The Secretariat of Prizes and Betting (SPA) advanced in its regulatory agenda and issued, last Friday (12), Ordinance No. 1,143/2024. Detailing what was already provided for by law, the Ordinance introduces relevant innovations regarding how the gambling sector will deal with money laundering, terrorism financing, and the proliferation of weapons of mass destruction.
It is important to emphasize that the Ordinance does not introduce the topic for the first time, as the Money Laundering Law, in 2021, was amended to include in its article 9, VI, that fixed-odds betting companies distributing money, movable property, real estate, and other goods or services are subject to the obligations of client identification and record-keeping, as well as the communication of financial operations (Articles 10 and 11 of Law 9,613/98).
In this sense, what the Ordinance innovates is by providing greater detail on who the actors in this market are, their respective roles concerning the prevention and combat of money laundering, terrorism financing, and the proliferation of weapons of mass destruction, and what is expected of them.
One of the important points introduced by the Ordinance is the definition of the betting operator agent as the central figure responsible for implementing the mentioned controls.
It is worth mentioning that the mentioned controls are already applicable to various obligated parties, such as stock exchanges, credit card administrators, leasing companies, individuals or legal entities that trade jewelry, luxury goods, as well as those engaged in real estate promotion activities, among others (Art. 9 of Law 9,613/98).
Thus, with the issuance of the Ordinance, betting operator agents start to use the well-known Financial Activities Control System (SISCOAF), without the creation of a specific system for these actors. The use of SISCOAF indicates an obvious but very central point: it is expected that these betting operators review each of their operations and report whenever they identify any with a high risk of money laundering and/or terrorism financing and the proliferation of weapons of mass destruction. And, to do this, the Ordinance itself makes the risk assessment procedure to be used very clear.
According to article 16 of the Ordinance, betting operator agents must adopt procedures that allow the qualification of bettors through the collection, verification, and validation of information compatible with their risk profile. More specifically, the procedures must include the registration information of their users, an in-depth evaluation between the bet and the economic-financial capacity, and whether or not the user has the status of a PEP (Politically Exposed Person).
These points, although seemingly elementary, are of extreme relevance for those who work in the sector because it signifies the need for an internalized Compliance area within these companies, capable of building (i) mechanisms for developing a risk matrix, (ii) policies for treating this risk matrix, (iii) documentary verification of each person qualifying as a bettor, and (iv) routines for comparing the bettor's operation with their specific profile.
What can be perceived is that compliance with the Ordinance requires a strategic and coordinated execution of many tasks. Therefore, an executive vision based on priorities is fundamental.
In this context, based on our expertise with other sectors that have faced these challenges, we will share some ideas that have already been tried in practice and that may be useful.
As a first step, it is relevant that the agent revisits or develops policies dedicated to the topic. These documents, in a macro way, will translate and document the agent's good intentions to prevent illegal conduct. At the same time, they will serve as a true accountability tool and positive proof of the institutional commitment to regulatory compliance.
The Ordinance expressly states that internal policies must define roles and responsibilities in the execution of the prescribed obligations and the development of a compliance program that includes fostering an organizational culture aimed at preventing money laundering and terrorism. Indeed, like other regulations, such policies should establish compliance-by-design routines, where prevention is a premise of analysis for any new product or initiative (Article 7°), even before its go-live.
This is a functional approach because the structuring of such documents will necessarily involve a careful review of the agent's governance structures, identifying any flaws, gaps, and areas for improvement.
Moreover, the obligation to publish these policies online (Article 12) is not just a requirement but a true opportunity for the agent to demonstrate its commitment to transparency and demystify nuances of social insecurity that often, without reason, hover over its activities.
The Ordinance also outlines the necessary risk assessment procedures. These tasks will translate the prevention objectives of the policies into practical routines. In this regard, we highlight the measures related to the agent's internal routines. Thus, the company must define its own risk matrix according to its activities, considering bettors, business model, employees, third parties and suppliers, and their operations (Article 14).
Documenting the risk matrix will allow the agent to identify and prioritize the most significant risks, develop mitigation strategies, and make informed decisions on how to handle these risks. This is essential for effective risk management and strategic decision-making.
Additionally, the obligation to validate bettors' identities (Article 15) must follow the technical facial recognition model in the bettor's registration, as defined in the technical requirements annex of Ordinance SPA/MF No. 722/2024.
As mentioned above, the Ordinance stipulates that operator agents must work to qualify bettors. This classification should consider at least three points that can reveal risks: the comparison between the bettor's economic-financial capacity and their activities on the platform, the status of being a publicly exposed person, and obtaining registration information for each bettor.
The operator agent then has the explicit obligation to profile all its bettors and users to indicate any suspicions and potential deviant behaviors (Articles 18, 19, and 20). The use of technology in this task is of particular importance, including the use of artificial intelligence to identify patterns and pinpoint any anomalies or unusual movements. Governance over these mechanisms is essential to ensure the security of the results and evaluations.
The Ordinance also addresses the identification, qualification, and classification of risks related to employees, partners, and outsourced service providers. Thus, operator agents must know these individuals and include identification and qualification procedures to assess and mitigate risks. There is also the obligation to store the registration data of these actors for at least 5 years after the end of the relationship (Articles 21 and 22).
Regarding the procedures related to communications to COAF, there is an express provision for betting operators to implement monitoring, selection, and analysis procedures for bets and operations, aiming to identify those that may indicate money laundering and terrorism financing practices (Articles 23 to 26). Agents must adopt a series of tasks to identify and report any unusual movements according to an extensive list of criteria provided in the Ordinance.
Revisiting procedures with employees and third parties is also fundamental at this stage. Here, the importance of proper third-party management with well-designed approval, contracting, and monitoring steps is highlighted.
As mentioned at the beginning of this article, once the policies are established and internal routines are improved, the agent will also have the homework of being prepared to make the necessary reports to the authorities. This includes (i) registration with the Financial Activities Control System (SISCOAF); and (ii) making communications to COAF whenever their analyses indicate or conclude the occurrence of money laundering or illicit financing (Articles 27 to 29). It should be noted that the SPA must also be informed in the event of no occurrences of proposals, transactions, or operations subject to reporting (Article 30 in conjunction with Article 11, III of Law 9,613/98).
From all this, it can be concluded that betting operator agents now have both a pain and a delight: the positive point is that we are dealing with a sector that is still structuring itself, which makes it possible to implement these policies in operations from the start. On the other hand, there is some uncertainty, given that much of the existing doctrine, best practices, and professional training for risk management is directed at the financial sector or traditional sectors of money laundering and terrorism financing. Therefore, there is no doubt that the betting sector will need to focus on creating a specific risk taxonomy to have something centered on its own operation in the long run. What and how to prioritize, for now, remains a bet where the operator agent who gets the prognosis right gains an advantage over the others.
Maria Clara Martins
Compliance Lawyer at Machado Meyer Advogados
Maurício Tamer
Digital Law and Data Protection Lawyer at Machado Meyer Advogados
