The Brazilian fintech market has been evolving at a rapid rate, with the Central Bank of Brazil (Banco Central do Brasil; BCB) and the National Monetary Council (Conselho Monetário Nacional; CMN) being very active regulatory authorities incentivising evolution and modernisation.

Particularly over the past 12 months, the BCB has issued a series of public consultation notices in a number of matters that are expected to change, including:

• the regulatory framework for the investment of non-residents in the Brazilian financial market, through Public Consultation Notice No 103 of 2024 (“ECP 103”);
• the rules of centralised risk management in payment schemes forming part of the Brazilian Payment System (sistema de pagamentos brasileiro; SPB) through Public Consultation Notice No 104 of 204 (“ECP 104”);
• the rules of banking as a service (BaaS) partnerships through Public Consultation Notice No 108 of 2024 (“ECP 108”); and
• the regulation of virtual asset service provision in general through Public Consultation Notice No 109, which provides the overall rules (“ECP 109”), No 110, which provides the authorisation process (“ECP 110”), and No 111, which includes virtual asset service provisions for the foreign exchange market (“ECP 111”).

These public consultation notices have the potential to be “game changers” for many fintechs because they add regulatory obligations to institutions that were not previously regulated, such as virtual asset service providers. BaaS providers will also need their service users to comply with regulatory responsibilities, making their regulation very similar to that currently in place for banking correspondents, another business model used by many fintechs. With these changes, fintechs that operate as service users will have limited compensations and will have to provide clear information to their clients, as well as observe restrictions about sub-contracting functions within the same economic group.

Fintech business models in Brazil are very diverse. Products and services can be offered by legacy players (traditional banks in the Brazilian financial system), licensed fintechs that hold specific licences (as detailed in 2.2 Regulatory Regime) and unlicensed fintechs (also detailed in 2.2 Regulatory Regime).

The business models that predominate in Brazil are as follows.

Credit Market

Products and services in the credit market can be offered by traditional banks, licensed fintechs and unlicensed fintechs. Traditional banks have traditional business models, and offer traditional banking products such as loans and financing. The offer of these products can be expanded through partnerships between traditional banks and unlicensed fintechs that work as BaaS users or banking correspondents (as detailed in 2.2 Regulatory Regime).

Credit fintechs also have strong business models in the credit market, targeting businesses with lower-than-average ticket operations and/or borrowers with lower credit scores. They usually offer credit using their own capital or intermediate peer-to-peer (P2P) lending.

Investment Market

The investment market in Brazil has more traditional players than fintechs. Traditional players include investment banks, multiple banks, (corretoras de rítulos e valores mobiliários; CTVMs) and securities dealers (distribuidores de títulos de valores mobiliários; DTVMs) and financing and investment companies (sociedades de crédito, financiamento e investimento; SCFIs), as detailed in the following. It should be noted that the investment market is also regulated by the Brazilian Securities and Exchange Commission (Comissão de Valores Mobiliários; CVM).

A business model widely implemented by Brazilian fintechs involving investment is the “introducing broker” business model, based on CVM’s opinion notes, enabling Brazilian institutions to introduce investment products offered by licensed institutions in other jurisdictions to Brazilian investors.

Foreign Exchange Market

The foreign exchange market has experienced regulatory changes that have incentivised new entrants into Brazil, including global fintechs. The main business model offered is the “global account” model, a product through which Brazilian users are able to open accounts in other jurisdictions and hold funds in multiple currencies.

Payment Services

Many fintechs were born of, and still leverage the products and services of, the SPB, offering instant payments (Pix) through direct or indirect participation in the Brazilian instant payments system (serviço de proteção ao índio; SPI). These products provide an efficient and cost-free experience for the users of these products and services.

Unlicensed Business Models

As further detailed in 2.2 Regulatory Regime, there are unlicensed fintechs that implement their business models either through providing ancillary services to regulated players or entering into partnerships with regulated players.

