The Brazilian fintech market continues to evolve swiftly, supported by a pro-innovation stance led by the Central Bank of Brazil (Banco Central do Brasil; BCB) and the National Monetary Council (Conselho Monetário Nacional; CMN).

Over the past 12 months, the BCB has discussed several matters focusing on security and financial stability, including:

• a new calculation method for minimum and permanent capital, and net equity, for institutions authorised to operate by the BCB, through the enactment of CMN/BCB Joint Resolution No 14/25 and BCB Resolution No 517/25, which has substantially changed the entrance scenario for new institutions in the country, as well as the capital requirements for institutions subject to the transitional regime set forth by such rules;
• the launch of a new regulatory framework for virtual asset service providers (VASPs), encompassing rules relating to corporate governance, operational standards, the integration of virtual asset transactions into the foreign exchange market framework and the authorisation process before the BCB, with core regulatory provisions taking effect on 2 February 2026 by means of BCB Resolution Nos 519–521;
• a new regulatory landscape regulating banking as a service (BaaS) relationships through the issuance of CMN BCB Joint Resolution No 16/2025;
• the enactment of new rules regulating foreign exchange brokers (corretoras de câmbio), which has allowed such institutions to act as e-currency issuers and virtual asset intermediaries in Brazil, in accordance with Resolution No 542/25;
• the creation of new rules for centralised risk management in payment schemes that are part of the Brazilian payment system (Sistema de Pagamentos Brasileiro; SPB) as a result of Public Consultation Notice Nos 104 and 204; and
• the creation of new regulatory and technical requirements for information technology service providers (provedor de serviços de tecnologia da informação; PSTI) with access to the Brazilian financial system network (Rede do Sistema Financeiro Nacional; RSFN), through the issuance of BCB Resolution No 498/25.

These actions aim to revamp the Brazilian regulatory landscape by bringing certain key business models into the regulatory perimeter with clear accountability, capital expectations and operational controls. As a result of the new rules, the market is expecting to see a significant number of authorisation requests to operate as VASPs in 2026, both from new market entrants and from institutions who were already operating in Brazil.

Fintech business models in Brazil are very diverse. Products and services can be offered by legacy players (traditional banks in the Brazilian financial system), licensed fintechs that hold specific licences and unlicensed fintechs (as detailed in 2.2 Regulatory Regime). The business models that predominate in Brazil are as follows.

Credit Market

Products and services in the credit market can be offered by traditional banks, credit fintechs and unlicensed fintechs – in the last case necessarily through partnerships with licensed financial institutions via BaaS or banking correspondent structures (as detailed in 2.2 Regulatory Regime).

Credit fintechs usually target businesses with small-ticket operations and/or borrowers with lower credit scores.

Investment Market

The investment market in Brazil has more traditional players than fintechs. Traditional players include investment banks, universal banks with investment portfolios, securities broker-dealers (corretoras de títulos e valores mobiliários; CTVMs) and securities distribution companies (distribuidoras de títulos e valores mobiliários; DTVMs), which are regulated by the Securities and Exchange Commission of Brazil (Comissão de Valores Mobiliários; CVM) and BCB.

The fintech market involving investment products has been growing. Cross-border structures involving the “introducing broker” business model, based on the CVM’s opinion notes, have increased in number in the last few years, with the aim of enabling Brazil-based institutions to introduce their clients to products offered by licensed institutions abroad. These products are known in Brazil as “investment global accounts”.

Foreign Exchange Market

The foreign exchange market has experienced regulatory changes that have incentivised new entrants into Brazil, including global fintechs. The main recent trend in this area is the emergence of the “global account” model, a product through which Brazilian users are able to open accounts in other jurisdictions and hold funds in multiple currencies using the same app. Also, the BCB has recently allowed foreign exchange brokers to offer prepaid payment accounts as an ancillary activity, which should enhance the sector.

The regulation concerning the provision of international payment and transfer services was recently subject to public consultation through the BCB’s Public Consultation Notice No 124/2025, proposing that all institutions providing international payment services (so-called eFX services) obtain authorisation from the BCB to operate as a payment institution, while also introducing other changes to strengthen oversight of international payments. The market expects the regulation resulting from the consultation to be enacted during 2026.

Payment Services

Payments remain a core engine of fintech growth. The SPB encompasses many of the latest and most efficient payment solutions and innovations. For instance, Pix (instant payment system) processed transactions worth a total of BRL3 trillion monthly in 2025.

Payment services in Brazil are provided both by incumbent banks and payment service providers (instituições de pagamento). With the introduction of the Pix instant payments scheme by the BCB, several payment service providers currently offer (either in accordance with regulatory obligations or voluntarily) instant payments through direct or indirect participation in the Brazilian instant payments system (sistema de pagamentos instantâneos; SPI).

Crypto Market

With the recent introduction of a regulatory framework for VASPs, alongside the ongoing wave of authorisation requests and compliance initiatives, this sector is expected to grow substantially – particularly given the global increase in operations involving stablecoins.

Unlicensed Business Models

As further detailed in 2.2 Regulatory Regime, there are unlicensed fintechs that implement their business models by providing ancillary services to regulated players, entering into partnerships with regulated fintechs or exploring licence exemptions under the regulations.

