Hard Rock Digital Mobile Internal Controls

Definitions
111.B.1 Event Wagering System
111.B.2 Event Wagering Server Security
111.B.3 Geolocation Verification
111.B.4 Security and Surveillance
111.B.5 User Access Control for all Event Wagering Personnel
111.B.6 System Failure
111.B.7 Automated and Manual Risk Management Procedures
111.B.8 Change Management Procedures
111.B.9 Fraudulent or Suspicious Wagering Activity
111.B.10 Mitigation of Risk of Fraud and Cheating
111.B.11 Bank Secrecy Act Procedures
111.B.12 Responsible Marketing and Advertising Procedures
111.B.13 Problem Gambling
111.B.14 Responsible Gaming Training and Education
111.B.15 Identification, Notice, and Removal of Self-Excluded or Barred Persons
111.B.16 Selling tickets, cashing tickets, cancelling event wagers, voiding tickets, handling lost tickets, and issuing tax or other required forms
111.B.17 Obvious Errors
111.B.18 Setting and Moving Lines
111.B.19 Reconciliation of Assets
111.B.20 Verification of Player Identification
111.B.21 Promotional/Bonus Credit for Event Wagers
111.B.22 Patron Disputes
111.B.23 Player Account Management
111.B.24 Internal Audit
111.B.25 Event Wagering Records
111.B.26 Disposition of Claims
111.B.27 Prohibited Participants

MOBILE AND ONLINE EVENT WAGERING

These Mobile and Online Event Wagering Internal Controls are adopted pursuant to Section 111
of the Arizona Department of Gaming’s Event Wagering Regulation.

Definitions

(a) "Age and Identity Verification" means a method, system, or device used by Hard Rock
Digital to verify the validity of a Patron's age and the Patron's identity.

(b) "Canceled Wager" means a wager that has been canceled by the Event Wagering System
due to an issue with an event that prevents the wager's completion.

(c) “Compact” means the 2021 Gaming Compact Between the Arizona Tribes and the State
of Arizona ("Compact"), which took effect on April 15, 2021.

(d) "Department" means the Arizona Department of Gaming or ADG.

(e) "Facility" means a building or buildings in which the Covered Games authorized by the
ADG are conducted.

(f) "Independent Integrity Monitoring Provider" means an independent individual or entity
approved by the Department to receive reports of Unusual Betting Activity for the purpose
of assisting in identifying Suspicious Betting Activity.

(g) "Patron" means any person who is participating in Event Wagering.

(h) "Event Wagering" means wagering on any past or future professional sport or athletic
event, competition or contest, any Olympic or international sports competition event, any
collegiate sport or athletic event (but not including proposition bets on such collegiate sport
or event), or any motor vehicle race, or any portion of any of the foregoing, including but
not limited to the individual performance statistics of an athlete or other individual
participant in any event or combination of events, or any other "in-play" betting with
respect to any such sporting event, competition or contest, except "Event Wagering" does
not include Fantasy Sports Contests, pari-mutuel betting, or betting on any form of poker
or other card game.

(i) "Event Wagering System" means the system and/or any platforms utilized to accept sports
wagers.

(j) "Suspicious Wagering Activity" means previously reported Unusual Betting Activity that
cannot be explained and is indicative of match-fixing, the manipulation of an event, misuse
of inside information, or other prohibited activity.

(k) "Unusual Wagering Activity" means abnormal betting activity exhibited by Patrons and
deemed by Hard Rock Digital as a potential indicator of Suspicious Betting Activity.
Unusual Betting Activity may include the size of a Patron's wager or increased betting
volume on a particular event or wager type.

(l) "Vendor" means an entity providing non-management services to support Hard Rock
Digital's Event Wagering operations either directly or through subcontractors. All Vendor
contracts must be provided to the Department before they are executed.

Article I Event Wagering

General requirements for Event Wagering

(a) Hard Rock Digital shall comply, and Hard Rock Digital shall require any Vendor to
comply, with the requirements for Event Wagering set forth in the 2021 Arizona Tribal-
State Gaming Compact, the Arizona Gaming Code, and all applicable federal laws and
regulations.

(b) Event Wagering may commence upon approval of the Arizona Department of Gaming
("ADG" or "Department").

(c) Event Wagering is limited to Patrons who are natural persons who are twenty-one (21)
years of age or older and are physically located within the State of Arizona.

111.B.1 Event Wagering System

All Event Wagering is deemed at all times to be conducted exclusively by Hard Rock Digital at its
Facilities where the sports books, including betting engine servers and devices required to conduct
wagering and accounting transactions, are located. This includes any wagering undertaken by a
Patron physically located in the State of Arizona using hardware mechanisms including electronic
devices such as mobile devices to access a website, application, or other platform accessible via
the internet or mobile, wireless, or similar communications technology that Patrons may use to
participate in Event Wagering.

The Event Wagering System will, at least once every 24 hours, perform a self-authentication
process on all software used to offer, record, and process Event Wagering wagers that are identified
as a critical component of the Event Wagering System, to ensure there have been no unauthorized
modifications. If there is an authentication failure, the Event Wagering System must immediately
notify Hard Rock Digital and Hard Rock Digital must notify ADG within 24 hours. The results of
all self-authentication attempts must be retained for not less than ninety (90) business days.
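
The self-authentication cycle described above, sketched as an added example (it is not Hard Rock Digital's or its vendor's code). It assumes critical components are files checked against a SHA-256 manifest sealed with an HMAC key held outside the wagering host; the component names, key, and holiday calendar are hypothetical.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _seal(hashes, key):
    """HMAC over the canonical manifest so the approved-hash list itself cannot be edited silently."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, components, key):
    """Record the approved hash of each critical component (run at approval/release time)."""
    hashes = {rel: sha256_file(os.path.join(root, rel)) for rel in components}
    return {"hashes": hashes, "mac": _seal(hashes, key)}


def self_authenticate(root, manifest, key, now=None):
    """One self-authentication attempt; the returned record is what gets retained."""
    now = now or datetime.now(timezone.utc)
    result = {"checked_at": now.isoformat(), "status": "PASS", "failures": []}
    if not hmac.compare_digest(_seal(manifest["hashes"], key), manifest["mac"]):
        result["failures"].append({"component": "<manifest>", "reason": "manifest_tampered"})
    else:
        for rel, expected in sorted(manifest["hashes"].items()):
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                result["failures"].append({"component": rel, "reason": "missing"})
            elif not hmac.compare_digest(sha256_file(path), expected):
                result["failures"].append({"component": rel, "reason": "modified"})
    if result["failures"]:
        result["status"] = "FAIL"
    return result


def adg_notice_deadline(result):
    """A failed attempt starts the 24-hour window for notifying ADG; a pass starts none."""
    if result["status"] == "PASS":
        return None
    return datetime.fromisoformat(result["checked_at"]) + timedelta(hours=24)


def oldest_result_to_keep(today, business_days=90, holidays=frozenset()):
    """Date 90 business days back; results from this date onward are still in retention.

    Weekends and the supplied holidays (an assumed calendar) are not business days.
    """
    day, counted = today, 0
    while counted < business_days:
        day -= timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            counted += 1
    return day


def demo():
    """Constructed scenario: two hypothetical components, then one is altered and one removed."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        for name in ("bet_engine.bin", "settlement.bin"):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(b"approved build")
        manifest = build_manifest(root, ["bet_engine.bin", "settlement.bin"], key)
        clean = self_authenticate(root, manifest, key)
        with open(os.path.join(root, "bet_engine.bin"), "wb") as handle:
            handle.write(b"approved build + unauthorized patch")
        os.remove(os.path.join(root, "settlement.bin"))
        altered = self_authenticate(root, manifest, key)
    return clean, altered


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2), adg_notice_deadline(record))
```

Scheduling the check (for example once per day from a job scheduler) and writing each returned record to append-only storage are left to the deployment.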

Hard Rock Sportsbook Platform

The Hard Rock Sportsbook Platform is a sports wagering platform that allows the player to
place eligible sports wagers in the state of Arizona using native mobile applications.
The system is comprised of two major software systems which are intended to be installed
with, and operated by, a sports book operator. Hard Rock may act as IT Service Provider to the
Operator; otherwise the Operator’s own IT Department will take responsibility for the
management and control of the software once it is installed. The two system components are:

1. Sportsbook Manager (SBM), an Amelco player account management platform, and

2. Backend – NATS Portal, an Amelco trading platform.

The Sportsbook Manager is a PAM platform used to:

• Store Patron’s personal details and transaction histories,
• Allow registered players to place wagers on the Hard Rock Sportsbook platform,
• Allow registered players to deposit and withdraw funds from a wagering account,
• Allow the Operator the ability to make manual account adjustments,
• Allow the Operator the ability to set transaction limits and/or suspend player accounts
on-demand, and
• Provide reports on all wagering account activity.

The NATS Portal is a sports wagering/trading system used to:

• Create and manage wagering events,
• Accept fixed-odds sports wagers,
• Automatically settle wagers based on entered results,
• Manage and track wager payouts, and
• Provide reports on wagering activity.

The Hard Rock Sportsbook Platform also provides a front-end website and mobile native
applications which are the only way for end users to place account wagers on the system and
manage their wagering account.

Wagers and Approved Events for Wagering


(a) Hard Rock Digital shall not accept wagers on any event unless it has provided written
notification to the Department in advance of the first time that betting on a category of
betting event (for example, betting on a particular type of professional sport) or type of
wager (for example an in-play wager or exchange wager) is offered to the public. Such
notice shall be submitted prior to accepting a wager on a new category of Event Wagering
event or accepting a new type of wager. Within seven (7) days the Department shall issue
a written approval or disapproval to Hard Rock Digital. The Department reserves the right
to prohibit the acceptance of wagers and may order the cancellation of wagers and require
refunds on any event for which betting would be contrary to the public policies of Hard
Rock Digital.

(b) Hard Rock Digital shall only accept wagers on sports events and other events approved by
the Department for which:

a. The outcome can be verified;

b. The outcome can be generated by a reliable and independent process;

c. The outcome will not be affected by any wager placed; and

d. The event is conducted in conformity with all applicable laws.

(c) Payment for event wagering activity or for deposit into a player account shall be made by
cash, cash equivalent, electronic funds transfer, credit card, debit card, check, wire transfer,
winnings, and/or promotional or bonus credit. Other forms of payment may be utilized
upon written approval of the Department.

(d) Hard Rock Digital shall maintain a cash reserve in the amount of at least $500,000.00 or
the actual amount, if higher, to ensure the ability to cover the outstanding Event Wagering
liability.

Integrated Third-Party Systems

(a) Hard Rock Digital Internal Trading Feed – provides event creation, management, pricing
and settlement.

(b) Amelco Platform: Trading platform where all Hard Rock Digital trading is hosted;
consumes feeds for creation and pricing and surfaces to our channels.

(c) Betradar – Provides pricing and event information.

(d) Genius Sports – Provides pricing and event information.

(e) Lsports – Provides analytic insights to derive pricing.

(f) Swish – Provides analytics used in pricing prop bets in approved markets.

(g) Slack – Communication tool between US & dedicated Trading and Risk team.

(h) LexisNexis – Provides customer identification verification.

(i) Socure – Provides customer identification verification.

(j) Geocomply – Provides geolocation services.

(k) Accertify – Provides automated AML and fraud detection tools.

(l) MLB – Official Data provider.

(m) NBA – Official Data provider.

111.B.2 Event Wagering Server Security

Hard Rock Digital uses Amazon Web Services Outposts as its Event Wagering server. AWS
Outposts rack is delivered as an industry-standard 42U rack. The Outposts rack is 80 inches
(203.2cm) tall, 24 inches (60.96cm) wide, and 48 inches (121.92cm) deep. Inside it has hosts,
switches, a network patch panel, a power shelf, and blank panels. Outposts racks are designed for
high availability with redundant network switches and power connections. Amazon Web Services
will deliver the servers to the physical site fully assembled and ready to use once plugged into
power and the network. All servers and related equipment for Event Wagering shall be located at
1850 W Deer Valley Road, Phoenix, 85027 Arizona US. The location will have adequate security,
including twenty-four (24) hour surveillance, and will be approved by the Department.

111.B.3 Geolocation Verification

The online Event Wagering system utilizes GeoComply for geolocation purposes. A GeoComply
check is initiated as part of a Patron’s login process. The customer will be unable to wager until a
valid location has been established, and the customer will not be allowed to place a wager if
GeoComply detects that the player is not in an area authorized for an online Event Wagering
system.

Customers will not be prohibited from logging into their accounts to make deposits, request
withdrawals, change preferences, etc. when not in an authorized area.

GeoComply’s technology detects and blocks the use of proxies, remote desktop software, virtual
machines, jailbroken devices, mock location settings, developer tools, and many other location
spoofing methods.

GeoComply technology has proprietary tools to detect location jumping, account sharing, and other
methods to disguise a user’s location. If the GeoComply system cannot determine a player’s
location or finds the player’s location to be outside the authorized area, it will prevent the player
from wagering.

Periodic rechecks of a customer’s location are done in the background after a certain number of
seconds (as dictated by GeoComply’s “regeolocate in” value). The frequency of GeoComply’s
periodic rechecks is velocity-based (assumed at 70mph) and dependent upon a user’s proximity
to the border. The system is designed to trigger more frequent checks as the user approaches the
border, and to cut off access by the time the user reaches the nearest border. If a valid location is
not established at any time, wagering is disabled for that customer. Velocity checks and accuracy
thresholds are fully configurable by GeoComply. The desktop version of the online Event
Wagering offering will utilize the GeoComply “PLC” plugin. iOS and Android apps use the
relevant software development kit plugin.

Hard Rock Digital will ensure that any online Event Wagering hosted on the Event Wagering
System will take place in accordance with all applicable laws. Any Patron attempting to access or
use the system with an older version will fail the location check and therefore be unable to wager.
Geolocation software updates will be implemented client-side by Hard Rock Digital using
GeoComply’s updated Software Development Kits (“SDKs”). These SDKs, once ready, are
available via GeoComply’s Release Portal which notifies Hard Rock Digital that a new release is
available. The ADG would also receive notice of this new release at that time as well as a new
submission.

111.B.4 Security and Surveillance

Retail - Reserved

111.B.5 User Access Control for all Event Wagering Personnel

Systems Access
(a) Access to the Event Wagering system will be managed by a small group of administrators
approved by Hard Rock Digital. A current listing of all permissions will be maintained by the
system vendor and shared with the ADG as requested. Hard Rock Digital will maintain the player
account management (“PAM”) program for the Arizona system as well as the administrative back-
office tool.

(b) Permissions in Hard Rock Digital’s use of the back-office system are managed by system
administrators who assess an employee’s need for access to the system and grant permissions on
a minimum-necessary-permission basis. Each department has designated user groups set up to
access only the parts of the system needed for that department as approved by Hard Rock Digital.

(c) Managers within the IT and Compliance departments can add new users to the back-office
platform with approval of Hard Rock Digital. Each user can access only the parts of the system
required to do their job.

(d) Hard Rock Digital will maintain documentation of each account created and note the
approver for each account. Hard Rock Digital will maintain a current listing of all employees with
access to the PAM and the back-office tool and will share such lists with ADG as requested.

(e) Each Hard Rock Digital or Vendor user may have only one back-office tool account
at any given time, which will be associated with the user’s email address.
Sharing of account login information between employees is prohibited.

(f) Vendor employees will use Okta identity management to access the back office with
approval of Hard Rock Digital. This means that employees must be active with the Vendor in order
to access these tools and will lose access upon termination.

(g) Upon any employee departure or termination from Hard Rock Digital or Vendor, Hard
Rock Digital's or Vendor's Human Resources (“HR”) will notify Hard Rock Digital's Information
Technology (“IT”) department, and IT will, within 24 hours, ensure that individual no longer has
access to Hard Rock Digital’s sports wagering systems. Hard Rock Digital and Vendor HR will
maintain a record of all active and terminated employees and will share such lists with ADG as
required.

(h) Access to system functions is controlled by user roles and assigned in a manner that ensures
appropriate segregation of duties so that no employee is in a position both to commit an error or
to perpetrate fraud and to conceal that error or fraud in the normal course of his or her duties.

(i) All user roles shall be approved by Hard Rock Digital in accordance with user Access
Control Procedures.

(j) Hard Rock Digital user roles include:

• ADMINISTRATOR
• PUNTER
• AGENT
• MEMBER
• CUSTOMER_CARE_AGENT
• CUSTOMER_CARE_MANAGER
• PAYMENT_AGENT
• MARKETING
• MANAGER
• READ_ONLY
• RISK_AGENT
• RISK_MANAGER
• TRANSLATIONS_AGENT
• DEVELOPMENT
• BACKOFFICE
• OPERATOR_ADMIN
• TERMINAL
• TELLER_OPERATOR
• TELLER_DEVICE
• NATS_ADMIN
• AMELCO
• SBM_ADMIN

The roles and permissions of each user role are contained in Hard Rock Digital’s NATS user roles
database.

Need more expansive Segregation of Duties

111.B.6 System Failure

Procedures for paying wagers in the event of a system failure depend on the nature and expected
duration of the failure.

In normal operations, winning wagers are paid from the Event Wagering System to the player
wallet system in near-real time as the bets are settled. If the failure is a long-term failure of the
Event Wagering System (longer than an hour), unsettled bets will be manually settled with
approval from Hard Rock Digital by the Vendor’s Customer Operations team based on the bet
transaction log and winnings credited to the player’s account as a financial adjustment, where they
can be withdrawn in the normal course. Once the Event Wagering System is restored, balancing
adjustments will be posted as necessary to correct the balance once the settlement proceeds.

If the Event Wagering System is unable to accept a wager or validate a ticket for more than two
(2) hours, HRD will notify the Department as soon as practically possible as required by R19-4-
125 of the Arizona Event Wagering Regulations.

Unsettled bets will be manually settled based on the bet transaction log and outstanding balances
determined from the daily wagering account summary or detail report. Once the Event Wagering
System is restored, balancing adjustments will be posted as necessary to account for the manual
actions and correct the balance.

Hard Rock Digital shall document the date, time, and reason for each system failure along with
the date and time the system is restored and file an incident report for each system failure with
the Department that details the same. In any event where winning wagers are not paid in a timely
manner, Hard Rock Digital will further file an incident report with the Department documenting,
at a minimum, the date, time, and reason for the failure, as well as the date and time the system
is restored, and wagers are properly paid.

111.B.7 Automated and Manual Risk Management Procedures

The Vendor is responsible for risk management and contracts with traders for setting odds and
wagering limits for a given sporting event and wagering opportunity pursuant to management
direction from Hard Rock Digital. Traders are used to manage risk by using automated and
manual controls to monitor wagering and to adjust odds based upon their assessment of wagering
activity and the risks associated with a sporting event.

The sports wagering platform, provided to Hard Rock Digital by Vendor, processes all the data
and content provided by the traders. The platform is also used by Hard Rock Digital to establish
wagering rules, suspend events, handle wagering and financial transactions, create markets, settle
wagers, close markets, cancel events, void or cancel wagers, player account management, and
maintain odds to limit risk.

111.B.8 Change Management Procedures

Changes and updates to the Event Wagering System will be deployed and implemented
according to Hard Rock Digital’s Information Technology Policies and Procedures approved by
ADG. Hard Rock Digital’s Change Procedures are attached.

111.B.9 Fraudulent or Suspicious Wagering Activity

Identifying and Reporting Unusual and Fraudulent Wagering Activity (Game Integrity)

(a) Hard Rock Digital and its Vendor Trading and Risk Team have controls in place to
identify unusual betting activity and report such activity to an Independent Integrity Monitoring
Provider. Hard Rock Digital is a member of U.S. Integrity. Hard Rock Digital and its Vendor
Trading and Risk Team escalate unusual betting activity to U.S. Integrity, and this reporting is
shared with other members including Event Wagering operators in other U.S. states.

(b) All Independent Integrity Monitoring Providers shall share information with each other
and shall disseminate all reports of unusual activity to Hard Rock Digital and the Department
whenever:

a. Any abnormal betting activity or patterns that may indicate a concern about the
integrity of a sports event or events; or

b. Any other conduct with the potential to corrupt a betting outcome of a sports
event for purposes of financial gain, including but not limited to match fixing.

c. Suspicious or improper betting activities, including use of funds derived from
improper activity, wagers to conceal or launder funds derived from illegal
activity, use of agents to place wagers, or use of false identification.

(c) The Department will send any reports to any appropriate regulatory bodies that are
required.

(d) Hard Rock Digital will review such reports and notify the Independent Integrity
Monitoring Provider of whether or not they have experienced similar activity.

(e) If an Independent Integrity Monitoring Provider finds that previously reported Unusual
Wagering Activity rises to the level of Suspicious Wagering Activity, they shall immediately
notify all other Independent Integrity Monitoring Providers, Hard Rock Digital, and the
appropriate sports governing body and all other regulatory agencies as directed by Hard Rock
Digital.

(f) Hard Rock Digital will provide the Department with a quarterly report detailing Unusual
Wagering Activity or other Suspicious Wagering Activity. Further, upon receipt of a report of
Suspicious Wagering Activity, Hard Rock Digital may suspend betting on events related to the
report and may cancel wagers with Department approval.

a. Any unusual betting activity or patterns that may indicate a concern about the
integrity of a sports event or events; or

b. Any other conduct with the potential to corrupt a betting outcome of a sports
event for purposes of financial gain, including but not limited to match fixing.

(g) Suspicious or improper betting activities, including use of funds derived from improper
activity, wagers to conceal or launder funds derived from illegal activity, use of agents to place
wagers, or use of false identification.

(h) All information and data received or distributed by Hard Rock Digital related to unusual
or suspicious activity shall be considered confidential and shall not be revealed in whole or in
part unless required by the Department.

Identifying and Reporting Unusual and Fraudulent Wagering Activity (Patron Activity)

A combination of manual and automated controls will be used to identify and prevent persons
under the age of 21, and those that have been restricted in accordance with R19-4-150
(Responsible Gaming), and R19-4-149 (Barred Persons), from participating in sportsbook
wagering.

The identification of Barred Persons relies on the creation and maintenance of restricted lists in
accordance with R19-4-150 (Responsible Gaming) and R19-4-149 (Barred Persons). A separate
list will be maintained detailing individuals considered Covered Employees of Hard Rock
Digital's Event Wagering operation. These lists will be used to identify and prevent barred
persons from participating in Event Wagering.

111.B.10 Mitigation of Risk of Fraud and Cheating

Anti-Money Laundering Procedures


Staff and pre-installed software will monitor deposit and withdrawal activity on an ongoing basis
to check for unusual behavior. This monitoring includes, but is not limited to:

• Are customers asking for exemptions from policies as they relate to withdrawals or
federal reporting policies, or asking pointed questions as to how much they should
deposit or withdraw so as to avoid federal reporting requirements?

• Is the customer initializing any games between deposits and withdrawal?

• Does the customer share a device or IP with suspect/nefarious gaming accounts or
accounts with chargeback histories?

• Maintain high scrutiny of those accounts with mixed payment methods.

• Be aware of a common fraud technique known as insistence, whereby customers
will continually try to deposit with a credit card in decreasing amounts, in an effort
to see how much they can deposit at once.

• Review failed deposits. Since the last accepted withdrawal, if the customer has
three (3) or more failed deposits by way of three or more separate deposit methods,
do not approve the withdrawal and immediately escalate to Senior Risk for further
review.

• Has the customer given any indication of financial hardship?

• Large values of deposits within forty-eight (48) hours of opening an account.

• Large deposits, little activity, then withdrawal request via different payment method.

• Concentration of activity in multi-player games, particularly when playing against
the same individuals (when applicable).

• Discrepancy in IP address used to access the account versus their registered address
or card issuing country.

• Withdrawal request to personal details which do not match those on the
account/registration details, or withdrawal requests to bank accounts that do not
belong to the gaming account holder.
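
The failed-deposit review rule and the "insistence" indicator from the list above, expressed as detection logic over a transaction history. This is an added example, not the operator's or any vendor's rule set; the record layout, method labels, action names, sample accounts, and the run length of three used for insistence are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Txn:
    ts: datetime
    kind: str      # "deposit" or "withdrawal"
    status: str    # "accepted" or "failed"
    method: str    # payment method label, e.g. "credit_card", "ach" (assumed labels)
    amount: float


def since_last_accepted_withdrawal(txns, as_of):
    """Transactions after the most recent accepted withdrawal, up to the review time.

    If the account has no accepted withdrawal yet, the whole history is in scope.
    """
    past = sorted((t for t in txns if t.ts <= as_of), key=lambda t: t.ts)
    start = 0
    for i, t in enumerate(past):
        if t.kind == "withdrawal" and t.status == "accepted":
            start = i + 1
    return past[start:]


def failed_deposit_rule(txns, as_of):
    """True when 3+ failed deposits across 3+ separate methods occurred in the window."""
    window = since_last_accepted_withdrawal(txns, as_of)
    failed = [t for t in window if t.kind == "deposit" and t.status == "failed"]
    return len(failed) >= 3 and len({t.method for t in failed}) >= 3


def decreasing_card_run(txns, as_of):
    """Longest run of consecutive credit-card deposit attempts with strictly falling amounts."""
    attempts = sorted(
        (t for t in txns if t.ts <= as_of and t.kind == "deposit" and t.method == "credit_card"),
        key=lambda t: t.ts,
    )
    best = run = 1 if attempts else 0
    for prev, cur in zip(attempts, attempts[1:]):
        run = run + 1 if cur.amount < prev.amount else 1
        best = max(best, run)
    return best


def review_withdrawal(txns, as_of, insistence_run=3):
    """Decide the next step for a pending withdrawal request reviewed at `as_of`."""
    flags = []
    if decreasing_card_run(txns, as_of) >= insistence_run:  # assumed threshold
        flags.append("insistence")
    if failed_deposit_rule(txns, as_of):
        return {"action": "HOLD_AND_ESCALATE_TO_SENIOR_RISK", "flags": flags}
    return {"action": "CONTINUE_STANDARD_REVIEW", "flags": flags}


def _t(day, hour, kind, status, method, amount):
    return Txn(datetime(2024, 3, day, hour), kind, status, method, amount)


# Constructed sample histories (not real accounts).
ACCOUNT_A = [  # three failed deposits, three methods, all after the last accepted withdrawal
    _t(1, 9, "withdrawal", "accepted", "ach", 200),
    _t(2, 10, "deposit", "failed", "credit_card", 400),
    _t(2, 11, "deposit", "failed", "debit_card", 400),
    _t(3, 8, "deposit", "failed", "ach", 400),
    _t(3, 9, "deposit", "accepted", "wire", 400),
]
ACCOUNT_B = [  # same failures, but an accepted withdrawal since then resets the window
    _t(1, 9, "deposit", "failed", "credit_card", 100),
    _t(1, 10, "deposit", "failed", "debit_card", 100),
    _t(1, 11, "deposit", "failed", "ach", 100),
    _t(2, 9, "withdrawal", "accepted", "ach", 50),
    _t(3, 9, "deposit", "failed", "credit_card", 100),
]
ACCOUNT_C = [  # one method only, but card attempts step down 500 -> 300 -> 100
    _t(4, 9, "deposit", "failed", "credit_card", 500),
    _t(4, 10, "deposit", "failed", "credit_card", 300),
    _t(4, 11, "deposit", "accepted", "credit_card", 100),
]
REQUEST_TIME = datetime(2024, 3, 5, 12)

if __name__ == "__main__":
    for name, history in (("A", ACCOUNT_A), ("B", ACCOUNT_B), ("C", ACCOUNT_C)):
        print(name, review_withdrawal(history, REQUEST_TIME))
```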

Any account which meets the criteria as per the system rules, or which staff considers unusual
behavior, will have additional personal information requested as per the KYC procedures, and
the action taken on the account will be the same.

• The customer must not launder money or assist others to do so.

• The customer must not impede, by action or inaction, any official investigation of money
laundering.

• All personnel must report any suspicion of money laundering to the Customer Due
Diligence or Compliance Department.

• Hard Rock Digital and its team members must submit its Money Laundering Reports to
the required authorities.

• Hard Rock Digital will strictly abide by the anti-money laundering regulations stipulated
by a regulatory authority and, as possible, follow FATF 40 standards.

Employee Training

It is vital that all Hard Rock Digital team members are aware of the principles that underlie these
procedures as well as the procedures themselves. Therefore, Hard Rock Digital will implement
an ongoing training regimen to ensure that all team members know the procedures and
understand the rationale behind them. This will ensure they react in an appropriate manner if and
when cases of fraudulent behavior arise. This training will be provided on an annual basis to
ensure each team member's understanding. Furthermore, all Hard Rock Digital team members
will be encouraged to use their judgment and report anything they consider potentially suspicious
rather than leaving it to someone else more directly involved.

111.B.11 Bank Secrecy Act Procedures

Anti-Money Laundering Standards

(a) Hard Rock Digital and its Vendor have controls in place to allow for proper monitoring,
testing, and reporting of AML matters. The Vendor’s Compliance team is charged with
investigating incidents and, when appropriate, reporting such matters to Hard Rock Digital to
make management decisions on the same and file any Suspicious Activity Reports (“SAR”) with
FinCEN. Additionally, the Vendor’s Compliance team oversees an enhanced due diligence
program to monitor customer activity and recommend action to Hard Rock Digital if such action
is necessary.

(b) The Vendor’s AML Standard Operating Procedures and Workflow details the process for
review and escalation. Any additional details required by the Department will be provided by
HRD upon request.

(c) The Event Wagering System will utilize Accertify and Socure as automated tools to
assist the operations team with monitoring suspicious behavior, AML concerns such as deposits
and withdrawals with little gameplay, account sharing and linked accounts, bonus and promotion
abuse, claims of fraud/identity theft, and potential structuring of withdrawals to avoid reporting
thresholds (e.g., $10,000 in a single gaming day).

(d) Additionally, the Vendor’s Due Diligence and Compliance teams conduct a monthly
Enhanced Due Diligence process (“EDD”) to review play for potential fraud or AML concerns to
report to Hard Rock Digital for any management decision or action that may be necessary. Each
month, accounts are flagged for review, and AML Compliance personnel and the Vice President
of Regulatory Compliance review customer play along with relevant publicly available
information to share such information with Hard Rock Digital to determine whether additional
action is needed (e.g., request for a source of funds, filing of a SAR, etc.).

(e) As described above, wagering is monitored and tracked on a rolling basis. The Vendor’s
Risk and Trading team has algorithms in place to identify instances where a customer may be
attempting to structure wagers or otherwise avoid reporting requirements (e.g., two-way betting
or short odds wagering). The Risk and Trading team prepares monthly reports on such activity,
which are reviewed by Hard Rock Digital as part of their wider EDD review process.

(f) An ad hoc action tracker for behavior determined to be high risk is also maintained.
These incidents are reviewed immediately rather than at the end of the month.

(g) Hard Rock Digital shall monitor and report all suspicious activity related to Event
Wagering transactions. Should any suspicious activity related to Event Wagering be witnessed or
identified, a Suspicious Activity Report shall be submitted in accordance with Hard Rock
Digital’s Title 31 Bank Secrecy Act Anti-Money Laundering Program.

111.B.12 Responsible Marketing and Advertising Procedures

All marketing, advertising, and promotional materials will be reviewed by Hard Rock Digital’s
compliance team before release. The compliance team must ensure that each reviewed material is
compliant with the following:
• The material does not specifically appeal to persons under twenty-one (21) years of age.
• The material is not misleading and does not contain false information.
• The material does not promote irresponsible or excessive participation in event wagering,
or suggest that social, financial, or personal success is guaranteed by engaging in event
wagering.
• The material is not to appear at event venues where most of the audience at the events at
the venue is reasonably expected to be under twenty-one (21) years of age.
• Event wagering messages, including logos, trademarks, or brands, shall not be used, or
licensed for use, on clothing, toys, games, or game equipment intended primarily for
persons under twenty-one (21) years of age.
• The material shall not be promoted or advertised in college or university-owned news
assets or advertised on college or university campuses.

111.B.13 Problem Gambling

Method for securely implementing the self-exclusion program and other self-imposed
limitations.

(a) Procedures to prevent betting by prohibited Event Wagering Patrons

During account registration, Hard Rock Digital will verify that the Patron is eligible to wager
(e.g. over 21 and able to verify identity) and is not self-excluded from wagering with Hard Rock
Digital’s platform.

For Patrons that elect to self-exclude through the mobile application or website, their account
will be suspended immediately upon confirming the exclusion.

(b) Procedures for Self-Exclusion and Hard Rock Digital-imposed exclusion of Patrons

If a Patron self-excludes, or if Hard Rock Digital elects to exclude a Patron, the Patron will be
notified via email of this action and his/her account will immediately be suspended. Immediately
upon executing the Hard Rock Digital-imposed exclusion order and while in suspended status,
the Patron may not wager or deposit from the account. If the Patron wishes to withdraw his/her
account balance while the account is suspended, he/she may contact Customer Operations to
request a bank transfer via accounts. A check may also be processed and issued.

(c) Identifying and restricting Barred Persons

Hard Rock Digital’s PAM is designed to work with third-party KYC providers to prevent anyone
under the age of 21 from wagering, and to also block self-excluded customers from creating a
new wagering account.

With respect to otherwise prohibited participants, as noted above, Hard Rock Digital will process
the relevant Barred Persons lists within two business days of receipt and share such information
with its Vendor so that it may block users from wagering as required. Patrons that self-exclude
will have their accounts suspended immediately.

Additionally, appropriate personnel will also be able to access these lists for purposes of
preventing and suppressing marketing to any prohibited Event Wagering participants.

(d) Hard Rock Digital utilizes resources found in the PlayersEdge program. Resources found
in this program are as follows:

a. Access to the 1-800-NEXT-STEP helpline.
b. Access to the problemgambling.az.gov website.
c. Access to Self-Exclusion.

(e) Literature related to the PlayersEdge program will be displayed conspicuously on the
website and mobile application.

(f) Other Self-imposed limitations and wagering parameters include:

a. Deposit Limits: Allow a Patron to restrict the amount that they can deposit in a given
period. A Patron can have one limit set or all limits. As a customer deposits into their Hard Rock
Digital account each limit set will be tracked against and enforced based on a lowest first rule.

b. Wager Limits: Allow a Patron to restrict the amount in value of wagers they can place
over a given period. A Patron can have one limit set or all limits. As a Patron deposits and places
wagers into their account each limit set will be tracked against and enforced based on a lowest
first rule.

c. Session Limits: Allow a Patron to restrict the amount of time they will be logged in to the
app or Desktop site in any one session per day.

d. Timeout: Allows a Patron to close their account for a short period of time. We will allow
Patrons to log in to their account to let them withdraw funds and look at their history, but they
will not be able to wager or deposit new funds into their account. We will also suspend all
proactive marketing. If a Patron takes part in a promotion and has accumulated winnings or
awards, Patrons will be eligible for anything they have earned up until the point of timeout if the
promotion allows for this mechanic.

111.B.14 Responsible Gaming Training and Education

The site promotes information on risks, safe play habits, assistance, and referrals, including
information on responsible gambling policies and practices.

CONTROLS

• Hard Rock’s PlayersEdge education messages are directed to player segments based on risk
and experience profile.

• Messages are visible and accessible at various places on the site, and are directed to individual
players using account pages, email, texts and pop-up messages.

• Information addresses:
o Understanding individual player behavior
o Setting time and money limits
o Information about taking breaks and self-exclusion
o Obtaining help from Problem Gambling Help Line

• Advertising and marketing messages, where required, relevant and effective, contain a
PlayersEdge message.

Informed Decision-Making

Players shall be provided with meaningful and accurate information to enable them to make
informed choices, including:
• Rules of play
• Odds of winning, payout odds or returns to Patrons, displayed in a manner readily
understood by a client (e.g., the chance of winning).
• Notice related to progressive awards is provided describing the disposition of
accumulated progressive prizes prior to a progressive game being converted or removed

111.B.15 Identification, Notice, and Removal of Self-Excluded or Barred Persons

Hard Rock Digital’s PAM is designed to work with third-party KYC providers to prevent anyone
under the age of 21 from wagering, and to also block self-excluded customers from creating a
new wagering account.

With respect to otherwise prohibited participants, as noted above, Hard Rock Digital will process
the relevant Barred Persons lists within two business days of receipt and share such information
with its Vendor so that it may block users from wagering as required. Patrons who self-exclude
will have their accounts suspended immediately.

Additionally, appropriate personnel will also be able to access these lists for purposes of
preventing and suppressing marketing to any prohibited Event Wagering participants.

111.B.16 Selling tickets, cashing tickets, cancelling event wagers, voiding tickets, handling
lost tickets, and issuing tax or other required forms

Canceling Wagers

(a) The Director of Sportsbook Operations shall be permitted to authorize the
cancellation/voiding of wagers in the following circumstances:

a. Wagers placed on an event that cannot be completed in a way that satisfies the terms of
the wager;

b. Wagers placed on events that have been reported as having suspicious or fraudulent
wagering activity in accordance with Section R19-4-135;

c. Obvious trading errors such as inappropriate odds, lines, and market errors;

d. Wagers associated with a person who is prohibited under Section R19-4-149;

e. Any other wager which the Director of Sportsbook Operations has determined to be
contrary to the public policies of Hard Rock Digital;

(b) All cancellations/voids will be appropriately recorded on system generated reports.

(c) All cancelled wagers shall be recorded and logged and the transaction record shall include
the following at a minimum:

a. Ticket number or unique transaction identifier;
b. Date and time of issuance;
c. Event;
d. Wager description;
e. Bet amount;
f. Cashier name or identification number; and
g. Reason for void/cancellation.

(d) When an event is canceled, all wagers placed on that event are automatically cancelled.

(e) House Rules shall include the policy by which Hard Rock Digital can cancel wagers,
including defining "Obvious Error" (see 111.B.17).

W-2G Issuance
Any Patron wager which results in proceeds of $600.00 or more where the winnings are at least
300 times the amount of the wager will be subject to a W-2G report as required by the Hard Rock
Digital Tax Reporting Manual. Event Wagering Winnings are subject to tax reporting and tax
withholding by Hard Rock Digital only if they are at least 300 times the amount of the wager.

For bets which result in net proceeds greater than $5,000.00 where the winnings are at least 300
times the amount of the wager, Hard Rock Digital withholds 24% of the net proceeds and remits
such amount to the IRS. All Patrons whose wager is subject to W-2G reporting will be
cross-referenced against all available exclusion lists or Barred Persons lists as supplied by the
Department.

Debt Setoff

(a) If Hard Rock Digital is required to file a Form W-2G or a substantially similar form,
regardless of whether those winnings are claimed at a retail wagering area or on an event
wagering platform, Hard Rock Digital shall check to determine if the player has a past due,
setoff obligation.

(b) Hard Rock Digital shall withhold past due, setoff obligations from those winnings which
triggered the filing of a Form W-2G or a substantially similar form.

(c) The Department will supply Hard Rock Digital with the lists of outstanding obligations as
provided by the Arizona Department of Economic Security, Child Support Enforcement,
Supplemental Nutrition Assistance Program and Assistance Overpayment, the Arizona
Supreme Court, the Arizona Health Care Cost Containment System, and the Arizona
Department of Revenue (State tax debt) on a monthly basis.

(d) The outstanding obligation lists shall not be provided to any licensed supplier without the
written approval of the Department. Approval shall only be granted by the Department when
sharing of the list is deemed necessary to effectuate the terms of the Act and this Article.

(e) Hard Rock Digital shall provide a receipt to the Patron for any funds withheld for
outstanding obligations.

(f) Any funds withheld by Hard Rock Digital shall be remitted to the Department within seven
(7) days in a format provided by the Department.

111.B.17 Obvious Errors

(a) Hard Rock Digital shall authorize the cancellation/voiding of wagers in the following
circumstances:

a. Wagers placed on an event that cannot be completed in a way that satisfies the
terms of the wager;

b. Wagers placed on events that have been reported as having suspicious or
fraudulent wagering activity;

c. Obvious trading errors such as inappropriate odds, lines, and market errors;

d. Wagers associated with a person who is prohibited (See 111.B.27);

e. Any other wager which Hard Rock Digital Management or its designee has
determined to be contrary to the public policies of Hard Rock Digital;

(b) All cancellations/voids will be appropriately recorded on system generated reports.

(c) All cancelled wagers shall be recorded and logged and the transaction record shall
include the following at a minimum:

a. Ticket number or unique transaction identifier;
b. Date and time of issuance;
c. Event;
d. Wager description;
e. Bet amount;
f. Cashier name or identification number; and
g. Reason for void/cancellation.

(d) When an event is canceled, all wagers placed on that event are automatically cancelled.

(e) House Rules shall include the policy by which Hard Rock Digital can cancel wagers,
including defining "Obvious Error".

111.B.18 Setting and Moving Lines

Most of Hard Rock Digital’s sports content will be provided via third-party trading feeds into the
Event Wagering platform. All price management will be done through the third-party trading
feeds. The models/feeds are controlled by the feed providers. If and when required, manual price
changes can be made on the platform.

Hard Rock Digital will utilize odds that are set by in-house odds-makers who create prices based
on statistical and historical performances, or by third-party suppliers who provide odds.

Manual odds will be based on general market consensus pricing accompanied by any underlying
algorithmic or analytic information received from third party providers. Lines will be moved to
remain in consensus with the market or reactively to betting activity.

111.B.19 Reconciliation of Assets

RESERVED - RETAIL

111.B.20 Verification of Player Identification

Hard Rock Digital uses Lexis-Nexis for initial KYC screening and account creation where the
customer’s name, address, date-of-birth, and Social Security Number are verified. Customers
who fail the Lexis-Nexis verification proceed to the Socure platform which requires the
verification of photo-identification and sanctions screening. Customers who fail the Socure
verification are passed to customer service personnel for manual verification. Hard Rock Digital
will use the Accertify platform to continuously screen customers’ activity for red-flags that may
indicate fraud or money laundering. Some of these triggers are unusual activities related to
transaction velocity, multiple deposit methods, and merchant high-risk response codes. Hard
Rock Digital also uses GeoComply for geofencing and GeoComply’s investigative tool Kibana
to enhance fraud identification and investigation relating to the attempted creation of multiple
accounts on the same electronic device. Finally, in addition to using the anti-fraud controls
available through Hard Rock Digital financial vendors Braintree and Mazooma, Hard Rock
Digital uses enhanced machine learning or Artificial Intelligence to identify indicators of fraud at
customer account creation, deposit, and withdrawal, and has also implemented Application
Programming Interface “BOT” detection at the computer Server level.

111.B.21 Promotional/Bonus Credit for Event Wagers

Promotions and bonuses are set up by Hard Rock Digital’s promotions team using the Amelco
back-office tool. The promotions team determines timeframes and bet requirements for players to
qualify for each promotion or bonus credit. The Amelco system determines when a player
qualifies for a credit and applies the credit to the qualifying player’s account. The promotions
team activates and deactivates promotion and bonus opportunities at its discretion using the
Amelco back-office tool.

111.B.22 Patron Disputes

(a) Whenever Hard Rock Digital refuses payment of alleged winnings to a Patron or there is
otherwise a dispute with a Patron regarding their player account, wagers, wins, or losses from
event wagering, and Hard Rock Digital and the Patron are unable to resolve the dispute to the
satisfaction of the Patron, Hard Rock Digital shall notify the Patron of their right to file a
written complaint. The notice shall include the procedure for filing a written complaint and
the responsible party’s complaint resolution process.

(b) Upon receipt of a complaint, Hard Rock Digital shall investigate and provide a written
response to the Patron within ten (10) days. The response shall include a statement that if the
dispute is not resolved to the satisfaction of the Patron, the Patron may submit their
complaint in writing to the Department.

1. If the Department receives a written complaint from a Patron with regard to an
unresolved Patron dispute, the Department shall contact Hard Rock Digital and Hard
Rock Digital shall provide to the Department a written response and any additional
documentation relating to the Patron’s complaint.

2. The Department, in its sole discretion, may investigate the dispute and reach a final
decision which may include a requirement for appropriate corrective action.

3. The Department shall provide a written response to Hard Rock Digital and the Patron
of the results of its investigation and the corrective action it directs, if any, within five
(5) days of the completion of its investigation.

111.B.23 Player Account Management

Security of Patron identity and financial information

Hard Rock Digital will create and maintain an electronic Patron file containing the information
the Patron submitted to establish the Event Wagering Account.

There are two levels of encryption in place.

1. Hardware encryption:

a. All data storage is symmetrically encrypted at rest.

2. Database encryption:

a. Sensitive fields are symmetrically encrypted and the keys are managed using
AWS Key Management Service.

b. Password fields are asymmetrical salted hashes generated with bcrypt.

c. Currently, the Event Wagering System does not support storing of automated
clearing house (“ACH”) details, as the flow allows Patrons to log into their bank
via an overlay, but if/when this is implemented the details will be stored within a
third-party PCI vault by Hard Rock Digital’s ACH vendor.

Method for securely issuing, modifying, and resetting a Patron’s password

Users can reset their passwords in two (2) places: (1) the login screen, or (2) the Account section
after being logged in.
Passwords must be eight (8) characters, and include one (1) special character, one (1) number,
and one (1) uppercase letter at a minimum.

Forgot Password:

1. The user clicks “Forgot Password” on the sign in screen

2. The user will receive an e-mail with a unique link to reset their password
3. The user clicks the link and will be taken to a standalone web page
4. The user must enter a new password twice, following the same password requirements as
sign up
5. The user clicks “update password” to complete this flow
6. The user will not receive a confirmation e-mail when this action takes place
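
The Forgot Password steps above, sketched as an added example (not Hard Rock Digital's or its Vendor's code): issue the unique link token, keep only its digest, and accept it once if the new password meets the stated requirements. The 15-minute lifetime, single-use and replace-on-reissue behaviour, digest-only storage, and the names `ResetTokenStore`, `issue` and `redeem` are assumptions; the page specifies only a unique e-mailed link and the password rule.

```python
import hashlib
import re
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumption: the page does not state a link lifetime


def password_meets_policy(password: str) -> bool:
    """Page's rule: minimum 8 characters, one special, one number, one uppercase."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        # "special" is taken here to mean any non-alphanumeric, non-space character
        and re.search(r"[^A-Za-z0-9\s]", password) is not None
    )


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for the table behind the e-mailed link."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.pending = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def digest(token: str) -> str:
        # Only the digest is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        """Step 2: create the unique link token; a new request replaces older ones."""
        self.pending = {d: e for d, e in self.pending.items() if e[0] != account_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self.digest(token)] = (account_id, self.clock() + self.ttl)
        return token

    def redeem(self, token: str, new_password: str, confirmation: str) -> str:
        """Steps 3-5: return the account to update, or raise ValueError."""
        key = self.digest(token)
        entry = self.pending.get(key)
        if entry is None:
            raise ValueError("unknown or already used link")
        account_id, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[key]
            raise ValueError("link expired")
        if new_password != confirmation:
            raise ValueError("passwords do not match")
        if not password_meets_policy(new_password):
            # The link stays valid so the user can retry with a compliant password.
            raise ValueError("password does not meet policy")
        del self.pending[key]  # single use: the link dies with the first success
        return account_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("patron-1001")  # constructed account id
    print(store.redeem(link_token, "Wager#2024", "Wager#2024"))
```
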

Change Password:

1. A logged-in user can go to Account > Settings > Change Password to update their password
2. They must enter their current password and new password twice, following the same
password requirements as sign up
3. The user clicks “Confirm new password” to complete this flow
4. The user receives a confirmation e-mail that the password has changed

Hard Rock Digital Vendor Agent Password Update

1. Agent can log into Back office
2. Agent navigates to Account and searches for the user’s account
3. Click “Change Password” under “User Conditions”
4. Enter a password following the same password requirements as sign up and click “Ok”
5. The user will not receive a confirmation e-mail when this action takes place

Transactional E-Mails

Methods of Patron notification and identification for security modifications

Overview: Certain behaviors in the app will trigger an e-mail to the user each time they occur.
The actions below will trigger an e-mail:

Action                     Description
Welcome                    This is sent when a user completes the KYC process to sign up for the first time
Deposit Completion         This is sent when a user deposits funds into their account successfully
Timeout Period             This is sent when a user chooses a timeout under the account section of the app
Account Self-Excluded      This is sent when a user chooses to self-exclude under the account section of the app
Withdrawal Notification    This is sent when a user requests a withdrawal
Forgot Password            This is sent when a user clicks “Forgot Password” on the login page
Password Changed           This is sent when a user changes their password in the account section of the app

111.B.24 Internal Audit

Internal audit functions will be handled by Hard Rock Digital’s compliance team and a third-
party auditor. Hard Rock Digital’s audit plan is attached.

111.B.25 Event Wagering Records

Hard Rock Digital’s Event Wagering System maintains a detailed record of all wagering
transactions.

111.B.26 Disposition of Claims

If a claim is brought against Hard Rock Digital that falls under 111.B.26, Hard Rock Digital will
follow the procedures required by the relevant insurance policy. Hard Rock Digital’s relevant
insurance policies may be made available to the Department upon request.

111.B.27 Prohibited Participants

A combination of manual and automated controls will be used to identify and prevent persons
under the age of 21, and those that have been restricted in accordance with Section 13 (Problem
Gaming), from participating in sportsbook wagering.
The identification of Barred Persons relies on the creation and maintenance of restricted lists in
accordance with Section 13. A separate list will be maintained detailing individuals considered
Covered Employees of Hard Rock Digital’s Event Wagering operation. These lists will be used to
identify and prevent restricted persons from participating in Event Wagering.
