Law No 4,595, of 31 December 1964 (“Law No 4,595/1964”), also called the Banking Reform Law, established the National Financial System (SFN) and outlined the structure and attributions of the National Monetary Council (CMN). The primary purpose of Law No 4,595/1964 is to regulate the activities of the banking sector, seeking to ensure the stability and security of the financial system and to promote transparency and consumer protection. In addition, the legislation seeks to align with international standards and guidelines, reinforcing the commitment to the integrity and efficiency of the financial system.

The Brazilian SFN is composed of a set of institutions, rules and regulations that structure and govern the country’s financial activities. The operation of the SFN is based on the guidelines established by the CMN, the Central Bank of Brazil (BCB) and the Brazilian Securities and Exchange Commission (CVM), aiming to ensure efficiency in the allocation of resources and promote the stability of the financial system.

SFN regulation is applied to financial institutions in a segmented manner, considering the size of their exposure to risks and the relevance of their international operations. Thus, institutions with greater exposure to risks or with significant international operations are subject to a more extensive and complex set of regulations. On the other hand, those with lower exposure to risks or with reduced external performance follow fewer complex rules, without prejudice to prudential requirements in both cases.

In addition, the rules governing the SFN are established by joint decisions of the CMN, the BCB and the CVM. The proposals submitted to these joint bodies are based on technical studies and recommendations from multilateral entities that formulate financial standards, often through public consultations.

Finally, Law No 4,728, of 14 July 1965 (“Law No 4,728/1965”) stands out, as it is responsible for regulating the capital market in Brazil, establishing rules for its operation.

CMN Resolution No 4,970/2021 establishes the normative guidelines to regulate the authorisation procedures related to the operation of financial institutions that depend on prior authorisation from BCB. This rule outlines the essential requirements for granting authorisation, including:

• the economic and financial capacity of the controllers, individually or jointly, compatible with the capital necessary for the structuring and operation of the institution, as well as the contingencies arising from the market dynamics;
• the lawful origin of the resources used in the payment of the capital stock, in the acquisition of control and qualified interest;
• the economic and financial viability of the enterprise;
• compatibility of the information technology infrastructure with the business complexity and risks;
• the unblemished reputation of holders of positions in statutory or contractual bodies, of controllers and holders of qualified interest, in the case of individuals;
• knowledge, among the administration, of the business line, the segment in which the institution intends to operate, the market dynamics, the sources of operational resources, the management of the activities and risks associated with them;
• technical training of the administrators, compatible with the functions to be exercised during their term in office; and
• compliance with the minimum capital and equity requirements provided for in the regulations in force.

To supplement these guidelines, BCB Normative Ruling No 299/2022 describes the procedures, terms and information necessary to instruct authorisation requests regarding financial institutions governed by CMN Resolution No 4,970/2021.

Requests for authorisation must be filed with BCB, addressed to the Financial System Organisation Department (DEORF), accompanied by the relevant documents and information listed in Article 5 of BCB Normative Ruling No 299/2022.

With regard to terms, BCB Resolution No 317/2023 establishes the maximum term for the administrative decision on requests for public acts for the release of economic activity submitted to BCB. The rule sets a limit of three 360 days for the analysis and decision on the authorisation for the organisation and operation of financial institutions, thus ensuring that a reasonable amount of time is allowed for the examination of requests submitted to the regulatory authority.

Once the authorisation for the institution’s operation has been granted, BCB must be informed of the start date of the activities within five days after the commencement of operations, by means of registration in the Central Bank’s Information System on Entities of Interest (“Unicad”).

Brazil has a diverse range of financial institutions, classified according to the line and type of activity they carry out, namely:

• development agencies;
• savings and loans associations;
• commercial banks;
• foreign exchange banks;
• development banks;
• investment banks;
• multiple banks;
• mortgage companies;
• credit unions;
• leasing companies;
• foreign exchange brokerage companies;
• securities brokerage companies;
• direct credit companies;
• credit, financing and investment companies;
• real estate credit companies;
• micro-entrepreneur and small business credit companies;
• bonds and securities distributing companies;
• inter-personal loan companies; and
• service confederations.

Each of these institutions operates in different segments, fulfilling specific roles in the national financial system, according to the activities and services they are authorised to perform by BCB.

Within the Brazilian legislative framework, Law No 4,595/1964 gives BCB responsibility for granting authorisations for the acquisition and/or change of control of financial institutions. National Monetary Council Resolution No 4,970/21 regulates the authorisation process related to these institutions, especially in matters of control, with the following definitions.

