Brazilian financial tenchology (fintech) has developed considerably in recent years. The latest version of FintechLab Radar (November 17) demonstrated a growth of 36 per cent in the number of total companies acting in this market, compared with the previous edition published in February of the same year. According to the mapping created by the publication, Brazilian fintech operates in 10 different sectors: payments, financial management, credit and loans, investment, insurance, funding, data collection, cryptocurrency and distributed ledger technology (DLT), exchange and multiservices. Among these, the loans and insurance sectors performed the highest growth rates – 92 per cent and 75 per cent respectively.

This diversity of the ecosystem shows the strength of the financial technology market in the country. Given this scenario, Brazilian regulatory entities demonstrated a strong interest in knowing such players and, in some cases, already published specific norms for some of their activities. National laws and governmental entities, such the Central Bank of Brazil (BACEN) and the CVM (the Brazilian equivalent of the Securities and Exchange Commission), regulate the Brazilian financial system. Other agencies also have regulatory power in specific areas such as the Private Insurance Superintendence (SUSEP), for the insurance industry.

Some initiatives that have already resulted in or are about to become Rules that can directly affect fintech exemplifies the agencies’ regulatory interest. This is the case, for example, of CVM Rule No. 588/17, which provides standards for the investment-based crowdfunding industry in the country or the proposals for peer-to-peer lending and crowd-lending regulations, currently before the BACEN (Public Hearing No. 55/2017). In addition, the same government agencies conduct studies on the fintech sector, as evidenced by the creation of the CVM’s Fintech Hub of Innovation in Financial Technologies.

Although there is no regulation regarding the whole fintech sector, nor any tax incentives, there has been a significant increase in the activities, organisation and protagonism of such companies. In this sense, regulatory agencies are promoting a fintech-friendly policy, this being their major objective to ensure the integrity and security of financial operations.

Thus, it is possible to consolidate the regulatory and policy approach for fintech companies considering that while the financial sector itself is heavily regulated, state entities are adopting a benign and favourable view of the development of tech-based financial enterprises so far. Their actions demonstrate that developing an innovation-driven economy may be one of the main goals for the next years.


i Licensing and marketing

Brazilian legislation does not provide a specific type of operating licence for fintech. In practice, the nature of the services offered by these companies will dictate which rules are applicable to them, such as those of a particular economic sector.

Most of these rules are elaborated by entities that are part of the National Financial System (SFN), whose competences are fixed in Article 192 of the Federal Constitution of 1988. The SFN is divided into three main organs and their respective operating sectors:2 (1) the National Monetary Council, to regulate the segment of currency, credit, capital and exchange; (2) the National Council for Private Insurance, responsible for private insurance; and (3) the National Council for Complementary Pension, which regulates closed pension funds.

Within each sector there also supervisory bodies: the BACEN, which regulates financial institutions, money, credit, payments and exchanges; the CVM, responsible for the regulation of securities, commodities, futures; SUSEP for the insurance industry; and the National Complementary Pension Superintendence (PREVIC), for the private closed pension funds segment. Thus, fintech operating in Brazil needs to observe, in addition to the general laws, specific rules that affect the markets in which it operates, established by the competent bodies.

In this way, even if there is no special licence for fintech companies to function in the country, the services or products they offer – or even the market in which they operate – may determine whether their businesses require any particular authorisation or if there are specific rules for such activities. Financial institutions such as banks, for example, may only operate in the country if authorised by the BACEN and if they comply with certain requirements, such as the obligation to be constituted as a sociedade por ações (a commercial partnership whose capital stock is divided into shares and in which each shareholder has a limited responsibility according to the sum of money he has invested)3 or other rules envisaged by the financial authority.4

Another heavily regulated sector of fintech is the securities market. In this sector, the CVM provides rules for many services related to the trading of securities and related activities. The agency controls and regulates, among others, capital markets and investment funds (CVM Rules No. 400, 476, 555 and 578, and others), asset management (the most important being CVM Rule No. 558) and investment advisory services (represented by the recently edited CVM Rule No. 592). The use of automated systems or algorithms is permitted for both asset management5 and advisory activities.6

Another industry commonly associated with fintech recently admitted by the Brazilian legal system is investment-based crowdfunding, which is now regulated according to CVM Rule No. 588/17. Following international standards, the norm established the rules for the operation of collective financing platforms and determines that if some precedent requirements (set forth in the law) are present, the distribution of certain securities is exempt from registration before the entity, which is usually very costly for the issuing company.

