[Federal Register Volume 77, Number 106 (Friday, June 1, 2012)]
[Proposed Rules]
[Pages 32444-32465]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-12991]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE INTERIOR
National Indian Gaming Commission
25 CFR Part 543
RIN 3141-AA27
Minimum Internal Control Standards
AGENCY: National Indian Gaming Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The National Indian Gaming Commission (NIGC) proposes to amend
its minimum internal control standards for Class II gaming under the
Indian Gaming Regulatory Act to reorder the sections, delete commonly
understood definitions, add and amend existing definitions; amend the
term ``variance'' as it applies to establishing an alternate minimum
standard; amend the bingo, pull-tab, information and technology
sections to reflect technological advances; delete references to
``unrestricted player accounts''; and consolidate the revenue audit and
audit and accounting procedures into their respective sections.
DATES: Submit comments on or before July 31, 2012.
ADDRESSES: You may submit comments by any one of the following methods,
however, please note that comments sent by electronic mail are strongly
encouraged.
[ssquf] Email comments to: [email protected].
[ssquf] Mail comments to: National Indian Gaming Commission, 1441 L
Street NW., Suite 9100, Washington, DC 20005.
[ssquf] Hand deliver comments to: 1441 L Street NW., Suite 9100,
Washington, DC 20005.
[ssquf] Fax comments to: National Indian Gaming Commission at 202-
632-0045.
FOR FURTHER INFORMATION CONTACT: National Indian Gaming Commission,
1441 L Street NW., Suite 9100, Washington, DC 20005. Telephone: 202-
632-7009; email: [email protected].
SUPPLEMENTARY INFORMATION:
I. Comments Invited
Interested parties are invited to participate in this proposed
rulemaking by submitting such written data, views, or arguments as they
may desire. Comments that provide the factual basis supporting the
views and suggestions presented are particularly helpful in developing
reasoned regulatory decisions on the proposal.
II. Background
The Indian Gaming Regulatory Act (IGRA or Act), Public Law 100-497,
25 U.S.C. 2701 et seq., was signed into law on October 17, 1988. The
Act establishes the NIGC and sets out a comprehensive framework for the
regulation of gaming on Indian lands. On January 5, 1999, the NIGC
published a final rule in the Federal Register called Minimum Internal
Control Standards. 64 FR 590. The rule added a new part to the
Commission's regulations establishing Minimum Internal Control
Standards (MICS) to reduce the risk of loss because of customer or
employee access to cash and cash equivalents within a casino. The rule
contains standards and procedures that govern cash handling,
documentation, game integrity, auditing, surveillance, and variances,
as well as other areas.
The Commission recognized from their inception that the MICS would
require periodic review and updates to keep pace with technology, and
has amended them three times since: June 27, 2002 (67 FR 43390), August
12, 2005 (70 FR 47108), and October 10, 2008 (73 FR 60498). In addition
to making updates to account for advances in technology, the 2008 MICS
also included part 543 and began the process of relocating all Class II
controls into that part. These MICS do not classify games as Class II
or Class III; rather, they provide minimum controls for gaming that is
assumed to be Class II.
On November 18, 2010, the NIGC issued a Notice of Inquiry and
Notice of Consultation (NOI) advising the public that the NIGC was
conducting a comprehensive review of its regulations and requesting
public comment on which of its regulations were most in need of
revision, in what order the Commission should review its regulations,
and the process NIGC should utilize to make revisions. 75 FR 70680
(Nov. 18, 2010). On April 4, 2011, after consulting with tribes and
reviewing all comments, NIGC published a Notice of Regulatory Review
Schedule (NRR) setting out a consultation schedule and process for
review. 76 FR 18457. The Commission's
[[Page 32445]]
regulatory review process established a tribal consultation schedule
with a description of the regulation groups to be covered at each
consultation. This part 543 was included in this regulatory review.
III. Development of the Proposed Rule
The Commission consulted with tribes as part of its review of part
543. In response to comments received, the Commission appointed a
Tribal Advisory Committee (TAC) to review and recommend changes to part
543. The TAC submitted its recommendations for part 543 on February 14,
2012.
The Commission developed a preliminary discussion draft based upon
recommendations from current and previous TACs, NIGC staff and subject
matter experts. The Commission published the preliminary draft on its
Web site on March 16, 2012, and requested that all comments from the
public be provided to the Agency by April, 27, 2012. The Commission
consulted with tribes on the discussion draft in Mayetta, Kansas, on
March 22, 2012, and San Diego, California, on April 5, 2012.
Part 543 addresses minimum internal control standards (MICS) for
Class II gaming operations. The regulations require tribes to establish
controls and implement procedures at least as stringent as those
described in this part to maintain the integrity of the gaming
operation and minimize the risk of theft.
The MICS were last amended in 2009, in the first phase of a multi-
phase process of revising the MICS and separating Class II and III
controls. This proposed rule furthers that multi-phase process and
includes amendments to update the MICS to reflect widespread
technological advances in the industry.
A. General Comments
Commenters generally stated that the discussion draft is an
improvement over the current MICS. Some commenters noted that these
regulations provide tribes with more flexibility than the existing MICS
or the 2010 proposal, but many stated that part 543 should be drafted
to provide even more flexibility to tribal regulators and gaming
operations. Commenters suggested removing the procedural requirements
and measuring compliance by the extent to which tribes have
successfully achieved a regulatory standard, rather than the extent to
which tribes have followed step-by-step procedures in the MICS. The
Commission declines to take this approach, and believes that the
standards set forth in this part are both appropriate and sufficiently
detailed to be implemented by tribes.
Additionally, some commenters requested that NIGC reference IRS
regulations when establishing validation and verification thresholds
throughout this part. Although the thresholds are the same in both the
MICS and in IRS reporting requirements, the relationship is merely one
of convenience for the operations. The intent of the thresholds in the
MICS would be unaffected by any prospective change in IRS regulations.
Moreover, referencing another agency's regulations could create
unnecessary jurisdictional confusion. For these reasons, the Commission
declines to reference IRS regulations in the proposed rule.
Finally, some commenters noted inconsistent language and use of the
supervision provisions throughout the proposed rule. The Commission has
revised each section accordingly, with the exception of the information
and technology section, which requires additional detailed controls and
segregation of duties because information and technology flows across
all departments.
B. Interpretive Provisions
Commenters suggested adding three interpretive provisions to Sec.
543.3. First, commenters requested that the Commission include a
provision stating that nothing in this part is intended to limit
technology. The Commission agrees that nothing in this part is intended
to limit technology, but believes that such a provision is properly
located in the technical standards rather than control standards. The
Commission invites further comment on specific ways in which the MICS
may inadvertently limit technology.
Next, commenters recommended that the Commission include a section
specifying that only applicable control standards apply. The Commission
agrees and has changed Sec. 543.3(b) of this proposed rule to require
TGRAs to ensure that ``TICS are established and implemented that
provide a level of control that equals or exceeds the applicable
standards set forth in this part.'' (emphasis added). If a standard is
not applicable, a TGRA need not establish or implement TICS for it and
there will be no standard to apply.
Finally, some commenters advocated for the inclusion of a
severability clause to ensure that, should a court conclude that any
part of this regulation is invalid, such invalidity will not affect the
rest of the part. Although a severability clause appears in the current
technical standards, the Commission declines to incorporate a
severability clause in the proposed rule. Though the presence of
severability clause may give some indication of an agency's intent
regarding the severability of its regulations, ``severability clauses *
* * are not conclusive.'' Canterbury Liquors v. Sullivan, 999 F. Supp.
144 (D.MA. 1994). When interpreting a regulation, ``the ultimate
determination of severability will rarely turn on the presence or
absence of such a clause.'' Community for Creative Non-violence v.
Turner, 893 F. 2d 1387 (D.C. Cir. 1990), citing United States v.
Jackson, 390 U.S. 570, 585 n. 27 (1968).
The Commission declines to include a severability clause in this
regulation because it believes that the regulations are not so
intertwined that striking one provision would necessarily always
require invalidation of the entire part, and the lack of a severability
clause will not compel a court's finding on the issue.
C. Small Operations
Commenters requested clarification that the charitable gaming
operations described in 543.4 are not limited to those with a 501(c)(3)
designation. The Commission agrees that it does not intend to limit the
definition of charitable organizations to those with a 501(c)(3)
designation. For purposes of the MICS, an organization is charitable if
the regulating tribe recognizes it as such.
Nevertheless, the comment prompted close review of the charitable
organization exception. The Commission invites comment on whether there
is a practical difference or benefit for distinguishing charitable
operations from other small operations, or whether the small operation
provision sufficiently covers all operations, charitable or not, with
less than $3 million in gross gaming revenue.
D. Alternate Minimum Standard
Except when a TGRA institutes a stricter standard than those
contained in this part, if a TGRA wishes to use a different standard,
it may submit a request to the Chair for approval of an alternate
minimum standard. The discussion draft differed in terminology,
referring to an ``alternate control standard.'' Several commenters
expressed confusion over what is meant by an alternate control
standard. In response, the Commission revised the terminology to
clarify that there is no need to seek approval from the Chair where a
TGRA desires to implement
[[Page 32446]]
standards that exceed the level of control described in these MICS.
E. Bingo
Many comments expressed concern that the discussion draft separated
Class II gaming systems from manual bingo. The Commission agrees with
these commenters that ``bingo is bingo'' and there is no need to
separate them. For these reasons, the controls for bingo appear as a
consolidated section (Sec. 543.8) in the proposed rule.
Additionally, commenters suggested that the definition of ``agent''
should be expanded to allow computer applications to perform the
functions of an agent. The only provision cited in support of this
suggestion was Sec. 543.7(d)(3-4), which inadvertently required two
agents to verify and validate every gaming system payout. The proposed
rule corrects the language in Sec. 543.7(d) to provide that the system
may serve as one validator and verifier for manual payouts and the sole
verifier and validator for automatic payouts. Further, Sec. 543.3(e)
states that ``for any computer applications utilized, alternate
documentation or procedures that provide at least the level of control
established by the standards of this part, as approved by the TGRA,
will be acceptable.'' Therefore, the Commission declines to revise the
definition of agent at this time, but invites comment on whether
additional uses of the term agent may warrant amendment of the
definition.
F. Pull Tabs
The Commission received very few comments on the pull tabs section,
but one commenter expressed concern that the defacing requirement and
kiosk definition would prevent barcoded pull tabs from being redeemed
at kiosks. The Commission revised the definition of kiosk in the
proposed rule to specifically include machines with the capability to
redeem and reconcile pull tabs, if those machines also perform the
routine functions of a kiosk, such as accepting and generating cash-out
tickets and gaming credits. Further, the Commission is not limiting
technology to the barcode-reading machines referenced in the comment,
but has included a provision that allows for kiosks to redeem and
reconcile uniquely identified pull tabs (up to $600) without the need
for defacing, so long as the tabs are secured and destroyed after
removal from the kiosk in accordance with procedures approved by the
TGRA.
G. Card Games
The card games section contains standards for both promotional
tournament play and regular card room operations. One commenter
suggested that promotional and non-promotional funds should be treated
in the same way. The Commission disagrees. In promotional play, the
operation becomes the custodian of the entry fees; in regular play, the
players maintain control of their chips, which they may exchange for
value at any point. The custodial relationship is not present in
regular card play and, therefore, the controls need not be as
stringent. The need for stricter standards in promotional play is also
the reason for the difference in rule posting requirements (Sec. Sec.
543.10(f) and 543.10(g)(5)) cited by one commenter.
Another commenter expressed concern that the standards may allow
the card room to be unsupervised. At this time, the Commission has
chosen not to revise the standard because it is intended to be a
minimum. Nevertheless, the Commission acknowledges the concern and
requests further comment on whether further amendments to this section
are necessary.
H. Player Tracking, Gaming Promotions, and Complimentary Items
Commenters inquired why player tracking and gaming promotions were
combined into one section. The discussion draft and this proposed rule
combined the sections because player tracking and gaming promotions are
both high risk areas in the gaming industry that offer players awards
based upon gaming activity and a predetermined rule structure. The
Commission also notes that the two activities are often interrelated,
particularly when a player's game play tracking information is used to
determine eligibility for gaming promotions.
Many commenters recommended deleting the standards for player
tracking and gaming promotions, stating that they are non-gaming
activities. The Commission disagrees. Gaming promotions, as defined in
the proposed rule, require game play as a condition of eligibility. For
example, the promotions standards are not applicable to the type of
promotion in which a patron drops a free card into a tumbler drawing.
The promotions at issue are directly related to gaming activity and
are, therefore, within the scope of the Commission's authority to
establish Class II MICS.
Further, although player tracking systems may be useful for
gathering other customer data, their primary purpose is to track game
play and issue rewards based upon that play.
Because the player tracking and gaming promotions standards found
in this proposed rule require game play to become eligible for the
rewards, the Commission has concluded that they relate to gaming
activities and are within the scope of its authority.
I. Complimentary Items
Commenters have also recommended deletion of the complimentary
service or items (comps) section because they believe that it is not
directly related to gaming and therefore outside of the Commission's
authority. However, like player tracking rewards, comps are awarded to
induce gaming at the operation and are awarded based upon gaming
activity. Comps are also a high risk area for gaming operations if not
adequately controlled, but, unlike player tracking rewards, comps are
often granted based on agent discretion. Accordingly, the Commission
declines to delete the comps section from the proposed rule.
J. Patron Deposit Accounts
The proposed rule makes two corrections as a result of comments
received. First, it resolves a discrepancy between the smart card
definition and the patron deposit account standards by eliminating the
definitional requirement that smart cards be the only source of account
data. Second, it no longer lists ``adjustments'' as an example of a
change that patrons may make to their account. Additionally, to clarify
one commenter's concerns, personal identification numbers continue to
be acceptable forms of identification under Sec. 543.14(b)(1), despite
the deletion of the specific reference to them.
Some commenters suggested adding standards for unrestricted player
deposit accounts, but the Bank Secrecy Act prohibits access to accounts
without some form of identification. Therefore, the proposed rule does
not reference unrestricted accounts.
K. Lines of Credit
The Commission received few comments relating to lines of credit.
One commenter noted that the TAC recommended deleting this section.
Some operations issue lines of credit for gaming, and others, during
consultation, have mentioned that they have plans to issue lines of
credit in the future. The Commission invites additional comments on why
this section is unnecessary.