• A controller is a person or group of persons (control group) that holds:
1. in joint-stock companies, the majority of the voting capital; or
2. 75% of the capital stock in limited liability companies.
• A control group is a group of persons (individuals or legal entities) bound by a voting agreement or common control, that have control of the financial institution in a direct or indirect manner.
• A qualified interest holder is a person (individual or legal entity) that is not a controller, but holds 15% of the voting capital or 10% of the non-voting capital of a company that indirectly controls a financial institution, or that holds:
1. direct interest of 15% of the voting capital; or
2. direct interest equivalent to 10% or more of the non-voting capital; or
3. control of a company that holds 15% of the voting capital or 10% of the non-voting capital.

The control of financial institutions may only be exercised by individuals, institutions authorised by BCB, foreign financial institutions or national legal entities whose corporate purpose is exclusively to hold equity interest in financial institutions.

The change of control must be previously authorised by BCB, which has up to 360 days to analyse the feasibility of the change of control, based on the following requirements:

• a demonstration of the economic and financial capacity of the controllers, individually or jointly, compatible with the capital necessary for the structuring and operation of the institution;
• the lawful origin of the resources used in the acquisition of control and qualified interest; and
• the unblemished reputation of the controllers.

In turn, the assumption of the condition of holder of a qualified interest (that is, the direct or indirect acquisition of 15% of the voting capital or 10% of the non-voting capital of the financial institution) does not require prior authorisation from BCB. However, it is necessary to report the act within 15 days after the occurrence. The same applies to any change in the corporate composition of financial institutions, which must be informed to BCB, which will have up to 180 days to carry out the analysis.

CMN Resolution No 4,595/2017 establishes that financial institutions authorised by BCB must implement and maintain a compliance policy appropriate to the nature, size, complexity, structure, risk profile and business model of the institution, in order to ensure effective compliance risk management. Such a policy must clearly define the purpose and scope of the compliance function, as well as the responsibilities involved, avoiding conflicts of interest. In addition, it must:

• specify the position of the compliance unit in the organisational structure;
• ensure the independence and authority necessary for the performance of the functions;
• allocate sufficient resources;
• ensure free access to information; and
• provide channels of communication with the executive board, the board of directors and the audit committee, if any.

Those responsible for compliance have a duty to test and assess the institution’s adherence to the legal framework, non-constitutional regulations and codes of ethics, in addition to supporting the board of directors and the executive board in the correct application of these regulations. It is also up to these professionals to train employees and outsourced service providers on topics related to compliance, ensuring the dissemination of risk knowledge and mitigation.

BCB Normative Ruling No 299/2022 supplements this framework by requiring that the documents for requesting the institutions’ operating authorisation include a business plan or executive summary, which must include the corporate governance standards and structure adopted, duly compatible with the complexity and risks of the business.

The Code of Best Corporate Governance Practices, developed by the Brazilian Institute of Corporate Governance (IBGC) and currently in its 6th edition, is not mandatory but is widely used as a reference by financial institutions in the improvement of their governance practices. This new edition places ethics at the centre of its guidelines, expanding its application beyond the protection of partners against abuse and fraud to also encompass relationships with stakeholders, including employees, suppliers, customers and society in general, reinforcing the role of institutions in ethical and responsible action at all levels.

Another relevant aspect brought by the 6th edition is the emphasis on the clear definition of the purpose of organisations, which should guide their strategies and culture, focusing on the creation of shared value between partners and other stakeholders. This approach reflects a more comprehensive view of corporate governance, which goes beyond maximising value for shareholders, also seeking to create value for society and the environment.

Finally, the Code introduces expanded diversity and inclusion guidelines, which must now be observed in the appointment of directors and auditors, as well as in the composition of the executive board. In addition to the gender criterion, diversity must cover colour or race, ethnicity, sexual orientation and different professional experiences, reflected in the competency matrix. This approach seeks to foster a plural environment that promotes innovation and sustainability, while ensuring the organisation’s sensitivity to the economic, social and environmental impacts of its operations.

With regard to the registration and supervision of senior management, CMN Resolution No 4,970/2021 establishes that the taking of office and the exercise of elected or appointed positions for the senior management of financial institutions are subject to prior authorisation by BCB. Such authorisation depends on compliance with requirements related to the unblemished reputation of the candidates, as well as the demonstration of technical training compatible with the functions to be performed during the term of office.

For proving an unblemished reputation, factors such as the following are considered:

• the absence of criminal proceedings or police investigations;
• judicial or administrative actions related to SFN or the SPB;
• proceedings concerning insolvency, liquidation, intervention, bankruptcy or judicial reorganisation;
• breach of obligations; and
• other similar situations, occurrences or circumstances.

In the assessment of these situations, the relevance, severity, recurrence and specificities of each case are taken into account.

