Chapter 3775-16 | General Sports Gaming Proprietor Duties

(A) Sports gaming proprietors must use a sports gaming system approved by the commission. No wagers may be accepted in the event of a system failure or unavailability.

(B) Sports gaming proprietors must use a sports gaming system designed to prevent and detect the following:

(1) Unauthorized use of an account by someone other than the account holder;

(2) Unauthorized withdrawals from patron accounts;

(3) Wagering by persons under the age of twenty-one;

(4) Wagering by members of the involuntary or voluntary exclusion lists; and

(5) Wagering by other prohibited persons.

(C) Sports gaming proprietors must have procedures governing its sports gaming system. The procedures must include:

(1) A description of, and the inter-relationships and dependencies of, the sports gaming system, hardware, software, and all integrated supplier modules;

(2) A description of physical and logical security of the sports gaming servers;

(3) How it will respond to a failure of the sports gaming system;

(4) Risk management procedures;

(5) Change management procedures;

(6) Procedures for complying with the data match requirements of sections 3123.90 and 3775.16 of the Revised Code; and

(7) Procedures for the prevention and detection of attempts to launder currency.

(D) Each sports gaming proprietor must provide read-only remote access to its sports gaming systems and any hardware or software required to facilitate this access to the commission in a manner prescribed by the executive director. All costs associated with providing this access are the sole responsibility of the sports gaming proprietor.

(E) Each sports gaming proprietor must test the recovery procedures of the sports gaming system on a sample basis at least annually. The results must be documented and available to the commission upon request.

(F) The executive director may require sports gaming systems and equipment be verified by the commission at any time, or as prescribed.

(A) The responsible licensee for each sports gaming system must implement change management policies and procedures for tracking and controlling changes made to the system. The change management policies and procedures must include:

(1) Procedures for testing proposed changes in a non-production environment. The non-production environment must be segregated from the production environment and not have the capability to alter data in the production environment;

(2) Procedures for the classification of changes in accordance with paragraph (B) of this rule;

(3) Procedures for the installation of changes into the production environment;

(4) Procedures for the rollback of changes;

(5) Procedures for documenting each phase of the change management process;

(6) Procedures for logging all changes to the system; and

(7) Policies to ensure appropriate segregation of duties to prevent unintended changes from occurring.

(B) Changes made to sports gaming systems must be reviewed and classified by the responsible licensee as follows:

(1) "High Impact" is any change to, or addition of, components which impact the operational integrity of the system. Components include, but are not limited to, any component deemed to be critical by the certified independent test lab.

(2) "Low Impact" is any other change to the sports gaming system.

(C) High Impact changes require commission notification at least five business days prior to installation. The installation may be denied or delayed at the discretion of the executive director.

(D) Changes made to the sports gaming system that are necessary to remediate an immediate threat or liability may be installed immediately. The commission must be notified of the change within forty-eight hours of implementation.

(E) The executive director may require any changes be tested by a certified independent testing laboratory, with testing completed and a testing laboratory letter provided to the commission within ninety days.

(A) Online sports pool wagers may only be placed through a sports gaming account compliant with the provisions of this rule.

(B) As required by paragraph (B) of section 3775.12 of the Revised Code, a patron must register with a type B sports gaming proprietor and place all wagers on sporting events with a type B sports gaming proprietor through that registration. This registration is to be a sports gaming account compliant with the provisions of this rule.

(C) Each sports gaming proprietor must have procedures for ensuring sports gaming accounts comply with this rule and any other requirements of Chapter 3775. of the Revised Code and the rules adopted thereunder, including ensuring, through commercially reasonable means, that:

(1) An individual who falls into a category of a prohibited person under section 3775.13 of the Revised Code is not permitted to create a sports gaming account, or permitted to continue to make wagers once they become prohibited, for as long as that status applies; and

(2) A patron's identification is re-verified upon reasonable suspicion that the patron's identification or account has been compromised.

