Tenn. Comp. R. & Regs. 1350-03-.12

Current through December 10, 2024
Section 1350-03-.12 - INFORMATION SYSTEM MINIMUM CONTROLS
(1) Licensees shall verify Sports Gaming Systems daily to ensure the date and time is properly displayed and registered for Wagers made pursuant to Sports Gaming Accounts. Licensees shall Immediately Report any discrepancies to the Council.
(2) Licensee shall implement an Integrity Monitoring System utilizing software to identify irregularities in volume or odds and swings that could signal Unusual or Suspicious Wagering Activities that should require further investigation and shall Immediately Report such findings to the Council.
(3) Sports Gaming Systems shall be designed to only allow Wagers to be created using an authorized Sports Gaming Account.
(4) Sports Gaming Systems shall contain a mechanism to prevent the creation of a Wager before or after the official Wager timeframe (i.e., prior to posting of the Wager and subsequent to the outcome of a Sporting Event or cutoff).
(5) Sports Gaming Systems shall be incapable of voiding a Wager subsequent to the outcome of a Sporting Event or cutoff.
(6) Sports Gaming Systems shall automatically authorize payment of winning Wagers and update a Player's Sports Gaming Account.
(7) Sports Gaming Systems shall be incapable of authorizing payment on a Voided or Cancelled Wager or a Wager that has been previously paid, except in accordance with these Rules.
(8) Sports Gaming Systems shall be designed to prevent an individual, group of individuals or entity from tampering with or interfering with the operation of Interactive Sports Gaming or Sports Gaming Systems.
(9) Sports Gaming Systems shall be configured to terminate a Player's session, and/or require re-authentication, after a prescribed period of inactivity by the Player not to exceed thirty (30) minutes.
(10) Sports Gaming Systems shall be designed to reasonably ensure the integrity and confidentiality of communications and ensure the proper identification of the sender and receiver of communications. If communications are performed across a public or third-party network, the system shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(11) Confidential and/or sensitive electronic data shall be encrypted while both at rest and in transit using the current standards and methodologies set forth by the National Institute of Standards and Technology (NIST), International Organization for Standardization, and the International Electrotechnical Commission (ISO/IEC), or equivalent standard as approved by the Council. Confidential and/or sensitive electronic data may include, but is not limited to, Player PII and Player banking information.
(12) User authentication to the Sports Gaming Systems and other system components shall be configured consistent with the current standards and methodologies set forth by the NIST, ISO/IEC, or equivalent standard as approved by the Council.
(13) Sports Gaming Systems shall monitor for and Immediately Report to the Licensee and the Council any malfunction or security incident that adversely affects the integrity of critical data or system functionality.
(14) A system event log or series of reports/logs for operating systems (including the database layer and network layer) and applications must be configured to track at least the following events:
(a) Failed login attempts;
(b) Changes to live data files occurring outside of normal program and operating system execution;
(c) Changes to operating system, database, network, and application policies and parameters;
(d) Audit trail of information changed by administrator accounts;
(e) Changes to date/time on master time server;
(f) Significant periods of unavailability of the Sports Gaming System or any critical component of the Sports Gaming System; and
(g) Other significant events.
(15) Sports Gaming Systems shall record and generate daily reports that may be accessed and reviewed by the Council upon request on the following:
(a) Wagers exceeding $10,000;
(b) Futures Wagers;
(c) Sports Gaming Account activity, including Sports Gaming Account number, transaction, and transaction amount. The report must include deposit amounts, withdrawal amounts, winnings, and Wagers made; and
(d) Changes in odds, Wager cutoff times, Event data, or Sporting Event results.
(16) Sports Gaming Account management shall be configured in a manner to ensure the confidentiality and integrity of the Player PII and to protect the Sports Gaming Account from unauthorized use. The following controls surrounding Sports Gaming Accounts must be present at a minimum:
(a) Once a Sports Gaming Account is created, a secure personal identification for the Player authorized to use the Sports Gaming Account shall be established that is reasonably designed to prevent the unauthorized access to, or use of, the Sports Gaming Account by any individual other than the Player for whom the Sports Gaming Account is established;
(b) Controls shall be in place to ensure the strength of Player's passwords;
(c) A Player shall have only one (1) Sports Gaming Account per Licensee;
(d) Player's Sports Gaming Account shall be Immediately suspended, and Player's identification shall be Immediately re-verified upon reasonable suspicion that the Player's identification has been compromised;
(e) Player's Sports Gaming Account shall be disabled after three failed log-in attempts and require Multi-Factor Authentication to recover or reset a password or username;
(f) Multi-Factor Authentication shall be required before allowing a Player to reset the Sports Gaming Account password, update Player PII, withdraw funds, and unlock the Sports Gaming Account;
(g) Players shall be allowed to manage their profiles at all times when logged in regardless of their geographical location; and
(h) A mechanism shall be in place to suspend a Player's Sports Gaming Account in the event that there is suspicion that the Sports Gaming Account has been compromised or used to commit fraud or other illegal activity.
(17) Licensees shall have policies and procedures for all changes to the Sports Gaming System and its related components. Documentation must be created and maintained for all changes to the production environment of the Sports Gaming System and its related components.
(18) The Licensee shall have a documented process for performing and restoring Sports Gaming System back-ups. All backup media must be stored at a secure location offsite. Periodic testing of backup media must be performed to ensure that the Sports Gaming System can be restored in the event of a failure.
(19) The integrity of all geolocation systems used by the Licensee shall be reviewed regularly to ensure it detects and mitigates existing and emerging location fraud risks. Licensee must either (1) provide the Council evidence that the geolocation system is updated to the latest version every 180 days, or (2) provide the Council with access to its geolocation system (or a dashboard or application utilized by the geolocation system Vendor) so that compliance can be independently verified by the Council.
(20) Interactive Sports Gaming may only be conducted over the Internet or through the use of Mobile applications or other digital platforms. The internal controls for the Sports Gaming Systems shall apply to all websites and applications used to provide this functionality.
(21) Additional system specifications and Sports Gaming Systems logging requirements may be specified by the Council through the issuance of technical bulletins in the case of exigent circumstances.
(22) Each Licensee shall Immediately Report to the Council any known violations or incidents of non-compliance with any part of this chapter.

Tenn. Comp. R. & Regs. 1350-03-.12

Emergency rules filed December 22, 2021 to become effective January 1, 2022; effective through June 30, 2022. New rules filed March 22, 2022; effective June 20, 2022. Amendments filed September 15, 2023; effective 12/14/2023.

Authority: T.C.A. §§ 4-49-102, 4-49-106, 4-49-110, 4-49-115, 4-49-122, and 4-49-125.