Internal controls for operators of interactive gaming
Arkansas Constitution, Amendment 100, sec. 4
- (a) Each operator shall establish, maintain, implement, and comply with standards that the Arkansas Racing Commission shall adopt and publish pursuant to the provisions of this part.
(b) Such minimum standards shall include internal controls for:
- (1) As specified under this part, administrative, accounting, and audit procedures for the purpose of determining the licensee’s liability for taxes and fees under The Arkansas Casino Gaming Amendment of 2018, Arkansas Constitution, Amendment 100, and for the purpose of exercising effective control over the licensee’s internal affairs;
- (2) Maintenance of all aspects of security of the interactive gaming system;
- (3) Registering authorized players to engage in interactive gaming;
(4)
- (A) Identification and verification of authorized players to prevent those who are not authorized players from engaging in interactive gaming.
- (B) The procedures and controls must incorporate robust and redundant identification methods and measures in order to manage and mitigate the risks of non-face-to-face transactions inherent in interactive gaming;
- (5) Protecting and ensuring confidentiality of authorized players’ interactive gaming accounts;
- (6) Reasonably ensuring that interactive gaming is engaged in between human individuals only;
- (7) Reasonably ensuring that interactive gaming is conducted fairly and honestly, including the prevention of collusion between authorized players;
- (8) Testing the integrity of the interactive gaming system on an ongoing basis;
(9)
- (A) Promoting responsible interactive gaming and preventing individuals who have self-excluded from engaging in interactive gaming.
- (B) Such internal controls shall include provisions for substantial compliance with this part; and
(10) Protecting an authorized player’s personally identifiable information, including, but not limited to:
- (A) The designation and identification of one (1) or more senior company officials having primary responsibility for the design, implementation, and ongoing evaluation of such procedures and controls;
- (B) The procedures to be used to determine the nature and scope of all personally identifiable information collected, the locations in which such information is stored, and the devices or media on which such information may be recorded for purposes of storage or transfer;
- (C) The policies to be utilized to protect personally identifiable information from unauthorized access by employees, business partners, and persons unaffiliated with the company;
- (D) Notification to authorized players of privacy policies;
- (E) Procedures to be used in the event the operator determines that a breach of data security has occurred, including required notification to the on-site Department of Finance and Administration representatives; and
- (F) Provision for compliance with all local, state, and federal laws concerning privacy and security of personally identifiable information.
(c) “Personally identifiable information” means any information about an individual maintained by an operator including:
(1) Any information that can be used to distinguish or trace an individual’s identity, such as:
- (A) Name;
- (B) Social Security number;
- (C) Date and place of birth;
- (D) Mother’s maiden name; or
- (E) Biometric records; and
- (2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
(d)
- (1) The commission may determine additional areas that require internal controls having minimum standards.
- (2) The commission shall adopt and publish any such additional internal controls and the minimum standards pursuant to the provisions of the Arkansas Administrative Procedure Act, Arkansas Code § 25-15-201 et seq., and this part.