LogoRegulatory Alerts
2026-04-01 | Instrução Normativa BCB 718

Central Bank of Brazil Normative Instruction No. 718 of April 1, 2026

The Central Bank of Brazil issued Normative Instruction No. 718 to establish the procedures, documents, deadlines, and information required for the accreditation and deaccreditation of Information Technology Service Providers (PSTIs) and for their ongoing reporting obligations. The regulation mandates specific documentation, including business plans, security certifications, and orderly exit plans, while defining strict timelines for notifying the central bank of administrative changes or control transfers. It further details the minimum coverage requirements for civil liability and operational risk insurance that PSTIs must maintain to ensure service continuity and regulatory compliance.

Banco Central do Brasil logo

Brazil

Banco Central do Brasil

Click to view thumbnail

CENTRAL BANK OF BRAZIL NORMATIVE INSTRUCTION NO. 718, OF APRIL 1, 2026

Publishes procedures, documents, deadlines, and information necessary for the processing of requests related to the accreditation and deaccreditation of Information Technology Service Providers – PSTI, and for the provision of information to the Central Bank of Brazil by the PSTI.

The heads of the Departments of Organization of the Financial System (Deorf), of Information Technology (Deinf), and of Strategic Management and Specialized Supervision (Degef), in the exercise of the authority conferred upon them by Article 23, item I, letter “a”, of the Internal Regulations of the Central Bank of Brazil, annexed to Resolution BCB No. 340, of September 21, 2023, based on Article 36 of Resolution BCB No. 498, of September 5, 2025,

RESOLVE:

CHAPTER I OF THE OBJECT AND SCOPE OF APPLICATION

Article 1. Procedures, documents, deadlines, and information necessary for the processing of requests related to the accreditation and deaccreditation of Information Technology Service Providers – PSTI, and for the provision of information to the Central Bank of Brazil by the PSTI, are hereby published.

CHAPTER II OF ACCREDITATION AND DEACREDITATION

Section I Of Accreditation

Article 2. The accreditation request must be filed with the Central Bank of Brazil, via the Digital Protocol, directed to the Department of Organization of the Financial System (Deorf), in accordance with current regulations, accompanied by the following documents and information:

I - application, in the format of Annex I;

II - designation of administrators;

III - declaration, signed by controllers who are natural persons, stating that they meet the requirement of impeccable reputation and the conditions established by legislation and current regulations, in the format of Annex II, in the case of a PSTI organized as a corporation or limited liability company;

IV - declaration, signed by controllers who are not natural persons, stating that they meet the conditions established by legislation and current regulations, in the format of Annex III, in the case of a PSTI organized as a corporation or limited liability company;

V - authorization, signed by controllers, in the case of a PSTI organized as a corporation or limited liability company, in the format of Annex II or III, to the Central Bank of Brazil to:

a) access information about them in any public or private registration and information system, including judicial or administrative proceedings and police inquiries;

b) carry out the processing and shared use of personal data under their ownership, including those considered sensitive and covered by confidentiality, in accordance with current legislation;

VI - declaration, signed by the designated administrators, stating that they meet the requirements of impeccable reputation and technical qualification compatible with the functions to be exercised during their term, as well as the conditions established by legislation and current regulations, in the format of Annex IV;

VII - authorization, signed by the designated administrators, in the format of Annex IV, to the Central Bank of Brazil to, during the evaluation process of their names and the period of exercise of functions:

a) access information about them in any public or private registration and information system, including judicial or administrative proceedings and police inquiries;

b) carry out the processing and shared use of personal data under their ownership, including those considered sensitive and covered by confidentiality, in accordance with current legislation;

VIII - declaration, signed by the PSTI, in the format of Annex V, stating:

a) knowledge of the legal and regulatory requirements and conditions to which the designated administrators are subject for the exercise of their functions, as well as the hypotheses of ineligibility;

b) that research has been conducted regarding the designated administrators in public and private registration and information systems, confirming that they meet the legal and regulatory requirements and conditions necessary for the exercise of their functions;

c) that it has been verified that the designated administrators possess technical qualification compatible with the functions to be exercised during their term;

d) that it has been authorized by the designated administrators to access any information, protected by legal confidentiality or not, or documents related to the analysis by the Central Bank of Brazil of their names for the exercise of functions and while their terms last;

e) that it has been authorized by the designated administrators to be aware of the processing of respective processes related to accreditation, monitoring, or supervision and to obtain copies of documents contained therein, including those containing data under their ownership protected by any type of confidentiality, even those considered sensitive, in accordance with current legislation;

IX - declaration, signed by the controllers, regarding the definition of control and agreements and other instruments entered into by shareholders or partners, in the format of Annex VI, in the case of a PSTI organized as a corporation or limited liability company;

