Circular Letter No. 4056 — Establishes Procedures for Adherence to the Instant Payment Arrangement (PIX) from Its Launch

The Head of the Department of Competition and Financial Market Structure (Decem), using the powers conferred upon them by Article 97-A, item V, and Article 62, item IV, of the Internal Regulations of the Central Bank of Brazil, annexed to Ordinance No. 84,287 of February 27, 2015, and considering the provisions of Articles 4, 6, and 9 of Circular Letter No. 3,985 of February 18, 2020,

RESOLVES:

Art. 1. To adhere to PIX, from its launch, institutions that fall under the criteria for mandatory participation or that wish to participate in PIX on a voluntary basis must successfully complete the registration and homologation stages.

CHAPTER I

Registration Stage

Art. 2. The registration stage comprises the sending, by the institutions referred to in Art. 1, of their registration information, as provided in Circular Letter No. 4,006 of February 20, 2020.

Sole Paragraph. Institutions that have sent the information referred to in the main text within the deadlines set in Circular Letters No. 4,006 of 2020 and No. 4,022 of April 9, 2020, may alter or complement them until October 16, 2020.

Art. 3. Financial institutions in operation that do not offer transactional accounts to end-users, in addition to the information referred to in Art. 2, must have a pending authorization request for the issuance of electronic money with the Central Bank of Brazil.

§ 1. Institutions referred to in the main text are permitted to submit a PIX adherence request indicating the option to participate in the direct modality in the Instant Payment System (SPI).

§ 2. In addition to the requirements contained in this circular letter, the adherence of the institutions referred to in the main text to PIX depends on the conclusion of the authorization process for the issuance of electronic money and the effective maintenance of transactional accounts for end-users until October 16, 2020.

Art. 4. Payment institutions with a pending authorization for operation at the Central Bank of Brazil are permitted to submit a PIX adherence request, indicating the option to participate in the direct modality in the Instant Payment System (SPI).

Sole Paragraph. The participation of the institution referred to in the main text in the SPI in the direct modality is conditioned on the granting of the aforementioned authorization by the Central Bank of Brazil until October 16.

Art. 5. Confederations of central credit cooperatives, central or federations of credit cooperatives, and cooperative banks, in addition to the information referred to in Art. 2, must provide the following information for each affiliated cooperative:

I - National Registry of Legal Entities (CNPJ) registration;

II - Corporate name of the institution;

III - Number of active customer accounts:

a) number of demand deposit accounts;

b) number of savings deposit accounts; and

c) number of prepaid payment accounts.

Sole Paragraph. Credit cooperatives affiliated with confederations, central or federations of credit cooperatives, or cooperative banks whose registration has been carried out in accordance with the main text are exempt from sending the registration information referred to in Art. 2.

Art. 6. If the institution referred to in Art. 1 is a payment institution not subject to authorization for operation by the Central Bank of Brazil or in the process of obtaining such authorization, it must additionally present:

I - a contract signed with a responsible participant, in accordance with the PIX Regulation; and

II - a declaration signed by the responsible participant stating that, in accordance with the PIX Regulation, the contracting institution:

a) has the technical and operational capacity to fulfill the duties and obligations set forth in the PIX Regulation; and

b) has paid the minimum required capital amount.

Sole Paragraph. The documents referred to in items I and II of the main text must be sent to the Central Bank of Brazil until October 16, 2020.

Art. 7. Except for information regarding the number of active customer accounts, the remaining information and documents related to the Registration Stage must be kept updated with the Central Bank of Brazil.

Art. 8. The information and documents referred to in this Chapter, including any changes to information and documents already sent, must be forwarded to Decem through the Central Bank of Brazil's Digital Protocol (Digital Protocol), observing the guidelines contained in Annex III.

CHAPTER II

Homologation Stage

Art. 9. The homologation stage referred to in Art. 1 comprises:

I – formal homologation tests in the SPI;

II – homologation tests between the indirect participant and the direct participant providing settlement services in the SPI;

III – formal homologation tests in the Transactional Account Identifier Directory (DICT); and

IV – verification of adherence of solutions developed for end-users.

Section I

Formal Homologation Tests in the SPI

Art. 10. Institutions that fall under the mandatory criteria or that wish to participate in the SPI in the direct modality on a voluntary basis must carry out formal homologation tests, as provided in specific regulation.