Despite the absence of a formal or unified taxonomy, fintechs may be broadly categorised as licensed or unlicensed institutions. Licensed fintechs can be further divided into credit or payment fintechs. Naturally, fintech solutions and/or innovative business models may be implemented by incumbent or traditional financial institutions as well.

Traditional Financial Institutions

Traditional financial institutions in Brazil include:

• commercial banks, which among other activities carry out traditional financial intermediation by raising funds from the public and lending such funds to entities and individuals;
• investment banks, which may, among other activities, also carry out financial intermediation but are not allowed to receive demand deposits;
• universal banks operate two or more portfolios (one of which must be either a commercial or investment portfolio), combining different bank-related services;
• credit, finance and investment companies (sociedades de crédito, financiamento e investimento), the primarily activity of which is to extend credit, especially to segments and consumers that are not fully covered by commercial banks; and
• broker-dealers, which primarily carry out security intermediation and underwriting activities, and may not extend credit (except for margin loans).

Credit Fintechs

The various types of credit fintechs are as follows:

• direct lending companies (sociedades de crédito direto; SCDs), have as their primary activity credit lending via electronic platforms using their own funds; and
• peer-to-peer (P2P) lending companies (sociedades de empréstimo entre pessoas; SEPs), which facilitate P2P lending via electronic platforms without incurring the credit risk arising in connection therewith.

Payment Fintechs

The various types of payment fintechs are as follows:

• electronic currency issuers (emissores de moeda eletrônica; EMEs) are payment institutions that convert cash into digital currency and vice versa, issuing pre-paid payment instruments to their clients;
• post-paid instrument issuers are payment institutions that manage post-paid payment accounts of end users and enable payment transactions based on those accounts;
• acquirers are payment institutions that enable merchants to accept payment instruments and participate in the settlement of transactions as creditors of issuers; and
• payment initiation service providers (PISPs) are payment institutions that do not hold funds or manage payment accounts but enable end users to initiate payment transactions from one account to another.

Virtual Asset Service Providers

There are three types of VASPs in Brazil according to applicable regulations:

• virtual asset intermediaries (intermediária de ativos virtuais), whose primary corporate purpose is the intermediation of virtual assets, encompassing, among other activities, the underwriting, buying and selling of virtual assets, management of portfolios and exchange of virtual assets;
• virtual asset custodians (custodiante de ativos virtuais), whose corporate purpose is to take custody of virtual assets, and whose activities include the safekeeping and control of instruments that affect the exercise of rights and benefits in relation to virtual assets, the supervision of buy or sell orders for virtual assets, etc; and
• virtual asset brokers, whose corporate purpose is intermediation and custody of virtual assets.

It should be noted that VASPs that were already operating in Brazil before 2 February 2026 are authorised to maintain their activities in the country, provided that they comply with the transitional regime set forth by the BCB and submit an authorisation request to operate as a regulated VASP within 270 days after the enactment of BCB Resolution No 520/25.

Unlicensed Fintechs

Unlicensed fintechs typically operate through models that avoid performing regulated functions directly but still rely on contractual partnerships with institutions authorised to operate by the BCB.

The main unlicensed business models in Brazil are as follows:

• marketplaces may act as sub-acquirers, accrediting merchants to accept payment instruments and receiving funds from acquirers rather than from issuers of payment instruments (ie, sub-acquirers are creditors of acquirers and debtors of merchants);
• unregulated entities may settle closed-loop payment schemes and explore certain exemptions under the regulations to offer payment services, such as limited-purpose payment schemes;
• unregulated companies may provide international payment services (also known as international payment facilitation) to merchants located outside Brazil, which allows the purchase of goods and services abroad by Brazil-based buyers, by collecting funds from end-users in local currency and remitting them abroad via consolidated foreign exchange transactions with a financial institution authorised to operate in the foreign exchange market (this arrangement may change depending on the results of BCB’s Public Consultation Notice No 124/2025);
• credit origination activities, either via a banking correspondent or BaaS structure; and
• white-label or co-branded solutions, leveraging the regulatory licence of authorised financial institutions to mediate the offer of financial products and services, such as loans, foreign exchange and payment instruments.

The BCB establishes caps and baskets for certain fees derived from financial/payment products and services, including specific rules related to fees when charged under Pix. For instance, Pix users who are individuals cannot be charged by Pix participants for remitting or receiving funds.

With respect to disclosure, the general rule applicable to the Brazilian financial and payment systems is that fees should be clearly disclosed to end clients. Furthermore, with respect to credit transactions involving individuals and certain small-sized companies, financial institutions are required to disclose the total costs involved prior to the execution of the transaction in a standardised manner set forth by the BCB, to enable customers to compare the costs of the same product offered by different institutions (the so-called total effective cost; custo efetivo total – CET). The same rationale applies to spot foreign exchange transactions of amounts equal to or less than USD100,000 (total effective amount; valor efetivo total – VET).

Traditionally, the regulation applicable to fintech industry participants is lighter than that applicable to legacy players, such as traditional banks. However, there is currently a trend in the Brazilian regulatory framework towards rebalancing the regulatory burden imposed upon fintech players.

For instance, the licencing process applicable to payment institutions used to be simpler than that for financial institutions. However, changes were recently made to make these processes more similar, and there are now very few differences between them.