Regarding the technical training of senior management members, BCB analyses the skills and qualifications required to perform the functions, ensuring that they are compatible with the nature, size, complexity and risks involved in the institution’s operations.

The conditions established for the exercise of senior management positions include:

• the obligation to reside in Brazil for management positions;
• the absence of legal impediments, including convictions for bankruptcy crimes, tax evasion, malfeasance, active or passive corruption, bribery, embezzlement, infractions against the economy, forgery, infractions against property or SFN, or even convictions that prohibit access to public positions, even temporarily;
• the non-declaration of disqualification or suspension for the exercise of positions in statutory or contractual bodies of institutions authorised to operate by BCB; and
• the absence of a declaration of bankruptcy or insolvency.

In addition, BCB reserves the right to determine the removal of members of statutory or contractual bodies in the current term of office if circumstances are identified at any time that characterise non-compliance with the unblemished reputation requirements and the other requirements mentioned above.

CMN Resolution No 5,177/2024 regulates the compensation policy applicable to the administrators of financial institutions authorised to operate by BCB. The rule establishes that institutions must implement and maintain a compensation policy based on criteria that consider the nature, size, complexity, structure, risk profile and business model of the institution, in order to avoid encouraging behaviours that may increase risk exposure beyond prudent levels. In addition, this policy must be based on transparent criteria that ensure the absence of discrimination.

With regard to the compensation of the administrators responsible for the areas of internal control, risk management, compliance and internal audit specifically, the Resolution determines that it must be structured in such a way as to attract qualified and experienced professionals, without connection to the performance of the business areas, thus avoiding conflicts of interest.

The compensation policy requires approval by the general meeting in credit unions, while in other financial institutions it is up to the board of directors to approve and supervise the policy, including its planning, execution, control and review.

With regard to variable compensation, the Resolution allows it to be paid through various instruments, such as cash, shares or other assets, in proportion to the responsibility and function of the administrator. The rule also emphasises that the ratio of fixed to variable compensation must be balanced.

For the payment of variable compensation, the following criteria, among others, must be observed:

• In determining the overall amount and the allocation of compensation, the current and potential risks, the overall result of the institution, the cash generation capacity, the economic environment and the long-term prospects must be considered.
• In the individual compensation of the administrators, the individual performance, the performance of the business unit and the performance of the institution as a whole, in relation to the risks assumed, must be assessed.

For institutions with shares traded on the stock exchange or that issue stock-based instruments (Stock Options), 50% of the variable compensation must be paid in shares. For other institutions, the compensation must consider the variation in the book value of net equity. In addition, at least 40% of the variable compensation must be deferred for future payment, with a progressive increase of this percentage according to the level of responsibility of the administrator.

Finally, institutions that are registered as publicly held companies and that are leaders of a prudential conglomerate classified in Segments S1, S2 and S3 shall constitute a statutory body called a “compensation committee”. This committee shall prepare a document called “compensation committee report”, on an annual basis, referring to the base date of 31 December.

BCB plays an essential role in the Brazilian System for Preventing and Fighting Money Laundering and Terrorism Financing, contributing significantly to the mitigation of risks and their financial repercussions within the scope of SFN. In addition, BCB is responsible for regulating and supervising the activities of financial institutions and other entities authorised to operate by BCB in the fight against money laundering and terrorist financing (PLD/FT).

In this sense, Circular Letter No 3,978, of 23 January 2020, provides for the policy, procedures and internal controls to be adopted by institutions authorised to operate by BCB, in order to prevent the use of the financial system for the practice of crimes of laundering or concealment of assets, rights and values and terrorist financing. The main requirements to be implemented by the institutions are as follows:

• implementing and maintaining an internal policy based on principles and guidelines that seek to prevent PLD/FT practices, compatible with the risk profiles of customers, the institution, operations, transactions, products, services and employees, partners and outsourced service providers;
• having a governance structure in order to ensure compliance with the policy mentioned above and the PLD/TF internal procedures and controls;
• carrying out internal assessment with the purpose of identifying and measuring the risk of using their products and services in money laundering and terrorist financing;
• implementing procedures aimed at knowing their clients, including procedures that ensure due diligence in their identification, quantification and classification, including for administrators of corporate clients;
• implementing procedures that allow them to qualify their clients as politically exposed persons;
• maintaining records of all operations carried out, products and services contracted, including withdrawals, deposits, contributions, payments, receipts, transfers of funds and transactions in the foreign exchange market;
• implementing procedures for monitoring, selecting and analysing transactions and situations in order to identify and pay special attention to suspicions of money laundering and terrorist financing;
• reporting transactions or suspicious situations of money laundering and terrorist financing to the Council for Financial Activities Control (COAF);
• implementing procedures aimed at knowing their employees, partners and outsourced service providers, including identification and qualification procedures;
• establishing monitoring and control mechanisms, in order to ensure the implementation and adequacy of the policy mentioned in the first point above, the procedures and internal controls; and
• assessing the effectiveness of the policy, procedures and internal controls.

