KYC Requirements for iGaming in Brazil 2025 

With a population exceeding 210 million, Brazil stands as the largest country in South America, representing a significant potential customer base. As such, Brazil’s gambling market represents one of the largest untapped opportunities globally, promising significant growth potential for providers. Historically, Brazilian authorities enforced strict regulations on gambling, allowing only limited forms such as lotteries and horse racing. 

In 2024, the Brazilian government took measures to update its gambling laws. They recognized the changing global environment surrounding online gambling and saw the economic benefits, such as possible tax revenue increases. 

This new set of rules aims to create a safe and responsible gambling market through licensing, consumer protection, taxation, and anti-money laundering (AML)  measures. The regulatory framework around iGaming also addresses advertising standards and technology requirements, and most importantly, customer KYC will be a key part of these regulations. International operators seeking to join this growing sector expect to attract significant investment.  

Opportunities for iGaming in Brazil 

The iGaming market in Brazil is bound to be dynamic, with lots of potential for growth. A key reason for this is the greater availability and lower cost of high-speed internet and smartphones. This has improved online participation across Central and South America, serving as a solid foundation for any online business planning to enter the market. 

Furthermore, there are positive developments in the regulatory landscape. Latin America has over 34 countries and territories. This creates a mix of different legal systems. As regulations in Brazil continue to evolve and markets gradually open up, iGaming operators that comply with KYC (Know Your Customer) protocols and offer safe, engaging experiences are more likely to find success. 

Brazil is a major market opportunity, mainly because of three reasons: 

• Internet penetration: The solid internet penetration rate of around 80% both in terms of fixed broadband and mobile,  enhances the reach of online gambling platforms.  

• Growing middle class: Despite facing recent economic challenges, Brazil’s expanding middle class possesses disposable income that can be allocated towards entertainment, including iGaming. 

• New licensing: Recently introduced licensing laws aim to bring online gambling out of the grey market and transform it into a properly regulated industry. 

New licensing rules for Brazil’s betting operators 

Normative Ordinance 827, published in Brazil’s Official Diary of the Union on May 21, outlines the requirements for obtaining sports betting and gaming licenses in the country. 

The ordinance included an “adjustment period” that allowed gaming operators to comply with the new regulations by December 31, 2024. Applications submitted within 90 days of the ordinance’s publication were prioritized in the review process.  

Anyone who fails to obtain a license by the deadline is now subject to penalties, which took effect on January 1, 2025. 

Local ownership rule for betting licenses 

Applicants for a license must be based in Brazil. Foreign companies are still eligible, but they must establish a local subsidiary with at least 20% of its share capital owned by a Brazilian national.  

The specifics of how this requirement will work in practice are still uncertain, leaving operators with unanswered questions. One lawyer expressed disappointment at the lack of clarity and hoped for further guidance from the Ministry. 

An operator must set up this structure before applying for a license. Any mergers, splits, or changes in control will be reviewed by the Secretariat of Prizes and Bets (SPA). 

Certification and data centre requirements for operators

The Ministry of Finance has announced that certain exceptions will enable data centres to locate outside Brazil. Operators must have their betting systems certified under Ordinance 722m, which was issued on 3 May 2024. 

The ordinance also allows offshore data centres, provided they are in countries with a legal cooperation agreement with Brazil, ensuring the SPA has easy access to their data. This agreement must cover civil and criminal matters. 

To allow data centres outside the country, certain conditions must be met. The host country must have a legal cooperation agreement with Brazil that covers civil and criminal matters. Data holders abroad must authorize data transfers in advance, and the finance ministry’s technical team must have secure, unrestricted access to this data. 

The operating agent is also responsible for replicating the database within Brazil. They must keep all databases synchronized by performing regular updates and periodic tests to ensure consistency across all information. 

While companies like Gaming Laboratories International (GLI) are certified to conduct testing, the large number of applicants could cause delays. In January, 134 local and international operators expressed interest in the licensing process. 