On the capital requirements side, the creation in 2022 of different prudential conglomerates comprising at least one payment institution evidences the regulator’s aim to avoid regulatory arbitrage and adopt both a risk-based approach and the principle of “same risk, same activity, same regulation”.

Brazil has regulatory sandboxes within the scope of the BCB, the CVM and the Superintendence of Private Insurance (Superintendência de Seguros Privados; SUSEP) that were involved in a selection process for innovative projects between 2020 and 2021. Many of these projects are still ongoing, but the regulatory sandboxes are not currently open for new participants. Based on the projects’ results, the applicable regulator may or may not change the current rules to regulate innovative activities or business structures.

There is no official news regarding additional cycles.

The Brazilian financial ecosystem is comprehensively regulated. The legal framework for banking activities, payment services and securities offering/trading is underpinned by Law No 4,595/64, Law No 12,865/13, Law No 6,385/76 and Law No 4,728/65.

In general, fintech companies are subject to rules issued by the BCB, the CMN and the CVM, depending on the nature of the services rendered, the attainment of certain thresholds (as applicable) and the market in which the fintech company operates (or intends to operate).

In addition, self-regulatory organisations may play an important role through binding standards for their members and participants, depending on the business model implemented by fintechs in Brazil – eg, the Brazilian Financial and Capital Markets Association (Associação Brasileira das Entidades dos Mercados Financeiro e de Capitais – ANBIMA), the B3 supervisory body (BSM Supervisão de Mercados) and private payment arrangement settlors.

Regulators in Brazil do not issue “no-action” letters.

Certain regulated functions may be “outsourced” through contractual arrangements maintained between regulated and non-regulated entities, between two regulated entities or through more than one regulated entity.

The outsourcing of regulated functions is usually achieved through two kinds of contractual arrangements, as follows.

Banking as a Service

In BaaS, one entity retains another to provide regulated services to its clients through technological integration (ie, white-label or co-branded solutions). BaaS providers must always be regulated entities, but BaaS contractors can be either regulated or non-regulated. This relationship was recently regulated by the BCB through the enactment of CMN BCB Joint Resolution No 16/2025, which provides a dedicated regulatory framework for BaaS. Full regulatory accountability has been assigned to the BaaS provider, requiring robust corporate governance, adequate risk management and internal controls, as well as operational and information security measures consistent with the nature of the services offered.

Banking Correspondence

Regulated and non-regulated entities can function as banking correspondents of institutions authorised to operate by the BCB. This relationship is regulated by CMN Resolution No 4,935 of 29 July 2021. This Resolution provides that the banking correspondent must offer services under the guidelines of the contracting entity, which is fully liable for the service provided to end users through its banking correspondents. There are also specific contract requirements concerning remuneration and forbidden activities, etc.

Fintech providers are indirectly deemed as gatekeepers responsible for the regulated activities on their platform, especially regarding AML/CFT and the proliferation of weapons of mass destruction, based on the provisions of BCB Circular No 3,978 of 23 January 2020. Also, regulated entities are viewed as gatekeepers with respect to cybersecurity, internal controls (which include antifraud measures) and risk management requirements when carrying out their activities.

Enforcement actions taken by the BCB and the CVM are based on Law No 13,506 of 13 November 2017. This law establishes a procedure for the imposition of administrative sanctions within the regulatory scope of the BCB and the CVM, listing acts considered as administrative wrongdoings. BCB Resolution No 131/21 details administrative sanctioning proceedings, criteria for violations classification, procedural rules and penalties guidelines. CVM Resolution No 45/21 governs the administrative sanctions procedural rules.

Actions that can be taken in response to administrative wrongdoings include:

• making the sanctioning public;
• pecuniary sanctions;
• prohibiting the provision of certain services for a specific period;
• prohibiting certain activities or operations for a specific period;
• prohibiting individuals from acting as officers or assuming statutory roles in entities authorised to operate by the BCB for a specific period; and
• licence cancellation.

It should be noted that the BCB and the CVM are legally allowed to enter into administrative agreements (settlement terms) with the relevant regulated entities and individuals, pursuant to certain rules and requirements.

All public and private Brazilian entities that process personal data must comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais; LGPD).

In addition, fintech companies authorised to operate by the BCB must comply with specific cybersecurity regulations. In general terms, applicable regulations establish that these entities must:

• guarantee the confidentiality, integrity and availability of the data and information systems;
• put in place internal policies, procedures and controls to prevent incidents related to the cyber environment; and
• ensure the security of sensitive information.

An action and response plan in respect of security incidents must be established as well.

Recently, the CMN and BCB tightened the framework by altering the supervisory stance towards minimum cybersecurity requirements and reinforcing the requirements for critical environments connected to the National Financial System Network (Rede do Sistema Financeiro Nacional; RSFN) and Pix. Also, accreditation procedures have been introduced for information technology service providers (prestadores de serviços de tecnologia da informação; PSTI) with access to RSFN, which may affect vendor selection, contracting and governance in fintech outsourcing chains.

Institutions duly authorised by the BCB must conduct internal and independent audits. Current regulations set forth that such entities must have internal audit units and retain independent auditors duly registered with the CVM. Depending on the size of the institution, additional requirements may apply, such as the incorporation of a statutory audit committee. Market self-regulatory bodies may also audit their participants, such as card scheme settlors, ANBIMA, B3 (the Brazilian Stock Exchange) and FEBRABAN (the Brazilian Federation of Banks).

