[Federal Register Volume 73, Number 198 (Friday, October 10, 2008)]
[Rules and Regulations]
[Pages 60492-60508]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-23081]



  Federal Register / Vol. 73, No. 198 / Friday, October 10, 2008 / 
Rules and Regulations  

[[Page 60492]]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

National Indian Gaming Commission

25 CFR Parts 542 and 543

RIN 3141-AA37


Minimum Internal Control Standards for Class II Gaming

AGENCY: National Indian Gaming Commission (``NIGC'' or ``Commission''), 
Interior.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule supersedes certain specified sections of the current 
Minimum Internal Control Standards and replaces them with a new part 
titled Minimum Internal Control Standards for Class II Gaming. Since 
the implementation of Minimum Internal Control Standards (MICS), it 
became obvious that the MICS require technical adjustments and 
revisions so that they can effectively protect tribal assets, while 
still allowing tribes to utilize technological advances in the gaming 
industry. This rule applies only to Class II games.

DATES: This regulation is effective November 10, 2008, except for the 
amendments to Sec. Sec.  542.7 and 542.16, which are effective October 
13, 2009. The incorporation by reference of certain publications listed 
in the rule is approved by the Director of the Federal Register as of 
November 10, 2008. Existing operations must develop tribal internal 
controls (TICS) within six months of the effective date and must 
implement those controls within 6 months of the development of the 
TICS. New operations (those that are not open on the effective date) 
must develop and implement the TICS when they open.

FOR FURTHER INFORMATION CONTACT: Joe H. Smith, Director of Audits, 
telephone 202-632-7003. This is not a toll free call.

SUPPLEMENTARY INFORMATION:

Withdrawal of Classification Standards and Amendment to Definition of 
Facsimile

    The Commission has withdrawn the Classification standards it 
proposed on October 24, 2007. ``Classification Standards for Bingo, 
Lotto, Etc. as Class II Gaming When Played Through an Electronic Medium 
Using `Electronic Computer, or Other Technologic Aids.' '' 72 FR 60483. 
The Commission has also withdrawn the amendment to the definition of 
``electronic or electromechanical facsimile,'' also proposed on October 
24, 2007. ``Definition for Electronic or Electromechanical Facsimile.'' 
72 FR 60482. See the Commission's notices of withdrawal, published 
simultaneously.

Background

    On October 17, 1988, Congress enacted the Indian Gaming Regulatory 
Act (``IGRA'' or ``Act''), 25 U.S.C. 2701-21, creating the National 
Indian Gaming Commission (``NIGC'' or ``Commission'') and developing a 
comprehensive framework for the regulation of gaming on Indian lands. 
25 U.S.C. 2702. The NIGC was granted, among other things, the authority 
to promulgate such regulations and guidelines as it deems appropriate 
to implement the provisions of IGRA, 25 U.S.C. 2706(b)(10), as well as 
oversight and enforcement authority, including the authority to monitor 
tribal compliance with the Act, Commission regulations, and tribal 
gaming ordinances.
    The Commission believes that the importance of internal control 
systems in the casino operating environment cannot be overemphasized. 
While this is true of any industry, it is particularly true and 
relevant to the revenue generation processes of a gaming enterprise, 
which, because of the physical and technical aspects of the games and 
their operation and the randomness of game outcomes, makes exacting 
internal controls mandatory. The internal control systems are the 
primary management procedures used to protect the operational integrity 
of gambling games, account for and protect gaming assets and revenues, 
and assure the reliability of the financial statements for Class II and 
III gaming operations. Consequently, internal control systems are a 
vitally important part of properly regulated gaming. Internal control 
systems govern the gaming enterprise's governing board, management, and 
other personnel who are responsible for providing reasonable assurance 
regarding the achievement of the enterprise's objectives, which 
typically include operational integrity, effectiveness and efficiency, 
reliable financial statement reporting, and compliance with applicable 
laws and regulations.
    The Commission believes that strict regulations, such as the MICS, 
are not only appropriate but necessary for it to fulfill its 
responsibilities under the IGRA to establish necessary baseline, or 
minimum, Federal standards for all Tribal gaming operations on Indian 
lands. 25 U.S.C. 2702(3). Although the Commission recognizes that many 
Tribes had sophisticated internal control standards in place prior to 
the Commission's original promulgation of its MICS, the Commission also 
continues to believe that promulgation and revision of these standards 
is necessary and appropriate to effectively implement the provisions of 
the IGRA and, therefore, within the Commission's clearly expressed 
statutory power and duty under Section 2706(b)(10) of the Act.
    On February 22, 2007, the Commission held a meeting of its 
Classification Standards Advisory Committee. At this meeting the tribal 
representatives on the committee presented to the Commission a draft of 
descriptive technical standards for Class II gaming. As the technical 
standards were being developed the Commission realized that many of the 
provisions being considered for inclusion were not technical standards 
but rather internal controls. After reviewing the technical standards 
draft, the Commission decided that for the technical standards to be 
effective, it would have to make changes to its existing minimum 
internal control standards (MICS). The updating of MICS will be done in 
phases with the first phase limited to those areas that have a direct 
impact on the technical standards that are being issued 
simultaneously--specifically bingo and other games similar to bingo.
    Currently, MICS for both Class II and Class III gaming are 
contained in 25 CFR part 542. As there are some essential differences 
between Class II and Class III gaming, the Commission decided that 
there should be separate MICS for Class II and Class III gaming. 
Therefore, the Commission is adopting a new part 543 that would be 
limited to Class II gaming.
    To complete this task, the Commission requested that its standing 
MICS Advisory Committee embark on an aggressive schedule to complete 
the new draft part 543 to be published concurrently with the publishing 
of technical standards. Additionally, members of the Classification 
Standards Advisory Committee assisted in drafting MICS revisions to 
ensure that any changes were consistent with the draft technical 
standards. The Commission had originally planned to reflect the 
structure of part 542 in the drafting of new part 543. The controls in 
part 542 are categorized by the type of game they apply to or by an 
area within the gaming operation. However, during a MICS Advisory 
Committee meeting held on June 25, 2007, in Dallas, Texas, tribal 
representatives on the MICS Committee urged the Commission to adopt a 
format for the new MICS regulations different than the one originally 
proposed by the Commission. This alternative format focused on the type 
of game rather than the function that is being performed. This format 
represented a departure

[[Page 60493]]

from the longstanding practice of establishing controls specific to 
functions. Following this meeting, the Commission decided to go forward 
with the suggested alternative format. This new format is a one-size-
fits-all set of controls governing the game of bingo and games similar 
to bingo, whether played manually or electronically, without regard to 
how the game actually functions.
    The tribal representatives to the MICS Committee utilized a working 
group, referred to by them as the Tribal Gaming Working Group (TGWG), 
to solicit information from tribal regulators, operators, and 
manufacturers. Tribal representatives requested that they be allowed 
time to consult with this group before providing advice to the 
Commission. The Commission agreed and between June and September 2007, 
the TGWG met several times in person and conducted numerous conference 
calls. The Commission did not participate in the establishment of this 
working group. However, Commission staff was invited to attend all of 
the meetings and participate in some of the conference calls. The 
Commission felt it was important to make staff available to this 
working group to answer questions about the goals of the Commission in 
drafting regulation revisions. Commission staff participated in this 
capacity during in-person meetings on July 15, 2007, in Seattle, 
Washington; on July 24, 2007, in Arlington, Virginia; and on August 13 
and 27, 2007 in Las Vegas, Nevada.
    The Commission is grateful to the tribal representatives on the 
MICS Advisory Committee and to those who assisted the tribal 
representatives for all of their hard work and for the high quality 
draft minimum internal control regulations that resulted from their 
efforts. The rule is largely adopted from the final draft MICS, 
delivered to the Commission by the tribal representatives of the 
Advisory Committee on September 4, 2007.
    The full committee, including the Commission, met to discuss the 
draft on September 12, 2007, in Arlington, Virginia. During this 
meeting the Commission raised questions about the draft regulations and 
received responses from the tribal representatives. The Commission also 
allowed members of the audience to make comments on the draft MICS as 
well as the process for developing them.
    There are places, of course, where the Commission felt it could not 
accept the MICS Committee's recommendations. As such, the Commission 
proposed rules that were at times more stringent and at times less 
stringent than those recommended by the Committee.
    While it will eventually be necessary to bring many of the controls 
currently contained in part 542 into new part 543, in order to have 
separate and independent MICS for Class II and Class III gaming, the 
Commission felt it was necessary to structure this migration in phases. 
The most immediate concern was the controls related to bingo and other 
games similar to bingo. These controls were addressed first so that the 
Class II MICS would not conflict with proposed technical standards. 
Accordingly, the proposed rule addresses only the game of bingo, other 
games similar to bingo, and directly related information technology 
controls. Many of the provisions of part 542 will remain effective and 
applicable to class II games until such time as replacement regulations 
are enacted by the Commission.
    The second phase of this process of developing a comprehensive set 
of Class II MICS will address forms of Class II gaming other than bingo 
and games similar to bingo, such as pull-tabs and poker, and will 
codify the rules governing the processes that support the games, such 
as drop and count, cage, credit and internal audit. Furthermore, just 
as with part 542, the concept of tier classification will be preserved, 
so that smaller gaming operations will be subject to a set of MICS 
better tailored to the risks found in small gaming operations and the 
resources available for addressing them.

Regulatory Matters

Regulatory Flexibility Act

    The Regulatory Flexibility Act generally requires an agency to 
prepare a regulatory flexibility analysis of any rule subject to notice 
and comment rulemaking requirements under the Administrative Procedure 
Act or any other statute, unless the agency certifies that the rule 
will not have a significant economic impact on a substantial number of 
small entities. Small entities include small businesses, small 
organizations, and small governmental jurisdictions.
    For purposes of assessing the impact of the MICS on small entities, 
``small entity'' is defined as: (1) A small business that meets the 
definition of a small business found in the Small Business Act and 
codified at 13 CFR 121.201; (2) a small governmental jurisdiction that 
is a government of a city, county, town, school district or special 
district with a population of less than 50,000; and (3) a small 
organization that is any not-for-profit enterprise that is 
independently owned and operated and is not dominant in its field.
    Indian tribes and tribal casinos do not meet this definition. 
Tribes are excluded from the governmental jurisdictions listed under 
(2), and tribally owned casinos are not ordinary commercial activities 
but are tribal governmental operations.
    In determining whether a rule has a significant economic impact on 
a substantial number of small entities, the impact of concern is any 
significant adverse economic impact on small entities, because the 
primary purpose of the regulatory flexibility analyses is to identify 
and address regulatory alternatives ``which minimize any significant 
economic impact of the proposed rule on small entities.'' 5 U.S.C. 603 
and 604. Thus, an agency may certify that a rule will not have a 
significant economic impact on a substantial number of small entities 
if the rule relieves regulatory burden, or otherwise has a positive 
economic effect on all of the small entities subject to the rule.
    As a practical matter, the economic impacts of the MICS will fall 
primarily upon the Indian tribes. The MICS impose some direct costs 
upon gaming tribes--regulatory compliance costs, for example. 
Accordingly, the Commission certifies that this action will not have a 
significant economic impact on a substantial number of small entities.

Small Business Regulatory Enforcement Fairness Act

    This rule is not a major rule under 5 U.S.C. 804(2), the Small 
Business Regulatory Enforcement Fairness Act. This rule does not have 
an annual effect on the economy of $100 million dollars or more. This 
rule will not cause a major increase in costs or prices for consumers, 
individual industries, federal, state or local government agencies or 
geographic regions and does not have a significant adverse effect on 
competition, employment, investment, productivity, innovation, or the 
ability of U.S. based enterprises to compete with foreign-based 
enterprises. The Commission has determined that the cost of compliance 
with this regulation shall be minimal for several reasons. First, part 
542 has been in effect since 1999 and requires that all Indian gaming 
operations be in compliance with the MICS. Second, considering that the 
Indian gaming industry spent approximately $419 million in 2006 on 
regulation and given the testimony of various tribal and industry 
leaders, it can be assumed that almost all gaming operations are 
compliant with part 542

[[Page 60494]]

or more stringent tribal internal control standards. Given the 
widespread compliance with part 542, the cost of complying with new 
part 543 should be minimal. Finally, the Commission contracted for a 
cost-benefit analysis for this rule as part of a package of four rules. 
The Commission decided not to go forward with the rules that would have 
a significant economic impact on the tribes. The study concluded that 
the cost of the MICS would not be significant. Specifically, the report 
states that the promulgation of MICS and technical standards is 
estimated to cost 7.8 million annualized over ten years. Accordingly, 
the MICS are not a major rule within the meaning of 5 U.S.C. 804.2, the 
Small Business Regulatory Enforcement Fairness Act. The Commission's 
cost-benefit analysis is available for review at the Commission's web 
site, www.nigc.gov, or by request using the addresses or telephone 
numbers, above.

