2023-05-23 | Resolução Conjunta 6
The Central Bank of Brazil and the National Monetary Council issued Joint Resolution No. 6 to mandate that financial institutions, payment institutions, and other authorized entities share data and information regarding fraud indicators. The resolution requires the establishment of an electronic system for recording, accessing, and updating fraud-related data, subject to strict principles of security, privacy, data quality, and interoperability. Institutions are held responsible for the reliability and confidentiality of shared data, must maintain detailed documentation and audit trails, and are subject to oversight and potential sanctions by the Central Bank for non-compliance.
JOINT RESOLUTION NO. 6, OF MAY 23, 2023
Establishes requirements for sharing data and information on fraud indicators to be observed by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.
The Central Bank of Brazil, in accordance with Article 9 of Law No. 4.595, of December 31, 1964, makes public that its Collegiate Board, in a session held on May 10, 2023, based on Articles 9-A of Law No. 4.728, of July 14, 1965, 9, caput, and item II, of Law No. 12.865, of October 9, 2013, and the National Monetary Council, in a session held on May 18, 2023, based on Articles 4, item VIII, of Law No. 4.595, of 1964, 20, § 1, of Law No. 4.864, of November 29, 1965, 1 of Decree-Law No. 70, of November 21, 1966, 7 and 23, letter "a", of Law No. 6.099, of September 12, 1974, 1, § 1, item XIII, and § 3, item I, of Complementary Law No. 105, of January 10, 2001, 1, item II, of Law No. 10.194, of February 14, 2001, and 1, § 1, of Complementary Law No. 130, of April 17, 2009,
HAVE RESOLVED:
Art. 1. This Joint Resolution establishes requirements for sharing data and information on fraud indicators to be observed by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.
§ 1. The provisions of this Joint Resolution do not apply to consortium administrators.
§ 2. For the purposes of this Joint Resolution, the institutions referred to in the caput are considered financial institutions for the effects of Complementary Law No. 105, of January 10, 2001.
Art. 2. Institutions must share data and information with the other institutions referred to in Article 1 for the purpose of supporting their procedures and controls for fraud prevention.
§ 1. The sharing referred to in the caput must be carried out through an electronic system that includes, at a minimum, the following functionalities:
I - the recording of data and information on indications of occurrences or attempts of fraud identified by institutions in their activities;
II - the alteration and exclusion of data and information registered in accordance with § 1, item I, of this article, as applicable; and
III - the consultation of data and information registered as referred to in § 1, item I, of this article.
§ 2. The recording of data and information referred to in § 1, item I, of this article must include, at a minimum:
I - the identification of who, according to the available indications, would have executed or attempted to execute the fraud, when applicable;
II - the description of the indications of the occurrence or attempt of fraud;
III - the identification of the institution responsible for recording the data and information; and
IV - the identification of the data of the destination account and its holder, in case of transfer or payment of funds.
§ 3. The institutions referred to in the caput must obtain prior and general consent from the client with whom they have a relationship, enabling the recording of data and information referred to in § 2 that concern said client.
§ 4. The consent referred to in § 3 must:
I - have as its purpose the processing and sharing of data and information on fraud indicators within the scope of this Joint Resolution; and
II - be contained in a contract signed between the client and the institution, through a highlighted clause in the body of the contractual instrument or by another valid legal instrument.
§ 5. The documentation referred to in item II of § 4 must be made available to the Central Bank of Brazil.
§ 6. The data and information to be shared, as provided in the caput of this article, must be made available in compliance with current legislation and regulation, observing the duty of confidentiality, the protection of personal data, and free competition.
§ 7. The recording referred to in § 1, item I, of this article does not apply to confidential data and information, under special legislation, related to indications of the practice of crimes of "money laundering" or concealment of assets, rights, and values, and of terrorism financing.
§ 8. Institutions must establish and document the procedures and criteria for identification referred to in item I of § 2 of this article, in a detailed manner compatible with the institution's risk profile, with the legislation, and with current regulation, which will include, at a minimum, verification with data contained in systems, registries, and other databases available for consultation.
§ 9. The procedures and controls referred to in the caput include, for example, those provided for the purpose of providing payment services, as well as for the opening and maintenance of deposit and payment accounts, in accordance with current regulation.
Art. 3. The institutions referred to in Article 1, to achieve the purpose of sharing referred to in Article 2, must conduct their activities in observance of current legislation and regulation, observing the duty of confidentiality, the protection of personal data, and free competition, as well as the following principles:
I - security and privacy of data and information shared within the scope of this Joint Resolution;
II - quality of shared data and information;
III - full and non-discriminatory access of institutions to the functionalities of the electronic system referred to in Article 2, § 1;
IV - efficiency in fulfilling the requirements of the electronic system referred to in this Joint Resolution, including in the unique and common communication standard referred to in Article 4, item II;
V - reciprocity with other institutions, regarding the data and information shared within the scope of this Joint Resolution; and
VI - interoperability with other electronic systems implemented in compliance with the provisions of this Joint Resolution, when existing, in accordance with Article 4, item IV.