X - financial statements of the PSTI relating to the last fiscal year, audited by independent audit registered with the Securities and Exchange Commission (CVM);

XI - declaration, in the model provided for in Annex I, of the regular constitution of the PSTI;

XII - declaration, in the model provided for in Annex I, that the PSTI does not fall under the prohibitions established in Article 6 of Resolution BCB No. 498, of 2025;

XIII - declaration, in the model provided for in Annex I, regarding the archiving, communication, and provision of agreements and other instruments entered into by shareholders or partners, in the case of a PSTI organized as a corporation or limited liability company;

XIV - registration form filled out by the controllers, in the format of Annex VII or VIII, in the case of a PSTI organized as a corporation or limited liability company;

XV - registration form filled out by the designated administrators, in the format of Annex VII;

XVI - business plan, in accordance with the provisions of Annex IX, containing the description of the business and evidence that the PSTI has adequate and sufficient organizational, technical, operational, and financial capacity and structure to provide data processing services, for the purpose of accessing the National Financial System Network (RSFN), observing the requirements established in Chapter III of Resolution BCB No. 498, of 2025, and the technical standards regarding electronic data communication within the National Financial System - SFN and the Brazilian Payments System - SPB;

XVII - Adhesion and Responsibility Term, as provided for in Annex X, signed by the legal representative of the PSTI using a digital certificate issued by a certification authority of the Brazilian Public Key Infrastructure – ICP-Brasil, proving adherence to the principles and rules of the RSFN;

XVIII - proof of the PSTI’s technical-operational capacity to provide data processing services, for the purpose of accessing the RSFN, observing the requirements established in Chapter III of Resolution BCB No. 498, of 2025, and the technical standards regarding electronic data communication within the National Financial System - SFN and the Brazilian Payments System – SPB, as provided for in Annex XI;

XIX - information security certification in an internationally recognized standard;

XX - contract signed with independent audit with the objective of carrying out annual assessments in information security and, when applicable, in anti-money laundering and counter-terrorism financing prevention;

XXI - documentation proving the hiring of civil liability and operational risk insurance, observing Article 3;

XXII - documentation proving the establishment of procedures for providing, to the Central Bank of Brazil and to contracting institutions, the reports prepared by independent audit based on annual assessments in information security and, when applicable, in anti-money laundering and counter-terrorism financing prevention;

XXIII - complete organizational chart of its governance structure, to ensure that it is compatible with its nature, size, complexity, and risk profile, including committees, forums, and other established governance structures;

XXIV - orderly exit plan, identifying scenarios that may prevent the PSTI from executing its critical activities, and strategies defined to ensure the closure of its activities, highlighting aspects related to legal, operational, and technological requirements that ensure its clients' capacity to continue their operations outside the PSTI environment;

XXV - the policies and plans provided for in Chapter III of Resolution BCB No. 498, of 2025, with proof that they were submitted to and approved by the board of directors, or an equivalent collegial administration body;

XXVI - documents and information regarding business continuity tests carried out in the last 12 (twelve) months;

XXVII - reports of intrusion tests carried out in the last 12 (twelve) months;

XXVIII - contracts, or agreements, signed with companies providing relevant services, especially those involving the hiring of processing, data storage, and cloud computing services.

Sole Paragraph. The Central Bank of Brazil, during the analysis process of the accreditation request, may require other documents and information, convene meetings or interviews, and carry out tests, technical visits, or other types of action in order to verify the information and structure of the PSTI.

Article 3. The civil liability and operational risk insurance must cover, at a minimum, the following coverages:

I - response to cyber incidents and digital fraud;

II - financial losses due to internal and external acts;

III - civil and operational liability; and

IV - governance and executive liability.

Sole Paragraph. The PSTI must submit, together with the proof referred to in the caput, the technical premises, the methodology for determining limits, and the detailed calculation memorandum that underpinned the definition of the policy value.

Section II Of Deaccreditation

Article 4. The deaccreditation request must be filed with the Central Bank of Brazil, via the Digital Protocol, directed to Deorf, in accordance with current regulations, accompanied by the following documents:

I - application, in the format of Annex XII;

II - declaration, in the model provided for in Annex XII, that the orderly exit plan has been concluded;

III - declaration, in the model provided for in Annex XII, that all data processing services, for the purpose of accessing the National Financial System Network – RSFN, to financial institutions and other institutions supervised by the Central Bank of Brazil, have been terminated, as well as that the connection to the RSFN has been deactivated and the support and connectivity services with the RSFN have been cancelled;

IV - declaration of responsibility, in the format of Annex XIII.