All fintechs are regulated by either the BCB or CMN, or are not regulated by any regulatory authority.

In the first instance, it is necessary to differentiate traditional banks from fintechs.

Traditional Banks

The types of traditional banks are as follows:

• commercial banks collect public funds through timed settlement deposits (depósito à vista) and term deposits (depósito a prazo), and mediate the circulation of funds between investors and borrowers;
• investment banks grant loans of fixed or working capital and collect funds through financial deposits, but do not operate via timed settlement deposits; and
• multiple banks operate the functions of commercial banks and have other products such as investments and/or foreign exchange services.

Fintechs can be divided into licensed fintechs and unlicensed fintechs. Licensed fintechs can be further divided into the macro-categories of (i) credit fintechs; (ii) payment fintechs; and (iii) investment fintechs.

Credit Fintechs

The types of credit fintechs are as follows:

• direct credit companies (sociedades de crédito direto; SCDs) grant loans, provide financing and acquire credit rights through their own capital and their electronic platforms;
• P2P lending companies (sociedades de empréstimo entre pessoas; SEPs) conduct loan transactions between peers through their electronic platforms; and
• SCFIs can provide investments and loans to their clients.

Payment Fintechs

The types of payment fintechs are as follows:

• electronic currency issuers (electronic money institutions; EMEs) are payment institutions that convert physical currency into digital currency and vice versa, issuing pre-paid payment instruments to their clients;
• post-paid instrument issuers are payment institutions that manage the post-paid payment accounts of end users and enable payment transactions based on those accounts;
• acquirers are payment institutions that do not manage payment accounts and enable merchants to accept payment instruments – and participate in the settlement thereof – as the creditor before the issuer; and
• payment initiation service providers (PISPs) are payment institutions that do not hold funds or manage payment accounts but enable end users to initiate payment transactions from one account to another.

Investment and Foreign Exchange Fintechs

The types of investment and foreign exchange fintechs are as follows:

• DTVMs/CCTVM offer investments and foreign exchange products to their clients; and
• foreign exchange brokers offer foreign exchange settlements of up USD500,000 per transaction.

Unlicensed Fintechs

Unlicensed fintechs essentially implement the following business models:

• marketplaces work as sub-acquirers, accrediting merchants to accept payment instruments but not receiving funds from the issuer of the payment instrument – instead, they receive finds from acquirers (which are essentially payment institutions);
• electronic foreign exchange (eFX) service providers collect Brazilian currency from end users that will acquire goods and services abroad and enter into foreign exchange transactions with regulated financial institutions; and
• BaaS providers and banking correspondents leverage the regulatory licence of other financial or payment institutions to mediate the offer of financial products and services, such as loans, foreign exchange and payment instruments, through white-label or banking correspondence solutions.

The BCB establishes caps and baskets for charging fees for financial products and services, and for payment services. Concerning the caps and baskets, financial and payments service providers are free to obtain compensation from their customers and partners.

With respect to disclosure, the general rule observed in the Brazilian financial and payment systems is that the end user must be informed of the effective total amount of the transaction, which includes the spread charge, on top of any other fees and taxes incurred.

Fintechs are subject to the Brazilian Consumer Protection Code, which requires them to disclose to the individuals – and sometimes the companies – that are their end users clear information about the customer attendance service (serviço de atendimento ao cliente; SAC), for example.

Traditionally, the regulation applicable to fintech industry participants is lighter than the regulation applicable to legacy players, such as traditional banks. However, there is currently a tendency in the Brazilian regulatory framework towards making the regulation more similar, and to apply criteria based on risk instead of focusing on whether the institution is a traditional bank or a fintech.

One example of this is the rules for management compensation, which used to be applicable only to financial institutions but are also now applicable to payment institutions. Another example is the licensing process. The licensing of financial institutions usually requires evidence and proof, while the licensing of payment institutions is a more declaratory process, where the BCB asks for evidence as needed. However, changes were recently made to make these processes more similar, and there are now very few differences between them.

