“We’ve moved away from an onboarding process that was almost entirely focused on speed and converting new users to a continuous, risk-based model designed from the ground up, meeting the kind of compliance standards you’d expect from a bank,” Karen Cardieri tells Payment Expert.
This shift is forcing operators to redesign products, reallocate tech resources and rethink how they measure success. Conversion is no longer the only metric that matters; the quality and durability of risk assessment now sits alongside it.
From conversion funnel to continuous risk management
Before Law 14,790, many Brazilian operators treated KYC as a light, “one-and-done” check at registration, with minimal friction to avoid losing new customers.
Now, Cardieri says, onboarding has become the first step in a continuous identification, verification and monitoring process. Operators are expected to assess a player’s risk from the outset and then keep revisiting that assessment over time. Accounts are reviewed when behaviours change, spending spikes, new payment methods appear or links to other players emerge.
This requires much deeper document collection, validation against external databases and watchlists, and tighter collaboration between business, risk, legal and payments teams. Onboarding is no longer the domain of UX and marketing alone; it is a core AML control.
“At the end of the day, the biggest change is that Brazilian operators must now think of onboarding and due diligence as a serious tool for preventing money laundering and terrorist financing, not just as a funnel to get new customers,” Cardieri notes.
Suspicious by whose standard?
If onboarding has grown up, transaction monitoring is where the toughest challenges are emerging. SPA’s expectations for identifying and reporting suspicious activity go beyond what many operators were equipped to deliver.
Cardieri sees three overlapping problems: legal, technical and cultural. Legally, teams are still grappling with a shared definition of what “suspicious” means in practice. Regulations set out a broader range of scenarios to flag, but without clear internal policies and training, staff are caught between over-reporting and under-reporting.
On the technical side, most operators did not build their platforms to behave like bank-grade monitoring engines. Data from gaming systems, payment gateways, affiliates and banking partners is often fragmented, making it difficult to detect complex patterns in real time. Poor-quality onboarding data then feeds false positives and obscures real risk.
Finally, culture is lagging. In many businesses, compliance is still seen as a cost centre rather than a strategic function.
“We’re still building the habit of documenting everything, explaining the logic behind our decisions, and maintaining a solid audit trail,” Cardieri says. Getting budget for specialist staff and tools, or prioritising internal investigations, is still a battle in some departments
Ahead of the curve on paper, but not yet in practice
On paper, Brazil is now one of the most demanding betting jurisdictions in the world, with Law 14,790 and SPA rules holding operators to standards that resemble those in banking.
Cardieri is cautious about declaring the market “ahead of the curve” just yet. She points to four trouble spots that risk undermining ambition.
First, a risk-based approach often exists in name only. Fearful of doing too little, many operators apply the same heavy controls to every customer, regardless of product, risk profile or payment method. That creates friction for low-risk players while still leaving gaps elsewhere.
Second, talk of source-of-funds checks frequently outpaces reality. “Most companies are still just taking the customer’s word for it or relying on simple signals like the amount, frequency, and type of payment,” she said, with more advanced analytics and behavioural models still in their infancy.
Third, the “risk chain” between operators, affiliates and payment providers remains loosely connected, despite regulations making clear that they share responsibility. Governance, contractual clauses and ongoing monitoring of third parties are not yet at the level the rules demand.
Finally, everyone is flying somewhat blind. In the absence of a track record of inspections and penalties, there is uncertainty about what “good” really looks like, and some operators underestimate risks such as PIX mule networks or the overlap of gambling with crypto and informal cash-in schemes.
Hiding the hard work: building “invisible” compliance
The tougher rulebook could easily translate into painful friction for players. Cardieri argues the way out is to design customer journeys with risk in mind from day one, instead of treating compliance and UX as opposing forces.
The starting point is to treat different risks differently. Low-risk customers making small transactions should move through an automated, low-friction journey, while higher spend, unusual behaviour or other red flags trigger more documents, additional questions or manual reviews.
Behind the scenes, data services, digital ID verification, biometrics, watchlist screening and real-time behaviour checks should do as much of the work as possible. Customers are only asked for extra information when automated checks cannot resolve a concern.
When friction is necessary, clarity matters. Cardieri recommends straightforward explanations – for example, that information is needed to meet regulations or protect funds – and complete transparency around withdrawal conditions from the start. Simple tools such as FAQs and status bars that show where a verification sits in the process can help manage expectations and reduce support queries.
Crucially, she adds, “getting people signed up and keeping an eye on their accounts isn’t just a ‘compliance feature’ you can tack on at the end.” Product, UX, risk, compliance and payments teams all need to co-own the journey and track risk metrics as closely as conversion.
Data, partners and the Brazilian stress test
The law’s emphasis on audit trails and traceability means operators must be able to reconstruct a customer’s story and money flow in “just a few clicks”, rather than launching ad hoc internal projects when regulators ask questions.
This vision depends on a single customer view linking registration, gameplay, deposits, withdrawals, bonuses, support tickets and AML alerts, as well as transaction records that clearly show origin, destination, payment method, timestamps and reconciliation IDs.
A centralised compliance data store drawing from gaming, payments, CRM and AML tools, combined with immutable audit logs, is becoming table stakes.
Third-party relationships are also being rewritten. Affiliates and payment providers are no longer simple vendors; they are treated as extensions of the operator’s regulatory risk. Vetting now extends to ownership checks, sanctions screening and assessments of partners’ own KYC, AML and responsible gambling policies, with contracts packed with detailed compliance obligations, audit rights and remediation expectations.
This is driving a shift from “more is better” to fewer, deeper partnerships, standardised data formats and tighter integration into operators’ risk frameworks and incident plans.
For international brands eyeing Brazil as a gateway to Latin America, Cardieri’s message is that you cannot just copy and paste a European compliance setup. The unique mix of Law 14,790, SPA rules, Central Bank regulation and the central role of PIX means local payment culture and banking integration are inseparable from betting compliance.
Ultimately, she suggests, Brazil is becoming a stress test for global AML and KYC readiness. If operators can build systems that satisfy this regime, they will be far better prepared for the next wave of regulation elsewhere.
Source: Payment Expert
