New ordinance regulates technical requirements for sports betting systems

May 10th, 2024

SPA/MF Ordinance No. 722, which establishes the technical and security requirements for betting systems, as well as their sports betting and online gaming platforms, was published on May 03, 2024.

Ordinance 722 stipulates that the betting systems (sports betting platforms and online games) used by betting operators to provide fixed-odds lottery services must comply with the technical requirements set out in the ordinance.

In this regard, Ordinance 722 establishes several parameters:

  • The electronic channels used by sports betting operators to provide fixed-odds betting services within a virtual environment must use the “bet.br” domain registration.
  • The data center used must be ISO 27001 certified to guarantee information security standards.
  • The use of databases and systems located outside national territory will only be allowed in countries that have an International Legal Cooperation Agreement with Brazil, in civil and criminal matters jointly, provided that item VIII of the head paragraph of art. 33 of Law No. 13.709, of 2018, is observed, and four other requirements are cumulatively fulfilled:
    • The data holder must authorize, specifically and in advance, the international transfer of their personal data, and the sports betting operator must provide clear information on the purpose of the operation;
    • The competent technical department of the Ministry of Finance must have secure and unrestricted access, remotely and in person, to the systems, platforms and data of the operation;
    • The sports betting operator must replicate, in Brazil, its database and information, which will be updated continuously, ensuring that all instances of the database have the same content, and that they are tested periodically; and
    • The sports betting operator must present an Information Technology business continuity plan to address critical scenarios that could jeopardize the security of the operation and data, containing at least:
      • Mapping of probable loss scenarios;
      • Risk identification, analysis and assessment;
      • Prevention and mitigation actions; and
      • Appointment of competent agents.
  • The betting system must have a “control program” (application or software) in place to control behaviors related to any requirement defined by the Ministry of Finance’s Secretariat of Prizes and Betting. This control program must comply with specific requirements regarding its algorithm and functions.
  • Players must be over 18 years of age, with their identity verified through facial recognition and a valid Individual Taxpayer Registration (CPF) number. The account will be activated after the player’s age and identity are successfully verified and the player agrees to the policies and terms, accepts the privacy policies and authorizes data monitoring, as long as the account is not on any exclusion lists. In addition, authentication must be done with a username and password or biometrics, including a multifactor recovery process involving facial recognition in the event that an account holder forgets their authentication information or the account is blocked.
  • The betting system must detect the use of programs that can bypass detection of the bettor’s location, man-in-the-middle attacks, system-level tampering, among others.
  • The betting system must keep and back up all recorded data for at least five years. In addition, it must keep records of bets placed and data regarding payments to bettors, taxes, transactions in the bettor’s escrow account, the operator, and events such as successive wrong logins and system unavailability, among others.
  • Bettors must be informed of the use of cookies when installing the betting software or accessing it via internet browsers to place bets. When cookies are necessary for betting, the operation cannot take place if the cookie policy is not accepted by the bettor. Cookies must not contain malicious code.
  • The installed gaming software must comply with several parameters, such as authenticating that all its critical components are valid each time the software is booted up for use or on demand. The software must not automatically disable antivirus programs or alter any firewall rules configured by the device. In addition, the integrity of the software must be preserved, and the software must not store confidential information.
  • The online gaming platform must display directly on the user interface or on a page accessible to the player:
    • the rules and content of the games;
    • player protection information;
    • the terms and conditions of use; and
    • the privacy policy.
  • Several information security requirements must be complied with, such as:
    • Server location: Servers must have physical and logical protection, with monitoring and access controls to prevent damage and unauthorized access.
    • Logical access control: The system must use secure authentication methods, such as passwords and biometrics, with formal procedures for managing credentials and access levels.
    • User authorization: There must be procedures in place to identify suspicious accounts, restrict the use of utilities that could compromise the system and require the regular update of passwords.
    • Data protection: The system must have methods to protect data from unauthorized changes or access.
    • Access restriction: Access to workstations must be limited and files must be encrypted.
    • Safe storage: Data must be stored on encrypted and protected servers.
    • Change control: Any user information changes must strictly require documentation that identifies the user.
  • Finally, the contracting and use of third-party services must include all relevant security requirements, and must be monitored and reviewed annually. Additionally, third-party access rights must be removed at the end of the contract or agreement.

Demarest’s Privacy, Technology & Cybersecurity team is available to provide any further clarifications.