Brazil had a regulatory sandbox within the scope of the BCB, CVM and Superintendence of Private Insurance (Superintendência de Seguros Privados; SUSEP) that had a selection process for innovative projects. Many of these projects are still ongoing, but the regulatory sandbox is no longer open for new participants. Now, the regulatory authorities commonly allow new market players to “touch base” and open dialogues about new business models and the potential regulatory requirements applicable.

The Brazilian financial system is divided into the following areas: (i) currency, credit, capital and foreign exchange, with the CMN as the normative body and the BCB as the supervisory authority; (ii) private insurance, with the National Council of Private Insurance (Conselho Nacional de Seguros Privados; CNSP) as the normative body and SUSEP as the supervisory authority; and (iii) pension funds, with the National Council for Supplementary Pensions (Conselho Nacional de Previdência Complementar; CNPC) as the normative body and the National Superintendence of Supplementary Pensions (Superintendência Nacional de Previdência Complementar; PREVIC) as the supervisory authority.

The capital markets are governed by the BCB and the CVM, and there are also self-regulatory bodies such as the Brazilian Financial and Capital Markets Association (Associação Brasileira das Entidades dos Mercados Financeiro e de Capitais; ANBIMA), BSM and Ancord.

The SPB has the BCB as its normative body and supervisory authority.

Regulators in Brazil do not issue “no-action” letters.

Some regulated functions can be outsourced through contractual arrangements maintained between regulated and non-regulated entities, or through more than one regulated entity.

The outsourcing of regulated functions is usually achieved through two kinds of contractual arrangements, as follows.

Banking as a Service

In BaaS, one entity hires another to provide regulated services to its clients through a white-label solution. BaaS providers must always be regulated entities, but BaaS service users can be either regulated or non-regulated. This relationship is currently not regulated by the BCB, although regulation is being proposed through ECP 108 (as evidenced in 1.1 Evolution of the Fintech Market). Therefore, as of now, there are no contractual or regulatory requirements for this relationship to be established. It should be noted that the regulatory burden falls on the entity providing the regulated service, whether or not the BaaS user is a regulated entity.

Banking Correspondence

Regulated and non-regulated entities can function as banking correspondents of financial institutions. This relationship is regulated by CMN Resolution No 4,935 of 29 July 2021 (“Resolution 4,935/21”). Article 12 of Resolution 4,935/21 establishes the minimum content of the contract executed between the financial institution and its banking correspondent, and it also establishes the requirements for providing compensation to banking correspondents in credit and foreign exchange transactions. Resolution 4,935/21 expressly provides that the banking correspondent offers services under the guidelines of the contracting entity, which will assume full responsibility for the service provided to end users through its banking correspondents.

Fintech providers are not formally considered as gatekeepers responsible for the activities on their platform. However, the regulatory framework views regulated entities as gatekeepers in relation to anti-money laundering (AML), countering the financing of terrorism (CTF) and measures against the proliferation of weapons of mass destruction, based on the provisions of BCB Circular No 3,978 of 23 January 2020 (“Circular 3,978/20”). Circular 3,978/20 establishes that all institutions regulated by the BCB must establish measures and procedures based on an internal risk assessment to mitigate and prevent the usage of their products and services for the purposes of money laundering or financing terrorism.

The BCB also views regulated entities as gatekeepers in relation to fraud prevention. On 23 May 2023, the BCB and CMN issued Joint Resolution No 6, which requires data and information sharing about fraud between financial institutions, payment institutions and other institutions authorised by the BCB. These institutions must share data and information to prevent the occurrence of fraud within the national financial system and the SPB.

Enforcement actions taken by the regulatory authorities mentioned herein are based on Law No 13,506 of 13 November 2017 (“Law 13,506/17”). This law establishes the procedure for administrative sanctioning procedures within the scope of the BCB and the CVM, listing acts considered as administrative wrongdoings. Within the scope of the BCB, additional rules are provided by BCB Resolution No 131 of 20 August 2021 (“Resolution 131/21”), and within the scope of the CVM, additional rules are provided by CVM Resolution No 45 of 31 August 2021 (“Resolution 45”).

