Legalizing Internet Gaming, Part IV: Enforcement

As with any industry, Internet gaming is susceptible to crime. A United States presidential committee perhaps best summed up the situation when it stated: “Advances in technology—the advent of the automobile and the telephone, for instance—have always given wrongdoers new means for engaging in unlawful conduct. The Internet is no different: it is simply a new medium through which traditional crimes can be committed, albeit through the use of inexpensive and widely available computer and telecommunications systems, and with unprecedented speed and on a far-reaching scale.” It is essential, therefore, that a state implement and enforce regulations that are designed to protect critical aspects of the online operation, such as hardware, software or operating systems, from unauthorized access by players and employees alike.

There are several requirements a state can impose to help ensure the security of websites. In particular, all Internet gaming operators should be required to house their Internet gaming computer systems in secure data centers to restrict access.  Moreover, logging directly into the Internet gaming computer system should be restricted to terminals physically located in the secure data center.  Additionally, only certain personnel should have access to core systems and software. For instance, important data files and programs should also be protected by passwords known only to certain authorized personnel. Such regulations will help preserve the integrity and fairness of the Internet gaming sites, which are crucial to the success of a state’s online gaming operation.

Equally important is the financial stability of the online operators and the security of players’ funds. Operators of Internet gaming sites should not only be required to demonstrate that they are financially suitable to perform the obligations of an operator during the licensing process, but this responsibility should carry forward as long as they remain a licensed operator. Therefore, regulators should routinely audit the financial records of licensed operators to ensure that adequate funds exist to operate their sites in a fair, safe and secure manner.

In terms of player funds, regulations should address requirements for establishing, funding and maintaining the accounts. For example, operators should continually be monitored to ensure they provide a means for registered players to place funds into a registered player account and transfer funds out of that account. Likewise, such deposits, withdrawals and other transactions should be maintained in a system audit log and should be backed up in case of a system failure. Moreover, operators must be prohibited from commingling the funds in the segregated accounts that contain funds paid by registered players with any other funds held by the operators. Intrastate gambling regulations also need to necessitate that both the accounts of the operators and their segregated registered player accounts must be held in financial institutions located in the state.

Internet gaming is also a potential vehicle for laundering money. Accordingly, in order to help prevent such illegal transactions, regulators should work with operators to provide appropriate training for employees to educate them about money laundering techniques and the prevention of money laundering. Some of the other important provisions regarding funding are to require operators to record the identity of the player as soon as practicable after first contact, to require registered players to identify the source of funds to be used to put money into the account, and to not allow operators to provide credit to registered players or permit registered players to make payments by money order or cash, thereby helping prevent money laundering on the part of the users.“  The overall goals of technical standards are to assure that all gambling activity is fair, secure and auditable.”  One of the specific areas covered by these requirements includes fairness of the games. Internet gaming sites can be prone to cheating, by both the player and the operator. Typical scams associated with Internet gaming include player collusion and robotic play. As a consequence, regulators should ensure that adequate laws are implemented and enforced to prevent such fraudulent activity. By way of an example, covert field observations are a useful tactic that land-based regulators use in order to detect cheating scams and operational regulatory violations.

Physical observations of Internet gaming, however, are limited because all the major transactions occur in the electronic world. Therefore, efficiently regulating Internet gaming is much more based in technology than traditional gaming. Absent the human interaction common in traditional gaming, the regulation of Internet gaming tends to focus on technical aspects. Instead of physically observing the interaction between patrons and operators, as can be done in a land-based casino, regulators must rely heavily on the monitoring of an operator’s hardware and software. For example, a regulator may choose to observe the behavior of the operators and players via real-time online monitoring of the websites using a “mirrored” server that records all transactions maintained at the site’s main server.

In order to ensure that operators are operating within the confines of the laws and regulations, state regulators should mandate that operators conduct self-monitoring and self-assessment of their activities. This includes requiring operators to draft, implement and enforce minimum internal control standards that maintain accountability for transactions and prevent and detect any errors and irregularities that might occur in a timely manner.  Specifically, internal controls are measures (such as reviews, checks and balances, methods and procedures) instituted by an entity to (1) conduct its business in an orderly and efficient manner; (2) safeguard its assets and resources; (3) deter and detect errors, fraud and theft; (4) ensure the accuracy and completeness of its accounting data; and (5) ensure adherence to its policies and plans.

With regard to Internet gaming websites, operators should maintain, for example, records on player account balances, including time-stamped records of funds added to and withdrawn from players’ accounts; total monies wagered and won; and jackpot wins. Operators also should review, analyze and maintain records of all “significant events.” This includes details of large wins; large transfers or single and aggregated funds over a specified period of time; any changes to the game or jackpot parameters; jackpot win occurrences; player exclusion information, including requests to lift exclusions; and notifications of end-layer device malfunctions. However, because most transactions will be recorded online, measures also must be in place to ensure that these transactions are verifiable, subject to monitoring and permanent. For instance, an operator may be required to maintain certain information for several years.

Equally important, internal controls should be designed to help prevent and detect internal and external fraudulent activity. With regard to internal fraudulent activity, personnel controls can be implemented to create a chain of command for approval of and accountability for transactions. These controls may include staff supervision, secondary review and approval of transactions, and appropriate segregation of job duties. With regard to external fraudulent activity, controls should address identifying and analyzing risks and should include written policies and procedures. Controls also should mandate employee training so that employees can better detect patron fraud and cheating. Specifically, the controls should be designed to discourage and identify errors and fraud. In both instances, if errors or fraud are discovered, the internal controls should set forth steps to stop these activities immediately and inform the regulator of all relevant facts.

Internal controls should be an integral part of any operator’s financial and business policies and procedures. However, if such controls are not being followed and enforced, they are valueless. Accordingly, a state can help ensure compliance with its gaming laws and regulations through the use of audits. Typical audit objectives include verifying that the operator has established adequate internal control procedures and is complying with these procedures. Audits can be divided into internal audits and external audits. Internal audits are conducted by the operator, whereas external audits are conducted by a third party (e.g., the applicable state agency or an independent company). Internal audits assess whether the policies and procedures of an operator are adequate and effectively working to safeguard assets and control activities. While internal audits do not formulate policies and procedures, they make recommendations for improvement and can be called upon during the implementation and assessment of new processes and systems. Specifically, unlike an external auditor, the internal auditor is around throughout the year and, therefore, typically delves into more process detail.

In contrast, external audits are typically conducted on a periodic basis and focus upon providing an independent opinion on the operator's compliance with the laws of the state. The objectives of external audits are set primarily by statute or regulation. Nevertheless, both types of audit can include interviewing of employees, the examination of documents and the observation of protocols.  Most importantly, each type of audit provides the operator the opportunity to improve and add value to its operating measures and practices.

Ultimately, effective regulation lies not only with the ability to enforce regulations, but also with the fact that consumers will want to play only with regulated gaming sites. Specifically, if operators submit to reasonable regulation in order to achieve a level of credibility and if players acknowledge this benefit, then unregulated operators will be at a competitive disadvantage. One of the many factors that aid players in this determination is whether the regulating authority is legitimate and provides the necessary protection to the players. Thus, a state attempting to legalize and regulate Internet gaming should, at a minimum, evaluate the aforementioned factors and thoroughly consider how it can best implement and govern these safeguards.


Karl F. Rutledge
Karl F. Rutledge
Partner, Chair - Commercial Gaming Group

Related Attorneys

Related Services