Generally, institutions regulated by the BCB can only conduct the activities listed in the specific regulation applicable to them and that have been duly included in the institution’s corporate purpose statement.

Depending on the type of institution, additional services may be rendered only:

• through the establishment of a subsidiary, subject to prior authorisation from the BCB in the case of financial institutions;
• if the services are supplementary to their core business, in the case of payment institutions; or
• when not expressly forbidden.

Federal Law No 9,613/98 (the “AML Law”) sets forth a set of obligations that certain individuals and legal entities must comply with, in accordance with the rules issued by their relevant supervisory authority, summarised as follows:

• identify clients and keep the relevant information updated;
• record transactions;
• adopt internal policies, procedures and controls compatible with the size of the company and the volume of its operations, allowing it to comply with the AML Law;
• register itself (and maintain such registration) with the competent regulatory entity, or in its absence, with the Council for Financial Activities Control (Conselho de Controle de Atividades Financeiras; COAF);
• comply with requests made by the COAF in a timely manner, as set forth by the COAF; and
• report to the COAF in a timely manner suspicious transactions or transactions that reach certain thresholds (in the latter case, regardless of the suspiciousness of the transaction).

According to the AML Law, the rendering of specific services or offering of specific products – including the issuance of credit cards, the rendering of custody services and financial intermediation – triggers the need to comply with AML obligations and regulations enacted by the competent authority.

Fintechs authorised to operate by the BCB are subject to BCB Circular No 3,978/20 and related rules enacted by the BCB, while non-regulated fintechs must comply with COAF Resolution No 36/21 and other key rules depending on their business model.

AML and sanctions rules issued by the BCB are generally aligned with the guidelines and standards provided by the Financial Action Task Force (FATF), especially the adoption of a risk-based approach and the overall standards.

The offering of banking products and services by foreign financial institutions to residents of Brazil on a cross-border basis (ie, without a local presence) is not entirely regulated yet, leading to uncertainties as to the limits within which such activity may be conducted in a safe and risk-free manner.

For the time being, experience shows that any foreign financial institution engaged in such activities should take into account the need:

• to comply with the rules governing the offering of securities in Brazil;
• to perform banking activities in consistency with sound market practices;
• to comply with foreign exchange, tax and money laundering regulations, as applicable, particularly when the investments require the conversion of Brazilian currency into foreign currency; and
• for such activity to be conducted in a manner that avoids incentivising the outflow of local savings, which could be viewed as potentially harmful to the local economy or financial system.

Robo-advisers are not directly regulated by Brazilian authorities as standalone entities. Therefore, different regulatory implications may arise depending on the regulated activities performed by the automated tool.

Consequently, legal and regulatory responsibility falls on the entities supervised by the CVM and their statutory officers when using robots, including for any non-compliance with applicable rules enacted by the CVM related to portfolio management, investment advice and suitability in respect of product distribution.

Incumbent institutions that choose to use automated tools and robot solutions typically have to implement them within the framework of existing regulated activities and ensure compliance with current regulations, as mentioned in 3.1. Requirement for Different Business Models.

Intermediary institutions regulated by the CVM are generally required to act in the best interest of their clients, ensuring that trades are carried out at market prices in a manner that is efficient, transparent and secure. The centralised trading and clearing mechanisms of B3 provide an infrastructure that reduces settlement risk and enhances investor protection. Moreover, compliance with CVM rules obliges intermediaries to implement internal controls, risk management procedures and suitability assessments.

Challenges remain, however – particularly in balancing technological innovation with regulatory safeguards. Automated trading tools and digital platforms must be integrated into existing regulated activities, ensuring that customer trades continue to benefit from the protections afforded by CVM oversight and the operational reliability of B3. Regulatory attention is required to address new market practices and maintain investor confidence.

Generally, there are no major differences in the regulation of loans granted to individuals, small businesses and others, barring certain informational requirements that must be complied with in the context of transactions with consumers and certain small-sized companies (eg, prior disclosure of the CET and VET), as well as certain limitations imposed on specific transactions (eg, interest rate limitations on payroll loans extended to retirees).

On 3 January 2024, the interest rates and fees on rolling credit card debts of individuals were limited to 100% of the original amount of the debt by Law No 14,690 of 3 October 2020.

The BCB and CMN establish the requirements that must be observed by industry participants to evaluate the credit rights and liquidity risk that may be incurred by each player. CMN Resolution No 4,557, of 23 February 2017 establishes the guidelines that must be observed with respect to the risk policy and measures that must be taken by financial institutions in Brazil. Following these guidelines, each institution has its own underwriting process.

Funding structures vary by type of regulated institution.

Pursuant to 2.1 Predominant Business Models and 2.2 Regulatory Regime, P2P loans are funded by the lenders themselves, without any credit risk underwriting by the P2P lending company (SEP).

On the other hand, direct lending companies (SCDs) have fundraising strategies that are basically limited to equity and credit assignment structures, being the latest type of credit fintech and the most common in the market.

Traditional financial institutions (such as commercial banks) may raise funds via myriad alternatives, including deposit taking and debt issuance.