Thus, some securities-related sectors in which fintech is present – such as robot advisers and investment-based crowdfunding platforms – are regulated by the CVM and companies that operate in these sectors must observe the rules issued by the CVM.

The Consumer Protection and Defence Code equates banking, financial, credit and insurance services to the general delivery of services. Consequently, consumer protection law applies to service suppliers such as banks or credit institutions, if it is possible to verify a consumer relationship between them and the clients.

One of the outcomes of this legal treatment is the existence of rules regarding credit information services. The Code states that consumer databases must be objective, clear, created in a language that is easy to understand and may not contain negative credit information relating to a period exceeding five years. Upon a consumer’s request, inaccurate and outdated personal information must be corrected within five business days. Consumers are further entitled to access their personal information and request their exclusion from a database, except for credit information relating to a period of less than five years.

ii Cross-border issues

In general, Brazilian law does not prohibit the offering of financial products or services, only regulating the way certain operations need to be conducted. As described, the SFN is composed of several entities, each with specific competence in relation to activities of a financial nature. In this way, it is necessary to understand the nature of the service or product offered by the fintech company to verify if there is any requirement for foreigners to operate in the country.

Any activity developed in Brazil is primarily subject to national legislation. However, some international entities rulings may guide the standards of the national regulations, since Brazilian authorities are part of many transnational organisations such the Basel Committee on Banking Supervision and IOSCO, for example. Recent legal initiatives also considered international experience, as the Investment-based Crowdfunding Rule (CVM Rule No. 588/17), which is inspired by the regulatory approach used in the European Union, France, the United Kingdom, the United States, Portugal and Canada, among others.

Some activities are restricted to financial institutions (banks), such as the custody of third-party resources and the intermediation and application of their own or third-party financial resources.7 In these cases, it is necessary to comply with the banking regulation in the country, which determines that foreign banks may operate in Brazil if registered within the Central Bank and explicitly authorised by a decree from the executive branch (President of the Republic).

In other situations, if the fintech provides any securities-related products or services, its activities are subject to the CVM Rules. The management of securities portfolios (asset management), for example, can only be done by a legal entity headquartered in Brazil and authorised by the CVM.8 The same applies to investment advisers,9 who also need entity authorisation to carry out their activities.

Finally, the inflow and outflow of funds to and from Brazil is permitted, since individuals and companies are free to send money abroad and realise investments of any nature offshore. However, these transactions must be completed through Brazilian financial institutions authorised by the BACEN to operate in the foreign exchange market. Those institutions are under the supervision of the Brazilian financial authorities and thus must comply with know-your-customer (KYC) and anti-money laundering provisions contained in Brazilian regulation. Moreover, the BACEN issues an annual basis regulation determining that any Brazilian holding investments abroad of an amount higher than a given threshold shall declare this investment to the BACEN for statistical purposes. In addition, capital gains obtained abroad will be subject to taxation as provided for in Brazilian tax law.


There is no digital identity accessible to Brazilian citizens to date. Therefore, the identification documents valid in the country are the General Registry (RG), which can be substituted by the driver’s licence or the professional registry; and the Individual Taxpayers Registry (CPF), which contains individual taxpayers’ data. However, none of these documents is completely digital.10 By July 2018, the Brazilian government plans to implement a national unified identity document, which will have a widely accepted digital version.11

Considering the use of documents by financial service providers, BACEN Resolution No. 4.474/16 authorises them to discard the use of physical versions once they are digitised and secured within the institution’s systems. The financial institutions are also authorised to perform onboarding of clients using a fully digitised process, as provided by BACEN Resolution No. 4.480/16. According to the latter, companies must adopt high-security procedures in the opening of accounts by electronic means, in order to guarantee the authenticity of the information and the identity of the proponents.


