Brazilian Central Bank issues new rules to improve National Financial System and Brazilian Payment System security
Rules set new limits for TED and Pix transactions and new requirements for services provided by information technology service providers (PSTIs)
On September 5, 2025, the Brazilian Central Bank (BCB) issued a series of measures to strengthen the safety of the country’s National Financial System (Sistema Financeiro Nacional). The measures aim to establish exceptional security and governance criteria and bring forward deadlines for non-authorized payment institutions to meet requirements that previously did not apply to them, as detailed below.
Changes to Pix Regulations
The BCB has published BCB Resolution No. 496 to amend important aspects of BCB Resolution No. 1/2020, which establishes and regulates the Pix payment scheme. The amendments include the following:
- Deadline for payment institutions to comply with Pix requirements brought forward: Non-authorized payment institutions must apply for BCB accreditation to operate within Brazil’s Pix instant payment system between January 1, 2026, and May 1, 2026, regardless of the number of financial transactions they carry out. The previous deadline for accreditation was December 31, 2026.
- Requirements to qualify as a responsible participant in the Pix system: As of September 5, 2025, payment institutions are only eligible to act as responsible Pix participants on behalf of non-authorized payment institutions if they are providers of transactional accounts or settlement participants; direct participants in the Instant Payments System (Sistema de Pagamentos Instantâneos); and also part of segments S1 to S4 (except for trade associations and credit cooperatives).
- Transaction limits for non-authorized payment institutions and PSTI users: Non-authorized payment institutions and Pix participants that connect to the National Financial System Network (Rede do Sistema Financeiro Nacional – RSFN) through an Information Technology Service Provider (Provedor de Serviços de Tecnologia da Informação – PSTI) will be subject to a BRL 15,000 limit per Pix transaction.
- Transaction limit exemptions: The above limit does not apply to Pix participants that access the network via a BCB-accredited PSTI if they do not share private Pix keys with PSTIs, verify the integrity of transactions before signing, use different certificates for different Pix interfaces, and use separate certificates for signing messages and establishing a connection on Pix. These requirements must be demonstrated via a report issued by an independent auditor registered with the Brazilian Securities Commission (CVM). The BCB may decide to grant such participants a temporary exemption of up to 90 days (or until the information security requirements have been complied with) if they apply for it. However, the application must include a document outlining information security measures the institution has already adopted, and the BCB must consider such measures adequate for mitigating the risks involved.
The new requirements for payment institutions to operate as responsible Pix participants will take effect on March 5, 2026 (180 days after the resolution’s publication date). The other provisions became effective on September 5, 2025.
Transaction limit via TED for unauthorized payment institutions and PSTI users
The BCB has also published BCB Resolution No. 497, establishing that non-authorized payment institutions and PSTI users are subject to a BRL 15,000 limit per transaction via Electronic Available Transfer (Transferência Eletrônica Disponível or TED). The same exemption requirements applicable to Pix transactions also apply in this case.
Process for waiving transaction limits via TED and Pix
On September 22, 2025, the BCB published BCB Normative Instruction No. 666, which outlines the procedure for requesting a temporary 90-day waiver of the maximum limit of R$ 15,000.00 per transaction via TED (“Instruction 666”), and BCB Normative Instruction No. 667, which governs the waiver process for the same limit applicable to Pix transactions (“Instruction 667”). Regarding Pix transactions, the waiver will only be applicable from Monday to Friday, between 6:30 a.m. and 6:30 p.m.
To obtain a waiver for the TED transaction limit, the requesting institution must maintain, as collateral, surplus capital equivalent to 100% of the highest daily volume of TED transfers executed on behalf of customers from its Bank Reserve Account or Settlement Account, as applicable, calculated over the period from August 1 to August 29, 2025.
For the purposes of the waiver from the transaction limit via Pix, the collateral must correspond to the surplus capital equivalent to 100% of the highest daily volume of interbank transfers made from its PI Account, considering the same calculation period.
