Iowa Admin. Code r. 491-14.8
Current through Register Vol. 47, No.14, January 8, 2025
Rule 491-14.8 - Fantasy sports contest service provider requirements(1)Internal controls. Licensees shall submit a description of internal controls to the administrator. The submission shall be made at least 30 days before fantasy sports contest operations are to commence unless otherwise approved by the administrator. All internal controls must be approved by the administrator prior to commencement of contest operations. The service provider shall submit to the administrator any changes to the internal controls previously approved at least 15 days before the changes are to become effective unless otherwise directed by the administrator. It shall be the affirmative responsibility and continuing duty of each licensee and its employees to follow and comply with all internal controls. The submission shall include controls and reasonable methods that comply with and provide for: a. Prevention of employees of the internet fantasy sports contest service provider and relatives living in the same household of such employees from competing in any internet fantasy sports contest on the service provider's digital platform in which the service provider offers a prize to the public.b. Verification that any fantasy sports contest player is 21 years of age or older.c. Restriction of entries from coaches, officials, athletes, contestants, or other individuals who participate in a game or contest that is the subject of an internet fantasy sports contest in which the outcome is determined, in whole or in part, by the accumulated statistical results of a team of individuals in the game or contest in which they participate. Licensees shall demonstrate the capability, subject to review and approval by the administrator, to prevent prohibited persons from participating in contests in which they are not allowed to participate by implementing one of the following:(1) Organize and maintain a list of prohibited persons.(2) Participate in a third-party association or group that organizes and maintains a list of prohibited persons.d. An easy and obvious method for a player to make a complaint and to enable the player to notify the commission if such complaint has not been or cannot be resolved by the licensee.e. Measures used to determine the true identity, date of birth, and address of each player seeking to open an account.f. Standards and procedures used to monitor fantasy sports contests to detect the use of unauthorized scripts and restrict players found to have used such scripts from further fantasy sports contests.g. Prevention of unauthorized withdrawals from a registered player's account by the service provider or others.h. How the service provider will accept wagers within the permitted boundary.i. How the service provider will segregate fantasy sports contest player funds from operational funds.j. Protection of a fantasy sports contestant's personal and private information.(2)Records. Licensees shall provide all information requested by the commission. Access to this information shall be prompt, and copies of the information shall be delivered within seven days or less as ordered or requested by the commission. The licensees shall ensure all books and records and the retention of all books and records comply with 491-subrule 5.4(14). All records pertaining to contests shall be available to allow for player complaint resolution. All records pertaining to the accounts of persons who registered or have account activity in Iowa shall be available to allow for audits and investigations.(3)Reporting. The licensee shall provide prompt notification of any facts which the licensee has reasonable grounds to believe indicate a violation of law or commission rule committed by licensees, their key persons, or their employees, including without limitation the performance of licensed activities different from those permitted under their license. The licensee is also required to provide a detailed written report within seven business days, or a time frame otherwise approved by the administrator, from the discovery for any of the following: a. Criminal or disciplinary proceedings commenced against the service provider or its employees in connection with its operations;b. Abnormal contest activity or patterns that may indicate a concern about the integrity of an internet fantasy sports contest;c. Any other conduct with the potential to corrupt an outcome of an internet fantasy sports contest for purposes of financial gain, including but not limited to match fixing;d. Suspicious or illegal internet fantasy sports contest activities, including the use of funds derived from illegal activity, deposits of money to enter an internet fantasy sports contest to conceal or launder funds derived from illegal activity;e. The use of agents to enter an internet fantasy sports contest or use of false identification.(4)Technical and testing requirements.a.Initial testing. All equipment and systems integral to the conduct of fantasy sports contests shall be tested and certified for compliance with commission rules and the standards required by a commission-designated independent testing laboratory. Certification and commission approval must be received prior to the use of any equipment or system to conduct a fantasy sports contest. The commission may designate more than one independent testing laboratory.b.Change control. The fantasy sports contest service providers shall submit change control processes that detail evaluation procedures for all updates and changes to equipment and systems to the administrator for approval. These processes shall include details for identifying criticality of updates and determining of submission of updates to an independent testing laboratory for review and certification.c.Annual testing.(1) A system integrity and security risk assessment shall be performed annually on the fantasy sports contest system.1. The testing organization must be independent of the licensee and shall be qualified by the administrator.2. The system integrity and security risk assessment shall be completed no later than March 31 of each year. Results shall include a remediation plan to address any risks identified during the risk assessment.3. Results from the risk assessment shall be submitted to the administrator no later than 60 days after the assessment is completed.4. The risk assessment shall be conducted in accordance with current and accepted industry standard review requirements for risk assessments.5. The risk assessment shall include a review of licensee controls. Review of controls shall include but not be limited to a comparison of licensee controls to industry standard and best practice controls, and an audit of the licensee processes for compliance with those controls.(2) At the discretion of the administrator, additional assessments or specific testing criteria may be required.d.Limit on number of websites and platforms. A fantasy sports contest service provider is authorized to conduct no more than two websites or platforms maintained and operated by the service provider.(5)Operating requirements. A fantasy sports contest service provider shall ensure the following:a. Players winning fantasy sports contests shall have winning funds deposited into their player account or be paid by other means approved by the administrator within 48 hours from the end of the contest. Players shall have a fee-free method to deposit or withdraw funds from their player account. If funds are unable to be placed in a player's account, the fantasy sports contest service provider shall mail the funds to the player's address on file within ten days.b. Player withdrawal of funds maintained in the player account shall be completed within five business days of the request unless the licensed fantasy sports contest service provider believes, in good faith, that the player engaged in fraud or other illegal activity pursuant to Iowa Code chapter 99D, 99E or 99F.c. Procedures allow for a player to close an account and to access the player's history, including all fantasy sports contests in which the player participated.d. Employees of the licensee are prohibited from participation in any fantasy sports contest offered by the licensee in which a cash prize is offered to the public. This includes prohibiting relatives living in the same household as such employees from competing in any fantasy sports contests offered by any licensee.e. Prohibition of the sharing of confidential information that could affect fantasy sports contest play with third parties until the information is made publicly available.f. Players are allowed to voluntarily self-exclude in compliance with Iowa Code section 99F.4(22), and a fantasy sports contest service provider shall follow all resolutions associated with the process.g. Authentication for login using a multifactor authentication process or other secure alternative means as authorized by the commission. After successful login, multifactor authentication will need to be performed at least every 14 days for each unique device. Processes for retrieving lost usernames and passwords shall be available, secure, and clearly disclosed to the player. Players shall be allowed to change their passwords.h. During account setup and login, fantasy sports contest service providers shall display the following information on any interface that accepts fantasy sports contest entries: (1) Account sharing is prohibited.(2) Persons under the age of 21 are prohibited from entering fantasy sports contests.(3) Any other disclosures, as required by the administrator.Iowa Admin. Code r. 491-14.8
Adopted by IAB August 28, 2019/Volume XLII, Number 5, effective 7/31/2019Amended by IAB April 8, 2020/Volume XLII, Number 21, effective 5/13/2020Amended by IAB February 10, 2021/Volume XLIII, Number 17, effective 3/17/2021Amended by IAB February 9, 2022/Volume XLIV, Number 16, effective 3/16/2022Amended by IAB February 22, 2023/Volume XLV, Number 17, effective 3/29/2023Amended by IAB February 21, 2024/Volume XLVI, Number 17, effective 3/27/2024