- (1) Licensees shall verify Sports Gaming Systems daily to ensure the date and time is properly displayed and registered for Wagers made pursuant to Sports Gaming Accounts. Licensees shall Immediately Report any discrepancies to the Council.
- (2) Licensees shall implement procedures for the safeguarding of Sports Gaming Accounts, including maintaining the security of identity and financial information of Players.
- (3) Sports Gaming Systems shall be designed to only allow Wagers to be created using an authorized Sports Gaming Account.
- (4) Sports Gaming Systems shall contain a mechanism to prevent the creation of a Wager before or after the official Wager timeframe (i.e., prior to posting of the Wager and subsequent to the outcome of a Sporting Event or cutoff).
- (5) Sports Gaming Systems shall automatically authorize payment of winning Wagers and update a Player’s Sports Gaming Account.
- (6) Sports Gaming Systems shall be incapable of authorizing payment on a Voided or Cancelled Wager or a Wager that has been previously paid, except in accordance with these Rules.
- (7) Sports Gaming Systems shall be designed to prevent an individual, group of individuals or entity from tampering with or interfering with the operation of Interactive Sports Gaming or Sports Gaming Systems.
- (8) Sports Gaming Systems shall be configured to terminate a Player’s session, and/or require re- authentication, after a prescribed period of inactivity by the Player not to exceed thirty (30) minutes.
- (9) Sports Gaming Systems shall be designed to reasonably ensure the integrity and confidentiality of communications and ensure the proper identification of the sender and receiver of communications. If communications are performed across a public or third-party network, the system shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
- (10) Confidential and/or sensitive electronic data shall be encrypted while both at rest and in transit using the current standards and methodologies set forth by the National Institute of Standards and Technology (NIST), International Organization for Standardization, and the International Electrotechnical Commission (ISO/IEC), or equivalent standard as approved by the Council. Confidential and/or sensitive electronic data may include, but is not limited to, Player PII and Player banking information.
- (11) User authentication to the Sports Gaming Systems and other system components shall be configured consistent with the current standards and methodologies set forth by the NIST, ISO/IEC, or equivalent standard as approved by the Council.
- (12) Sports Gaming Systems shall monitor for and Immediately Report to the Licensee and the Council any malfunction or security incident that adversely affects the integrity of critical data or system functionality.
(13) A system event log or series of reports/logs for operating systems (including the database layer and network layer) and applications must be configured to track at least the following events:
- (a) Failed login attempts;
- (b) Changes to live data files occurring outside of normal program and operating system execution;
- (c) Changes to operating system, database, network, and application policies and parameters;
- (d) Audit trail of information changed by administrator accounts;
- (e) Changes to date/time on master time server;
- (f) Significant periods of unavailability of the Sports Gaming System or any critical component of the Sports Gaming System; and
- (g) Other significant events.
(14) Sports Gaming Systems shall record and generate daily reports upon request from the Council on the following:
- (a) Wagers exceeding $10,000;
- (b) Futures Wagers;
- (c) Sports Gaming Account activity, including Sports Gaming Account number, transaction, and transaction amount. The report must include deposit amounts, withdrawal amounts, winnings, and Wagers made; and
- (d) Changes in odds, Wager cutoff times, Event data, or Sporting Event results.
(15) Sports Gaming Account management shall be configured in a manner to ensure the confidentiality and integrity of the Player PII and to protect the Sports Gaming Account from unauthorized use. The following controls surrounding Sports Gaming Accounts must be present at a minimum:
- (a) Once a Sports Gaming Account is created, a secure personal identification for the Player authorized to use the Sports Gaming Account shall be established that is reasonably designed to prevent the unauthorized access to, or use of, the Sports Gaming Account by any individual other than the Player for whom the Sports Gaming Account is established;
- (b) Controls shall be in place to ensure the strength of Player’s passwords;
- (c) A Player shall have only one (1) Sports Gaming Account per Licensee;
- (d) Player’s Sports Gaming Account shall be Immediately suspended, and Player’s identification shall be Immediately re-verified upon reasonable suspicion that the Player’s identification has been compromised;
- (e) Player’s Sports Gaming Account shall be disabled after three failed log-in attempts;
- (f) Multi-Factor Authentication shall be required before allowing a Player to reset the Sports Gaming Account password and recover a disabled Sports Gaming Account;
(g) An Operator shall either
- 1. Require Multi-Factor Authentication before allowing a Player to log in to his or her Sports Gaming Account, unless the Player’s session has not ended or exceeded the prescribed period of inactivity configured in Rule 1350-03-.12(8); or
- 2. Require Multi-Factor Authentication before allowing a Player to:
- (i) Log in to his or her Sports Gaming Account, but after the Player has completed a successful Multi-Factor Authentication for a specific device, the Operator is not required to perform another Multi-Factor Authentication on that device for login for a period of 14 days;
- (ii) Update Player PII;
- (iii) Withdraw funds; and
- (iv) Add a debit card;
- (h) Players shall be allowed to perform any transaction other than Wagering at all times when logged in regardless of their geographical location; and
- (i) A mechanism shall be in place to suspend a Player’s Sports Gaming Account in the event that there is suspicion that the Sports Gaming Account has been compromised or used to commit fraud or other illegal activity.
- (16) Licensees shall have policies and procedures for all changes to the Sports Gaming System and its related components. Documentation must be created and maintained for all changes to the production environment of the Sports Gaming System and its related components.
- (17) The Licensee shall have a documented process for performing and restoring Sports Gaming System back-ups. All backup media must be stored at a secure location offsite from the Licensee’s primary data storage. Periodic testing of backup media must be performed to ensure that the Sports Gaming System can be restored in the event of a failure.
- (18) Interactive Sports Gaming may only be conducted over the Internet or through the use of Mobile Applications or other digital platforms. The Internal Control Standards for the Sports Gaming Systems shall apply to all websites and applications used to provide this functionality.
- (19) Additional system specifications and Sports Gaming Systems logging requirements may be specified by the Council through the issuance of technical bulletins in the case of exigent circumstances.
- (20) Each Licensee shall Immediately Report to the Council any known violations or incidents of non-compliance with any part of this chapter.
Authority: T.C.A. §§ 4-49-102, 4-49-106, 4-49-110, 4-49-115, 4-49-115(f), 4-49-122, and 4-49-125. Administrative History: Emergency rules filed December 22, 2021 to become effective January 1, 2022; effective through June 30, 2022. New rules filed March 22, 2022; effective June 20, 2022. Amendments filed September 15, 2023; effective December 14, 2023. Amendments filed April 1, 2025; effective June 30, 2025.