Sanctions that can be applied for administrative wrongdoings include (i) making the sanctioning public; (ii) pecuniary sanctions; (iii) prohibiting the provision of certain services; (iv) prohibiting certain activities or operations; (v) prohibiting institutions from acting as officers or assuming statutory roles authorised by the BCB; and (vi) licence revocation.

It should be noted that the BCB and the CVM are legally allowed to accept the proposals of administrative agreements (settlement terms) that follow specific requirements, such that administrative proceedings are not initiated against the contracting entity.

All public and private Brazilian entities that process data must comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais; LGPD), which applies to the processing of personal data by private and public entities. Specifically, financial institutions must also comply with CMN Resolution No 4,893 of 26 February 2021 (“Resolution 4,893/21”). Payment institutions, securities brokers and distributors and foreign exchange brokers must adhere to BCB Resolution No 85 of 8 April 2021 (“Resolution 85/21”). Both rules establish the following: that authorised institutions must have cybersecurity policies; the guidelines that must be contained in these policies; and the criteria for outsourcing data processing and cloud computing services.

Financial institutions, payment institutions and other institutions authorised by the BCB must conduct internal and independent audits. CMN Resolution No 4,879 of 23 December 2020 (“Resolution 4,879/20”) establishes the obligation for financial institutions to have internal audit units, and CMN Resolution No 4,910 of 27 May 2021 (“Resolution 4,910/21”) establishes the obligation for financial institutions to hire independent auditors. BCB Resolution No 93 of 6 May 2021 (“Resolution 93/21”) establishes the obligation for payment institutions and other institutions authorised by the BCB to have internal audit units, and BCB Resolution No 130 of 20 August 2021 (“Resolution 130/21”) establishes the obligation for these entities to hire independent auditors.

Other players that conduct reviews or require associates to have their practices reviewed include the Brazilian Federation of Banks (Federação Brasileira de Bancos; FEBRABAN), ANBIMA and the Brazilian Foreign Exchange Association (Associação Brasileira de Câmbio; ABRACAM). It should be noted that card scheme settlors must also conduct audits and monitor the practices of participants in their schemes, including issuers, acquirers, sub-acquirers and any other participants.

Usually, institutions regulated by the BCB can only conduct the activities listed in the specific regulation applicable to them in their corporate purpose statement. These institutions can only conduct activities that are supplementary to their core business – ie, the regulated activity. However, some industry players’ accounts offer additional services to their clients, such as the possibility of topping up their mobile phones and obtaining travel miles, amongst other services. Furthermore, some players include other entities as part of their economic group, offering services such as marketplaces.

All Brazilian public and private entities, and individuals, must observe Law No 9,613 of 3 March 1998 (the “AML Law”), which establishes money laundering crimes, and Law No 13,260 of 16 March 2016, which establishes terrorism crimes (the “CTF Law”). These laws also provide for the actions that must be taken whenever there is suspicion of money laundering or terrorism financing. The AML Law also created the Council for Financial Activities Control (Conselho de Controle de Atividades Financeiras; COAF), which is the authority that oversees reporting in case of suspicion regarding money laundering and terrorism financing. For fintechs, the BCB issued Circular Letter No 4,001 on 29 January 2020 (“Circular Letter 4,001”), which specifies the operations and situations that could be seen as constituting money laundering or terrorism financing. Fintech companies must report suspicions to COAF, regardless of whether they are regulated. Regulated entities report through the BCB’s system, and unregulated entities report directly to COAF.

In general, the AML and sanctions rules issued by the BCB and CMN follow the guidelines and standards provided by the Financial Action Task Force (FATF), including the risk-based approach and the overall standards. However, the specific thresholds and elements provided by FATF are not always followed.

