Joint Resolution No. 16 — Regulates the Provision of Banking as a Service (BaaS) by Financial Institutions and Payment Institutions

Joint Resolution No. 16

JOINT RESOLUTION NO. 16, OF NOVEMBER 28, 2025

Regulates the provision of Banking as a Service – BaaS services by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.

The Central Bank of Brazil, in accordance with Art. 9 of Law No. 4.595, of December 31, 1964, makes public that its Collegiate Board, in a session held on November 17, 2025, and the National Monetary Council, in a session held on November 27, 2025, based on Arts. 3, caput, item V, and 4, caput, items VI and VIII, of Law No. 4.595, of December 31, 1964, 9-A of Law No. 4.728, of July 14, 1965, 20, § 1, of Law No. 4.864, of November 29, 1965, 1 of Decree-Law No. 70, of November 21, 1966, 7 and 23, caput, item “a”, of Law No. 6.099, of September 12, 1974, 1, caput, item II, of Law No. 10.194, of February 14, 2001, 9, caput, items II and X, of Law No. 12.865, of October 9, 2013, and 1, § 1, of Complementary Law No. 130, of April 17, 2009,

RESOLVED:

CHAPTER I OF THE OBJECT AND SCOPE OF APPLICATION

Art. 1. This Joint Resolution regulates the provision of Banking as a Service – BaaS services by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.

CHAPTER II OF DEFINITIONS

Art. 2. The institutions referred to in Art. 1 must observe the provisions of this Joint Resolution in the provision of BaaS services.

Art. 3. For the purposes of this Joint Resolution, the following are considered: I - provision of BaaS services: the contracting between the BaaS service provider institution and the BaaS service recipient entity for the financial and payment services specified in Art. 4 to be made available to the customer through the BaaS service recipient entity; II - BaaS service provider institution: the institution referred to in Art. 1 that signs a contract with the BaaS service recipient entity to provide the financial or payment services specified in Art. 4 to the customer; III - BaaS service recipient entity: the legal entity legally established in Brazil for whose customers the financial and payment services specified in Art. 4 are made available, provided in accordance with a contract signed with the BaaS service provider institution; and IV - customer: the natural or legal person who has a contractual relationship: a) with the BaaS service provider institution for the provision of the financial and payment services specified in Art. 4; and b) with the BaaS service recipient entity for the provision of other services not specified in Art. 4. Sole paragraph. The following are not included in the provision of BaaS services referred to in item I of the caput, non-exhaustively: I - the provision of correspondent services in the country, in accordance with specific regulation; II - the provision of data processing and storage services and cloud computing services, in accordance with specific regulation; III - partnerships within the scope of Open Finance, in accordance with specific regulation; and IV - activities performed by sub-acquirers and network service providers, in accordance with the regulation governing payment arrangements integrated into the Brazilian Payments System.

CHAPTER III OF THE SCOPE OF SERVICES TO BE PROVIDED

Art. 4. The BaaS service provision contract must have as its scope exclusively one or more of the following services: I - opening, maintenance, and closure of accounts of: a) demand deposits; b) savings deposits; c) prepaid payments; or d) postpaid payments; II - provision of payment services carried out through the accounts referred to in item I; III - provision of acquiring services for acceptance of payment instruments in payment arrangements; IV - provision of credit operations services, including offering, contracting, administration, and collection; and V - other services that may be included, as provided in Art. 23, caput, item II. § 1. The services referred to in the caput may only be provided: I - by the institutions referred to in Art. 1, observing: a) the operating authorization granted by the Central Bank of Brazil; b) the list of operations, activities, and services provided in the regulation of the segment in which it operates, in the case of an institution whose discipline contemplates an exhaustive list of operations, activities, and services; and c) the legislation and regulation in force for the performance of such operations, activities, and services; and II - through an electronic channel, using the integration of systems, platforms, interfaces, or processes between the BaaS service provider institution and the BaaS service recipient entity, observing the procedures defined contractually, as well as the provisions of this Joint Resolution, legislation, and regulation in force. § 2. For the provision of the account opening, maintenance, and closure services referred to in item I of the caput, the accounts must be in the name of the customer at the BaaS service provider institution. § 3. The provision of payment services referred to in item II of the caput depends on the compatibility of the BaaS service provision with the norms governing the operation of the payment arrangement and the payment services related to the respective payment transaction. § 4. In the provision of payment services referred to in item II of the caput, payment transactions must have as origin or destination exclusively the accounts in the name of the customer at the BaaS service provider institution. § 5. The provision of the services referred to in item IV of the caput requires that the customer be the debtor of the credit operation contracted with the BaaS service provider institution. § 6. The signing of a contract between the institution referred to in Art. 1 and a legal entity for the provision of financial or payment services not provided for in items I to V of the caput: I - is not subject to the rules contained in this Joint Resolution; II - does not consist of the provision of a BaaS service; and III - cannot be offered to customers as a BaaS service provision.