Section II

Homologation Tests between the Indirect Participant and the Direct Participant Providing Settlement Services in the SPI

Art. 11. Institutions that fall under the criteria for mandatory indirect participation in the SPI or that wish to participate in the SPI in the indirect modality on a voluntary basis must carry out homologation tests with the direct participant providing settlement services in the SPI.

§1. The homologation tests referred to in the main text must be defined by the direct participant, such that it is able to declare the operational aptitude of the indirect participant.

§ 2. The direct participant must keep the documentation and evidence of the performance of the homologation tests available to the Central Bank of Brazil.

Section III

Formal Homologation Tests in the DICT

Art. 12. Institutions that fall under the criteria for mandatory direct access to the DICT or that wish to access the DICT directly on a voluntary basis must carry out formal homologation tests.

§ 1. The formal tests referred to in the main text comprise:

I – test of the functionalities for registering, deleting, and querying keys for addressing;

II – test of the functionalities for portability and claiming ownership of keys for addressing;

III – test of the protection mechanisms against scanning of the DICT and the internal database replicating the keys for addressing of end-users of the institution related to the transactional accounts maintained therein;

IV – test of the synchronization verification functionality;

V – test of the functionalities for registering, deleting, querying, portability, claiming ownership, and synchronization verification of keys for addressing, simulating requests sent by institutions that access the DICT indirectly; and

VI – capacity test.

§ 2. The tests referred to in item V of § 1 apply only to institutions that offer access to the DICT service to other institutions.

§ 3. To carry out the tests referred to in the main text, the institution may use the virtual institution that will be created by the DICT, in the homologation environment, for each institution.

Art. 13. The schedule and requirements for fulfilling the tests referred to in Art. 11 are set forth in Annex I.

§ 1. The capacity test referred to in item VI of § 1 of Art. 12 must be scheduled in advance by sending a message to the address dict@bcb.gov.br.

§ 2. When extraordinary facts justify it, the Central Bank of Brazil may alter the times scheduled for carrying out tests contained in Annex I, communicating the alteration to the institutions.

Section IV

Process for Verification of Adherence of Solutions to End-Users

Art. 14. Transactional account providers, in accordance with the PIX Regulation, that fall under the criteria for mandatory participation in PIX or that wish to participate in PIX on a voluntary basis must fulfill the stages of the process for verification of adherence of solutions to end-users.

§ 1. Transactional account providers that use a mobile phone application provided by another PIX participant are exempt from complying with the provisions of the main text.

§ 2. For the purposes of the exemption referred to in § 1, the PIX participant providing the mobile phone application must send the exemption request through the Digital Protocol, observing the guidelines contained in Annex III, until July 15, 2020, identifying the PIX participant to whom this service is provided.

Art. 15. The process referred to in the main text of Art. 14 comprises the stages of:

I – submission of a draft mobile phone application design intended for natural person users;

II – submission of a mobile phone application design intended for natural person users; and

III – adjustments to the design and submission of the final version of the mobile phone application design intended for natural person users.

§ 1. The draft design referred to in item I of the main text must contemplate the intended method of making PIX available, presenting at minimum:

I – the dynamics of activating the environment dedicated to PIX;

II – the location of PIX functionalities in the general application environment; and

III – a general presentation of the application options involving functionalities related to PIX (e.g., payments, transfers, etc.), including menus, shortcuts, and quick access buttons, if they exist.

§ 2 The design referred to in item II of the main text must adhere to the obligations and recommendations detailed in the Manual of Minimum Requirements for User Experience, which is part of the PIX Regulation.

§ 3. The draft design and the design referred to in Art. 15 must contain illustrative screens of the mobile phone application.

Art. 16. The schedule and requirements for fulfilling the stages of the process for verification of adherence of solutions are set forth in Annex II.

Art. 17. The draft design and design referred to in Art. 15 must be sent, in free format, to Decem through the Digital Protocol, observing the guidelines contained in Annex III.

Art. 18. Institutions must develop and implement the application in adherence to the final version of the submitted design, and subsequent changes must comply with the provisions of the PIX Regulation, which includes the Manual of Minimum Requirements for User Experience.

Art. 19. The provisions of this section do not apply to mobile phone applications intended exclusively for business end-users.

CHAPTER III

General Provisions

Art. 20. Failure to comply with the requirements and deadlines established in this circular letter may result, at the discretion of the Central Bank of Brazil, in direct supervision actions and detailed monitoring of the evolution of the tests.

