Central Bank Resolution No. 547 of January 30, 2026

RESOLUTION BCB NO. 547, OF JANUARY 30, 2026

Amends Resolution BCB No. 498, of September 5, 2025, which regulates, within the scope of the National Financial System and the Brazilian Payment System, the requirements, procedures and conditions for the accreditation of Information Technology Service Providers – ITSP and gives other provisions.

The Collegiate Board of Directors of the Central Bank of Brazil, in a session held on January 30, 2026, based on art. 10 of Law No. 4.595, of December 31, 1964, and on art. 10 of Law No. 10.214, of March 27, 2001,

R E S O L V E S:

Art. 1º Resolution BCB No. 498, of September 5, 2025, published in the Official Gazette of the Union on September 5, 2025, shall enter into force with the following alterations:

“Art. 1º ...................................................................................................................................

§ 1º .........................................................................................................................................

§ 2º The entities that provide data processing services, for the purpose of accessing the RSFN, exclusively to institutions that are part of the same economic group, are not subject to the provisions of this norm, but must ensure operational segregation and observe the applicable technical and security requirements.” (NR)

“Art. 2º ...................................................................................................................................

.................................................................................................................................................

II - RSNF: data communication structure whose purpose is to support the traffic of information within the scope of the National Financial System – NFS and the Brazilian Payment System – BPS for authorized services;

III - ITSP: accredited entity capable of providing data processing services, for the purpose of accessing the RSNF, to financial institutions and other institutions supervised by the Central Bank of Brazil; and

IV - administrators: managing partners and directors. ” (NR)

“Art. 3º ...................................................................................................................................

.................................................................................................................................................

II - regular constitution of the ITSP;

.................................................................................................................................................

IV - proof of technical-operational capacity to provide data processing services, for the purpose of accessing the RSNF, observing the requirements established in this Resolution and the technical standards regarding electronic data communication within the scope of the NFS and the BPS established by the Department of Information Technology – Deinf of the Central Bank of Brazil;

V - designation of administrators, observing the provisions of arts. 5º, 5º-A, 5º-B and 11;

.................................................................................................................................................

VII - compliance with the conditions provided for in art. 5º by the controllers, in the case of an ITSP organized as a corporation or a limited liability company;

VIII - paid-up share capital and net equity in the minimum amount of R$15,000,000.00 (fifteen million reais), with the Central Bank of Brazil being able to require a higher amount, proportional to the volume of operations, the number of clients and the risk profile of the ITSP;

IX - proof of the establishment of mechanisms provided for in Chapter III;

.................................................................................................................................................

XI - information security certification in a standard recognized internationally;

XII - proof of the hiring of independent audit with the objective of carrying out annual evaluations on information security and, when applicable, on anti-money laundering and counter-terrorist financing;

.................................................................................................................................................

XV - proof of the establishment of procedures for providing, to the Central Bank of Brazil and to contracting institutions, the reports prepared by the independent audit based on the annual evaluations on information security and, when applicable, on anti-money laundering and counter-terrorist financing.

.................................................................................................................................................

§ 4º In proving the requirements referred to in the main text , the Central Bank of Brazil may require that they be attested by a reasonable assurance report prepared by an independent audit registered with the Securities and Exchange Commission.

§ 5º The independent audit hired by the institution, if applicable, must possess technical, administrative and operational capacity compatible with the performance of the reasonable assurance work provided for in this Resolution. ” (NR)

“ Art. 4º-A For the purposes of this Resolution, it is understood as:

I - controller: person who, individually or together with other members of a control group in which they participate, holds partner rights corresponding to the majority of the voting capital of the institution:

a) in the case of a natural person, directly or indirectly; or

b) in the case of a legal entity, directly or, if indirectly, provided that:

1. appears at the last level of the branches of the institution's control chain; and

2. its controllers are not identifiable in the manner provided for in this item; and

II - group of control: group of people linked by a voting agreement or under common control who assume the condition of controller of the institution, as defined in item I.