Brazilians are not restricted from sending funds to other jurisdictions to use however they please. It is possible to open accounts in other jurisdictions and use such funds as needed, including for investments, general payments, etc. Such accounts are usually marketed to Brazilian consumers as “global accounts”, enabling the account holder to maintain funds in many different currencies. The main requirements for Brazilians to top up their global accounts are to conduct a foreign exchange transaction to remit the funds abroad, collect the applicable taxes and report the holding of accounts abroad through the Declaration of Brazilian Capital Abroad (DCBE). It should be noted that, in general, for public offerings of securities and investments to Brazilians, prior approval must be obtained from the CVM. Alternatively, the introducing broker business model must be used, involving a partnership with a securities distributor/broker in Brazil.

Law No 14,478 of 21 December 2022 (the “Crypto Law”) provides guidelines that must be observed for the provision of virtual asset services by virtual asset service providers. Pursuant to Article 3, Section IV of the Crypto Law, “assets for which the issuance, registering, negotiation or settlement are provided for in specific capital markets law” are excluded from the regulation. Therefore, securities tokens fall within the scope of the CVM’s regulation, while cryptocurrencies fall within the scope of the BCB’s regulation. The BCB has still not issued specific rules governing cryptocurrencies, but through ECP 109, 110 and 111 (as defined in 1.1 Evolution of the Fintech Market), the BCB is soliciting opinions from the general public before issuing applicable rules. In summary, security tokens would fall within the regulatory scope of the CVM, while cryptocurrencies would fall within the scope of the BCB.

The offering of financial and investment advice to the general public is regulated by the CVM. The CVM considers the activity of robo-advisers offering asset management services to be subject to their prior approval, in the form of CVM Resolution No 21 of 25 February 2021 (“Resolution 21”), and consultancy services are subject to CVM Resolution No 19 of the same date (“Resolution 19”). Order execution robots are also subject to the CVM’s prior approval, under CVM Resolution No 20 of the same date (“Resolution 20”). Legacy players implement these business models after obtaining prior approval from the CVM.

The main issues relating to best execution of customer trades include (i) data quality, since robo-advisers rely heavily on the data fed to them, and where the data may not be openly available; (ii) the instability of the Brazilian market, which could be an issue since robo-advisers rely on practice, and where such instability could complicate prediction of the movements of the market; and (iii) regulatory compliance, where offering investments to the public is heavily regulated, requiring specific knowledge and certification that has not been fully adapted to robo-advisers.

There are no major differences in the regulation of loans to individuals, small businesses and others. The only entities that can offer loans are those listed in 2.1 Predominant Business Models and 2.2 Regulatory Regime. It should be highlighted that on 3 January 2024, the interest rate on rolling credit card debts was limited to 100% of the original amount of the debt by Law No 14,690 of 3 October 2020. This law improved the conditions of credit card debts contracted by credit card holders, which are usually individuals and small businesses. Due to credit conditions, individuals and small businesses usually have the worst credit offers, and this law has the potential to reduce the debt of the average Brazilian citizen.

The BCB and CMN establish the requirements that must be observed by industry participants to evaluate the credit rights and liquidity risk that may be incurred by each player. CMN Resolution No 4,557 of 23 February 2017 (“Resolution 4,557/17”) establishes the guidelines that must be observed with respect to the risk policy. Following these guidelines, each institution has their own underwriting process. However, it should be noted that a common practice, especially for fintechs, is to assign their credit rights to credit rights investment funds (fundos de investimento em direitos creditórios; FIDCs) and securitisation companies, which acquire credit rights from fintechs and financial institutions and assume the credit risk.

Pursuant to 2.1 Predominant Business Models and 2.2 Regulatory Regime, P2P loans involve funds that are deposited by one “investor” and taken by another market player, while for an SCD funds are deposited by the SCD’s controlling shareholders themselves. Also, as discussed in 4.2 Underwriting Processes, it is common for fintechs to assign their credit rights to FIDCs. Therefore, funds arising from credit rights owned by fintechs usually come from their own controlling shareholders, or from FIDC investors. Credit issued by traditional banks comes from the general public, where collecting funds from the general public and using such funds to grant additional loans are private activities, as provided in Law No 4,595 of 31 December 1964 (“Law 4,595”).

