Title 809 | Chapter 010 | Regulation 006


SUPERSEDED
This document is no longer current.
View Current Regulation
PREVIOUS VERSION
The previous document that this document is based upon is available.
View Previous Version
PUBLIC PROTECTION CABINET
Kentucky Horse Racing Commission
(Amended at ARRS Committee)

809 KAR 10:006.Audit and internal control standards.

Section 1.

Internal Controls. Before beginning operations, a licensee shall submit its administrative and accounting controls, in detail, in a system of internal controls for racing commission review and approval in accordance with GLI-33 Standards and subsection (3) of this section. The racing commission or its designee may perform any inspection necessary in order to determine conformance with the approved internal controls.

(1)

Amendments to any portion of the internal controls shall be submitted to the racing commission for approval consistent with commission staff audits in accordance with GLI-33 Standards. If, within thirty (30) calendar days the racing commission has not approved, denied, or otherwise provided written notice, a licensee may implement the amended internal controls, which shall be implemented as submitted, in which casewith the racing commission shall retainretaining its authority to require further amendment, approval, or denial.

(a)

The racing commission may approve, deny, or require a revision to the amendment to the internal controls consistent with commission staff audits in accordance with GLI-33 Standards. If the licensee is notified of a required revision, the licensee shall address the revision within fifteen (15) calendar days, unless otherwise required by the commission based on immediate risk or immediate implied risk to sports wagering.

(b)

If the racing commission requests additional information, clarification, or revision of an amendment to the internal controls and the licensee fails to satisfy the request within thirty (30) calendar days after the racing commission submits the request, the racing commission shall consider the amendment denied and the amendment shall notit cannot be implemented or, if previously implemented, the licensee shall cease implementation of that amendment within fifteen (15) calendar days. If the licensee subsequently wants to pursue the amendment, it shall resubmit the request along with the additional information previously requested by the racing commission.

(2)

In an emergency, the licensee may temporarily amend their internal controls. The racing commission or its designee shall be notified immediately that an emergency exists before the licensee temporarily amends its internal controls due to an emergency. The licensee shall submit the temporary emergency amendment of the internal controls to the racing commission or its designee within twenty-four (24) hours of the amendment. The submission shall include the detailed emergency procedures that will be implemented and the time period the emergency procedures will be temporarily in place. Any concerns the racing commission has with the submission shall be addressed with the licensee promptly.

(3)

The internal controls shall include a detailed narrative description of the administrative and accounting procedures designed to satisfy the requirements of KAR Title 809, including the following:

(a)

Reliable accounting controls, including the standardization of forms and definition of terms to be used in the sports wagering operations;

(b)

Reporting controls, which shall include policies and procedures for the timely reporting of standard financial and statistical information in accordance with this administrative regulation;

(c)

Access controls, which shall includeinclude, as their primary objective, the safeguarding of company assets;

(d)

Tables of organization, which shall provide for:

1.

A system of personnel and chain of command that allowswhich permits management and supervisory personnel to be held accountable for actions or omissions within their areas of responsibility;

2.

The segregation of functions that are incompatible with separation of duties, so that no employee is in a position both to commit an error or to perpetrate a fraud and to conceal the error or fraud in the normal course of their duties;

3.

Supervisory positions that allowwhich permit the authorization or supervision of necessary transactions at all relevant times; and

4.

Areas of responsibility thatwhich are not so extensive as to be impractical for one (1) person to monitor;.

(e)

A jobs compendium detailing job descriptions, chains of command, and lines of authority for all personnel engaged in the operation of sports wagering. The licensee shall maintain and update the jobs compendium on a regular basis, but at least annually;

(f)

An infrastructure and information security program; and

(g)

All wagering procedures and practices establishedspecified within the GLI-33 Standards.

(4)

To the extent a service provider is involved in or provides any of the internal controls required in 809 KAR Chapter 10this Chapter, the licensee's internal controls shall document the roles and responsibilities of the service provider and shall include procedures to evaluate the adequacy of and monitor compliance with the service provider's internal controls.