Paperwork Reduction Act

    This regulation requires an information collection under the 
Paperwork Reduction Act, 44 U.S.C. 3501 et seq., as did the regulation 
it replaces. There is no change to the paperwork requirements created 
by this rule.

Unfunded Mandates Reform Act

    The Commission, as an independent regulatory agency within the 
Department of the Interior, is exempt from compliance with the Unfunded 
Mandates Reform Act, 2 U.S.C. 1502(1); 2 U.S.C. 658(1).

Takings

    In accordance with Executive Order 12630, the Commission has 
determined that this rule does not have significant takings 
implications. A takings implication assessment is not required.

Civil Justice Reform

    In accordance with Executive Order 12988, the Office of General 
Counsel has determined that the rule does not unduly burden the 
judicial system and meets the requirements of sections 3(a) and 3(b)(2) 
of the Order.

National Environmental Policy Act

    The Commission has determined that this rule does not constitute a 
major federal action significantly affecting the quality of the human 
environment and that no detailed statement is required pursuant to the 
National Environmental Policy Act of 1969, 42 U.S.C. 4321 et seq.

Comments to Class II Minimum Internal Control Standards

    We requested written comments from the public on the proposed Class 
II Minimum Internal Control Standards (72 FR 60495) during the comment 
period that opened on October 24, 2007, and closed on March 9, 2008. 
This proposed rule was published on the same day as three other 
proposed rules related to the regulation of Class II gaming. During the 
comment period, we received many comments that were not specific to the 
MICS but rather referred to the package of Class II rules proposed on 
October 24, 2007. Only a few of these comments were specific to the 
MICS. However, we considered the general comments as applying to the 
MICS as well as to the rest of the package. The comments are grouped 
based on the common topics addressed. The Commission carefully reviewed 
all comments and where appropriate revised the final rule to reflect 
those comments. The comments and the NIGC responses follow.

Comments Regarding Publication of the Proposed Class II MICS

    Comment: The publishing of 5 proposed regulations simultaneously 
violates the federal trust responsibility and contravenes Executive 
Order 13175.
    Response: The Commission published 4 proposed rules simultaneously 
as part of one package related to class II gaming. Since the rules all 
pertained to the regulation of Class II gaming activities the 
Commission determined that it was important for all interested parties 
to consider all of the parts at once. The other regulation published by 
the Commission was the facility licensing regulations that were not 
part of the previously mentioned package. We disagree that following 
the notice and comment requirements of the Administrative Procedures 
Act violates the trust responsibility.
    Further, Congress has made abundantly clear that it intended the 
Commission to be an independent regulatory agency and, as such, exempt 
from the requirements of these Executive Orders and the Unfunded 
Mandates Reform Act. The Senate report accompanying the passage of IGRA 
provides Congress's intention clearly and unambiguously: the bill 
``established a National Indian Gaming Commission as an independent 
agency within the Department of Interior.'' S. Rep. No. 100-446, at 1 
(1988). When it amended IGRA in 2005, Congress reiterated its 
intention:

    Additionally, it is to be noted that the NIGC is an independent 
regulatory agency. This status has ramifications, including, that 
the agency is not governed by Executive Order 13175, which compels 
agencies other than independent regulatory agencies to consult 
tribal officials in the development of regulatory policies that have 
tribal implications. The Executive Order encourages independent 
agencies to observe its precepts, however, and the Committee notes 
with approval that the Commission, through its current consultation 
policy, has endeavored to do so.

S. Rep. No. 109-122 at 3 (2005).

    Comment: Several comments suggested that the NIGC may have violated 
the Government Performance and Results Act (``GPRA'') by embarking on 
several rulemaking exercises without an overall plan in violation of 
Public Law 109-221.
    Response: The Commission agrees that Public Law 109-221, the Native 
American Technical Corrections Act of 2006, provides that the NIGC 
shall be subject to the GPRA. On September 30, 2007, the NIGC submitted 
a draft performance and accountability report to the Office of 
Management and Budget for review. The Commission made revisions to its 
GPRA plan and on September 18, 2008, mailed it to tribal leaders for 
comment.

Comments Regarding NIGC Authority to Promulgate MICS

    Comment: A few commenters suggested that the Commission lacks the 
authority to promulgate Class II MICS, one analogizing the situation to 
that in Colorado Indian Tribes v. NIGC, where the DC Circuit ultimately 
found the Commission lacked the authority to enforce Class III MICS.
    Response: The Commission disagrees. IGRA does give the Commission 
the authority to adopt Class II MICS. Congress was expressly concerned 
that gaming under IGRA be ``conducted fairly and honestly by both the 
operators and the players'' and that the ``Indian tribe is the primary 
beneficiary of the gaming operation.'' 25 U.S.C. 2702(2). To carry out 
this mission Congress granted the Commission the power to monitor, 
inspect, and examine Class II gaming. 25 U.S.C. 2706(b)(1)-(4), and to 
promulgate such regulations as it deems appropriate to implement the 
provisions of IGRA. 25 U.S.C. 2706(b)(10). The creation of MICS 
provides the basis for which the Commission can monitor, inspect, and 
examine. The Class II MICS create procedures the Commission can verify 
are being followed as well as creating a revenue trail. Without a set 
of national standards it would be very difficult for the Commission to 
exercise its power in a meaningful manner and therefore fulfill its 
mission.

[[Page 60495]]

Comments Regarding NIGC Consultation With Tribes

    Comment: Several comments pertained to the level of consultation 
conducted in connection with the regulations stating that the NIGC did 
not conduct meaningful consultation and that the consultation conducted 
was in violation of the NIGC's consultation policy. Further, commenters 
stated that the use of an advisory committee was not an acceptable 
substitute for consultation.
    Response: The NIGC published its Government-to-Government Tribal 
Consultation Policy on March 24, 2004, 69 FR 16973. In that policy, the 
Commission recognized the government-to-government relationship that 
exists between the NIGC and federally-recognized tribes and stated that 
the primary focus of the NIGC's consultation policies would involve 
consulting with individual tribes and their recognized governmental 
leaders. The Commission's consultation policy also calls for providing 
early notification to affected tribes of any regulatory policies prior 
to a final agency decision regarding their formulation or 
implementation.
    The Commission conducted extensive consultations that included the 
formation of a tribal advisory committee, face-to-face meetings with 
tribal governments, and regional meetings with tribal gaming 
associations. Additionally, the Commission followed the formal 
rulemaking process under the Administrative Procedures Act thereby 
providing tribes another opportunity to submit written comments.
    As to the quality of consultation, some comments were critical of 
the Commission for not allotting sufficient time for individual 
consultation sessions. The Commission understands and appreciates this 
concern. The Commission would note, however, that it goes to great time 
and expense traveling to large, regional and national gaming 
association meetings to make itself available for consultations, and 
this minimizes the burdens of time and expense for the tribes. The 
Commission would point out as well that with approximately 225 tribes, 
balance of time spent between consultations and the Commission's other 
duties and obligations is often a difficult one to make. Further, the 
Commission believes that the criticism concerning the quality of 
consultation about the technical standards, however, is an unfair one, 
when only 25% of tribes accepted invitations for consultation between 
September 2005 and December 2007 and only a minority of those that 
accepted actually chose to discuss the MICS. That said, the Commission 
recognizes that there are many views about what consultation is and how 
it may best be done. The Commission is not married to its consultation 
practices and has already begun a dialogue and collaboration with 
tribal leaders, through the National Congress of American Indians and 
the National Indian Gaming Association, about finding mutually 
satisfactory methods of consultation.
    Comment: Several comments stated that the proposed rule represented 
a material departure from the consensus documents submitted by the 
Tribal Advisory Committee.
    Response: We disagree. The proposed rule accepted almost all of the 
suggestions by the Tribal Advisory Committee. Further, in the final 
regulation the Commission has made changes further closing the distance 
between the proposed rule and the alternative proposed by the Tribal 
Advisory Committee. As stated in the preamble, the Commission greatly 
values and appreciates the work on the MICS done by the tribal advisory 
committee and the working group of tribal leaders, tribal regulators, 
and manufacturers who advised them. During drafting, the Commission did 
state to the Committee and its working group that the Committee's role 
was advisory and that the Commission could, as the final decision-
maker, choose to depart from the draft provided. The Commission 
believes that this was appropriate insofar as this is consistent with 
its federal regulatory oversight mission. Nonetheless, the draft that 
the advisory committee supplied makes up verbatim most of what the 
Commission has adopted.

Comments Regarding the Length of the Comment Period

    Comment: Several comments stated that the comment period was not 
long enough.
    Response: The October 24, 2007, notice of proposed rulemaking 
stated that the comment period would end on December 10, 2007. Based 
upon early comments received, the Commission elected to extend the 
comment period to March 9, 2008. This is a period of 138 days. The 
Commission believes this is a sufficient comment period.

Comments Regarding Implementation of Class II MICS

    Comment: Several comments stated that tribes will not be able to 
implement a wholly separate set of MICS in a gaming operation that 
conducts both Class II and Class III gaming activities without a 
complete overhaul of the operating procedures and comprehensive 
retraining of the entire staff. The logistical, organizational, and 
operational complexities, not to mention the time and expense that will 
be required to implement new Class II MICS is unworkable.
    Response: The Commission appreciates the concern and recognizes 
that the control systems of a gaming enterprise are typically defined 
by function, e.g., table games, gaming machines, counter games and card 
games. However, recent technological advances in game development have 
somewhat blurred these distinctions. It is the expectation of the 
Commission that, from a practical perspective, except for the specific 
revenue centers of the Class II MICS (bingo, pull-tabs, card games) the 
remaining sections, which are generally relevant to the accounting for 
or facilitation of the noted games will out of necessity remain 
substantively identical to their companion standards in the Class III 
MICS (part 542). The dominant exception is that controls directly 
related to a Class III game will be omitted. Consequently, we disagree. 
The Commission believes the regulations ultimately arising from the 
next phase will have minimal impact on the gaming operation conducting 
both Class II and Class III gaming.
    Comment: Incorporating the sections of part 542 listed in 543.1 
will create conflicts given that the defined terms used in the proposed 
543 may be very different from the defined term in 542. The Commission 
should take the time necessary to integrate the sections of part 542 
with the new part 543 before promulgating the final rule.
    Response: The Commission agrees, however, the risk of having gaps 
in regulation outweigh any confusion that would be caused by 
referencing part 542. It is the expectation of the Commission that this 
interim period during which the remaining part 543 sections are adopted 
will be as brief as possible.
    Comment: One comment proposed that if the Commission is unwilling 
to postpone these rules until all relevant sections of part 542 can be 
transferred that section 543.1 be amended to state, ``To the extent 
that there is a discrepancy between the language or terms contained in 
this part 543 and that contained in the sections of part 542 
incorporated by reference in section 543.1 of this part, the applicable 
language or terms contained in this part 543 shall apply.''

[[Page 60496]]

    Response: The Commission disagrees. The Commission believes that 
the risk of confusion is minimal and fully anticipates that the 
remaining sections will be proposed before TICS are required to be 
implemented.
    Comment: The proposed rule states in section 543.3(c)(3) that 
``shall in accordance with the tribal gaming ordinance, establish that 
tribal internal control standards are established and implemented.'' 
This could mistakenly be read to require revision to the tribal gaming 
ordinance.
    Response: We disagree. This provision is necessary to ensure that 
tribes follow their ordinance requirements in the promulgation of TICS. 
We note that the commenter was able to understand this provision 
correctly and are sure that other tribes and tribal gaming regulatory 
agencies will likewise be able to understand its intent.