The capital surplus is defined as follows: for conglomerates and type 1 and type 3 institutions in segments S1 to S4, the lowest capital surplus in relation to the minimum requirements for Common Equity Tier 1 (Capital Principal), Tier 1 Capital (Nível I) and Regulatory Capital (Patrimônio de Referência); for conglomerates and type 1 and type 3 institutions in segment S5, the capital surplus in relation to the minimum Regulatory Capital requirement for S5 (PRS5); and for conglomerates and type 2 institutions, the capital surplus in relation to the minimum Regulatory Capital requirement for IP (PRIP).
The collateral requirement for both Pix and TED transactions is cumulative, and the BCB may request additional collateral if it deems it necessary.
Institutions must submit their waiver request along with a formal document demonstrating the provision of the collateral mentioned above, detailing the security controls implemented in compliance with BCB requirements, and a reasonable assurance report regarding the implemented measures prepared by an independent auditor duly registered with the CVM. The request must be signed by the statutory director responsible for cybersecurity policy, who will be responsible for the accuracy of the information provided.
The temporary waiver will only take effect after analysis of the documentation submitted by the institution and formal communication of the joint decision by the BCB’s Department of Banking Operations and Payment Systems (Deban), Department of Information Technology (Deinf), and Department of Strategic Management and Specialized Supervision (Degef). The waiver may be extended for successive periods of up to 90 days, though it can be revoked by the BCB at any time if the institution presents serious failures, maintains outdated capital information, or fails to meet collateral requirements. The rules will come into force on the date of their publication.
New requirements for PSTI accreditation
BCB Resolution No. 498 has been issued to govern accreditation and operational requirements for PSTIs, accredited entities that provide data processing services to financial institutions, and other entities authorized by the BCB to access the RSFN.
The main requirements for accreditation include:
- Compliance with the principles and rules of the RSFN;
- Proof the entity is properly incorporated and has the technical and operational capacity to provide services;
- Appointing officers responsible for information security and cybersecurity, risk management and compliance, and crisis management, who must have proven technical qualifications compatible with each position’s duties. Furthermore, an officer responsible for relations with the BCB must be appointed;
- Proof of capital and net worth of at least BRL 15 million;
- Proof of established corporate governance and risk management mechanisms;
- Proof of technical and operational capacity to provide the BCB with information in the event of operational, technological, or security incidents, including those stemming from cyber-attacks or fraud;
- Internationally recognized information security certification;
- The need for annual independent audits covering information security and (where applicable) money laundering and terrorist financing prevention;
- Civil liability and operational risk insurance, including for cybersecurity and fraud incidents;
- Preparing and maintaining a business continuity plan and conducting periodic contingency tests.
The resolution also prohibits certain entities from obtaining accreditation as a PSTI. This includes communication service operators contracted to run the RSFN, providers responsible for network management and monitoring, financial and other institutions authorized by the BCB, as well as parties related to these institutions. In addition, entities whose shareholders or managers do not meet required integrity, reputational, and technical criteria are also not eligible for accreditation.
Financial institutions may act as PSTIs for other entities in the same financial conglomerate, provided they are operationally segregated and compliant with technical and security requirements.
As well as the accreditation requirements, PSTIs must permanently implement a more resilient corporate governance and risk management structure compatible with their nature, size, complexity, risk profile, and the systemic relevance of their operations. This structure must ensure responsibilities are segregated, compliance areas remain independent, and that senior management can effectively carry out its duties.
In this regard, BCB Resolution No. 498 requires policies, procedures, and internal controls to be implemented to identify, assess, monitor, mitigate, and report risks – including operational, cyber, information security, business continuity, and regulatory compliance risks. Furthermore, it determines the need to maintain mechanisms for preventing money laundering and the financing of terrorism, as well as contingency and operational continuity plans, with periodic testing.
Any failure to comply with the regulations may result in PSTIs losing their accreditation, as well as precautionary measures being applied – such as more restrictive operating limits or the suspension of their connection to the RSFN.