The law regulates transactions involving securities and, therefore, this market has specific rules established by the agency responsible for overseeing it: the CVM. Brazilian law adopts an open concept for security, considering as such any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including the ones resulting from the rendering of services.12 If any specific collective investment scheme falls under this description, it is subject to the determinations of the law and the CVM rules, which may regulate how they are distributed, offered and commercialised inside Brazilian territories or involving national companies or individuals. All regulations regarding the SFN applies to fintech organisations, if legally prescribed services or products are offered.

Recently, Brazilian authorities have legally recognised investment-based crowdfunding as a possible fundraising option for companies that the Rule considers small.13 Now, the Brazilian innovation ecosystem uses a Rule created specifically to regulate the distribution of securities through platforms established for this purpose, without the need to register this offer with the CVM – which is usually the rule and may be very expensive for small companies. The standard came into force in 2017 following a public consultation of the market conducted by the entity,14 and its current version determines some requirements and responsibilities for the operation of the platforms, details of the possible offers and recognises the possibility of syndicated investments, that is, the ones led by an investor with a high reputation in the market.

The intermediation of loans is a private activity of financial institutions, as determined by the law that constitutes the SFN. Thus, any organisation that collects money from third parties for loans or intermediate transactions of this nature must be registered and authorised to operate as a financial institution according to Brazilian law and then is subject to the supervision and regulation of the BACEN. In order to foster innovative lending models, the entity in 2017 proposed a public hearing that deals with peer-to-peer lending and crowd lending, seeking to guarantee the safety and legality of such loans. The document proposes the creation of two special types of financial institutions that are allowed to use electronic platforms to match creditors and borrowers (SEPs) or to lend their own resources (SCDs).15 Both need to request before the Central Bank authorisation to operate, but it would be a softer, easier and faster process than the one required to traditional financial institutions. Until the closing of this review, the public consultation was not made into a rule and there is no legal provision for these lending operations.

Payment services are subject to the rules regarding the Brazilian payment system (SPB), created by Law No. 12.214/01, and other entities of the SFN such the BACEN and the CVM also regulate their operations. The members of the SPB are services or systems that:

  1. clear cheques;
  2. clear and settle electronic debit and credit orders;
  3. transfer funds and other financial assets;
  4. clear and settle securities transactions;
  5. clear and settle commodities and futures transactions;
  6. are referred to as financial market infrastructure; and
  7. maintain payment arrangements and payment institutions, as provided by Law No. 12.865/13.

In order to guarantee the security of the transfer of resources, the regulation of the Brazilian payment system is quite robust. In addition, the BACEN also manages and operates technological systems that guarantee interoperability among institutions, as with the System for the Transfer of Resources.

Regarding payment services, it is important to highlight the presence of the CIP – Interbank Payment Chamber – an entity composed of financial institutions, also a member of the SPB, which maintains technological solutions used by participants in payment settlement processes. In 2017, marketplaces of all kinds were determined to be part of payment arrangements, submitting themselves to the centralised settlement rules of their users’ resources.

Finally, there are no rules obliging institutions to make client or product data accessible to third parties. They are allowed to share with other financial institutions some information that can make the settling and clearing of payments faster, safer or more efficient. Nevertheless, this process must observe the legal limits, as the Constitution (and specific laws such the Supplementary Law No. 105/01) protects and assures the inviolability of banking secrecy, in most cases.


There is no specific regulation in Brazil for blockchain technology. In fact, considering Brazil as a civil law jurisdiction, it would be necessary to modify a large number of laws, rules and other types of regulations to include legal provisions for all the currency and non-currency applications of such technology. Therefore, the Brazilian law does not recognise or establish a concept for blockchain or any of its applications, including cryptocurrencies.

Yet some financial authorities from Brazil have issued documents regarding cryptocurrencies and initial coin offerings (ICOs). Though not enforceable like laws, they are a good demonstration of how governmental agencies tend to define such assets.