L. Drop and Count
Many commented generally that the section is too procedural and it
should be one, streamlined standard instead of
[[Page 32447]]
separated by game. The Commission agrees that this section is more
procedural than others. Drop and count is, however, a process, which
differs by game.
In response to comments received, the proposed rule contains
several edits from the preliminary draft. First, all references to
``soft count'' have been stricken and the section references only a
generic ``count.'' Next, physical access to the count room in Sec.
543.17(b) has been expanded to ``count team agents, designated staff,
and other authorized persons.'' This change is intended to allow access
for regulators, independent auditors, and emergency staff that are not
``agents'' of the operation. Similarly, emergency access to stored full
financial instrument storage components was expanded to authorized
``persons'' for addressing an emergency situation because fire
department or other emergency responders may not necessarily be
personnel of the gaming operation.
Some comments suggested using one term for both financial
instrument storage components and drop boxes. Although they serve the
same purpose, financial instrument storage components are an industry
term specific to player interfaces, while drop boxes are specific to
card tables. Applying either of the terms universally could create
confusion. Additionally, one commenter was concerned that the terms
``financial instrument storage component'' and ``bill-in meter'' may
limit the use of particular technologies. The Commission is interested
in hearing what specific technologies this may limit and potential
alternative terms.
Finally, one comment suggested that, for operations that do not
designate a supervisory count team member, a supervisor from the
department receiving the drop proceeds should be able to verify them.
The Commission disagrees, and notes that doing so would contravene the
intent of Sec. 543.17(f)(14), which requires that the receiving agents
have no knowledge of the drop proceeds total before it is verified, and
that the drop proceeds are not transferred with their documentation.
M. Cage, Vault, Kiosk, Cash and Cash Equivalents
This section describes the standards and documentation requirements
for securing and issuing money from the cage. Some comments advised
that the provisions addressing patron deposit accounts and gaming
promotions should be moved to their respective sections. The proposed
rule does not incorporate this suggested change because the patron
deposit and gaming promotion sections address the controls for those
programs generally, but the provisions in the cage section are specific
to the handling of those types of transactions by the cage. One
commenter suggested that the kiosk section is unnecessary. The
Commission disagrees. Kiosks function as automated cashiers. Therefore,
controls are necessary to ensure kiosks' integrity.
N. Information and Technology
In response to comments, the Commission reviewed the use of the
terms ``personnel'' and ``agents'' in this section, and extended the
independence provision to all agents, rather than the personnel of the
gaming operation. Commenters also requested clarification on the
reference to ``systems'' in the physical and logical security
provisions. The Commission agrees that ``systems'' might be confused
with Class II gaming systems, and has clarified the provisions by
adding the following definition of systems to the information
technology section: ``As used in this section only, a system is any
computerized system that is essential to the gaming environment. This
includes, but is not limited to, the server and peripherals for Class
II gaming systems, accounting, surveillance, essential phone systems,
and door access and warning systems.''
A commenter also suggested deleting the annual requirement for
testing recovery procedures. The Commission disagrees, and notes that
removing the phrase would not change the standard, because an
independent auditor conducts yearly reviews to determine whether each
requirement has been met.
O. Surveillance
Several commenters questioned the need for surveillance of a bingo
server, particularly where the server is located in a secure physical
location with controlled access. The Commission agrees that requiring
surveillance of a bingo server may be impractical, and that the
controls in the information and technology section are adequate
minimums to protect against tampering with a device and its software.
Specifically, the Commission points to the physical security standards
in Sec. 543.20(e), the logical security standards in Sec. 543.20(f),
the user controls in Sec. 543.20(g), and the remote access controls in
Sec. 543.20(i). Therefore, the Commission has deleted the bingo server
surveillance requirement from the proposed rule.
One commenter expressed concern that the one-year retention period
for surveillance footage of suspected crimes, suspicious activity, and
security detentions is arbitrary. The Commission notes that this
timeframe was adopted from Tribal Gaming Working Group guidance and
invites further comment on why the Commission should adopt a different
retention period.
One commenter also objected to the definition of sufficient
clarity, noting that it may unintentionally prohibit the use of
technology that does not use frames. The Commission appreciates this
comment and is interested in learning more about the specific types of
surveillance technology that may be excluded by requiring 20 frames per
second, and whether inclusion of the phrase ``or equivalent recording
speed'' would sufficiently address any potential limitations on
technology.
Finally, a commenter suggested that the MICS should specifically
require documentation of training and surveillance coverage of the
bingo board. The Commission appreciates these concerns. TGRAs may
include such standards as appropriate. With regard to surveillance of
bingo boards, the Commission believes that risks are adequately reduced
by the information technology section and part 547 technical standards
(for gaming system bingo and electronic card minders) and the presence
of a physical card (for manual bingo).
P. Audit and Accounting and Revenue Audit
Several commenters requested that the rule replace ``Commission''
with ``TGRA'' as the entity responsible for citing instances of
noncompliance in Sec. 543.23(c)(8). The Commission declines to make
this change, but agrees that it is entirely appropriate to add the
TGRA, and has done so in the proposed rule.
Some commenters requested that we clarify the requirement to record
journal entries by independent accountants, stating that independent
accountants do not keep journal entries. The Commission disagrees.
Independent CPAs regularly prepare what are referred to as ``audit
entries.'' They also sometimes prepare ``closing entries.'' Audit
entries and closing entries are specific types of journal entries that
are encompassed by the requirement of Sec. 543.23(b)(2)(iii). Further,
when ``independent accountant'' refers to an outsourced accountant or
accounting firm, the person or firm will prepare journal entries for
posting to the records in the same manner as accountants employed by
the operation.
Finally, one commenter requested clarification about whether a call
to the TGRA to schedule a test of the currency counter would constitute
an improper ``announcement'' of the test. A scheduling call to a
regulatory body,
[[Page 32448]]
particularly in cases where the test may be performed by that same
regulatory body, does not constitute an improper announcement under the
currency counter testing provision.
Regulatory Matters
Regulatory Flexibility Act
The proposed rule will not have a significant impact on a
substantial number of small entities as defined under the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq. Moreover, Indian Tribes are not
considered to be small entities for the purposes of the Regulatory
Flexibility Act.
Small Business Regulatory Enforcement Fairness Act
The proposed rule is not a major rule under 5 U.S.C. 804(2), the
Small Business Regulatory Enforcement Fairness Act. The rule does not
have an effect on the economy of $100 million or more. The rule will
not cause a major increase in costs or prices for consumers, individual
industries, Federal, State, local government agencies or geographic
regions, nor will the proposed rule have a significant adverse effect
on competition, employment, investment, productivity, innovation, or
the ability of the enterprises, to compete with foreign based
enterprises.
Unfunded Mandate Reform Act
The Commission, as an independent regulatory agency, is exempt from
compliance with the Unfunded Mandates Reform Act, 2 U.S.C. 1502(1); 2
U.S.C. 658(1).
Takings
In accordance with Executive Order 12630, the Commission has
determined that the proposed rule does not have significant takings
implications. A takings implication assessment is not required.
Civil Justice Reform
In accordance with Executive Order 12988, the Commission has
determined that the proposed rule does not unduly burden the judicial
system and meets the requirements of sections 3(a) and 3(b)(2) of the
Order.
National Environmental Policy Act
The Commission has determined that the proposed rule does not
constitute a major federal action significantly affecting the quality
of the human environment and that no detailed statement is required
pursuant to the National Environmental Policy Act of 1969, 42 U.S.C.
4321, et seq.
Paperwork Reduction Act
The information collection requirements contained in this proposed
rule were previously approved by the Office of Management and Budget
(OMB) as required by 44 U.S.C. 3501 et seq. and assigned OMB Control
Number 3141- 0012, which expired in August of 2011. The NIGC published
a notice to reinstate that control number on April 25, 2012. 77 FR
24731. There is no change to the paperwork created by this amendment.
Text of the Proposed Rules
For the reasons discussed in the Preamble, the Commission proposes
to amend the text of its regulations at 25 CFR Part 543 to read as
follows:
PART 543--MINIMUM INTERNAL CONTROL STANDARDS FOR CLASS II GAMING
Sec.
543.1 What does this part cover?
543.2 What are the definitions of this part?
543.3 How do tribal governments comply with this part?
543.4 Does this part apply to small and charitable gaming
operations?
543.5 How does a gaming operation apply to use an alternate control
standard from those set forth in this part?
543.6 [Reserved]
543.7 [Reserved]
543.8 What are the minimum internal control standards for bingo?
543.9 What are the minimum internal control standards for pull tabs?
543.10 What are the minimum internal control standards for card
games?
543.11 [Reserved]
543.12 What are the minimum internal control standards for gaming
promotions and player tracking systems?
543.13 What are the minimum internal control standards for
complimentary services or items?
543.14 What are the minimum internal control standards for patron
deposit accounts and cashless systems?
543.15 What are the minimum internal control standards for lines of
credit?
543.16 [Reserved]
543.17 What are the minimum internal control standards for drop and
count?
543.18 What are the minimum internal control standards for the cage,
vault, kiosk, cash and cash equivalents?
543.19 [Reserved]
543.20 What are the minimum internal control standards for
information technology and information technology data?
543.21 What are the minimum internal control standards for
surveillance?
543.22 [Reserved]
543.23 What are the minimum internal control standards for audit and
accounting?
543.24 What are the minimum internal control standards for revenue
audit?
543.25--543.49 [Reserved]
Authority: 25 U.S.C. 2702(2), 2706(b)(1-4), 2706(b)(10).
Sec. 543.1 What does this part cover?
This part establishes the minimum internal control standards for
the conduct of Class II games on Indian lands as defined in 25 U.S.C.
2701 et seq.
Sec. 543.2 What are the definitions for this part?
The definitions in this section apply to all sections of this part
unless otherwise noted.
Accountability. All financial instruments, receivables, and patron
deposits constituting the total amount for which the bankroll custodian
is responsible at a given time.
Agent. A person authorized by the gaming operation, as approved by
the TGRA, to make decisions or perform assigned tasks or actions on
behalf of the gaming operation.
Automatic payout. Payment issued by a machine.
Cage. A secure work area within the gaming operation for cashiers,
which may include a storage area for the gaming operation bankroll.
Chair. The Chair of the National Indian Gaming Commission.
Cash equivalents. Documents, financial instruments other than cash,
or anything else of representative value to which the gaming operation
has assigned a monetary value. A cash equivalent includes, but is not
limited to, tokens, chips, coupons, vouchers, payout slips and tickets,
and other items to which a gaming operation has assigned an exchange
value.
Cashless system. A system that performs cashless transactions and
maintains records of those cashless transactions.
Chips. Cash substitutes, in various denominations, issued by a
gaming operation.
Class II game. Class II gaming has the same meaning as defined in
25 U.S.C. 2703(7)(A).
Class II gaming system. All components, whether or not technologic
aids in electronic, computer, mechanical, or other technologic form,
that function together to aid the play of one or more Class II games,
including accounting functions mandated by these regulations or part
547 of this chapter.
Commission. The National Indian Gaming Commission, established by
the Indian Gaming Regulatory Act, 25 U.S.C. 2701 et seq.
Count. The act of counting and recording the drop and/or other
funds. Also, the total funds counted for a particular game, player
interface, shift, or other period.
[[Page 32449]]
Count room. A secured room location where the count is performed in
which the cash and cash equivalents are counted.
Dedicated camera. A video camera that continuously records a
specific activity.
Drop proceeds. The total amount of financial instruments removed
from drop boxes and financial instrument storage components.
Drop box. A locked container in which cash or cash equivalents are
placed at the time of a transaction.
Exception report. A listing of occurrences, transactions or items
that fall outside a predetermined range of acceptability.
Financial instrument. Any tangible item of value tendered in Class
II game play, including, but not limited to bills, coins, vouchers, and
coupons.
Gaming promotion. Any promotional activity or award that requires
game play as a condition of eligibility.
Generally Accepted Accounting Principles (GAAP). A widely accepted
set of rules, conventions, standards, and procedures for reporting
financial information, as established by the Financial Accounting
Standards Board (FASB), including, but not limited to, the standards
for casino accounting published by the American Institute of Certified
Public Accountants (AICPA).
Generally Accepted Auditing Standards (GAAS). A widely accepted set
of standards that provide a measure of audit quality and the objectives
to be achieved in an audit, as established by the Auditing Standards
Board of the American Institute of Certified Public Accountants
(AICPA).
Governmental Accounting Standards Board (GASB). Generally accepted
accounting principles used by state and local governments.
Independent. The separation of functions to ensure that the agent
or process monitoring, reviewing, or authorizing the controlled
activity, function, transaction is separate from the agents or process
performing the controlled activity, function, transaction.
Kiosk. A device capable of accepting or generating wagering or
cash-out tickets and/or wagering credits, and may be capable of
initiating electronic transfers of money to or from a customer account.
Kiosks may also be capable of redeeming and reconciling pull tabs.
Lines of credit. The privilege granted by a gaming operation to a
patron to (1) defer payment of debt or (2) to incur debt and defer its
payment under specific terms and conditions.
Manual payout. Hand payment to a player.
Marker. A document, signed by the patron, promising to repay credit
issued by the gaming operation.
MICS. Minimum internal control standards in this part.
Network communication equipment. A device or collection of devices
that controls data communication in a system including, but not limited
to, cables, switches, hubs, routers, wireless access points, landline
telephones and cellular telephones.
Patron. A person who is a customer or guest of the gaming operation
and may interact with a Class II game. Also may be referred to as a
``player.''
Patron deposit account. An account maintained on behalf of a
patron, for the deposit and withdrawal of funds for the primary purpose
of interacting with a gaming activity.
Player interface. Any component(s) of a Class II gaming system,
including an electronic or technological aid (not limited to terminals,
player stations, handhelds, fixed units, etc.), that directly enables
player interaction in a Class II game.
Prize payout. Payment to a player associated with a winning or
qualifying event.
Promotional progressive pots and/or pools. Funds contributed to a
game by and for the benefit of players that are distributed to players
based on a predetermined event.
Shift. A time period, unless otherwise approved by the tribal
gaming regulatory authority, not to exceed 24 hours.
Shill. An agent financed by the gaming operation and acting as a
player.
Smart card. A card with embedded integrated circuits that possesses
the means to electronically store or retrieve account data.