For Brazilian lenders, syndicated loans are not as common as cross-border loans. For national credit transactions, the regulation applicable is the credit policy of each institution. For cross-border loans, the applicable regulations are Resolution No 277 and Resolution No 278 of 31 December 2022 (“Resolution 277/22” and “Resolution 278/22”, respectively). Pursuant to Resolution 278/22, Brazilians are free to contract loans in any currency. These loans must be reported to the BCB whenever they exceed USD1 million.

There is no restriction on payment processors with respect to producing new payment rails. However, the Pix payment rails are typically used because of the payment transaction initiator, a payment institution regulated as explained in 2.2 Regulatory Regime.

Cross-border remittances and payments can only be executed by institutions authorised by the BCB, namely banks (without limit), foreign exchange brokers, securities brokers/distributors (up to USD500,000 per transaction) and payment institutions (up to USD100,000). Resolution 277/22 governs remittances and provides that institutions authorised to operate in foreign exchange must collect support documentation pertaining to their clients’ economic/financial capacity and the legality of the transaction, as well as provide all such information to the BCB. The focus areas of the regulation are control of the inflow and outflow of foreign currency and AML/CTF rules.

The CVM regulates the public offering of securities, as explained in 3.2 Legacy Players’ Implementation of Solutions Introduced by Robo-Advisers. Currently, banking correspondents cannot offer investment products; therefore, all investment offerings must be made by institutions that hold specific licences from the BCB and the CVM. The main marketplaces and trading platforms are as follows.

• Stock exchanges: The main stock exchange in Brazil is B3, which operates the equities, derivatives and fixed-income markets. B3 is regulated by the CVM and is subject to specific rules related to trading, listing requirements and market operations.
• Over-the-counter (OTC) markets: OTC trade exists for securities that are not listed on formal exchanges. OTC markets are also regulated by the CVM, with specific rules governing trading, disclosure and investor protection.
• Electronic trading platforms: Electronic trading platforms, including alternative trading systems (ATSs) and electronic communication networks (ECNs), are allowed in Brazil for certain types of securities. These platforms are subject to regulation by the CVM, which sets forth rules related to order matching, transparency and fair access.
• Foreign exchange market: The foreign exchange market in Brazil is regulated by the BCB, as explained in 5.2 Regulation of Cross-Border Payments and Remittances.
• Commodity exchanges: Commodity trading platforms, including those for agricultural and financial commodities, are regulated by the CVM and may also be subject to oversight by specific commodity regulators.

The regulatory regimes for each type of marketplace and trading platform may differ in terms of licensing requirements, operational standards, market surveillance and investor protection measures.

The regulation of different asset classes is detailed in 3.1 Requirement for Different Business Models.

The emergence of cryptocurrencies has significantly changed the Brazilian regulatory environment. The Crypto Law, defined in 3.1 Requirement for Different Business Models, classifies securities issuance under the CVM’s authority, even if tokenised, while all other crypto-assets are under the BCB’s authority. The BCB issued the ECPs mentioned in 1.1 Evolution of the Fintech Market to specifically regulate crypto-asset service providers, which require a licence.

The CVM uses the Howey test to identify public offerings of crypto-assets as securities. All securities that do not fall under the Howey test classification of publicly traded securities also fall outside the CVM’s scope. Other crypto-assets fall within the BCB’s regulatory scope; though regulations have not yet been issued, public consultation is required, as mentioned in 1.1 Evolution of the Fintech Market.

Any security considered to be publicly or privately traded must follow the CVM’s rules; if it is not a security, it will now fall within the BCB’s regulatory scope.

Order handling rules apply, as described in 3.1 Requirement for Different Business Models.