(5)

The licensee shall stamp or otherwise mark each page of the internal controls submitted to the racing commission with the word "CONFIDENTIAL" if the licensee does not believe the material submitted isshould be subject to public disclosure.

(6)

If a licensee intends to utilize any new technology not identified in its initial proposal, it shall submit the changes to its internal controls to incorporate the use of any such new technology to the racing commission for approval based on GLI-33 Standards.

(7)

If the racing commission determines that the internal controls of the licensee do not comply with the requirements of KAR Title 809, the racing commission shall notify the licensee in writing. Within fifteen (15) calendar days after receiving the notification, the licensee shall amend its internal controls accordingly and shall submit, for racing commission approval, a copy of the written internal controls, as amended, and a description of any other remedial measure taken. Commission approval shall be based on commission staff audits and compliance with GLI-33 Standards.

Section 2.

Information Security Responsibilities. The internal controls shall ensure that an information security program shall beis effectively implemented, and information security function responsibilities shall beare effectively allocated.

(1)

The licensee shall implement, maintain, and comply with a comprehensive information security program, the purpose of which shall be to take reasonable steps to protect the confidentiality, integrity, and availability of personally identifiable information of individuals who place a sports wager with the licensee.

(2)

The licensee's information security program shall contain administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the operations, and the sensitivity of the personally identifiable information owned, licensed, maintained, handled, or otherwise in the possession of the licensee.

(3)

A licensee's information security forum, data privacy committee, or other similar organizational structure comprised of senior managers shall be formally established to monitor and review the information security program to ensure its continuing suitability, adequacy, and effectiveness, maintain formal minutes of meetings, and convene at least every six months.

(3)(4)

A licensee's information security department shall exist that shall beis responsible for developing a security strategy in accordance with the overall operation. The information security department shallwill subsequently work with the other departments to implement the associated action plans. It shall be involved in reviewing all tasks and processes that are necessary from the security perspective for the licensee, including the protection of information and data, communications, physical, virtual, personnel, and overall business operational security.

(4)(5)

The licensee's information security department shall report to no lower than executive level management and shall be independent of the IT department with regard to the management of security risk.

(5)(6)

The licensee's information security department shall have the competencies and be sufficiently empowered, and shall have access to all necessary resources, to enable the adequate assessment, management, and reduction of risk.

(7)

The licensee's chief security officer or equivalent head of the information security department shall be a full member of the information security forum and be responsible for recommending information security policies and changes.

Section 3.

Accounting Records. Licensees shall maintain complete, accurate, and legible records of all financial transactions for at least five (5) years, including transactions pertaining to revenues, expenses, assets, liabilities, and equity in conformance with generally accepted accounting principles. The licensee's financial transaction reports shall be in compliance with GLI-33 Standards, unless otherwise permitted by the commission.

(1)

The accounting records shall be maintained according to GLI-33 Standards, unless otherwise permitted by the commission. The detailed subsidiary records shall include:

(a)

Detailed general ledger accounts identifying all revenue, expenses, assets, liabilities, and equity;

(b)

A record of all investments, advances, loans, and accounts receivable balances due the establishment;

(c)

A record of all loans and other accounts payable;

(d)

A record of all accounts receivable written off as uncollectible;

(e)

Journal entries prepared;

(f)

Tax work papers used in preparation of any state or federal tax return if applicable;

(g)

Records supporting the accumulation of the costs for complimentary services and items. A complimentary service or item provided to individuals in the normal course of a sports wagering business shall be recorded in an amount based upon the full retail price normally charged for the service or item or as is otherwise consistent with generally accepted accounting principles; and

(h)

Records required by the internal controls.

(2)

The licensee shall maintain all records supporting the adjusted gross revenue for at least five (5) years.

(3)

If a licensee fails to maintain the records used by it to calculate the adjusted gross revenue, the racing commission may compute and determine the amount upon the basis of an audit conducted by the racing commission using available information.

Section 4.

Financial Audits. Upon application, and annually thereafter, each licensee shall submit to the racing commission, within ninety (90) calendar days of the licensee's fiscal year end, its financial audit for that fiscal year.

(1)

The licensee shall operate in conformity with financial audit conditions established in the license conditions issued by the racing commission pursuant to KRS 230.290(3).