In this context, BCB is also responsible for:

• monitoring and supervising the compliance of supervised entities with the rules in force;
• maintaining the Customer Register of the National Financial System (CCS), which is set out as a system for registering the relations between financial institutions and other entities authorised by BCB and customers;
• communicating:
1. evidence of crimes related to money laundering and terrorist financing to COAF;
2. evidence of crimes of public action identified in the exercise of its duties to the Public Prosecutor’s Office; and
3. any irregularities and administrative unlawful acts of which it becomes aware to the competent public agencies;
• applying administrative sanctions when violations of the rules by the supervised entities are identified; and
• participating in relevant national and international forums.

By adequately complying with the regulations established by BCB, the supervised entities promote the effectiveness of the PLD/FT system, through risk management and the implementation of effective policies, procedures and controls, assisting the state in the identification of financial transactions that may present suspicious characteristics and that, therefore, require investigation.

The Credit Guarantee Fund (FGC) is a non-profit civil association, established by CMN Resolution No 2,197/1995, with the purpose of guaranteeing credits to customers of financial institutions authorised to operate by BCB and that are associated with FGC. The coverage offered by FGC includes deposits in financial institutions up to the limit of BRL250,000 per individual or legal entity, per institution, observing the ceiling of BRL1 million every four years, considering the total number of institutions in which the customer has funds. FGC is supported by monthly contributions from Brazilian financial institutions, corresponding to 0.0125% of the total amounts traded in products covered by the fund.

Deposits covered by FGC include:

• deposits in cash or deposits withdrawable upon prior notice;
• savings deposits;
• bills of exchange;
• mortgage bills;
• real estate bills of credit;
• agribusiness bills of credit;
• term deposits, with or without the issuance of a certificate, such as the Bank Deposit Receipt (RDB) and the Bank Deposit Certificate (CDB);
• deposits in accounts not operated by checks, intended for the registration and control of the flow of funds for the payment of salaries, maturities, retirements, etc; and
• repurchase transactions that have as their object bonds issued after 8 March 2012 by a related company.

BCB Resolution No 102/2021 regulates the preparation and sending of information related to financial instruments guaranteed by FGC. According to this rule, financial institutions must have systems and controls capable of generating an electronic file, within two business days, containing:

• identification of the holder of the secured credit;
• the type of financial instrument representing the credit;
• an identifier of the financial instrument;
• the acquisition date of the instrument by the credit holder;
• the classification of the credit holder and condition of ownership control of the financial instrument guaranteed by FGC; and
• the amount of the credit held by the holder.

In addition, institutions are required to submit, by the tenth business day of each month, aggregate information on secured credits to FGC, based on the position of the last business day of the previous month. This information must cover the classification of the type of financial instrument guaranteed, the type of credit holder, the ownership control condition and the amount range of the credits held by the holders.

The Basel III rules were incorporated into the Brazilian legal system in 2013, through four resolutions of the National Monetary Council (CMN) and 15 circular letters issued by BCB, which established guidelines for their implementation in the national banking system. The adoption of these rules in Brazil occurred before the completion of the Basel II implementation schedule, which was scheduled for the end of 2012. This anticipation resulted from the outbreak of the 2008 global financial crisis, which evidenced the inadequacy of the rules to mitigate systemic risk in force at the time.

In this sense, CMN Resolution No 4,557/2017 aims to regulate the risk management structure and the capital management structure of the institutions authorised to operate by BCB, classified in Segments S1, S2, S3 and S4. The rule obliges these institutions to implement a continuous and integrated risk and capital management structure, as well as a policy for disclosing information on these topics.

According to the rule, institutions shall also prepare a Risk Appetite Statement (RAS) and document risk appetite levels, considering:

• the levels of risks that the institution is willing to assume, broken down by type of risk and, where applicable, by different time horizons;
• the ability of the institution to manage risks effectively and prudently;
• the strategic objectives of the institution; and
• the conditions of competitiveness and the regulatory environment in which the institution operates.

The risk management structure must identify, measure, assess, monitor, report, control and mitigate the following matters:

• the credit risk to which the institution is subject in a material manner;
• the market risk to which the institution is subject in a material manner;
• the risk of interest rate variations for instruments classified in the banking portfolio (IRRBB) to which the institution is subject in a material manner;
• the operational risk;
• the liquidity risk;
• the social risk;
• the environmental risk;
• the climate risk;
• the country risk and the transfer risk to which the institution is subject; and
• other relevant risks, according to criteria defined by the institution, including those not covered in the calculation of the amount of risk-weighted assets.

