In Brazil’s newly regulated online gambling market, AML is not just a checkbox in online gambling regulations. It is an important foundation for earning public trust. Brazil is implementing new sector-specific AML requirements to ensure responsible growth. As part of Brazil’s Ministry of Finance, the Secretariat of Prizes and Bets (SPA) is taking a proactive role in shaping Brazil gambling regulations and establishing clear standards for a transparent industry.
Key Points:
- The legalization of Brazil’s iGaming market includes stricter online gambling regulations.
- There are three major focuses for operators, namely AML, CTF and PLD/FTP.
- The SPA has also outlined a set of robust AML and KYC requirements to verify player identity and ensure compliance with relevant regulations.
- Data centers and servers now have specific requirements to keep them secure and compliant with Brazilian gambling regulations.
For betting operators, the message is loud and clear. You need to have strong systems in place to prevent financial crime. Brazil’s gambling regulator, the Secretariat of Prizes and Bets (SPA), is raising the bar on compliance. Betting operators must now have robust policies in place for three key aspects:
- Anti-Money Laundering (AML)
- Counter-Terrorism Financing (CTF)
- Preventing the proliferation of weapons of mass destruction (PLD/FTP).
Compliance is about building a culture that runs through the entire organization. These rules require you to assess the risk level of every customer when they register and to apply the same checks to employees and suppliers.
AML Rules Under Brazil’s Federal Online Gambling License
The SPA enforces AML and KYC obligations rooted in federal AML legislation and COAF standards. Through Ordinance No. 1,143/2024, the SPA translates these national rules into sector-specific procedures that operators must implement as part of their licensing and oversight.
Licensed operators must follow a strict AML/CTF framework, which is established under federal law and COAF rules and enforced by the SPA through sector-specific ordinances, to prevent money laundering, terrorism financing and the proliferation of weapons of mass destruction. This involves:
- Registering with the Council for Financial Activities Control (COAF)
- Implementing clear internal policies
- Conducting annual risk assessments.
In addition, Law No. 14,790/2023 states that the authorization to operate fixed-odds betting is conditioned upon the implementation of strict policies aimed at preventing Money Laundering (AML), the Financing of Terrorism (FT) and the Proliferation of Weapons of Mass Destruction (PLD/FTP). SPA/MF Ordinance No. 1,143/2024 mandates the policies, procedures and internal controls for these three aspects. A few key points to note are as follows:
- Annual internal assessment to identify risks for AML & FTP
- Records and documents must be kept for at least 5 years
- Designated responsible person for Integrity and Compliance
- Annual report to be submitted to the SPA
- Providing regular training on the prevention of money laundering and terrorism financing (AML/FTP) and other related crimes
KYC Standards at the Core of Brazil Gambling Regulations
Brazil’s iGaming regulations set a high standard for security and player protection. Strict Know Your Customer (KYC) procedures require bettors to verify their identity using their Individual Taxpayer Registration (CPF) number and facial recognition technology upon signup.
Operators must go further by rating players according to their risk profile. You will need to prevent prohibited individuals, such as minors, from registering. Don’t forget that electronic payments must flow through institutions authorized by the Central Bank of Brazil. Credit cards, cash and cryptocurrencies are completely off the table.
Furthermore, licensed operators must submit detailed AML and CTF policies. Reporting suspicious transactions and screening for Politically Exposed Persons (PEPs) are also required.
What is Customer Due Diligence (CDD)?
CDD is a part of the KYC process. It requires betting operators to gather necessary customer information in line with Brazil’s federal AML legislation, COAF requirements and SPA Ordinance No. 1,143/2024. The ordinance highlights a few points to pay attention to:
- Identification and Validation: Identity must be verified and validated upon registration.
- PEP Screening: Operators must verify if the bettor is a Politically Exposed Person (PEP) or a close associate, following the rules issued in this regard by COAF.
- Risk Classification: Bettors must be classified into risk categories defined in the internal risk assessment.
Technical Compliance Requirements for the Brazil Betting License
The Brazilian government is now trying to shape its fast-growing gambling industry with an increasingly rigorous regulatory framework. As Brazil builds out its regulated gambling market, the focus is expanding beyond AML and KYC obligations.
Regulators are now placing equal weight on technical compliance, introducing strict standards for system integrity, data protection and operational security.
Federal licenses require not only robust AML controls and mandatory KYC checks with facial recognition but also adherence to data center rules mandating local hosting in Brazil and ISO 27001-certified infrastructure.
The regulatory discussion also reflects wider social concerns. Despite ongoing complexities, the industry is striving to balance its growth with a safer and more accountable betting ecosystem.