Sufficient clarity. The capacity of a surveillance system to record
images at a minimum of 20 frames per second and at a resolution
sufficient to clearly identify the intended activity, person, object,
or location.
Surveillance operation room(s). The secured area(s) where
surveillance takes place and/or where active surveillance equipment is
located.
Surveillance system. A system of video cameras, monitors,
recorders, video printers, switches, selectors, and other ancillary
equipment used for surveillance.
System of Internal Controls (SICS). An overall operational
framework for a gaming operation that incorporates principles of
independence and segregation of function, and is comprised of written
policies, procedures, and standard practices based on overarching
regulatory standards specifically designed to create a system of checks
and balances to safeguard the integrity of a gaming operation and
protect its assets.
Tier A. Gaming operations with annual gross gaming revenues of more
than $3 million but not more than $8 million.
Tier B. Gaming operations with annual gross gaming revenues of more
than $8 million but not more than $15 million.
Tier C. Gaming operations with annual gross gaming revenues of more
than $15 million.
TGRA. Tribal gaming regulatory authority which is the entity
authorized by tribal law to regulate gaming conducted pursuant to the
Indian Gaming Regulatory Act.
TICS. Tribal Internal Control Standards.
Vault. A secure area where cash and cash equivalents are stored.
Sec. 543.3 How do tribal governments comply with this part?
(a) Minimum standards. These are minimum standards and a TGRA may
establish and implement additional controls that do not conflict with
those set out in this part.
(b) TICS. TGRAs must ensure that TICS are established and
implemented that provide a level of control that equals or exceeds the
applicable standards set forth in this part.
(1) Evaluation of Existing TICS. Each TGRA must, in accordance with
the tribal gaming ordinance, determine whether and to what extent their
TICS require revision to ensure compliance with this part.
(2) Compliance Date. All changes necessary to ensure compliance
with this part must be promulgated within twelve months of the
effective date of this part and implemented at the commencement of the
next fiscal year. At the discretion of the TGRA, gaming operations may
have an additional six months to come into compliance with the TICS.
(c) SICS. Each gaming operation must develop and implement a SICS
that, at a minimum, comply with the TICS.
(1) Existing gaming operations. All gaming operations that are
operating on or before the effective date of this part, must comply
with this part within the time requirements established in paragraph
(b) of this section. In the interim, such operations must continue to
comply with existing TICS.
(2) New gaming operations. All gaming operations that commence
operations after the effective date of this part must comply with this
part before commencement of operations.
[[Page 32450]]
(d) Variances. Where referenced throughout this part, the TGRA must
set a reasonable threshold for when a variance must be reviewed to
determine the cause, and the results of the review must be documented
and maintained.
(e) Computer applications. For any computer applications utilized,
alternate documentation and/or procedures that provide at least the
level of control established by the standards of this part, as approved
in writing by the TGRA, will be acceptable.
(f) Determination of tier. (1) The determination of tier level will
be made based upon the annual gross gaming revenues indicated within
the gaming operation's audited financial statements.
(2) Gaming operations moving from one tier to another will have
nine months from the date of the independent certified public
accountant's audit report to achieve compliance with the requirements
of the new tier. The TGRA may extend the deadline by an additional six
months if written notice is provided to the Commission no later than
two weeks before the expiration of the nine month period.
(g) Submission to Commission. Tribal regulations promulgated
pursuant to this part are not required to be submitted to the
Commission pursuant to Sec. 522.3(b) of this chapter.
(h) Enforcement of Commission MICS. (1) Each TGRA is required to
establish and implement TICS pursuant to paragraph (b) of this section.
Each gaming operation is then required, pursuant to paragraph (c) of
this section, to develop and implement a SICS that complies with the
TICS. Failure to do so may subject the tribal operator of the gaming
operation, or the management contractor, to penalties under 25 U.S.C.
Sec. 2713.
(2) Enforcement action by the Commission will not be initiated
under this part without first informing the tribe and TGRA of
deficiencies in the SICS of its gaming operation and allowing a
reasonable period of time to address such deficiencies. Such prior
notice and opportunity for corrective action are not required where the
threat to the integrity of the gaming operation is immediate and
severe.
Sec. 543.4 Does this part apply to small and charitable gaming
operations?
(a) Small gaming operations. This part does not apply to small
gaming operations provided that:
(1) The TGRA permits the operation to be exempt from this part;
(2) The annual gross gaming revenue of the operation does not
exceed $3 million; and
(3) The TGRA develops, and the operation complies with, alternate
procedures that:
(i) Protect the integrity of games offered;
(ii) Safeguard the assets used in connection with the operation;
and
(iii) Create, prepare and maintain records in accordance with
Generally Accepted Accounting Principles.
(b) Charitable gaming operations. This part does not apply to
charitable gaming operations provided that:
(1) All proceeds are for the benefit of a charitable organization;
(2) The TGRA permits the charitable organization to be exempt from
this part;
(3) The charitable gaming operation is operated wholly by the
charitable organization's agents;
(4) The annual gross gaming revenue of the charitable operation
does not exceed $3 million; and
(5) The TGRA develops, and the charitable gaming operation complies
with, alternate procedures that:
(i) Protect the integrity of the games offered;
(ii) Safeguard the assets used in connection with the gaming
operation; and
(iii) Create, prepare and maintain records in accordance with
Generally Accepted Accounting Principles.
(c) Independent operators. Nothing in this section exempts gaming
operations conducted by independent operators for the benefit of a
charitable organization.
Sec. 543.5 How does a gaming operation apply to use an alternate
minimum standard from those set forth in this part?
(a) TGRA approval. (1) A TGRA may approve an alternate standard
from those required by this part if it has determined that the
alternate standard will achieve a level of security and integrity
sufficient to accomplish the purpose of the standard it is to replace.
(2) For each enumerated standard for which the tribal gaming
regulatory authority approves an alternate standard, it must submit to
the Chair within 30 days a detailed report, which must include the
following:
(i) An explanation of how the alternate standard achieves a level
of security and integrity sufficient to accomplish the purpose of the
standard it is to replace; and
(ii) The alternate standard as granted and the record on which it
is based.
(3) In the event that the TGRA or the tribal government chooses to
submit an alternate standard request directly to the Chair for joint
government to government review, the TGRA or tribal government may do
so without the approval requirement set forth in paragraph (a)(1) of
this section.
(b) Chair review. (1) The Chair may approve or object to an
alternate standard granted by a TGRA.
(2) Any objection by the Chair must be in writing and provide
reasons that the alternate standard, as approved by the TGRA, does not
provide a level of security or integrity sufficient to accomplish the
purpose of the standard it is to replace.
(3) If the Chair fails to approve or object in writing within 60
days after the date of receipt of a complete submission, the alternate
standard is considered approved by the Chair. The Chair may, upon
notification to the TGRA, extend this deadline an additional 60 days.
(4) No alternate standard may be implemented until it has been
approved by the TGRA pursuant to paragraph (a)(1) of this section or
the Chair has approved it pursuant to paragraph (b)(1) of this section.
(c) Appeal of Chair decision. A Chair's decision may be appealed
pursuant to 25 CFR Subchapter H.
Sec. 543.6 [Reserved]
Sec. 543.7 [Reserved]
Sec. 543.8 What are the minimum internal control standards for bingo?
(a) Supervision. Supervision must be provided as needed for bingo
operations by an agent(s) with authority equal to or greater than those
being supervised.
(b) Bingo Cards. (1) Physical bingo card inventory controls must
address the placement of orders, receipt, storage, issuance, removal,
and cancellation of bingo card inventory to ensure that:
(i) The bingo card inventory can be accounted for at all times; and
(ii) Bingo cards have not been marked, altered, or otherwise
manipulated.
(2) Receipt from supplier. (i) When bingo card inventory is
initially received from the supplier, it must be inspected (without
breaking the factory seals, if any), counted, inventoried, and secured
by an authorized agent.
(ii) Bingo card inventory records must include the date received,
quantities received, and the name of the individual conducting the
inspection.
(3) Storage. (i) Bingo cards must be maintained in a secure
location, accessible only to authorized agents, and with surveillance
coverage adequate to identify persons accessing the storage area,
(ii) For Tier A operations, bingo card inventory may be stored in a
cabinet, closet, or other similar area; however, such area must be
secured and separate from the working inventory.
[[Page 32451]]
(4) Issuance and Returns of Inventory. (i) Controls must be
established for the issuance and return of bingo card inventory.
Records signed by the issuer and recipient must be created under the
following events:
(A) Issuance of inventory from storage to a staging area;
(B) Issuance of inventory from a staging area to the cage or
sellers;
(C) Return of inventory from a staging area to storage; and
(D) Return of inventory from cage or seller to staging area or
storage.
(ii) [Reserved]
(5) Cancellation and removal. (i) Bingo cards removed from
inventory that are deemed out of sequence, flawed, or misprinted and
not returned to the supplier must be cancelled to ensure that they are
not utilized in the play of a bingo game. Bingo cards that are removed
from inventory and returned to the supplier or cancelled must be logged
as removed from inventory.
(ii) Bingo cards associated with an investigation must be retained
intact outside of the established removal and cancellation policy.
(6) Logs. (i) The inventory of bingo cards must be tracked and
logged from receipt until use or permanent removal from inventory.
(ii) The bingo card inventory record(s) must include:
(A) Date;
(B) Shift;
(C) Time;
(D) Location;
(E) Inventory received, issued, removed, and returned;
(F) Signature of agent performing transaction;
(G) Signature of agent performing the reconciliation;
(H) Any variance;
(I) Beginning and ending inventory; and
(J) Description of inventory transaction being performed.
(c) Bingo card sales. (1) Agents who sell bingo cards must not be
the sole verifier of bingo cards for prize payouts.
(2) Manual bingo card sales: In order to adequately record, track,
and reconcile sales of bingo cards, the following information must be
documented:
(i) Date;
(ii) Shift or session;
(iii) Number of bingo cards issued, sold, and returned;
(iv) Dollar amount of bingo card sales;
(v) Signature, initials, or identification number of the agent
preparing the record;
(vi) Signature, initials, or identification number of an
independent agent who verified the bingo cards returned to inventory
and dollar amount of bingo card sales.
(3) Bingo card sale voids must be processed in accordance with the
rules of the game and established controls that must include the
following:
(i) Patron refunds;
(ii) Adjustments to bingo card sales to reflect voids;
(iii) Adjustment to bingo card inventory;
(iv) Documentation of the reason for the void; and
(v) Authorization for all voids.
(4) Server Based Bingo card sales. In order to adequately record,
track and reconcile sales of bingo cards, the following information
must be documented from the server:
(i) Date;
(ii) Shift or session;
(iii) Number of bingo cards sold (this is not required if the
system does not track cards sold, but system limitation must be noted);
(iv) Dollar amount of bingo card sales; and
(v) Amount in, amount out and other associated meter information;
(d) Draw. (1) Controls must be established and procedures
implemented to ensure that all eligible objects used in the conduct of
the bingo game are available to be drawn and have not been damaged or
altered.
(i) Verification of physical objects must be performed by two
agents before the start of the first bingo game/session. At least one
of the verifying agents must be a supervisory agent or independent of
the bingo games department.
(ii) Where the selection is made through an electronic aid,
certification in accordance with 25 CFR part 547 is acceptable for
verifying the randomness of the draw.
(2) Controls must be established and procedures implemented to:
(i) Verify the identity of the objects as they are drawn;
(ii) Accurately record the drawn objects; and
(iii) Transmit the identity of the drawn objects to the
participants.
(3) Controls must be established and procedures implemented to
provide a method of recall of the draw, which includes the order and
identity of the objects drawn, for dispute resolution purposes.
(4) Verification and display of server based draw. Controls must be
established and procedures implemented to ensure that:
(i) The identity of each object drawn is accurately recorded and
transmitted to the participants. The procedures must identify the
method used to ensure the identity of each object drawn.
(ii) For all games offering a prize payout of $1,200 or more, as
the objects are drawn, the identity of the objects are immediately
recorded and maintained for a minimum of 24 hours.
(iii) Certification in accordance with 25 CFR part 547 is
acceptable for verifying the randomness of the draw.
(e) Prize payout. (1) Authorization or signatures.
(i) Controls must be established and procedures implemented to
prevent unauthorized access or misappropriation of cash or cash
equivalents by identifying the agent authorized (by position) to make a
payout and at the predetermined payouts levels for that position; and
(ii) Payout controls must ensure separate control of the cash
accountability functions;
(2) Verification of validity. Controls must be established and
procedures implemented to verify that the following is valid for the
game in play prior to payment of a winning prize:
(i) Winning card(s);
(ii) Objects drawn; and
(iii) The previously designated arrangement of numbers or
designations on such cards, as described in 25 U.S.C. 2703(7)(A).
(iv) At least two agents must verify that the card, objects drawn,
and previously designated arrangement were valid for the game in play.
(v) Where an automated verification method is available,
verification by such method is acceptable.
(3) Validation. (A) For manual payouts, at least two agents must
determine the validity of the claim prior to the payment of a prize.
The system may serve as one of the validators.
(B) For automatic payout, the system may serve as the sole
validator of the claim.
(4) Verification. (A) For manual payouts, at least two agents must
verify that the winning pattern has been achieved on the winning card
prior to the payment of a prize. The system may serve as one of the
verifiers.
(B) For automatic payouts, the system may serve as the sole
verifier that the pattern has been achieved on the winning card.
(5) Authorization and signatures. (i) At least two agents must
authorize, sign, and witness all manual prize payouts.
(ii) Manual prize payouts over a predetermined amount (not to
exceed $5,000 for a Tier A facility, $10,000 at a Tier B facility and
$20,000 for a Tier C facility, except for $50,000 for a Tier C facility
with over $100,000,000 in gross gaming revenues) must require one of
the two signatures and verifications to be a supervisory or
[[Page 32452]]
management employee independent of the operation of Class II Gaming
System Bingo.
(iii) This predetermined amount must be authorized by management,
approved by the tribal gaming regulatory authority, documented, and
maintained.
(iv) A Class II gaming system may substitute for one authorization/
signature verifying, validating or authorizing a winning card, but may
not substitute for a supervisory or management employee signature.
(6) Payout records, including manual payout records, must be
controlled to prevent unauthorized access, misappropriation, fraud or
forgery. Payout records must include the following information:
(i) Date and time;
(ii) Amount of the payout (alpha & numeric for player interface
payouts); and
(iii) Bingo card identifier or player interface identifier.