Brazilian law and regulations admit the structuring of syndicated loans. Such transactions are typically driven by contractual structuring that follows the credit policy of each institution. Guarantees given under syndicated loans are usually shared by the creditors.

Syndicated loans may also be cross-border and involve payments in foreign currency. Brazilian residents are free to contract cross-border loans in any currency provided that the relevant reporting obligations with the BCB are complied with by the borrower resident in Brazil. 

Payment processors may either settle new payment rails (eg, closed-loop payment schemes, limited-purpose payment schemes) or participate in existing payment rails (eg, Pix, Mastercard, Visa) to operate in Brazil.

The settlement of payment rails may imply the need for authorisation from the BCB to operate as a payment institution in Brazil, either as an acquirer or as an e-currency issuer, depending on the functionalities and reach of the new payment rail. Now, only e-currency issuers or acquirers that act exclusively within limited-purpose payment schemes or federal, state or municipal public programmes are exempted from authorisation by the BCB.

Also, in addition to the operation of the payment scheme participants, the operation of the payment rail itself may require authorisation from the BCB if certain financial thresholds are exceeded.

Pursuant to Law No 14,286, enacted on 29 December 2021 (the “Foreign Exchange Law”), foreign exchange transactions may be carried out without any value limitation, subject to applicable laws and the regulations issued by the CMN and the BCB.

Cross-border remittances and payments can only be implemented via foreign exchange transactions executed between a Brazil-based party and an institution duly authorised to operate in the FX market by the BCB, namely banks (without limitation), foreign exchange brokers, securities brokers/distributors (up to USD500,000 per transaction) and payment institutions (up to USD100,000).

BCB Resolution 277/22 governs, among other matters, cross-border remittances, and provides that institutions authorised to operate in foreign exchange must, among other things, collect support documentation pertaining to their clients’ economic/financial capacity and the legality of the transaction, as well as provide all such information to the BCB. The focus of the regulation is control of the inflow and outflow of foreign currency and AML/CFT rules.

Security Trading on Organised Markets

Public trading and secondary market transactions for securities are carried out through regulated securities markets and intermediaries under the CVM’s framework. In Brazil, the key “marketplace” categories are typically structured exchange markets (bolsa de valores) and organised over-the-counter (OTC) markets (balcão organizado), operated by market infrastructure providers subject to the CVM’s rules on regulated markets and organised market administrators (including CVM Resolution No 135 of 10 June 2022). 

In Brazil, B3 is the main organised market infrastructure provider, operating equities, derivatives and fixed-income markets, as well as organised OTC environments, under CVM oversight and its own operational rulebooks. Other players acting as organised market infrastructure providers in Brazil mostly focus on niche markets (eg, commodity trading platforms).

Digital Marketplaces

In Brazil, digital marketplaces or e-commerce platforms may be subject to regulation depending on the business model adopted, and particularly the functions offered to buyers and sellers registered with such platforms.

Digital marketplaces may either act as subacquirers or contract an acquirer or another subacquirer to be responsible for ensuring the acceptance of payment instruments within their digital environment, and for settling payments to merchants.

The definition of “subacquirer” is broad and has increasingly been applied to major big tech companies that have developed successful multinational delivery and mobility solutions. In essence, companies in Brazil are not permitted to act as merchants for the purpose of credit or debit card transactions and subsequently intermediate in the payment of such amounts to different sub-merchants within their own platforms. Instead, these companies are required to operate as subacquirers under private payment schemes to mitigate bankruptcy risks, or to delegate this function to a licensed acquirer or subacquirer under such schemes, which then transfer the funds directly to sub-merchants/final receivers registered on the digital marketplace platform.

For regulatory purposes, assets in Brazil are divided into financial assets and securities. Financial assets are instruments that represent a claim over future economic resources, such as the payment of interest or dividends. Financial instruments include public bonds, credit rights and other instruments issued by financial institutions that are not publicly offered.

When instruments are publicly offered, they are classified as securities for regulatory purposes. Securities are described in Article 2 of Law No 6,385/76 and can be largely defined, as in other jurisdictions, as assets negotiated in financial and capital markets that pass the Howey test.

For the public issuance of securities, prior registration of the issuance and of the issuer with the CVM is required. Investment in financial instruments does not require prior registration with the CVM, since they are issued by financial institutions that are already regulated by the BCB.

Previously, virtual assets were not regulated per se, but their purchase and trade were regulated as:

• securities, if they fit the concept of securities based on the Howey test; or
• purchase of assets abroad, which required a foreign exchange transaction.

On 21 December 2022, Law No 14,478 was enacted to establish guidelines for the “provision of virtual asset services”, which would require the prior approval of an undefined regulatory authority. Decree No 11,563/2023 established that such authority would be the BCB (without prejudice to the CVM’s competence over securities). 

In November 2025, the BCB issued key rules for the authorisation and operation of VASPs, including BCB Resolution No 520 of 10 November 2025 (on incorporation, operation and virtual asset service provision), which sets expectations around governance, operational capacity and controls appropriate to the services offered.

Equity Capital Markets Listing Standards

In the Brazilian organised stock market (B3), securities can be listed in different segments:

• Bovespa Mais;
• Bovespa Mais Level 2;
• New Market Level 2; and
• New Market Level 1.

