Dynamic and diversified Brazil was devastated by the COVID-19 pandemic, which led to the world’s second highest death count at over half a million people1, undid years of poverty reduction2 and battered the economy. Brazil’s GDP contracted by 4.1% in 20203, bringing it down from the world’s ninth largest economy to the twelfth4. Inflation is high5, and protests have erupted in reaction to President Jair Bolsonaro’s management of the health crisis.
There is hope yet for Brazil, which has the opportunity to tap into incredible digitalization and fintech potential in recapturing lost development progress, revamping the economy and promoting financial inclusion. The city of São Paulo is home to the world’s fourth largest fintech ecosystem6, Brazil receives half of South America’s fintech investments7 and the central bank launched a fintech sandbox in November 20208. The Digital Intelligence Index (DII), developed by Tufts University’s Fletcher School and Mastercard, ranks Brazil low on digital evolution momentum, but notes that Brazilians are highly technologically engaged.
Amidst the pandemic, Brazilians have flocked to digital banking9, and the state is forecast to reach over 200 million digital bank accounts in 202110. In 2020, 14 million Brazilians became banked11 and low-income Brazilians’ demand for digital services soared12. The instant payments system PIX, launched in November 2020 by the central bank, has been instrumental in making the national payments sector more innovative and competitive than ever.
Brazil’s 2021 digital agenda focuses on the implementation of open banking, a possible central bank digital currency (CBDC), a national artificial intelligence strategy, cybersecurity in payments and a national data protection framework. The central bank is reportedly developing a framework to provide regulatory clarity for the increasingly popular digital currency market13. Regulators must ensure that digitalization initiatives dovetail with efforts to boost national cybersecurity, as Brazil faces a high risk of cybercrime.14
Financial Regulatory Authorities
The Central Bank of Brazil (BCB) is Brazil’s central bank.
The National Data Protection Authority (ANDP) oversees and enforces compliance with the General Data Privacy Law (LGPD).
The Brazilian Securities and Exchange Commission (CVM) regulates the Brazilian capital markets and its participants, including stock exchanges, public companies and financial intermediaries. It aims to promote fairness and transparency and protect consumers.
The National Monetary Council (CNM) formulates monetary and credit policies.
Policy, Laws and Regulations
Open Banking Implementation, 13 August 2021
Brazil’s open banking scheme, which was approved in 2019, aims to boost competition and innovation, promote financial inclusion and modernize the national financial and payments sectors. Participation is mandatory for large and medium-sized Brazilian banks, and voluntary for other entities15. It is being implemented through a phased approach, covering four major dates from February to December 2021. On 24 June 2021, the central bank issued Resolution No. 109, which established a timeline for the implementation of open banking services outlined in the 04 May 2020 Joint Resolution No. 1 and the technical requirements and other operational procedures outlined in the 04 May 2020 Circular No. 4015. The resolution has been updated twice in line with the second and third phases of open banking implementation, and includes deadlines up until 30 September 2022. Key dates are included in the following table:
01 February 2021: Phase 1
Phase 1 covers the sharing of data for savings accounts, prepaid payment accounts, credit cards and credit operations; and the development of infrastructure in the implementation of the participant directory, service desk and Open Banking portal.
13 August 2021: Phase 2
Initially scheduled for a 15 July 2021 implementation date, Phase 2 of open banking was postponed to 13 August 202116. It covers the sharing of customer registration and transaction data for demand and savings accounts, as well as procedures for the resolution of disputes between participating entities.
30 September 2021: Submission of plans to central bank
Obliged entities must have submitted plans on the sharing of data on products and services per Article 2, Item III of the Joint Resolution.
29 October 2021: Technical requirement
Obliged entities must have shared the PIX payment transaction initiation service, per Article 5, Item II, Sub-item “a” of the Joint Resolution and Article 6, Item IV of the Circular.
29 October 2021: Phase 3
Initially scheduled for a 30 August 2021 implementation date, Phase 3 of open banking was postponed to 29 October 2021 to allow financial institutions and fintechs more time to integrate payment services.17
16 November 2021: Submission of plans to central bank
Obliged entities must have submitted plans on the payment transaction initiation service per Article 2, Item IV of the Joint Resolution.
15 December 2021: Technical requirement
Obliged entities must have shared data on products and services per Article 5, Item I, Sub-item “b” and Items VI to X of the Joint Resolution.
15 December 2021: Phase 4
Phase 4 expands the scope of covered data, and will allow for the sharing of extra customer information across foreign exchange services, investments, insurance and salary accounts.18
17 December 2021: Submission of plans to central bank
Obliged entities must have submitted plans on the sharing of the credit operation proposal forwarding service per Article 2, Item V of the Joint Resolution.
24 February 2022: Submission of plans to central bank
Obliged entities must have submitted plans on the sharing of customer transaction data per Article 2, Item VI of the Joint Resolution.
31 March 2022: Submission of plans to central bank
Obliged entities must have submitted plans on the sharing of the payment transaction initiation service per Article 2, Item VII of the Joint Resolution.