§ 1º Considered at the last level of the branch of the institution's control chain, in cases of direct or indirect participation, is the financial institution or similar entity headquartered abroad responsible for the global consolidation of the financial group.

§ 2º The definitions of controller apply to the beneficiaries of the right to vote.

§ 3º In cases where the control of the company is not identified according to the criteria mentioned in items I and II of the main text , the Central Bank of Brazil may use other elements to identify the controllers, among them:

I - the majority of votes in the deliberations of the meeting or assembly and the power to elect the majority of the administrators; or

II - the effectiveness in conducting the social business.

§ 4º The Central Bank of Brazil may require the signing of a shareholders' or partners' agreement, contemplating the express definition of corporate control, direct or indirect.

§ 5º For the purposes of the provisions of this article, any attribution of plural voting to one or more classes of ordinary shares will be considered.

§ 6º Investment funds are not admitted as controllers or members of a control group of an ITSP.” (NR)

“Art. 4º-B The Central Bank of Brazil may:

I - archive the accreditation request, without assessing the merits, if:

a) it verifies that the object or the elements that serve as the basis for the request were altered during the process;

b) there is non-compliance with the deadlines provided for in the current regulation;

c) it identifies that the requirements to complement the process documentation were not met, within the established deadline;

d) the controllers or the administrators fail to attend the summons by the Central Bank of Brazil for an interview; or

e) the documentation is in disagreement with the format required by the current regulation; or

II - deny the accreditation request, if it is found to:

a) circumstance that may affect the reputation of the controllers or of the administrators;

b) falsity or omission in the declarations and in the documents presented in the process documentation or discrepancy between them and the facts or data found in the analysis;

c) non-compliance with any of the requirements or conditions established in this Resolution, or failure by the interested parties to prove compliance with these requirements or conditions; or

d) non-compliance, by the audit referred to in art. 3º, main text , item XII, with the requirements provided for in art. 3º, § 5º, and the norms and audit procedures determined by the Securities and Exchange Commission and the Federal Council of Accountancy.

Sole Paragraph. In the cases covered by item II of the main text , the Central Bank of Brazil, before the decision, may grant a deadline to the interested parties to express their views.” (NR)

“Art. 4º-C The Central Bank of Brazil may review the decision regarding the matters covered by this Resolution, considering the relevance of the facts, based on the circumstances of each case and the public interest, if it verifies:

I - falsity or omission in the declarations and in the documents presented in the process documentation or discrepancy between them and the facts or data found;

II - pre-existing circumstances to the decision capable of affecting the assessment regarding compliance with the requirements and conditions; or

III - non-compliance by the audit referred to in art. 3º, main text , item XII, with the requirements provided for in art. 3º, § 5º, and the norms and audit procedures determined by the Securities and Exchange Commission and the Federal Council of Accountancy.

§ 1º In the case of transfer of control, the assumption of the condition of controller and in the occurrence of one of the situations provided for in the main text , the Central Bank of Brazil may determine that the operation be regularized, under penalty of de-accreditation of the ITSP.

§ 2º In the hypotheses described in the main text , the Central Bank of Brazil must notify the institution to express its views on the irregularity found. ” (NR)

“ Art. 5º The requirements for assuming the condition of controller and for exercising the function of administrator, in addition to others required by legislation and by the current regulation, are:

I - to have an unblemished reputation, in the case of natural persons;

II - to be a resident of the country, in the case of administrator;

III - not to be declared bankrupt or insolvent;

IV - not to be prohibited by special law, nor convicted of bankruptcy crime, tax evasion, malfeasance, active or passive corruption, extortion, embezzlement, against the popular economy, public faith, property or the National Financial System, nor sentenced to a penalty that prohibits, even temporarily, access to public office;

V - not to be declared ineligible or suspended for the exercise of positions in statutory or contractual bodies in institutions authorized to operate by the Central Bank of Brazil or in complementary pension entities, insurance companies, capitalization companies, publicly held companies or entities subject to the supervision of the Securities and Exchange Commission; and

VI - not have their name been the subject of a prior decision of denial or of review of decision due to the presentation of a false, omitted or discrepant declaration in a request to the Central Bank of Brazil, in the three years prior to the documentation of the request under analysis.

