Section 12-865-9 - Geofencing(a) This section shall apply to all electronic wagering platforms except those electronic wagering platforms that exclusively offer and support fantasy contests, which shall be governed by the provisions of section 12-865-10 of the Regulations of Connecticut State Agencies.(b) Each electronic wagering platform shall employ a geolocation system that checks a patron's location when a patron logs on to the patron's internet gaming account, opens an internet gaming app, and places a wager, and at other times or at a frequency as may be required by the department to ensure account security and the location of the patron related to an investigation, compliance review, audit, or enforcement action. If the geolocation system identifies that the physical location of the patron is outside the state, the electronic wagering platform shall not accept wagers until such time that the patron is in the state, the boundaries of which shall be defined by the department based on U.S. Census maps, and shall not include the reservations. Internet gaming is conducted exclusively on a reservation only if the patron who places the wager is physically present on the reservation when the wager is initiated and when the wager is received, and the wager on an internet game is initiated, received, or otherwise made in conformity with the safe harbor requirements described in 31 USC 5362(10)(C).(c) The geolocation system shall be fully equipped to dynamically and consistently monitor the patron's location and block unauthorized attempts to access the electronic wagering platform throughout the duration of the patron session. The geolocation system shall comply with all technical standards and testing requirements set forth in this section.(d) The electronic wagering platform shall trigger the following geolocation checks: (1) A geolocation check prior to the placement of the first wager in the patron session.(2) Recurring periodic geolocation checks. If a patron session is longer than a single wager, the recurring periodic geolocation check shall be administered as follows: (A) Static connection: Recheck every twenty minutes, or five minutes if within one mile of the state border; and(B) Mobile connections: Recheck intervals to be based on a patron's proximity to the state border, with an assumed travel velocity of seventy miles per hour and a maximum interval not exceeding twenty minutes.(e) If the online gaming operator utilizes a third-party geolocation service, then the online gaming operator shall define the reasons for all trigger instances, for example single wager or deposit, and communicate the trigger reason using an anonymized user identification to the geolocation system when requesting each geolocation check.(f) A geolocation check shall be conducted immediately upon the detection of a change of the patron's internet protocol (IP) address.(g) If the electronic wagering platform determines that a patron is located outside the state, the patron shall be provided limited access to the electronic wagering platform and to the patron's internet gaming account limited to withdrawal or deposit of funds, viewing, and changing settings or updating the patron's account information. The patron shall be prohibited from placing a wager until a geolocation re-check is performed and confirms the patron is located within the state.(h) The geolocation system shall handle location data accurately as follows:(1) To ensure location data is accurate and reliable, the geofencing system shall: (A) Utilize pinpointed and accurate location data sources to confirm the patron is located within state. When a mobile carrier's data is used, the patron's device (where the patron session occurs) and the mobile carrier's data source shall be in proximity to each other;(B) Disregard IP location data for devices utilizing mobile internet connections; and(C) Possess the ability to control whether the accuracy radius of the location data source is permitted to overlap or exceed defined buffer zones or the state border.(2) To mitigate and account for discrepancies between mapping sources and variances in geospatial data, and to ensure accuracy of locational data, the geolocation system shall: (A) Utilize boundary polygons based on audited maps; and(B) Overlay location information onto these boundary polygons.(3) The geolocation system shall monitor and flag for investigation any wagers placed by a single account from geographically inconsistent locations during a single authorized patron session.(i) The geolocation system shall ensure location data integrity as follows: (1) Detect and block any locational data fraud, including but not limited to proxy servers, fake location applications, virtual machines, and remote desktop programs;(2) Utilize detection and blocking mechanisms verifiable to a source code level;(3) Follow best practice security measures to stop "man in the middle" attacks and prevent code manipulation such as replay attacks;(4) Detect and block non-secure devices and those which indicate any system-level tampering, including, but not limited to, rooting and jailbreaking; and(5) Detect and flag for investigation any patron who makes repeated unauthorized attempts to access the electronic wagering platform.(j) All location fraud shall be assessed on a single geolocation check, as well as on a cumulative basis of a patron's history over time.(k) The geolocation system shall: (1) Display the specific and real-time data feed of all geolocation checks and potential fraud risks.(2) Offer an alert system to identify unauthorized or improper access.(3) Facilitate routine, reoccurring delivery of supplemental fraud reports that pertain to the following: (A) Suspicious or unusual activities;(C) Malicious devices; and(D) Other high-risk transactional data. (l) To verify the overall integrity of the geofencing system, the geofencing system shall adhere to the following system maintenance requirements: (1) Be reviewed at least once every three months to assess and measure its continued ability to detect and mitigate existing and emerging location fraud risks;(2) Undergo updates, at least one every three months, to implement the most current industry data collection, device compatibility, and fraud prevention capabilities; and(3) Utilize databases that are updated daily, at a minimum, and are not open source. Such databases shall include, but not be limited to, IP, proxy, and fraud.(m) The electronic wagering platform shall send a message to a patron notifying them of a geolocation failure, which messages shall be approved by the department prior to use.Conn. Agencies Regs. § 12-865-9