The segments are used to segregate issuers who must adhere to different corporate governance rules and disclosure of information requirements to issue securities to the public.

Debt Capital Markets and Other Securities

The criteria for listing other securities, such as debentures, is also governed by self-regulation, based on the Public Offering Code issued by ANBIMA. The requirements essentially concern the good-faith provision of truthful information to investors.

Tokenised Products and Virtual Assets

The virtual assets traded by VASPs are selected by the VASPs themselves, based on clear, justified, transparent and broadly published criteria. VASPs must have policies in place that guide their decisions to list, de-list and suspend the trading of virtual assets based on the decisions of technical committees put in place for this specific purpose.

It should be noted that for virtual assets classified as securities (based on the Howey test applied by the CVM), the CVM’s guidelines must be followed, and prior approval must be obtained from the CVM for their issuance, public offering and trade. 

Orders are handled by B3. The rules around order handling are established by B3 itself, and must be observed by all intermediaries of securities when they are placing the orders. There are additional rules established by the CVM concerning the minimum information that securities intermediaries must retain about the orders they place; however, the actual order handling rules are established by B3. The environment in which the orders are placed, overseen by B3, enables interaction between offers placed by trading participants, which can be either full trading participants or trading participants acting under the responsibility of full trading participants; these can act as intermediaries for some institutions and conduct operations on their own behalf.

The Brazilian financial and capital markets are highly regulated. There are no direct P2P trading platforms, but there are P2P loan platforms (sociedade de empréstimo entre pessoas), which are treated like “lighter” financial institutions for regulatory purposes. P2P loan platforms can issue a credit instrument linking debtors and investors, allowing investors to fund loans and earn a spread. There are also crowdfunding platforms through which investors can invest small amounts in entrepreneurial endeavours; these are regulated by CVM Resolution No 88.

Investors are able to sell their securities in Brazilian secondary capital markets – usually via P2P platforms, but always through a securities intermediary.

Intermediaries of securities may charge fees for placing orders on behalf of investors, observing guidelines established by self-regulatory bodies such as ANBIMA, although there are also rules to be followed based on the regulations issued by the CMN and the CVM. For example, CMN Resolution No 5008/22 establishes that CTVMs and DTVMs cannot charge fees for the negotiation of securities during the term of their primary issuance. ANBIMA’s guidelines provide that securities distributors may seek transparency in the provision of information to investors about the fees charged for placing orders. The CVM’s rules establish that securities intermediaries must inform investors of compensation charges and potential conflicts of interests.

The CVM and self-regulatory bodies such as ANBIMA promote the market integrity principles followed by securities intermediaries and investors. In the Brazilian financial market, integrity principles are laid out by the BCB and followed by regulated market players through a risk-based approach.

Insider Trading

Under the Brazilian justice system, insider trading is a criminal, administrative and civil infraction. Article 155, paragraph 1 of the Brazilian Corporations Law prevents the use of privileged information by the management of publicly traded companies, and paragraph 4 establishes that the unlawful use of such information by any person is also prohibited. Classification as “criminal” tends to be based on the CVM’s evaluation.

Market Manipulation

CVM Resolution No 62 prohibits the creation of artificial conditions of supply, demand or price, as well as price manipulation, fraudulent operations and the use of unequal practices in the securities market. These activities are considered serious offences and are punished harshly by the CVM.

Risk-Based Approach to Financial Crimes

Within its sphere of competence, the BCB uses regulated market players as gatekeepers to ensure that the national financial system and the SPB are not used to facilitate financial crimes, mainly by establishing minimum internal controls for regulated players and allowing them do adopt a risk-based approach in obtaining information from clients to prevent financial crimes.

High-frequency trading (HFT) and algorithmic trading are not regulated by the Brazilian capital markets, since the usage of algorithms therein is incipient. However, in its Orientation Notice No 40 of 11 October 2022, the CVM informed the market that it is receptive to new technologies that lawfully contribute and positively influence the evolution of the capital markets. In 2022, B3 also informed the market that it had begun using HFT technology to monitor transactions.

The activity of market makers is governed by CVM Resolution No 133, and by B3’s guidelines, which require institutions to be registered with B3 to conduct operations designed to promote liquidity in securities admitted to trading. Criteria to become a market maker include:

• being a B3 participant;
• having access to B3’s trading systems; and
• having economic, financial, technical and operational capacity.

A market maker will conduct its activities whenever hired by the issuer of the security.

Brazilian practice generally distinguishes between the following.

• Investment funds: Investment funds trade exclusively for the benefit of their own portfolios and are primarily subject to the governance, operational and risk-management framework applicable to collective investment vehicles. In Brazil, the framework is consolidated under CVM Resolution No 175/22, which establishes a fiduciary-based structure involving the fund’s administrator, portfolio manager, custodian and other service providers.
• Intermediaries/dealers: Where an entity is acting as an intermediary in regulated markets, conduct is primarily governed by CVM Resolution No 35/2021, which specifies order handling, execution quality conflict management and organisational requirements for intermediaries.

There is no specific licensing regime in Brazil targeted solely at programmers who develop trading algorithms, since algorithmic trading is incipient in Brazil.