Sole Paragraph. The Central Bank of Brazil, in the analysis of the processes covered by this Resolution, considering the circumstances of each concrete case and the context of the facts, may exceptionally, and in the face of duly justified public interest, waive compliance with the requirements and conditions established for entering the condition of controller or for exercising the function of administrator.” (NR)

“Art. 5º-A In proving compliance with the requirement of unblemished reputation, mentioned in art. 5º, main text , item I, the existence of:

I - criminal process or police inquiry;

II - judicial or administrative process that has a relationship with the National Financial System, the Consortium System, the Brazilian Payment System or the provision of virtual asset services;

III - process relating to insolvency, liquidation, intervention, bankruptcy or judicial reorganization;

IV - default on obligations; and

V - other situations, occurrences or analogous circumstances.

Sole Paragraph. In the analysis of the situations and occurrences provided for in the main text , the relevance, severity, recurrence and circumstances of each case will be considered.” (NR)

“Art. 5º-B Administrators must have technical qualification compatible with the functions to be exercised during the term.

§ 1º The proof of compliance with the requirement of technical qualification of administrators, mentioned in the main text , involves the competencies and qualifications necessary for the exercise of the functions, compatible with the nature, size, complexity and risks incurred by the ITSP.

§ 2º The Central Bank of Brazil may waive the proof of technical qualification provided for in the main text , in the case of an administrator whose name has already been subject to appraisal by the Autarchy for the exercise of the function.

§ 3º The administrators may exercise their functions for a period of, at most, four years, which may be renewed for equal periods. ” (NR)

“Art. 6º ...................................................................................................................................

.................................................................................................................................................

III - to financial institutions and other institutions supervised by the Central Bank of Brazil; and

IV - to entities that are, directly or indirectly, holding or held by the institutions referred to in items I to III or that, in relation to these institutions, have a common controller.

.................................................................................................................................................

§ 1º The institutions referred to in items III and IV of the main text may provide data processing services, for the purpose of accessing the RSNF, exclusively to meet the needs of other institutions that are part of the same economic group, provided that operational segregation is maintained and the applicable technical and security requirements are observed.

§ 2º The provisions of § 1º do not remove the duty of the institutions served by the institutions mentioned in items III or IV of the main text that act as ITSPs to observe the current regulation for the contracting of data processing, storage and cloud computing services. ” (NR)

“Art. 7º ...................................................................................................................................

.................................................................................................................................................

II - ex officio, by the Central Bank of Brazil. ” (NR)

“ Art. 8º The ITSP that intends to file a request for de-accreditation must formally notify the Central Bank of Brazil and the contracting institutions, through specific correspondence, with a minimum advance notice of thirty days from the date of the said request.

§ 1º The notification to the Central Bank of Brazil provided for in the main text must be accompanied by a document addressing the actions that will be undertaken aiming at the execution of the orderly exit plan provided for in art. 20.

§ 2º After the completion of the plan referred to in § 1º, the ITSP must request the Central Bank of Brazil for its de-accreditation. ” (NR)

“ Art. 9º The Central Bank of Brazil may promote, after the adoption of a precautionary measure established in art. 32, main text , item VIII, the de-accreditation referred to in art. 7º, main text , item II, when it verifies, at any time, the serious or recurrent non-compliance with the requirements and conditions established in this Resolution, especially regarding:

.................................................................................................................................................

II - the provisions provided for in Chapters III and IV;

.................................................................................................................................................

VII - the non-compliance, within the fixed deadline, of determinations or precautionary measures imposed by the Central Bank of Brazil under this Resolution; and

VIII - situations that evidence the non-compliance by the controllers and by the administrators with requirements or conditions provided for in this Resolution.