(iv) Manual payouts must also include the following:
(A) Game name or number;
(B) Description of pattern covered, such as cover-all or four
corners;
(C) Signature of all, but not less than two, agents involved in the
transaction;
(D) Overrides; (1) An authorized agent must compare the amount of
the prize at the player interface to the accounting system amount. If
the player interface amount is different than the accounting system
amount, an override may be necessary and, if so, must be properly
documented.
(2) Override transactions must be verified by a supervisory or
management agent independent of the transaction.
(E) Any other information necessary to substantiate the payout.
(7) Payouts must be witnessed and verified against the payout
record by an agent other than the agent issuing the payout.
(f) Cash and cash equivalent controls. (1) Procedures must be
implemented to prevent unauthorized access to, or fraudulent
transactions involving, cash or cash equivalents.
(2) Cash or cash equivalents exchanged between two persons must be
counted independently by at least two agents and reconciled to the
recorded amounts at the end of each shift or session. Unexplained
variances must be documented and maintained. Unverified transfers of
cash or cash equivalents are prohibited.
(3) Procedures must be implemented to control cash or cash
equivalents based on the amount of the transaction. These procedures
must include documentation by shift, session, or other relevant time
period of the following:
(i) Inventory, including any increases or decreases;
(ii) Transfers;
(iii) Exchanges, including acknowledging signatures or initials;
and
(iv) Resulting variances.
(4) Any change to control of accountability, exchange, or transfer
must require that the cash or cash equivalents be counted and recorded
independently by at least two agents and reconciled to the recorded
amount.
(g) Technologic aids to the play of bingo. Controls must be
established and procedures implemented to safeguard the integrity of
technologic aids to the play of bingo during installations, operations,
modifications, removal and retirements. Such procedures must include
the following:
(1) Shipping and receiving. (i) A communication procedure must be
established between the supplier, the gaming operation, and the TGRA to
properly control the shipping and receiving of all software and
hardware components. Such procedures must include:
(A) Notification of pending shipments must be provided to the TGRA
by the gaming operation;
(B) Certification in accordance with 25 CFR part 547 and approval
by TGRA prior to shipment;
(C) Notification from the supplier to the TGRA, or the gaming
operation as approved by the TGRA, of the shipping date and expected
date of delivery. The shipping notification must include:
(1) Name and address of the supplier;
(2) Description of shipment;
(3) For player interfaces: a serial number;
(4) For software: software version and description of software;
(5) Method of shipment; and
(6) Expected date of delivery.
(ii) Procedures must be implemented for the exchange of Class II
gaming system components for maintenance and replacement.
(iii) Class II gaming system components must be shipped in a secure
manner to deter unauthorized access.
(iv) The TGRA, or its designee, must receive all Class II gaming
system components and game play software packages, and verify the
contents against the shipping notification.
(2) Access credential control methods. (i) Controls must be
established to restrict access to the Class II gaming system
components, as set forth in Sec. 543.20, Information and Technology.
(ii) [Reserved]
(3) Recordkeeping and audit processes. (i) The gaming operation
must maintain the following records, as applicable, related to
installed game servers and player interfaces:
(A) Date placed into service;
(B) Date made available for play;
(C) Supplier;
(D) Software version;
(E) Serial number;
(F) Game title;
(G) Asset and/or location number;
(H) Seal number; and
(I) Initial meter reading.
(ii) Procedures must be implemented for auditing such records in
accordance with Sec. 543.23, Audit and Accounting.
(4) System software signature verification. (i) Procedures must be
implemented for system software verifications. These procedures must
include comparing signatures generated by the verification programs
required by 25 CFR 547.8, to the signatures provided in the independent
test laboratory letter for that software version.
(ii) An agent independent of the bingo operation must perform
system software signature verification(s) to verify that only approved
software is installed.
(iii) Procedures must be implemented for investigating and
resolving any software verification variances.
(iv) Internal audits must be conducted as set forth in Sec.
543.23, Audit and Accounting. Such audits must be documented.
(5) Testing. (i) Testing must be completed during the installation
process to verify that the player interface has been properly
installed. This must include testing of the following, as applicable:
(A) Communication with the Class II gaming system;
(B) Communication with the accounting system;
(C) Communication with the player tracking system;
(D) Currency and vouchers to bill acceptor;
(E) Voucher printing;
(F) Meter incrementation;
(G) Pay table, for verification;
(H) Player interface denomination, for verification;
(I) All buttons, to ensure that all are operational and programmed
appropriately;
(J) System components, to ensure that they are safely installed at
location; and
(K) Locks, to ensure that they are secure and functioning.
(6) Display of Rules and Necessary Disclaimers. The TGRA or the
operation must verify that all game rules and disclaimers are displayed
at all times or made readily available to the player upon request, as
required by 25 CFR part 547.
[[Page 32453]]
(7) All Class II gaming equipment must comply with 25 CFR part 547,
Minimum Technical Standards for Gaming Equipment Used With the Play of
Class II Games.
(8) Dispute resolution (h) Operations.
(1) Malfunctions. Procedures must be implemented to investigate,
document and resolve malfunctions. Such procedures must address the
following:
(i) Determination of the event causing the malfunction;
(ii) Review of relevant records, game recall, reports, logs,
surveillance records;
(iii) Repair or replacement of the Class II gaming component;
(iv) Verification of the integrity of the Class II gaming component
before restoring it to operation; and
(2) Removal, Retirement and/or Destruction. Procedures must be
implemented to retire or remove any or all associated components of a
Class II gaming system from operation. Procedures must include the
following:
(i) For player interfaces and components that accept cash or cash
equivalents:
(A) Coordinate with the drop team to perform a final drop;
(B) Collect final accounting information such as meter readings,
drop, payouts, etc.;
(C) Remove and/or secure any or all associated equipment such as
locks, card reader, or ticket printer from the retired or removed
component; and
(D) Document removal, retirement, and/or destruction.
(ii) For removal of software components:
(A) Purge and/or return the software to the license holder; and
(B) Document the removal.
(iii) For other related equipment such as blowers, cards, interface
cards:
(A) Remove and/or secure equipment; and
(B) Document the removal or securing of equipment.
(iv) For all components: (A) Verify that unique identifiers, and
descriptions of removed/retired components are recorded as part of the
retirement documentation; and
(B) Coordinate with the accounting department to properly retire
the component in the system records.
(v) Where the TGRA authorizes destruction of any Class II gaming
system components, procedures must be developed to destroy such
components. Such procedures must include the following:
(A) Methods of destruction
(B) Witness or surveillance of destruction
(C) Documentation of all components destroyed; and
(D) Signatures of agent(s) destroying components attesting to
destruction.
(i) Vouchers. (1) Controls must be established and procedures
implemented to:
(i) Verify the authenticity of each voucher or coupon redeemed.
(ii) If the voucher is valid, verify that the patron is paid the
appropriate amount.
(iii) Document the payment of a claim on a voucher that is not
physically available or a voucher that cannot be validated such as a
mutilated, expired, lost, or stolen voucher.
(iv) Retain payment documentation for reconciliation purposes.
(v) For manual payment of a voucher of $500 or more, require a
supervisory employee to verify the validity of the voucher prior to
payment.
(2) Vouchers paid during a period while the voucher system is
temporarily out of operation must be marked ``paid'' by the cashier.
(3) Vouchers redeemed while the voucher system was temporarily out
of operation must be validated as expeditiously as possible upon
restored operation of the voucher system.
(4) Paid vouchers must be maintained in the cashier's
accountability for reconciliation purposes.
(5) Unredeemed vouchers can only be voided in the voucher system by
supervisory employees. The accounting department will maintain the
voided voucher, if available.
(j) All relevant controls from Sec. 543.20, Information and
Technology will apply.
(k) Revenue Audit. Standards for revenue audit of bingo are
contained in Sec. 543.24, Revenue Audit.
(l) Variance. The TGRA must establish the threshold level at which
a variance, including deviations from the mathematical expectations
required by 25 CFR 547.4, will be reviewed to determine the cause. Any
such review must be documented.
Sec. 543.9 What are the minimum internal control standards for pull
tabs?
(a) Supervision. Supervision must be provided as needed for pull
tab operations and over pull tab storage areas by an agent(s) with
authority equal to or greater than those being supervised.
(b) Pull tab inventory. Controls must be established and procedures
implemented to prevent unauthorized access, misappropriation, forgery,
theft, or fraud to pull tab inventory. Such controls must provide that:
(1) Access to pull tabs is restricted to authorized agents;
(2) The pull tab inventory is controlled by agents independent of
pull tab sales;
(3) Pull tabs exchanged between agents are secured and
independently controlled;
(4) Increases or decreases to pull tab inventory are recorded,
tracked, and reconciled; and
(5) Pull tabs must be maintained in a secure location, accessible
only to authorized agents, and with surveillance coverage adequate to
identify persons accessing the area.
(c) Pull tab sales. (1) Controls must be established and procedures
implemented to record, track, and reconcile all pull tab sales and
voids.
(2) When pull tab sales are recorded manually, total sales must be
verified by an agent independent of the pull tab sales being verified.
(3) No person may have unrestricted access to pull tab sales
records.
(d) Winning pull tabs. (1) Controls must be established and
procedures implemented to record, track, and reconcile all redeemed
pull tabs and pull tab payouts.
(2) The redeemed pull tabs must be defaced so that they cannot be
redeemed for payment again.
(3) Pull tabs that are uniquely identifiable with a machine
readable code (including, but not limited to a barcode) may be
redeemed, reconciled, and stored by kiosks without the need for
defacing, so long as the redeemed pull tabs are secured and destroyed
after removal from the kiosk in accordance with the procedures approved
by the TGRA.
(4) Winning pull tabs must be verified and paid as follows:
(i) Prize payouts of $600 or more, or a lesser amount established
by the gaming operation, must be documented and verified by at least
two agents. If an automated method of verification is available, it is
acceptable for the automated method to serve as one of the verifiers.
(ii) Prize payouts over a predetermined amount require the
signature and verification of two agents, one of whom must be a member
of supervisory or management staff independent of the pull tab
department. This predetermined amount must be authorized by management,
documented, and maintained.
(5) Total payout must be calculated and recorded by shift.
(e) Pull tab operating funds.
(1) All funds used to operate the pull tab game must be accounted
for and recorded and all transfers of cash and/or cash equivalents must
be verified.
(2) All funds used to operate the pull tab game must be
independently counted and verified by at least two agents and
reconciled to the recorded
[[Page 32454]]
amounts at the end of each shift or session.
(f) Statistical records. (1) Statistical records must be
maintained, including (for games sold in their entirety) a win-to-write
hold percentage as compared to the expected hold percentage derived
from the flare. Records must also include win and write (sales) for
each deal or type of game, for:
(i) Each shift;
(ii) Each day;
(iii) Month-to-date; and
(iv) Year-to-date or fiscal year-to-date as applicable.
(2) A manager independent of the pull tab operations must review
statistical information at least on a monthly basis and must
investigate any unusual statistical fluctuations. These investigations
must be documented, maintained for inspection, and provided to the TGRA
upon request.
(g) Revenue audit. Standards for revenue audit of pull tabs are
contained in Sec. 543.24, Revenue Audit.
(h) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.10 What are the minimum internal control standards for card
games?
(a) Supervision. Supervision must be provided as needed during the
card room operations by an agent(s) with authority equal to or greater
than those being supervised.
(1) A supervisor may function as a dealer without any other
supervision if disputes are resolved by supervisory personnel
independent of the transaction or independent of the card games
department; or
(2) A dealer may function as a supervisor if not dealing the game.
(b) Exchanges or transfers. (1) Exchanges between table banks and
the main card room bank (or cage, if a main card room bank is not used)
must be authorized by a supervisor. All exchanges must be evidenced by
the use of a lammer unless the exchange of chips, tokens, and/or cash
takes place at the table. If table banks are maintained at an imprest
level and runners are used for the exchanges at the table, no
supervisory authorization is required.
(2) Exchanges from the main card room bank (or cage, if a main card
room bank is not used) to the table banks must be verified by the card
room dealer and the runner.
(3) Transfers between the main card room bank and the cage must be
properly authorized and documented. Documentation must be retained for
at least 24 hours.
(c) Playing cards. (1) New and used playing cards must be
maintained in a secure location, with appropriate surveillance
coverage, and accessible only to authorized agents.
(2) Used playing cards that are not to be re-used must be properly
cancelled and removed from service to prevent re-use. The removal and
cancellation procedure requires TGRA review and approval.
(3) Playing cards associated with an investigation must be retained
intact and outside of the established removal and cancellation
procedure.
(d) Shill funds. (1) Issuance of shill funds must be recorded and
have the written approval of the supervisor.
(2) Returned shill funds must be recorded and verified by a
supervisor.
(3) The replenishment of shill funds must be documented.
(e) Standards for reconciliation of card room bank. Two agents--one
of whom must be a supervisory agent--must independently count the table
inventory at the opening and closing of the table and record the
following information:
(1) Date;
(2) Shift;
(3) Table number;
(4) Amount by denomination;
(5) Amount in total; and
(6) Signatures of both agents.
(f) Posted rules. The rules must be displayed or available for
patron review at the gaming operation, including rules governing
contests, prize payouts, fees, the rake collected, and the placing of
antes.
(g) Promotional Progressive Pots and Pools. (1) All funds
contributed by players into the pools must be returned when won in
accordance with the posted rules with no commission or administrative
fee withheld.
(i) The payout may be in the form of personal property, such as a
car.
(ii) A combination of a promotion and progressive pool may be
offered.
(2) The conditions for participating in current card game
promotional progressive pots, pools, and any related promotions,
including drawings and giveaway programs, must be prominently displayed
or available for customer review at the gaming operation.
(3) Individual payouts for card game promotional progressive pots,
pools and any other promotion, including related drawings and giveaway
programs, that are $600 or more must be documented at the time of the
payout to include the following:
(i) Customer's name;
(ii) Date of payout;
(iii) Dollar amount of entry payout and/or nature and dollar value
of any non-cash payout;
(iv) The signature of the agent completing the transaction
attesting to the disbursement of the payout; and
(v) Name of contest/tournament.
(4) If the cash (or cash equivalent) payout for the card game
promotional progressive pot, pool, or related promotion, including a
payout resulting from a drawing or giveaway program, is less than $600,
documentation must be created to support accountability of the bank
from which the payout was made.