Comments Regarding Specific Definitions

    Comment: Several comments suggested that the final definitions used 
in 543.2 of the MICS and 547.3 of the technical standards should 
conform to one another unless there is an appropriate reason for 
different terms.
    Response: We agree. Where possible the Commission has used 
consistent terms. However, it is important to recognize that the two 
regulations possess differing objectives. Part 547 is intended to 
define the technical specification of a Class II gaming device and 
support systems; whereas part 543 is intended to set minimum standards, 
consistent with industry best practices, specific to the authorization, 
recognition, and recordation of the gaming and gaming related 
transactions. Consequently, users of the documents should be well aware 
of the definition section accompanying each rule.
    Comment: Any defined terms not used in the final version text 
should be deleted.
    Response: Except for Tier A and Tier B, we agree. Terms defined in 
Section 543.2 that are not utilized in this regulation have been 
deleted. The definition of Tier A and Tier B is necessary to an 
understanding of the applicability of certain subsections contained 
within section 543.7.
    Comment: Statutorily defined terms like ``Commission'' do not need 
to be included in a section of specific terms.
    Response: We disagree. The inclusion of the term ``Commission'' 
helps distinguish the federal commission from the tribal gaming 
commissions. Additionally, we do not see how the inclusion of this 
definition harms tribes or causes confusion in anyway.
    Comment: Since the term ``agreed-upon procedures'' is used many 
times in part 543, consideration should be given to defining the term. 
By defining the term, it would be possible to clarify that the CPA's 
client could be any or all of the tribal government, the tribal gaming 
regulatory authority or the gaming operation. This definition is 
consistent with applicable provisions of the Statements on Standards 
for Attestation Engagements issued by the Auditing Standards Board.
    Response: The Commission believes the current language is effective 
in defining the scope of the engagement.
    Comment: Since the term ``CPA'' is used frequently in part 543, 
consideration should be given to defining the term and making it clear 
in the definition that the term refers to either individuals or firms, 
as the case may be.
    Response: We disagree. Each state has a oversight body, generally 
referred to as a State Board of Accountancy, that is responsible for 
adopting regulations to carry out the laws governing the practice of 
public accountancy in that jurisdiction. It makes final licensing 
decisions and takes disciplinary actions against people who violate the 
licensing laws. Although much similarity exists from one state to 
another regarding the qualifications and licensing requirements of a 
Certified Public Accountant, to obtain an exact definition of the term 
within a particular state, the referenced oversight body should be 
consulted.
    Comment: Since the term ``internal control systems'' is used 
frequently in part 543, consideration should be given to defining the 
term and making it clear in the definition that internal control 
systems (i) include ``policies'' and ``procedures,'' as well as 
``systems.''
    Response: We disagree. The Institute of Internal Auditors defines 
internal controls as follows: The process effected by an entity's board 
of directors, management, and other personnel designed to provide 
reasonable assurance regarding the achievement of objectives in the 
following categories: (1) Operational controls--relating to the 
effective and efficient use of the entity's resources; (2) Financial 
reporting controls--relating to the preparation of reliable published 
financial statements; and (3) Compliance controls--relating to the 
entity's compliance with applicable laws and regulations.
    Within the context of the MICS, it is important to recognize that 
the regulation is not intended to define a comprehensive system of 
internal controls for a gaming enterprise. The objective is to identify 
a basic set of controls that the federal authority has determined to be 
necessary to satisfy its obligation as stipulated in Section 2702 of 
the Declaration of Policy of the IGRA. Conceptually, a similar 
motivation drives the tribal gaming regulatory authority in the 
creation of its minimum internal control standards, except that the 
scope may be broader and include all areas of the organization. 
However, even with the anticipated more expansive version of minimum 
internal controls codified by the tribal regulatory authority, such 
controls would generally be inadequate to define a gaming operation's 
breadth of policies and procedures in which issues such as efficiency 
and customer service are captured. Furthermore, it is the gaming 
operation's policies and procedures that frequently clarify how the 
property intends to comply with a regulatory requirement.
    Comment: Since the last three sentences of the definition of 
``internal audit'' are substantive provisions and readers who review 
section 543.3(f) may not realize that related substantive provisions 
have been organized in the definitions section, consideration should be 
given to relocating the last three sentences of the definition to an 
appropriate location in section 543.7(f).
    Response: The definition of internal audit and internal auditor has 
been revised to clarify the role of the internal auditor.
    Comment: The phrase ``or other component'' should be deleted from 
the definition of ``kiosk'' because kiosks are stand alone systems that 
are not ``components'' of anything or, if the phrase is retained, 
clarifying of what system a kiosk is a component.
    Response: We disagree. The kiosk is normally at the very least a 
component of an accounting system. Retention of the phrase confers 
flexibility for application of future technological advances.
    Comment: The term MICS should be defined and clarified so that it 
does not mean any variance to such a standard or a more stringent 
standard that may be established by a tribal internal control standard.
    Response: We disagree. The MICS is defined by part 543 in its 
entirety. Section 543.3 is intended to communicate that an alternative 
procedure to that contained in the federal rule is acceptable as long 
as it does not conflict with the rule it is intended to replace. 
Essentially, the Commission recognizes that a procedure, although 
different, could satisfy all elements of a part 543

[[Page 60497]]

standard. Furthermore, it is entirely permissible for the tribal gaming 
regulatory authority to require a control that is more stringent than 
that in the MICS.
    Comment: The term ``CPA NIGC MICS Compliance Checklist'' should be 
shortened to ``NIGC Checklist.''
    Response: We disagree. The NIGC provides various documents to 
assist tribal gaming regulators, operators and practitioners. Some are 
in the form of checklists; therefore, the title of this item is 
intended to differentiate it from others.
    Comment: The definition of the term ``PIN'' contained in 
543.7(g)(1)(iv) should be moved to the definition section.
    Response: The Commission agrees. The definition has been moved from 
543.7(g)(1)(iv) to 543.2.
    Comment: None of the sections of part 543 are based on tiers and 
all tiers must comply with all provisions of the current part 543. 
Therefore, the definitions of Tier A, B, and C should be deleted.
    Response: We disagree. The first phase of the task of developing a 
comprehensive set of minimum internal controls for Class II gaming does 
not contain the drop and count, internal audit and surveillance 
sections that have different applications based on Tier classification; 
however, the next phase of the rule making will include these 
standards. Therefore, it is worthwhile to leave the Tier definition in 
the rule. Additionally, the definition of Tier A and Tier B is 
necessary to an understanding of the applicability of subsection 
543.7(i)(3)(X), which is relevant to only Tier C.
    Comment: The term ``tribal internal control standards'' should be 
defined because it is used throughout part 543 but it is not defined.
    Response: Part 543 in its entirety establishes minimum internal 
controls for tribal operations. Attempting to further define the 
tribes' specific internal controls would be difficult since tribes vary 
in the method by which they implement the phrase. For example, some 
tribal gaming regulatory authorities have formal due process procedures 
whereby their minimum internal control standards are adopted as 
governmental regulations; others require a council resolution to create 
the rule; and some merely approve the internal control systems 
submitted to the gaming operation. The position of the NIGC is that the 
agency should not dictate to the tribe the methodology by which the 
tribe creates its rules governing the conduct of gaming on its lands; 
only that the rule must equal or exceed the level of control 
established by the federal regulation.

Comments Regarding Section 543.3

    Comment: The heading to this section should be changed to 
substitute the term ``tribal government'' for the term ``I.''
    Response: We agree. The term has been changed.
    Comment: The terms ``ensure'' and ``implement'' should be deleted 
so that it is left to the discretion of the tribal government to 
determine whether, when, and how to enforce the tribal minimum internal 
standards which have been adopted.
    Response: The Commission disagrees. The federal regulation is 
intended to require tribes to ensure tribal internal controls are 
established and implemented that accomplish three objectives: (1) 
Provide a level of control that equals or exceeds those set forth in 
part 543; (2) establish standards to detect and deter unlawful 
activity; and (3) set a deadline, as specified in the above referenced 
section, for the gaming operation to come into compliance with the 
tribal internal controls. Although the Commission recognizes the 
tribes' primary oversight role, the federal rules objective is to set a 
minimum threshold applicable to all tribal gaming; consequently, 
failure to comply would result in an ineffective regulation.
    Comment: It should be made clear that variances are allowed under 
this part. It should not simply incorporate by reference the provisions 
in 542.18.
    Response: The Commission will consider specifically setting out the 
variance section as well as all other sections that are presently 
incorporated by reference in its next revision of the MICS.
    Comment: Section 543.3(c) requires that tribal internal control 
standards comply with 31 CFR part 103. Authority for the implementation 
and enforcement of 31 CFR part 103 rests with the Department of 
Treasury. We believe it is beyond the Commissions authority to require 
compliance with other agencies' regulations.
    Response: We agree. This provision has been changed to require that 
the tribal gaming regulatory authority develop standards for 
identifying and reporting possible illegal activity. A program similar 
to that required by 31 CFR part 103 would satisfy this requirement.
    Comment: It should be made clear that the regulations impose 
requirements on the tribal gaming regulatory authority not directly on 
the gaming operation.
    Response: The regulation requires the tribal gaming regulatory 
authority to establish and implement tribal internal control standards 
that provide a level of control that equals or exceeds those set forth 
in this part and establish a deadline consistent with the timelines 
within this section for its gaming operation(s) to comply with the 
tribal internal controls. Consequently, the application of the federal 
rule to the gaming enterprise is through the tribal gaming regulatory 
authority.
    Comment: There should be a time gap between the date the tribal 
gaming regulatory authority establishes the new tribal internal control 
standards and the date the gaming operation must comply with those 
standards. Under this approach, the date the gaming operation would be 
required to comply with the new tics would be pegged to the date those 
standards are adopted and the date would apply to both existing and new 
operations.
    Response: The rule does identify specific timelines. From the date 
the rule is published in the Federal Register, the tribal gaming 
regulatory authority has six months to develop or revise its tribal 
internal control standards to comply with this Part and, upon 
implementation the regulatory authority shall establish a timeframe for 
its respective gaming operation(s) to come into compliance. 
Furthermore, at the discretion of the tribe, the period for the gaming 
operation(s) to come into compliance may be extended an additional six 
months. A gaming property that is opened after the date this rule is 
published in the Federal Register must be compliant upon opening.
    Comment: In order to add flexibility, the requirement that the 
report be issued to the tribe, the tribal gaming regulatory authority, 
and the manager should be changed to only mandate that the report 
should be issued to whoever engages the CPA and anyone else that entity 
designates.
    Response: We agree. The Commission concurs and has modified the 
regulation accordingly.
    Comment: The responsibility for submitting the report should be 
placed on the tribal gaming regulatory authority not the tribe.
    Response: We disagree. Since the tribe is ultimately responsible 
and since the tribal gaming regulatory authority is a component of 
tribal government, the distinction is not necessary.
    Comment: The term ``fiscal year'' is more precise than the term 
``business year.''
    Response: We disagree. Fiscal year is generally defined as the 
twelve consecutive months used by a business entity to account for and 
report on its

[[Page 60498]]

business operations. Business year is generally defined as the fiscal 
year based on the cycle of the given business rather than a calendar 
year. Although the terms are essentially synonymous, as used in the 
subject regulation, the Commission believes ``business year'' is more 
appropriate.
    Comment: The checklist or internal testing procedure is done by the 
internal auditor so it is redundant to require the CPA to do it.
    Response: We disagree. The checklist is relevant to the CPA, unless 
the practitioner determines that, and in accordance with relevant 
professional standards for attestation engagements, reliance can be 
placed on the work of the internal auditor. The extent of that reliance 
would determine the scope of checklists that the internal auditor might 
perform.

