In this article, we show you that responsibility has reached a new level. Now, in addition to “know your customer” (KYC) procedures to prevent fraud, it is necessary to monitor, analyze, and report suspicious activities related to Money Laundering (ML) and Terrorist Financing (TF).
The duty to report: not optional, but mandatory
The relationship between operators and Coaf is based on the duty to report. This does not mean reporting everything, but reporting what is atypical. The intelligence of the operation lies precisely in the ability to distinguish a legitimate high roller from someone trying to launder funds.
Under current regulation, there are clear triggers that require the monitoring of suspicious activities. Operators need well-defined processes for:
Suspicious Transaction Reports (STRs)
This is where complexity lies — and where most operations fail. STRs require analysis. Operators must identify signs of atypical behavior, such as:
* Structuring of amounts (“smurfing”): small and successive deposits to avoid triggering large-transaction alerts.
* Inconsistent financial capacity: a minimum-wage earner moving six-figure amounts in bets.
* Transactions with no economic rationale: deposits followed by immediate withdrawals without meaningful betting activity (“passing money through the house”).
* Resistance to providing information: users who abandon the flow when asked for additional proof of source of funds.
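The structuring and no-economic-rationale indicators above can be written as rules over a transaction ledger. The following is an added example, not code from Legitimuz or from any regulation; the thresholds, field names and sample ledger are assumptions constructed for illustration, and the second rule measures betting turnover rather than elapsed time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the article gives no figures for any of them.
LARGE_TX = 10_000.00           # single-deposit amount that raises a large-transaction alert
WINDOW = timedelta(hours=24)   # look-back window for successive deposits
MIN_DEPOSITS = 3               # how many sub-threshold deposits count as "successive"
MIN_TURNOVER = 0.5             # wagered / deposited ratio below which play is not meaningful

# Constructed sample ledger: (user, ISO timestamp, kind, amount)
LEDGER = [
    ("u1", "2025-03-01T09:00", "deposit", 4000.0),
    ("u1", "2025-03-01T13:00", "deposit", 3500.0),
    ("u1", "2025-03-01T20:00", "deposit", 3900.0),
    ("u1", "2025-03-02T10:00", "bet", 9000.0),
    ("u2", "2025-03-01T10:00", "deposit", 8000.0),
    ("u2", "2025-03-01T10:05", "bet", 50.0),
    ("u2", "2025-03-01T10:20", "withdrawal", 7900.0),
    ("u3", "2025-03-01T11:00", "deposit", 500.0),
    ("u3", "2025-03-01T11:30", "bet", 450.0),
    ("u3", "2025-03-01T23:00", "withdrawal", 700.0),
]

def flag_users(ledger):
    """Return {user: sorted list of indicator names} for users needing human review."""
    by_user = defaultdict(list)
    for user, ts, kind, amount in ledger:
        by_user[user].append((datetime.fromisoformat(ts), kind, amount))
    alerts = defaultdict(set)
    for user, txs in by_user.items():
        txs.sort()
        small = [(t, a) for t, k, a in txs if k == "deposit" and a < LARGE_TX]
        # Structuring: sub-threshold deposits inside one window that together reach the threshold.
        for i, (start, _) in enumerate(small):
            run = [a for t, a in small[i:] if t - start <= WINDOW]
            if len(run) >= MIN_DEPOSITS and sum(run) >= LARGE_TX:
                alerts[user].add("structuring")
                break
        # Pass-through: a withdrawal made while betting turnover on deposits is still low.
        deposited = wagered = 0.0
        for _, kind, amount in txs:
            if kind == "deposit":
                deposited += amount
            elif kind == "bet":
                wagered += amount
            elif deposited and wagered / deposited < MIN_TURNOVER:
                alerts[user].add("pass_through")
    return {u: sorted(a) for u, a in alerts.items()}
```

A flag here is only a qualified alert for an analyst; deciding whether it becomes an STR still requires the contextual review the article describes.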
RBA: The risk-based approach
One of the cornerstones of Portaria 1.143/2024 is the Risk-Based Approach (RBA). The regulator understands that treating every user equally is inefficient. Your operation must segment its customer base.
That is, the operation must classify bettors into risk categories (High, Medium, Low). For a low-risk customer, simplified monitoring procedures may be enough. For high-risk customers — such as Politically Exposed Persons (PEPs) or users in border regions — Due Diligence must be strengthened.
Ask yourself: Can your back office today show, in real time, the 1% of users who account for 90% of your compliance risk?
The 19 monitoring indicators
The Notice establishes that robust operations must monitor around 19 indicators of fraud and criminal activity. This monitoring is not a one-time onboarding event — it is a continuous obligation.
Technology must be capable of answering critical questions:
* Does the system automatically cross-check the bettor’s taxpayer ID with PEP lists and international sanctions lists (OFAC, UNSC)?
* Can it identify whether a user is operating from a high-risk region or using IP obfuscation tools (VPNs/Proxies) to mask their true location?
* Is there monitoring for synthetic accounts or “straw men” operating in clusters?
If the answer to these questions relies on manual work, spreadsheets, or the “intuition” of your risk team, your operation faces severe regulatory risk.
The role of technology and the compliance officer
In this scenario, the role of the Compliance Officer shifts from bureaucratic to strategic. They are the bridge between technology and Coaf.
However, humans do not scale. Trying to monitor thousands of daily transactions “by eye” is humanly impossible and financially unsustainable.
For this reason, artificial intelligence becomes indispensable. An efficient AI can process in seconds what would take an entire team days to analyze, such as:
1- Dynamic risk scoring: assigning a live risk score to each player, updated as their behavior evolves.
2- Continuous monitoring: recurring checks of sanctions and PEP lists (someone who was not a PEP yesterday may become one today).
3- Detection of anomalous patterns: algorithms that identify behavior outside the bettor’s statistical norm, generating qualified alerts for human review.
Technology enables:
* Real-time processing of thousands of transactions
* Identification of high-risk operations
* Forwarding only qualified alerts for human analysis
* Higher effective detection rates
With the right technology, any operation can monitor comprehensively, control costs, and ensure compliance.
Is your operation ready to engage technically with Coaf?
It is essential to remember that ML/TF responsibility falls not only on the company but also personally on its executives.
Failure to report suspicious transactions to Coaf can result in heavy fines (potentially a significant percentage of revenue) and, in extreme cases of proven negligence or intent, criminal liability for facilitating money laundering.
With this in mind, consider: when Coaf requests your records for the past 12 months, will your operation have organized reports or a pile of disconnected data?
Legitimuz
Legitimuz is a Brazilian company specializing in security and compliance solutions for regulated operators. The company offers identity verification (KYC), facial recognition, document analysis, geolocation monitoring, and fraud prevention.
In ML/TF prevention, it developed an automated system aligned with all current regulations, with enhanced Due Diligence, Legitimuz Presumed Income (RPL), real-time monitoring with cross-checking against PEP and international sanctions lists, and a risk-flagging system to facilitate communication with Coaf.
Source: Legitimuz