IT Security and Technical Controls for the Federal License
First and foremost, the betting system, including the sports betting platform and online gaming platform, must be certified by a recognized certifying entity, as stated in the SPA/MF Ordinance No. 722/2024.
The certifying entity has to be recognized by the SPA, for example, Gaming Laboratories International LLC, Trisigma BV, Quinel Limited, eCOGRA Limited and BMM North America Inc.
Operators must revalidate the certification assessment reports annually and whenever there are changes to critical components. Operators should also have designated a director for the operational security of the betting system at the application stage.
Data Protection and Maintaining Data Integrity
Operators are required to maintain their betting systems and related data in data centers located within Brazil, as set out in Normative Ordinance No. 722/2024. There is some flexibility if systems and data are hosted abroad in a country that has a joint civil and criminal International Legal Cooperation Agreement with Brazil. You must also meet all the cumulative conditions outlined in the ordinance.
As mandated in the aforementioned ordinance, all recorded data must be maintained and backed up for a minimum of five years. Data must be stored redundantly to prevent loss in case of component failure. Operators must also adopt a business continuity policy and a disaster recovery plan and ensure all systems are supported by an uninterruptible power supply to allow safe shutdown and data retention during power loss.
Data Center and Server Requirements for Operators
The data centers that host betting systems must hold ISO 27001 certification. Servers hosting betting systems must also be housed in secure facilities equipped with surveillance systems, and they must be protected against alteration, tampering or unauthorized access.
Network and Communications Security Standards
For licensed operators, there is a specific domain requirement. Fixed-odds betting sites must exclusively use the “.bet.br” domain registration. Domain Name System Security Extensions (DNSSEC) are also mandatory for the domain registration.
Furthermore, all critical communication data and sensitive information must also be encrypted and protected. In order to prevent attacks such as Distributed Denial of Service (DDoS), an Intrusion Detection/Prevention System (IDS/IPS) is required, and communications must pass through at least one approved application-level firewall.
Ensuring Fairness in Online Games and Live Studios
The SPA has also imposed measures to ensure fairness in online casino games and live studios. Firstly, all online game results must be determined by a Random Number Generator (RNG). Secondly, live game studios must operate under physical security controls. A continuous surveillance and recording system must also run during live games, and recordings are to be maintained for at least 90 days.
Key Personnel Roles Required Under SPA Rules
According to SPA/MF Ordinance No. 827/2024, an administrator is a person who holds a management position (director or equivalent) or is a member of the board of directors of the applicant company. When submitting your application, you will need to name specific individuals responsible for the areas below:
1. Relationship with the Ministry of Finance
2. Customer Service and Ombudsman
3. Accounting and Finance
4. Integrity and Compliance
5. Personal Data Processing and Data Security
6. Operational Security of the Betting System
Per the same ordinance, the people responsible for areas 1 to 4 must hold the title of director (or equivalent).
On the other hand, the SPA does not allow dual roles for people responsible for areas 2 to 6. In principle, you will need:
- 1 director – Accounting & Finance
- 1 director – Integrity & Compliance
- 1 director – Customer Service & Ombudsman
- 1 director – Liaison with the Ministry of Finance (can be one of the above)
- 1 person – data protection (DPO-type role)
- 1 person – betting system operational security
Enforcement Powers Shaping Brazil Gambling Regulations
Brazil’s new betting framework gives regulators broad authority to supervise, audit and penalize licensed operators, if necessary. Multiple government bodies share oversight, with each playing a distinct role in maintaining market integrity, consumer protection and AML compliance.
Operators must follow rules covering licensing, taxes, advertising and data protection. Several government bodies are involved in enforcing these requirements. Together, they shape how betting companies can operate in Brazil.
The Ministry of Finance
The Ministry of Finance serves as the central governmental body responsible for regulating fixed-odds betting operators in Brazil. The Secretariat of Prizes and Bets (SPA), a department of the Ministry of Finance, is Brazil’s federal gambling regulator. It was established by Law No. 14,790/2023 in December 2023. Also known as “Lei das Apostas” or “Betting Law,” the law regulates the iGaming market nationwide, including fixed-odds betting, virtual casino-style games and lottery.
The Ministry of Sport (MESP)
MESP is the governmental body responsible for defining, maintaining and updating the list of specific sports modalities and entities eligible to be the subject of fixed-quota bets in real sporting events.
MESP carries out this responsibility mainly through MESP Ordinance No. 125/2024, which clearly names the sports that can be bet on and prohibits betting on categories or events exclusively involving young athletes.