Comments Regarding Section 543.7

    Comment: The term ``critical proprietary software'' in 543.7 is not 
defined. The Commission should consider changing the term to ``game 
software.''
    Response: We agree. The Commission concurs with the comment and has 
modified the regulation accordingly, see 543.7(e)(2).
    Comment: It is not clear what entity is responsible for verifying 
game software.
    Response: The regulation anticipates that the tribal gaming 
regulatory authority will adopt a rule requiring personnel independent 
of the bingo department to test the signature of the game to ensure it 
is consistent with that previously approved. However, in practice, the 
Commission is aware that frequently the tribal regulator will assume 
responsibility for this task, which is common to the gaming industry.
    Comment: The Commission should clarify what procedure the tribal 
gaming regulatory authority should use to verify authenticity and 
consider if this is feasible for a tribal gaming regulatory authority.
    Response: We disagree. The detailed procedures necessary to confirm 
the authenticity of a game program may vary. This is consistent with 
section 547.8(f) of the technical standards.

Comments on Section 543.16

    Comment: Section 543.16(e) appears to be a technical standard 
instead of an internal control.
    Response: We disagree. The standard pertains to procedural 
requirements specific to the review of computer access records and 
unsuccessful log on attempts.
    Comment: In Section 543.16(f) it is unclear to what the term 
``version number'' refers.
    Response: We disagree. In the noted standard, the term refers to 
software applications; therefore, we believe the meaning to be evident.

Comments Regarding Alternative Procedures

    Comment: One commenter suggested that time and money could be saved 
by allowing alternative procedures in the MICS.
    Response: We disagree. Essentially the regulations do allow for 
alternative procedures by allowing for variances.
    Comment: The Commission should allow self-regulated tribes to 
approve alternative procedures to those in the Class II MICS.
    Response: The MICS are common in established gaming jurisdictions 
and, to be effective in establishing a minimum baseline for the 
internal operating procedures of tribal gaming enterprises, the rule 
must be concise, explicit, and uniform for all tribal gaming operations 
to which they apply. Furthermore, to nurture and promote public 
confidence in the integrity and regulation of Indian gaming and ensure 
its adequate regulation to protect tribal gaming assets and the 
interests of tribal stakeholders and the public, the Commission's MICS 
regulations must be reasonably uniform in their implementation and 
application and regularly monitored and enforced by tribal regulators 
and the NIGC to ensure tribal compliance. Regardless, self-regulated 
tribes may adopt variances.

Comments Regarding Application of MICS to Small and Charitable Gaming 
Operations

    Comment: Several comments stated that the threshold for applying 
the MICS to small or charitable gaming is too low. Raising the 
threshold to $3 million dollars would not eliminate the requirement for 
internal controls since small and charitable operations must operate 
under appropriate standards, however it would save in regulatory 
expenditures allowing tribal governments to retain more gaming dollars 
for governmental services and infrastructure.
    Response: The Commission agrees to some extent and therefore has 
raised the threshold to $2 million. We note that the threshold 
contained in the Class II technical standards will remain at $1 million 
as proposed because the cost of compliance will be a one-time cost.

Comments Regarding MICS References to Classification and Technical 
Standards

    Comment: Several comments stated that the MICS should not reference 
proposed classification standards or proposed technical standards.
    Response: The Commission agrees. Because the classification 
standards are being withdrawn simultaneously with the publishing of 
these regulations, all references to classification standards have been 
removed. The MICS did not include any references to the technical 
standards.

Comments on Game Classification

    Comment: One commenter stated that part 543 assumes that the bingo 
games will be similar to slot machines and such provisions are improper 
because Class II games cannot include ``slot machines of any kind.''
    Response: These regulations are not intended to be used to classify 
machines as either Class II or Class III. It is possible for Class III 
games to be compliant with these MICS. Therefore, compliance with these 
MICS is not an indicator or evidence that a game is Class II.

List of Subjects in 25 CFR Parts 542 and 543

    Accounting, Auditing, Gambling, Incorporation by reference, 
Indian--lands, Indian--tribal government, Reporting and recordkeeping 
requirements.


0
Accordingly, for the reasons described in the preamble, the Commission 
amends its regulations at 25 CFR chapter III as follows:

PART 542--MINIMUM INTERNAL CONTROL STANDARDS

0
1. The authority citation for part 542 continues to read as follows:

     Authority: 25 U.S.C. 2702(c), 2706(b)(10).


Sec.  542.7  [Removed and Reserved]

0
2. Section 542.7 is removed and reserved effective October 13, 2009.


Sec.  542.16  [Removed and Reserved]

0
3. Section 542.16 is removed and reserved effective October 13, 2009.

0
4. Add new part 543 to read as follows:

PART 543--MINIMUM INTERNAL CONTROL STANDARDS FOR CLASS II GAMING

Sec.
543.1 What does this part cover?
543.2 What are the definitions for this part?
543.3 How do tribal governments comply with this part?

[[Page 60499]]

543.4-543.5 [RESERVED]
543.6 Does this part apply to small and charitable gaming 
operations?
543.7 What are the minimum internal control standards for bingo?
543.8-543.15 [RESERVED]
543.16 What are the minimum internal controls for information 
technology?

     Authority: 25 U.S.C. 2701 et seq.


Sec.  543.1  What does this part cover?

    This part, along with Sec. Sec.  542.14 through 542.15, 542.17 
through 542.18, 542.20 through 542.23, 542.30 through 542.33, and 
542.40 through 542.43 of this chapter establishes the minimum internal 
control standards for the conduct of Class II bingo and other games 
similar to bingo on Indian lands as described in 25 U.S.C. 2701 et seq. 
Throughout this part the term bingo includes other games similar to 
bingo.


Sec.  543.2  What are the definitions for this part?

    The definitions in this section apply to all sections of this part 
unless otherwise noted.
    Accountability. All financial instruments, receivables, and patron 
deposits constituting the total amount for which the bankroll custodian 
is responsible at a given time.
    Actual bingo win percentage. The percentage calculated by dividing 
the bingo win by the bingo sales. Can be calculated for individual 
prize schedules or type of player interfaces on a per-day or cumulative 
basis.
    Agent. An employee or licensed person authorized by the gaming 
operation, as approved by the tribal gaming regulatory authority, 
designated for certain authorizations, decisions, tasks and actions in 
the gaming operation. This definition is not intended to eliminate nor 
suggest that appropriate management contracts are not required, where 
applicable, as referenced in 25 U.S.C. 2711.
    Amount in. The total value of all financial instruments and 
cashless transactions accepted by the Class II gaming system.
    Amount out. The total value of all financial instruments and 
cashless transactions paid by the Class II gaming system, plus the 
total value of manual payments.
    Bingo paper. A consumable physical object that has one or more 
bingo cards on its face.
    Bingo sales. The value of purchases made by players to participate 
in bingo.
    Bingo win. The result of bingo sales minus prize payouts.
    Cage. A secure work area within the gaming operation for cashiers 
which may include a storage area for the gaming operation bankroll.
    Cash equivalents. The monetary value that a gaming operation may 
assign to a document, financial instrument, or anything else of 
representative value other than cash. A cash equivalent includes, but 
is not limited to, tokens, chips, coupons, vouchers, payout slips and 
tickets, and other items to which a gaming operation has assigned an 
exchange value.
    Cashless system. A system that performs cashless transactions and 
maintains records of those cashless transactions.
    Cashless transaction. A movement of funds electronically from one 
component to another, often to or from a patron deposit account.
    Class II game. A game as described in 25 U.S.C. 2703(7)(A).
    Class II Gaming System. All components, whether or not technologic 
aids in electronic, computer, mechanical, or other technologic form, 
that function together to aid the play of one or more Class II games 
including accounting functions mandated by part 547 of this chapter.
    Commission. The National Indian Gaming Commission.
    Count. The act of counting and recording the drop and/or other 
funds.
    Count room. A secured room where the count is performed.
    Coupon. A financial instrument of fixed wagering value, usually 
paper, that can only be used to acquire non-cashable credits through 
interaction with a voucher system. This does not include instruments 
such as printed advertising material that cannot be validated directly 
by a voucher system.
    Drop. The total amount of financial instruments removed from 
financial instrument storage components in Class II gaming systems.
    Drop period. The period of time that occurs between sequential 
drops.
    Electronic funds transfer. A transfer of funds to or from a Class 
II gaming system through the use of a cashless system, which are 
transfers from an external financial institution.
    Financial instrument. Any tangible item of value tendered in Class 
II game play including but not limited to bills, coins, vouchers, and 
coupons.
    Financial instrument acceptor. Any component that accepts financial 
instruments.
    Financial instrument storage component. Any component that stores 
financial instruments.
    Game software. The operational program or programs that govern the 
play, display of results, and/or awarding of prizes or credits for 
Class II games.
    Gaming Equipment. All electronic, electro-mechanical, mechanical or 
other physical components utilized in the play of Class II games.
    Independent. The separation of functions so that the person or 
process monitoring, reviewing or authorizing the controlled 
transaction(s) is separate from the persons or process performing the 
controlled transaction(s).
    Inter-tribal prize pool. A fund to which multiple tribes contribute 
from which prizes are paid to winning players at a participating tribal 
gaming facility and which is administered by one of the participating 
tribes or a third party, (e.g. progressive prize pools, shared prize 
pools, etc.).
    Internal audit. The audit function of a gaming operation that is 
independent of the department subject to the audit. Internal audit 
activities should be conducted in a manner that permits objective 
evaluation of areas examined.
    Internal auditor. The person(s) who perform an independent audit. 
Independence is obtained through the organizational reporting 
relationship, as the internal audit department must not report to 
management of the gaming operation. Internal audit personnel may 
provide audit coverage to more than one operation within a tribe's 
gaming operation holdings.
    Kiosk. A self serve point of sale or other component capable of 
accepting or dispensing financial instruments and may also be capable 
of initiating cashless transactions of values to or from a patron 
deposit account or promotional account.
    Manual payout. The payment to a player of some or all of a player's 
accumulated credits (e.g. short pays, cancelled credits, etc.) or an 
amount owed as a result of a winning event by an agent of the gaming 
operation.
    MICS. Minimum internal control standards in this part.
    Non-cashable credit. Credits given by an operator to a patron; 
placed on a Class II gaming system through a coupon, cashless 
transaction, or other approved means; and capable of activating play 
but not being converted to cash.
    Patron deposit account. An account maintained on behalf of a 
patron, for the purpose of depositing and withdrawing cashable funds 
for the primary purpose of interacting with a gaming activity.
    Patron deposits. The funds placed with a designated cashier by 
patrons for the patrons' use at a future time.
    PIN. A personal identification number.
    Player interface. Any component(s) of a Class II gaming system, 
including an electronic or technological aid (not limited to terminals, 
player stations, handhelds, fixed units, etc.) that

[[Page 60500]]

directly enable(s) player interaction in a Class II game.
    Player tracking system. A system typically used by a gaming 
operation to record the amount of play of an individual patron.
    Prize payout. A transaction associated with a winning event.
    Prize schedule. A set of prizes available to players for achieving 
pre-designated patterns in Class II game(s).
    Progressive prize. A prize that increases by a selectable or 
predefined amount based on play of a Class II game.
    Promotional account. A file, record, or other data structure that 
records transactions involving a patron or patrons that are not 
otherwise recorded in a patron deposit account.
    Promotional prize payout. Merchandise or awards given to players by 
the gaming operation which is based on gaming activity.
    Random number generator (RNG). A software module, hardware 
component or combination of these designed to produce outputs that are 
effectively random.
    Server. A computer which controls one or more applications or 
environments.
    Shift. An eight-hour period, unless otherwise approved by the 
tribal gaming regulatory authority, not to exceed 24 hours.
    Short pay. The payment of the unpaid balance of an incomplete 
payout by a player interface.
    Tier A. Gaming operations with annual gross gaming revenues of more 
than $1 million but not more than $5 million.
    Tier B. Gaming operations with annual gross gaming revenues of more 
than $5 million but not more than $15 million.
    Tier C. Gaming operations with annual gross gaming revenues of more 
than $15 million.
    Tribal Gaming Regulatory Authority. The entity authorized by tribal 
law to regulate gaming conducted pursuant to the Indian Gaming 
Regulatory Act.
    Voucher. A financial instrument of fixed value that can only be 
used to acquire an equivalent value of cashable credits or cash through 
interaction with a voucher system.
    Voucher System. A component of the Class II gaming system or an 
external system that securely maintains records of vouchers and 
coupons; validates payment of vouchers and coupons; records successful 
or failed payments of vouchers and coupons; and controls the purging of 
expired vouchers and coupons.


