FRI, DECEMBER 5, 2025 - 07:15 hrs.
Fred Justo, AML Director at Legitimuz

BaaS, fintechs, and ‘bets’: how to close anti-money laundering loopholes in Brazil

Recent mega-operations have exposed how fuel chains, fintechs, and funds were used to launder resources linked to the PCC. SPA/MF regulations and a new Normative Instruction from the Federal Revenue Service (IRS) raise the level of transparency and accountability for financial technology companies, payment systems, and ‘Bets’. Fred Justo, Director of AML at Legitimuz and former General Coordinator of AML at the Secretariat of Prizes and Betting, analyzes the topic in depth.

September arrived with the expectation of spring, but until then, much will still be said about the unfolding of three major operations carried out simultaneously at the end of last month against Brazil’s largest criminal faction, the PCC ('Primeiro Comando da Capital' / First Capital Command).

For the first time, the Federal Police, the Federal Revenue Service and the São Paulo Public Prosecutor’s Office, in a joint action, reached the top echelon and busted the criminal organization’s vault, which moves billions of reais each year.

This money was laundered step by step: first, criminals adulterated and sold fuel; to do this, they acquired and managed more than a thousand gas stations across the country. The revenue from these illegal activities was deposited into fintechs and then transferred to investment and real estate funds.
Some of these funds were headquartered on Faria Lima, considered the heart of Brazil’s financial market. Investigations revealed they were used to shield and conceal illicit money.

But before reaching the funds, the resources passed through fintechs, as the Federal Revenue Service showed.

What has changed: from retail finance to regulated iGaming

A fintech, or financial technology company, is a business that uses technology to provide financial services efficiently and accessibly. They can operate in payments, lending, investments, insurance and financial management.

The goal is to simplify processes, reduce costs and improve customer experience, often challenging traditional banks.

In theory, they democratized services once exclusive to banks. In practice, however, in recent years they were also created for illicit purposes, especially money laundering.

Main vulnerabilities:

- Unknown ultimate beneficiary (who is the true owner of the fintech);

- Companies registered in tax havens, outside oversight;

- Liquidity risk: if the money “disappears,” investors bear the losses;

- Weak regulation: until recently, it was possible to set up a fintech in your backyard.

“Umbrella accounts,” BaaS and shielding illicit capital

The relationship between fintechs and 'Bets' is divided into two parts:

1. Regulated betting market: protected by a robust regulatory framework, such as SPA/MF Ordinance 566/25, which requires financial institutions (IFs), payment institutions (PIs) and payment arrangements to reject accounts from illegal operators. In addition, there is a 24-hour deadline to report suspicious cases to the SPA, including the CNPJ, corporate name and justification.

2. Illegal betting market: without governance, compliance or concern for bettors. These 'Bets' rely on fintechs that operate “on both sides” or exclusively on the illicit side, using PIs, IFs or illegal Pix arrangements that operate under the radar of the Central Bank and the Federal Revenue Service.

Governance that matters (SPA/MF 566/25 and 1.143/2024)

The regulation of the betting sector also includes SPA/MF Ordinance 1.143/2024, specific for AML/CFT. The combination of 566/25 and 1.143/2024 became a watershed moment:

- Mandatory rejection of illegal operators;

- Immediate reporting of suspicious cases;

- Continuous monitoring of betting transactional accounts.

Practical risks: traceability, ultimate beneficiary and liquidity

The illegal market only operates because it attempts to circumvent money tracing. One of the most common tools is the use of “umbrella accounts,” in which the fintech appears as the account holder, but the account hides multiple unidentified subaccounts.

Another critical point is the use of BaaS (Banking as a Service) by shell companies. There have already been cases of companies registered under perfumery CNPJs acquiring BaaS to provide “payment services” to the illegal betting market. The scheme was only uncovered because of multimillion-dollar transactions at unlikely times, such as Friday midnights and Sunday afternoons.
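The pattern that exposed that scheme can be expressed as a transaction-monitoring rule. The sketch below is an added example, not code from the author or any regulator: it flags BaaS clients whose registered activity is not payment-related and who repeatedly move high-value transfers outside business hours. The threshold, business window, activity labels and client identifiers are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed values for illustration; real thresholds come from the institution's risk policy.
HIGH_VALUE_BRL = 1_000_000
PAYMENT_ACTIVITIES = {"payment_services", "financial_institution"}

@dataclass
class Transfer:
    client_id: str            # placeholder standing in for the client's CNPJ
    registered_activity: str  # activity declared at registration
    amount_brl: float
    when: datetime

def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside 08:00-20:00 (assumed business window)."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 20)

def signals(t: Transfer) -> list[str]:
    """Name each risk signal a single transfer trips."""
    hits = []
    if t.amount_brl >= HIGH_VALUE_BRL:
        hits.append("high_value")
    if is_off_hours(t.when):
        hits.append("off_hours")
    if t.registered_activity not in PAYMENT_ACTIVITIES:
        hits.append("activity_mismatch")
    return hits

def flag_clients(transfers, min_hits: int = 2) -> dict[str, int]:
    """Clients with at least min_hits transfers that trip all three signals."""
    counts = Counter(t.client_id for t in transfers if len(signals(t)) == 3)
    return {c: n for c, n in counts.items() if n >= min_hits}

# Constructed sample data, not taken from any investigation.
SAMPLE = [
    Transfer("CLIENT-A", "perfumery_retail", 3_200_000, datetime(2025, 8, 29, 23, 55)),  # Friday night
    Transfer("CLIENT-A", "perfumery_retail", 4_500_000, datetime(2025, 8, 31, 15, 10)),  # Sunday afternoon
    Transfer("CLIENT-A", "perfumery_retail", 1_200, datetime(2025, 8, 26, 11, 0)),       # Tuesday morning
    Transfer("CLIENT-B", "payment_services", 2_000_000, datetime(2025, 8, 31, 15, 0)),
    Transfer("CLIENT-C", "perfumery_retail", 800, datetime(2025, 8, 30, 10, 0)),
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```

Requiring all three signals together, and more than once, keeps a legitimate payment institution settling on a Sunday or a small retailer selling on a Saturday out of the alert queue.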

How to mitigate: 6 immediate measures (for operators and fintechs)

  1. Enhanced due diligence on suppliers;

  2. Automated KYC/AML integrated with official databases;

  3. Geolocation monitoring to identify VPNs/proxies;

  4. Continuous auditing of transactional accounts;

  5. Investment in compliance teams focused on AML;

  6. Adoption of executive risk KPIs understood by the board.
     

Executive KPIs: AML the board understands

For boards and directors to grasp the impact, AML must be translated into metrics such as:

- Approval rate vs. fraud rate;

- Average response time to AML alerts;

- Financial exposure due to tracking failures;

- Volume of transactions preventively blocked.

Equating fintechs to banks and the new reporting standard

After the PCC operations gained national attention, the Federal Revenue Service published a Normative Instruction equating fintechs to banks. Now they are required to provide clients’ financial information, increasing the capacity to track tax crimes and money laundering.

For betting operators, the message is clear: know your suppliers, strengthen compliance and invest in AML. Otherwise, all efforts to maintain a good image may be destroyed by association with the wrong partner.

Fred Justo
AML Director at Legitimuz and former General Coordinator of AML at the Secretariat of Prizes and Betting (SPA/MF).