The SPA's refinement (effective Q2 2026) is best understood as a tightening exercise rather than a rewrite. The schema's logical model is unchanged: per-jurisdiction transaction ledger, signed-receipt webhook replay, and the SIGAP submission template are still the load-bearing artefacts. What changes is granularity and a few new mandatory fields.
New fields: device-fingerprint hash on every play attempt, payment-method category enumeration on every deposit (PIX vs card vs wallet-credit), withdrawal-reason code on every cashout request, four AML risk-tier flags on the player record, and a 'source of funds' code for any deposit above the operator-configurable threshold (default BRL 5,000). The remaining three are reshapes — most notably, the timestamp granularity moves from second-level to millisecond-level, which is a wallet-side adjustment.
On the platform side, the schema diff lands as a one-week sandbox-and-test pass for operators already running with us. The bigger question is the operator-side AML model: the four-tier flag enumeration is more aggressive than what most operators run today, and we recommend that the operator-side compliance team reviews the tier mapping ahead of the production cutover. We can supply the platform-side fields; the operator owns the decisioning.