Sports Betting

The Latest on Identity Verification and Regulated Sports Betting in Brazil

January 20, 2023
May 8, 2024
Table of Content

Sports betting in Brazil has been undergoing a much-anticipated regulatory process, as the country seeks to formally regulate gambling. As part of this process, the Secretary of Prizes and Bets of the Ministry of Finance (SPA/MF) published a new Ordinance – SPA/MF nº 722/2024 of 2/5/2024 – with new guidelines for verifying the identity of bettors for companies that want to operate gambling platforms in Brazil.

What is SPA/MF Ordinance No. 722/2024?

SPA/MF Ordinance No. 722/2024 establishes the technical and security requirements that must be observed by future operators in the sports betting segment in Brazil in their systems and platforms, and aims to provide more security to Brazilian citizens who place bets.

It is a comprehensive document, and the full version is accessible via this link. In this post, we will present a summary of the main aspects of the ordinance, focusing especially on the identity verification of bettors.

Data centers must be located in Brazil

Operating agents must maintain their betting system and the respective data in data centers located in Brazilian territory.

There is an exception to this rule, however. Systems and data may be located outside Brazil, as long as they conform to the following criteria: they must be in countries that have an International Legal Cooperation Agreement with Brazil in civil and criminal matters jointly, and they must comply with the statutes of the General Data Protection Law (LGPD) 

Furthermore, the operating agent must, at any time, grant full access to the betting systems to the inspection units and agents of the Prizes and Betting Secretariat of the Brazilian Ministry of Finance.

Identity must be verified before account activation

The bettor's information must be collected and verified by the operator before registering and, at this stage of account registration, at least the following requirements must be met:

  • Only bettors over the age of eighteen can register; anyone who provides a date of birth that indicates they are a minor will have their account registration request denied;
  • Any person who provides information that differs from their official documents must be denied account registration;
  • Identity verification must include CPF validity and facial recognition and be carried out before a bettor has a registered account;
  • Verification that the bettor is not on any exclusion list or prohibited from establishing or maintaining an account is carried out;
  • The bettor has agreed to the privacy policies and terms and conditions for placing bets;
  • The bettor is aware that third party access to his account is prohibited;
  • The bettor has authorized the monitoring and recording of his data by the operating agent and by SPA/MF;
  • The bettor's account registration is complete;
  • A bettor can only have a single active account at a time in the betting system of each brand with operating authorization; It is
  • The system must allow the updating of passwords or other authentication credentials, registration information and bank accounts used for financial transactions for each bettor, subject to facial recognition.

Access to the betting system must be authenticated

The betting platform must authenticate access by any bettor registered in the system using a username and password combination or via biometrics. If the system does not recognize the username and/or password when entered, an explanatory message must be displayed to the bettor, asking him to re-enter the information.

In cases where the bettor forgets his username and/or password, the system must offer a multi-factor authentication process to recover or reset the username and/or password, one of the factors being facial recognition.

If any suspicious activity is detected, such as multiple unsuccessful access attempts, the betting system must block the respective account. In this case, for the account to be unlocked, a multifactor authentication process must be carried out, one of which is facial recognition.

30 minutes of inactivity requires re-authentication

The betting system must require a new authentication process from the bettor after a period of 30 minutes of inactivity on a device, with no bet or financial transaction being allowed until the bettor is authenticated again.

The betting system may offer, as a form of new authentication on the same device, access via biometrics, which must be tested by the certifying entity authorized by SPA/MF.

The ordinance also stipulates that the betting system must require multifactor authentication from the bettor at least once every seven days; or upon first access after a period of inactivity exceeding seven days.

Operators need to implement geolocation

The betting system must detect the use of programs that have the ability to bypass detection of the bettor's location, such as remote desktop software, rootkits, virtualization and any other programs, and block attempted location data fraud before completion of each bet.

For example: the betting system must monitor and prevent bets placed by a single betting account from geographically incompatible locations, such as identifying locations where bets were placed that would be impossible to place by moving within a short interval of time.

To do this, each bettor must undergo a location check prior to placing the first bet after accessing the betting system on a device. Subsequent checks on this device should occur every 30 minutes.

How Caf can help

As a Brazilian-born and headquartered company, Caf are experts in the regulated sports betting in the country, and we understand the opportunities and challenges of the Brazilian market like no one else.

By partnering with Caf, you can be assured of not only complying with all regulatory statutes, but also be able to onboard new customers quickly, combat fraud and boost revenue.

Our solution for gambling operators, BetID, has a range of features designed to help operators succeed, including:

  • Regulatory Compliance: Identity verification processes that aligned with legal requirements.
  • User Experience: The right balance between safety and practicality so as not to cause too much friction
  • Fraud prevention: Suspicious activity detection to protect your business and legitimate users.

Click here to talk to an expert today. 

Related Blogs

Don’t miss a post.

Subscribe to our newsletter to receive exclusive content as soon as it is published.
"The Latest on Identity Verification and Regulated Sports Betting in Brazil"