Brazil’s Ministry of Finance publishes ordinance regulating fixed-odds betting systems

On May 2, 2024, the Brazilian Ministry of Finance’s Prizes and Betting Secretariat (Gaming Authority) published SPA/MF Ordinance So. 722 to regulate minimum requirements for platforms and systems that operators will use to run betting and operate online games under Law No. 14,790/2023.

Among the regulated topics, the following stand out:

• Domain names: the online channels the operator uses must be registered with the “bet.br” domain name in accordance with specific regulations;
• Online games: When a bet is placed, online games must set a multiplication factor (for each unit of Brazilian currency wagered) defining the specific sum the player receives in the event of a win. The result is determined by the outcome of a future random event based on randomly generated numbers, symbols, figures, or objects defined in the system’s rules;
• Location: the operator must run the betting system and store its respective data in Brazil-based data centers. Systems and data may only be kept outside of Brazilian borders in countries that have signed an international legal cooperation agreement with Brazil (covering both civil and criminal matters) when specific consent has been obtained for the international data transfer in accordance with Article 33 of the Brazilian General Data Protection Law (LGPD). Moreover, the Ministry of Finance’s technical area must be guaranteed access to the operator’s systems and data, the operator must replicate its database and information in Brazil, and the operator must submit an IT business continuity plan;
• Certification: the operator’s systems must be certified by specific Gaming Authority-approved entities. The certificates must attest that these systems fully comply with the technical requirements defined in the ordinance’s annexes I, II and III. Within ninety days of the Gaming Authority publishing the authorization act, the operator must submit an evaluation report for the certifying entity to use when certifying the system requirements. Certificates must be revalidated annually, as well as whenever critical components are included, modified, or removed;
• Guaranteed access for the Gaming Authority: the operator must grant the Gaming Authority’s departments and inspection agents full access to its betting systems at any time if requested. The operator must also forward data concerning bets, players, players’ portfolios, legal destinations, and other information regarding their operations in line with the frequency and format established in the SIGAP Manual.

The annexes in SPA/MF Ordinance No. 722 outline general and technical requirements that operators’ systems must meet, including in relation to:

• Registering users, verifying user identity, recovering accounts, and providing users with information;
• The mandatory use of multifactor authentication;
• A duty to geolocate players to monitor and prevent bets placed by a single player’s account from geographically incompatible locations;
• Fraud prevention processes;
• A list of the types of data that operator’s systems must record;
• The need for certification entities to evaluate operators’ software source code; and
• Minimum access controls and other security requirements.

For more information on the topic, please contact Mattos Filho’s Technology and Entertainment practice areas.