With regard to the capital amount requirement, CMN Resolution No 2,607/1999 determines the minimum limits of paid-up capital and shareholders’ equity that must be permanently observed by the institutions authorised to operate by BCB, namely:

• BRL17.5 million for commercial banks and commercial portfolios of multiple banks;
• BRL12.5 million investment banks, development banks, corresponding portfolios of multiple banks and savings banks;
• BRL7 million for credit, financing and investment companies, real estate credit companies, leasing companies and corresponding multiple bank portfolios;
• BRL3 million for mortgage companies;
• BRL1.5 million for bonds and securities brokerage companies and bonds and securities distributing companies that manage investment funds in the modalities regulated by BCB (except investment funds in units of investment funds) or investment companies that are authorised to carry out repurchase and resale agreements;
• BRL550,000 for bonds and securities brokerage companies and bonds and securities distributing companies that carry out activities not included in the previous item; and
• BRL350,000 for foreign exchange brokerage companies.

For institutions operating in the free rate exchange market, BRL6.5 million shall be added to the amounts of paid-in capital and shareholders’ equity established above.

Regarding the quality of capital, under CMN Resolution No 4,577/2017, capital management is carried out with the monitoring and control of the capital maintained by the institution, the assessment of the need for capital to face the risks that the institution is exposed to and the planning of goals and capital needs, considering the strategic objectives of the institution.

With regard to liquidity, CMN Resolution No 4,557/2017 characterises liquidity risk as the possibility of a financial institution not being able to honour its obligations, whether expected or unexpected, current or future, including those arising from guarantees, without compromising its daily operations and without incurring significant losses. In addition, it covers the risk of the institution being unable to settle a position at market value, due to its volume being significantly high compared to what is normally traded, or as a result of a possible discontinuity in the market.

The risk management structure shall additionally provide for a liquidity contingency plan and for liquidity risk policies, strategies and processes that ensure:

• identification, measurement, assessment, monitoring, reporting, control and mitigation of liquidity risk in different time horizons, including intra-day, in normal or stressful situations, including the daily assessment of transactions with settlement terms of less than 90 days;
• maintenance of an adequate inventory of net assets that can be readily converted into cash in stressful situations;
• maintenance of a fund-raising profile appropriate to the liquidity risk of assets and exposures not accounted for in the institution’s balance sheet; and
• adequate diversification of sources of fund-raising.

Liquidity risk management shall consider all operations carried out in the financial and capital markets, as well as possible contingent or unexpected exposures, including those associated with settlement services, the provision of accommodations and guarantees and contracted and unused facilities and liquidity lines. The institution shall also individually consider the liquidity risk in the jurisdictions where it operates and in the currencies to which it is exposed, observing any restrictions on the transfer of liquidity and convertibility between currencies, such as those caused by operational problems or by impositions made by a country.

In the performance of its institutional mission to ensure that the financial system is sound and efficient, BCB has the power to intervene in the institutions under its jurisdiction through the enactment of prudential and recovery measures and resolution regimes, either in order to restore the normal course of operation or to interrupt its activities in an orderly manner, mitigating the contagion risk.

The legal framework that defines these measures and the performance of BCB as a Resolution Authority comprises the following:

• Law No 6,024/1974, which provides for the intervention and out-of-court liquidation of financial institutions;
• Decree Law No 2,321/1987, which instituted, in defence of public finances, the Temporary Special Administration Regime (RAET) in private and non-federal public financial institutions; and
• Law No 9,447/1997, which provides for the joint and several liability of controllers of institutions subject to the regimes referred to in Law No 6,024/1974 and Decree Law No 2,321/1987, the freezing of their assets, the liability of accounting audit companies or independent accounting auditors, and the privatisation of institutions the shares of which are expropriated.

The preservation of financial stability is the public good that BCB seeks to preserve by analysing the scenarios and defining the moment, strategies and tools to act on an institution whose operational continuity proves to be unfeasible or compromises the health of the financial system.

In view of the potential negative effects on both the financial market and economic activities that are affected by the enactment of a resolution regime, BCB primarily seeks for institutions to adopt market solutions that preserve value and productive activity, without prejudice to sanctioning those responsible for any irregularities that contributed to the institution’s non-feasibility.

In this sense, when a financial institution presents a serious impairment of its assets or difficulty in complying with its commitments, BCB may direct its controllers to contribute the necessary resources, transfer control, reorganise the company or adopt recovery measures, also known as market solutions.