Art. 21. Institutions that do not obtain approval from the Central Bank of Brazil regarding compliance with the requirements of the registration and homologation stages will not be eligible to adhere to PIX from its launch.

Art. 22. In addition to complying with the provisions of this circular letter, the successful conclusion of the PIX adherence process implies a commitment to adhere to the rules, conditions, and procedures established in the PIX Regulation.

Art. 23. This Circular Letter enters into force on June 1, 2020.

Angelo José Mont Alverne Duarte

Head of Decem

Annex I – Requirements and deadlines for fulfilling formal tests for access to the DICT

Object of the tests

For compliance purposes, the institution must:

Period

1. Functionalities for registering, deleting, and querying keys for addressing

I – register at least one key for addressing of each type (mobile phone number, e-mail, CPF, CNPJ, and Virtual Payment Address – EVP); II – delete at least one key for addressing of each type (mobile phone number, e-mail, CPF, CNPJ, and Virtual Payment Address – EVP); and III – query at least one key for addressing of each type (mobile phone number, e-mail, CPF, CNPJ, and Virtual Payment Address – EVP).

June 1, 2020 to July 15, 2020

9am to 6pm

business days

2. Functionalities for portability and claiming ownership of keys for addressing

I – initiate portability process with mobile phone number, e-mail, CPF, and CNPJ; II – cancel at least one portability process with status "Pending"; III – confirm at least one portability process with status "Pending"; IV – initiate ownership claim process with mobile phone number and e-mail; V – cancel at least one ownership claim process with status "Pending"; and VI – confirm at least one ownership claim process with status "Pending".

July 1, 2020 to August 15, 2020

9am to 6pm

business days

3. Protection mechanisms against scanning of the DICT and internal databases of participants

I – send a declaration, to the email dict@bcb.gov.br, stating that performing two successive queries of the same key for addressing results in the same "PI-EndUser" for both queries; and II – send a declaration, to the email dict@bcb.gov.br, stating that the protection mechanisms against scanning of the internal database are satisfactorily replicating the mechanisms for preventing reading attacks used by the DICT.

August 1, 2020 to September 30, 2020

4. Synchronization verification functionality

I – register at least one thousand keys for addressing of a specific type (mobile phone number, e-mail, CPF, CNPJ, or Virtual Payment Address – EVP) and request synchronization verification for this type of key for addressing; and II – simulate lack of synchronization between the DICT and the internal database and identify divergent keys for addressing through a file of content identifiers (CIDs) registered in the DICT.

July 1, 2020 to August 31, 2020

9am to 6pm

business days

(exception: CIDs – 4pm to 6pm

business days)

5. Simulation of requests sent by participants accessing the DICT indirectly (all functionalities)

Execute, on behalf of another institution, the tests referred to in items 1, 2, and 4 (object of the tests).

July 1, 2020 to August 31, 2020

9am to 6pm

business days

6. Capacity test

I – Query one thousand different keys within a 60-second interval and receive a successful response from the DICT, if the institution maintains up to one million transactional accounts; II – query two thousand different keys within a 60-second interval and receive a successful response from the DICT, if the institution maintains between one million and ten million transactional accounts; or III – query four thousand different keys within a 60-second interval and receive a successful response from the DICT, if the institution maintains more than ten million transactional accounts.

The queries must last ten minutes and must be distributed homogeneously over time, with the total number of operations being equal to:

I – ten thousand, if the institution maintains up to one million transactional accounts;

II – twenty thousand, if the institution maintains between one million and ten million transactional accounts; or

III – forty thousand, if the institution maintains more than ten million transactional accounts.

August 1, 2020 to September 30, 2020

9am to 6pm

business days

Final adjustments

Until October 16, 2020

9am to 6pm

business days

Annex II – Requirements and deadlines for the process of verification of adherence of solutions to end-users

Stages

For compliance purposes, the institution must:

Period

1. Submission of draft mobile phone application design

Submit draft mobile phone application design indicating the intended method of making PIX available, presenting, at minimum: I – the dynamics of activating the environment dedicated to PIX; II – the location of PIX functionalities in the general application environment; and

III – a general presentation of the application options involving functionalities related to PIX (e.g., payments, transfers, etc.), including menus, shortcuts, and quick access buttons, if they exist.

