 U.S.C. s. 5361 et seq.), the intermediate routing of electronic data relating to a lawful intrastate wager authorized under this provision shall not determine the location or locations in which such wager is initiated, received, or otherwise made.

5. A sports wagering operator shall document and maintain any system malfunction or deviation from the equipment and software and maintain that data for a minimum period of five (5) years.

6. A sports wagering operator must locate the primary server in the State of Maine. The primary server shall be the server responsible for the acceptance and storage of patron wagers. The location selected must have adequate security, access controls and the same twenty-four (24) hour surveillance as required of the sports wagering facility. Access to the primary server location by the Director, and all information necessary for the Department to conduct any investigation shall be provided to the Department immediately upon request.

7. A sports wagering system shall maintain all transactional wagering data for a period of five (5) years.

8. The Director may approve the use of cloud storage for duplicate data, or data not related to transactional wagering data upon written request by a sports wagering operation.

9. A sports wagering system shall be capable of recording and maintaining the following information for each wager made, and be capable of transmitting it to the Director upon request:

A. Description of event;

B. Event number;

C. Wager selection;

D. Type of wager;

E. Amount of wager;

F. Date and time of wager;

G. Unique wager identifier;

H. Patron identification number (if applicable);

I. Current wager status (active, cancelled, redeemed, pending voided, etc.);

J. An indication of when the ticket expires;

K. Name and address of the party issuing the ticket;

L. Results of wagering;

M. Amount won;

N. Date and time winning wager was paid to patron; and

O. Additional requirements for all tickets generated by a cashier or at a kiosk.

10. If the sports wagering system issues and redeems a sports wagering voucher, the system shall be capable of recording the following information for each voucher:

A. Amount of voucher;

B. Date, time and location of issuance;

C. Unique operator/operator identifier;

D. Expiration date of the voucher; and

E. Date, time and location of redemption.

11. A sports wagering system that offers in-play wagering or bets placed during a game or event shall be capable of the following:

A. The accurate and timely update of odds for in-play wagers;

B. The ability to notify the patron of any change in odds after a wager is attempted;

C. The ability to confirm to the patron the wager after notification of the odds change; and

D. The ability to freeze or suspend the offering of wagers when necessary.

12. A sports wagering system shall be configured to allow a sports wagering operator to rescind, void, or cancel awager, which it may only do if one or more of the following conditions is met prior to the time at which the outcome of the related event is known:

A. Upon approval of the Director;

B. In the event that the wager was placed by a prohibited participant or a person outside of Maine;

C. In the case of obvious error, as specified in the sports wagering operator's terms and conditions, house rules or internal controls; or

D. In the case of a wager indicating suspicious wagering activity.

13. A sports wagering operator or management services provider receiving a report of suspicious wagering activity shall be permitted to suspend wagering on events related to the report but may only cancel related wagers after Director approval.

14. When a sports wager is voided or cancelled, the sports wagering system shall clearly indicate that the ticket is voided or cancelled, render it nonredeemable and make an entry in the system indicating the void or cancellation and identity of the cashier or automated process with management's specific authorizations. The operator must notify the Unit of any wagers that have been rescinded, voided, or cancelled in accordance with this rule within 12 hours by email or phone.

15. A sports wagering system shall prevent past posting of wagers and the voiding or cancellation of wagers after the outcome of an event is known.

16. A sports wagering system shall employ a mechanism capable of maintaining a copy of all the information required to be logged in this section on a separate and independent logging device capable of being administered by an employee with no incompatible function. If the sports wagering system can be configured such that any logged data is contained in a secure transaction file, a separate logging device is not required.

17. A sports wagering system shall, at least once every 24 hours, perform a self-authentication process on all software used to offer, record and process wagers to ensure there have been no unauthorized modifications. In the event of an authentication failure, at a minimum, shall immediately notify the operator and Director within 24 hours by email. The results of all self-authentication attempts shall be recorded by the system and maintained for a period of not less than 90 days.

18. A sports wagering system shall have controls in place to review the accuracy and timeliness of any data feeds used to offer or settle wagers. In the event that an incident or error occurs resulting in a loss of communication with data feeds used to offer or redeem wagers, such error shall be recorded in a log capturing the date and time of the error, the nature of the error and a description of its impact on the system's performance. Such information shall be maintained for a period of not less than two (2) years.

19. The operator or management service operating a sports wagering system shall provide access to wagering transactions and related data as deemed necessary by the Director in the manner required by the Director in real time.

20. A sports wagering system shall be capable of maintaining the following:

A. Description of the event;

B. Event number;

C. Wager selection;

D. Type of wager;

E. Amount of wager;

F. Amount of potential payout;

G. Date and time of wager;

H. Identity of the cashier accepting the wager if applicable;

I. Unique ticket identifier;

J. Expiration date of ticket;

K. Patron name, if known;

L. Date, time, amount, and description of the settlement;

M. Location where wager was made;

N. Location of redemption; and

O. Identity of cashier settling the wager if applicable.

21. No payment of a ticket shall be made unless the ticket meets the following requirements:

A. It is presented on a fully legible, valid, printed ticket on paper approved by the Director, containing the information as required.

B. It is not mutilated, altered, unreadable, or tampered with in any manner, or previously paid.

C. It is not counterfeit in whole or in part.

D. It is presented by a person authorized to play.

22. If an operator finds suspicious wagering activity, they shall immediately notify an independent integrity monitor, who will disseminate the information to all other operators, the Director, and all other regulatory agencies or governing authorities as approved by the Director.

23. A sports wagering system shall provide the Director with remote access of real time live attempts of transactions and any reports of suspicious wagering activity in Maine.

24. Notwithstanding the other provisions of this section, all information and data received related to suspicious wagering activity shall be considered confidential and shall not be revealed in whole or in part, except upon the lawful order of a court of competent jurisdiction or with any law enforcement entity, or regulatory agency, governing body, independent third-party integrity monitor or auditor or other entity that the Director deems appropriate.

25. A SOC 2 Type II audit that includes all five trust principles shall be completed by licensed operators by June 1 of each year, for the previous calendar year, on any and all sports wagering systems for use in Maine or to support Maine sports wagering activity operated and/or maintained by operators, management services providers or suppliers. A copy of that audit shall be forwarded to the Director by June 30 of each year which must include at a minimum the following:

A. The scope of review;

B. Name and company affiliation of the individual(s) who conducted the audit;

C. Date(s) of audit;

D. Findings with regard to compliance with the sports wagering system requirements set forth in statute, rules and internal controls;

E. Recommended corrective action, if any; and

F. The operator's response to the findings and recommended corrective action.

26. A sports wagering system shall utilize sufficient security to ensure patron access is appropriately limited to the account holder. Unless otherwise authorized by the Director, security measures shall include at a minimum:

A. A username; and

B. Compliance with NIST Special Publication 800-63-3 "Digital Identity Guidelines" for password and access security including requiring two of the three multi-factor identification methods; or

C. Other requirements set forth by the Director.

27. A sports wagering system shall be designed to detect and report:

A. Suspicious behavior, such as cheating, theft, embezzlement, collusion, money laundering, or other illegal activities; and

B. The creation of an account by an excluded person or any individual who is prohibited from any form of sports wagering.

Notes

C.M.R. 16, 633, ch. 57

EFFECTIVE DATE:
10/29/2023 - filing 2023-204