Brazil’s new regulations for the online gambling market impose strict compliance requirements, covering areas such as anti–money laundering, customer verification, and technical standards. Operators must pay close attention to these rules to avoid regulatory pitfalls. Detailed reports on these topics can be found on the PASA official website, which helps stakeholders better understand the latest developments.

Anti–Money Laundering (AML) and KYC Requirements
According to Brazil’s federal legislation and the regulations issued by SPA, operators must implement stringent anti–money laundering and counter-terrorism financing measures. These include conducting annual risk assessments, maintaining records for at least five years, and appointing a dedicated compliance officer.
For KYC, users must verify their identity during registration using a taxpayer identification number and facial recognition. Operators are also required to conduct risk profiling of players, prohibit participation by minors, and ensure that payments are processed only through institutions authorized by the Central Bank. Credit cards and cryptocurrencies are not permitted.
Technical Compliance and Data Security
Data centers and servers must be located within Brazil and must be certified under ISO 27001. Data backups must be retained for a minimum of five years. Network communications must be encrypted, and operators are required to use the “.bet.br” domain. Intrusion detection systems and firewalls must be deployed to ensure cybersecurity.
Game outcomes must be determined by certified random number generators, and live-streaming studios must maintain continuous video monitoring with recordings kept for more than 90 days. These measures are designed to safeguard fairness and operational integrity.
Key Regulatory Bodies and Their Responsibilities
SPA serves as the primary regulatory authority responsible for issuing federal licenses and overseeing daily operations. The Ministry of Finance, Ministry of Sports, COAF, and the Central Bank each play specific roles, including taxation, sports integrity monitoring, AML oversight, and payment regulation.
Consumer protection agencies and the national data protection authority also participate by ensuring advertising transparency and data security and by handling user complaints.
Compliance Practices and Recommendations
Operators should regularly update internal policies, conduct staff training, and closely track regulatory developments, for example by consulting updates from the Ministry of Finance. Maintaining active communication with regulatory bodies and establishing robust emergency response and business continuity plans are strongly recommended. These measures are essential for steady, compliant operations in this rapidly evolving market, and they minimize the risk of penalties.