31 May 2022: Technical requirement
Obliged entities must have shared customer transaction data per Article 5, Item I, Sub-item “d” and Items VI to XI of the Joint Resolution.
30 June 2022: Submission of plans to central bank
Obliged entities must have submitted plans on the sharing of payment transaction initiation services per Article 2, Item VIII of the Joint Resolution.
30 September 2022: Technical requirement
Obliged entities must have shared the debt payment transaction initiation service per Article 5, Item II, Sub-item “a” of the Joint Resolution and Article 6, Item I of the Circular.
A presidential decree was issued to announce the members of the National Council for the Protection of Personal Data and Privacy (CNPD). The CNPD, which shall create guidelines on data protection rules, will be composed of 23 board members and deputies for a two-year term19. The decree follows other recent updates as part of Brazil’s ongoing efforts to strengthen its national data protection framework. The Brazilian General Data Privacy Law (LGPD) was approved 14 August 2018, and the National Data Protection Authority (ANDP) was created by a 28 December 2018 executive order.
On 29 June 2021, the Brazilian Chamber of Deputies amended Decree-Law No. 2848 of 07 December 1940 (the Penal Code), which now criminalizes the disclosure, supply, sale or permission to access third-party personal data, whether unauthorized or for illicit purposes. Violations will incur a fine and a two-to-five-year prison sentence.
On 31 May 2021, the National Data Protection Authority opened a public consultation seeking feedback on the establishment of oversight mechanisms per the application of the LGPD. The ANDP aims to boost compliance, with a focus on evidence-based regulation, proportionality between risks and resources, transparent and just processes, and diverse approaches to promoting compliance. The consultation was closed 28 June 2021.
On 13 May 2021, the National Data Protection Authority issued a guidance on the reporting of security incidents involving personal data. Obliged entities must report security incidents within a “reasonable” timeframe, and include key information in their reports, including: the identity and contact details for the “entity or person responsible for the processing” and “the data officer or other control person;” and information on the security incident such as the date and time of detection, its duration and circumstances, a description of the personal data affected, possible consequences, a summary of response measures and “possible problems of a cross-border nature.”
General Guideline for Brazilian CBDC, 24 May 2021
The central bank issued its general guideline for a Brazilian CBDC, which addresses the potential benefits in the issuance of a CBDC. Key benefits include a CBDC’s capacity to facilitate new business models based on technological advances, boost efficiency in cross-border transactions and the retail payment system at large, and contribute to the “dynamic technological evolution of the Brazilian economy.” The central bank has not yet developed a timeframe for a possible CBDC trial, noting that it must first conduct discussions with the private sector. In an email to CoinDesk, the central bank stated that a CBDC might be adopted within two to three years.20
National Artificial Intelligence Strategy, 12 April 2021
The Brazilian government launched its national AI strategy, which outlines six objectives in the development and adoption of AI solutions. The objectives seek to develop ethical principles in the use of AI; remove barriers to innovation; bolster collaboration between the government, private sector and researchers; develop AI skills; invest in technologies; and promote Brazilian tech abroad21. The strategy aims to implement AI solutions in at least twelve national public services by 2022 and establish a national digital literacy program for students.22
Cybersecurity Requirements for Payment Services, 08 April 2021
The central bank issued Resolution No. 85, which outlines cybersecurity requirements for the processing and storage of data, as well as cloud computing services, applicable to payment institutions. In the case that payment institutions contract services to third parties, payment institutions must report the contractual relationship to the central bank. Prior to entry into the contract, payment institutions must notify the bank of the country and regions where the service may be provided and provide alternatives for the continuity of the service should the contract end. Payment institutions are responsible for compliance, reliability, integrity and confidentiality. Regarding cybersecurity, payment institutions must implement monitoring and control mechanisms to ensure the effectiveness of their incident response and action plans. The central bank must have five-year access to payment institutions’ documents related to their respective cybersecurity policies, minutes of meetings of the board of directors, documents related to the incident response and action plans, the annual plan, and data and records related to monitoring and control mechanisms. The resolution took effect 31 August 2021.
Launch of PIX Instant Payments Platform, 16 November 2020
The central bank launched its instant payments system, PIX, which enables wallets with QR codes to conduct real-time, 24/7 payments and transfers. The system is key in promoting financial inclusion, as it is free to use and end users are not required to have a bank account. As of May 2021, PIX had processed 1.549 billion transactions and had over 87.3 million users. Central bank president Roberto Campos Neto stated in August 2021 that measures intended to boost the service’s security were upcoming.
1. Guerin, Orla. “Covid-19 pandemic: 'Everything you should not do, Brazil has done'.” BBC News, 09 July 2021. https://www.bbc.co.uk/news/world-latin-america-57733540.
2. “The World Bank in Brazil.” The World Bank, 06 April 2021. https://www.worldbank.org/en/country/brazil/overview.