(5) Rules governing current promotional pools must be conspicuously
posted in the card room and/or available in writing for customer
review. The rules must designate:
(i) The amount of funds to be contributed from each pot;
(ii) What type of hand it takes to win the pool;
(iii) How the promotional funds will be paid out;
(iv) How/when the contributed funds are added to the pools; and
(v) Amount/percentage of funds allocated to primary and secondary
pools, if applicable.
(6) Promotional pool contributions must not be placed in or near
the rake circle, in the drop box, or commingled with gaming revenue
from card games or any other gambling game.
(7) The amount of the pools must be conspicuously displayed in the
card room.
(8) At least once each day that the game is offered, the posted
pool amount must be updated to reflect the current pool amount.
(9) At least once each day that the game is offered, agents
independent of the card room must reconcile the increases to the posted
pool amount to the cash previously counted or received by the cage.
(10) All decreases to the pool must be properly documented,
including a reason for the decrease.
(11) Promotional funds removed from the card game must be placed in
a locked container.
(i) Agents authorized to transport the locked container are
precluded from having access to the contents keys.
(ii) The contents key must be maintained by a department
independent of the card room.
(iii) At least once a day, the locked container must be removed by
two agents, one of whom is independent of the card games department,
and transported directly to the cage or other secure room to be
counted, recorded, and verified, prior to accepting the funds into cage
accountability.
[[Page 32455]]
(h) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.11 [Reserved]
Sec. 543.12 What are the minimum internal control standards for
gaming promotions and player tracking systems?
(a) Supervision. Supervision must be provided as needed for gaming
promotions and player tracking by an agent(s) with authority equal to
or greater than those being supervised.
(b) Gaming promotions. The rules of the gaming promotion must be
displayed or made readily available to participants upon request.
Gaming promotions rules require TGRA approval and must include the
following:
(1) The rules of play;
(2) The nature and value of the associated prize(s) or cash
award(s);
(3) Any restrictions or limitations on participant eligibility;
(4) The date(s), time(s), and location(s) for the associated
promotional activity or activities;
(5) Any other restrictions or limitations, including any related to
the claim of prizes or cash awards;
(6) The announcement date(s), time(s), and location(s) for the
winning entry or entries; and
(7) Rules governing promotions offered across multiple gaming
operations, third party sponsored promotions, and joint promotions
involving third parties.
(c) Player tracking systems. (1) Changes to the player tracking
systems, promotional accounts, promotion and external bonusing system
parameters which control features such as the awarding of bonuses, the
issuance of cashable credits, non-cashable credits, coupons and
vouchers, must be performed under the authority of supervisory
employees, independent of the department initiating the change.
Alternatively, the changes may be performed by supervisory employees of
the department initiating the change if sufficient documentation is
generated and the propriety of the changes are randomly verified by
supervisory employees independent of the department initiating the
change on a monthly basis.
(2) All other changes to the player tracking system must be
appropriately documented.
(d) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.13 What are the minimum internal control standards for
complimentary services or items?
(a) Supervision. Supervision must be provided as needed for
approval of complimentary services by an agent(s) with authority equal
to or greater than those being supervised.
(b) Complimentary services and items include, but are not limited
to, travel, lodging, food, beverages, or entertainment expenses
provided, at the agent's discretion, directly to the patron by the
gaming operation or indirectly to patrons on behalf of the gaming
operation by a third party.
(c) Complimentary services or items. Controls must be established
and procedures implemented to prevent unauthorized access,
misappropriation, forgery, theft, or fraud. Such controls must include
procedures for the following:
(1) Authorizing agents to approve the issuance of complimentary
services or items, including levels of authorization;
(2) Limits and conditions on the approval and issuance of
complimentary services or items;
(3) Modifying conditions or limits on the approval and issuance of
complimentary services or items;
(4) Documenting and recording the authorization, issuance, and
tracking of complimentary services or items, including cash and non-
cash gifts;
(i) Complimentary issuance records must include the following for
all complimentary items and services equal to or exceeding an amount
established by the TGRA.
(A) Name of patron who received the complimentary service or item;
(B) Name(s) of issuer of the complimentary service or item;
(C) The actual cash value of the complimentary service or item;
(D) The type of complimentary service or item (food, beverage,
etc.); and
(E) Date the complimentary service or item was issued.
(ii) [Reserved].
(d) Complimentary services and items records must be summarized and
reviewed for proper authorization and compliance with established
authorization thresholds.
(1) A detailed reporting of comp transactions that meet an
established threshold approved by the TGRA must be prepared at least
monthly.
(2) The detailed report must be forwarded to management for review.
(e) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.14 What are the minimum internal control standards for
patron deposit accounts and cashless systems?
(a) Supervision. Supervision must be provided as needed for patron
deposit accounts and cashless systems by an agent(s) with authority
equal to or greater than those being supervised.
(b) Patron deposit accounts and cashless systems. (1) Controls must
be established and procedures implemented for patron deposit accounts
and cashless systems to prevent unauthorized access, misappropriation,
forgery, theft, or fraud.
(2) Smart cards cannot maintain the only source of account data.
(3) Establishment of patron deposit accounts. The following
standards apply when the patron establishes an account.
(i) The patron must appear at the gaming operation in person, at a
designated area of accountability, and present valid government issued
picture identification; and
(ii) An agent must examine the patron's identification and record
the following information:
(A) Type, number, and expiration date of the identification;
(B) Patron's name;
(C) A unique account identifier;
(D) Date the account was opened; and
(E) The agent's name.
(4) The patron must sign the account documentation before the agent
may activate the account.
(5) The agent or cashless system must provide the patron deposit
account holder with a secure method of access.
(c) Patron deposits, withdrawals and adjustments. (1) Prior to the
patron making a deposit or a withdrawal from a patron deposit account,
the agent or cashless system must verify the patron deposit account,
the patron identity, and availability of funds.
(2) Adjustments made to the patron deposit accounts must be
performed by an agent.
(3) When a deposit, withdrawal, or adjustment is processed by an
agent, a transaction record must be created containing the following
information:
(i) Same document number on all copies;
(ii) Type of transaction, (deposit, withdrawal, or adjustment);
(iii) Name or other identifier of the patron;
(iv) The unique account identifier;
(v) Patron signature for withdrawals, unless a secured method of
access is utilized;
(vi) For adjustments to the account, the reason for the adjustment;
(vii) Date and time of transaction;
(viii) Amount of transaction;
[[Page 32456]]
(ix) Nature of deposit, withdrawal, or adjustment (cash, check,
chips); and
(x) Signature of the agent processing the transaction.
(4) When a patron deposits or withdraws funds from a patron deposit
account electronically, the following must be recorded:
(i) Date and time of transaction;
(ii) Location (player interface, kiosk);
(iii) Type of transaction (deposit, withdrawal);
(iv) Amount of transaction; and
(v) The unique account identifier.
(5) Patron deposit account transaction records must be available to
the patron upon reasonable request.
(6) If electronic funds transfers are made to or from a gaming
operation bank account for patron deposit account funds, the bank
account must be dedicated and may not be used for any other types of
transactions.
(d) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.15 What are the minimum internal control standards for lines
of credit?
(a) Supervision. Supervision must be provided as needed for lines
of credit by an agent(s) with authority equal to or greater than those
being supervised.
(b) Establishment of Lines of Credit Policy. (1) If a gaming
operation extends lines of credit, controls must be established and
procedures implemented to safeguard the assets of the gaming operation.
Such controls must include a lines of credit policy including the
following:
(i) A process for the patron to apply for, modify, and/or re-
establish lines of credit, to include required documentation and credit
line limit;
(ii) Authorization levels of credit issuer(s);
(iii) Identification of agents authorized to issue lines of credit;
(iv) A process for verifying an applicant's credit worthiness;
(v) A system for recording patron information; to include:
(A) Name, current address, and signature;
(B) Identification credential;
(C) Authorized credit line limit;
(D) Documented approval by an agent authorized to approve credit
line limits;
(E) Date, time and amount of credit issuances and payments; and
(F) Amount of available credit.
(vi) A process for issuing lines of credit to include the
following:
(A) Verifying the patron's identity;
(B) Notifying the patron of the lines of credit terms, including
obtaining patron's written acknowledgment of the terms by signature;
(C) Completing a uniquely identified, multi-part, lines of credit
issuance form, such as a marker or counter check, which includes the
terms of the lines of credit transaction;
(D) Obtaining required signatures;
(E) Determining the amount of the patron's available lines of
credit;
(F) Updating the credit balance record at the time of each
transaction to assure that lines of credit issued are within the
established limit and balance for that patron; and
(G) Requiring the agent issuing the lines of credit to be
independent of the agent who authorized the lines of credit.
(vii) A policy establishing credit line limit exceptions to include
the following:
(A) Identification of the agent(s) authorized to permit a credit
line limit to be exceeded;
(B) Authorization thresholds; and
(C) Required documentation.
(viii) A policy governing increases and decreases to a patron's
lines of credit account balances to include the following:
(A) Documentation and record keeping requirements;
(B) Independence between the department that receives the payment
and the department that maintains custody of the credit balance for
payments made by mail;
(C) Collections;
(D) Periodic audits and confirmation of balances; and
(E) If a collection agency is used, a process to ensure
documentation of increases and decreases to the lines of credit account
balances.
(ix) A policy governing write-offs and settlements to include:
(A) Identification of agent(s) authorized to approve write-offs and
settlements;
(B) Authorization levels for write-offs and settlements of lines of
credit instruments;
(C) Required documentation for write-offs and settlements;
(D) Independence between the agent who established the lines of
credit and the agent writing off or settling the lines of credit
instrument.
(E) Necessary documentation for the approval of write-offs and
settlements and transmittal to the appropriate department for recording
and deductibility.
(c) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.16 [Reserved]
Sec. 543.17 What are the minimum internal control standards for drop
and count?
(a) Supervision. Supervision must be provided for drop and count as
needed by an agent(s) with authority equal to or greater than those
being supervised.
(b) Count Room Access. Controls must be established and procedures
implemented to limit physical access to the count room to count team
agents, designated staff, and other authorized persons. Such controls
must include the following:
(1) Count team agents may not exit or enter the count room during
the count except for emergencies or scheduled breaks.
(2) Surveillance must be notified whenever count room agents exit
or enter the count room during the count.
(3) The count team policy, at a minimum, must address the
transportation of extraneous items such as personal belongings, tool
boxes, beverage containers, etc., into or out of the count room.
(c) Count team. Controls must be established and procedures
implemented to ensure security of the count and the count room to
prevent unauthorized access, misappropriation of funds, forgery, theft,
or fraud. Such controls must include the following:
(1) For Tier A and B operations, all counts must be performed by at
least two agents. For Tier C operations, all counts must be performed
by at least three agents.
(2) For Tier A and B operations, at no time during the count can
there be fewer than two count team agents in the count room until the
drop proceeds have been accepted into cage/vault accountability. For
Tier C operations, at no time during the count can there be fewer than
three count team agents in the count room until the drop proceeds have
been accepted into cage/vault accountability.
(3) For Tier A and B operations, count team agents must be rotated
on a routine basis such that the count team is not consistently the
same two agents more than four days per week. This standard does not
apply to gaming operations that utilize a count team of more than two
agents. For Tier C operations, count team agents must be rotated on a
routine basis such that the count team is not consistently the same
three agents more than four days per week. This standard does not apply
to gaming operations that utilize a count team of more than three
agents.
(4) Functions performed by count team agents must be rotated on a
routine basis.
(5) Count team agents must be independent of the department being
[[Page 32457]]
counted and the cage/vault departments. An accounting agent may be used
if there is an independent audit of all count documentation.
(d) Card game drop standards. Controls must be established and
procedures implemented to ensure security of the drop process to
prevent unauthorized access to gaming equipment and the drop,
misappropriation of funds, forgery, theft, or fraud. Such controls must
include the following:
(1) Surveillance must be notified when the drop is to begin so that
surveillance may monitor the activities.
(2) Once the drop is started, it must continue until finished.
(3) At the end of each shift:
(i) All locked card game drop boxes must be removed from the tables
by an agent independent of the card game shift being dropped;
(ii) For any tables opened during the shift, a separate drop box
must be placed on each table, or a gaming operation may utilize a
single drop box with separate openings and compartments for each shift;
and
(iii) Card game drop boxes must be transported directly to the
count room or other equivalently secure area by a minimum of two
agents, at least one of whom is independent of the card game shift
being dropped, until the count takes place.
(4) Document which tables were not open during a shift and
therefore not part of the drop.
(5) All card game drop boxes must be posted with a number
corresponding to a permanent number on the gaming table and marked to
indicate game, table number, and shift, if applicable.
(e) Player interface and financial instrument drop standards.
(1) Surveillance must be notified when the drop is to begin so that
surveillance may monitor the activities. The player interface financial
instrument storage component drop begins when the first financial
instrument storage component is removed.
(2) A minimum of two individuals must be involved in the removal of
the player interface storage component drop, at least one of whom is
independent of the player interface department.
(3) All financial instrument storage components may be removed only
at the time previously designated by the gaming operation and reported
to the TGRA. If an emergency drop is required, surveillance must be
notified before the drop is conducted and the TGRA must be informed
within a timeframe approved by the TGRA.
(4) The financial instrument storage components must be removed by
an agent independent of the player interface department, then
transported directly to the count room or other equivalently secure
area with comparable controls and locked in a secure manner until the
count takes place.
(i) Security must be provided for the financial instrument storage
components removed from the player interfaces and awaiting transport to
the count room.
(ii) Transportation of financial instrument storage components must
be performed by a minimum of two agents, at least one of whom is
independent of the player interface department.
(5) All financial instrument storage components must be posted with
a number corresponding to a permanent number on the player interface.
(f) Card game count standards. (1) Access to stored, full card game
drop boxes must be restricted to authorized members of the drop and
count teams.
(2) The card game count must be performed in a soft count room or
other equivalently secure area with comparable controls.
(3) Access to the count room during the count must be restricted to
members of the drop and count teams, with the exception of authorized
observers, supervisors for resolution of problems, and authorized
maintenance personnel.
(4) If counts from various revenue centers occur simultaneously in
the count room, procedures must be in effect to prevent the commingling
of funds from different revenue centers.
(5) Count equipment and systems must be tested, with the results
documented, at minimum before the first count begins to ensure the
accuracy of the equipment.
