Section 12-865-27 - Policies and Procedures(a) Unless otherwise provided for by the department, before beginning internet gaming, an online gaming operator and sports wagering retailer shall submit their internal controls in detail in writing for department review and approval. If an online gaming operator is licensed to offer more than one type of internet game, for example online casino gaming and fantasy contests, the online gaming operator may have separate sets of internal controls for each type of internet game. Internal controls shall include a detailed description of the administrative and accounting procedures to be utilized by the online gaming operator in compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. The procedures shall include, but not be limited to: (1) An online gaming operator's procedures for responding to a failure of the electronic wagering platform, including procedures for restoring internet gaming.(2) An online gaming operator's automated and manual risk management procedures, including procedures to govern emergencies such as suspected or actual cyber-attacks on, hacking of, or tampering with the electronic wagering platform and associated equipment. The procedures shall include the process for the reconciliation or repayment of an internet gaming account.(3) Procedures for identifying and reporting fraud and suspicious conduct.(4) Procedures to prevent wagering by excluded or prohibited patrons.(5) Procedures for online gaming operator and sports wagering retailer imposed expulsion of patrons, including the following: (A) Providing a notification to the patron of the patron's expulsion status and general instructions for resolution.(B) Ensuring that immediately upon executing the expulsion order, no new wagers or deposits are accepted from the expelled patron, until such time as the licensee lifts the expulsion order.(C) Ensuring that the patron is not prevented from withdrawing any or all of his or her account balance, if the online gaming operator acknowledges that the funds have cleared, and that the reason or reasons for expulsion would not prohibit a withdrawal.(6) Description of the process for voiding or cancelling wagers and refunding the patron.(7) Procedures for issuance and acceptance of complimentaries for internet gaming.(8) Procedures for identifying and restricting prohibited patrons.(9) An online gaming operator's methods for securely issuing, modifying, and resetting a patron's account password, personal identification number, or other approved security feature, if applicable. Any such method shall include notification to the patron following any modification via electronic or regular mail, text message, or other manner approved by the department. Such methods shall include, at a minimum, one of the following: (A) Proof of identity, if in person.(B) The correct response to two or more challenge questions.(C) Strong authentication.(10) In detail, the location of the online gaming operator's gaming servers, including any third-party remote location servers, and what controls will be in place to ensure security of the gaming servers.(11) Procedures and security for the calculation, recording, and reporting of gross revenue, adjusted gross revenue, winnings, and prizes; or gross receipts and winnings if the online gaming operator provides fantasy contests.(12) Policies and procedures in connection with the internal audit, or equivalent, function of its internet gaming operations.(13) Any other items considered necessary by the department.(b) Modifications or additions to any portion of the internal controls shall be submitted to the department for approval prior to implementation.(c) The commissioner may accept, reject or require modification of any internal control. Rejection or required modifications of internal controls shall be based on the potential for detrimental impact on: the integrity of gaming operations; financial, cyber or physical security related to an electronic wagering platform; or the department's ability to effectively regulate gaming operations. An online gaming operator or sports wagering retailer may appeal any rejection of an internal control by requesting a hearing before the commissioner in accordance with chapter 54 of the Connecticut General Statutes. Such request for hearing shall be made in writing to the commissioner within fifteen days of receipt from the Department of a rejection of such internal control.
(d) Within thirty days of offering online wagering or retail sports wagering to patrons, the online gaming operator and sports wagering retailer shall create and approve the following internal administrative procedures that shall not be subject to department approval but shall be available to the department upon request: (1) User access controls for all online gaming operator internet gaming personnel.(2) Segregation of duties.(3) Description of anti-money laundering compliance standards.(4) Description of an online gaming operator's process for accepting multiple wagers from one patron in a twenty-four-hour cycle, including process to identify patron structuring of wagers to circumvent recording and reporting requirements.(5) Procedures for processing consumer complaints and for the appeal of the designation of a patron as a prohibited or excluded person.(6) Description of process to close out dormant accounts.(7) The online gaming operator's Procedures for making adjustments to an internet gaming account, providing a method for a patron to close out an account and how a patron will be refunded after the closure of an account or how funds will be escheated.(8) The online gaming operator's procedures to verify each patron's physical location.(9) The online gaming operator's procedures for the security and sharing of personal identifiable information of a patron, funds or financial information in an internet gaming account, and other information as required by the department. The procedures shall include the means by which an online gaming operator and a master wagering licensee provide notice to a patron related to the sharing of personal identifiable information.(10) Detailed responsible gaming measures.(11) The online gaming operator's T&S controls.(12) The online gaming operator's procedures for terminating an internet gaming account and the return of any funds remaining in the internet gaming account to the patron or confiscation of funds.(13) The online gaming operator's procedures for the logging in and authentication of a patron to enable the patron to commence internet gaming and the logging off of the patron when the patron has completed play, including a procedure to automatically log a patron out of the internet gaming account after a specified period of inactivity.(14) The online gaming operator's procedures for withdrawing funds from an internet gaming account by the patron.(15) The online gaming operator's procedures and appropriate measures implemented to deter, detect, and, to the extent possible, prevent cheating, including collusion, and use of cheating devices, including the use of software programs that make bets according to algorithms.(16) Policies and procedures with respect to accepting or extending patron credit.(17) Any other items considered necessary by the department in order to ensure the integrity of gaming and internet games in the state.(e) To the extent a third-party is involved in or provides any of the internal controls required in sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, the online gaming operator's internal controls shall document the roles and responsibilities of the third-party and shall include procedures to evaluate the adequacy of and monitor compliance with the third-party's internal control procedures.(f) In the event of an emergency, the online gaming operator may temporarily amend an internal control. The online gaming operator shall notify the department that an emergency exists before temporarily amending an internal control procedure.(g) An online gaming operator shall submit the temporary emergency amendment of the internal control procedures to the department within three days of the amendment. The submission shall include the detailed emergency procedures that will be implemented and the time period the emergency procedures will be temporarily in place. Any concerns the department has with the submission shall be addressed with the online gaming operator.(h) As soon as the circumstances necessitating the emergency amendment to the internal controls abate, an online gaming operator shall resume compliance with the approved internal controls.Conn. Agencies Regs. § 12-865-27