KYC requirements in Brazil (Know Your Player) 

The new KYC rules in Brazil aim to improve security. These rules help make verification easier. They also work to prevent financial crimes, such as fraud and money laundering. Here’s an overview of the core technical components expected for compliance: 

1. Identity verification through CPF and biometric data 
   • CPF verification: Businesses must verify customers’ identities using the Cadastro de Pessoas Físicas (CPF), which is a unique Brazilian taxpayer identification number. This involves cross-checking the CPF number against government databases to confirm the individual’s identity.
   • Biometric verification: Facial recognition technology is required to complement CPF checks. This involves capturing and matching facial biometric data against the registered image in the CPF database. Additional biometric checks happen at least every seven days. They ensure that the person using the service is the same as the registered account holder. 
2. Document authentication 
   • Companies are required to validate customer-provided identification documents such as passports or IDs. This validation process often uses AI technology to recognize documents. It checks for security features such as watermarks or holograms and also verifies the information against the CPF database. These checks verify the document’s authenticity and ensure it hasn’t been tampered with. 
3. Multi-factor authentication (MFA) 
   • To access sensitive accounts, companies must use multi-factor authentication (MFA). This may include biometric factors, such as facial recognition, or other methods, like one-time passwords (OTPs). MFA improves security when recovering accounts. It can also re-authenticate users after they have been inactive for 30 minutes or more. 
4. Geolocation tracking 
   • Businesses must track the locations of their customers. This helps prevent unauthorized access. It also ensures that users are in Brazil when they use services. 
   • Geolocation verification must occur at regular intervals, typically every 30 minutes, to detect potential fraud and restrict access during suspicious activities, such as location spoofing attempts. 
5. Ongoing monitoring and AML compliance 
   • Organizations must establish and continuously update customer risk profiles based on transaction patterns and behaviour. This includes detecting unusual activities, such as rapid fund transfers or attempts to withdraw funds without gameplay. Suspicious activities must be reported to the Financial Activities Control Council (COAF) in Brazil. 
   • Anti-money laundering (AML) rules require operators to check for politically exposed persons (PEPs) and high-risk countries. They must also watch for other signs of financial crime. Organizations may use advanced technologies like AI to automate monitoring processes. This helps ensure quick detection and compliance with AML requirements.   
6. Data privacy and security 
   • Organizations must follow Brazil’s data privacy laws when handling sensitive biometric and financial data. These laws include measures to protect against data breaches and unauthorized access. This means ensuring that systems with KYC data use encryption for protection. Only authorized personnel should be able to access this data.  
7. Address verification 
   • The following documents are accepted in Brazil as valid proof of address: 
   • A current utility bill (such as gas, electricity, telephone, or mobile phone bill) issued within the last three months, displaying the end-user’s name and address. 
   • A bank statement issued within the last three months, clearly showing the end-user’s name and address. 
   • A document from a government department that includes the end-user’s name and address. 
   • You can also enhance the proof of address process by cross-verifying the address with official government records. 

End-to-end KYC verification  

To help iGaming operators comply with these rules, we have analyzed the requirements and established processes to meet the KYC requirements. This strategy includes steps to prevent fraud and bonus abuse. It focuses on Brazil’s regulated sports betting and iGaming market. 

For player onboarding in Brazil, a comprehensive approach to KYC is necessary, which encompasses identity data verification, secure identity document validation, and biometric authentication. 

Identity verification and CPF fraud prevention in Brazil 

Seamless identity checks serve as a starting point for KYC in Brazil. Identity and age verification are matched against the personal information provided during online registration with trusted sources. This helps you confirm that the user’s information is real and can be verified. 

Here is a key list of player personal identity information that operators should collect in Brazil: 

• CPF number 

• Full name 

• Date of birth 

• Address 

• Email address 

Verifying data against trusted national government sources is an effective strategy for CPF-based KYC checks.  

Operators in Brazil should be aware of a developed underground market for stolen CPF numbers. These numbers are widely available, making it essential to verify them and protect against CPF number fraud. It is essential to incorporate ID verification along with facial recognition for enhanced security. 

Screening and monitoring players in Brazil 

Licensed operators in Brazil are required to screen high-risk players. This includes people banned from having gaming accounts and those who are financially vulnerable. These individuals do not meet affordability standards. 

To follow the regulatory framework and AML guidelines, operators must check for PEPs, sanctioned individuals, and names on Brazil’s player exclusion list. This list includes operator employees and public officials who work in the regulation of iGaming and sports betting. It also includes individuals who can influence sports events, such as referees, sports agents, athletes, and coaches. 

How G2RS can help 

Brazil’s gambling regulations are currently in the early stages, resulting in a landscape where compliance requirements are subject to change.  We integrate KYC checks with exclusion lists and affordability data relevant to Brazil, while also compiling various government records, security systems, credit information, and mobile data. Additionally, we verify CPF numbers against Brazil’s Receita Federal (Tax Registry). This comprehensive approach helps protect players and ensures that your business remains compliant with regulations.  

Contact us today and stay KYC compliant with our identity verification solutions.