(D) Sports gaming proprietors must ensure that all sports gaming accounts:

(1) Include the following information for each patron, and the sports gaming proprietor must update this information each time it becomes aware of changes:

(a) Full legal name;

(b) Date of birth;

(c) Primary address;

(d) Sports gaming account number or username;

(e) If obtained pursuant to paragraph (D)(2)(a) of this rule, the type of government-issued identification examined, the government-issued identification number on the identification, and a digital copy of the identification;

(f) The method and any other information used to verify the patron's identity;

(g) The date of identity verification; and

(h) A history of the wagers placed;

(2) Are only created for patrons whose identities have been successfully verified and documented. Verifying and documenting the patron's identity must include:

(a) Digital or physical examination of the patron's government-issued identification, including the use of verification software designed to confirm the authenticity of the identification; or

(b) Methodology for multi-source authentication, which may include third party and governmental databases, as approved by the executive director;

(3) Provide for the following upon account creation:

(a) A patron must certify that the information provided to the sports gaming proprietor is accurate and they are not an excluded or otherwise prohibited sports gaming participant. The sports gaming proprietor must document this certification;

(b) A patron must acknowledge that the legal age for sports gaming is twenty-one years of age, and that they are prohibited from allowing any other person to access or use their sports gaming account. The sports gaming proprietor must document this acknowledgment; and

(c) A patron must be notified of available responsible gaming resources;

(4) Provide patrons with a readily accessible method for closing an account through the sports gaming proprietor's website or application or upon contact with the proprietor's customer service team. Upon account closure, the patron must be notified of available responsible gaming resources, including a helpline number compliant with paragraph (A)(3) of rule 3775-16-08 of the Administrative Code; and

(5) Provide patrons with on-demand access to a summary statement of all their patron account wagering activity during the past year. In addition, a sports gaming proprietor must provide patrons the ability to request a summary statement of all their patron account wagering activity during the past five years. On-demand access and requests must be accessible through the sports gaming proprietor's website, application, or sports gaming facility.

(E) A sports gaming proprietor may allow a sports gaming account to be deposit-enabled. In addition to the listed requirements, a deposit-enabled account must:

(1) Allow, in accordance with the proprietor's house rules, accounts to be funded only through the use of:

(a) Deposit of cash or vouchers at an approved cashiering or kiosk location;

(b) Credit or debit card;

(c) Promotional credit;

(d) Winnings;

(e) Corrections made by the sports gaming proprietor with documented notification to the patron;

(f) ACH transfer;

(g) Wire transfer; or

(h) Any other means approved by the executive director;

(2) Notify the patron of the establishment of a sports gaming account via electronic mail or regular mail;

(3) Provide patrons with an easy and obvious method, immediately upon initial account registration and at all times through the sports gaming proprietor's website or application, to impose limitations for betting parameters including, but not limited to, deposits, wagers, and time-based limitations. The self-imposed limitation method must provide the following functionality:

(a) Upon receiving any self-imposed limitation request, the sports gaming proprietor must ensure that all specified limits are correctly implemented immediately or at the point in time that was clearly indicated by the patron;

(b) The self-imposed limitations set by a patron must not override more restrictive sports gaming proprietor-imposed limitations. The more restrictive limitations must take priority;

(c) Once established by a patron and implemented by the sports gaming system, it must only be possible to reduce the severity of self-imposed limitations upon the expiration of the self-imposed period; and

(d) An option must be available for patrons to set automatically renewing self-imposed limits;

(4) Include the following additional information for each patron, and the sports gaming proprietor must update this information each time it becomes aware of changes:

(a) Telephone number;

(b) Electronic mail address; and

(c) Social security number, or the last four digits of the social security number, or an equivalent identification number for a noncitizen patron, such as a passport or taxpayer identification number;

(5) Provide patrons the option to protect access to funded sports gaming accounts with multi-factor authentication as approved by the executive director;

(6) Prohibit a patron from transferring funds from a sports gaming account to another sports gaming account;

(7) Allow patrons to withdraw the funds maintained in his or her account, whether such account is open or closed, within five business days of the request. A request for withdrawal will be considered honored if it processed by the sports gaming proprietor notwithstanding a delay by a payment processor, credit card issuer or the custodian of a financial account. If the sports gaming proprietor believes in good faith that the patron engaged in either fraudulent conduct or other conduct that would put the sports gaming proprietor in violation of the law, the sports gaming proprietor may delay the withdraw of funds to investigate or otherwise comply with the law. In such cases, the sports gaming proprietor must:

(a) Provide notice to the patron of the general nature of the investigation of the account; and

(b) Conduct its investigation in a reasonable and expedient fashion, providing the patron additional written notice of the status of the investigation at least every tenth business day starting from the day the original notice was provided to the patron; and

(8) Refund any balance remaining in a sports gaming account closed by a patron according to the account withdrawal requirements of this rule.

