KYC Requirements for iGaming in Brazil 2025

With a population exceeding 210 million, Brazil stands as the largest country in South America, representing a significant potential customer base. As such, Brazil's gambling market represents one of the largest untapped opportunities globally, promising significant growth potential for providers. Historically, Brazilian authorities enforced strict regulations on gambling, allowing only limited forms such as lotteries and horse racing.

In 2024, the Brazilian government is updating its gambling laws. They recognise the changing global environment around online gambling and see the economic benefits, like possible tax revenue increases.

This new set of rules aims to create a safe and responsible gambling market. International operators who want to join this growing sector expect to attract significant investment. Key areas of the regulatory framework will include licensing, consumer protection, taxation, and anti-money laundering (AML) measures. It also addresses advertising standards and technology requirements. Customer KYC will be a key part of these regulations.

Opportunities For iGaming in Brazil

The iGaming market in Brazil is bound to be dynamic, with lots of potential for growth. A key reason for this is the greater availability and lower cost of high-speed internet and smartphones. This has improved online participation across Central and South America and serves as a solid foundation for any online business planning to enter the market.

Furthermore, there are positive developments in the regulatory landscape. Latin America has over 34 countries and territories. This creates a mix of different legal systems. As regulations in Brazil continue to evolve and markets gradually open up, iGaming operators that comply with KYC (Know Your Customer) protocols and offer safe, engaging experiences are more likely to find success.

Brazil is a major market opportunity, mainly because of three reasons:

• Internet penetration: The solid internet penetration rate of around 80% both in terms of fixed broadband and mobile enhances the reach of online gambling platforms.
• Growing middle class: Despite facing recent economic challenges, Brazil’s expanding middle class possesses disposable income that can be allocated towards entertainment, including iGaming.
• New licensing: Recently introduced licensing laws aim to bring online gambling out of the grey market and transform it into a properly regulated industry.

New Licensing Rules for Brazil’s Betting Operators

Normative Ordinance 827, published in Brazil’s Official Diary of the Union on May 21, outlines the requirements for obtaining sports betting and gaming licenses in the country.

The ordinance provides an "adjustment period”, allowing gaming operators until December 31, 2024, to comply with the new regulations. Applications submitted within 90 days of its release will receive priority in the review process.

Anyone who fails to obtain a license by the deadline will face penalties beginning on January 1, 2025.

Local Ownership Rule for Betting Licenses

Applicants for a license must be based in Brazil. Foreign companies are still eligible, but they must establish a local subsidiary, with at least 20% of its share capital owned by a Brazilian.

The specifics of how this requirement will work in practice are still uncertain, leaving operators with unanswered questions. One lawyer expressed disappointment at the lack of clarity and hoped for further guidance from the Ministry.

An operator must set up this structure before applying for a license. Any mergers, splits, or changes in control will lead to a review by the Secretariat of Prizes and Bets (SPA).

Certification and Data Centre Requirements for Operators

The Ministry of Finance has announced that certain exceptions will enable data centres to locate outside Brazil. Operators must have their betting systems technically certified, as required by Ordinance 722, issued on 3 May, 2024.

The ordinance also allows offshore data centres, provided they are in countries with a legal cooperation agreement with Brazil, ensuring the SPA has easy access to their data. This agreement must cover civil and criminal matters.

To allow data centres outside the country, certain conditions must be met. The host country must have a legal cooperation agreement with Brazil that covers civil and criminal matters. Data holders abroad must authorise data transfers in advance, and the finance ministry's technical team must have secure, unrestricted access to this data.

The operating agent is also responsible for replicating the database within Brazil. They must keep all databases synchronised by performing regular updates and periodic tests to ensure consistency across all information.

While companies like Gaming Laboratories International (GLI) are certified to conduct testing, the large number of applicants could cause delays. In January, 134 local and international operators expressed interest in the licensing process.

KYC Requirements in Brazil (Know Your Player)

The new KYC rules in Brazil aim to improve security. These rules help make verification easier. They also work to stop financial crimes like fraud and money laundering. Here’s an overview of the core technical components expected for compliance:

1. Identity Verification through CPF and Biometric Data

• CPF Verification: Businesses must verify customers’ identities using the Cadastro de Pessoas Físicas (CPF), which is a unique Brazilian taxpayer identification number. This involves cross-checking the CPF number with government databases to confirm the individual’s identity .
• Biometric Verification: Facial recognition technology is required to complement CPF checks. This involves capturing and matching facial biometric data against the registered image in the CPF database. Additional biometric checks happen at least every seven days. They ensure that the person using the service is the same as the registered account holder.