CHAPTER IV OF THE CONTRACTING OF BaaS SERVICES

Art. 5. The institutions referred to in Art. 1 must ensure that their policies, strategies, and structures for risk management required in the regulation in force contain rules and criteria for the provision of BaaS services, as provided in this Joint Resolution. § 1. If the BaaS service provider institution and the BaaS service recipient entity are institutions authorized to operate by the Central Bank of Brazil, the provisions of the caput apply to both. § 2. The policies, strategies, and structures must be approved by the board of directors or, in its absence, by the executive board of the institution. Art. 6. It is prohibited for the institutions referred to in Art. 1 to formalize a contract for the provision of BaaS services: I - with the objective of the BaaS service recipient entity acting in the name of the provider institution to make available the provision of the services referred to in Art. 4, in accordance with the regulation governing correspondent services in the country; II - with the BaaS service recipient entity that has a BaaS service provision contract in force with another BaaS service provider institution for the provision of account opening, maintenance, and closure services for demand deposits, including payment services carried out through these accounts; III - with the BaaS service recipient entity that has a BaaS service provision contract in force with another BaaS service provider institution for the provision of account opening, maintenance, and closure services for savings deposits, including payment services carried out through these accounts; IV - with the BaaS service recipient entity that has a BaaS service provision contract in force with another BaaS service provider institution for the provision of account opening, maintenance, and closure services for prepaid payment accounts, including payment services carried out through these accounts; V - with the BaaS service recipient entity that has a BaaS service provision contract in force with another BaaS service provider institution for the provision of account opening, maintenance, and closure services for postpaid payment accounts, including payment services carried out through these accounts; and VI - with a BaaS service recipient entity that, in its name, employs terms characteristic of the nomenclature of institutions of the National Financial System or the Brazilian Payments System or similar expressions in the vernacular or in a foreign language, except in the case where the recipient entity is an institution authorized to operate by the Central Bank of Brazil, observing specific regulation. Sole paragraph. The prohibitions mentioned in items II, III, IV, and V of the caput do not apply when the BaaS service recipient entity is an institution referred to in Art. 1 that is part of the same prudential conglomerate as the BaaS service provider institution. Art. 7. BaaS service provider institutions, prior to contracting and during the provision of the services referred to in Art. 4, must implement procedures that contemplate, at a minimum: I - the adoption of corporate governance and risk management practices compatible with the exposures resulting from the contracting; and II - the verification of the BaaS service recipient entity's capacity to ensure: a) contractual compliance with the fulfillment of legislation and regulation in force; b) the BaaS service provider institution's access to information on the effectiveness of data and information transfer related to the services provided; c) the confidentiality, integrity, availability, and recovery of data and information on services provided; d) adherence to certifications, when required by the BaaS service provider institution for the execution of services, observing the provisions of Art. 23, caput, item III; e) the BaaS service provider institution's access to reports prepared by an independent specialized company, if any, regarding the procedures and controls used by the BaaS service recipient entity, observing the provisions of Art. 23, caput, item IV; f) the provision of information and the existence of adequate management resources for monitoring the services provided; g) the quality of access controls aimed at protecting personal data, observing specific legislation, and information on the services provided; and h) the financial and technical capacity for the execution of the services provided for in the BaaS service provision contract. § 1. The procedures referred to in the caput, including with regard to the information related to the verification mentioned in item II of the caput, must be documented and permanently updated by the BaaS service provider institution. § 2. The management resources referred to in item II, item “f”, of the caput must contain a means for the BaaS service provider institution to have access to data and information on the availability of services provided through platforms or electronic systems made available by the BaaS service recipient entity. § 3. The BaaS service provider institution must possess the necessary resources and competencies for adequate contract management, including for the analysis of information and for the use of the resources provided in accordance with item II, item “f”, of the caput. § 4. The procedures referred to in the caput must be compatible with the nature, size, complexity, criticality, relevance, structure, risk profile, and business model of the BaaS service recipient entity. § 5. The capacity of the BaaS service recipient entity referred to in item II of the caput may, at the discretion of the BaaS service provider institution, be verified through proven adherence to the certifications referred to in item II, item “d”, of the caput or attested by independent audit. Art. 8. The contract for the provision of BaaS services must provide, at a minimum: I - the object of the contract; II - the roles and responsibilities of the contracting parties; III - the form of remuneration between the BaaS service recipient entity and the BaaS service provider institution; IV - the adoption of security measures for the reception and storage, by the BaaS service recipient entity, of data or information on services offered to customers, as well as data provided by customers; V - the BaaS service provider institution's access to: a) information provided by the BaaS service recipient entity, aiming to verify compliance with the provisions of item IV and Art. 6; b) information related to the certifications and reports referred to in Art. 7, caput, item II, items “d” and “e”; and c) information and management resources adequate for monitoring the services provided referred to in Art. 7, caput, item II, item “f”; VI - the obligation