(F) A sports gaming proprietor that allows for deposit-enabled sports gaming accounts as described in paragraph (D) of this rule must have procedures in place to ensure that the manual addition or subtraction of funds, by the sports gaming proprietor, in a deposit-enabled sports gaming account are either:

(1) Reviewed for any adjustments of five hundred dollars or less; or

(2) Authorized in advance by supervisory personnel for all other adjustments.

(A) Sports gaming wagers must only be accepted from a verified patron account unless otherwise permitted under Chapter 3775. of the Revised Code and the rules adopted thereunder.

(B) A sports gaming wager must not be knowingly accepted from a person who is placing the wager for the benefit of another or is placing the sports wager in violation of state or federal law.

(C) A sports gaming wager must not be accepted on events for which the outcome has already been determined.

(D) Sports gaming wagers may only be funded through the funding means allowed in paragraph (E)(1) of rule 3775-16-03 of the Administrative Code.

(E) The sports gaming proprietor may, but need not, cancel an accepted wager for obvious error as defined in the proprietor's house rules. If a wager is cancelled for obvious error, the sports gaming proprietor must clearly convey the reason for cancellation to the patron.

(F) Except for obvious error or as otherwise required under Chapter 3775. of the Revised Code and the rules adopted thereunder, the sports gaming proprietor must not cancel any wager without prior written approval of the executive director or at the request of a patron in accordance with the proprietor's required procedures.

(G) If a patron wishes to void a ticket written prior to the start of an event, and the void request is approved by the sports gaming proprietor, the ticket must be verified by the sports wagering system and a refund must be given to the patron. For printed tickets, a void designation must be visible on the ticket.

(H) Winnings from wagers placed from sports gaming accounts, funded pursuant to paragraph (E)(1) of rule 3775-16-03 of the Administrative Code, must be deposited into the sports gaming account upon verification by the sports gaming proprietor.

(I) For type B sports gaming proprietors, winnings from anonymous wagers, as described in paragraph (C) of rule 3775-18-05 of the Administrative Code, must be payable to the patron upon validation of the ticket by the sports gaming system and verification by the sports gaming proprietor.

(J) For type B sports gaming proprietors, in the case of a sports gaming system or power failure, tickets may be manually paid. All manually paid tickets must be marked as "paid" and entered into the sports gaming system as soon as possible to verify the accuracy of the payout. All manually paid tickets must be reviewed as part of the daily audit process. A log for all manually paid tickets must be maintained and include:

(1) The unique transaction identified;

(2) Date and time of the transaction;

(3) Amount of the payout; and

(4) Name of the employee(s) who processed the transaction.

(A) Upon completion of a sports gaming wager, the patron must receive an unalterable virtual or printed wager record from the sports gaming system which must contain, at a minimum, the following information:

(1) Sports gaming proprietor name;

(2) The date and time the wager was placed;

(3) The date and time the event is expected to occur;

(4) Any patron choices involved in the wager, including:

(a) Wager selection;

(b) Type of wager and line postings;

(c) Any special condition(s) applying to the wager; and

(d) Pay out, applicable at the time the wager is placed;

(5) Total amount wagered, including any promotional credits, if applicable;

(6) The identifier for the sporting event or series of sporting events;

(7) Unique identification number of the wager record;

(8) Expiration period or expiration date (applicable to all tickets not automatically paid pursuant to paragraph (H) of rule 3775-16-04 of the Administrative Code);

(9) A problem gambling message, including a helpline number compliant with paragraph (A)(3) of rule 3775-16-08 of the Administrative Code; and

(10) The unique sports gaming device ID that issued the wager record, if applicable.