(2)

Upon request by the commission, the licensee shall submit pro forma statements that present projected or estimated financial performance, assets, and liabilities. These pro forma statements shall include:

(a)

Pro forma balance sheet: A projected or estimated balance sheet statingoutlining the entity's assets, liabilities, and equity at a specific point in time;

(b)

Pro forma income statement: A projected or estimated income statement presenting the entity's anticipated revenues, expenses, and net income for a specific period;

(c)

Pro forma cash flow statement: A projected or estimated cash flow statement demonstrating the expected cash inflows and outflows of the entity over a specific period;

(d)

Pro forma statement of retained earnings: A projected or estimated statement reflecting changes in the entity's retained earnings over a specific period, considering projected net income, dividends, and other adjustments; and

(e)

Notes for financial statements: Explanatory notes providing additional information and disclosures related to the pro forma statements, including significant assumptions, methodologies used, and any other relevant details.

(3)

If audited financial statements are not available, the licensee shall provide audited financial statements of its parent company and the licensee's unaudited financial statements, which document the licensee's financial performance, assets, and liabilities, including:

(a)

A balance sheet;

(b)

An income statement;

(c)

A cash flow statement;

(d)

A statement of retained earnings; and

(e)

Notes for financial statements.

(4)

The pro forma statements shall be clearly labeled as unaudited and based on management's estimates and assumptions. These statements may serve as temporary financial documentation until audited financial statements become available.

(5)

The financial audit shall be performed in accordance with generally accepted accounting principles by an independent certified public accountant currently authorized to practice in Kentucky or any other U.S. state or jurisdiction, and shall contain the opinion of the independent certified public accountant as to its fair preparation and presentation in accordance with generally accepted accounting principles.

(6)

The racing commission shall determine the number of copies of audits or reports required under this procedure. The audits or reports shall be received by the racing commission or postmarked no later than the required filing date.

(7)

The reporting year-end of the licensee shall beis December 31 of each year, unless otherwise approved by the racing commission for good cause shown by the licensee.

Section 5.

Retention, Storage, and Destruction of Records. The internal controls shall include a records retention schedule, and provisions related to the storage and destruction of records that incorporates the following provisions established in subsections (1) through (7) of this section., without limitation:

(1)

Each licensee shall maintain, in a place secure from theft, loss, or destruction, adequate records of its business and accounting operations.

(2)

A licensee shall make the records available to the racing commission, upon request, within a time provided for by the racing commission. A licensee shall retain the records for not less than five (5) years.

(3)

A licensee shall keep and maintain, in a manner and form approved by the racing commission, accurate, complete, and legible records of any books, records, or documents pertaining to, prepared in, or generated by, the licensee.

(4)

A licensee shall organize and index all required records in a manner that enables the racing commission to locate, inspect, review, and analyze the records with reasonable ease and efficiency.

(5)

A licensee shall notify the racing commission in writing at least sixty (60) calendar days prior to the scheduled destruction of any record required to be retained in accordance with this section, if within the five (5) year record retention requirement. Such Notice shall list each type of record scheduled for destruction, including a description sufficient to identify the records included,; the retention period,; and the date of destruction. If documents are to be destroyed in the normal course of business in accordance with document retention policies previously establishedset forth in the internal controls approved by the racing commission, no notice to the racing commission shall be required.

(6)

The racing commission may prohibit the destruction of any record required to be retained in accordance with this section by so notifying the licensee in writing within forty-five (45) calendar days of receipt of the notice of destruction pursuant to subsection (5) or within the establishedspecified retention period. This prohibition shall be based on factors such as an ongoing investigation or the licensee's history of unusual wagering activity. AnSuch original record may thereafter be destroyed only upon notice from the racing commission, or by order of the racing commission upon the petition of the licensee, or by the racing commission on its own initiative.

(7)

The licensee may use the services of a disposal company for the destruction of any records required to be retained in accordance with this section.

Section 6.

Reserve Requirement.

(1)

The internal controls shall include a plan to maintain and protect sufficient funds to conduct sports wagering at all times through a reserve in the amount necessary to ensure the security of funds held in sports wagering accounts and the ability to cover the outstanding sports wagering liability.