BCB Resolution No. 498 took immediate effect on September 5, 2025, and PSTIs in operation will have four months to adapt to the new regulations.
Institutions subject to the BCB that have contracts with PSTIs also must ensure they comply with the regulatory obligations set forth in the resolution, in addition to monitoring security controls, governance, and risk management. Such institutions are responsible for maintaining their private keys and the use of certificates, among other aspects.
Deadlines for PSTIs in operation to comply with new information security and fraud management rules
In addition to Resolution BCB No. 498, the BCB issued Normative Instruction No. 664 on September 11, 2025 (“Instruction 664”), establishing specific deadlines for PSTIs already in operation to implement the necessary adjustments to meet the new accreditation requirements.
Within 15 days from the issuance of Instruction 664, PSTIs must update specific aspects of their information security policy to include mechanisms for transaction traceability, access control, digital certificate management, cyber intelligence actions, network protection measures, and monitoring of relevant information on the Internet, Deep and Dark Web. The remaining elements of the policy required under Resolution BCB No. 498 and not expressly addressed in Instruction 664 must be updated within 30 days.
Additionally, PSTIs must also implement, within 30 days, the fraud management policy established by BCB Resolution No. 498, covering preventive measures, internal controls, and incident response mechanisms.
Following the implementation of the measures set forth in Instruction 664, PSTIs must submit to the BCB, within 15 days, a reasonable assurance report prepared by an independent auditor registered with the CVM, certifying full compliance with the established requirements and deadlines.
Failure to comply with these deadlines may result in the application of precautionary measures, including operational restrictions and suspension of connectivity to the RSFN. Instruction 664 came into effect on September 11, 2025.
Authorization schedule for payment institutions operating under the volume threshold brought forward
As per BCB Resolution No. 494, all payment institutions must obtain prior authorization from the BCB to begin operating, regardless of the volume of transactions they carry out.
The rule provides that non-BCB authorized electronic money issuers (emissores de moeda eletrônica) that began providing services before March 1, 2021, as well as issuers of postpaid payment instruments (emissores de instrumento de pagamento pós-pago) and acquirers (credenciadores) that began their activities before September 5, 2025, must apply for a license to operate between May 1, 2026, and May 31, 2026.
BCB Resolution No. 494 took effect on September 5, 2025.
New requirements for payment institution authorization
BCB Resolution No. 495 has introduced a requirement for payment institutions to provide the address of their headquarters as part of the authorization procedure. The resolution requires the address to be for the payment institution’s effective and exclusive use, prohibiting the headquarters from being based at coworking addresses, online offices, or other shared spaces (except for institutions within the same financial conglomerate). This requirement also applies to payment institutions already authorized as of September 5, 2025.
If the BCB rejects or definitively archives the authorization request of a payment institution that is already operating, the institution must, within 30 days, cease providing payment services, notify users of the closure, and return any existing balances in its clients’ payment accounts to payment or deposit accounts the clients hold at duly authorized institutions.
The provisions of BCB Resolution No. 495 took effect on September 5, 2025, and also apply to authorization requests submitted prior to this date.
Additional controls for fraud prevention in payment transactions
In line with previous regulatory measures, the BCB issued BCB Resolution No. 501, on September 11, 2025, amending BCB Resolution No. 141, of September 23, 2021, to establish enhanced controls that financial institutions and other entities authorized to operate by the BCB must adopt to prevent fraud in payment transactions.
Under the new provisions, institutions are required to reject payment transactions when there is a well-founded suspicion of fraud involving recipient accounts, including demand deposit accounts, savings accounts, and prepaid payment accounts. The assessment of such suspicion must be based on criteria defined by each institution, which may include information obtained from electronic systems and public or private databases.
The receiving institution must notify the account holder of the rejection of the transaction. In addition, institutions must implement the necessary measures to ensure compliance with the new requirements by October 13, 2025.
For more information on this topic, please contact Mattos Filho’s Banking & Financial Services practice area.