(B) As required under Chapter 3775. of the Revised Code, all winning sports gaming tickets expire one year from the last day on which the relevant sporting event is held. For tickets involving multiple sporting events, the expiration date is one year from the last day on which the last relevant sporting event on the ticket is held. Each sports gaming proprietor must, on the last business day of each month, pay the winnings from all tickets which have expired to the commission, which will deposit them into the sports gaming revenue fund.

(C) Unless otherwise approved by the executive director, all payments required by paragraph (B) of this rule must be in the form of an electronic funds transfer payable to the treasurer of the state of Ohio.

(D) The sports gaming proprietor must notify the commission of payments made under paragraph (B) of this rule and provide supporting information for the payments in the format prescribed by the executive director.

(A) Each sports gaming proprietor must always maintain a reserve in an amount that is equal to or greater than the amount necessary to ensure the sports gaming proprietor's ability to cover the sum of all amounts accepted by a sports gaming proprietor on sporting events whose outcomes have not been determined, money owed but unpaid by the sports gaming proprietor to patrons on winning wagers, and the funds held for patron accounts.

(B) Reserve funds must be held separate from operational funds in a manner approved by the executive director.

(C) The reserve funds must be held in the form of cash, cash equivalents, payment processor reserves, payment processor receivables, an irrevocable letter of credit, a bond, or a combination thereof.

(D) Sports gaming proprietors must notify the commission no less than ninety days prior to ceasing operations and provide a written plan to settle any outstanding liabilities and refund player account funds.

(A) Sports gaming proprietors may conduct sports gaming tournaments. Only sporting events and wager types listed as approved in the commission's catalogue are authorized for use in a tournament.

(B) Sports gaming proprietors must maintain and make the tournament rules available to all tournament patrons prior to the beginning of the tournament.

(C) The tournament rules and procedures must include but are not limited to:

(1) Qualification or selection criteria that limit the eligibility of tournament patrons;

(2) Regulations of the tournament (e.g., beginning and ending times, number of events, entry fee, elimination factors, cash handling procedures, etc.); and

(3) The nature and value of prizes to be awarded.

(A) All sports gaming advertisements must:

(1) Clearly convey the conditions under which sports gaming is being offered, including information about the cost to participate and the nature of any promotions and information to assist patrons in understanding the odds of winning. Any material conditions or limiting factors must be clearly and conspicuously specified. If an advertisement is not of sufficient size or duration to permit inclusion of such information, that advertisement shall refer to a website or application that does prominently include such information within one click;

(2) Disclose the identity of the sports gaming proprietor, mobile management services provider, or management services provider, as applicable; and

(3) Clearly and conspicuously include messages designed to prevent problem gambling and provide information about how to access resources related to problem gambling, including one of the following:

(a) The national council on problem gambling's twenty-four hour confidential helpline;

(b) The problem gambling helpline number established under section 3772.062 of the Revised Code; or

(c) Another helpline approved by the executive director that is free of charge to the caller.

(B) Sports gaming advertisements must not:

(1) Depict any individual under the age of twenty-one, except live footage or images of athletes in sporting events on which sports gaming is permitted. Any individual under the age of twenty-one may not be depicted in any way that may be construed as the underage individual participating in or endorsing sports gaming;

(2) Target individuals under the age of twenty-one, other individuals who are ineligible to participate in sports gaming, individuals with gambling problems, or other vulnerable individuals;

(3) Obscure any material fact;

(4) Be false, deceptive, or misleading; or

(5) Promote irresponsible or excessive participation in sports gaming, or suggest that social, financial, or personal success is guaranteed by engaging in sports gaming.

(C) Each direct advertisement, or an advertisement disseminated to a specific individual or individuals, must clearly and conspicuously describe a method by which an individual may opt out of receiving future advertisements. If the direct advertisement is sent via electronic mail, the described opt out method must include either electronic mail or a linked online website. All other direct advertisements must include at least one of the following methods to opt out:

(1) Telephone;

(2) Regular U.S. mail;

(3) Online website or mobile application; or

(4) Electronic mail.

(D) A sports gaming proprietor must act upon a request for opt out pursuant to paragraph (C) of this rule within fifteen days of receipt to ensure the individual will no longer receive advertisements.

(E) A sports gaming proprietor must not advertise or promote on college or university campuses located in the state of Ohio except for generally available advertising, including television, radio, and digital advertising. Any advertisement shown to be targeting the area of a college or university campus is not generally available and will be a violation of this paragraph.

