Brazil’s Betting Regulation 2026: Post-Implementation Guide for Operators

The "grey market" era of Brazilian iGaming is officially dead. As of January 1, 2026, the transition period defined by Law 14.790/2023 has expired, and the Secretaria de Prêmios e Apostas (SPA) has moved from guidance to strict enforcement.

For operators, 2026 is not about obtaining a license—it is about keeping it. The SPA has already issued its first wave of fines for non-compliance with Ordinance SPA/MF No. 722, specifically targeting platforms with weak identity verification protocols.

If your compliance stack still relies on basic document uploads and static data checks, your operations are at financial and reputational risk. This guide breaks down the technical requirements for passing SPA audits and integrating with the Sigap monitoring system in the current regulatory landscape.

Mandatory Identity Verification: Beyond Basic CPF Checks

In 2026, "Know Your Customer" (KYC) in Brazil is no longer just a best practice; it is a rigid technical standard. The days of accepting a simple photo of an RG (identity card) are over. The regulator now demands a biometric-first approach to prevent multi-accounting and underage gambling.

The "Face Match" Requirement (Ordinance SPA/MF No. 722)

The cornerstone of the 2026 compliance framework is mandatory facial recognition, commonly referred to in the industry as "Face Match." According to the latest SPA technical ordinances, operators must verify that the person registering is the live owner of the provided document.

Static selfies are insufficient. To meet the Presentation Attack Detection (PAD) standards required by the regulator, your onboarding flow must include active or passive liveness detection. This technology is the only defense against the surge of generative AI deepfakes and injection attacks that have plagued the LatAm market since late 2025.

Implementing certified liveness detection standards is critical not just for compliance, but for fraud prevention. Operators failing to implement this layer face immediate sanctions for enabling "orange" accounts (accounts used for money laundering).

CPF Status Validation & Age Verification

The Cadastro de Pessoas Físicas (CPF) remains the unique identifier for all players in Brazil. However, simply validating the mathematical format (11 digits) of a CPF number is a rookie mistake that will trigger a red flag during an audit.

In 2026, operators must perform a real-time query against the Receita Federal database during the onboarding process. This check must validate three data points instantly:

🔹 Name Match: Does the name provided match the tax records exactly?

🔹 Date of Birth: Is the user strictly over 18?

🔹 CPF Status: Is the CPF "Regular"?

You cannot onboard users with "Suspended," "Cancelled," or "Null" status. These statuses often indicate tax irregularities or deceased individuals (a common vector for bonus abuse). Manual checks are impossible at scale; your system needs an automated CPF validation solution that pings the government database and returns a decision in milliseconds to minimize user drop-off.
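The onboarding decision described above, as an added example that is not code from Kycaid or the regulator: the two CPF check digits are verified locally as a pre-filter only, and the decision then rests on the registry record. The `record` dict and its field names are assumptions standing in for whatever the real-time Receita Federal query returns, "over 18" is read as having reached the 18th birthday, and the CPF in the sample is constructed.

```python
import re
from datetime import date
from typing import Optional, Tuple

ALLOWED_STATUS = {"Regular"}  # Suspended / Cancelled / Null are rejected

def cpf_check_digits_ok(cpf: str) -> bool:
    """Local pre-filter: validates the two mod-11 check digits of a CPF."""
    d = [int(c) for c in re.sub(r"\D", "", cpf)]
    if len(d) != 11 or len(set(d)) == 1:   # 111.111.111-11 passes mod-11, reject it
        return False
    for n in (9, 10):                      # n = position of the check digit
        total = sum(v * (n + 1 - i) for i, v in enumerate(d[:n]))
        if (total * 10) % 11 % 10 != d[n]:
            return False
    return True

def norm_name(name: str) -> str:
    # Assumption: "exact" match after collapsing whitespace and case.
    return " ".join(name.split()).casefold()

def full_years(born: date, today: date) -> int:
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def onboarding_decision(applicant: dict, record: Optional[dict],
                        today: date) -> Tuple[bool, str]:
    """record is the (hypothetical) registry answer; None means lookup failed."""
    if not cpf_check_digits_ok(applicant["cpf"]):
        return False, "cpf_format"
    if record is None:                     # timeout or error: fail closed
        return False, "registry_unavailable"
    if record["status"] not in ALLOWED_STATUS:
        return False, "cpf_status"
    if norm_name(record["name"]) != norm_name(applicant["name"]):
        return False, "name_mismatch"
    # Age comes from the registry's date of birth, not the self-declared one.
    if full_years(record["birth_date"], today) < 18:
        return False, "underage"
    return True, "ok"

if __name__ == "__main__":
    applicant = {"cpf": "111.444.777-35", "name": "Maria  da Silva"}  # constructed
    record = {"status": "Regular", "name": "MARIA DA SILVA",
              "birth_date": date(2000, 1, 1)}                         # constructed
    print(onboarding_decision(applicant, record, date(2026, 1, 15)))
```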

Sigap Integration: Automating Regulatory Reporting

The biggest technical hurdle for operators in 2026 is not the license fee — it’s the Sistema de Gestão de Apostas (Sigap). This centralized monitoring system, managed by the Ministry of Finance, acts as the "Big Brother" of the Brazilian betting market.

Under the current regime, "batch reporting" at the end of the month is obsolete. The regulator requires near real-time visibility into player activity.

The "Exclusion List" Check (Self-Exclusion Compliance)

Before accepting any wager or deposit, your platform must query Sigap’s National Register of Prohibited Persons. This list includes problem gamblers who have self-excluded, as well as individuals legally barred from betting (e.g., sports officials, regulators).

This is a synchronous blocking call. If your system fails to check this list and allows a prohibited person to bet, the penalty is severe: a fine of up to 20% of revenue. Automation here is non-negotiable. Your backend must be integrated with a gambling compliance solution that handles these API calls seamlessly, ensuring that every "Spin" or "Bet" button is gated by a compliant check.

Data Reporting Requirements

Operators must submit daily logs covering:

🔹 Player Identity: Anonymized ID linked to the CPF.

🔹 Financial Flow: Deposits, withdrawals, and current balances.

🔹 Betting History: Outcomes and odds.

Manual CSV uploads are error-prone and unscalable. A robust compliance stack automates this reporting pipeline, formatting your data to Sigap’s strict JSON schemas and flagging anomalies (like sudden high-value deposits) before they reach the regulator.

AML & Financial Compliance in a PIX-Dominated Market

Brazil’s betting landscape in 2026 is a "PIX-first" economy. While this instant payment method boosts conversion, it also accelerates the speed at which money laundering can occur.

Payment Restrictions & "Source of Funds"

Law 14.790/2023 explicitly banned credit cards and crypto-anonymity for iGaming. Payments must strictly originate from accounts registered to the player’s verified CPF.

This creates a unique challenge: "Source of Funds" (SoF). Since you cannot rely on credit card chargeback protections, you must verify that the PIX key belongs to the user before crediting the deposit.

The 2026 Rule: Third-party deposits (e.g., a wife using a husband’s account) are strictly prohibited. Your AML software must automatically cross-reference the depositor's CPF with the registered player's CPF. Mismatches must trigger an immediate freeze.
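A sketch of the two gates described above, the exclusion-list check before any wager or deposit and the depositor/player CPF cross-reference, as an added example rather than code from Kycaid or Sigap. The `is_prohibited` callable is a hypothetical stand-in for the register query (no real Sigap API is shown), the decision labels are illustrative, and the CPFs are constructed samples.

```python
import re
from typing import Callable, Optional

SAMPLE_REGISTER = {"12345678909"}          # constructed prohibited-persons sample

def digits(cpf: str) -> str:
    return re.sub(r"\D", "", cpf)

def sample_lookup(cpf: str) -> bool:
    """Hypothetical register query: True if the CPF is on the list."""
    return cpf in SAMPLE_REGISTER

def gate(kind: str, player_cpf: str, is_prohibited: Callable[[str], bool],
         payer_cpf: Optional[str] = None) -> str:
    """Decide a 'wager' or 'deposit' request.

    Returns 'allow', 'deny_excluded', 'deny_check_failed' or
    'freeze_third_party'. Any outcome other than an explicit
    "not on the list" answer blocks the action (fail closed).
    """
    try:
        answer = is_prohibited(digits(player_cpf))   # synchronous, per request
    except Exception:
        return "deny_check_failed"                   # timeout, network error, ...
    if answer is True:
        return "deny_excluded"
    if answer is not False:                          # malformed or empty answer
        return "deny_check_failed"
    if kind == "deposit":
        # The payer's CPF must be known and equal to the verified player's CPF.
        if payer_cpf is None or digits(payer_cpf) != digits(player_cpf):
            return "freeze_third_party"
    return "allow"

if __name__ == "__main__":
    print(gate("wager", "123.456.789-09", sample_lookup))
    print(gate("deposit", "111.444.777-35", sample_lookup, payer_cpf="12345678909"))
```

The lookup is performed on every request rather than read from a long-lived cache, since the enforcement cases on this page turn on blocking a user within seconds of their addition to the list.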

PEP Screening & Sanctions in LatAm

International sanctions lists (OFAC, UN) are standard, but they are not enough for Brazil. The Council for Financial Activities Control (COAF) requires operators to screen against specific domestic lists, including:

🔹 Brazilian PEPs: Local politicians, judges, and municipal officials.

🔹 National Sanctions: Individuals involved in local corruption scandals.

Given the volatility of local politics, these lists change frequently. Relying on static databases invites risk. You need a dynamic sanctions and PEP screening tool that updates daily and understands the nuances of Latin American naming conventions to avoid false negatives.

The Cost of Non-Compliance: 2026 Case Studies

The "grace period" for iGaming in Brazil ended abruptly in January 2026. The SPA has made it clear that violations of Ordinance 722 are not just administrative errors; they are grounds for immediate license suspension.

Recent enforcement actions have highlighted two primary failure points:

🔹 "Ghost" Accounts: Operators fined for allowing users to register with valid CPFs but without completing a biometric liveness check.

🔹 Self-Exclusion Leaks: Platforms penalised for failing to block users on the National Register from placing bets within seconds of their addition to the list.

The financial impact goes beyond the fine (up to R$ 2 billion in extreme cases). The real cost is the revocation of the operating license, which effectively blacklists the brand from Latin America’s largest market. In 2026, compliance is not a cost center; it is your license to exist.

How to Build a "Future-Proof" Compliance Stack with Kycaid

Meeting SPA requirements doesn’t mean sacrificing user experience. The winners in the Brazilian market are operators who automate compliance invisibly.

Kycaid offers a dedicated Brazil Compliance Module designed specifically for the 2026 regulatory framework.

Modular Approach: Verify Only What You Need

Don't pay for global checks when you only need local compliance. Our modular API allows you to trigger specific checks relevant to Brazil:

🔹 CPF Status & Name Match: Direct integration with Receita Federal.

🔹 Facematch (Liveness): Certified PAD technology to stop deepfakes.

🔹 Sigap Reporting: Automated data formatting for regulatory logs.

High-Speed Onboarding for the Brazilian Player

Brazilian players are accustomed to the speed of PIX. Your onboarding must match that pace. KYCAID’s optimized widget reduces verification time to under 11 seconds, ensuring you reduce onboarding friction without compromising on the mandatory biometric checks.

FAQ: Brazil iGaming Compliance 2026

Is facial recognition mandatory for all bets in Brazil?

No, facial recognition is mandatory during account registration and first deposit. However, Ordinance 722 requires periodic re-authentication (e.g., upon withdrawal or suspicious activity) to ensure account integrity.

How often must I update PEP lists for Brazilian players?

Under COAF regulations, PEP screening should be continuous. KYCAID’s system monitors changes in Brazilian PEP lists daily, flagging new risks (e.g., a mayor elected in a municipal election) automatically.

What is the deadline for Sigap data submission?

Data regarding player activity and financial flows must be available to Sigap in near real-time. Specific reporting batches are typically required daily, but the system must support on-demand queries from the regulator.