2. Document Authentication

• Companies are required to validate customer-provided identification documents such as passports or IDs. This validation process often uses AI technology to recognise documents. It checks for security features like watermarks or holograms and also matches the information with the CPF database. These checks help to verify the document’s authenticity and ensure it hasn’t been tampered with.

3. Multi-Factor Authentication (MFA)

• To access sensitive accounts, companies must use multi-factor authentication (MFA) This may include biometric factors, like facial recognition, or other methods, such as one-time passwords (OTPs). MFA improves security when recovering accounts. It also can re-authenticate users after they have been inactive for 30 minutes or more.

4. Geolocation Tracking

• Businesses must track the locations of their customers. This helps prevent unauthorized access. It also ensures that users are in Brazil when they use services.
• Geolocation verification must occur at regular intervals, typically every 30 minutes, to detect potential fraud and restrict access during suspicious activities, such as location spoofing attempts.

5. Ongoing Monitoring and AML Compliance

• Organisations must establish and continuously update customer risk profiles based on transaction patterns and behaviour. This includes detecting unusual activities, such as rapid fund transfers or attempts to withdraw funds without gameplay. Suspicious activities must be reported to the Financial Activities Control Council (COAF) in Brazil.
• Anti-money laundering (AML) rules require operators to check for politically exposed persons (PEPs) and high-risk countries. They must also watch for other signs of financial crime. Organisations may use advanced technologies like AI to automate monitoring processes. This helps ensure quick detection and compliance with AML requirements.  

6. Data Privacy and Security

• Organizations must follow Brazil’s data privacy laws when handling sensitive biometric and financial data. These laws include measures to protect against data breaches and unauthorized access. This means ensuring that systems with KYC data use encryption for protection. Only authorized personnel should be able to access this data.

7. Address Verification

• The following documents are accepted in Brazil as valid proof of address:
  • A current utility bill (such as gas, electricity, telephone, or mobile phone bill) issued within the last three months, displaying the end-user’s name and address.
  • A bank statement issued within the last three months, clearly showing the end-user’s name and address.
  • A document from a government department that includes the end-user’s name and address.
• You can also enhance the proof of address process by cross-verifying the address with official government records.

End-to-end KYC Verification

To help iGaming operators follow these rules, we have analysed the requirements and created a suggested processes to comply with the KYC requirements. This strategy includes steps to prevent fraud and bonus abuse. It focuses on Brazil's regulated sports betting and iGaming market.

For player onboarding in Brazil, a comprehensive approach to KYC is necessary, which encompasses identity data verification, secure identity document validation, and biometric authentication.

Identity Verification and CPF Fraud Prevention in Brazil

Seamless identity checks serve as a starting point for KYC in Brazil. Identity and age verification match the personal information provided during online registration with trusted sources. This helps you confirm that the user’s information is real and can be verified.

Here is a key list of player personal identity information that operators should collect in Brazil:

• CPF number
• Full name
• Date of birth
• Address
• Email address

Verifying data against trusted national government sources is an effective strategy for CPF-based KYC checks.

Operators in Brazil should be aware of a developed underground market for stolen CPF numbers. These numbers are widely available, making it essential to verify them and protect against CPF number fraud. It is essential to incorporate ID verification along with facial recognition for enhanced security.

Screening and monitoring players in Brazil

Licensed operators in Brazil must screen high-risk players. This includes people banned from having gaming accounts and those who are financially vulnerable. These individuals do not meet affordability standards.

To follow the regulatory framework, the AML guidelines, operators must check for PEPs, sanctioned people, and names on Brazil’s player exclusion list. This list includes operator employees and public officials who work in iGaming and sports betting regulation. It also includes people who can influence sports events, like referees, sports agents, athletes, and coaches.

How ZignSec can help

Brazil's gambling regulations are currently in the early stages, resulting in a landscape where compliance requirements may change. ZignSec is equipped to manage KYC (Know Your Customer) and AML (Anti-Money Laundering) processes efficiently. We integrate KYC checks with exclusion lists and affordability data relevant to Brazil, while also compiling various government records, security systems, credit information, and mobile data. Additionally, we verify CPF numbers against Brazil's Receita Federal (Tax Registry). This comprehensive approach aids in protecting players and ensures that your business remains compliant with regulations. At the end of November, we’ll provide you with a project outlining how to implement a KYC process and the key requirements you’ll need to meet.

‍