Mich. Admin. Code R. 432.763 - Board approval of internal control standards and requirements

Rule 763.

(1) Unless otherwise provided for by the board, before beginning internet sports betting operations, a sports betting operator or internet sports betting platform provider, or both must submit its administrative and accounting procedures in detail in a written system of internal control for board review and written approval. A written system of internal controls must include a detailed narrative description of the administrative and accounting procedures designed to satisfy the requirements of these rules.

(2) The written system of internal controls must address the following items, at a minimum:

(a) Procedures for responding to a failure of the sports betting platform (i.e., game, system, communications, or platform malfunction), including procedures for restoring internet sports betting operations. The sports betting operator or internet sports betting platform provider, or both, must also file with the board an incident report for each significant platform failure and document the date, time, and reason for the failure along with the date and time the system is restored.

(b) User access controls for all sports betting personnel.

(c) Segregation of duties.

(d) Automated and manual risk management procedures.

(e) Procedures for identifying and reporting fraud and suspicious conduct including identifying unusual wagering activity and reporting that activity to an independent integrity monitoring provider.

(f) Procedures to prevent wagering by prohibited persons.

(g) Procedures for sports betting operator-imposed or internet sports betting platform provider-imposed exclusion of authorized participants, including the following:

(i) Providing a notification containing operator-imposed or internet sports betting platform provider-imposed exclusion status and general instructions for resolution.

(ii) Ensuring that immediately upon executing the operator-imposed or internet sports betting platform provider-imposed exclusion order, no new wagers or deposits are accepted from the authorized participant, until such time as the operator-imposed or internet sports betting platform provider-imposed exclusion has been revoked.

(iii) Ensuring that the authorized participant is not prevented from withdrawing any or all of his or her account balance, if the sports betting operator or internet sports betting platform provider acknowledges that the funds have cleared, and that the reason or reasons for exclusion would not prohibit a withdrawal.

(h) Description of anti-money laundering compliance standards.

(i) Process for submitting or receiving approval of all event categories and wager types available.

(j) Description of process for accepting wagers and issuing payouts, plus any additional controls for accepting wagers and issuing payouts in excess of $10,000.00.

(k) Description of process for voiding or cancelling wagers and refunding the authorized participant in accordance with these rules.

(l) Description of process for accepting multiple wagers from one authorized participant in a 24-hour cycle, including process to identify authorized participant structuring of wagers to circumvent recording and reporting requirements.

(m) Procedure for the recording of and reconciliation of internet sports betting transactions.

(n) Procedures for issuance and acceptance of promotional funds for internet sports betting.

(o) Description of all integrated third-party platforms.

(p) Procedures for identifying and restricting prohibited persons.

(q) Description of process to close out dormant accounts.

(r) Procedures for making adjustments to an internet sports betting account, providing a method for an authorized participant to close out an account and how an authorized participant will be refunded after the closure of an account or how funds will be escheated.

(s) Procedures to verify each authorized participant's physical location pursuant to part 3 of these rules.

(t) Procedures for the security and sharing of personal identifiable information of an authorized participant, funds or financial information in an internet sports betting account, and other information as required by the board. The procedures must include the means by which a sports betting operator or internet sports betting platform provider, or both will provide notice to an authorized participant related to the sharing of personal identifiable information.

(u) Detailed responsible gaming measures.

(v) Method for securely implementing the responsible gaming database.

(w) Methods for securely issuing, modifying, and resetting an authorized participants account password, personal identification number (PIN), or other approved security feature, if applicable. Any method must include notification to the authorized participant following any modification via electronic or regular mail, text message, or other manner approved by the board. Such methods must include, at a minimum, one of the following:

(i) Proof of identity, if in person.

(ii) The correct response to 2 or more challenge questions.

(iii) Strong authentication.

(x) Procedures for receiving, investigating, and responding to all authorized participant complaints.

(y) In detail, the location of the sports betting servers, including any third-party remote location servers, and what controls will be in place to ensure security of the sports betting servers.

(z) Description of the process for line setting and line moving.

(aa) Technical security standards (controls) required by these rules.

(bb) Procedures for registration of authorized participants and establishing internet sports betting accounts, including a procedure for authenticating the age, identity and physical address of an applicant for an internet sports betting account, and whether the applicant is prohibited from establishing or maintaining an account under applicable laws or regulations.

(cc) Procedures for terminating an internet sports betting account and the return of any funds remaining in the internet sports betting account to the authorized participant or confiscation of funds in accordance with these rules.

(dd) Procedures for the logging in and authentication of an authorized participant to enable the authorized participant to commence sports betting and the logging off of the authorized participant when the authorized participant has completed play, including a procedure to automatically log an authorized participant out of the internet sports betting account after a specified period of inactivity.

(ee) Procedures for the crediting and debiting of an internet sports betting account.

(ff) Procedures for withdrawing funds from an internet sports betting account by the authorized participant.

(gg) Procedures for the protection of an authorized participants funds, including the segregation of an authorized participants funds from operating funds of the sports betting operator or internet sports betting platform provider, or both.

(hh) Procedures and security for the calculation and recording of gross sports betting receipts, adjusted gross sports betting receipts, and winnings.

(ii) Procedures and security standards as to receipt, handling, and storage of sports betting equipment.

(jj) Procedures and security standards to protect and respond to an individuals suspected or actual hacking of or tampering with the sports betting operators or internet sports betting platform providers internet sports betting website or sports betting devices and associated equipment.

(kk) Procedures and appropriate measures implemented to deter, detect, and, to the extent possible, prevent cheating, including collusion, and use of cheating devices, including the use of software programs that make bets according to algorithms.

(ll) Procedures to govern emergencies, including suspected or actual cyber-attacks on, hacking of, or tampering with the internet sports betting platform, internet sports betting website, or sports betting devices and associated equipment. The procedures must include the process for the reconciliation or repayment of an authorized participant's internet sports betting account.

(mm) Policies and procedures in connection with the internal audit function of its internet sports betting operations.

(nn) Establishing policies and procedures with respect to credit.

(oo) Any other items considered necessary by the board.

(3) To the extent a third-party is involved in or provides any of the internal controls required in these rules, the sports betting operators or internet sports betting platform providers controls, or the controls of both of them must document the roles and responsibilities of the third-party and must include procedures to evaluate the adequacy of and monitor compliance with the third-partys internal control procedures.

Notes

Mich. Admin. Code R. 432.763

2020 MR 22, Eff. 12/2/2020