The transition period is over. With the full enforcement of Law 14.790/2023, the Brazilian iGaming market has shifted from a regulatory gray zone into one of the most technologically demanding jurisdictions in the world. The Secretaria de Prêmios e Apostas (SPA) is no longer issuing warnings; it is auditing data pipelines and revoking licenses for technical non-compliance.
For CTOs and Heads of Compliance operating in Brazil in 2026, the challenge is largely architectural. Regulatory requirements are no longer satisfied by uploading a batch CSV file at the end of the month or running a basic regex check on a registration form. If your backend cannot query government databases synchronously, verify identities biometrically in real time, and format telemetry for the government's monitoring engine, your operation is exposed. Manual compliance does not scale under SPA supervision; survival requires an automated data pipeline.
The CPF Mandate: Moving Beyond Basic Formatting
The Cadastro de Pessoas Físicas (CPF) is the absolute epicenter of the Brazilian digital identity. Every bet, deposit, and withdrawal must be immutably tied to a verified, active CPF. However, how platforms validate this 11-digit number separates compliant operators from those facing imminent fines.
Real-Time Queries via Receita Federal
Historically, many platforms relied on the CPF's own check digits, a Modulo 11 (mod-11) checksum, to verify that a user-entered CPF was mathematically well-formed. Under the 2026 SPA framework that is no longer sufficient on its own. The checksum is still worth running first, because it rejects typos and fabricated numbers before you spend a paid query, but a mathematically valid CPF can belong to a deceased individual or to someone with severe tax irregularities, both of which are regulatory red flags.
Today, your onboarding API must execute a real-time, synchronous query against the Receita Federal (the Brazilian Federal Revenue Service) database. Your system must parse the API response to confirm not just the existence of the CPF, but its precise status. Your onboarding logic must automatically hard-block the registration if the Receita Federal returns any of the following statuses:
- ↪ Suspensa (Suspended): Incomplete voter registration or tax filing issues.
- ↪ Cancelada (Canceled): Often due to multiple registrations or administrative decisions.
- ↪ Nula (Null): Fraudulent or invalid generation.
- ↪ Titular Falecido (Deceased): A major indicator of synthetic identity fraud.
Asynchronous checks do not make the lookup faster; they open a window in which a user whose CPF is suspended, canceled, or registered to a deceased person can complete a first deposit before the flag lands, which puts you in direct violation of AML mandates. The same fail-closed rule applies to outages: if the status query times out or errors, registration must be refused, not waved through.
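The onboarding gate described above, as an added example written for this article (not Kycaid's code and not a Receita Federal client). It runs the mod-11 check first, then a synchronous status lookup, and decides fail-closed: the `lookup` callable, the `SAMPLE_REGISTRY` table and the use of `"Regular"` as the only accepted status are assumptions standing in for whatever provider you actually integrate.

```python
"""
CPF onboarding gate: cheap mod-11 syntax check, then a synchronous status
lookup, with the status decision made fail-closed.

Added example; `lookup` and the status strings it returns stand in for the
real integration (assumption). Only "Regular" is accepted; the four blocking
statuses are the ones listed in the article; anything else is also blocked.
"""
import re
from typing import Callable, Tuple

BLOCKING_STATUSES = {"Suspensa", "Cancelada", "Nula", "Titular Falecido"}
ALLOWED_STATUSES = {"Regular"}          # assumption: allow-list, default deny


def normalize_cpf(raw: str) -> str:
    """Strip punctuation/whitespace; return exactly 11 digits or '' if malformed."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 11 else ""


def _check_digit(digits: str, first_weight: int) -> int:
    """CPF check digit: weighted sum mod 11, weights descending from first_weight to 2."""
    total = sum(int(d) * w for d, w in zip(digits, range(first_weight, 1, -1)))
    rem = total % 11
    return 0 if rem < 2 else 11 - rem


def cpf_syntactically_valid(raw: str) -> bool:
    """Mod-11 check only: rejects typos and junk, proves nothing about the holder."""
    cpf = normalize_cpf(raw)
    if not cpf or cpf == cpf[0] * 11:   # 000..., 111... satisfy mod-11 but are not real CPFs
        return False
    return (_check_digit(cpf[:9], 10) == int(cpf[9])
            and _check_digit(cpf[:10], 11) == int(cpf[10]))


def onboarding_decision(raw_cpf: str, lookup: Callable[[str], str]) -> Tuple[bool, str]:
    """
    Return (allowed, reason). `lookup(cpf)` is the synchronous status query and
    is expected to raise on timeout/error; any failure blocks registration.
    """
    cpf = normalize_cpf(raw_cpf)
    if not cpf_syntactically_valid(cpf):
        return False, "invalid_cpf_format"      # don't spend a paid query on junk
    try:
        status = lookup(cpf)
    except Exception as exc:                    # timeout, 5xx, parse error: fail closed
        return False, f"lookup_failed:{type(exc).__name__}"
    if status in ALLOWED_STATUSES:
        return True, "regular"
    if status in BLOCKING_STATUSES:
        return False, f"blocked:{status}"
    return False, f"blocked:unknown_status:{status}"


# Constructed stand-in for the real query (test data, not real people).
SAMPLE_REGISTRY = {
    "52998224725": "Regular",
    "11144477735": "Titular Falecido",
}


def sample_lookup(cpf: str) -> str:
    if cpf not in SAMPLE_REGISTRY:
        raise TimeoutError("registry unavailable")   # simulates an outage
    return SAMPLE_REGISTRY[cpf]


if __name__ == "__main__":
    for raw in ("529.982.247-25", "111.444.777-35", "111.111.111-11",
                "123.456.789-00", "123.456.789-09"):
        print(raw, onboarding_decision(raw, sample_lookup))
```

The last two inputs show the two cheap rejections: `123.456.789-00` fails the checksum and never reaches the registry, while `123.456.789-09` is well-formed but the (simulated) registry is down, so it is refused rather than admitted.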
Tying the CPF to Biometrics (Ordinance 722)
Validating the CPF against the tax database is only step one. The operator must provide technological proof that the individual holding the device actually owns that CPF.
Under the strict requirements of Ordinance SPA/MF No. 722, simple document uploads (e.g., a static photo of an RG or CNH) are legally insufficient. The SPA requires operators to implement a "Facematch" protocol during onboarding. This means your backend must securely cross-reference the biometric face data extracted during the selfie capture with the official government photo tied to the CPF.
Crucially, to counter generative AI deepfakes and camera-injection attacks, which are surging in LatAm, this process must be fortified by certified Presentation Attack Detection (PAD). If your liveness flow has not passed at least iBeta Level 2 PAD testing (conducted under ISO/IEC 30107-3), you are highly vulnerable to synthetic identity fraud, which the SPA penalizes the operator for failing to prevent. One caveat: PAD testing covers attacks presented to the camera (printed photos, screens, masks); a virtual camera that injects a synthetic video stream bypasses the sensor entirely, so injection attack detection is a separate control you must confirm with your vendor.
Demystifying Sigap (Sistema de Gestão de Apostas)
For engineering teams, Sigap is the ultimate technical hurdle of 2026. The days of submitting batch CSV files at the end of the month are definitively over. The SPA now demands an event-driven architecture that logs activity via secure APIs.
Definition
Sigap (Sistema de Gestão de Apostas) is the centralized, real-time monitoring system managed by the Brazilian Ministry of Finance. It functions as the primary regulatory oversight tool for the iGaming market, requiring operators to push continuous data streams regarding player identity, betting volume, and financial transactions directly to the government.
Data Formatting and Automated Reporting
Your backend must be designed to continuously push properly formatted JSON payloads to the Sigap endpoint. Failure to meet their strict data schemas results in rejected logs and immediate regulatory warnings.
The required telemetry data includes:
- ↪ Player Identity Data: Pseudonymous player IDs (not truly anonymized, since they must remain resolvable to a person) linked to the player's verified CPF.
- ↪ Financial Flow Logging: Timestamps and values for every deposit, wager, and withdrawal, explicitly tracking the Source of Funds (SoF).
- ↪ Betting History & Outcomes: Granular data on specific betting events, odds, and payouts to monitor for match-fixing anomalies.
To handle this volume, operators must put a durable message broker (e.g., Kafka or RabbitMQ) in the compliance pipeline so Sigap logs are queued and delivered even during peak events such as the Brasileirão finals. Delivery will be at-least-once in practice, so every event needs a stable idempotency key and the reporting consumer must tolerate replays without double-reporting a wager.
The Synchronous "Exclusion List" Check
🛑 Critical Technical Requirement: Perhaps the most technically aggressive requirement of the new SPA regulations is the self-exclusion mandate.
Sigap maintains the National Register of Prohibited Persons, which includes problem gamblers, sports officials, and individuals legally barred from betting.
Your betting engine must execute a synchronous blocking call against this database. Before the server accepts a deposit or processes a "Place Bet" request, it must query the exclusion list API, and if the player's CPF returns a hit, the transaction must be hard-blocked within milliseconds. Asynchronous checks, where the bet is placed and the check happens in the background, are illegal and carry massive fines (up to 20% of revenue) if a prohibited person successfully wagers. Design the call to fail closed: a timeout or error from the list must reject the transaction, because an unreachable list would otherwise become the easiest way to let a prohibited person through.
Payment Compliance: The CPF-to-PIX Pipeline
Brazil is a PIX-dominated economy. While PIX delivers instant deposits and high conversion rates, Law 14.790/2023 introduced rigid Anti-Money Laundering (AML) controls specifically targeting this payment rail. Credit cards are banned as a betting payment method, and anonymous channels such as cryptocurrency are not permitted.
Blocking Third-Party Deposits
The golden rule of 2026 Brazilian iGaming compliance is simple: The CPF used to register the account must exactly match the CPF tied to the PIX key making the deposit. If a player registers with CPF "A", but the PIX deposit originates from a bank account registered to CPF "B" (e.g., a friend or spouse), the transaction must be instantly rejected.
From an engineering perspective, your payment gateway and your KYC module cannot exist in silos. Your Brazil KYC and onboarding module must extract the player's verified CPF from the onboarding record and compare it with the payer identifier your payment service provider returns for the incoming PIX transaction. Compare normalized digits rather than formatted strings, and treat a payer that is a CNPJ (a company account) or anything that is not an 11-digit CPF as a third party.
If there is a mismatch, the deposit must be frozen and the funds returned to the originating account to prevent "orange accounts" (contas laranja) from being used for money laundering. Return the money through the PIX refund on the same transaction, never to a key the user supplies, since a refund to an arbitrary destination is itself a laundering path. This control is heavily audited by the SPA.
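A pre-transaction gate that applies both rules above, the synchronous exclusion-list check and the CPF-to-PIX match, as an added example written for this article (not Kycaid's code, not the real Sigap exclusion-list API, and not any PSP's PIX notification format). `ExclusionClient`, `PixDeposit`, its `payer_tax_id` field, the 200 ms budget and the `FakeExclusionList` stand-in are all assumptions; the point is the decision logic: fail closed on lookup failure, refuse non-CPF payers, and mark rejected deposits for refund to origin only.

```python
"""
Pre-transaction compliance gate for PIX deposits and bets (added example).

ExclusionClient / PixDeposit / FakeExclusionList are assumptions standing in
for the real exclusion-list API and the payer metadata your PSP returns.
"""
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Protocol, Set


def normalize_tax_id(raw: str) -> str:
    """Digits only, so '529.982.247-25' and '52998224725' compare equal."""
    return re.sub(r"\D", "", raw or "")


class ExclusionClient(Protocol):
    def is_prohibited(self, cpf: str, timeout_s: float) -> bool: ...


@dataclass
class PixDeposit:
    account_cpf: str      # verified CPF from the KYC record of the receiving account
    payer_tax_id: str     # CPF or CNPJ of the paying account, as reported by the PSP (assumed field)
    amount_brl: int       # centavos
    end_to_end_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    refund_to_origin: bool = False   # refund only via the PIX return on this same transaction


@dataclass
class ComplianceGate:
    exclusion: ExclusionClient
    timeout_s: float = 0.2           # hard budget for the synchronous list query
    audit: List[dict] = field(default_factory=list)

    def _exclusion_check(self, cpf: str) -> Optional[Decision]:
        """Synchronous and fail-closed: an unreachable list blocks the transaction."""
        try:
            if self.exclusion.is_prohibited(cpf, self.timeout_s):
                return Decision(False, "prohibited_person")
        except Exception as exc:     # timeout, connection error, bad response
            return Decision(False, f"exclusion_lookup_failed:{type(exc).__name__}")
        return None

    def place_bet(self, cpf: str, amount_brl: int) -> Decision:
        cpf = normalize_tax_id(cpf)
        d = self._exclusion_check(cpf) or Decision(True, "ok")
        self._log("bet", cpf, amount_brl, d)
        return d

    def deposit(self, dep: PixDeposit) -> Decision:
        account = normalize_tax_id(dep.account_cpf)
        payer = normalize_tax_id(dep.payer_tax_id)
        if len(payer) != 11:
            # CNPJ (14 digits) or malformed payer identifier: third party by definition
            d = Decision(False, "payer_not_a_cpf", refund_to_origin=True)
        elif payer != account:
            d = Decision(False, "cpf_mismatch", refund_to_origin=True)
        else:
            d = self._exclusion_check(account) or Decision(True, "ok")
            if not d.allowed:
                d.refund_to_origin = True
        self._log("deposit", account, dep.amount_brl, d)
        return d

    def _log(self, kind: str, cpf: str, amount: int, d: Decision) -> None:
        self.audit.append({"ts": time.time(), "kind": kind, "cpf": cpf,
                           "amount": amount, "allowed": d.allowed, "reason": d.reason})


class FakeExclusionList:
    """Constructed stand-in for the exclusion-list API; `down` simulates an outage."""
    def __init__(self, prohibited: Set[str], down: bool = False):
        self.prohibited, self.down = prohibited, down

    def is_prohibited(self, cpf: str, timeout_s: float) -> bool:
        if self.down:
            raise TimeoutError(f"no reply within {timeout_s}s")
        return cpf in self.prohibited


if __name__ == "__main__":
    gate = ComplianceGate(FakeExclusionList({"11144477735"}))   # test CPFs, not real people
    print(gate.place_bet("529.982.247-25", 5000))
    print(gate.place_bet("111.444.777-35", 5000))
    print(gate.deposit(PixDeposit("529.982.247-25", "12.345.678/0001-95", 10000, "E1")))
    print(gate.deposit(PixDeposit("529.982.247-25", "111.444.777-35", 10000, "E2")))
    print(ComplianceGate(FakeExclusionList(set(), down=True)).place_bet("529.982.247-25", 5000))
```

The audit list is what you would hand an SPA auditor for a disputed transaction: every accept and reject, with the reason, is recorded at decision time rather than reconstructed later.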
Building a Future-Proof Brazilian Compliance Stack
The sheer volume of engineering resources required to independently integrate with the Receita Federal, manage real-time Facematch biometrics, and build the infrastructure to format JSON payloads for Sigap is staggering. For CTOs, this is a dangerous distraction from building your core product—the betting experience.
This is why leading iGaming platforms rely on Kycaid. We don't just provide a generic KYC tool; we deliver true Compliance-as-a-Service engineered specifically for the complexities of Law 14.790/2023.
Our unified API handles the entire heavy lifting of the Brazilian market. When a user onboards, Kycaid simultaneously executes the synchronous Receita Federal ping to validate the CPF, runs the iBeta PAD Level 2 biometric Facematch against government records, and automatically formats the required identity telemetry for your Sigap reporting.
We enable your platform to meet every technical demand of the SPA—from blocking third-party PIX deposits to real-time exclusion list checks—without inflating your onboarding friction or draining your developer bandwidth.
Act Now Before the Next Audit
The transition period for Brazilian iGaming compliance has officially ended. The SPA is actively monitoring data streams, and platforms operating with legacy batch processing or asynchronous checks are prime targets for license revocation. Integrating your platform with the Receita Federal, enforcing strict CPF-to-PIX matching, and streaming data to Sigap are no longer optional technical upgrades; they are the absolute prerequisites for operating in the largest regulated market in Latin America.
Don't wait for a failed audit to modernize your architecture. Partner with a compliance provider that understands the technical nuances of the Brazilian regulatory landscape.
Ready to automate your Sigap reporting and CPF validation?
Book a technical consultation with Kycaid today to see our unified Brazil compliance API in action.
FAQ: Sigap and CPF Compliance
What happens if an iGaming operator fails to integrate with Sigap?
Under Law 14.790/2023, failure to continuously report player data, financial flows, and betting history to the Sigap system is a critical violation. The Secretaria de Prêmios e Apostas (SPA) can issue daily fines of up to 20% of the operator's gross revenue and, in severe cases, permanently revoke the operating license.
Is a selfie with an ID card enough for Brazilian KYC in 2026?
No. Ordinance SPA/MF No. 722 strictly requires operators to move beyond static document uploads. To combat synthetic identity fraud, platforms must utilize "Facematch" technology backed by Presentation Attack Detection (PAD) to biometrically verify that the live user matches the government photo tied to the registered CPF.
Can a player deposit via PIX using a different CPF?
Absolutely not. Brazilian Anti-Money Laundering (AML) regulations mandate strict CPF-to-PIX matching to prevent the use of "orange accounts" (contas laranja). The CPF registered to the iGaming account must exactly match the CPF tied to the PIX key originating the deposit; otherwise, the transaction must be instantly blocked and refunded.