(F) Sports gaming advertisements, including logos, trademarks, or brands must not be used, or licensed for use, on products, clothing, toys, games, or game equipment intended primarily for persons under twenty-one years of age.

(G) A sports gaming proprietor must cease the dissemination of an advertisement upon discovery that the advertisement fails to continue to comply with this rule or if required by the executive director because the advertisement fails to comply with Chapter 3775. of the Revised Code, or the rules adopted thereunder, or otherwise undermines the integrity of sports gaming.

(H) Sports gaming advertisements can only be disseminated in Ohio for sports gaming proprietor applicants or licensees, unless the advertisement disclaims that the offerings are not available in Ohio or otherwise makes clear that the offerings are not intended for use in Ohio.

(I) Affiliate marketers need not obtain a supplier license under rule 3775-4-08 of the Administrative Code solely as a result of their conduct as an affiliate marketer but must comply with all aspects of this rule and must not otherwise advertise forms of illegal gambling or gaming in Ohio. The commission may require a sports gaming proprietor to terminate an affiliate marketer contract if the affiliate marketer has violated Chapter 3775. of the Revised Code or the rules adopted thereunder.

(A) Sports gaming proprietors may offer promotions and bonuses.

(B) The promotion or bonus rules must be clear and unambiguous, and include:

(1) Date and time the promotion or bonus is active and expires;

(2) Rules of play;

(3) Nature and value of prizes or awards;

(4) Eligibility restrictions or limitations;

(5) Wagering and redemption requirements, including any limitations;

(6) Eligible events or wagers;

(7) Cancellation requirements; and

(8) Terms and conditions that are full, accurate, concise, transparent, and do not contain misleading information.

(C) Promotions or bonuses described as free or risk-free must not require the patron to incur any loss or risk their own money to use or withdraw winnings from the free wager.

(D) Promotions or bonuses may require promotion or bonus funds be played through in order to be withdrawn but must not restrict the patron from withdrawing their own funds or withdrawing winnings from wagers placed using their own funds.

(E) Sports gaming proprietors must make the promotion or bonus rules available to patrons and the commission.

(F) Sports gaming proprietors must have procedures for the issuance, acceptance, and tracking of promotions or bonuses.

(G) A sports gaming proprietor must cease the offering of a promotion or bonus upon discovery that the promotion or bonus fails to comply with this rule or if required by the executive director because the promotion or bonus fails to comply with Chapter 3775. of the Revised Code or the rules adopted thereunder or otherwise undermines the integrity of sports gaming.

(A) Each sports gaming proprietor must contract with a certified independent integrity monitor for the purposes of monitoring sports gaming conducted in this state. The contract should include any restrictions on dissemination of data by the certified independent integrity monitor and the sports gaming proprietor.

(B) Each sports gaming proprietor must have procedures for monitoring all sports gaming activity and for identifying activity it believes to be unusual, including reports of unusual sports gaming activity received from its contracted certified independent integrity monitor.

(C) Sports gaming proprietor employees conducting monitoring activities must hold a sports gaming employee license when the employees duties are such that the individual has the ability to alter material aspects of sports gaming conducted by a sports gaming proprietor.

(D) Each sports gaming proprietor must provide to its contracted certified independent integrity monitor the underlying data for sports gaming activity the proprietor deems to be unusual. Data must be provided as soon as practically possible. The data must be provided in a format and method approved by the executive director and include, at a minimum, the following information for each related sports gaming transaction:

(1) Time;

(2) Odds;

(3) Location;

(4) Wager amount;

(5) Win amount;

(6) Wager type;

(7) Team, side, total, or other statistic the wager was placed upon; and

(8) Any other information required by the executive director.

(E) A sports gaming proprietor may provide the data required under this rule in a manner which removes the personally identifiable information of patrons.

(F) A sports gaming proprietor receiving a report of suspicious betting activity may suspend their related offerings. Proprietors may not cancel previously accepted related wagers unless the cancellation is approved by the executive director.

(G) All integrity monitoring reports and associated data are not public records and can only be shared or used to the extent allowed under Chapter 3775. of the Revised Code and the rules adopted thereunder.