Sec.  543.3  How do tribal governments comply with this part?

    (a) Compliance based upon tier. [Reserved]
    (b) Determination of tier. [Reserved]
    (c) Tribal internal control standards. Within six months of October 
10, 2008, each tribal gaming regulatory authority must, in accordance 
with the tribal gaming ordinance, establish or ensure that tribal 
internal control standards are established and implemented that must:
    (1) Provide a level of control that equals or exceeds those set 
forth in this part; and
    (2) Contain standards to identify, detect and deter money 
laundering in furtherance of a criminal enterprise, terrorism, tax 
evasion or other unlawful activity. The standards should be designed to 
facilitate the keeping of records and the filing of reports with the 
appropriate federal regulatory and law enforcement authorities.
    (3) Establish a deadline, which must not exceed six months from the 
date the tribal gaming regulatory authority establishes internal 
controls by which a gaming operation must come into compliance with the 
tribal internal control standards. However, the tribal gaming 
regulatory authority may extend the deadline by an additional six 
months if written notice citing justification is provided to the 
Commission no later than two weeks before the expiration of the six 
month period.
    (d) Gaming operations. Each gaming operation must develop and 
implement an internal control system that, at a minimum, complies with 
the tribal internal control standards.
    (1) Existing gaming operations. All gaming operations that are 
operating on or before November 10, 2008, must comply with this part 
within the time requirements established in paragraph (c) of this 
section. In the interim, such operations must continue to comply with 
existing tribal internal control standards.
    (2) New gaming operations. All gaming operations that commence 
operations after April 10, 2009, must comply with this part before 
commencement of operations.
    (e) Submission to Commission. Tribal regulations promulgated 
pursuant to this part are not required to be submitted to the 
Commission pursuant to Sec. 522.3(b) of this chapter.
    (f) CPA testing. (1) An independent certified public accountant 
(CPA) must be engaged to perform ``Agreed-Upon Procedures'' to verify 
that the gaming operation is in compliance with the minimum internal 
control standards (MICS) set forth in this part or a tribally approved 
variance thereto that has received Commission concurrence. The CPA must 
report each event and procedure discovered by or brought to the CPA's 
attention that the CPA believes does not satisfy the minimum standards 
or tribally approved variance that has received Commission concurrence. 
The ``Agreed-Upon Procedures'' may be performed in conjunction with the 
annual audit. The tribe must submit two copies of the report to the 
Commission within 120 days of the gaming operation's fiscal year end. 
In performing the compliance audit, the CPA must use the Statements on 
Standards for Attestation Engagements No. 10 at Sections 101 (``Attest 
Engagements'') and 201 (``Agreed-Upon Procedures Engagements'') 
(collectively ``SSAE's''), July 12, 2007, American Institute of 
Certified Public Accountants Inc, (AICPA). SSAE No. 10 at Sections 101 
and 201 are incorporated by reference into this section with the 
approval of the Director of the Federal Register under 5 U.S.C. 552(a) 
and 1 CFR part 51. To enforce any edition other than that specified in 
this section, the Commission must publish notice of change in the 
Federal Register and the material must be available to the public. You 
may obtain a copy from the American Institute of Certified Public 
Accountants, 220 Leigh Farm Rd., Durham, NC 27707, 1-888-777-7077, at 
http://www.aicpa.org. You may inspect a copy at the National Indian 
Gaming Commission, 1441 L Street, NW., Suite 9100, Washington, DC 
20005, 202-632-7003. All approved material is available for inspection 
at the National Archives and Records Administration (NARA). For 
information on the availability of this material at NARA, call 202-741-
6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. The CPA must perform the 
``Agreed-Upon Procedures'' in accordance with the following:
    (i) As a prerequisite to the evaluation of the gaming operation's 
internal control systems, it is recommended that the CPA obtain and 
review an organization chart depicting segregation of functions and 
responsibilities, a description of the duties and responsibilities of 
each position shown on the organization chart, and an accurate, 
detailed narrative description of the gaming operation's procedures in 
effect that demonstrate compliance.
    (ii) Complete the CPA NIGC MICS Compliance checklists or other 
comparable testing procedures. The checklists should measure compliance 
on a sampling basis by performing

[[Page 60501]]

inspections, observations and substantive testing. The CPA must 
complete separate checklists for bingo and information technology. All 
questions on each applicable checklist should be completed. Work-paper 
references are suggested for all ``no'' responses for the results 
obtained during testing (unless a note in the ``W/P Ref'' can explain 
the exception).
    (iii) The CPA must perform, at a minimum, the following procedures 
in conjunction with the completion of the checklists:
    (A) At least one unannounced observation of each of the following: 
financial instrument acceptor drop and count. For purposes of these 
procedures, ``unannounced'' means that no officers, directors, or 
employees are given advance information regarding the dates or times of 
such observations. The independent accountant should make arrangements 
with the gaming operation and tribal gaming regulatory authority to 
ensure proper identification of the CPA's personnel and to provide for 
their prompt access to the count rooms. The checklists should provide 
for drop and count observations. The count room should not be entered 
until the count is in process and the CPA should not leave the room 
until the monies have been counted and verified to the count sheet by 
the CPA and accepted into accountability.
    (B) Observations of the gaming operation's agents as they perform 
their duties.
    (C) Interviews with the gaming operation's agents who perform the 
relevant procedures.
    (D) Compliance testing of various documents relevant to the 
procedures. The scope of such testing should be indicated on the 
checklist where applicable.
    (E) For new gaming operations that have been in operation for three 
months or less at the end of their business year, performance of this 
regulation, this section, is not required for the partial period.
    (2) Alternatively, at the discretion of the tribe, the tribe may 
engage an independent CPA to perform the testing, observations and 
procedures reflected in paragraphs (f)(1)(i), (ii), and (iii) of this 
section utilizing the tribal internal control standards adopted by the 
tribal gaming regulatory authority or tribally approved variance that 
has received Commission concurrence. Accordingly, the CPA will verify 
compliance by the gaming operation with the tribal internal control 
standards. Should the tribe elect this alternative, as a prerequisite, 
the CPA will perform the following:
    (i) The CPA must compare the tribal internal control standards to 
the MICS to ascertain whether the criteria set forth in the MICS or 
Commission approved variances are adequately addressed.
    (ii) The CPA may utilize personnel of the tribal gaming regulatory 
authority to cross-reference the tribal internal control standards to 
the MICS, provided the CPA performs a review of the tribal gaming 
regulatory authority personnel's work and assumes complete 
responsibility for the proper completion of the work product.
    (iii) The CPA must report each procedure discovered by or brought 
to the CPA's attention that the CPA believes does not satisfy paragraph 
(f)(2)(i) of this section.
    (3) Reliance on Internal Auditors. (i) The CPA may rely on the work 
of an internal auditor, to the extent allowed by the professional 
standards, for the performance of the recommended procedures specified 
in paragraphs (f)(1)(iii)(B), (C), and (D) of this section, and for the 
completion of the checklists as they relate to the procedures covered 
therein.
    (ii) Agreed-upon procedures are to be performed by the CPA to 
determine that the internal audit procedures performed for a past 12-
month period (includes two six month periods) encompassing a portion or 
all of the most recent business year has been properly completed. The 
CPA will apply the following agreed-upon procedures to the gaming 
operation's written assertion:
    (A) Obtain internal audit department work-papers completed for a 
12-month period (includes two six month periods) encompassing a portion 
or all of the most recent business year and determine whether the CPA 
NIGC MICS Compliance Checklists or other comparable testing procedures 
were included in the internal audit work-papers and all steps described 
in the checklists were initialed or signed by an internal audit 
representative.
    (B) For the internal audit work-papers obtained in paragraph 
(f)(3)(ii)(A) of this section, on a sample basis, re-perform the 
procedures included in CPA NIGC MICS Compliance Checklists or other 
comparable testing procedures prepared by internal audit and determine 
if all instances of noncompliance noted in the sample were documented 
as such by internal audit. The CPA NIGC MICS Compliance Checklists or 
other comparable testing procedures for the applicable Drop and Count 
procedures are not included in the sample re-performance of procedures 
because the CPA is required to perform the drop and count observations 
as required under paragraph (f)(1)(iii)(A) of this section of the 
agreed-upon procedures. The CPA's sample should comprise a minimum of 
three percent of the procedures required in each CPA NIGC MICS 
Compliance Checklist or other comparable testing procedures for the 
bingo department and five percent for the other departments completed 
by internal audit in compliance with the internal audit MICS. The re-
performance of procedures is performed as follows:
    (1) For inquiries, the CPA should either speak with the same 
individual or an individual of the same job position as the internal 
auditor did for the procedure indicated in the CPA checklist.
    (2) For observations, the CPA should observe the same process as 
the internal auditor did for the procedure as indicated in their 
checklist.
    (3) For document testing, the CPA should look at the same original 
document as tested by the internal auditor for the procedure as 
indicated in their checklist. The CPA need only retest the minimum 
sample size required in the checklist.
    (C) The CPA is to investigate and document any differences between 
their re-performance results and the internal audit results.
    (D) Documentation must be maintained for five years by the CPA 
indicating the procedures re-performed along with the results.
    (E) When performing the procedures for paragraph (f)(3)(ii)(B) of 
this section in subsequent years, the CPA must select a different 
sample so that the CPA will re-perform substantially all of the 
procedures after several years.
    (F) Additional procedures performed at the request of the 
Commission, the tribal gaming regulatory authority or management should 
be included in the Agreed-Upon Procedures report transmitted to the 
Commission.
    (4) Report Format. The NIGC has concluded that the performance of 
these procedures is an attestation engagement in which the CPA applies 
such Agreed-Upon Procedures to the gaming operation's assertion that it 
is in compliance with the MICS and, if applicable under paragraph 
(f)(2) of this section, the tribal internal control standards and 
approved variances, provide a level of control that equals or exceeds 
that of the MICS. Accordingly, the Statements on Standards for 
Attestation Engagements (SSAE's), specifically SSAE 10, at Sections 101 
and 201 are applicable. SSAE 10 provides current, pertinent guidance 
regarding agreed-upon procedure engagements, and the sample report 
formats included within those standards should be used, as appropriate, 
in the

[[Page 60502]]

preparation of the CPA's agreed-upon procedures report. If future 
revisions are made to this standard or new SSAE's are adopted that are 
applicable to this type of engagement, the CPA is to comply with any 
revised professional standards in issuing their agreed upon procedures 
report. The Commission will provide an example report and letter 
formats upon request that may be used and contain all of the 
information discussed below. The report must describe all instances of 
procedural noncompliance (regardless of materiality) with the MICS or 
approved variations, and all instances where the tribal gaming 
regulatory authority's regulations do not comply with the MICS. When 
describing the agreed-upon procedures performed, the CPA should also 
indicate whether procedures performed by other individuals were 
utilized to substitute for the procedures required to be performed by 
the CPA. For each instance of noncompliance noted in the CPA's agreed-
upon procedures report, the following information must be included: The 
citation of the applicable MICS for which the instance of noncompliance 
was noted; a narrative description of the noncompliance, including the 
number of exceptions and sample size tested.
    (5) Report Submission Requirements. (i) The CPA must prepare a 
report of the findings for the tribe and management. The tribe must 
submit two copies of the report to the Commission no later than 120 
days after the gaming operation's business year end. This report should 
be provided in addition to any other reports required to be submitted 
to the Commission.
    (ii) The CPA should maintain the work-papers supporting the report 
for a minimum of five years. Digital storage is acceptable. The 
Commission may request access to these work-papers, through the tribe.
    (6) CPA NIGC MICS Compliance Checklists. In connection with the CPA 
testing pursuant to this section and as referenced therein, the 
Commission will provide CPA MICS Compliance Checklists upon request.
    (g) Enforcement of Commission Minimum Internal Control Standards.
    (1) Each tribal gaming regulatory authority is required to 
establish and implement internal control standards pursuant to 
paragraph (c) of this section. Each gaming operation is then required, 
pursuant to paragraph (d) of this section, to develop and implement an 
internal control system that complies with the tribal internal control 
standards. Failure to do so may subject the tribal operator of the 
gaming operation, or the management contractor, to penalties under 25 
U.S.C. 2713.
    (2) Recognizing that tribes are the primary regulator of their 
gaming operation(s), enforcement action by the Commission will not be 
initiated under this part without first informing the tribe and tribal 
gaming regulatory authority of deficiencies in the internal controls of 
its gaming operation and allowing a reasonable period of time to 
address such deficiencies. Such prior notice and opportunity for 
corrective action is not required where the threat to the integrity of 
the gaming operation is immediate and severe.