(a)

The reserve shall be in the form of cash, cash equivalents, payment processor receivables, payment processor reserves, an irrevocable letter of credit, a bond, or a combination thereof.

(b)

The reserve shall be not less than the greater of $25,000 or the sum of the following amounts:

1.

The daily ending cashable balance of all sports wagering accounts;

2.

Pending withdrawals;

3.

Amounts accepted by the licensee on sports wagers with undetermined outcomeswhose outcomes have not been determined; and

4.

Amounts owed but unpaid on winning sports wagers.

(c)

Amounts available to patrons for wagering that are not redeemable for cash may be excluded from the reserve computation.

(2)

A licensee shall have access to all sports wagering account and transaction data to ensure the amount of its reserve is sufficient. Unless otherwise directed by the racing commission based on the risk assessed from audits performed by commission staff, a licensee shall file a monthly attestation with the racing commission, which shall statestates that funds have been safeguarded under this procedure.

(3)

The racing commission may audit a licensee's reserve at any time and may direct a licensee to take any action necessary to ensure the requirements of this section are met.

Section 7.

Risk Management Framework. A licensee shall implement a risk management framework. This framework may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.

(1)

The internal controls shall contain a description of the risk management framework, including:

(a)

Automated and manual risk management procedures;

(b)

Employee management, including access controls and segregation of duties;

(c)

Information regarding identifying and reporting fraud and suspicious conduct;

(d)

Controls ensuring regulatory compliance;

(e)

Description of Anti-money Laundering (AML) compliance standards;

(f)

Controls for accepting wagers and issuing pay outs in excess of $10,000;

(g)

Controls for accepting multiple wagers from one patron in a twenty-four (24) hour24-hour cycle, including a process to identify patron structuring of wagers to circumvent recording and reporting requirements;

(h)

Description of all software applications that comprise the sports wagering system;

(i)

Description of all types of sports wagers available to be offered by the licensee;

(j)

Description of the procedures to prevent past posting of wagers;

(k)

Description of the procedures to prevent individuals from placing wagers as agents or proxies for other individuals; and

(l)

Description of all integrated third-party platforms.

(2)

A licensee shall file with the racing commission a report of any error that occurs in offering an event or wager or if an unapproved sporting event or type of wager is offered to the public.

Section 8.

Taxation Requirements.

(1)

The internal controls shall ensure compliance with all Internal Revenue Service (IRS) requirements, and the licensee shall provide for the withholding or reporting of income tax of patrons as required by applicable state or federal law.

(2)

The licensee shall disclose potential tax liabilities to patrons at the time of award of any sports wagering payouts in excess of limits establishedset by the IRS. Disclosure shallSuch disclosures will include a statement that the obligation to pay applicable taxes on payouts shall beis the responsibility of the patron and that failure to pay applicable tax liabilities may result in civil penalties or criminal liability. Upon written request, the licensee shall provide patrons with summarized tax information on sports wagering activities.

Section 9.

Reports of Suspicious Transactions.

(1)

A transaction shall requirerequires reporting under the terms of this section if the transactionit is conducted or attempted, by, at, or through a licensee, and involves or aggregates to at least $5,000 in funds or other assets, and the licensee knows, suspects, or has reason to suspect that the transaction or a pattern of transactions of which the transaction is a part and:

(a)

Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity (such asincluding, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any federal law or regulation or to avoid any transaction reporting requirement under federal law or regulation or of the racing commission;.

(b)

Is designed, whether through structuring or other means, to evade any requirements of KAR Title 809these regulations or of any other regulations promulgated under the Bank Secrecy Act;

(c)

Does not haveHas no business or an apparent lawful purpose or is not the sort in which the particular patron would normally be expected to engage, and the licensee is not aware of aknows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or

(d)

Involves use of the licensee to facilitate criminal activity.

(2)

A licensee may also file a report of any suspicious transaction that the licenseeit believes is relevant to the possible violation of any law or regulation but whose reporting is not required by this section.