(A) A list of pending and denied requests will be readily available on the commission's website.

(B) A sports gaming proprietor must not submit a request for the addition of any item that is currently in pending status.

(C) If a request is denied by the executive director, any substantially similar request may not be made for the period of time designated in the sports gaming catalogue.

(A) As enumerated, described, and defined in division (F) of section 3775.13 of the Revised Code:

(1) A sports gaming proprietor must employ commercially reasonable methods to prevent any person involved in a sporting event with respect to which sports gaming is permitted from engaging in any sports gaming with the sports gaming proprietor, based on publicly available information and any information garnered under paragraph (A)(2) of this rule.

(2) A sports governing body must have a procedure for providing to the commission a list of persons who are involved in sporting events, including those persons' full legal names, dates of birth, and social security numbers, for the purpose of preventing those persons from engaging in sports gaming. The commission will make the list available to each sports gaming proprietor and to the state lottery commission. The Ohio casino control commission, the state lottery commission, and each sports gaming proprietor must keep the information in the list confidential.

(3) A person is considered to be involved in a sporting event if the person is an athlete, participant, coach, referee, team owner, or sports governing body with respect to the sporting event; any agent or employee of such an athlete, participant, coach, referee, team owner, or sports governing body; and any agent or employee of an athlete, participant, or referee union with respect to the sporting event.

(B) The executive director must approve the procedure in paragraph (A)(2) of this rule. The procedure must adequately protect the personally identifiable information of the persons involved in sporting events.

(A) A sports governing body may request anonymized sports gaming data from a sports gaming proprietor if the sports governing body believes that the integrity of one of its sporting events is in question. This request must be appropriately tailored and must include:

(1) The name of the sports governing body;

(2) The contact information of an individual who the sports gaming proprietor or commission may contact if additional information is needed;

(3) The particular sporting event or events at issue;

(4) The data requested, including the specific data types or fields;

(5) A brief description of the reason for the sports governing body's belief and how the data requested will be of assistance;

(6) Procedures for how the sports governing body will protect the confidentiality of the data; and

(7) Any other information that may be requested on a specified form.

(B) Data provided under this rule must be anonymized and free of any patron personal information.

(C) Upon receipt of a valid request for data, a sports gaming proprietor must promptly provide the requested data. If the sports governing body and the sports gaming proprietor cannot come to an agreement on whether the request is valid, the request must be sent to the commission for review. The executive director will determine if the request is valid and will notify the sports governing body and sports gaming proprietor of this decision. If the executive director determines that the request is valid the sports gaming proprietor must promptly provide the requested data.

(D) Any information or data provided by a sports governing body or a sports gaming proprietor pursuant to this rule is confidential and is not to be shared or used for any reason or purpose not contained here, except as otherwise required by law or order of the commission, or pursuant to an agreement between a sports governing body and a sports gaming proprietor.

(A) A state university, as defined in section 3345.011 of the Revised Code, may submit a request to receive anonymized data from a sports gaming proprietor. Valid requests must clearly fulfill one of the following purposes and must be appropriately tailored for the stated purpose:

(1) To assist the commission, at the request of the executive director, in ensuring the integrity of sports gaming; or

(2) To improve state-funded services related to responsible gambling and problem gambling.

(B) The state university's request must include the following information:

(1) The name of the state university;

(2) The contact information of an individual who the sports gaming proprietor or commission may contact if additional information is needed;

(3) The data requested including the specific data types or fields;

(4) The research purpose of the request, including a specific description of how the data will be used to meet a permitted purpose under paragraph (A) of this rule;

(5) Who, if anyone, the data may be shared with outside of the university;

(6) Procedures for how the university will protect the confidentiality of the data; and

(7) Any other information required by the executive director.

(C) Data provided under this rule must be anonymized and free of any patron personal information.

(D) Upon receipt of a valid request for data, a sports gaming proprietor must promptly provide the requested data to the state university. If the state university and the sports gaming proprietor cannot come to an agreement on if the request is valid, the request must be sent to the commission for review. The executive director will determine if the request is valid and will notify the state university and sports gaming proprietor of this decision. If the executive director determines that the request is valid the sports gaming proprietor must promptly provide the requested data.