Sec. Sec.  543.4-543.5  [Reserved]


Sec.  543.6  Does this part apply to small and charitable gaming 
operations?

    (a) Small gaming operations. This part does not apply to small 
gaming operations provided that:
    (1) The tribal gaming regulatory authority permits the operation to 
be exempt from this part;
    (2) The annual gross gaming revenue of the operation does not 
exceed $2 million; and
    (3) The tribal gaming regulatory authority develops and the 
operation complies with alternate procedures that:
    (i) Protect the integrity of games offered;
    (ii) Safeguard the assets used in connection with the operation; 
and
    (iii) Create, prepare and maintain records in accordance with 
Generally Accepted Accounting Principles.
    (b) Charitable gaming operations. This part does not apply to 
charitable gaming operations provided that:
    (1) All proceeds are for the benefit of a charitable organization;
    (2) The tribal gaming regulatory authority permits the charitable 
organization to be exempt from this part;
    (3) The charitable gaming operation is operated wholly by the 
charitable organization's agents;
    (4) The annual gross gaming revenue of the charitable operation 
does not exceed $2 million; and
    (5) The tribal gaming regulatory authority develops and the 
charitable gaming operation complies with alternate procedures that:
    (i) Protect the integrity of the games offered;
    (ii) Safeguard the assets used in connection with the gaming 
operation; and
    (iii) Create, prepare and maintain records in accordance with 
Generally Accepted Accounting Principles. For more information please 
see www.fasb.gov or www.fasb.org.
    (c) Independent operators. Nothing in this section exempts gaming 
operations conducted by independent operators for the benefit of a 
charitable organization.


Sec.  543.7  What are the minimum internal control standards for bingo?

    (a) Bingo Cards--(1) Inventory of bingo paper. (i) The bingo paper 
inventory must be controlled so as to assure the integrity of the bingo 
paper being used as follows:
    (A) When received, bingo paper must be inventoried and secured by 
an authorized agent(s) independent of bingo sales;
    (B) The issue of bingo paper to the cashiers must be documented and 
signed for by the authorized agent(s) responsible for inventory control 
and a cashier. The bingo control log must include the series number of 
the bingo paper;
    (C) The bingo control log must be utilized by the gaming operation 
to verify the integrity of the bingo paper being used; and
    (D) Once each month, an authorized agent(s) independent of both 
bingo paper sales and bingo paper inventory control must verify the 
accuracy of the ending balance in the bingo control log by reconciling 
it with the bingo paper inventory.
    (ii) Paragraph (a)(1) of this section does not apply where no 
physical inventory is applicable.
    (2) Bingo sales. (i) There must be an accurate accounting of all 
bingo sales.
    (ii) All bingo sales records must include the following 
information:
    (A) Date;
    (B) Time;
    (C) Shift or session;
    (D) Sales transaction identifiers, which may be the unique card 
identifier(s) sold or when electronic bingo card faces are sold, the 
unique identifiers of the card faces sold;
    (E) Quantity of bingo cards sold;
    (F) Dollar amount of bingo sales;
    (G) Signature, initials, or identification of the agent or device 
who conducted the bingo sales; and
    (H) When bingo sales are recorded manually, total sales are 
verified by an authorized agent independent of the bingo sales being 
verified and the signature, initials, or identification of the 
authorized agent who verified the bingo sales is recorded.
    (iii) No person shall have unrestricted access to modify bingo 
sales records.
    (iv) An authorized agent independent of the seller must perform the 
following standards for each seller at the end of each session:
    (A) Reconcile the documented total dollar amount of cards sold to 
the documented quantity of cards sold;

[[Page 60503]]

    (B) Note any variances; and
    (C) Appropriately investigate any noted variances with the results 
of the follow-up documented.
    (3) Voiding bingo cards. (i) Procedures must be established and 
implemented to prevent the voiding of card sales after the start of the 
calling of the game for which the bingo card was sold. Cards may not be 
voided after the start of a game for which the card was sold.
    (ii) When a bingo card must be voided the following controls must 
apply as relevant:
    (A) A non-electronic bingo card must be marked void; and
    (B) The authorization of the void, by an authorized agent 
independent of the original sale transaction (supervisor recommended), 
must be recorded either by signature on the bingo card or by 
electronically associating the void authorization to the sale 
transaction of the voided bingo card.
    (4) Reissue of previously sold bingo cards. When one or more 
previously sold bingo cards need to be reissued, the following controls 
must apply: the original sale of the bingo cards must be verified; and 
the reissue of the bingo cards must be documented, including the 
identity of the agent authorizing reissuance.
    (b) Draw--(1) Verification and display. (i) Procedures must be 
established and implemented to ensure the identity of each object drawn 
is accurately recorded and transmitted to the participants. The 
procedures must identify the method used to ensure the identity of each 
object drawn.
    (ii) For all games offering a prize payout of $1,200 or more, as 
the objects are drawn, the identity of the objects must be immediately 
recorded and maintained for a minimum of 24 hours.
    (iii) Controls must be present to assure that all objects eligible 
for the draw are available to be drawn prior to the next draw.
    (c) Manual Payouts and Short Pays. (1) Procedures must be 
established and implemented to prevent unauthorized access or 
fraudulent transactions using manual payout documents, including:
    (i) Payout documents must be controlled and completed in a manner 
that is intended to prevent a custodian of funds from altering the 
dollar amount on all parts of the payout document subsequent to the 
manual payout and misappropriating the funds.
    (ii) Payout documents must be controlled and completed in a manner 
that deters any one individual from initiating and producing a 
fraudulent payout document, obtaining the funds, forging signatures on 
the payout document, routing all parts of the document, and 
misappropriating the funds. Recommended procedures of this standard 
include but are not limited to the following:
    (A) Funds are issued either to a second verifier of the manual 
payout (i.e., someone other than the agents who generated/requested the 
payout) or to two agents concurrently (i.e., the generator/requestor of 
the document and the verifier of the manual payout). Both witness the 
manual payout; or
    (B) The routing of one part of the completed document is under the 
physical control (e.g., dropped in a locked box) of an agent other than 
the agent that obtained/issued the funds and the agent that obtained/
issued the funds must not be able to place the document in the locked 
box.
    (iii) Segregation of responsibilities. The functions of sales and 
prize payout verification must be segregated, if performed manually. 
Agents who sell bingo cards on the floor must not verify bingo cards 
for prize payouts with bingo cards in their possession of the same type 
as the bingo card being verified for the game. Floor clerks who sell 
bingo cards on the floor are permitted to announce the identifiers of 
winning bingo cards.
    (iv) Validation. Procedures must be established and implemented to 
determine the validity of the claim prior to the payment of a prize 
(i.e., bingo card was sold for the game played, not voided, etc.) by at 
least two persons.
    (v) Verification. Procedures must be established and implemented to 
ensure that at least two persons verify the winning pattern has been 
achieved on the winning card prior to the payment of a prize.
    (vi) Authorization and signatures. (A) A Class II gaming system may 
substitute as one authorization/signature verifying, validating or 
authorizing a winning card of less than $1,200 or other manual payout. 
Where a Class II gaming system substitutes as an authorization/
signature, the manual payout is subject to the limitations provided in 
this section.
    (B) For manual prize payouts of $1,200 or more and less than a 
predetermined amount not to exceed $50,000, at least two agents must 
authorize, sign and witness the manual prize payout.
    (1) Manual prize payouts over a predetermined amount not to exceed 
$50,000 must require one of the two signatures and verifications to be 
a supervisory or management employee independent of the operation of 
bingo.
    (2) This predetermined amount, not to exceed $50,000, must be 
authorized by management, approved by the tribal gaming regulatory 
authority, documented, and maintained.
    (2) Documentation, including:
    (i) Manual payouts and short-pays exceeding $10 must be documented 
on a two-part form, of which a restricted system record can be 
considered one part of the form, and documentation must include the 
following information:
    (A) Date and time;
    (B) Player interface identifier or game identifier;
    (C) Dollar amount paid (both alpha and numeric) or description of 
personal property awarded, including fair market value. Alpha is 
optional if another unalterable method is used for evidencing the 
amount paid;
    (D) Type of manual payout (e.g., prize payout, external bonus 
payout, short pay, etc.);
    (E) Game outcome (e.g., patterns, symbols, bingo card identifier/
description, etc.) for manual prize payouts, external bonus 
description, reason for short pay, etc.;
    (F) Preprinted or concurrently printed sequential manual payout 
identifier; and
    (G) Signatures or other authorizations, as required by this part.
    (ii) For short-pays of $10 or less, the documentation (single-part 
form or log is acceptable) must include the following information:
    (A) Date and time;
    (B) Player interface number;
    (C) Dollar amount paid (both alpha and numeric). Alpha is optional 
if another unalterable method is used for evidencing the amount paid;
    (D) The signature of at least one agent verifying and witnessing 
the short pay; and
    (E) Reason for short pay.
    (iii) In other situations that allow an agent to input a prize 
payout or change the dollar amount of the prize payout by more than $1 
in a Class II gaming system that has an automated prize payout 
component, two agents, one of which is a supervisory employee, must be 
physically involved in verifying and witnessing the prize payout.
    (iv) For manually paid promotional prize payouts, as a result of 
the play of a game and where the amount paid is not included in the 
prize schedule, the documentation (single-part form or log is 
acceptable) must include the following information:
    (A) Date and time;
    (B) Player interface number;
    (C) Dollar amount paid (both alpha and numeric). Alpha is optional 
if another unalterable method is used for evidencing the amount paid;
    (D) The signature of at least one agent verifying and witnessing 
the manual

[[Page 60504]]

