This content is from: Local Insights

Brazil: New fintech and cybersecurity procedures

On April 26 2018, the Brazilian Central Bank issued new regulations (i) allowing certain types of transactions by credit fintechs, exclusively through electronic lending platforms; and, (ii) covering the areas of cybersecurity, data storage and cloud computing applicable to financial and payment institutions.

Credit fintechs

Under previous rules, only financial institutions were allowed to directly intermediate, on a regular and professional basis, loans between borrowers and lenders. Additionally, the interest rate that could be charged on loans provided by non-financial institutions had legal limitations. Creative solutions have been implemented by fintechs to support their operating procedures over the past few years, mainly through partnerships with financial institutions. However, high costs arising from such partnerships were undermining the sector's main competitive advantage – lower rates.

The new regulation gives credit fintechs operational autonomy to directly carry out loan transactions by introducing two categories of financial institutions. The peer-to-peer lending company (P2P) enables the granting of loan transactions among peers. The direct credit company (DCC) sells or assigns previously acquired credit rights and lends its own capital but cannot publicly raise funds for such purposes.

P2P and DCC companies benefit from a more lenient prudential regulation, with simplified reference equity and risk management structural requirements as long as certain conditions provided in the new regulation are met. Brazilian authorities followed the regulatory template of developed markets such as the UK, the US, Canada, Japan and Switzerland – a regulatory sandbox safehouse, where prudential rules gain more stringency as the entity grows.

P2P and DCC companies must also comply with minimum capital requirements – BRL1 million ($280,000) – anti-money laundering (AML) and know-your-customer (KYC) regulations, and set up a permanent internal audit structure.


The new regulation on cybersecurity, data storage and cloud computing fits in with a growing trend in using electronic and mobile payment tools.

In 2017, developed countries such as Germany and China were among the most affected by banking malware attacks (with a 4.44% and 3.05% victimisation rate, respectively). Given this margin of victimisation in the sector in developed countries, Brazilian authorities expect the new regulation to strengthen the financial and payment institutions' technological capacity to resist cyberattacks, in line with the data protection legislation under discussion in the Congress.

The new rules stipulate that financial and payment institutions must implement cybersecurity measures including, among others: (i) controls and technology applied to reduce the system's vulnerability; (ii) notification of incidents to the Brazilian Central Bank; (iii) sharing of data on incidents with other institutions; (iv) sharing information with clients concerning the security measures adopted; and, (v) when hiring data processing, storage and cloud computing services, the institutions must provide notice to the Brazilian Central Bank, and the services must meet minimum certification, quality control, data access and segregation requirements.

Institutions holding existing contracts with service providers must submit an adjustment plan to the Brazilian Central Bank by the end of October 2018 in relation to the new regulation.

The fintech sector and Brazilian authorities are jointly committed to improving the existing regulation to keep pace with new technology and provide lower costs to the end consumer, while safeguarding the financial system.

Maurício Santos, Luiz Felipe Di Sessa, Vinicius Sahione

© 2021 Euromoney Institutional Investor PLC.