(6) The card game drop boxes must be individually emptied and
counted so as to prevent the commingling of funds between boxes until
the count of the box has been recorded.
(i) The count of each box must be recorded in ink or other
permanent form of recordation.
(ii) For counts that do not utilize a currency counter, a second
count must be performed by a member of the count team who did not
perform the initial count. Separate counts of chips and tokens must
always be performed by members of the count team.
(iii) Coupons or other promotional items not included in gross
revenue must be recorded on a supplemental document by either the count
team members or accounting personnel. All single-use coupons must be
cancelled daily by an authorized agent to prevent improper
recirculation.
(iv) If a currency counter interface is used:
(A) It must be adequately restricted to prevent unauthorized
access; and
(B) The currency drop figures must be transferred via direct
communications line or computer storage media to the accounting
department.
(7) If currency counters are utilized, a count team member must
observe the loading and unloading of all currency at the currency
counter, including rejected currency.
(8) Two counts of the currency rejected by the currency counter
must be recorded per table, as well as in total. Posting rejected
currency to a nonexistent table is prohibited.
(9) Card game drop boxes, when empty, must be shown to another
member of the count team, to another agent observing the count, or to
surveillance, provided that the count is monitored in its entirety by
an agent independent of the count.
(10) Procedures must be implemented to ensure that any corrections
to the count documentation are permanent, identifiable and that the
original, corrected information remains legible. Corrections must be
verified by two count team agents.
(11) The count sheet must be reconciled to the total drop by a
count team member who may not function as the sole recorder, and
variances must be reconciled and documented.
(12) All count team agents must sign the report attesting to their
participation in the count.
(13) A final verification of the total drop proceeds, before
transfer to cage/vault, must be performed by at least two agents, one
of whom is a supervisory count team member, and one a count team agent.
(i) Final verification must include a comparison of currency
counted totals against the currency counter/system report, if any
counter/system is used.
(ii) Any unresolved variances must be documented, and the
documentation must remain part of the final count record forwarded to
accounting.
(iii) This verification does not require a complete recount of the
drop proceeds, but does require a review sufficient to verify the total
drop proceeds being transferred.
(iv) The two agents must sign the report attesting to the accuracy
of the total drop proceeds verified.
(v) All drop proceeds and cash equivalents that were counted must
be submitted to the cage or vault cashier (who must be independent of
the count team) or to an agent independent of the
[[Page 32458]]
revenue generation source and the count process for verification. The
cashier or agent must certify, by signature, the amount of the drop
proceeds delivered and received. Any unresolved variances must be
reconciled, documented, and/or investigated by accounting/revenue
audit.
(14) After certification by the receiver of the funds, the drop
proceeds must be transferred to the cage/vault.
(i) The count documentation and records must not be transferred to
the cage/vault with the drop proceeds.
(ii) The cage/vault agent must have no knowledge or record of the
drop proceeds total before it is verified.
(iii) All count records must be forwarded to accounting or
adequately secured and accessible only by accounting agents.
(iv) The cage/vault agent receiving the transferred drop proceeds
must sign the report attesting to the verification of the total
received.
(v) Any unresolved variances between total drop proceeds recorded
on the count room report and the cage/vault final verification during
transfer must be documented and investigated.
(15) The count sheet, with all supporting documents, must be
delivered to the accounting department by a count team member or an
agent independent of the cashiers department. Alternatively, it may be
adequately secured so that it is only accessible to accounting agents.
(16) The cage/vault agent must sign the count sheet, or other
reconciling document, and thereby assume accountability of the currency
drop proceeds, ending the count.
(g) Player interface financial instrument count standards.
(1) Access to stored full financial instrument storage components
must be restricted to:
(i) Authorized members of the drop and count teams; and
(ii) In an emergency, authorized persons for the resolution of a
problem.
(2) The player interface financial instrument count must be
performed in a count room or other equivalently secure area with
comparable controls.
(3) Access to the count room during the count must be restricted to
members of the drop and count teams, with the exception of authorized
observers, supervisors for resolution of problems, and authorized
maintenance personnel.
(4) If counts from various revenue centers occur simultaneously in
the count room, procedures must be in effect that prevent the
commingling of funds from different revenue centers.
(5) The count team must not have access to bill-in meter amounts
until after the count is completed and the drop proceeds are accepted
into the cage/vault accountability.
(6) Count equipment and systems must be tested, with the results
documented, at minimum before the first count begins, to ensure the
accuracy of the equipment.
(7) If a currency counter interface is used:
(i) It must be adequately restricted to prevent unauthorized
access; and
(ii) The currency drop figures must be transferred via direct
communications line or computer storage media to the accounting
department.
(8) The financial instrument storage components must be
individually emptied and counted so as to prevent the commingling of
funds between storage components until the count of the storage
component has been recorded.
(i) The count of each storage component must be recorded in ink or
other permanent form of recordation.
(ii) Coupons or other promotional items not included in gross
revenue may be recorded on a supplemental document by the count team
members or accounting personnel. All single-use coupons must be
cancelled daily by an authorized agent to prevent improper
recirculation.
(9) If currency counters are utilized, a count team member must
observe the loading and unloading of all currency at the currency
counter, including rejected currency.
(10) Two counts of the currency rejected by the currency counter
must be recorded per interface terminal as well as in total. Rejected
currency must be posted to the interface terminal from which it was
collected.
(11) Storage components, when empty, must be shown to another
member of the count team, to another agent who is observing the count,
or to surveillance, provided that the count is monitored in its
entirety by an agent independent of the count.
(12) Procedures must be implemented to ensure that any corrections
to the count documentation are permanent, identifiable and the
original, corrected information remains legible. Corrections must be
verified by two count team agents.
(13) The count sheet must be reconciled to the total drop by a
count team member who may not function as the sole recorder, and
variances must be reconciled and documented. This standard does not
apply to vouchers removed from the financial instrument storage
components.
(14) All count team agents must sign the report attesting to their
participation in the count.
(15) A final verification of the total drop proceeds, before
transfer to cage/vault, must be performed by at least two agents, one
of whom is a supervisory count team member and the other a count team
agent.
(i) Final verification must include a comparison of currency
counted totals against the currency counter/system report, if a
counter/system is used.
(ii) Any unresolved variances must be documented and the
documentation must remain a part of the final count record forwarded to
accounting.
(iii) This verification does not require a complete recount of the
drop proceeds but does require a review sufficient to verify the total
drop proceeds being transferred.
(iv) The two agents must sign the report attesting to the accuracy
of the total drop proceeds verified.
(v) All drop proceeds and cash equivalents that were counted must
be turned over to the cage or vault cashier (who must be independent of
the count team) or to an agent independent of the revenue generation
and the count process for verification. Such cashier or agent must
certify, by signature, the amount of the drop proceeds delivered and
received. Any unresolved variances must be reconciled, documented, and/
or investigated by accounting/revenue audit.
(16) After certification by the recipient of the funds, the drop
proceeds must be transferred to the cage/vault.
(i) The count documentation and records must not be transferred to
the cage/vault with the drop proceeds.
(ii) The cage/vault agent may have no knowledge or record of the
drop proceeds total before it is verified.
(iii) All count records must be forwarded to accounting adequately
secured and accessible only by accounting agents.
(iv) The cage/vault agent receiving the transferred drop proceeds
must sign the report attesting to the verification of the total
received.
(v) Any unresolved variances between total drop proceeds recorded
on the count room report and the cage/vault final verification during
transfer must be documented and investigated.
(17) The cage/vault agent must sign the count sheet, or other
reconciling document, thereby assuming accountability of the currency
drop proceeds, and ending the count.
(18) The count sheet, with all supporting documents, must be
delivered to the accounting department
[[Page 32459]]
by a count team member or agent independent of the cashiers department.
Alternatively, it may be adequately secured and accessible only by
accounting department.
(h) Controlled keys. Controls must be established and procedures
implemented to safeguard the use, access, and security of keys in
accordance with the following:
(1) Each of the following requires a separate and unique key lock
or alternative secure access method:
(i) Drop cabinet;
(ii) Drop box release;
(iii) Drop box content; and
(iv) Storage racks and carts used for the drop.
(2) Access to and return of keys or equivalents must be documented
with the date, time, and signature or other unique identifier of the
agent accessing or returning the key(s).
(i) For Tier A and B operations, at least two (2) drop team agents
are required to be present to access and return keys. For Tier C
operations, at least three (3) drop team agents are required to be
present to access and return keys.
(ii) For Tier A and B operations, at least two (2) count team
agents are required to be present at the time count room and other
count keys are issued for the count. For Tier C operations, at least
three (two for card game drop box keys in operations with three tables
or fewer) count team agents are required to be present at the time
count room and other count keys are issued for the count.
(3) Documentation of all keys, including duplicates, must be
maintained, including:
(i) Unique identifier for each individual key;
(ii) Key storage location;
(iii) Number of keys made, duplicated, and destroyed; and
(iv) Authorization and access.
(4) Custody of all keys involved in the drop and count must be
maintained by a department independent of the count and the drop agents
as well as those departments being dropped and counted.
(5) Other than the count team, no agent may have access to the drop
box content keys while in possession of storage rack keys and/or
release keys.
(6) Other than the count team, only agents authorized to remove
drop boxes are allowed access to drop box release keys.
(7) Any use of keys at times other than the scheduled drop and
count must be properly authorized and documented.
(8) Emergency manual keys, such as an override key, for
computerized, electronic, and alternative key systems must be
maintained in accordance with the following:
(i) Access to the emergency manual key(s) used to access the box
containing the player interface drop and count keys requires the
physical involvement of at least three agents from separate
departments, including management. The date, time, and reason for
access, must be documented with the signatures of all participating
persons signing out/in the emergency manual key(s);
(ii) The custody of the emergency manual keys requires the presence
of two agents from separate departments from the time of their issuance
until the time of their return; and
(iii) Routine physical maintenance that requires access to the
emergency manual key(s), and does not involve accessing the player
interface drop and count keys, only requires the presence of two agents
from separate departments. The date, time, and reason for access must
be documented with the signatures of all participating agents signing
out/in the emergency manual key(s).
(i) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.18 What are the minimum internal control standards for the
cage, vault, kiosk, cash and cash equivalents?
(a) Supervision. Supervision must be provided as needed for cage,
vault, kiosk, and other operations using cash or cash equivalents by an
agent(s) with authority equal to or greater than those being
supervised.
(b) Cash and cash equivalents. Controls must be established and
procedures implemented to prevent unauthorized access,
misappropriation, forgery, theft, or fraud.
(c) Personal checks, cashier's checks, traveler's checks, payroll
checks, and counter checks.
(1) If personal checks, cashier's checks, traveler's checks,
payroll checks or counter checks are cashed at the cage, the controls
must provide for security and integrity. For each check cashing
transaction, the agent(s) conducting the transaction must:
(i) Verify the patron's identity;
(ii) Examine the check to ensure it includes the patron's name,
current address, and signature;
(iii) For personal checks, verify the patron's check cashing
authority and record the source and results in accordance with
management policy;
(iv) If a check guarantee service is used to guarantee the
transaction and the procedures required by the check guarantee service
are followed, then the above requirements do not apply.
(2) When counter checks are issued, the following must be included
on the check:
(i) The patron's name and signature;
(ii) The dollar amount of the counter check;
(iii) Patron's bank name, bank routing, and account numbers;
(iv) Date of issuance; and
(v) Signature of the agent approving the counter check transaction.
(3) Personal checks, payroll checks, and counter checks that are
not deposited in the normal course of business, as established by
management, (held checks) are subject to Sec. 543.15 credit standards.
(4) When traveler's checks or other guaranteed drafts, such as
cashier's checks, are presented, the cashier must comply with the
examination and documentation procedures as required by the issuer.
(5) If a third party check cashing or guarantee service is used,
the examination and documentation procedures required by the service
provider apply, unless otherwise provided by tribal law or regulation.
(d) Cage and vault accountability. (1) All transactions that flow
through the cage must be summarized for each work shift of the cage and
must be supported by documentation.
(2) Increases and decreases to the total cage inventory must be
verified, supported by documentation, and recorded. For any individual
increase/decrease that exceeds $100, documentation must include the
date and shift, the purpose of the increase/decrease, the agent(s)
completing the transaction, and the person or department receiving the
cage funds (for decreases only).
(3) The cage and vault inventories (including coin rooms/vaults)
must be counted independently by at least two agents, attested to by
signature, and recorded in ink or other permanent form at the end of
each shift during which the activity took place. These agents must make
individual counts to compare for accuracy and maintain individual
accountability. All discrepancies must be noted and investigated.
(4) The gaming operation must establish and comply with a minimum
bankroll formula to ensure the gaming operation maintains cash or cash
equivalents (on hand and in the bank, if readily accessible) in an
amount sufficient to satisfy obligations to the gaming operation's
patrons as they are incurred.
[[Page 32460]]
(e) Kiosks. (1) Kiosks shall be maintained on an imprest basis on
the cage accountability and shall be counted independently by at least
two agents and reconciled each time the kiosk is reimpressed.
(2) Currency cassettes shall be imprest by an agent and verified
independently by at least one agent, both of whom shall sign each
cassette.
(3) Imprest cassettes shall be secured with a lock or tamper
resistant seal and, if not placed inside a kiosk, shall be stored in a
secured area of the cage/vault.
(4) The TGRA or the gaming operation, subject to the approval of
the TGRA, shall develop and implement security controls over the
kiosks, i.e. forced entry, evidence of any entry, and protection of
circuit boards containing programs.
(5) With regard to cashless systems, the TGRA or the gaming
operation, subject to the approval of the TGRA, shall develop and
implement procedures to ensure that communications between the kiosk
and system are secure and functioning.
(6) Kiosks or equipment associated therewith must be capable of
producing the following reports upon demand:
(i) Recap of the disposition of wagering instruments accepted,
which must be available by reconciliation period (day, shift or drop
cycle); and
(ii) Reconciliation report that includes the current cash balance,
current balance of the wagering instruments by dollar amount and by
number of items and the reconciliation period date and time.
(f) Patron deposited funds. If a gaming operation permits a patron
to deposit funds for safekeeping and/or front money purposes with the
gaming operation at the cage, and when transfers of patron deposited
funds are transferred to a gaming area for wagering purposes, the
following standards apply:
(1) The receipt or withdrawal of a patron deposit must be
documented, with a copy given to the patron and a copy remaining in the
cage.
