Back to Blog
5 min read
kyccompliancedeepfakeidentityregulation

The Felca Law and the KYC Challenge: When Digital Identity Becomes a Risk

Brazil's new Felca Law demands robust digital identity verification, but the current landscape shows that even video game characters can fool KYC systems. Understand the risks and challenges facing platforms.

By Murilo Hoffmann from VerXus Team

Leia a versão em Português

Brazil's regulatory landscape has just gained a new milestone: Law No. 15,211/2025, popularly known as the Felca Law. While public debate has focused on child protection, the operational impact on technology platforms and social networks is profound.

The central issue? The mandatory implementation of robust age and identity verification mechanisms. However, while regulators tighten the noose, both organized crime and ordinary users are escalating their arsenal. The battlefield is now KYC (Know Your Customer), and the adversary goes by names like Deepfake, Social Engineering, and curiously, Skyrim (yes, the RPG game).

What Does the Felca Law Require in Practice?

The Felca Law is not merely a recommendation. It establishes clear obligations (Art. 24) for IT service providers:

  • Parental Linking: Accounts for minors under 16 must be mandatorily linked to a legal guardian.

  • Continuous Verification: Platforms must constantly improve their verification mechanisms to identify non-compliant users.

  • Direct Liability: Fines of up to 10% of revenue, capped at R$50 million per violation.

This pressure forces companies to implement more rigorous KYC processes. But in the digital environment, "knowing your customer" has become a herculean technical task.

The K-ID Case: When an RPG Beats Cybersecurity

If you think KYC Bypass attacks require supercomputers or extremely efficient AI models, the recent case involving the K-ID platform (which specializes precisely in age verification for child safety) proves otherwise.

Ver publicação no Xx.com/NP__Oficial/status/2034431391128014964

An attacker completely subverted the verification system using the screen from RaceMenu, a character customization mod for the game Skyrim. By manipulating the 3D model in real time to simulate basic facial movements, the liveness system was fooled by a video game character.

The Diagnosis: The system failed to distinguish the texture and artifacts of a game rendering from a real video capture. This demonstrates that if a 2011 game engine can fool a modern KYC system, the use of generative AI and Deepfakes (as warned by Kaspersky) raises the risk to an existential level for platforms.

The Entry Barrier: The Cost of Compliance

Implementing these layers of protection is not just a technical challenge but also a financial one. The unit cost of each KYC verification, combined with data processing infrastructure and biometric software licensing, becomes unfeasible for many Brazilian startups and initiatives.

Often, the cost of validating each user consumes the profit margin of small projects, creating a scenario where regulatory compliance serves as an insurmountable entry barrier. For these smaller initiatives, the dilemma is harsh: either invest capital they don't have in compliance solutions, or operate under the risk of fines that could annihilate the business.

The Anatomy of KYC Bypass

To understand how incidents like the K-ID case happen, we need to examine the bypass tactics:

  • Liveness Bypass: The use of synthetic or real-time rendered content to mimic physiological reactions. The use of Skyrim's RaceMenu illustrates the technical gap: the system accepts the rendering as "proof of life" because it fails to validate the integrity of the capture source or the real depth of the object.

  • Injection Attacks: The attacker injects a video stream (whether from a game or a deepfake) directly into the camera interface via virtual drivers, completely bypassing the physical hardware capture.

  • Social Engineering (KYC Phishing): Criminals create fake websites that simulate identity verification processes. The victim, believing they are complying with the Felca Law, voluntarily provides high-resolution photos of their face and documents, which are later used to fuel account takeover attacks.

The Dilemma: User Experience vs. Security

Here lies the challenge for C-Level executives. The Felca Law demands an entry barrier, but the market demands minimal friction. If the KYC process is too complex, the user abandons the platform; if it's too simple, the system succumbs to bypass attacks.

Modern protection needs to look beyond the image:

  1. Metadata and Hardware Analysis: Identifying whether the signal comes from a legitimate physical camera or from software such as OBS Studio.

  2. Behavioral Biometrics: Analyzing how the user interacts with the device, identifying non-human patterns.

  3. Rendering Artifact Detection: Defense layers that identify synthetic textures or lighting patterns typical of game engines and AIs.

Conclusion

The Felca Law places digital identity at the center of compliance strategy in Brazil. However, complying with the law requires more than a form. In a scenario where security systems are defeated by RPG characters and data is stolen through social engineering, a platform's robustness is measured by its ability to distinguish the real from the synthetic.

For companies, the message is clear: static KYC is dead. The future belongs to those who implement dynamic verifications, resistant to the era of generative AI and digital injection tricks.

References