promotional prize payout of $599 or less and two agents verifying and 
witnessing the manual promotional prize payout exceeding $599;
    (E) Description or name of the promotion; and
    (F) Total amount of manual promotional prize payouts must be 
recorded by shift, session or other relevant time period.
    (v) When a controlled manual payout document is voided, the agent 
completing the void must clearly mark ``void'' across the face of the 
document, sign across the face of the document and all parts of the 
document must be retained for accountability.
    (d) Operational controls. (1) Procedures must be established and 
implemented with the intent to prevent unauthorized access to or 
fraudulent transactions involving cash or cash equivalents.
    (2) Cash or cash equivalents exchanged between two persons must be 
counted independently by at least two persons and reconciled to the 
recorded amounts at the end of each shift or if applicable each 
session. Unexplained variances must be documented and maintained. 
Unverified transfers of cash or cash equivalents are prohibited.
    (3) Procedures must be established and implemented to control cash 
or cash equivalents in accordance with this section and based on the 
amount of the transaction. These procedures include, but are not 
limited to, counting and recording on an accountability form by shift, 
session or relevant time period the following:
    (i) Inventory, including any increases or decreases;
    (ii) Transfers;
    (iii) Exchanges, including acknowledging signatures or initials; 
and
    (iv) Resulting variances.
    (4) Any change of control of accountability, exchange or transfer 
must require the cash or cash equivalents be counted and recorded 
independently by at least two persons and reconciled to the recorded 
amount.
    (e) Gaming equipment. (1) Procedures must be established and 
implemented with the intention to restrict access to agents for the 
following:
    (i) Controlled gaming equipment/components (e.g., draw objects and 
back-up draw objects); and
    (ii) Random number generator software. (Additional information 
technology security standards can be found in Sec.  543.16 of this 
part.)
    (2) The game software components of a Class II gaming system will 
be identified in the test laboratory report. When initially received, 
the software must be verified to be authentic copies, as certified by 
the independent testing laboratory.
    (3) Procedures must be established relating to the periodic 
inspection, maintenance, testing, and documentation of a random 
sampling of gaming equipment/components, including but not limited to:
    (i) Software related to game outcome must be authenticated semi-
annually by an agent independent of bingo operations by comparing 
signatures against the test laboratory letter on file with the tribal 
gaming regulatory authority for that version.
    (ii) Class II gaming system interfaces to external systems must be 
tested annually for accurate communications and appropriate logging of 
events.
    (4) Records must be maintained for each player interface that 
indicate the date the player interface was placed into service or made 
available for play, the date the player interface was removed from 
service and not available for play, and any changes in player interface 
identifiers.
    (f) Voucher systems. (1) The voucher system must be utilized to 
verify the authenticity of each voucher or coupon redeemed.
    (2) If the voucher is valid, the patron is paid the appropriate 
amount.
    (3) Procedures must be established and implemented to document the 
payment of a claim on a voucher that is not physically available or a 
voucher that cannot be validated (e.g., mutilated, expired, lost, 
stolen, etc.).
    (i) If paid, appropriate documentation is retained for 
reconciliation purposes.
    (ii) Payment of a voucher for $50 or more, a supervisory employee 
must review the applicable voucher system, player interface or other 
transaction history records to verify the validity of the voucher and 
initial the voucher or documentation prior to payment.
    (4) Vouchers redeemed must remain in the cashier's accountability 
for reconciliation purposes. The voucher redemption system reports must 
be used to ensure all paid vouchers have been validated.
    (5) Vouchers paid during a period while the voucher system is 
temporarily out of operation must be marked ``paid'', initialed and 
dated by the cashier. If the voucher is greater than a predetermined 
amount approved (not to exceed $500), a supervisory employee must 
approve the payment and evidence that approval by initialing the 
voucher prior to payment.
    (6) Paid vouchers are maintained in the cashier's accountability 
for reconciliation purposes.
    (7) Upon restored operation of the voucher system, vouchers 
redeemed while the voucher system was temporarily out of operation must 
be validated as expeditiously as possible.
    (8) Unredeemed vouchers can only be voided in the voucher system by 
supervisory employees. The supervisory employee completing the void 
must clearly mark ``void'' across the face of the voucher and sign 
across the face of the voucher, if available. The accounting department 
will maintain the voided voucher, if available.
    (g) Patron accounts and cashless systems. (1) All smart cards 
(i.e., cards that possess the means to electronically store or retrieve 
data) that maintain the only source of account data are prohibited.
    (2) For patron deposit accounts the following standards must apply:
    (i) For each patron deposit account, an agent must:
    (A) Require the patron to personally appear at the gaming 
operation;
    (B) Record the type of identification credential examined, the 
credential number, the expiration date of credential, and the date 
credential was examined. (Note: A patron's driver's license is the 
preferred method for verifying the patron's identity. A passport, non-
resident alien identification card, other government issued 
identification credential or another picture identification credential 
normally acceptable as a means of identification when cashing checks, 
may also be used.);
    (C) Record the patron's name and may include another identifier 
(e.g., nickname, title, etc.) of the patron, if requested by patron;
    (D) Record a unique identity for each patron deposit account;
    (E) Record the date the account was opened; and
    (F) Provide the account holder with a secure method of access to 
the account.
    (ii) Patron deposit accounts must be established for patrons at 
designated areas of accountability and the creation of the account must 
meet all the controls of paragraph (g)(2)(i) of this section when the 
patron makes an initial deposit of cash or cash equivalents.
    (iii) If patron deposit account adjustments may be made by the 
operation, the operation must be authorized by the account holder to 
make necessary adjustments. This requirement can be met through the 
collection of a single authorization that covers the life of the patron 
deposit account.
    (iv) Patron deposits & withdrawals. (A) Prior to the patron making 
a

[[Page 60505]]

withdrawal from a patron deposit account, the cashier must verify the 
identity of the patron and availability of funds. Reliance on a secured 
PIN entered by the patron is an acceptable method of verifying patron 
identity.
    (B) A multi-part deposit/withdrawal record must be created when the 
transaction is processed by a cashier, including;
    (1) Same document number on all copies;
    (2) Type of transaction, deposit or withdrawal;
    (3) Name or other identifier of the patron;
    (4) At least the last four digits of the account identifier;
    (5) Patron signature for withdrawals, unless a secured PIN is 
utilized by the patron;
    (6) Date of transaction;
    (7) Dollar amount of transaction;
    (8) Nature of deposit or withdrawal (e.g., cash, check, chips); and
    (9) Signature of the cashier processing the transaction.
    (C) A copy of the transaction record must be secured for 
reconciliation of the cashier's bank for each shift. All transactions 
involving patron deposit accounts must be accurately tracked.
    (D) The copy of the transaction record must be forwarded to the 
accounting department at the end of the gaming day.
    (E) When a cashier is not involved in the deposit/withdrawal of 
funds, procedures must be established that safeguard the integrity of 
the process used.
    (v) Patron Deposit Account Adjustments. (A) Adjustments to the 
patron deposit accounts must be performed by an agent.
    (B) A record must be created when the transaction is processed, 
including;
    (1) Unique transaction identifier;
    (2) Type of transaction, adjustment;
    (3) Name or other identifier of the patron;
    (4) At least the last four digits of the account identifier;
    (5) Date of transaction;
    (6) Dollar amount of transaction;
    (7) Reason for the adjustment; and
    (8) Signature or unique identifier for the agent who made the 
adjustment.
    (C) The transaction record must be forwarded to the accounting 
department at the end of the gaming day.
    (vi) Where available, systems reports that indicate the dollar 
amount of transactions for patron deposit accounts (e.g., deposits, 
withdrawals, account adjustments, etc.) that should be reflected in 
each cashier's accountability must be utilized at the conclusion of 
each shift in the reconciling of funds.
    (vii) Cashless transactions and electronic funds transfers to and 
from patron deposit accounts must be recorded and maintained at the end 
of the gaming operations specified 24-hour accounting period.
    (viii) Procedures must be established to maintain a detailed record 
for each patron deposit account that includes the dollar amount of all 
funds deposited and withdrawn, account adjustments made, and the 
transfers to or from player interfaces.
    (ix) Detailed patron deposit account transaction records must be 
available to the patron upon reasonable request and to the tribal 
gaming regulatory authority upon request.
    (x) Only dedicated gaming operation bank accounts must be used to 
record electronic funds transfers to or from the patron deposit 
accounts. Gaming operation bank accounts dedicated to electronic funds 
transfers to or from the patron deposit accounts must not be used for 
any other types of transactions.
    (3) For promotional and other accounts the following standards must 
apply:
    (i) Changes to promotional and other accounts must be performed by 
an agent.
    (ii) The following standards apply if a player tracking system is 
utilized:
    (A) In the absence of the patron, modifications to balances on a 
promotional or other account must be made under the authorization of 
supervisory employees and must be sufficiently documented (including 
substantiation of reasons for modification). Modifications are randomly 
verified by independent agents on a quarterly basis. This standard does 
not apply to the deletion of balances related to inactive or closed 
accounts through an automated process.
    (B) Access to inactive or closed accounts is restricted to 
supervisory employees.
    (C) Patron identification is required when redeeming values.
    Reliance on a secured PIN by the patron is an acceptable method of 
verifying patron identification.
    (h) Promotions. (1) The conditions for participating in promotional 
programs, including drawings and giveaway programs must be approved and 
available for patron review at the gaming operation.
    (2) Changes to the player tracking systems, promotional accounts, 
promotion and external bonusing system parameters which control 
features such as the awarding of bonuses, the issuance of cashable 
credits, non-cashable credits, coupons and vouchers, must be performed 
under the authority of supervisory employees, independent of the 
department initiating the change. Alternatively, the changes may be 
performed by supervisory employees of the department initiating the 
change if sufficient documentation is generated and the propriety of 
the changes are randomly verified by supervisory employees independent 
of the department initiating the change on a monthly basis.
    (3) All other changes to the player tracking system must be 
appropriately documented.
    (4) All relevant controls from Sec. 543.16 of this part will apply.
    (i) Accounting. (1) Accounting/audit standards. (i) Accounting/
auditing procedures must be performed by agents who are independent of 
the persons who performed the transactions being reviewed.
    (ii) All accounting/audit procedures and actions must be documented 
(e.g., log, checklist, investigations and notation on reports), 
maintained for inspection and provided to the tribal gaming regulatory 
authority upon request.
    (iii) Accounting/audit procedures must be performed reviewing 
transactions for relevant accounting periods, including a 24-hour 
accounting period and reconciled in total for those time periods.
    (iv) Accounting/audit procedures must be performed within seven 
days of the transaction's occurrence date being reviewed.
    (v) Accounting/audit procedures must be in place to review 
variances related to bingo accounting data, which must include at a 
minimum any variance noted by the Class II gaming system for cashless 
transactions in and out, electronic funds transfer in and out, external 
bonus payouts, vouchers out and coupon promotion out.
    (vi) At least monthly, an accounting/audit agent must confirm that 
the appropriate investigation has been completed for the review of 
variances.
    (2) Audit tasks to be performed for each day's business.
    (i) Records of bingo card sales must be reviewed for proper 
authorization, completion and accurate calculations.
    (ii) Manual payout summary report, if applicable, must be reviewed 
for proper authorizations, completion, accurate calculations, and 
authorization confirming manual payout summary report totals.
    (iii) A random sampling of records of manual payouts must be 
reviewed for proper authorizations and completion for manual payouts 
less than $1,200.

[[Page 60506]]