In this sense, recovery tools are strategies adopted by the institution while it is still in operation, with the purpose of restoring the feasibility of its transactions. CMN Resolution No 4,502/2016 determines that larger institutions prepare a recovery plan, which consists of a set of information and strategies that can be adopted when any indicator shows a deterioration, present or expected, in the economic or liquidity situation. The recovery plan can be defined, therefore, as the set of actions presented by the institution to restore its solidity and feasibility, in case it faces a situation that jeopardises the continuity of its business.

Without prejudice to the actions taken by the institution itself, CMN Resolution No 4,019/2011 authorises BCB to determine the adoption of preventative prudential measures by the institution, such as:

• the adoption of additional controls and operating procedures;
• a reduction of the degree of exposure risk;
• compliance with additional amounts to PRE;
• compliance with more relative operating limits;
• recomposition of liquidity levels;
• the adoption of management on a co-management basis, in the case of a credit union;
• limitation or suspension of an increase in the compensation of administrators, payments of instalments of variable remuneration of administrators and distribution of results or, in the case of credit unions, of surpluses, in an amount higher than the minimum legal limits;
• limitation or suspension of the practice of operational modalities or certain types of active or passive operations, the exploitation of new lines of business, the acquisition of interest, directly or indirectly, in the capital of other companies, financial or non-financial, and the opening of new premises; and
• disposal of assets.

Depending on the evolution and severity of the problem, BCB may intervene directly in the institution through an out-of-court liquidation, intervention or RAET. When a resolution regime is determined, the controllers lose the management power of the institution, which is then managed by a liquidator, intervenor or managing board, appointed by BCB, according to the type of regime.

The regime to be adopted is in accordance with the problem presented by the institution, the impact on the financial system and other situations analysed on a case-by-case basis. Resolution regimes are guided by public interest, the preservation of financial stability and the non-interruption of critical functions for the real economy.

The following resolution regimes stand out.

• Out-of-court liquidation is the insolvency regime that is intended to interrupt the operation of the institution and promote its withdrawal from SFN. It is adopted when the insolvency situation cannot be recovered and the interruption of the institution’s operation does not compromise financial stability.
• Intervention is adopted when there is any possibility of recovery. Activities are temporarily suspended and the intervention lasts up to 12 months. As the case may be, the intervention will cease if there is a resumption of normality or, failing that, if there is a decree of out-of-court liquidation or bankruptcy.
• RAET does not affect the normal activities of the institution and is adopted when the institution performs critical functions for the real economy, due to its size or operational complexity, or when the abrupt stoppage of its operation may cause risks to financial stability. RAET will end if activity is normalised or if there is a market solution for the institution. If there is no market solution, the federal government may take control. If it is possible to adopt measures to preserve critical functions and financial stability, RAET may end by the decree of out-of-court liquidation.

Within the scope of ESG regulation in Brazil, CMN Resolutions No 4,943/2021, No 4,944/2021 and No 4,945/2021 and BCB Resolutions No 139/2021 and No 151/2021 stand out. These rules have the common purpose of providing for social, environmental and climate risks.

CMN Resolution No 4,943/2021 provides for the structure of risk management, capital management and information disclosure policy, and is directed at financial institutions authorised to operate by BCB that fall into the following segments:

• S1 – multiple, commercial, investment, exchange and savings banks that have a size equal to or greater than 10% of GDP or that carry out relevant international activity, regardless of the size of the institution;
• S2 – multiple, commercial, investment, exchange and savings banks that have a size less than 10% and equal to or greater than 1% of GDP, and other institutions with a size equal to or greater than 1% of GDP;
• S3 – institutions with a size less than 1% and equal to or greater than 0.1% of GDP; and
• S4 – institutions with a size less than 0.1% of GDP.

In this sense, CMN Resolution No 4,943/2021 deals with social and environmental risks, and also includes the observance of climate risks. The rule requires the identification, assessment, classification, measurement and establishment of mechanisms to monitor these risks, as well as the establishment of a management structure and minimum prudential requirements to be observed for each type of risk.

CMN Resolution No 4,944/2021 also refers to social, environmental and climate risks for institutions classified in Segment S5 – ie, institutions of less than 0.1% of GDP that use a simplified optional methodology for calculating the minimum requirements of Reference Equity (PR), Level I and Principal Capital, except multiple, commercial, investment, foreign exchange and savings banks and institutions not subject to PR calculation.

CMN Resolution No 4,945/2021 deals with the establishment of the Social, Environmental and Climate Responsibility Policy (PRSAC) by institutions in Segments S1, S2, S2, S4 and S5 authorised to operate by BCB.

