As anticipated by BrownPipe Consultoria in ep. 396 of the Segurança Legal podcast, Brazil's Central Bank decided to strengthen financial system security measures following recent attacks that diverted millions. The new rules take effect on September 5, 2025, and aim to establish stricter controls over financial operations and IT service providers.
One of the key measures establishes a R$ 15,000 limit for TED and Pix transactions carried out by unauthorized payment institutions and those that connect to the National Financial System Network through Information Technology Service Providers (PSTI). The restriction may be lifted when the participant and its respective PSTI meet the new security control processes, with a possible transitional waiver of up to 90 days for those that demonstrate adoption of adequate controls.
The deadline for unauthorized payment institutions to apply for operating authorization was drastically moved up from December 2029 to May 2026. From now on, no payment institution may begin operating without prior authorization from the Central Bank. Those whose authorization requests are denied will have only 30 days to wind down their activities, and the regulator may require independent technical certification to verify compliance with requirements.
For Information Technology Service Providers, requirements were significantly expanded, including a minimum capital requirement of R$ 15 million and new governance and risk management requirements. Currently active PSTIs have a four-month deadline to comply with the new rules, subject to precautionary measures or even deregistration. Additionally, only institutions in segments S1, S2, S3, or S4 that are not cooperatives may act as responsible parties in Pix for unauthorized payment institutions.
This post was summarized from its original version using AI, with human review.
With information from Brazil's Central Bank