P2P trading is currently not regulated, which significantly impacts traditional and fintech players. The only regulatory requirement that must be followed is that, whenever an individual or company purchases a crypto-asset from abroad, it must conduct a foreign exchange transaction, notified to the BCB as the purchase of crypto-assets abroad, with collection of the applicable taxes. In accordance with the ongoing public consultations described in 1.1 Evolution of the Fintech Market, the rules will change, and virtual asset service providers will need to obtain a licence from the BCB. Market makers might need to be regulated, even if they are individuals.

As evidenced in the foregoing, payment orders made from/to other countries are subject to the execution of a prior foreign exchange transaction, which leads to the use of institutions authorised by the BCB as gatekeepers for foreign exchange controls and AML/CTF. However, the payment order flow is not restricted. Certain rules issued by the BCB and the CVM aim to prevent market manipulation and other forms of abuse.

In Brazil, the BCB and CVM regulate and supervise the activities of financial institutions and the securities market, respectively. The CVM has issued rules to prevent market and trading abuse, and there are many famous cases of administrative sanctioning proceedings against individuals and companies that initiated market abuse. It should be noted that the CVM has many rules preventing insider trading and conflict of interests, including the requirement that investment policies prevent employees of asset manager firms from purchasing securities.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.

Regtechs are not regulated, but they could be subject to regulation if offering regulated products and services, or advising on financial investments. However, providing general advice on regulatory aspects is not a regulated activity in Brazil.

The provisions are not dictated by regulation, since financial services are not specifically regulated. There is no “one size fits all” requirement, because this necessarily lacks specificity with respect to industry practices.

Many traditional players are looking at offering crypto-assets to their clients through partnerships with crypto exchanges. In line with the new public consultations (detailed in 1.1 Evolution of the Fintech Market), they might be required to request additional permissions from the BCB and CMN to keep offering these services.

Local regulations have implemented the Crypto Law and granted the BCB the authority to specifically regulate crypto-assets, as provided in ECPs 109, 110 and 111 (see 1.1 Evolution of the Fintech Market).

Not all blockchain assets are considered financial instruments. The Crypto Law provides that virtual assets are considered as digital representations of value, and can be negotiated or transferred through electronic means and used to make payments, for investment purposes or otherwise. The Crypto Law excludes from its scope:

• national and foreign currency;
• electronic currency;
• instruments that enable their owner to gain access to certain products and services, or to benefits arising therefrom, including points and fidelity programmes (redemption of utility tokens); and
• representations of assets of which the issuance, registration, negotiation or settlement occurs in the context of the securities market (security tokens).

Issuers of blockchain assets are not specifically regulated. Custodians will be regulated pursuant to ECPs 109 and 110 (as defined in 1.1 Evolution of the Fintech Market).

Crypto-asset trading platforms are defined as:

• intermediaries, which provide for the possibility of acquiring crypto-assets, having a relationship with the end user without having custody;
• custodians, which exclusively hold clients’ private keys; and
• brokers, which engage in intermediate and custodian activity.

These entities will be regulated by the BCB and will require a licence therefrom. In theory, P2P operations are not allowed without mediation by a trading platform. It should be noted that the transference of stable coins in foreign currency between Brazilian residents is considered a form of foreign exchange to only be conducted by virtual asset service providers authorised to operate in foreign exchange by the BCB.

Staking is not currently regulated but will be regulated by ECP 109. Entities that conduct staking will be required to have additional corporate capital in the amount of BRL 2 million, since these activities are considered higher risk. The only entities allowed to conduct staking are intermediaries and brokers.

The provision of lending services relating to cryptocurrencies is not currently regulated but will be regulated pursuant to ECPs 109 and 111 (including in the foreign exchange market), since the transference of a virtual asset will in future be seen by the Brazilian regulatory framework as a change of ownership.

Cryptocurrency derivatives fall within the scope of the CVM’s authority, are considered securities and are subject to prior approval from the CVM for public distribution.

