Brazil fintech & payments: BCB-regulated under Pix/Open Finance framework; CVM oversees securities/cryptoassets
The Central Bank of Brazil (BCB) is the primary regulator for fintech and payment activities, operating under a comprehensive framework centered on the Pix instant payment system and Open Finance. Entities must obtain specific authorization to operate as payment institutions, virtual asset service providers (VASPs), or IT service providers (PSTIs), with strict capital and cybersecurity requirements. The National Monetary Council (CMN) sets overarching policy, while the Securities and Exchange Commission (CVM) regulates securities offerings and cryptoasset-linked investment products.
Recent regulatory developments emphasize enhanced consumer protection, operational resilience, and market integrity. The BCB has introduced mandatory administrator succession policies, stricter cybersecurity standards for cloud services, and rigorous procedures for blocking unauthorized gambling transactions. Meanwhile, the CVM continues to enforce strict prohibitions on unauthorized securities activities and has established a regulatory sandbox for innovation.
The regulatory direction of travel is towards deeper integration of digital services, including Banking as a Service (BaaS) and Open Finance data sharing, while maintaining robust oversight of virtual assets and international payments. Licensing timelines are standardized, and operational testing for new services like payment initiation is mandatory before production rollout.
Central Bank of Brazil (BCB)
Primary supervisor for payment institutions, virtual asset service providers, IT service providers, and the Pix/Open Finance ecosystem.
[1][2][3][4][5][6][7][8][9][10][11][12][13]Securities and Exchange Commission (CVM)
Regulator for securities markets, public offerings, and cryptoasset-linked investment contracts.
[14][15][16][17]National Monetary Council (CMN)
Sets general policy and issues joint resolutions with the BCB and other agencies.
[3][18][19][20][13]BCB Resolution No. 522 (Pix Regulation) (2020)
Establishes the legal framework for the Pix instant payment system, including rules for payment arrangement operators, transaction limits, and operational standards.
[2][5][21][22][23][8][24][25]BCB Resolution No. 406 (Open Finance) (2024)
Regulates Open Finance, including payment initiation services and data sharing, with mandatory participation timelines for institutions.
[1][26][27][28][29]BCB Resolution No. 542 (2025)
Establishes norms for the organization, discipline, and supervision of foreign exchange brokerage companies.
[30]CVM Instruction No. 626 (2020)
Establishes the legal framework for the CVM Regulatory Sandbox, allowing temporary waivers for innovative securities market activities.
Payment Institution / Pix Operator
Authorization required to operate payment arrangements or provide Pix services. Includes strict capital, net worth, and cybersecurity requirements. Timeline: 280-day proposal analysis phase (Resolution 549)
[5][22][23][24][31]Virtual Asset Service Provider (VASP)
Mandatory registration in Unicad and submission of reasonable assurance reports from CVM-registered auditors. Staking operations also require registration.
[4][9]IT Service Provider (PSTI)
Accreditation required for entities providing IT services to the financial system, with strict criteria and ongoing reporting obligations.
[7][11]Foreign Exchange Brokerage
Authorization required to operate as a foreign exchange brokerage company, with specific organizational and operational norms.
[6][30]Mandatory blocking of accounts and transactions for individuals and entities operating unauthorized fixed-odds betting lotteries.
[3]Strict cybersecurity and cloud computing requirements for payment institutions, including multi-factor authentication and enhanced technical controls.
[12]Prohibition of unauthorized securities analysis, portfolio management, and public offerings of securities, including cryptoasset-linked investment contracts.
[15][16][17]Mandatory prior express client consent for all account debit authorizations, with strict regulations on cancellation and contract alignment.
[22][25][18]Continued expansion of Open Finance and Pix integration, with mandatory participation timelines for payment initiation services and enhanced data sharing protocols.
[1][26][27][28][29]Regulation of Banking as a Service (BaaS) with strict risk management and due diligence requirements for service providers.
[13]Enhanced oversight of virtual assets, including mandatory administrator succession policies and auditor reporting for VASPs.
[4]Email alerts for Brazil updates
New circulars, rules and guidance — a digest in your inbox, same day.