(3)

The report shall be filed no later than thirty (30) calendar days after the initial detection by the licensee of facts that mightmay constitute a basis for filing such a report. In situations involving violations that require immediate attention, the licensee shall immediately notify the racing commission in addition to timely filing a report.

(4)

A licensee shall maintain a copy of any report filed and the original or business record equivalent of any supporting documentation for a period of at least five (5) years from the date of filing the report. Supporting documentation shall be identified, and maintained by the licensee as such, and shall be deemed to have been filed with the report. A licensee shall make all supporting documentation available to the racing commission and any appropriate law enforcement agencies upon request.

(5)

Unless otherwise required by KAR Title 809this Chapter, other law, or court order, a licensee and its directors, officers, employees, or agents who file a report pursuant to this administrative regulation shall not notify any person involved in the transaction that the transaction has been reported. Any report filed with the racing commission shall beis confidential and may be disclosed by the racing commission in the necessary administration of their duties and responsibilities under KRS Chapter 230the Act or as otherwise required by law or court order.

Section 10.

Anti-money Laundering (AML) Monitoring. The internal controls shall implement AML procedures and policies that adequately address the risks posed by sports wagering for the potential of money laundering and terrorist financing. The AML procedures and policies shall provide for the following:

(1)

Up-to-dateUp to date training of employees in the identification of unusual or suspicious transactions;

(2)

Assigning an individual or individuals to be responsible for all areas of AML by the licensee, including reporting unusual or suspicious transactions;

(3)

Use of any automated data processing systems to aid in assuring compliance; and

(4)

Periodic independent tests for compliance with a scope and frequency as required by the racing commission. Logs of all tests shall be maintained for at least five (5) years.

Section 11.

Integrity Monitoring and Suspicious Behavior. A licensee shall implement an integrity monitoring system. This solution may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.

(1)

The internal controls shall include provisions for a licensee to report to the racing commission as soon as practicable, but in no event longer than forty-eight (48) hours after discovery:

(a)

Any information regarding irregularities in volume or changes in odds identified as abnormal wagering activitythat could signal suspicious activities which were identified;

(b)

Any information relating to criminal or disciplinary proceedings commenced against the licensee in connection with its operations;

(c)

Any information relating to the following, which shall also be reported to the relevant sports governing body or equivalent:

1.

Abnormal wagering activity or patterns that may indicate a concern with the integrity of a sporting event or events;

2.

Any potential breach of the internal rules and codes of conduct pertaining to sports wagering of a relevant sports governing body or equivalent, to the extent the licensee has actual knowledge of the potential breach; and

3.

Any other conduct that corrupts a sports wagering outcome of a sporting event or events for purposes of financial gain, including match-fixing; or

(d)

Any information relating to suspicious or illegal wagering activities, including the use of funds derived from illegal activity, the placement of wagers to conceal or launder funds derived from illegal activity, the use of agents to place wagers, and the use of false identification in placing wagers.

(2)

A licensee shall maintain the confidentiality of information provided by a sports governing body or equivalent for purposes of investigating or preventing the conduct establisheddescribed in subsection (1)(d) of this section, unless disclosure is required by KRS Chapter 230the Act, the racing commission, or other law or court order, or unless the sports governing body or equivalent consents to its disclosure in writing.

(3)

A licensee receiving a report of suspicious or illegal wagering activity mayshall be permitted to suspend wagering on sporting events or types of wager related to the report, and may place a hold on suspicious wagers while investigating, but may only cancel or void sports wagers related to the report after receiving written approval from the racing commission or its designee.

(4)

Upon request by the racing commission or its designee, a licensee shall provide remote, read-only access and the necessary software and hardware for the racing commission to evaluate or monitor the sports wagering system. If requested, the licensee shall provide the racing commission with remote access or other approved mechanism as established in paragraphs (a) through (d) of this subsection, which shall provide:

(a)

All reports of abnormal wagering activity;

(b)

Whether the abnormal wagering activity was subsequently determined to be suspicious or illegal wagering activity;

(c)

All reports deemed suspicious or illegal wagering activity at the outset; and

(d)

The actions taken by the licensee according to its integrity monitoring system.