(E) Any information or data provided by a sports gaming proprietor to a state university may not be used or shared, except as provided in division (B)(13) of section 3775.02 of the Revised Code.

(A) Sports gaming proprietors must maintain an information technology department that is responsible for the quality, reliability, and accuracy of all electronic systems used in the operation.

(B) Each sports gaming proprietor must maintain IT security insurance as approved by the executive director.

(C) Sports gaming proprietors must ensure that duties in the information technology department are adequately segregated and monitored to detect procedural errors, unauthorized access to financial transactions and assets, and to prevent the concealment of fraud.

(D) The information technology environment and infrastructure must be maintained in a secured physical location that is restricted to authorized employees.

(E) Sports gaming proprietors must adopt procedures for responding to, monitoring, investigating, resolving, documenting, and reporting security incidents associated with information technology systems.

(A) Sports gaming proprietors must maintain and make available to patrons a privacy policy governing its use and storage of patron confidential information.

(B) Sports gaming proprietors must ensure compliance with applicable state and federal requirements and industry standards for protecting the privacy and security of sports gaming patrons and their accounts.

(A) Sports gaming proprietors must immediately report to the commission in a manner prescribed by the executive director, any information in the sports gaming proprietor's possession related to any of the following:

(1) Any wager in violation of Chapter 3775. of the Revised Code or the rules adopted thereunder or of federal law;

(2) Any conduct that corrupts a betting outcome of a sporting event for purposes of financial gain;

(3) Any IT security breach or other compromising IT risk;

(4) Any breaches of confidentiality of a patron's personal information;

(5) Any physical security breach or other compromising risk to patrons, employees, or the commission; and

(6) Any other incident type required by the executive director.

(B) Sports gaming proprietors must have procedures to prevent, detect, and report to the commission attempts to launder money through any of its Ohio licensed sports gaming offerings.

(A) Each sports gaming proprietor must have procedures and systems for the preparation, use, and maintenance of complete, accurate, and legible accounting and gaming records, which must include all transactions.

(B) All books, forms, records, documents, and data submitted to the commission must have the name of the entity, date of completion, and the title of the book, form, record, document, or stored data.

(C) General accounting records must be maintained on a double-entry system of accounting with transactions recorded on a basis consistent with generally accepted accounting principles.

(D) Each sports gaming proprietor must comply with Chapter 5753. of the Revised Code and with any requests of the tax commissioner.

(E) Each sports gaming proprietor must have documented revenue audit procedures. Documentation must be maintained evidencing the performance of all revenue audit procedures, any exceptions noted, and follow-up of all exceptions. The executive director will prescribe the method of documentation and may require additions or modifications to revenue audit procedures.

(A) Sports gaming proprietors must maintain one of the following to annually assess compliance with sports gaming law:

(1) A separate internal audit department which is independent of the sports gaming operation and may be the internal audit department of a parent entity of the sports gaming proprietor; or

(2) A contracted third party independent registered certified public accounting firm licensed to practice in this state, whose name and lead audit partner or other person responsible for the engagement are reported to the commission before the start of the engagement.

(B) The internal audit department or contracted third party must audit the sports gaming proprietor's compliance with Chapter 3775. of the Revised Code and the rules adopted thereunder, the house rules, required procedures, and any other applicable rules and regulations, as required by the executive director.

(C) The internal audit department or contracted third party must follow the standards, conventions, and rules governing audits in the United States.

(D) The audit satisfying the requirements of this rule must be performed at least annually with the results documented in an audit report that must be provided to the commission.

(E) Documentation must be maintained to evidence all work performed as it relates to the requirements of this rule, including all instances of noncompliance.

(F) Follow-up observations and examinations must be performed to verify that corrective action has been taken regarding all instances of noncompliance. The verification must be performed within six months following the date of notification.

(G) The commission may require the termination of any audit engagement under this rule due to lack of qualification, independence, or capacity or a finding that the contract or conduct performed thereunder poses a material risk to the integrity of sports gaming in this state. The invalidation process is an action against the sports gaming proprietor that is subject to the hearing procedures and disciplinary actions provided for under rules 3775-1-07 and 3775-1-08 of the Administrative Code, respectively. If an audit engagement contract is terminated, the sports gaming proprietor must enter into a new audit engagement contract to ensure the requirements of this rule are met.