CHAPTER III OF THE PROVISION OF INFORMATION TO THE CENTRAL BANK OF BRAZIL

Section I Of the Designation of Administrators

Article 5. The communication of the designation of administrators must be filed with the Central Bank of Brazil, within ten days of its occurrence, via the Digital Protocol, directed to Deorf, in accordance with current regulations, accompanied by the following documents:

I - communication, in the format of Annex XIV;

II - declaration, signed by the designated administrators, stating that they meet the requirements of impeccable reputation and technical qualification compatible with the functions to be exercised during their term, as well as the conditions established by legislation and current regulations, in the format of Annex IV;

III - authorization, signed by the designated administrators, in the format of Annex IV, to the Central Bank of Brazil to, during the evaluation process of their names and the period of exercise of functions:

a) access information about them in any public or private registration and information system, including judicial or administrative proceedings and police inquiries;

b) carry out the processing and shared use of personal data under their ownership, including those considered sensitive and covered by confidentiality, in accordance with current legislation;

IV - declaration, signed by the PSTI, in the format of Annex V, stating:

a) knowledge of the legal and regulatory requirements and conditions to which the designated administrators are subject for the exercise of their functions, as well as the hypotheses of ineligibility;

b) that research has been conducted regarding the designated administrators in public and private registration and information systems, confirming that they meet the legal and regulatory requirements and conditions necessary for the exercise of their functions;

c) that it has been verified that the designated administrators possess technical qualification compatible with the functions to be exercised during their term;

d) that it has been authorized by the designated administrators to access any information, protected by legal confidentiality or not, or documents related to the analysis by the Central Bank of Brazil of their names for the exercise of functions and while their terms last;

e) that it has been authorized by the designated administrators to be aware of the processing of respective processes related to accreditation, monitoring, or supervision and to obtain copies of documents contained therein, including those containing data under their ownership protected by any type of confidentiality, even those considered sensitive, in accordance with current legislation;

V - registration form filled out by the designated administrators, in the format of Annex VII.

Section II Of the Dismissal of Administrators

Article 6. The communication of the dismissal of administrators must be filed with the Central Bank of Brazil, within a maximum of three business days counted from the date of the event, via the Digital Protocol, directed to Deorf, in accordance with current regulations, according to Annex XV.

Section III Of the Transfer or Change of Control

Article 7. The communication of the transfer or change of corporate control of a PSTI organized as a corporation or limited liability company must be filed with the Central Bank of Brazil, within a maximum of fifteen days counted from its occurrence, via the Digital Protocol, directed to Deorf, in accordance with current regulations, accompanied by the following documents and information:

I - communication, in the format of Annex XVI;

II - declaration, signed by the new controllers who are natural persons, stating that they meet the requirement of impeccable reputation and the conditions established by legislation and current regulations, in the format of Annex II;

III - declaration, signed by the new controllers who are not natural persons, stating that they meet the conditions established by legislation and current regulations, in the format of Annex III;

IV - authorization, signed by the new controllers, in the format of Annex II or III, to the Central Bank of Brazil to:

a) access information about them in any public or private registration and information system, including judicial or administrative proceedings and police inquiries;

b) carry out the processing and shared use of personal data under their ownership, including those considered sensitive and covered by confidentiality, in accordance with current legislation;

V - information regarding the purchase and sale contract, the corporate act, or the instrument that formalizes the operation;

VI - declaration, signed by the controllers, regarding the definition of control and agreements and other instruments entered into by shareholders or partners, in the format of Annex VI;

VII - declaration, in the model provided for in Annex XVI, regarding the archiving, communication, and provision of agreements and other instruments entered into by shareholders or partners;

VIII - registration form filled out by the new controllers, in the format of Annex VII or VIII.

CHAPTER IV FINAL PROVISIONS

Article 8. This Normative Instruction enters into force on the date of its publication.

Carolina Pancotto Bohrer Head of Deorf

Caio Moreira Fernandes Head of Deinf

Aristides Andrade Cavalcante Neto Head of Degef

ANNEX I APPLICATION FOR ACCREDITATION

  1. IDENTIFICATION

Social Name:

CNPJ (Taxpayer Registry):

Full Address:

Person responsible for conducting the request: inform name, CPF (Individual Taxpayer Registry), phone, and e-mail.

  1. FORMALIZATION OF THE REQUEST

The institution above qualified, in accordance with the provisions of Article 3 of Resolution BCB No. 498, of 2025, hereby requests from the Central Bank of Brazil accreditation as an Information Technology Service Provider (PSTI) for the provision of data processing services, for the purpose of accessing the National Financial System Network (RSFN), to financial institutions and other institutions supervised by the Central Bank of Brazil.