(5)

Nothing in this section shall require a licensee to provide any information in violation of federal, state or local law or regulation, including laws and regulations relating to privacy and personally identifiable information .

(6)

A licensee shall maintain records of all integrity monitoring services and activities, including all reports and suspicious or illegal wagering activity and any supporting documentation, for a minimum of five (5) years after a sporting event occurs. The licensee shall disclose these records to the racing commission upon request.

(7)

The racing commission may require a licensee to provide any hardware or software necessary to the racing commission, or to an independent testing laboratory approved by the racing commission in the best interests of sports wagering, for evaluation of the licensee's sports wagering offering or to conduct further monitoring of sports wagering data.

Section 12.

Personally Identifiable Information Security.

(1)

Any information obtained in respect to a patron, including confidential information, personally identifiable information, and authentication credentials for a sports wagering account, shall be collected in compliance with the licensee's privacy policies establishedset forth in its internal controls. Both personally identifiable information and the sports wagering account funds shall be considered as critical assets for the purposes of risk assessment.

(2)

AnNo employee or agent of the licensee shall not divulge any confidential information or personally identifiable information related to a patron, the placing of any wager, or any other sensitive information related to the operation of the licensee without the consent of the patron, except as required by this section, the racing commission, and as otherwise required by state or federal law.

(3)

The internal controls shall include procedures for the security and sharing of confidential information, personally identifiable information, funds in a sports wagering account, and other sensitive information as required by the racing commission, including:

(a)

The designation and identification of one (1) or more employees having primary responsibility for the design, implementation, and ongoing evaluation of such procedures and practices;

(b)

The procedures to be used to determine the nature and scope of all information collected, the locations in which such information is stored, and the storage devices on which such information canmay be recorded for purposes of storage or transfer;

(c)

The measures to be utilized to protect information from unauthorized access; and

(d)

The procedures to be used if a breach of data security has occurred, including required notification to the racing commission.

Section 13.

Complaints Pertaining to Sports Wagering. The internal controls shall provide procedures for receiving, investigating, responding to, and reporting on complaints by patrons.

(1)

IfWhen a patron makes a complaint, the licensee shall, within twenty-four (24) hours, promptly issue a complaint report, setting out:

(a)

The name of the complainant;

(b)

The nature of the complaint;

(c)

The name of the persons, if any against whom the complaint was made;

(d)

The date of the complaint; and

(e)

The action taken or proposed to be taken, if any, by the licensee.

(2)

All complaints received by a licensee from a patron and the licensee's responses to complaints shall be retained for at least five (5) years and made available to the racing commission upon requestwithin ten (10) business days of any request by the racing commission.

(3)

A licensee shall investigate and attempt to resolve all complaints with the patron within ten (10) days of the complaint being filed.

Section 14.

Prohibition of Credit Extension. The internal controls shall include controls relating to not allowing the acceptance of a sports wager or deposit of funds into a sports wagering account that is derived from the extension of credit by affiliates or agents of the licensee. For purposes of this section, credit shall not be deemed to have been extended ifwhere, although funds have been deposited into a sports wagering account, the licensee is awaiting actual receipt of thesuch funds in the ordinary course of business.

(1)

Credit providers such as small amount credit contracts shall not be advertised or marketed to patrons.

(2)

A patron shall not be referred to a credit provider to finance their sports wagering activity.

(3)

Personally identifiable information related to a patron shall not be provided to any credit provider.

Section 15.

Prohibited Patrons. The internal controls shall include commercially and technologically reasonable measures to prevent access to sports wagering by any prohibited patrons at a licensed premises and online via Web sitewebsite or mobile application.

(1)

If a licensee detects, or is notified of, an individual suspected of being a prohibited patron who had engaged or is engaging in prohibited sports wagering, the licensee shall use reasonable measures to verify whether the individual is prohibited or not.

(2)

If the licensee is able to establish, by reasonable measures, that the individual is prohibited, the licensee shall cancel a sports wager.

Section 16.

Layoff Wagers. The internal controls shall include procedures for a licensee to accept layoff wagers placed by other licensees and place layoff wagers with other licensees for the purpose of offsetting sports wagers.

