Brazil’s SPA Turns SIGAP Data Gaps Into Sanction Risk

Brazil’s Secretariat of Prizes and Betting at the Ministry of Finance, SPA/MF, has sent notices to betting operators over inconsistencies in data submitted to SIGAP, the federal betting monitoring system. BNLData reported that the letters went out in June 2026 and require operators to correct the errors.

The shift marks a new phase of enforcement. SPA is no longer only confirming that operators submitted the required files. It is now cross checking data sets against each other and asking operators to explain mismatches. Serpro, the federal technology company that built SIGAP, said the file reception module went live in January 2025 so licensed operators could submit daily operational data.

The legal basis for this scrutiny already exists. Portaria SPA/MF No. 722/2024, published in the Official Gazette on 6 May 2024, sets technical and security requirements for betting platforms and requires operators to send data on bets, bettors, player wallets and legal allocations in the format set by the SIGAP Manual. The rule also grants SPA full inspection access to operator systems on request.

Data localisation rules apply too. Operators must host betting systems and data in Brazil unless specific conditions are met, including legal cooperation agreements between Brazil and the host country and compliance with LGPD, Brazil’s data protection law. Records must be retained for at least five years and stay exportable in formats including XML, XLS and CSV. The rule’s annexes require records covering sports bets, player accounts, wallet balances, tax withheld and total GGR.

BNLData reported that notices vary in severity. Some are technical letters asking for corrections within a set period. Others are formal notifications warning of possible sanction proceedings under existing rules.

The reconciliation problem is structural, not cosmetic. SIGAP pulls data from multiple separate files rather than one report. A payout must appear consistently in both the bet record and the wallet movement. If it does not, the operator’s reported gross gaming revenue can stop reflecting the real operation.

That discrepancy carries fiscal weight. Under Law No. 14,790/2023, GGR feeds mandatory legal allocations tied to sport, health and social security funding. Inaccurate data can therefore create fiscal exposure on top of the compliance breach itself.

BNLData reported that SPA’s cross checking covers data submitted since January 2025, meaning operators that met filing deadlines without verifying internal consistency may now carry accumulated liabilities they were not tracking. For operators already notified, the response needs to be precise, since a weak reply can turn a technical inconsistency into a formal enforcement case.

💡 TGJ Take

Brazil has moved from checking whether operators filed to checking whether their files agree with each other, and that is a harder bar to clear quietly. Portaria 722 already gives SPA the legal hook to inspect systems and demand explanations for any mismatch between bets, wallets and GGR. Operators should audit their own historical SIGAP submissions now, before a regulator notice forces a rushed response. The ones most at risk are not the late filers. They are the operators who assumed clean submission meant clean data.