Furthermore, MESP plays a crucial role in the overall regulatory ecosystem by confirming its approval after the SPA’s review of a federal license application, before authorization is granted. It assists the SPA in ensuring the integrity of sporting events.
Special Secretariat of the Federal Revenue of Brazil (RFB)
The Special Secretariat of the Federal Revenue of Brazil (RFB) is centrally responsible for administering federal taxes and the Active Debt of the Union, including establishing collection codes.
From the fixed-odds betting lotteries perspective, the RFB has the authority to audit operations to ensure they comply with tax obligations, regardless of any license or authorization issued by the SPA.
Council for Financial Activities Control (COAF)
The COAF is the central authority for monitoring and analyzing operations to prevent money laundering (AML), terrorism financing (FTP) and the proliferation of weapons of mass destruction (PLD/FTP) in betting operations.
As stated in SPA/MF Ordinance No. 1,143/2024, operators must develop internal procedures to detect and communicate suspicious activity to the COAF via the Sistema de Controle de Atividades Financeiras (Siscoaf). The council also defines compliance standards, for instance, the criteria for identifying PEPs, as mentioned in the above KYC section.
Central Bank of Brazil (BCB)
The Central Bank disciplines payment arrangements to prevent transactions intended for unauthorized operators. Moreover, it grants authorization to financial institutions and payment providers to manage monetary operations. While cryptocurrencies are not accepted in gambling payments, the Central Bank also supervises virtual asset service providers (VASPs).
State-Level Authorities
A federal license from the SPA allows operators to offer fixed-odds betting services across the country, with an application fee of BRL 30 million for 5 years.
Some operators have chosen to apply for state-level licenses, such as those issued by LOTERJ in Rio de Janeiro, where the authorization fee is BRL 5 million. However, these state licenses restrict operations to their respective jurisdictions, and their validity outside those states remains under legal and regulatory discussion.
Consumer Protection Bodies
As licensed operators, you will need to pay attention to customer relationships, as all bettors are assured basic rights under the Consumer Defense Code (Law No. 8,078/1990). Licensed operators must structure a specific channel to address demands originating from the public bodies that are part of the National Consumer Defense System (SNDC).
SNDC includes the National Consumer Secretariat (SENACON), which sets national policy. On the other hand, the local Consumer Protection and Defense Programs (PROCON) handle day-to-day complaints.
These agencies step in to oversee disputes as well as ensure promotional transparency and adherence to advertising standards. They are also responsible for enforcing responsible gambling tools, such as mandatory limits, pauses and self-exclusion.
Conselho Nacional de Autorregulamentação Publicitária (CONAR)
CONAR, a.k.a. the National Advertising Self-Regulation Council, establishes additional restrictions and guidelines with which companies voluntarily comply. It also issues specific recommendations regarding communication, publicity and marketing activities.
In particular, CONAR published Annex X to its Advertising Code to ensure betting advertisements are responsible, focusing particularly on the necessity of protecting children, adolescents and other vulnerable persons.
Agência Nacional de Telecomunicações (ANATEL)
ANATEL is responsible for regulating Internet service providers and telecommunications. It cooperates with the SPA to act against unauthorized betting activities.
When the SPA identifies betting websites run by unlicensed operators, ANATEL has the authority to block the illegal websites upon the SPA’s instruction.
Autoridade Nacional de Proteção de Dados (ANPD)
The ANPD, a.k.a. the National Data Protection Authority, oversees compliance with Brazil’s General Data Protection Law (LGPD), ensuring gambling operators handle user data responsibly.
It enacts requirements around user consent, data security and breach reporting. Licensed operators must comply with ANPD standards when processing personal data or risk fines and other penalties. This covers information such as player registration (KYC), payment and banking details as well as responsible gambling records.
How CPI Investigations Influence Industry Compliance
CPI in Brazil stands for Parliamentary Inquiry Commissions. For example, the betting CPI was established to investigate the growing influence of online gambling on Brazilian families’ financial spending.
The investigations have been shaping industry practices as they drive debates for stricter Brazil gambling regulations. Key issues such as misleading influencer advertising and money laundering were covered. The CPIs indeed increased pressure on operators for compliance.
How to Stay Compliant with Brazil Gambling Regulations
As a potential applicant or a licensed operator, it is also important to stay updated with the latest news of the licensing framework. The Ministry of Finance website is an excellent resource for keeping yourself informed on Brazil gambling regulations. The ministry provides regular updates on aspects such as legislation and authorized certification bodies.