(1)

The licensee placing a layoff wager shall inform the licensee accepting the wager that the wager is being placed by a licensee and shall disclose their identity.

(2)

A licensee may decline to accept a layoff wager in its sole discretion.

(3)

Layoff wagers shall be reported to the racing commission dailypromptly.

Section 17.

Reports of Licensees. The internal controls shall includedelineate the licensee's capacity to prepare standard reports related to sports wagering revenues, wagering liability, patron information, payouts, or any combination thereof. The internal controls shall be amended to include any additional reports required by the commission to audit sports wagering activity to ensure that all reports shall beare prepared in accordance with the technical conditions prescribed by the commission pursuant to KRS 230.290or its designee. The internal controls shall provide the licensee's process for the timely filing of the reports prepared pursuant to this section. The internal controls shall detail the licensee's ability to prepare reports considered necessary by the racing commission including reports supporting adjusted gross revenue, wagering liability, and payouts. The licensee shall timely file with the commission any additional reports required by the Act or by any regulation prescribed by the racing commission. Any information provided under this section shall beis confidential and proprietary and shall beis exempt from disclosure unless disclosure is required by 809 KAR Chapter 10this Chapter, by other law, or by court order.

Section 18.

Racing Commission Access to Sports Wagering Data. The internal controls shall establish measures to ensure that all sports wagering data shall be maintained in compliance with KRS Chapter 230 and KAR Title 809. The internal controls shall also establish measures to ensure that all sports wagering data shall bedetail the controls to assure that all sports wagering data the racing commission requires to be maintained under the Act or KAR Title 809 is appropriately segregated and controlled to prevent unauthorized access.

(1)

Licensees shall provide the racing commission with access to all applicablesuch data, upon request and with reasonable notice.

(2)

Licensees shall retain such data for a minimum of five (5) years.

Section 19.

Independent Audit of Internal Controls. Licensees shall have their internal controls independently audited at least once every two (2) years with the results documented in a written report. This shall includeincludes internal controls conducted by an affiliate on behalf of the licensee. Reports shall be maintained and available to the racing commission for at least five (5) years.

(1)

Such Independent audits may be conducted by the racing commission in accordance with KAR Titles 809 and 810 and GLI-33 Standards, or a third-party contractor approved by the racing commission in the best interests of sports wagering. The racing commission may, in its discretion, approve the licensee to complete an internal audit, if the licensee uses an independent auditing team to serve as a third-party contractor for use in completing this audit.

(2)

The racing commission or third-party contractor shall be responsible for auditing the licensee's compliance with KRS Chapter 230the Act and KAR Title 809, the Wagering Procedures and Practices establishedspecified within the GLI-33 Standards, and the internal controls.

(3)

Documentation shall be prepared to evidence all independent audit work performed as it relates to the requirements of this section, including all instances of noncompliance.

(4)

Independent audit reports shall include objectives, procedures and scope, findings and conclusions, and recommendations.

(5)

Independent audit findings shall be reported to management. Management shall be required to respond to the independent audit findings and the stated corrective measures to be taken to avoid recurrence of the audit exception. Such Management responses shall be included in the final independent audit report.

(6)

Follow-up observation and examinations shall be performed to verify that corrective action has been taken regarding all instances of noncompliance cited by the independent audits. The verification shall be performed within six (6) months following the date of notification.

(7)

The licensee mayIt is acceptable to reuse the results of prior audits conducted within the audit period by the same third-party contractor in another sports wagering jurisdiction. ASuch reuse shall be noted in the audit report. This reuse option shalldoes not include any internal controls unique to the Commonwealth, which shall require a new auditwill require new audits.

HISTORY: (50 Ky.R. 561, 1346, 1520; eff. 4-2-2024.)

FILED WITH LRC: December 11, 2023
CONTACT PERSON: Jennifer Wolsing, General Counsel, Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511, phone (859) 246-2040, fax (859) 246-2039, email jennifer.wolsing@ky.gov.

7-Year Expiration: 4/2/2031

Last Updated: 7/1/2024


Page Generated: 9/19/2024, 12:15:11 PM