DeFi is not specifically regulated. Pursuant to Article 3 of the Crypto Law, crypto-assets not representing securities are not subject to the Crypto Law, but instead to Law No 4,728 of 14 July 1965 (the “Capital Markets Law”). They are not unregulated simply because they are securities.

All investment funds are subject to regulation by the CVM, based on the provisions of CVM Resolution No 175 of 23 December 2022 (“Resolution 175”). Funds that invest in blockchain assets are also subject to Resolution 175, as well as to Circular Letters No 1 and 11 of 2018 issued by the CVM. Circular Letter 11 holds that investment funds are allowed to invest in blockchain assets, as long as their managers and administrators observe certain provisions, namely:

• AML/CTF provisions;
• ensuring that negotiations are conducted through “exchanges” that are subject to supervision by regulatory authorities in their countries of origin;
• ensuring that the asset is not fraudulent by determining (i) whether the base software is free open source software, (ii) whether the technology is public, transparent, accessible and verifiable by any user, (iii) whether there are measures in place to reduce the risk of conflict of interests or excessive power concentration, (iv) the liquidity of the asset; (v) the nature of the network and consensus mechanisms, and (vi) the risk profile of the developers;
• conducting due diligence on the asset to which the crypto-asset refers;
• determining whether the crypto-asset should be considered a security and subject to the requirement for prior registration with the CVM;
• adhering to the governance requirements associated with the crypto-asset;
• providing disclosure through the white papers; and
• calculating the fair market value of the assets.

Pursuant to the Crypto Law, as defined in 10.3 Classification of Blockchain Assets, all kinds of blockchain assets are subject to the same law, except for:

• national and foreign currency;
• electronic currency;
• instruments that enable their owner to have access to specified products and services, or to benefits arising therefrom, including points and fidelity programmes (redemption of utility tokens); and
• representations of assets of which the issuance, registration, negotiation or settlement occurs in the context of the securities market (security tokens).

Non-fungible tokens (NFTs) are seen by the CVM as asset-backed tokens and subject to the Howey test, to determine whether or not they are classifiable as securities and thus whether they should be subject to the requirement of prior registration with the CVM. NFTs considered as securities are not subject to the Crypto Law, but rather to the Capital Markets Law. CFTs that are not securities and do not fall within the categories excluded from the Crypto Law are regulated by the BCB. Analysis on a case-by-case basis is necessary.       

Open banking, supported by the local regulatory framework launched in 2020 by the BCB, has been renamed “open finance”, encompassing investment and insurance products. Open finance is governed by Joint Resolution No 1 of 4 May 2020 (“Joint Resolution 1”) which requires all electronic currency issuers and providers of payment and deposit accounts to participate in open finance at least through sharing payment initiation services.

Joint Resolution 1 and the open finance protocols establish specific technology and application programming interface (API) standards and requirements to enable regulated players to participate in open finance. Additionally, the BCB conducts tests to verify that the security standards are being followed.

There are several types of fraud involving financial services and institutions authorised by the BCB, including (i) identity fraud; (ii) financial fraud; (iii) fraudulent activities to obtain an account holder’s credentials and access their account; (iv) phishing; (v) data breaches; (vi) investment fraud; (vii) credit card fraud; and (viii) money laundering.

Regulators are focused on all kinds of fraud related to financial services and services regulated by the BCB. The BCB and CMN issued Joint Resolution No 6 on 23 May 2023, which came into force in November 2023 and requires authorised institutions to share data pertinent to fraud, with the purpose of preventing future cases of fraud.

Subsequent to recent judicial decisions, institutions authorised by the BCB can be held responsible for losses suffered by a customer because their internal controls were insufficient to prevent fraud, such as fraud occurring through a breach of security protocols.

Where a customer has fallen for a scheme in which their account details were provided to an individual committing fraud, and where the authorised entity took all the necessary precautions and had all the required internal controls in place, such entity would not be held responsible for reimbursing the customer’s losses.