Sole Paragraph. The Central Bank of Brazil, prior to the de-accreditation referred to in the main text , will notify the ITSP and grant it a deadline to express its views on the intention of its de-accreditation. ” (NR)

“Art. 11. ..................................................................................................................................

.................................................................................................................................................

§ 4º The directors mentioned in § 3º may perform more than one critical function, or other functions in the entity, provided there is no conflict of interest. ” (NR)

“Art. 15. ..................................................................................................................................

.................................................................................................................................................

Sole Paragraph. The policies referred to in the main text must be approved by the board of directors or an equivalent collegial administration body, and reviewed, at least annually, or whenever there is a relevant change in the structure or risk profile of the ITSP. ” (NR)

“ Art. 15-A. The ITSP must establish a risk management, internal controls and compliance structure compatible with its nature, size, complexity, structure and risk profile.” (NR)

“Art. 15-B. The ITSP must prepare an annual report on risks, internal controls and compliance, to be approved by the board of directors or an equivalent collegial administration body, and sent to the Central Bank of Brazil by the last business day of May of the following year.

§ 1º The report referred to in the main text must include, at least:

I - the conclusions of the examinations carried out;

II - the recommendations regarding any deficiencies, with the establishment of a schedule for their remediation, if applicable; and

III - the statement of those responsible for the corresponding areas regarding the deficiencies found in previous verifications and the measures effectively adopted to remedy them.

§ 2º The Central Bank of Brazil may determine:

I - the inclusion of work in the scope of internal audit and the execution of specific work; and

II - the adoption of measures aimed at improving internal audit processes.

§ 3º The ITSP must keep available to the Central Bank of Brazil the documents referred to in the main text for a minimum period of five years. ” (NR)

“Art. 17. ..................................................................................................................................

.................................................................................................................................................

§ 3º .........................................................................................................................................

.................................................................................................................................................

II - periodic scans of the technological environment that allow identifying devices improperly connected to the corporate network that may establish connection with external technology assets;

.................................................................................................................................................

§ 7º .........................................................................................................................................

.................................................................................................................................................

III - the establishment of mechanisms for monitoring interface requests, enabling behavioral analysis and detection of atypical use;

.................................................................................................................................................

IX - the definition, establishment and monitoring of operational parameters for the services provided through electronic interfaces.

.......................................................................................................................................” (NR)

“Art. 19. ..................................................................................................................................

.................................................................................................................................................

II - preparation of business continuity plans, which must be tested and reviewed with a minimum annual frequency;

.......................................................................................................................................” (NR)

“Art. 20. ..................................................................................................................................

Sole Paragraph. The plan referred to in the main text must prioritize the mitigation of the impact on financial institutions and other institutions supervised by the Central Bank of Brazil that use the services provided by the ITSP, as well as on the regular functioning of the NFS and the BPS. ” (NR)

“ Art. 21. The ITSP must implement and maintain an operational crisis management policy to guide the treatment of atypical situations that may compromise its operation, with potential impacts on the regular functioning of the NFS and the BPS. ” (NR)

“ Art. 24. The ITSP must implement and maintain a fraud management policy to mitigate atypical situations that may compromise the regular functioning of the NFS and the BPS. ” (NR)

“Art. 29. ..................................................................................................................................

I - line of reporting of internal audit to the board of directors or an equivalent collegial administration body;

.................................................................................................................................................

IV - preparation of an annual internal audit plan, with approval by the board of directors or an equivalent collegial administration body, based on the assessment of audit risks and containing, at least, the processes that will be part of the scope of the internal audit activity, the classification of these processes by risk level and the proposal for the allocation of available resources; and

V - possibility of hiring independent audit registered with the Securities and Exchange Commission, to validate or complement the internal audit, with sharing of reports with the Central Bank of Brazil and contracting institutions.” (NR)

“Art. 30. ..................................................................................................................................

I - annual financial statements, audited by independent audit registered with the Securities and Exchange Commission;

.......................................................................................................................................” (NR)

“Art. 30-A. The