3. McGeever, Jamie. “Brazil GDP drops 4.1% in 2020, COVID-19 surge erodes rebound.” Reuters, 03 March 2021. https://www.reuters.com/article/us-brazil-economy-gdp-idUSKBN2AV1FZ.
4. Fonseca, Iolanda. “Brazil out of world’s top 10 economies and down to 12th, ranking shows.” The Rio Times, 03 March 2021. https://riotimesonline.com/brazil-news/brazil/business-brazil/brazil-out-of-worlds-top-10-economies-and-down-to-12th-ranking-shows/.
5. “Emerging-market policymakers grapple with rising inflation.” The Economist, 21 August 2021. https://www.economist.com/finance-and-economics/2021/08/21/emerging-market-policymakers-grapple-with-rising-inflation.
6. “São Paulo has world’s 4th largest fintech ecosystem; Montevideo is 2nd fastest-growing fintech city.” The Rio Times, 01 August 2021. https://riotimesonline.com/brazil-news/sao-paulo/sao-paulo-has-the-fourth-largest-fintech-ecosystem-in-the-world-montevideo-is-the-second-fastest-growing-fintech-city-globally/.
7. Ando, Lincoln. “A Look Into Brazil’s Booming Fintech Scene.” Forbes, 09 August 2021. https://www.forbes.com/sites/forbestechcouncil/2021/08/09/a-look-into-brazils-booming-fintech-scene/?sh=68f4d3c572b0.
8. “Brazil's central bank launches regulatory sandbox.” Finextra, 06 November 2020. https://www.finextra.com/pressarticle/84854/brazils-central-bank-launches-regulatory-sandbox.
9. Prescott, Roberta. “Brazilian digital banks attract new customers amid pandemic.” iupana, 24 June 2021. https://iupana.com/2021/06/24/brazilian-banks/?lang=en.
10. Ando, Lincoln. “A Look Into Brazil’s Booming Fintech Scene.” Forbes, 09 August 2021. https://www.forbes.com/sites/forbestechcouncil/2021/08/09/a-look-into-brazils-booming-fintech-scene/?sh=68f4d3c572b0.
11. Ando, Lincoln. “A Look Into Brazil’s Booming Fintech Scene.” Forbes, 09 August 2021. https://www.forbes.com/sites/forbestechcouncil/2021/08/09/a-look-into-brazils-booming-fintech-scene/?sh=68f4d3c572b0.
12. Mari, Angelica. “Digital Services Surge Among Poor Brazilians Amid Pandemic.” Forbes, 10 November 2020. https://www.forbes.com/sites/angelicamarideoliveira/2020/11/10/digital-services-surge-among-poor-brazilians-amid-pandemic/?sh=397a65b568b0.
13. Kaaru, Steve. “Brazil’s central bank eyes regulation for digital currencies.” CoinGeek, 26 August 2021. https://coingeek.com/brazil-central-bank-eyes-regulation-for-digital-currencies/.
14. “Brazil continues to be a hotspot for cybercrime – Accenture.” Smart Energy International, 12 January 2021. https://www.smart-energy.com/industry-sectors/cybersecurity/brazil-continues-to-be-a-hotspot-for-cybercrime-accenture/.
15. Mari, Angelica. “Open Banking kicks off in Brazil.” ZDNet, 01 February 2021. https://www.zdnet.com/article/open-banking-kicks-off-in-brazil/.
16. “Brazil's cenbank postpones phase 2 of Open Banking to August.” Latin America Business Stories, 14 July 2021. https://labsnews.com/en/news/economy/set-to-begin-this-thursday-brazils-cenbank-postpones-phase-2-of-open-banking/.
17. “Brazil's Central Bank postpones open banking's third phase at the request of institutions and fintechs.” Latin America Business Stories, 27 August 2021. https://labsnews.com/en/news/economy/brazils-central-bank-postpones-open-bankings-third-phase/.
18. Mari, Angelica. “Customer data sharing under Open Banking commences in Brazil.” ZDNet, 13 August 2021. https://www.zdnet.com/article/customer-data-sharing-under-open-banking-commences-in-brazil/.
19. Mari, Angelica. “Brazil announces national data protection council.” ZDNet, 11 August 2021. https://www.zdnet.com/article/brazil-announces-national-data-protection-council/.
20. Sinclair, Sebastian. “BCB said the timeframe for a CBDC depends on the evolution of its current projects and the international landscape.” CoinDesk, 24 August 2021. https://www.coindesk.com/markets/2021/06/11/brazils-central-bank-pushes-back-target-date-on-cbdc-by-two-years/.
21. Lowe, Josh. “Brazil launches national AI strategy.” Global Government Forum, 13 April 2021. https://www.globalgovernmentforum.com/brazil-launches-national-ai-strategy/.
22. Lowe, Josh. “Brazil launches national AI strategy.” Global Government Forum, 13 April 2021. https://www.globalgovernmentforum.com/brazil-launches-national-ai-strategy/.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021