  1. INFORMATION RELATED TO THE REQUEST

3.1. Identification of controllers, with their respective shareholdings: (in the case of a PSTI organized as a corporation or limited liability company)

Inform for each of the controllers: a) name/social name: b) CPF/CNPJ: (if applicable) c) nationality: d) shareholdings: (at any level of the participation chain, by participating company) e) identification criterion: (evidence the adherence of the identification criterion of these persons to the provisions of Article 4-A, items I and II, of Resolution BCB No. 498, of 2025, or, in cases where the control of the company is not identified according to the criteria of items I and II of Article 4-A of Resolution BCB No. 498, of 2025, the institution must demonstrate that the identified controllers hold: i) the majority of votes in deliberations of meetings or assemblies and the power to elect the majority of administrators; and/or ii) the effectiveness in conducting the corporate business)

3.2. Paid-up Capital and Equity: inform the paid-up capital and equity of the institution relating to the last fiscal year.

3.3. Designated administrators:

Inform for each of the administrators: a) name; b) CPF; c) statutory or contractual body; d) statutory or contractual position; e) date of designation; and f) term for exercising the function.

  1. PROCESS DOCUMENTATION

4.1. Attached are the following documents and information: [ ] declaration and authorization, signed by the controllers, regarding compliance with the requirement of impeccable reputation, in the case of natural persons, and the conditions established by legislation and current regulations, in the format of Annex II or III of this Normative Instruction; (in the case of a PSTI organized as a corporation or limited liability company) [ ] declaration and authorization, signed by the designated administrators, regarding compliance with the requirements of impeccable reputation and technical qualification compatible with the functions to be exercised during their term, as well as the conditions established by legislation and current regulations, in the format of Annex IV of this Normative Instruction; [ ] declaration, signed by the PSTI, regarding the designated administrators, in the format of Annex V of this Normative Instruction; [ ] declaration, signed by the controllers, regarding the definition of control and agreements and other instruments entered into by shareholders or partners, in the format of Annex VI of this Normative Instruction; (in the case of a PSTI organized as a corporation or limited liability company) [ ] financial statements of the PSTI relating to the last fiscal year, audited by independent audit registered with the Securities and Exchange Commission (CVM); [ ] registration form filled out by the controllers, in the format of Annex VII or VIII of this Normative Instruction; (in the case of a PSTI organized as a corporation or limited liability company) [ ] registration form filled out by the designated administrators, in the format of Annex VII of this Normative Instruction; [ ] business plan, in accordance with the provisions of Annex IX of this Normative Instruction, containing the description of the business and evidence that the PSTI has adequate and sufficient organizational, technical, operational, and financial capacity and structure to provide data processing services, for the purpose of accessing the RSFN, observing the requirements established in Chapter III of Resolution BCB No. 498, of 2025, and the technical standards regarding electronic data communication within the National Financial System - SFN and the Brazilian Payments System - SPB; [ ] Adhesion and Responsibility Term, as provided for in Annex X of this Normative Instruction, signed by the legal representative of the PSTI using a digital certificate issued by a certification authority of the Brazilian Public Key Infrastructure – ICP-Brasil, proving adherence to the principles and rules of the RSFN; [ ] proof of the PSTI’s technical-operational capacity to provide data processing services, for the purpose of accessing the RSFN, observing the requirements established in Chapter III of Resolution BCB No. 498, of 2025, and the technical standards regarding electronic data communication within the National Financial System - SFN and the Brazilian Payments System – SPB, as provided for in Annex XI of this Normative Instruction; [ ] information security certification in an internationally recognized standard; [ ] contract signed with independent audit with the objective of carrying out annual assessments in information security and, when applicable, in anti-money laundering and counter-terrorism financing prevention; [ ] documentation proving the hiring of civil liability and operational risk insurance, observing Article 3 of this Normative Instruction; [ ] documentation proving the establishment of procedures for providing, to the Central Bank of Brazil and to contracting institutions, the reports prepared by independent audit based on annual assessments in information security and, when applicable, in anti-money laundering and counter-terrorism financing prevention; [ ] complete organizational chart of its governance structure, to ensure that it is compatible with its nature, size, complexity, and risk profile, including committees, forums, and other established governance structures; [ ] orderly exit plan, identifying scenarios that may prevent the PSTI from executing its critical activities, and strategies defined to ensure the closure of its activities, highlighting aspects related to legal, operational, and technological requirements that ensure its clients' capacity to continue their operations outside the PSTI environment; [ ] the policies and plans provided for in Chapter III of Resolution BCB No. 498, of 2025, with proof that they were submitted to and approved by the board of directors, or an equivalent collegial administration body; [ ] documents and information regarding business continuity tests carried out in the last 12 (twelve) months; [ ] reports of intrusion tests carried out in the last 12 (twelve) months; [ ] contracts, or agreements, signed with companies providing relevant services, especially those involving the hiring of processing, data storage, and cloud computing services.

4.2. Declares that: [ ] is regularly constituted; [ ] does not fall under the prohibitions established in Article 6 of Resolution BCB No. 498, of 2025; [ ] all agreements of partners or shareholders and other contractual, corporate, or governance instruments, entered into at any level of the control chain

Share