Firstly, the BACEN stated that cryptocurrencies are not coins and cannot be equated with ‘electronic coins’, already defined in law as the virtual representation of fiat money. In the Bulletin No. 31.379, from 16 November 2017, the entity issued an alert about the risk of operations involving cryptocurrencies and still remarked that such operations are subject to exchange rules and taxes on transactions referred in foreign currencies. The authority also conducts some tests regarding different possibilities of blockchain technology applications, such as an alternative system for transactions settlement and identity management.16

The CVM, in its competence regulating the securities market, published a note containing its perceptions about ICOs. The authority remembered that the law provides a description for security and the characteristics that can frame any asset into this concept. If a token give its owner any right as described in the law,17 it may be considered security and the capital market regulations will apply to its offering, distribution and other transactions. Consequently, besides the laws suitable to securities, CVM Rules No. 400 (public offerings), No. 476 (limited efforts public offerings), No. 588 (crowdfunding) and others regarding securities operations need to be observed during an ICO process, and it does not matter if the issuer is Brazilian or foreign. The CVM also stated that investment funds cannot perform operations on crypto assets, even if they are located abroad.

Finally, the Revenue Service determined that taxpayers must declare any gain obtained from transactions involving ‘virtual coins’ such Bitcoin and other crypto assets. If the operation is for an amount higher than 35,000 reais, the individual must pay 15 per cent over the earnings as income tax.


Self-executing contracts, also known as ‘smart contracts’, are important deployments in the context of Blockchain technology. Therefore, since there is no specific regulation for technological applications of this nature, smart contracts are not yet foreseen in Brazilian law and may face questions regarding their legality, enforceability, validity and other characteristics necessary for contracts. However, they are not prohibited and if the basic contractual requirements are fulfilled, in specific cases smart contracts may be entered into in the same way as regular contracts.

As for the automated investment operations, it is necessary to distinguish two important professionals: the consultants – authorised only to advise investors, without managing funds of third parties – and portfolio managers (asset management) – who can make investments on behalf of third parties. For both, there is a legal provision for the use of algorithms and automated systems, whose source code must be delivered to the CVM and which do not exempt professionals from any responsibility in the provision of services. All agents are subject to securities market regulation, including third-party websites that provide or compare information about financial products.

If a sole investor wants to perform operations using automated algorithms like trading bots, they may execute orders before brokers using such systems.18 To do that, it is imperative that they comply with the rules established by the exchange itself and, mainly, securities regulation. Caution is needed by a bot user in order to avoid market manipulation and illegal practices such layering and spoofing, all of which are forbidden by the authorities; if this happens, the user will be responsible for any illegal act the system performs.

According to the latest version of FintechLab Radar (November 2017), the fintech market in Brazil can be divided into 10 major sectors: payments, financial management, credit and loans, investment, insurance, funding, data collection, cryptocurrencies and DLT, exchange and multiservices. Its is also possible to highlight some new business models shown by specific companies that are very relevant in the market.

For this purpose, we may consider the credit card operator ‘Nubank’ and the financial planner ‘GuiaBolso’ as particularly successful in Brazil. Their business models provide innovative approaches to traditional services, and sometimes regulatory discussions may directly impact their activities. Nevertheless, both companies received large investments in 2017.


Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such literary or artistic works and it is not necessary to register anything with the authorities to ensure protection. Therefore, any ownership dispute may be solved easily with proof of authorship.19 Nevertheless, it is possible to register the source code with the entity responsible for issuing patents on industrial property in the country – the National Institute for Industrial Property.

There are some cases in which patents can be issued regarding software and computer programs. This happens if it fills the requirements of characterisation of an industrial creation (a process or product associated with the process); thus, if the solution implemented by a computer program solves a problem found in the art and scope a technical effect that does not only concern how the computer program is written, it may be considered an invention and would be patentable.

In order to verify whether fintech includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: (1) novelty; (2) inventive step; (3) industrial application; and (4) technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software.

The novelty requirement is broadly met when creation did not exist and was invented, that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.

The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that in order to grant a patent licence for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if: (1) it solves a problem found in the technique; and (2) it achieves a technical effect that does not only concern how the software is written.

It is important to note that the patent application process involves accurately describing the invention created. This precise description will be protected. In this sense, a new version of the same software would not be covered by patent protection.