(2) Both copies of the document of receipt or withdrawal must
contain the following information:
(i) Same receipt number on each copy;
(ii) Patron's name and signature;
(iii) Date of receipt and withdrawal;
(iv) Dollar amount of deposit/withdrawal (for foreign currency
transactions include the US dollar equivalent, the name of the foreign
country, and the amount of the foreign currency by denomination);
(v) Nature of deposit/withdrawal; and
(vi) Name and signature of the agent who conducted the transaction.
(3) The following procedures must be established and complied with
for front money deposits:
(i) Maintaining a detailed record by patron name and date of all
funds on deposit;
(ii) Maintaining a current balance of all patron deposits that are
in the cage/vault inventory or accountability; and
(iii) Reconciling this current balance with the deposits and
withdrawals at least daily.
(g) Promotional payments, drawings, and giveaway programs. The
following procedures must apply to any payment resulting from a
promotional payment, drawing, or giveaway program disbursed by the cage
department or any other department. This section does not apply to
programs that are addressed elsewhere in this part.
(1) Payments that are less than $100 must be documented to support
the cage accountability.
(2) Payments of $100 or more must be documented at the time of the
payment, and documentation must include the following:
(i) Date and time;
(ii) Dollar amount of payment or description of personal property;
(iii) Reason for payment; and
(iv) Patron's name (drawings only).
(v) Signature(s) of at least two agents verifying, authorizing, and
completing the promotional payment with the patron, except for
computerized systems that validate and print the dollar amount of the
payment on a computer generated form, only one signature is required.
(h) Chip(s) and token(s). Controls must be established and
procedures implemented to ensure accountability of chip and token
inventory. Such controls must include, but are not limited to, the
following:
(1) Purchase;
(2) Receipt;
(3) Inventory;
(4) Storage; and
(5) Destruction.
(i) Cage and vault access. Controls must be established and
procedures implemented to prevent unauthorized access,
misappropriation, forgery, or fraud. Such controls must include the
following:
(1) Restricting physical access to the cage to cage department
agents, designated staff, and other authorized persons; and
(2) Limiting transportation of extraneous items such as personal
belongings, tool boxes, beverage containers, etc., into and out of the
cage.
(j) Variances. The TGRA must establish the threshold level at which
a variance must be reviewed to determine the cause. Any such review
must be documented.
Sec. 543.19 [Reserved]
Sec. 543.20 What are the minimum internal control standards for
information technology and information technology data?
(a) Supervision.
(1) Controls must identify the supervisory agent in the department
or area responsible for ensuring that the department or area is
operating in accordance with established policies and procedures.
(2) The supervisory agent must be independent of the operation of
Class II games.
(3) Controls must ensure that duties are adequately segregated and
monitored to detect procedural errors and to prevent the concealment of
fraud.
(4) Internal controls must require that all personnel having access
to Class II gaming systems have no signatory authority over financial
instruments and payout forms, and are independent of and restricted
from access to:
(i) Financial instruments; and
(ii) Accounting, audit, and ledger entries.
(b) As used in this section only, a system is any computerized
system that is essential to the gaming environment. This includes, but
is not limited to, the server and peripherals for Class II gaming
system, accounting, surveillance, essential phone system, and door
access and warning systems.
(c) Class II gaming systems' logical and physical controls.
Controls must be established and procedures implemented to ensure
adequate:
(1) Control of physical and logical access to the information
technology environment, including accounting, voucher, cashless and
player tracking, among others used in conjunction with Class II gaming;
(2) Physical and logical protection of storage media and its
contents, including recovery procedures;
(3) Access credential control methods;
(4) Record keeping and audit processes; and
(5) Departmental independence, including, but not limited to, means
to restrict agents that have access to information technology from
having access to financial instruments.
(d) Independence. All agents having access to the Class II
information technology environment and/or data are independent of and
restricted from access to:
(1) Financial instruments;
(2) Signatory authority over financial instruments and payouts
forms; and
(3) Accounting, audit, and ledger entries.
[[Page 32461]]
(e) Physical security. (1) Internal controls must require that the
information technology environment and infrastructure be maintained in
a secured physical location such that access is restricted to
authorized agents only.
(2) Access devices to the systems' secured physical location, such
as keys, cards, or fobs, must be controlled by an independent agent.
(3) Access to the systems' secured physical location must be
restricted to agents in accordance with established policies and
procedures, which must include maintaining and updating a record of
agents granted access privileges.
(4) Communications to and from Network Communication Equipment must
be physically secured from unauthorized access.
(f) Logical security. (1) Security standards and procedures must be
designed and implemented to protect all systems and to ensure that
access to the following is restricted and secured:
(i) Systems' software and application programs;
(ii) Data associated with Class II gaming; and
(iii) Communications facilities, systems, and information
transmissions associated with Class II gaming systems.
(2) Unused services and non-essential ports must be disabled
whenever possible.
(3) Procedures must be implemented to ensure that all activity
performed on systems is restricted and secured from unauthorized
access, and logged.
(4) Communications to and from systems via Network Communication
Equipment must be logically secured from unauthorized access.
(g) User controls.(1) Systems, including application software, must
be secured with passwords or other means for authorizing access.
(2) Management personnel or agents independent of the department
being controlled must assign and control access to system functions.
(3) Access credentials such as passwords, PINs, or cards must be
controlled as follows:
(i) Each user must have his or her own individual access
credential;
(ii) Access credentials must be changed at an established interval
approved by the TGRA; and
(iii) Access credential records must be maintained either manually
or by systems that automatically record access changes and force access
credential changes, including the following information for each user:
(A) User's name;
(B) Date the user was given access and/or password change; and
(C) Description of the access rights assigned to user.
(4) Lost or compromised access credentials must be deactivated,
secured or destroyed within an established time period approved by the
TGRA.
(5) Access credentials of terminated users must be deactivated
within an established time period approved by the TGRA.
(6) Only authorized agents may have access to inactive or closed
accounts of other users, such as player tracking accounts and
terminated user accounts.
(h) Installations and/or modifications. (1) Only TGRA authorized or
approved systems and modifications may be installed.
(2) Records must be kept of all new installations and/or
modifications to Class II gaming systems. These records must include,
at a minimum:
(i) The date of the installation or change;
(ii) The nature of the installation or change such as new software,
server repair, significant configuration changes;
(iii) Evidence of verification that the installation or the changes
are approved; and
(iv) The identity of the agent(s) performing the installation/
modification.
(3) Documentation must be maintained, such as manuals, user guides,
describing the systems in use and the operation, including hardware.
(i) Remote access. (1) Agents may be granted remote access for
system support, provided that each access session is documented and
maintained at the place of authorization. The documentation must
include:
(i) Name of agent authorizing the access;
(ii) Name of agent accessing the system;
(iii) Verification of the agent's authorization;
(iv) Reason for remote access;
(v) Description of work to be performed;
(vi) Date and time of start of end-user remote access session; and
(vii) Date and time of conclusion of end-user remote access
session.
(2) All remote access must be performed via a secured method.
(j) Incident monitoring and reporting. (1) Documented procedures
must be implemented for responding to, monitoring, investigating,
resolving, documenting, and reporting security incidents associated
with information technology systems.
(2) All security incidents must be responded to within an
established time period approved by the TGRA and formally documented.
(k) Data backups. (1) Controls must include adequate backup,
including, but not limited to, the following:
(i) Daily data backup of critical information technology systems;
(ii) Data backup of critical programs or the ability to reinstall
the exact programs as needed;
(iii) Secured storage of all backup data files and programs, or
other adequate protection;
(iv) Mirrored or redundant data source; and
(v) Redundant and/or backup hardware.
(2) Controls must include recovery procedures, including, but not
limited to, the following:
(i) Data backup restoration;
(ii) Program restoration; and
(iii) Redundant or backup hardware restoration.
(3) Recovery procedures must be tested on a sample basis at
specified intervals at least annually. Results must be documented.
(4) Backup data files and recovery components must be managed with
at least the same level of security and access controls as the system
for which they are designed to support.
(l) Software downloads. Downloads, either automatic or manual, must
be performed in accordance with 25 CFR 547.12.
(m) Verifying downloads. Following download of any game software,
the Class II gaming system must verify the downloaded software using a
software signature verification method. Using any method it deems
appropriate, the TGRA must confirm the verification.
Sec. 543.21 What are the minimum internal control standards for
surveillance?
(a) Supervision. Supervision must be provided as needed for
surveillance by an agent(s) with authority equal to or greater than
those being supervised.
(b) Surveillance equipment and control room(s). Controls must be
established and procedures implemented to prevent unauthorized access
and/or activities, misappropriation, forgery, theft, or fraud. Such
controls must include the following:
(1) For Tier A, the surveillance system must be maintained and
operated from a secured location, such as a locked cabinet. For Tier B
and C, the surveillance system must be maintained and operated from a
staffed surveillance operation room(s).
(2) The surveillance operation room(s) must be secured to prevent
unauthorized entry.
(3) Access to the surveillance operation room(s) must be limited to
[[Page 32462]]
surveillance agents and other authorized persons.
(4) Surveillance operation room(s) access logs must be maintained.
(5) Surveillance operation room equipment must have total override
capability over all other satellite surveillance equipment located
outside the surveillance operation room.
(6) Power loss to the surveillance system.
(i) For Tier A, in the event of power loss to the surveillance
system, alternative security procedures, such as additional supervisory
or security agents, must be implemented immediately.
(ii) For Tier B and C, in the event of power loss to the
surveillance system, an auxiliary or backup power source must be
available and capable of providing immediate restoration of power to
the surveillance system to ensure that surveillance agents can observe
all areas covered by dedicated cameras.
(7) The surveillance system must record an accurate date and time
stamp on recorded events. The displayed date and time must not
significantly obstruct the recorded view.
(8) All surveillance agents must be trained in the use of the
equipment, games, and house rules.
(9) Each camera required by the standards in this section must be
installed in a manner that will prevent it from being readily
obstructed, tampered with, or disabled.
(10) The surveillance system must:
(i) Have the capability to display all camera views on a monitor;
(ii) Include sufficient numbers of recording devices to record the
views of all cameras required by this section;
(iii) Record all camera views; and
(iv) For Tier B and C only, include sufficient numbers of monitors
to simultaneously display gaming and count room activities.
(11) A periodic inspection of the surveillance systems must be
conducted. When a malfunction of the surveillance system is discovered,
the malfunction and necessary repairs must be documented and repairs
initiated within seventy-two (72) hours.
(i) If a dedicated camera malfunctions, alternative security
procedures, such as additional supervisory or security agents, must be
implemented immediately.
(ii) The TGRA must be notified of any surveillance system and/or
camera(s) that have malfunctioned for more than twenty-four (24) hours
and the alternative security measures being implemented.
(c) Additional surveillance requirements. With regard to the
following functions, controls must also include:
(1) Surveillance of the jackpot meter for Class II gaming systems:
(2) Manual bingo: (i) For manual draws, the surveillance system
must monitor the bingo ball drawing device or mechanical random number
generator, which must be recorded during the course of the draw by a
dedicated camera to identify the numbers or other designations drawn;
and
(ii) The surveillance system must monitor and record the activities
of the bingo game, including drawing, calling, and entering the balls,
numbers or other designations drawn.
(3) Card games: (i) Except for card game tournaments, a dedicated
camera(s) with sufficient clarity must be used to provide:
(A) An overview of the activities on each card table surface,
including card faces and cash and/or cash equivalents;
(B) An overview of card game activities, including patrons and
dealers; and
(C) An unobstructed view of all posted progressive pool amounts.
(ii) For card game tournaments, a dedicated camera(s) must be used
to provide an overview of tournament activities, including entrances/
exits and any area where cash or cash equivalents are exchanged.
(4) Cage and vault: (i) The surveillance system must monitor and
record a general overview of activities occurring in each cage and
vault area with sufficient clarity to identify individuals within the
cage and patrons and staff members at the counter areas and to confirm
the amount of each cash transaction;
(ii) Each cashier station must be equipped with one (1) dedicated
overhead camera covering the transaction area; and
(iii) The cage or vault area in which fill and credit transactions
occur must be monitored and recorded by a dedicated camera or motion
activated dedicated camera that provides coverage with sufficient
clarity to identify the chip values and the amounts on the fill and
credit slips. Controls provided by a computerized fill and credit
system constitute an adequate alternative to viewing the amounts on the
fill and credit slips.
(5) Count rooms: (i) The surveillance system must monitor and
record with sufficient clarity a general overview of all areas where
currency or coin may be stored or counted; and
(ii) The surveillance system must provide coverage of scales of
sufficient clarity to view any attempted manipulation of the recorded
data.
(d) Reporting Requirements. TGRA-approved procedures must be
implemented for reporting suspected crimes and suspicious activity.
(e) Recording Retention. Controls must be established and
procedures implemented that include the following:
(1) All recordings required by this section must be retained for a
minimum of seven days; and
(2) Suspected crimes, suspicious activity, or detentions by
security personnel discovered within the initial retention period must
be copied and retained for a time period, not less than one year.
(f) Logs. Logs must be maintained and demonstrate the following:
(1) Compliance with the storage, identification, and retention
standards required in this section;
(2) Each malfunction and repair of the surveillance system as
defined in this section; and
(3) Activities performed by surveillance agents.
Sec. 543.22 [Reserved]
Sec. 543.23 What are the minimum internal control standards for audit
and accounting?
(a) Conflicts of standards. When establishing SICS, the gaming
operation should review, and consider incorporating, other external
standards such as GAAP, GAAS, and standards promulgated by GASB and
FASB. In the event of a conflict between the MICS and the incorporated
external standards, the external standards prevail.
(b) Accounting. Controls must be established and procedures
implemented to safeguard assets and ensure each gaming operation:
(1) Prepares accurate, complete, legible, and permanent records of
all transactions pertaining to gaming revenue and activities for
operational accountability.
