
API for Banned Players: Regulatory Impacts and Technical Requirements for Integration in the Betting Sector

By Hugo Ribeiro, Legal Manager at Cactus

The implementation of the Impedidos API by the Prizes and Betting Secretariat (SPA/MF) represents a milestone in the regulatory compliance of fixed-odds betting operations in Brazil.

The mechanism will allow for the real-time identification of users legally prohibited from gambling, such as beneficiaries of the Bolsa Família Program and other categories stipulated in Law No. 14,790/2023 and complementary regulations.

Direct operational impact

The API will be incorporated as a mandatory verification layer within the KYC, due diligence and anti-money-laundering flows, resulting in:

  • Immediate blocking of restricted users;
  • Reducing irregular registrations and mitigating regulatory risk;
  • Greater alignment with the requirements of integrity and social protection;
  • Auditable traceability for inspection purposes by the SPA.

This process reduces the operators' exposure to administrative sanctions and increases the regulatory predictability of onboarding, with protection for vulnerable populations identified by the Federal Government.

Data protection aspects and legal limits

Because it involves consulting government databases, the API requires strict adherence to the principles of the LGPD (Brazilian General Data Protection Law), especially:

  • Purpose: For exclusive use in verifying impediments stipulated by law or regulatory standard;
  • Necessity and minimization: Only strictly necessary data can be processed;
  • Transparency and governance: Operators must maintain logs, access controls and audit trails;
  • Non-discrimination: The processing cannot create restrictions beyond those stipulated by the SPA.

Any interpretation by the operator that goes beyond these limits may constitute a violation of the LGPD and give rise to administrative or civil liability.

Necessary regulatory guidelines

To ensure legal certainty and interoperability, the SPA must define minimum technical specifications, including:

  • Authorized query parameters;
  • Categories and granularity of the returned data;
  • Audit requirements and event logging;
  • Retention and disposal rules;
  • Access limits to prevent misuse.

The absence of these parameters can create legal uncertainty and risks of liability for operators, platforms, and integrators.

Conclusion

The Impedidos API is a significant step towards raising the integrity and compliance standards of the Brazilian iGaming market, aligning it with international best practices. Its adoption, however, requires technical and legal rigor: transparency, proportionality, robust controls, and absolute adherence to the LGPD and the SPA regulations.

For operators, preparation should begin now, adjusting systems, onboarding flows, audit trails, and governance structures to ensure a secure integration that is fully compliant with regulatory requirements.
