The president of Brazil's Central Bank, Gabriel Galípolo, held a press conference on September 5, 2025, accompanied by directors and the executive secretary, to announce emergency information security measures for the financial system. The primary motivation was recent cyberattacks by organized crime against financial institutions which, although they did not cause losses to customers, showed recurring patterns that require an adequate regulatory response affecting all participants in the national financial system.
Announced Measures
1. Transfer value limits (BRL 15,000)
- Affected entities: Unauthorized Payment Institutions (PIs) AND institutions operating through IT Service Providers (PSTIs).
- Scope: Limit of BRL 15,000 per PIX or wire transfer (TED) transaction.
- Rationale: This value represents the 99th percentile of corporate transactions.
- Impact: Affects only 3% of total accounts in the system.
- Effective date: Immediately upon publication in the Official Gazette (9 PM on September 5, 2025).
2. Accelerated authorization timeline
- Change: Deadline for authorization of unauthorized PIs moved up from December 2029 to May 2026.
- Current backlog: 72 PI applications under review, 70 from other institutions.
- Prohibition: No new institution may begin operating without Central Bank authorization.
3. Additional controls for Payment Institutions
- PIX participants: Only S1, S2, S3, or S4 institutions (excluding cooperatives).
- Technical certification: The Central Bank may require independent certification provided by an external company specialized in security.
- Shutdown deadline: 30 days after authorization denial.
4. Requirements for IT Service Providers (PSTIs)
- Minimum capital: BRL 15 million (previously nonexistent).
- Governance: New security risk management requirements.
- Compliance deadline: 4 months.
- Penalties: Precautionary measures and decertification for non-compliance.
Technical and Operational Aspects
Beyond the information provided in the introduction, specialized journalists asked a series of questions during the meeting that revealed important aspects of current and projected regulation for the sector.
Key Figures
- PSTIs: Approximately 250 institutions operate through these providers.
- PIX volume: Over 250 million transactions per day, 20,000 transactions per second.
- Percentage affected: Only 0.03% of transactions (1% of 3%).
Minimum Capital
- PIs: Will be raised to approximately BRL 7 million (calculation methodology under review, expected within 1-2 months).
- PSTIs: BRL 15 million (new requirement).
Institutional Positions
On Organized Crime
Galípolo emphasized that fintechs and financial institutions are victims of organized crime, not perpetrators. The financial system is united in combating these threats, with support from all industry associations and federations.
Cascading effect of regulation
The Central Bank president stressed that there is zero tolerance regarding information security within the financial system. He also stated that the problem is not limited to PSTIs, but extends to the overall information security governance process. Institutions that contract PSTIs will also be held to higher security standards going forward.
Announced Future Measures
- Pooling accounts: Specific regulation under development.
- Virtual Assets (VASPs): Three public consultations in their final stage.
- Mule accounts: Specific measures to combat fraudulent use.
- Transaction blocking: Clear rules on immediate blocks with penalties.
Important Clarifications
- System security: The Central Bank reinforced that the Brazilian financial system remains robust, secure, and solvent.
- Central Bank infrastructure: There was no compromise of Central Bank systems.
- Cooperation: Active partnership with the Federal Police, state police forces, and COAF (Financial Activities Control Council).
- Investigations: The Central Bank does not disclose fraud amounts to avoid compromising police investigations.
- BRB-Master case: A collegiate decision protected by banking secrecy; therefore, information cannot yet be disclosed.
Implementation and Effective Dates
- Regulations published at 6 PM on September 5, 2025.
- Effective from 9 PM after publication in the Official Gazette.
- Exceptional measures with a transitional nature.
- Reversal contingent upon institutions demonstrating compliance.
This post was summarized from its original version using AI, with human review.