(A) Each sports gaming proprietor, excluding an appointing professional sports organization; mobile management services provider; and management services provider must have its annual financial statements audited by an independent registered certified public accounting firm licensed to practice in this state. The audit must be in accordance with generally accepted auditing standards and, when applicable, the standards of the accountancy board. The sports gaming proprietor, mobile management services provider, or management services provider must report to the commission the name of the independent registered certified public accounting firm as well as the lead audit partner or other individual taking primary responsibility for the financial statement audit engagement before the start of the engagement.

(B) The lead audit partner or other individual taking primary responsibility for the financial statement audit engagement may serve a maximum of five years in such a position before being required to rotate off the engagement.

(C) The annual financial statements audit must be prepared on a comparative basis for the current and prior fiscal years and present financial position and results of operations in conformity with generally accepted accounting principles.

(D) The audit required by paragraph (A) of this rule must be filed with the commission, in a format determined by the executive director, within one hundred twenty days following the end of the fiscal year.

(E) Each sports gaming proprietor must contract with an independent third party to perform an IT audit. The third party must be approved by the executive director as qualified, independent, and capable of performing the audit. The audits must be performed, and a copy of the report provided to the commission, within ninety days of commencing initial operations and at least once each calendar year. The audit and corresponding report must assess the following:

(1) The design, controls, maintenance, and security of the sports gaming proprietor's IT systems;

(2) The sports gaming proprietor's compliance with the IT and sports gaming system requirements of this chapter; and

(3) Any other subject required by the executive director.

(F) The sports gaming proprietor must file with the commission the report required by paragraph (E) of this rule in a format determined by the executive director within one hundred twenty days following the end of the fiscal year or upon receipt, whichever is earlier.

(G) At any time, the executive director may require a special audit of a sports gaming proprietor, mobile management services provider, or management services provider by commission personnel, an independent registered certified public accounting firm, or any other third party the executive director approves as qualified, independent, and capable of performing the special audit. The scope, procedures, and reporting requirements of any special audit are to be established by the executive director.

(H) The sports gaming proprietor, mobile management services provider, or management services provider must notify the commission of any report that is filed, or required to be filed, with the securities and exchange commission or other securities regulatory agency.

(I) All audits and reports required by this rule are to be prepared at the sole expense of the sports gaming proprietor, mobile management services provider, or management services provider.

(J) The commission may require the termination of any audit engagement under this rule due to lack of qualification, independence, or capacity or a finding that the contract or conduct performed thereunder poses a material risk to the integrity of sports gaming in this state. The invalidation process is an action against the sports gaming proprietor, mobile management services provider, or management services provider that is subject to the hearing procedures and disciplinary actions provided for under rules 3775-1-07 and 3775-1-08 of the Administrative Code, respectively. If an audit engagement contract is terminated, the sports gaming proprietor, mobile management services provider, or management services provider must enter into a new audit engagement contract to ensure the requirements of this rule are met.

(K) Each sports gaming proprietor, mobile management services provider, or management services provider must file with the commission a copy of any suspicious activity report filed with the "Financial Crimes Enforcement Network" related to the conduct of sports gaming in this state.

(A) Whenever a sports gaming proprietor refuses payment of alleged winnings to a patron or there is otherwise a dispute with a patron regarding their patron account, wagers, wins, or losses from sports gaming, and the sports gaming proprietor and the patron are unable to resolve the dispute to the satisfaction of the patron, the sports gaming proprietor must notify the patron of their right to file a written complaint. The notice, which may be satisfied by directing a patron to information housed on the sports gaming proprietor's website or application, must include the procedure for filing a written complaint and the sports gaming proprietor's complaint resolution process.

(B) Upon receipt of a written complaint, the sports gaming proprietor must investigate and provide a written response to the patron within ten business days. If a sports gaming proprietor needs additional time to investigate or resolve a complaint beyond the ten business days, the patron must be notified of the need for additional time and be given an expected time frame in which the complaint may be resolved. The ultimate response may include a statement that if the dispute is not resolved to the satisfaction of the patron, the patron may submit their complaint in writing to the commission.