of the BaaS service recipient entity to notify the BaaS service provider institution in advance regarding the contracting of a third-party company to process or store data or information considered relevant by the said provider institution; VII - the permission for the Central Bank of Brazil to access the contract referred to in the caput, the documentation and information related to data and information on services provided, the procedures and access codes to such information, as well as any other information related to the provision of BaaS services; VIII - the possibility of adoption of measures by the BaaS service provider institution as a result of determination by the Central Bank of Brazil; IX - the obligation of the BaaS service recipient entity to keep the BaaS service provider institution permanently informed about any limitations that may affect the services provided or the fulfillment of legislation and regulation in force; X - the procedures for handling demands forwarded by the customer; XI - the prohibition for the BaaS service recipient entity to charge, in its name, a fee, commission, or any other form of remuneration for the provision to customers of products or services offered by the BaaS service provider institution; XII - the declaration that the BaaS service recipient entity has full knowledge that the performance, on its own account, of operations considered exclusive to financial institutions and other institutions authorized to operate by the Central Bank of Brazil or of other operations prohibited by current legislation subjects the infringer to the penalties provided for in Laws No. 7.492, of June 16, 1986, and No. 13.506, of November 13, 2017; XIII - the causes that justify the early termination of the contract and its consequences; XIV - the prohibition for the BaaS service recipient entity to carry out payment transactions, receipts, and deposits in its own account related to values for services provided by the BaaS service provider institution to customers; and XV - the prohibition for the BaaS service recipient entity to subcontract the services mentioned in Art. 4. § 1. It is prohibited to include in the object of the contract referred to in item I of the caput the provision of services, by the BaaS service recipient entity, of customer service in the name of the BaaS service provider institution, in accordance with the regulation governing correspondent services in the country. § 2. The roles and responsibilities mentioned in item II of the caput must comprise: I - the duty of the BaaS service recipient entity and the BaaS service provider institution to inform the customer that the BaaS service recipient entity does not act in the name of the BaaS service provider institution, for the purposes of providing the services referred to in Art. 4; II - the obligation of the BaaS service recipient entity to present to customers the information that it is not an institution authorized to operate by the Central Bank of Brazil, as applicable, for the provision of the services contemplated in the BaaS service provision contract; III - the responsibility for clarifications to the customer regarding: a) the services provided, including in the case where the BaaS service provision contract is terminated, observing the provisions of § 6; b) the procedures necessary for the portability of credit operations contracted with the BaaS service provider institution, as per the customer's interest; and c) the situations in which credit operations contracted with the BaaS service provider institution are assigned by said institution, with due clarity regarding the conditions for exercising the customer's rights after the assignment, and the precise identification of the assignee that acquired the credit, including contact information of the new creditor and any relationship that remains with the BaaS service provider institution, for example, remaining responsible for collection and renegotiation of operation terms; IV - the sharing, between the BaaS service recipient entity and the BaaS service provider institution, of data and information related to customers and services provided necessary for the fulfillment of the responsibilities described in Chapter V; and V - the obligation of the BaaS service recipient entity: a) to provide information for the execution of procedures under the responsibility of the BaaS service provider institution related to the identification and qualification of customers, as well as to the analysis of their risk profile, fraud prevention, and anti-money laundering and counter-terrorism financing policy; and b) to provide information to customers, clearly and precisely, regarding the charging of fees for services provided by the BaaS service provider institution. § 3. The relationship arising from the provision of BaaS services must not serve as a barrier to the portability of the credit operation originated in accordance with the contract, as per the customer's interest. § 4. The parameters adopted by the BaaS service provider institution to consider the relevance of the service to be notified, referred to in item VI of the caput, must: I - be contemplated in the criteria for contracting with BaaS service recipient entities referred to in Art. 5, caput; and II - consider, when existing, the classification regarding the relevance of services to be contracted, established by the BaaS service provider institution for compliance with current regulation on the contracting of data processing and storage services and cloud computing services by institutions authorized to operate by the Central Bank of Brazil. § 5. The obligation referred to in item IX of the caput must cover the communication of data security violation incidents regarding information on services provided and the measures adopted by the BaaS service recipient entity for their prevention, mitigation, and resolution. § 6. The contract mentioned in the caput must provide: I - in the case of the decree by the Central Bank of Brazil of a resolution regime for the BaaS service provider institution: a) the obligation of the BaaS service recipient entity to grant full and unrestricted access to the person responsible for the resolution regime to the contracts, agreements, documentation, and information related to the service, as well as to the procedures and access codes, mentioned in item VII of the caput, that are in the possession of the BaaS service recipient entity; and b) the obligation to notify in advance the person responsible for the resolution regime of the intention of the BaaS service recipient entity to interrupt the provision of contracted services, with at least thirty days' notice prior to the date scheduled for the interruption, observing that:

1. the BaaS service recipient entity agrees to accept any request for an additional thirty-day period for service interruption made by the person responsible for the resolution regime; and
2. the prior notification must also occur in the situation where the interruption is motivated by non-compliance with the form of remuneration established between the contracting parties, mentioned in Art. 8, caput, item III; II - in the case of termination of the contractual relationship: a) the provision for the continuity or not of the provision of services to the customer by the BaaS service provider; b) the obligation of the BaaS service recipient entity to ensure due transparency to the customer, including clarifications on the consequences of the continuity or not of the services provided by the BaaS service provider institution; and c) the provision for the customer to have the option to terminate their relationship, as applicable, with the BaaS service provider institution or with the BaaS service recipient entity.

CHAPTER V OF RESPONSIBILITIES

Art. 9. The BaaS service provider institution is responsible for guaranteeing the reliability, integrity, availability, security, and confidentiality of the services provided in accordance with this Joint Resolution, as well as compliance with the legislation and regulation applicable to these services. Sole paragraph. The provisions of the caput also apply to the BaaS service recipient entity that is an institution authorized to operate by the Central Bank of Brazil, to the extent of its responsibility, including the services provided in the technological environments and electronic systems made available by it. Art. 10. The BaaS service provider institution is responsible for the policy and for the procedures and controls related to: I - identification and qualification of customers, as well as to the analysis of their risk profile; II - fraud prevention; and III - anti-money laundering and counter-terrorism financing prevention. § 1. The BaaS service provider institution may rely on the BaaS service recipient entity to carry out ancillary tasks to the procedures and controls referred to in the caput, without prejudice to the responsibilities imposed on the BaaS service provider institution, in accordance with this Joint Resolution, regulation, and legislation in force. § 2. The BaaS service provider institution must provide the procedures, mechanisms, and tools to be used by the BaaS service recipient entity for the performance of the tasks referred to in § 1. § 3. For ancillary tasks related to the offering, contracting, administration, and collection of credit operations, referred to in Art. 4, caput, item IV, the bank secrecy established by Complementary Law No. 105, of January 10, 2001, must be observed, with the provision of access to the Credit Information System – SCR and the provision of information contained in the SCR by the BaaS service provider institution to the BaaS service recipient entity being prohibited. Art. 11. The BaaS service provider institution must adopt mechanisms to ensure the cooperation of BaaS service recipient entities in its adherence to the policy and to the procedures and controls set forth in Art. 10, caput, observing the provisions of Art. 8, § 2, item V, item “a”. Art. 12. In the provision of services referred to in Art. 4, caput, item IV, the BaaS service provider institution is responsible for compliance with the