The underwriting and retention of insurable risks are key aspects of the structuring of insurance companies subject to the regulatory sandboxes proposed by SUSEP, which has already had three editions. Many such companies do indeed innovate in this area. However, insurance companies operating in a regulatory sandbox may not cede more than 90% of their underwritten risks in reinsurance, and the simplified investment structure to which they are subject may be impacted (and they will have to comply with full investment structure requirements) if they cede more than 50% of their underwritten risks in reinsurance.

Insurtechs operating outside the regulatory sandbox environment are subject to the rules and requirements generally applicable to other insurance companies.

In general, private pension plans and insurance structured in accordance with the separate account regime or capitalisation regime (usually life insurance) are excluded from the regulatory sandboxes proposed by SUSEP. Innovative projects related to all other types of insurance are acceptable – although each regulatory sandbox focuses on specific types of insurance.

Brazil does not recognise “regtech” as a standalone regulated category. Generally, providers of monitoring, reporting, governance and related technologies are not directly licensed, acting solely as third-party service providers for regulated institutions.

Brazilian regulation and legislation do not impose mandatory contractual terms or templates on regtech contracts, as regtechs are not regulated in Brazil.

The use of blockchain in the Brazilian financial sector continues to expand, with many traditional institutions exploring partnerships with VASPs or providing virtual asset services themselves.

The use of blockchain in the financial services industry has been evolving rapidly, with ongoing projects including the BCB’s proposed central bank digital currency (CBDC; moeda digital do banco central – DREX). From a practical standpoint, blockchain is being used in the financial services industry especially for the remittance of funds to Brazil from abroad, and vice versa, to facilitate the inter-banking foreign exchange market, and to effect carry trade based on stablecoins backed by the Brazilian real and government bonds.

The use of blockchain itself is not regulated, and neither is the issuance and tokenisation of virtual assets. As detailed in 6.3 Impact of the Emergence of Cryptocurrency Exchanges, regulated assets are securities and financial assets. When classified as securities or financial assets, blockchain assets are under the local regulator’s supervision. Currently enacted regulation was formulated by means of public consultations.

Regulated blockchain assets in Brazil are classified as securities, falling under the CVM’s jurisdiction (defined by Article 3 of Law 14,478 of 21 December 2022 as “the digital representation of value that may be negotiated or transferred through electronic methods and used to conduct payments or investments”). The same article expressly excludes assets that are not defined as virtual assets. Virtual assets fall under the BCB’s jurisdiction. No other blockchain assets are regulated in Brazil.

Issuers of blockchain-based assets are not regulated in Brazil. However, the trading of assets classified as securities or virtual assets (as mentioned in 10.3 Classification of Blockchain Assets) is regulated. Bill of Law No 4,308 of 2024 proposes that issuers of stablecoins should be regulated and require prior authorisation to operate in the Brazilian foreign exchange market.

Custody and intermediation of virtual assets and the public offering of blockchain assets seen as securities are regulated.

Blockchain assets seen as securities (collective investment contracts) may only be publicly distributed and issued upon prior registration with the CVM, and with observance of the self-regulatory rules, and must be distributed via securities intermediaries duly authorised by the CVM and the BCB.

Blockchain assets characterised as virtual assets based on Law No 14,478 are traded by VASPs, which may be either “pure” VASPs or institutions already regulated by the BCB that may also provide virtual asset services (eg, commercial banks). The regulation requiring prior BCB authorisation entered into force on 2 February 2026. Institutions that were already functioning as VASPs had a grandfathering period of 270 days to adapt to the new regulatory requirements.

Staking is defined by the BCB as the procedure through which an individual or a company allows its virtual assets to be blocked by a VASP in order to participate in transaction validation through a system based on a distributed ledger technology (or similar technology) that uses proof of participation as its consensus mechanism. Participants may earn compensation from such operation. Staking may be done by VASPs provided that clients are informed of the risks of such operation according to applicable rules.

Any institution authorised to operate by the BCB  (except for “pure” VASPs and foreign exchange brokers) that acts as an intermediary may grant financing to their clients to purchase virtual assets (operação de conta margem) from it, as long as:

• the virtual assets are given as collateral to the creditor;
• the amount of the virtual asset given as collateral, as well as other collateral provided by the debtor, is at least 200% of the amount of the entire financing on the date it was granted; and
• the total amount of operações de conta margem does not exceed the net equity of the institution in case it is a CTVM or DTVM.

Cryptocurrency derivatives are not specifically regulated. They fall under the general regulation of derivatives, which are securities, and require prior registration before they can be issued and publicly distributed.

No specific rules about DeFi are in place in Brazil. DeFi projects have previously been submitted to regulatory sandboxes, but no rules have been issued.

Funds that hold crypto-assets in their portfolios are subject to the regime applicable to “financial investment funds” under Annex I of CVM Resolution No 175/2022, which encompasses multimarket, foreign exchange, equity and fixed-income funds.

Subject to certain limitations and requirements, these funds may hold crypto-assets in their portfolios if such assets are traded on venues operated by a VASP duly authorised to operate in Brazil – or, if abroad, by a foreign supervisory authority competent to oversee the VASP’s operation and, in particular, enforce AML/CFT and market integrity rules. Non-financial funds are only allowed to hold crypto-assets insofar as they represent another financial asset – that is, a tokenised asset.