(2) Prepares general accounting records on a double-entry system of
accounting, maintaining detailed, supporting, subsidiary records, and
ensures the following activities are performed:
(i) Record gaming activity transactions in an accounting system to
identify and track all revenues, expenses, assets, liabilities, and
equity;
(ii) Record all markers, IOU's, returned checks, held checks, or
other similar credit instruments;
(iii) Record journal entries prepared by the gaming operation and
by its independent accountants;
(iv) Prepare income statements and balance sheets;
[[Page 32463]]
(v) Prepare appropriate subsidiary ledgers to support the balance
sheet;
(vi) Prepare, review, and maintain accurate financial statements;
(viii) Prepare transactions in accordance with management's general
and specific authorization only;
(ix) Record transactions to facilitate proper recording of gaming
revenue and fees, and to maintain accountability of assets;
(x) Compare recorded accountability for assets to actual assets at
periodic intervals, and take appropriate action with respect to any
discrepancies;
(xi) Segregate functions, duties, and responsibilities in
accordance with sound business practices;
(xii) Prepare minimum bankroll calculations; and
(xiii) Maintain and preserve all financial records and relevant
supporting documentation.
(c) Internal audit. Controls must be established and procedures
implemented to ensure that:
(1) Internal auditor(s) perform audits of each department of a
gaming operation, at least annually, to review compliance with TICS,
SICS, and these MICS, which include at least the following areas:
(i) Bingo, including supervision, bingo cards, bingo card sales,
draw, prize payout; cash and equivalent controls, technological aids to
the play of bingo, operations, vouchers, and revenue audit procedures;
(ii) Pull tabs, including, supervision, pull tab inventory, pull
tab sales, winning pull tabs, pull tab operating funds, statistical
records, and revenue audit procedures;
(iii) Card games, including supervision, exchange or transfers,
playing cards, shill funds, reconciliation of card room bank, posted
rules, and promotional progressive pots and pools;
(iv) Gaming promotions and player tracking procedures, including
supervision, gaming promotion rules and player tracking systems;
(v) Complimentary services or items, including procedures for
issuing, authorizing, redeeming, and reporting complimentary service
items;
(vi) Patron deposit accounts and cashless systems procedures,
including supervision, patron deposit accounts and cashless systems, as
well as patron deposits, withdrawals and adjustments;
(vii) Lines of credit procedures, including establishment of lines
of credit policy;
(viii) Drop and count standards, including supervision, count room
access, count team, card game drop standards, player interface and
financial instrument drop standards, card game count standards, player
interface financial instrument count standards, and controlled keys;
(ix) Cage, vault, cash and cash equivalent procedures, including
supervision, cash and cash equivalents, personal checks, cashier's
checks, traveler's checks, payroll checks, and counter checks, cage and
vault accountability, kiosks, patron deposited funds, promotional
payouts, drawings, and giveaway programs, chip and token standards, and
cage and vault access;
(x) Information technology, including supervision, class II gaming
systems' logical and physical controls, independence, physical
security, logical security, user controls, installations and/or
modifications, remote access, incident monitoring and reporting, data
back-ups, software downloads, and verifying downloads;
(xi) Accounting standards, including accounting records,
maintenance and preservation of financial records and relevant
supporting documentation.
(2) Internal auditor(s) are independent of gaming operations with
respect to the departments subject to audit (auditors internal to the
operation, officers of the TGRA, or outside CPA firm may perform this
function).
(3) Internal auditor(s) report directly to the Tribe, TGRA, audit
committee, or other entity designated by the Tribe.
(4) Documentation such as checklists, programs, reports, etc. is
prepared to evidence all internal audit work and follow-up performed as
it relates to compliance with TICS, SICS, and these MICS, including all
instances of noncompliance.
(5) Audit reports are maintained and made available to the
Commission upon request and must include the following information:
(i) Audit objectives;
(ii) Audit procedures and scope;
(iii) Findings and conclusions;
(iv) Recommendations, if applicable; and
(v) Management's response.
(6) All material exceptions resulting from internal audit work are
investigated and resolved and the results are documented.
(7) Internal audit findings are reported to management, responded
to by management stating corrective measures to be taken, and included
in the report delivered to management, the Tribe, TGRA, audit
committee, or other entity designated by the Tribe for corrective
action.
(8) Follow-up observations and examinations must be performed to
verify that corrective action has been taken regarding all instances of
non-compliance cited by internal audit, the independent accountant, the
Commission, and/or the TGRA. The verification must be performed within
six (6) months following the date of notification.
(d) Annual requirements. (1) Agreed upon procedures. A CPA must be
engaged to perform an assessment to verify whether the gaming operation
is in compliance with these MICS, and/or the TICS or SICS if they
provide at least the same level of controls as the MICS. The assessment
must be performed in accordance with agreed upon procedures and the
most recent versions of the Statements on Standards for Attestation
Engagements and Agreed-Upon Procedures Engagements (collectively
``SSAEs''), issued by the American Institute of Certified Public
Accountants.
(2) The tribe must submit two copies of the agreed-upon procedures
report to the Commission within 120 days of the gaming operation's
fiscal year end in conjunction with the submission of the annual
financial audit report required pursuant to 25 CFR part 571.
(3) Review of internal audit.(i) The CPA must determine compliance
by the gaming operation with the internal audit requirements in
paragraph (d) above by:
(A) Completing the internal audit checklist;
(B) Ensuring that the internal auditor completed checklists for
each gaming department of the operation;
(C) Verifying that any areas of non-compliance have been
identified;
(D) Ensuring that audit reports are completed and include responses
from management; and
(E) Verifying that appropriate follow-up on audit findings has been
conducted and necessary corrective measures have been taken to
effectively mitigate the noted risks.
(ii) If the CPA determines that the internal audit procedures
performed during the fiscal year have been properly completed, the CPA
may rely on the work of the internal audit for the completion of the
MICS checklists as they relate to the standards covered by this part.
(4) Report format. The SSAEs are applicable to agreed-upon
procedures engagements required in this part. All noted instances of
noncompliance with the MICS and/or the TICS or SICS, if they provide
the same level of controls as the MICS, must be documented in the
report with a narrative description, the number of exceptions and
sample size tested.
[[Page 32464]]
Sec. 543.24 What are the minimum internal control standards for
revenue audit?
(a) Independence. Audits must be performed by agent(s) independent
of the transactions being audited.
(b) Documentation. The performance of revenue audit procedures, the
exceptions noted, and the follow-up of all revenue audit exceptions
must be documented and maintained.
(c) Controls must be established and procedures implemented to
audit of each of the following operational areas:
(1) Bingo. (i) At the end of each month, verify the accuracy of the
ending balance in the bingo control log by reconciling it with the
bingo paper inventory. Investigate and document any variance noted.
(ii) Daily, recalculate supporting records and documents to
reconcile to summarized paperwork (e.g. total sales and payouts per
shift and/or day).
(iii) At least monthly, review variances related to bingo
accounting data, which must include, at a minimum, any variance noted
by the Class II gaming system for cashless transactions in and out,
electronic funds transfer in and out, external bonus payouts, vouchers
out and coupon promotion out. Investigate and document any variance
noted.
(iv) At least monthly, review statistical reports for any
deviations from the mathematical expectations exceeding a threshold
established by the TGRA. Investigate and document any deviations
compared to the mathematical expectations required to be submitted per
Sec. 547.4.
(v) At least monthly, take a random sample, foot the vouchers
redeemed and trace the totals to the totals recorded in the voucher
system and to the amount recorded in the applicable cashier's
accountability document.
(2) Pull tabs. (i) Daily, verify the amount of winning pull tabs
redeemed each day.
(ii) At the end of each month, verify the accuracy of the ending
balance in the pull tab control by reconciling the pull tabs on hand.
Investigate and document any variance noted.
(iii) At least monthly, compare for reasonableness the amount of
pull tabs sold from the pull tab control log to the amount of revenue
recognized.
(iv) At least monthly, review statistical reports for any
deviations exceeding a specified threshold, as defined by the TGRA.
Investigate and document any large and unusual fluctuations noted.
(3) Card games. (i) Daily, reconcile the amount indicated on the
progressive sign/meter to the cash counted or received by the cage and
the payouts made for each promotional progressive pot and pool. This
reconciliation must be sufficiently documented, including
substantiation of differences, adjustments, etc.
(ii) At least monthly, review all payouts for the promotional
progressive pots, pools, or other promotions to determine proper
accounting treatment and that they are conducted in accordance with
conditions provided to the customers.
(iii) At least weekly, reconcile all contest/tournament entry and
payout forms to the dollar amounts recorded in the appropriate
accountability document.
(4) Gaming promotions and player tracking. (i) At least monthly,
perform procedures to ensure that promotional payments, drawings, and
giveaway programs are conducted in accordance with information provided
to the customers.
(ii) At least one day per quarter, for computerized player tracking
systems, perform the following procedures:
(A) Review all point addition/deletion authorization documentation,
other than for point additions/deletions made through an automated
process, for propriety;
(B) Review exception reports, including transfers between accounts;
and
(C) Review documentation related to access to inactive and closed
accounts.
(iii) At least annually, all computerized player tracking systems
(in-house developed and purchased systems) must be reviewed by
personnel independent of the individuals that set up or make changes to
the system parameters. The review must be performed to determine that
the configuration parameters are accurate and have not been altered
without appropriate management authorization (e.g., player tracking
system--verify the accuracy of the awarding of points based on the
dollar amount wagered). Document and maintain the test results.
(5) Complimentary services or items. At least monthly, review the
reports required in Sec. 543.13(d). These reports must be made
available to the Tribe, TGRA, audit committee, other entity designated
by the Tribe, and the Commission, upon request.
(6) Patron deposit accounts. (i) At least weekly, reconcile patron
deposit account liability (deposits adjustments-
withdrawals = total account balance) to the system record.
(ii) At least weekly, review manual increases and decreases to/from
player deposit accounts to ensure proper adjustments were authorized.
(7) Lines of credit. (i) At least three (3) times per year, an
agent independent of the cage, credit, and collection functions must
perform all of the following:
(A) Select a sample of line of credit accounts;
(B) Ascertain compliance with credit limits and other established
credit issuance procedures;
(C) Reconcile outstanding balances of both active and inactive
(includes write-offs and settlements) accounts on the accounts
receivable listing to individual credit records and physical
instruments. This procedure need only be performed once per year for
inactive accounts; and
(D) Examine line of credit records to determine that appropriate
collection efforts are being made and payments are being properly
recorded.
(ii) On at least five (5) days per month, subsequently reconcile
partial payment receipts to the total payments recorded by the cage for
the day and account for the receipts sequentially.
(iii) At least monthly, perform an evaluation of the collection
percentage of credit issued to identify unusual trends.
(8) Drop and count. (i) At least quarterly, unannounced currency
counter and currency counter interface (if applicable) tests must be
performed, and the test results documented and maintained. All
denominations of currency and all types of cash out tickets counted by
the currency counter must be tested. This test may be performed by
internal audit or the TGRA. The result of these tests must be
documented and signed by the agent or agents performing the test.
(ii) At least quarterly, unannounced weigh scale and weigh scale
interface (if applicable) tests must be performed, and the test results
documented and maintained. This test may be performed by internal audit
or the TGRA. The result of these tests must be documented and signed by
the agent or agents performing the test.
(iii) For computerized key security systems controlling access to
drop and count keys, perform the following procedures:
(A) At least quarterly, review the report generated by the
computerized key security system indicating the transactions performed
by the individual(s) that adds, deletes, and changes users' access
within the system (i.e., system administrator). Determine whether the
transactions completed by the system administrator provide adequate
control over the access to the drop and count keys. Also, determine
whether any drop and count key(s) removed or returned to the key
cabinet
[[Page 32465]]
by the system administrator was properly authorized;
(B) At least quarterly, review the report generated by the
computerized key security system indicating all transactions performed
to determine whether any unusual drop and count key removals or key
returns occurred; and
(C) At least quarterly, review a sample of users that are assigned
access to the drop and count keys to determine that their access to the
assigned keys is adequate relative to their job position.
(iv) At least quarterly, an inventory of all controlled keys must
be performed and reconciled to records of keys made, issued, and
destroyed. Investigations must be performed for all keys unaccounted
for, and the investigation documented.
(9) Cage, vault, cash, and cash equivalents. (i) At least monthly,
the cage accountability must be reconciled to the general ledger.
(ii) On at least one day each month, trace the amount of cage
deposits to the amounts indicated in the bank statements.
(iii) On at least two days each year, a count must be performed of
all funds in all gaming areas (i.e. cages, vaults, and booths
(including reserve areas), kiosks, cash-out ticket redemption machines,
and change machines. Count all chips and tokens by denomination and
type. Count individual straps, bags, and imprest banks on a sample
basis. Trace all amounts counted to the amounts recorded on the
corresponding accountability forms to ensure that the proper amounts
are recorded. Maintain documentation evidencing the amount counted for
each area and the subsequent comparison to the corresponding
accountability form. The count must be completed within the same gaming
day for all areas.
(A) Counts must be observed by an individual independent of the
department being counted. It is permissible for the individual
responsible for the funds to perform the actual count while being
observed.
(B) Internal audit may perform and/or observe the two counts.
(iv) At least annually, select a sample of invoices for chips and
tokens purchased, and trace the dollar amount from the purchase invoice
to the accountability document that indicates the increase to the chip
or token inventory to ensure that the proper dollar amount has been
recorded.
(v) At each business year end, create and maintain documentation
evidencing the amount of the chip/token liability, the change in the
liability from the previous year, and explanations for adjustments to
the liability account including any adjustments for chip/token float.
(vi) At least monthly, review a sample of returned checks to
determine that the required information was recorded by cage personnel
when the check was cashed.
(vii) At least monthly, review exception reports for all
computerized cage systems for propriety of transactions and unusual
occurrences. The review must include, but is not limited to, voided
authorizations. All noted improper transactions or unusual occurrences
identified must be investigated and the results documented.
(viii) Daily, reconcile all parts of forms used to document
increases/decreases to the total cage inventory, investigate any
variances noted, and document the results of such investigations.
(10) Accounting. (i) At least monthly, verify receipt, issuance,
and use of controlled inventory, including, but not limited to, bingo
cards, pull tabs, playing cards, keys, pre-numbered and/or multi-part
forms, etc.
(ii) Periodically perform minimum bankroll calculations to ensure
that the gaming operation maintains cash in an amount sufficient to
satisfy the gaming operation's obligations.
Sec. 543.25-543.49 [Reserved]
Dated this 22nd of May, 2012.
Tracie L. Stevens,
Chairwoman.
Steffani A. Cochran,
Vice-Chairwoman.
Daniel J. Little,
Commissioner.
[FR Doc. 2012-12991 Filed 5-31-12; 8:45 am]
BILLING CODE 7565-01-P