Art. 4. Institutions must observe, for the purpose of implementing the electronic system referred to in Article 2, § 1, the following requirements:
I - allow full access by the institutions referred to in Article 1 to the functionalities of said system, with the respective identification of who performed the access;
II - adopt a unique and common communication standard that allows the execution of its functionalities;
III - include procedures and controls to ensure:
a) compliance with current legislation and regulation;
b) the confidentiality, integrity, availability, and recovery of data and information registered therein;
c) its adherence to security certifications;
d) the preparation of reports by an independent specialized audit company regarding the procedures and controls used in the execution of its functionalities;
e) the provision of adequate information and management resources for the monitoring of its functionalities;
f) the identification and segregation of data and information registered through physical or logical controls;
g) the quality of access controls aimed at protecting the data and information registered through said system; and
h) free access by the data subject to information concerning them, as well as the timely exclusion or correction of registered data and information, in case of any errors, inconsistencies, or other demands, in observance of current legislation and regulation; and
IV - ensure its interoperability with other electronic systems implemented in compliance with the provisions of this Joint Resolution, when existing.
Sole Paragraph. Compliance with the requirements referred to in this article must be documented.
Art. 5. It is permitted to hire a company to provide the data and information sharing service referred to in Article 2, in observance of the provisions of this Joint Resolution, in legislation, and in current regulation, especially in regulations concerning the hiring of data processing and storage services and cloud computing by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.
§ 1. In the case of hiring referred to in the caput, the responsibilities for the purposes of this Joint Resolution, including those related to the processing of shared data, carried out in the name of the contracting institution, will remain with the contracting institution.
§ 2. The service provided as referred to in the caput is considered relevant for the purposes of applying current regulation on the hiring of data processing and storage services and cloud computing by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.
Art. 6. The institutions referred to in Article 1 are responsible:
I - for the reliability, integrity, availability, security, and confidentiality regarding data and information registered by them in accordance with Article 2, § 1, item I;
II - for the implementation of the functionalities of the system referred to in Article 2, § 1;
III - for compliance with the requirements cited in Article 4;
IV - for the use of data and information obtained by them through consultation of the electronic system referred to in Article 2, § 1, and for the preservation of the confidentiality of such data; and
V - for compliance with current legislation and regulation.
Art. 7. The institutions referred to in Article 1 must establish monitoring and control mechanisms with a view to ensuring the effectiveness of compliance with the provisions of this Joint Resolution, including:
I - the definition of processes, tests, and audit trails;
II - the definition of adequate metrics and indicators; and
III - the identification and correction of any deficiencies.
Sole Paragraph. The mechanisms referred to in the caput must be submitted to periodic tests by internal audit, when applicable, compatible with the institution's internal controls.
Art. 8. Institutions must make available to the Central Bank of Brazil:
I - documentation on the electronic system referred to in Article 2, § 1, including regarding the requirements referred to in Article 4, sole paragraph;
II - for ten years, the data and information shared, in accordance with Article 2, § 6, item II, and the documentation with the criteria and procedures referred to in Article 2, § 8; and
III - for five years, the data, records, and information relating to the application of the monitoring and control mechanisms referred to in Article 7, with the period referred to in this item counted from each application of the cited mechanisms.
Art. 9. The Central Bank of Brazil may adopt, within the scope of its legal attributions, the necessary measures for the execution of the provisions of this Joint Resolution, which includes establishing, among other aspects:
I - the functionalities of the electronic system, observing the minimum content of Article 2, § 1;
II - the scope of data and information to be registered as referred to in Article 2, § 1, item I, observing the minimum content set forth in Article 2, § 2;
III - the detailing of parameters on service level agreements in the execution of the functionalities of the system referred to in Article 2, § 1;
IV - the technical security requirements for the operation of the system referred to in Article 2, § 1, observing the provisions of Article 4, as applicable;
V - the adequacy of the mechanisms referred to in Article 7; and
VI - other technical requirements and operational procedures for the sharing of data and information referred to in Article 2.
§ 1. In the regulation of the measures referred to in the caput, the Central Bank of Brazil must observe the principles referred to in Article 3.
§ 2. In the regulation referred to in item II of the caput, the Central Bank of Brazil must also observe the following general guidelines:
I - the data and information on indications of occurrences or attempts of fraud to be registered must be those necessary and adequate to support the procedures and controls of the institutions referred to in Article 1 for fraud prevention; and
II - the content of the recording must keep pace with technological and procedural innovations, in order to maintain its aptitude for the objective of fraud prevention in future scenarios.
Art. 10. The Central Bank of Brazil may veto or impose restrictions on the hiring referred to in Article 5, when it finds, at any time, non-compliance with the provisions of this Joint Resolution, as well as limitations to the action of the Central Bank of Brazil, establishing a deadline for the adequacy of processes.
Art. 11. Access to data and information shared in accordance with this Joint Resolution will be restricted to the institutions referred to in Article 1, to the Central Bank of Brazil, and to other competent authorities, in accordance with current legislation.
Art. 12. The provisions of this Joint Resolution do not exempt the institution from the responsibility of:
I - carrying out the procedures and controls for fraud prevention provided for in current regulation; and
II - communicating information regarding fraud to competent authorities, in accordance with current legislation.
Art. 13. This Joint Resolution enters into force on November 1, 2023.
Roberto de Oliveira Campos Neto
President of the Central Bank of Brazil