When analysing the Brazilian regulatory framework, it is important to differentiate electronic currency from virtual assets. Electronic currency is the digital representation of fiduciary Brazilian currency, while virtual assets are blockchain assets, as defined in 10.3 Classification of Blockchain Assets. Stablecoins backed by fiduciary currency are included in the concept of virtual assets.

NFTs in Brazil are not subject to a standalone statutory regime, but may fall under existing legal and regulatory frameworks depending on their functional characteristics. NFTs must comply with copyright and consumer protection laws, tax law and capital markets regulation where they resemble securities, investment contracts or collective investment schemes under CVM oversight.

Stablecoins are defined by BCB Resolution No 520 as “virtual assets backed by reserve assets created for the purpose of maintaining their value linked to the value of a reference fiat currency”. As such, the Brazilian regulatory framework accepts only stablecoins backed by fiat currencies. Algorithmic stablecoins are specifically prohibited.

Pursuant to BCB Resolution No 521, the purchase, sale and exchange of stablecoins are all operations related to foreign exchange markets and require the intermediation of an institution authorised to operate in foreign crypto-exchange markets.

Open banking, initially launched by the BCB in 2020, has since evolved into “open finance”, a broader framework that encompasses data sharing and service integration models beyond banking and payments to also include investment, insurance, pension and foreign exchange products.

Open finance is primarily regulated by Joint Resolution No 1/20, as amended. Under this framework, electronic currency issuers and providers of payment and deposit accounts are required to participate in open finance, at a minimum by enabling the sharing of data for payment initiation services. Participation obligations include adhering to technical standards, governance rules, data sharing protocols and cybersecurity requirements established by the BCB and the open finance governance structure.

The regulatory architecture is structured around three core pillars:

• consumer consent, ensuring that customers retain full control over how their financial data is accessed and shared;
• secure interoperability, supported by standardised application programming interfaces (APIs), cybersecurity protocols and operational requirements; and
• governance and supervision, with oversight exercised by the BCB and the open finance governance structure.

Institutions that voluntarily extend their participation beyond the minimum requirements may share additional categories of data (such as investment or insurance information) and provide more advanced integrated services.

The Brazilian open finance framework imposes robust technological, operational and governance obligations on its participants. Joint Resolution No 1/20 and the open finance protocols establish detailed technological, operational and application programming interface (API) standards that must be followed by regulated institutions wishing to participate in open finance. These standards are designed to ensure interoperability among different financial institutions and to guarantee the secure and efficient exchange of customer data.

In addition to establishing the technical framework, the BCB conducts ongoing certification activities and supervised testing to verify compliance with the security and performance requirements set forth within the open finance ecosystem. These assessments aim to ensure that participating institutions effectively implement the governance rules, cybersecurity controls, consent mechanisms and data-sharing protocols necessary for secure participation in open finance.

To guarantee that shared data is protected and accessed solely by the participating institutions, which bear regulatory and legal responsibility for that data, the BCB, in alignment with the LGPD, ensures that consumer consent is obtained for clear and limited purposes, and for a specific duration. All consent requirements are designed to ensure that the data is not utilised beyond its intended purposes.

Monetary authorities in Brazil have not established a regulatory definition for the practice of “fraud” within the national financial system or Brazilian payment system, though such practice is usually deemed an estelionato (swindling) crime for Brazilian law purposes, defined as “obtaining, for oneself or for another, an unlawful advantage, to the detriment of others, by inducing or keeping someone in error, through artifice, deceit, or any other fraudulent means”.

Brazilian regulators, particularly the BCB, have prioritised fraud prevention and mitigation as a core supervisory objective.

Recent regulations applicable to institutions authorised to operate by the BCB require such institutions to put in place internal controls aimed at preventing, identifying and resolving fraud, as well as sharing with other authorised institutions information on fraud occurrence according to Joint Resolution No 6/22. Additional measures have been taken by the B2B within Pix payment rails to reduce fraud, such as:

• the use of the transactional account identifier directory (Diretório Identificador de Chaves Transactionais; DICT) within Pix for marking fraudulent accounts and account holders in order to prevent such persons from opening new accounts and carrying out new transactions; and
• the creation of transaction limits, enhanced authentication mechanisms and the Special Return Mechanism (Mecanismo Especial de Devolução; MED) to reduce fraud risk and improve customer protection within the PIX ecosystem.

Recent judicial decisions in Brazil have established that institutions authorised by the BCB may be held liable for losses suffered by customers when fraud occurs because of insufficient internal controls or failures in security protocols. Courts have increasingly recognised that regulated entities have a duty to implement robust authentication procedures, effective monitoring systems and adequate safeguards to prevent unauthorised transactions. Where those controls prove deficient, the institution may be required to reimburse the customer for the resulting financial losses.

Conversely, when the fraud results from a customer voluntarily providing their account details or other sensitive information to a third party, typically through social engineering schemes – and where the authorised institution can demonstrate that it maintained all required internal controls, security measures and monitoring mechanisms, the institution is generally not held responsible for reimbursing the customer’s losses. In such cases, courts have understood that the institution fulfilled its regulatory obligations and that the proximate cause of the loss was the customer’s disclosure of sensitive data rather than a failure of the institution’s systems or procedures.