This rule establishes the need for institutions to establish and implement actions with a view to effectiveness and to strengthen governance and transparency requirements in relation to PRSAC and the actions implemented. To this end, PRSAC must be disclosed to the external public together with the actions that ensure its effectiveness, and must be implemented according to the profile of each institution, observing its business model, the nature of its operations and the complexity of its products, services, activities and process, in addition to considering the institution’s strategic objectives and competitive conditions and the regulatory environment in which the institution operates.

Regarding governance, the rule defines certain functions for different positions. For example, the approval and review of PRSAC is the responsibility of the board of directors, and shall be made at least every three years or when events considered relevant occur. A social, environmental and climate responsibility committee, linked to the board of directors, is mandatory for S1 and S2 and optional for S3, S4 and S5; when not organised, the executive board shall assume the duties of said committee.

Prudential conglomerates shall have a unified PRSAC. One of the participating institutions shall be given responsibility for the policy, and designate a responsible officer and create the committee.

BCB Resolution No 139/2021 provides for the disclosure of the Social, Environmental and Climate Risks and Opportunities Report (“GRSAC Report”) by the institutions authorised to operate by BCB that fall under Segments S1, S2, S3 and S4.

The rule is inspired by the recommendations of the Task Force on Climate Related Financial Disclosure (TCFD), which seeks to promote transparency and market discipline, enabling identification of the institutions’ commitment to a sustainable and inclusive economy, in addition to improving the perception of risks and supporting decisions.

The GRSAC Report shall address governance in risk management, its impacts on the institution’s strategies and the environmental, social and corporate governance risk management processes.

BCB Resolution No 151/2021 requires financial institutions in Segments S1, S2, S3 and S4 to submit information to BCB on the assessment of social, environmental and climate risks. The submission shall follow what is provided for in PRSAC of each institution and in the risk management rules, and it is not necessary to provide information not required by these regulations.

With regard to digital operational resilience, CMN Resolution No 4,893/2021 establishes that institutions authorised to operate by BCB are required to implement and maintain a cybersecurity policy. This policy must be formulated based on principles and guidelines aimed at ensuring the confidentiality, integrity and availability of the data, as well as the information systems used by these institutions.

In addition, the cybersecurity policy must be aligned with the institution’s size, risk profile and business model, considering the nature of the transactions and the complexity of the products, services, activities and processes that the institution develops. The sensitivity of the data and information under the institution’s responsibility shall also be assessed in the preparation of the policy, thus ensuring the adequate protection of information.

CMN Resolution No 4,893/2021 also establishes that institutions authorised to operate by BCB must prepare an incident response and action plan, which must include the necessary measures to adapt their organisational and operational structures to the principles and guidelines of the cybersecurity policy. This plan shall include the routines, procedures, controls and technologies to be employed in preventing and responding to incidents. In addition, the rule obliges institutions to submit, annually, a detailed report on the implementation of the incident response and action plan, with a base date of December 31.

Similarly, CVM Resolution No. 35/2021 establishes rules and procedures to be observed in the intermediation of transactions with securities on regulated markets, and imposes relevant provisions concerning cybersecurity. Such provisions include an obligation for institutions authorised to act as intermediaries in the distribution system, both on their own behalf and on behalf of third parties, in the trading of securities on regulated markets (“Intermediary”), to develop an information security policy. Such policy must cover:

• the processing and control of customer data;
• cybersecurity;
• the guidelines for assessing the relevance of security incidents, including cybersecurity, and the circumstances in which affected customers must be communicated; and
• the contracting of relevant services provided by third parties.

The information security policy must be compatible with the size, risk profile and business model of the Intermediary, as well as the nature of the transactions, the complexity of the products, services, activities and processes and the sensitivity of the data and information under its responsibility.

In addition, such policy must be applicable to employees, agents and service providers, providing for the periodicity with which they must be trained in relation to the rules, procedures and internal controls aimed at ensuring the confidentiality, authenticity, integrity and availability of sensitive data and information.

In the same context, it is worth highlighting Law No 13,709/2019, known as the General Data Protection Law (LGPD), which came into force in September 2020 and represents a regulatory framework for the processing of personal data in Brazil, covering both physical media and digital platforms, applicable to public and private institutions.

LGPD gives the individual (referred to as a “Subject”) a central role in the legal relationships involving the processing of their data, not only by regulating the protection of personal data but, above all, by electing “informative self-determination” as the essential basis, which means that the Subject has the right to decide which data will be used, in addition to determining the limits and term of its use.

Such rights impose a series of duties on those who process data, notably financial institutions, which routinely handle sensitive information of their customers. LGPD thus establishes a series of obligations aimed at ensuring security, privacy and transparency in the use of this information, reinforcing the need for adequate measures for the protection of personal data.