    (iv) Records of all manual prize payouts of $1,200 or more must be 
reviewed for proper authorizations and completion.
    (v) Where manual payout information is available per player 
interface, records of manual payouts must be reviewed against the 
recorded manual payout amounts per player interface.
    (vi) Manual payout forms must be reconciled to each cashier's 
accountability documents and in total for each relevant period (e.g., 
session, shift, day, etc.).
    (vii) Records of voided manual payouts must be reviewed for proper 
authorization and completion.
    (viii) Records of voided bingo cards must be reviewed for proper 
authorization and completion.
    (ix) Use of controlled forms must be reviewed to ensure each form 
is accounted for.
    (x) Where bingo sales are available per player interface, bingo 
sales must be reviewed for reasonableness.
    (xi) Amount of financial instruments accepted per financial 
instrument type and per financial instrument acceptor must be reviewed 
for reasonableness, to include but not limited to zero amounts.
    (xii) Where total prize payouts are available per player interface, 
total prize payouts must be reviewed for reasonableness.
    (xiii) Amount of financial instruments dispensed per financial 
instrument type and per financial instrument dispenser must be reviewed 
for reasonableness, to include but not limited to zero amounts.
    (xiv) For a random sampling, foot the vouchers redeemed and trace 
the totals to the totals recorded in the voucher system and to the 
amount recorded in the applicable cashier's accountability document.
    (xv) Daily exception information provided by systems used in the 
operation of bingo must be reviewed for propriety of transactions and 
unusual occurrences.
    (xvi) Ensure promotional coupons which are not financial 
instruments are properly cancelled to prevent improper recirculation.
    (xvii) Reconcile all parts of the form used to document transfers 
that increase/decrease the inventory of an accountability (includes 
booths and any other accountability areas).
    (xviii) Reconcile voucher liability (e.g., issued-voided-redeemed-
expired = unpaid) to the voucher system records.
    (xix) The total of all patron deposit accounts must be reconciled, 
as follows:
    (A) A report must be generated that details each day's beginning 
and ending balance of patron deposit accounts, adjustments to patron 
deposit accounts, and all patron deposit account transactions.
    (B) Reconcile the beginning and ending balances to the summary of 
manual deposit/withdrawal and account adjustment documentation to the 
patron deposit account report.
    (xx) Reconcile each day's patron deposit account liability (e.g., 
deposits  adjustments-withdrawals = total account balance) 
to the system records.
    (xxi) Reconcile electronic funds transfers to the cashless system 
records, the records of the outside entity which processed the 
transactions and the operations dedicated cashless account bank 
records.
    (xxii) Accounting data used in performance analysis may only be 
altered to correct amounts that were determined to be in error. When 
correcting accounting data, the correct amount must be indicated in any 
Class II gaming system exception reports generated.
    (xxiii) Accounting/auditing agents must reconcile the audited bingo 
totals report to the audited bingo accounting data for each day.
    (xxiv) Accounting/auditing agents must ensure each day's bingo 
accounting data used in performance reports has been audited and 
reconciled.
    (xxv) If the Class II gaming system produces exception reports they 
must be reviewed on a daily basis for propriety of transactions and 
unusual occurrences.
    (3) Audit tasks to be performed at relevant periods:
    (i) Financial instrument acceptor data must be recorded immediately 
prior to or subsequent to a financial instrument acceptor drop. The 
financial instrument acceptor amount-in data must be recorded at least 
weekly. The time between recordings may extend beyond one week in order 
for a recording to coincide with the end of an accounting period only 
if such extension is for no longer than six additional days.
    (ii) When a player interface is removed from the floor, the 
financial instrument acceptor contents must be protected to prevent the 
misappropriation of stored funds.
    (iii) When a player interface is permanently removed from the 
floor, the financial instrument acceptor contents must be counted and 
recorded.
    (iv) For currency interface systems, accounting/auditing agents 
must make appropriate comparisons of system generated count as recorded 
in the statistical report at least one drop period per month. 
Discrepancies must be resolved prior to generation/distribution of 
reports.
    (v) For each drop period, accounting/auditing agents must compare 
the amount-in per financial instrument accepted by the financial 
instrument acceptors to the drop amount counted for the period. 
Discrepancies must be resolved before the generation/distribution of 
statistical reports.
    (vi) Investigation must be performed for any one player interface 
having an unresolved drop variance in excess of an amount that is both 
more than $25 and at least three percent (3%) of the actual drop. The 
investigation performed and results of the investigation must be 
documented, maintained for inspection, and provided to the tribal 
gaming regulatory authority upon request.
    (vii) The results of a variance investigation, including the date 
and personnel involved in any investigation, will be documented in the 
appropriate report and retained. The results will also include any 
corrective action taken (e.g., accounting data storage component 
replaced, interface component repaired, software debugged, etc.). The 
investigation will be completed and the results documented within seven 
days of the day the variance was noted, unless otherwise justified.
    (viii) Procedures must be established and implemented to perform 
the following on a regular basis, at a minimum of monthly, and using 
predetermined thresholds:
    (A) Where the Class II gaming system is capable of providing 
information per player interface, identify and investigate player 
interfaces with total prize payouts exceeding bingo sales;
    (B) Where bingo sales is available per player interface, 
investigate any percentage of increase/decrease exceeding a 
predetermined threshold, not to exceed 20%, in total bingo sales as 
compared to a similar period of time that represents consistency in 
prior performance.
    (C) Investigate any exception noted in paragraphs (i)(3)(viii)(A) 
and (B) of this section and document the findings. The investigation 
may include procedures to review one or more of the following:
    (1) Verify days on floor are comparable.
    (2) Non-prize payouts for authenticity and propriety.
    (3) Player interface out of service periods.
    (4) Unusual fluctuations in manual payouts.
    (D) If the investigation does not identify an explanation for 
exceptions then a physical check procedure must be performed, as 
required by paragraph (i)(3)(viii)(E) of this section.

[[Page 60507]]

    (E) Document any investigation of unresolved exceptions using a 
predefined player interface physical check procedure and checklist, to 
include a minimum of the following as applicable:
    (1) Verify game software;
    (2) Verify player interface configurations;
    (3) Test amount in accounting data for accuracy upon insertion of 
financial instruments into the financial instrument acceptor;
    (4) Test amount out accounting data for accuracy upon dispensing of 
financial instruments from the financial instrument dispenser;
    (5) Record findings and repairs or modifications made to resolve 
malfunctions, including date and time, player interface identifier and 
signature of the agent performing the player interface physical check, 
and additional signatures as required; and
    (6) Maintain player interface physical check records, either in 
physical or electronic form, for the period prescribed by the 
procedure.
    (ix) For Class II gaming systems, procedures must be performed at 
least monthly to verify that the system accounting data is accurate.
    (x) For Tier C, at least weekly:
    (A) Financial instruments accepted at a kiosk must be removed and 
counted by at least two agents; and
    (B) Kiosk transactions must be reconciled to the beginning and 
ending balances for each kiosk.
    (xi) At the conclusion of a promotion, accounting/audit agents must 
perform procedures (e.g., interviews, review of payout documentation, 
etc.) to ensure that promotional prize payouts, drawings, and giveaway 
programs are conducted in accordance with the rules provided to the 
patrons.
    (4) Inter-tribal prize pools. Procedures must be established and 
implemented to govern the participation in inter-tribal prize pools, 
which at a minimum must include the review, verification and 
maintenance of the following records, which must be made available, 
within a reasonable time of the request, to the tribal gaming 
regulatory authority upon request:
    (i) Summary of contributions in total made to an inter-tribal prize 
pool;
    (ii) Summary of disbursements in total from an inter-tribal prize 
pool; and
    (iii) Summary of inter-tribal prize pool funds availability.
    (5) Performance Analysis. (i) Bingo performance data must be 
recorded at the end of the gaming operations specified 24-hour 
accounting period. Such data must include:
    (A) Amount-in and amount-out for each Class II gaming system.
    (B) The total value of all financial instruments accepted by the 
Class II gaming system by each financial instrument acceptor and by 
each financial instrument type.
    (C) The total value of all financial instruments dispensed by the 
Class II gaming system and by each financial instrument type.
    (D) The total value of all manual payouts by each Class II gaming 
system.
    (E) The total value of bingo purchases for each Class II gaming 
system.
    (F) The total value of prizes paid for each Class II gaming system.
    (ii) Procedures must be established and implemented that ensure the 
reliability of the performance data.
    (iii) Upon receipt of the summary of the data, the accounting 
department must review it for reasonableness using pre-established 
parameters defined by the gaming operation.
    (iv) An agent must record and maintain all required data before and 
after any maintenance or modifications that involves the clearing of 
the data (e.g., system software upgrades, data storage media 
replacement, etc.). The information recorded must be used when 
reviewing performance reports to ensure that the maintenance or 
modifications did not improperly affect the data in the reports.
    (6) Statistical reporting. (i) The bingo sales, prize payouts, 
bingo win, and actual bingo win percentages must be recorded for:
    (A) Each shift or session;
    (B) Each day;
    (C) Month-to-date; and
    (D) Year-to-date or fiscal year-to-date.
    (ii) A monthly comparison for reasonableness must be made of the 
amount of bingo paper sold from the bingo paper control log to the 
amount of bingo paper sales revenue recognized.
    (iii) Management employees independent of the bingo department must 
review bingo statistical information on at least a monthly basis.
    (iv) Agents independent of the bingo department must investigate 
any large or unusual statistical fluctuations, as defined by the gaming 
operation.
    (v) Such investigations must be documented, maintained for 
inspection, and provided to the tribal gaming regulatory authority upon 
request.
    (vi) The actual bingo win percentages used in the statistical 
reports should not include operating expenses (e.g., a percentage 
payment to administrators of inter-tribal prize pools), promotional 
prize payouts or bonus payouts not included in the prize schedule.
    (7) Progressive prize pools. (i) A display that shows the amount of 
the progressive prize must be conspicuously displayed at or near the 
player interface(s) to which the prize applies.
    (ii) At least once each day, each gaming operation must record the 
total amount of each progressive prize pool offered at the gaming 
operation on the progressive log.
    (iii) When a manual payment for a progressive prize is made from a 
progressive prize pool, the amount must be recorded on the progressive 
log.
    (iv) Each gaming operation must record, on the progressive log, the 
base reset amount of each progressive prize the gaming operation 
offers.
    (v) Procedures must be established and implemented specific to the 
transfer of progressive amounts in excess of the base reset amount to 
other awards or prizes. Such procedures may also include other methods 
of distribution that accrue to the benefit of the gaming public.


Sec. Sec.  543.8-543.15  [Reserved]


Sec.  543.16  What are the minimum internal controls for information 
technology?

    (a) Physical security measures restricting access to agents, 
including vendors, must exist over the servers, including computer 
terminals, storage media, software and data files to prevent 
unauthorized access and loss of integrity of data and processing.
    (b) Unauthorized individuals must be precluded from having access 
to the secured computer area(s).
    (c) User controls. (1) Computer systems, including application 
software, must be secured through the use of passwords or other 
approved means.
    (2) Procedures must be established and implemented to ensure that 
management or independent agents assign and control access to computer 
system functions.
    (3) Passwords must be controlled as follows unless otherwise 
addressed in the standards in this section.
    (i) Each user must have his or her own individual user 
identification and password.
    (ii) When an individual has multiple user profiles, only one user 
profile per application may be used at a time.
    (iii) Passwords must be changed at least quarterly with changes 
documented. Documentation is not required if the system prompts users 
to change passwords and then denies access if the change is not 
completed.
    (iv) The system must be updated to change the status of terminated 
users from active to inactive status within 72 hours of termination.
    (v) At least quarterly, independent agents must review user access 
records for appropriate assignment of access and

[[Page 60508]]

to ensure that terminated users do not have access to system functions.
    (vi) Documentation of the quarterly user access review must be 
maintained.
    (vii) System exception information (e.g., changes to system 
parameters, corrections, overrides, voids, etc.) must be maintained.
    (4) Procedures must be established and implemented to ensure access 
listings are maintained which include at a minimum:
    (i) User name or identification number (or equivalent); and
    (ii) Listing of functions the user can perform or equivalent means 
of identifying same.
    (d) Adequate backup and recovery procedures must be in place that 
include:
    (1) Daily backup of data files--(i) Backup of all programs. Backup 
of programs is not required if the program can be reinstalled.
    (ii) Secured storage of all backup data files and programs, or 
other adequate protection to prevent the permanent loss of any data.
    (iii) Backup data files and programs may be stored in a secured 
manner in another building that is physically separated from the 
building where the system's hardware and software are located. They may 
also be stored in the same building as the hardware/software as long as 
they are secured in a fireproof safe or some other manner that will 
ensure the safety of the files and programs in the event of a fire or 
other disaster.
    (2) Recovery procedures must be tested on a sample basis at least 
annually with documentation of results.
    (e) Access records. (1) Procedures must be established to ensure 
computer access records, if capable of being generated by the computer 
system, are reviewed for propriety for the following at a minimum:
    (i) Class II gaming systems;
    (ii) Accounting/auditing systems;
    (iii) Cashless systems;
    (iv) Voucher systems;
    (v) Player tracking systems; and
    (vi) External bonusing systems.
    (2) If the computer system cannot deny access after a predetermined 
number of consecutive unsuccessful attempts to log on, the system must 
record unsuccessful log on attempts.
    (f) Remote access controls. (1) For computer systems that can be 
accessed remotely, the written system of internal controls must 
specifically address remote access procedures including, at a minimum:
    (i) Record the application remotely accessed, authorized user's 
name and business address and version number, if applicable;
    (ii) Require approved secured connection;
    (iii) The procedures used in establishing and using passwords to 
allow authorized users to access the computer system through remote 
access;
    (iv) The agents involved and procedures performed to enable the 
physical connection to the computer system when the authorized user 
requires access to the system through remote access; and
    (v) The agents involved and procedures performed to ensure the 
remote access connection is disconnected when the remote access is no 
longer required.
    (2) In the event of remote access, the information technology 
employees must prepare a complete record of the access to include:
    (i) Name or identifier of the employee authorizing access;
    (ii) Name or identifier of the authorized user accessing system;
    (iii) Date, time, and duration of access; and
    (iv) Description of work performed in adequate detail to include 
the old and new version numbers, if applicable of any software that was 
modified, and details regarding any other changes made to the system.

     Dated: September 24, 2008.
Philip N. Hogen,
Chairman.
Norman H. DesRosiers,
Vice Chairman.
 [FR Doc. E8-23081 Filed 10-9-08; 8:45 am]
BILLING CODE 7565-01-P