Md. Code Regs. 36.10.13.03

Current through Register Vol. 51, No. 21, October 18, 2024
Section 36.10.13.03 - Content of Internal Controls
A. At least 60 days prior to commencing sports wagering and any time a change is made thereafter, a sports wagering licensee shall submit to the Commission for approval internal controls for:
(1) Sports wagering at the sports wagering licensee's facility; or
(2) Online sports wagering.
B. Each procedure or control submission shall, at a minimum, include both narrative and diagrammatic representations of the system to be utilized including the following:
(1) Administrative controls and record keeping that document the authorization of transactions;
(2) Accounting controls that provide reasonable assurance that:
(a) Transactions or financial events which occur in connection with the sports wagering operation are:
(i) Executed in accordance with the sports wagering licensee's authorization protocols;
(ii) Recorded to permit preparation of financial statements in conformance with generally accepted accounting principles in the United States and the requirements of this chapter; and
(iii) Recorded to permit proper and timely reporting and calculation of proceeds and to maintain accountability for assets;
(b) Access to assets is permitted only in accordance with the sports wagering licensee's authorization protocols; and
(c) The recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate action is taken with regard to a discrepancy;
(3) User access controls for all personnel;
(4) Procedures and controls for ensuring:
(a) That systems accurately and timely communicate all required activities and financial details to the sports wagering platform;
(b) That all functions, duties, and responsibilities are segregated and performed in accordance with sound financial practices by qualified personnel; and
(c) Through the use of a surveillance and a security department, that the sports wagering licensee is secure at all times during normal operation and during any emergency due to malfunctioning equipment, loss of power, natural disaster, or any other cause;
(5) An organizational chart depicting appropriate functions and responsibilities of employees involved in sports wagering;
(6) A description of the duties and responsibilities of each position shown on the organizational chart;
(7) Access controls which address, at a minimum:
(a) Content of, and administrative responsibility over, the manual or computerized access control matrix governing employee access to restricted areas;
(b) Issuance of a temporary access credential; and
(c) Comprehensive key controls;
(8) Procedures and controls over the movement of cash and the count room;
(9) Procedures and standards for conducting internal audits;
(10) The record retention policy;
(11) Procedures to be utilized by the sports wagering licensee to prevent an individual younger than 21 years old, an excluded individual, and bettors outside the State from engaging in sports wagering;
(12) Procedures for the registration of a bettor and establishment of a sports wagering account, including a procedure for:
(a) Authenticating the age, identity and physical address of an applicant for a sports wagering account; and
(b) Determining whether the applicant is a person prohibited from establishing or maintaining an account under applicable laws or regulations;
(13) Procedures for terminating a registered bettor's sports wagering account and the return of any funds remaining in the sports wagering account to the registered bettor;
(14) Procedures for suspending or terminating a dormant account and the return of any funds remaining in the dormant account to the registered bettor;
(15) Procedures for:
(a) The logging in and authentication of a registered bettor to enable the bettor to commence sports wagering; and
(b) The logging off of the registered bettor when the registered bettor has completed play;
(16) Procedures to automatically log a registered bettor out of the registered bettor's sports wagering account after a specified period of inactivity;
(17) Procedures for the crediting and debiting of a registered bettor's sports wagering account;
(18) Procedures for cashing checks, receiving electronic negotiable instruments and for redeeming cash equivalents;
(19) Procedures for withdrawing funds from a sports wagering account by the registered bettor;
(20) Procedures for the protection of a registered bettor's funds, including the segregation of a registered bettor's funds from operating funds of the sports wagering licensee;
(21) Procedures to account for and safeguard money generated from the conduct of sports wagering;
(22) Procedures for the security and sharing of personally identifiable information of a registered bettor, value of funds in a sports wagering account, and other information as required by the Commission;
(23) Procedures by which a sports wagering licensee will provide notice to a registered bettor related to the sharing of personally identifiable information;
(24) Procedures and security for the calculation and recordation of revenue;
(25) Procedures for the security of sports wagering equipment;
(26) Procedures and security standards as to receipt, handling and storage of sports wagering equipment;
(27) Procedures and appropriate measures implemented to deter, detect and prevent cheating;
(28) Procedures for identifying and reporting fraudulent, suspicious, or unusual wagering activity;
(29) Procedures to govern emergencies, including suspected or actual cyber-attacks, hacking or tampering with the sports wagering licensee's sports wagering platform, sports wagering website and sports wagering equipment;
(30) Procedures for the reconciliation or repayment of a registered bettor's sports wagering account;
(31) Procedures for automated and manual risk management;
(32) Procedures for compliance with AML standards;
(33) Description of all integrated third-party hardware, software, or systems;
(34) Procedures to identify a wager or attempts to wager above any maximum wager threshold set by the sports wagering licensee;
(35) Procedures to be utilized by an employee of a sports wagering licensee in the event of a malfunction of sports wagering licensee's:
(a) Sports wagering website;
(b) Sports wagering platform; or
(c) Sports wagering equipment; and
(36) Any other items the Commission may request in writing to be included in the internal controls.
C. Prior to authorizing a sports wagering licensee to commence the conduct of sports wagering, the Commission shall review and approve the system of internal controls, security protocols, and audit protocols submitted under this chapter to determine whether these controls and protocols conform to the requirements of this chapter and whether they provide adequate and effective controls for the conduct of sports wagering.
D. A sports wagering licensee shall submit to the Commission a catalog of the type of events that it intends to accept wagers on as well as the type of wagers it intends to accept.
E. A sports wagering licensee shall notify the Commission of any changes to the catalogue at least 72 hours in advance of implementation of these changes.
F. A sports wagering licensee shall continually maintain a catalog of all prior and current events and the types of wagers it offered on the events.

Md. Code Regs. 36.10.13.03

Amended effective 49:1 Md. R.16, eff. 1/13/2022