For financial institutions, strict compliance with LGPD and with the aforementioned regulations is not limited to mere legal compliance, but constitutes a fundamental element for the preservation of customer and market trust, in addition to being crucial for mitigating the risks of sanctions and reputational damage.

The Central Bank of Brazil (BCB) annually promotes BC# Agenda, its main regulatory planning tool, which aims to discuss and implement a set of strategic guidelines focused on reducing credit costs, modernising the regulatory framework and promoting greater efficiency in the national financial system. The programme also seeks to foster financial inclusion, increase competitiveness, promote sustainability and strengthen transparency in financial market operations.

The BC# Agenda is structured in thematic axes that reflect the priorities of the BCB Regulation Board, among which the following stand out: foreign exchange and international capital, prudential regulation, sustainability, rural credit, and innovation.

For the 2025/2026 biennium, within the scope of foreign exchange and international capital, the following central themes stand out: (i) the regulation of the use of virtual assets in foreign exchange and international capital operations; (ii) the simplification and improvement of the efficiency of interbank operations in the foreign exchange market, including by reviewing information requirements; (iii) the development of a normative framework for private offset of credits between residents and non-residents; and (iv) the modernisation of the regulatory treatment applicable to electronic exchange (eFX).

With regard to prudential regulation, the following objectives are highlighted: (i) the completion of the implementation of Basel III, with the introduction of the new framework for market risk (FRTB – Fundamental Review of the Trading Book) and review of the leverage ratio; (ii) the setting of individualised risk management requirements for certain institutions that are part of prudential conglomerates; (iii) the finalisation of the prudential regulation applicable to Payment Institutions; and (iv) the adjustment of the prudential framework to incorporate the treatment of exposure to virtual assets.

In the context of sustainability, the main topics to be discussed include: (i) the inclusion of quantitative inputs in the disclosure of data on Social, Environmental and Climate Risk Management (SECRM) in order to improve the comparability and transparency of information; and (ii) the setting of sustainability information disclosure standards in line with the guidelines of the International Sustainability Standards Board (ISSB) and IFRS S1 (which addresses the general requirements for the disclosure of sustainability-related financial information) and IFRS S2 (focused on climate-related disclosures). Both standards aim to allow investors to evaluate companies from the perspective of the sustainability of their businesses, as well as the climate impacts on their operations and assets, in addition to promoting the integration of this information with the financial statements.

In the innovation axis, the main topics under discussion are: (i) the evolution of Open Finance, with the institution of a new governance structure, expansion of the journey for legal entities and improvement of the consent experience, as well as the regulation of the startup journey without redirection; (ii) the regulation of Virtual Asset Service Providers (VASP); (iii) the regulation of Banking-as-a-Service (BaaS), allowing partnerships between financial and non-financial institutions to offer financial services; (iv) the preparation of a study on the need to regulate the processes of issue, bookkeeping and trading of tokenised assets; (v) a study on the risks and impacts of the use of artificial intelligence by financial institutions, with an emphasis on conduct and model risks; and (vi) the creation of a new payment slip modality aimed at the settlement of financial assets, such as trade bills and receivables.

Also in the field of innovation, the following stand out: (i) the expansion of PIX’s functionalities, including PIX by approximation, PIX in instalments and PIX under warranty; (ii) the evolution of the Special Return Mechanism (MED 2.0); (iii) the standardisation of interoperability flows between arrangements and registers; and (iv) the regulation of token applicants in payment arrangements.

In addition, there will be discussions on co-operativism, with the objective of establishing, through regulations, the form of organisation and operation of co-operatives as provided for in Complementary Law No 196/2022, which regulates the National Cooperative Credit System. It is also intended, through rulings, to regulate the edition and approval of a catalogue of financial assets by financial institutions, which will serve as a reference for the authorisation processes related to the provision of registration and deposit services of financial assets. Moreover, implementation of the international accounting standards of IFRS 9 – a standard that introduces new requirements for measuring the deterioration of financial assets – will be sought, as well as a new classification and measurement model.

Finally, the agenda includes advances in topics related to conduct and consumer protection, including: (i) the creation of a national base that allows customers to indicate that they do not wish to open accounts in their name, with mandatory consultation by the institutions; (ii) the revision of bank fee rules; and (iii) the updating of the rites and penalties of the sanctioning administrative process within the scope of BCB, including in relation to payment arrangements.

In summary, Agenda BC# 2025/2026 reinforces the consolidation of a more modern, transparent regulatory framework that adheres to international standards with an emphasis on technological innovation, sustainable finance and improved prudential supervision. These initiatives strengthen Brazil’s position as one of the most dynamic and advanced jurisdictions regarding financial regulation, promoting greater legal certainty, competitiveness and efficiency in the national financial system.