June 1, 2020 to July 15, 2020

2. Submission of mobile phone application design

Submit mobile phone application design, which must contain, at least, the following indications: I – method of user authentication; II – method of making the following procedures available for initiating a PIX: a) manual insertion of the receiving user's data by the paying user; b) insertion of a key for addressing; and c) QR Code reading; III – method of initiating a PIX through the insertion of the five types of keys for addressing: a) mobile phone number; b) e-mail address; c) CPF registration number; d) CNPJ registration number; and e) Virtual Payment Address (EVP); IV – method of making the receiving user's information available after querying the DICT for a PIX initiated through the insertion of a key for addressing; V – method of making error messages available; VI – method of notifying the paying user after the successful completion of a transaction; VII – method of notifying the receiving user after the successful completion of a transaction; VIII – method of presenting a PIX receipt; IX – method of initiating a PIX through the manual insertion of the receiving user's data; X – method of presenting PIX in the transaction statement; XI – method of making refunds available; XII – method of making the key management option available; XIII – method of making information regarding keys for addressing available; XIV – method of making key registration available; XV – method of making key deletion available; XVI – method of making key portability available; XVII – method of communicating with the user after receiving a key portability request; XVIII – method of notifying the user of the successful and unsuccessful completion of key registration, deletion, portability, and ownership claim operations; XIX – method of making the receiving user's information available after reading a static QR Code; XX – method of making the receiving user's information available after reading a dynamic QR Code or after opening an address via link; XXI – method of making the option to generate a QR Code available.

August 1, 2020 to August 31, 2020

3. Adjustments to the design and submission of the final version of the mobile phone application design

Depending on the analysis of each design.

August 1, 2020 to October 16, 2020

Annex III – Procedures for procedural instruction through the Digital Protocol

Art. 1. The sending of information and documents to the Central Bank of Brazil, both in the registration stage and in the homologation stage of the PIX adherence process, must be done through the Central Bank of Brazil's Digital Protocol (Digital Protocol), observing the following procedures:

I - access the Digital Protocol through an institutional user account via the electronic address https://protocolodigital.bcb.gov.br/protocolo/acesso/;

II - adopt the following procedures on the screen of the system referred to in item I:

a) fill in the "Description" field, using the following components, in the format "xx.xxx.xxx - Institution - stage", wherein the component:

1. "xx.xxx.xxx" must correspond to the registration number (first eight digits) of the institution in the National Registry of Legal Entities (CNPJ);

2. "Institution" must correspond to the corporate name of the institution submitting the information; and

3. "stage" must be filled with "PIX – adherence process – registration stage" or "PIX – adherence process – homologation stage", depending on the stage in which the institution's adherence process is and the documents to be sent, and

b) select "PIX – adherence process" in the "Select a subject" field.

III - send each file in PDF/A format.

§1 In the event of sending more than one document, the "Register complementary document" field must be selected so that all documents from the same institution are linked.

§2 In the event that a file exceeds the maximum size allowed by the system, the file must be partitioned, in which case the "Description" field must be filled using the format "xx.xxx.xxx - Institution - stage - Part 1", "xx.xxx.xxx - Institution - stage - Part 2", and so on.

Art. 2. If the institution does not yet have an institutional user account in the Digital Protocol, instead of what is established in Art. 1 of this Annex, the sending of information and documents may alternatively observe the following procedures:

I - access to the Digital Protocol must be carried out through a natural person user account (citizen profile) via the electronic address https://protocolodigital.bcb.gov.br/protocolo/acesso/;

II - adopt the following procedures on the screen of the system referred to in item I:

a) the "Description" field must be filled using the following components, in the format "xxx.xxx.xxx-xx - Institution - stage", wherein the component:

1. "xxx.xxx.xxx-xx" must correspond to the complete registration number in the Individual Taxpayer Registry (CPF) of the institution's representative;

2. "Institution" must correspond to the corporate name of the institution submitting the information; and

3. "stage" must be filled with "PIX – adherence process – registration stage" or "PIX – adherence process – homologation stage", depending on the stage in which the institution's adherence process is and the documents to be sent, and

b) select "PIX – adherence process" in the "Select a subject" field.

III - send each file in PDF/A format.

§1 In the event of sending more than one document, the "Register complementary document" field must be selected so that all documents from the same institution are linked.

§2 In the event that a file exceeds the maximum size allowed by the system, the file must be partitioned, in which case the "Description" field must be filled using the format "xxx.xxx.xxx-xx - Institution - stage - Part 1", "xxx.xxx.xxx-xx - Institution - stage - Part 2", and so on.