Mich. Admin. Code R. 432.663 - Board approval of internal control standards and requirements

Rule 663.

(1) Unless otherwise provided for by the board, before beginning internet gaming, an internet gaming operator or internet gaming platform provider, or both, must submit its administrative and accounting procedures in detail in a written system of internal control for board review and written approval. A written system of internal controls must include a detailed narrative description of the administrative and accounting procedures designed to satisfy the requirements of these rules.

(2) The written system of internal controls must address the following items, at a minimum:

(a) Procedures for responding to a failure of the internet gaming platform (i.e., game, system, communications, or platform malfunction), including procedures for restoring internet gaming. The internet gaming operator or internet gaming platform provider, or both, must also file with the board an incident report for each significant platform failure and document the date, time, and reason for the failure along with the date and time the system is restored.

(b) User access controls for all internet gaming personnel.

(c) Segregation of duties.

(d) Automated and manual risk management procedures.

(e) Procedures for identifying and reporting fraud and suspicious conduct.

(f) Procedures to prevent wagering by prohibited persons.

(g) Procedures for internet gaming operator-imposed or internet gaming platform provider-imposed exclusion of authorized participants, including the following:

(i) Providing a notification containing operator-imposed or internet gaming platform provider-imposed exclusion status and general instructions for resolution.

(ii) Ensuring that immediately upon executing the operator-imposed or internet gaming platform provider-imposed exclusion order, no new wagers or deposits are accepted from the authorized participant, until such time as the operator-imposed or internet gaming platform provider-imposed exclusion has been revoked.

(iii) Ensuring that the authorized participant is not prevented from withdrawing any or all of his or her account balance, if the internet gaming operator or internet gaming platform provider acknowledges that the funds have cleared, and that the reason or reasons for exclusion would not prohibit a withdrawal.

(h) Description of anti-money laundering compliance standards.

(i) Process for submitting or receiving approval of all types of internet games and wagers available.

(j) Description of process for accepting wagers and issuing payouts, plus any additional controls for accepting wagers and issuing payouts in excess of $10,000.00.

(k) Description of process for voiding or cancelling wagers and refunding the authorized participant in accordance with these rules.

(l) Description of process for accepting multiple wagers from one authorized participant in a 24-hour cycle, including process to identify authorized participant structuring of wagers to circumvent recording and reporting requirements.

(m) Procedure for the recording of and reconciliation of internet gaming transactions.

(n) Procedures for issuance and acceptance of promotional funds for internet gaming.

(o) Description of all integrated third-party platforms.

(p) Procedures for identifying and restricting prohibited persons.

(q) Description of process to close out dormant accounts.

(r) Procedures for making adjustments to an internet wagering account, providing a method for an authorized participant to close out an account and how an authorized participant will be refunded after the closure of an account or how funds will be escheated.

(s) Procedures to verify each authorized participant's physical location pursuant to part 3 of these rules.

(t) Procedures for the security and sharing of personal identifiable information of an authorized participant, funds or financial information in an internet wagering account, and other information as required by the board. The procedures must include the means by which an internet gaming operator or internet gaming platform provider, or both, will provide notice to an authorized participant related to the sharing of personal identifiable information.

(u) Detailed responsible gaming measures.

(v) Method for securely implementing the responsible gaming database.

(w) Methods for securely issuing, modifying, and resetting an authorized participants account password, personal identification number (PIN), or other approved security feature, if applicable. Any method must include notification to the authorized participant following any modification via electronic or regular mail, text message, or other manner approved by the board. Such methods must include, at a minimum, one of the following:

(i) Proof of identity, if in person.

(ii) The correct response to 2 or more challenge questions.

(iii) Strong authentication.

(x) Procedures for receiving, investigating, and responding to all authorized participant complaints.

(y) In detail, the location of the internet gaming servers, including any third-party remote location servers, and what controls will be in place to ensure security of the internet gaming servers.

(z) Technical security standards (controls) required by these rules.

(aa) Procedures for registration of authorized participants and establishing internet wagering accounts, including a procedure for authenticating the age, identity, and physical address of an applicant for an internet wagering account and whether the applicant is prohibited from establishing or maintaining an account under applicable laws or regulations.

(bb) Procedures for terminating an internet wagering account and the return of any funds remaining in the internet wagering account to the authorized participant or confiscation of funds in accordance with these rules.

(cc) Procedures for the logging in and authentication of an authorized participant to enable the authorized participant to commence internet gaming and the logging off of the authorized participant when the authorized participant has completed play, including a procedure to automatically log an authorized participant out of the internet wagering account after a specified period of inactivity.

(dd) Procedures for the crediting and debiting of an internet wagering account.

(ee) Procedures for withdrawing funds from an internet wagering account by the authorized participant.

(ff) Procedures for the protection of an authorized participants funds, including the segregation of an authorized participants funds from operating funds of the internet gaming operator or internet gaming platform provider, or both.

(gg) Procedures and security for the calculation and recording of gross receipts, adjusted gross receipts, and winnings.

(hh) Procedures and security standards as to receipt, handling, and storage of internet gaming equipment.

(ii) Procedures and security standards to protect and respond to an individual's suspected or actual hacking of or tampering with the internet gaming operators or internet gaming platform providers internet gaming website or internet gaming devices and associated equipment.

(jj) Procedures and appropriate measures implemented to deter, detect, and, to the extent possible, prevent cheating, including collusion, and use of cheating devices, including the use of software programs that make bets according to algorithms.

(kk) Procedures to govern emergencies, including suspected or actual cyber-attacks on, hacking of, or tampering with the internet gaming platform, internet gaming website or internet gaming devices and associated equipment. The procedures must include the process for the reconciliation or repayment of an authorized participant's internet wagering account.

(ll) Policies and procedures in connection with the internal audit function of its internet gaming operations.

(mm) Establishing policies and procedures with respect to credit.

(nn) Any other items considered necessary by the board.

(3) To the extent a third-party is involved in or provides any of the internal controls required in these rules, the internet gaming operators or internet gaming platform providers internal controls, or the controls of both of them, must document the roles and responsibilities of the third-party and must include procedures to evaluate the adequacy of and monitor compliance with the third-partys internal control procedures.

Notes

Mich. Admin. Code R. 432.663

2020 MR 22, Eff. 12/2/2020