In any case, to determine the immediate ownership of software or computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under employment relationships, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee’s activities. The contract firmed between the parties may determine different aspects, but in case of omission, this is the general rule.

The scenario is a bit different if there is a service providing contract regulating the creator–company relationship. Although the law also affirms that the intellectual property belongs to the contractor, since a service-rendering link is slightly more fragile than an employment contract, it is highly recommended that the parties create a contract in which the creator waives any economic rights for that code and transfers everything to the contractor. A simple document is enough to prevent disputes in the future.

Regarding data protection, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. Such pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Internet Bill of Rights and the Criminal Code. Further, the Bill of our Data Protection Law is currently under discussion in the legislative branch. Each provides different aspects for data protection, but the Consumer Protection and Defence Code establish more detailed protection rules, alongside the Internet Bill of Rights.

The Consumer Protection and Defence Code contains specific rules applicable to the treatment of consumers’ data, consumer databases and liabilities connected to the violation of consumers’ data. According to the law, consumers must previously consent in writing to any data collection or, alternatively, be previously informed in writing about the collection. Nevertheless, the consolidated understanding of Brazilian consumer protection authorities and courts is that collection of consumers’ data always requires prior written consent, and any sort of implied consent is not sufficient to legitimise it. To the extent the transfer of consumers’ information to third parties is considered a new procedure for the collection of data, it also depends on consumers’ prior written consent.

Failure to comply with consumer law may also subject the infringer to administrative penalties determined by federal and state bodies, including fines and the temporary suspension of activities. The imposition of any administrative penalty depends on an administrative proceeding, where the infringer must have the opportunity to present its defence, and administrative rulings may be challenged and reviewed by the court.

In the criminal sphere, to prevent or hinder a consumer’s access to his or her personal data is a crime punished with imprisonment of six months to one year or fine; and failure to correct inaccurate information in consumer databases is a crime subject to one to six months’ imprisonment or a fine. Since legal entities are not subject to criminal liability in Brazil (other than for environmental issues), these penalties may potentially be attributed to managers, directors and representatives.

The Internet Bill of Rights establishes principles, guarantees, rights and duties relating to the use of the internet in Brazil. The regulation, in force since June 2016, introduced definitions of personal data and treatment of personal data applicable to the online environment, as follows:

Personal Data: any data related to an identified or identifiable data subject, including identifying numbers, location data or electronic identifiers, whenever they are related to an individual; and

Treatment of Personal Data: any operation involving personal data, such as the collection, production, reception, use, access, reproduction, transmission, distribution, storage, deletion, information control and assessment, communication, transfer, diffusion or extraction.

The Internet Bill of Rights corroborates the general privacy principles of the Consumer Protection and Defence Code that collection, use, storage and treatment of personal data is subject to the prior and express consent of data subjects; and users may request the deletion of their personal data from the database of internet applications at any time (except if the deletion request is against the retention obligations detailed in the law). It further determines that provisions regarding the collection, use, storage and treatment of personal data must be highlighted in the applicable agreement or terms of use of internet applications.


2017 was a remarkable year for the entire innovation ecosystem. Two factors were particularly responsible for its evolution: first, investment deals for start-ups and tech companies increased, reaching the highest levels ever recorded; secondly, big corporations demonstrated a deep interest in the innovative power of such companies and therefore consolidated many kinds of relationships with them, such as partnerships and open innovation programmes.

The ecosystem’s maturation caught the attention of regulators, which led them to adopt some positions about how these companies should be seen from a legal point of view. Some initiatives deserve special consideration since they created effective rules for some fintech activities. In this sense, the most important regulators for the SFN – the BACEN and the CVM – had norms published or proposed for some specific activities of fintech.

The BACEN issued a bulletin about its stance on the cryptocurrency market and proposed norms to regulate peer-to-peer lending and crowd-lending activities,20 as already described. Furthermore, it changed the conditions for payment arrangements, obliging marketplaces of all kinds to operate as a part of the process and comply with clearing and settlement determinations.

The CVM also stated its thoughts on the ICO operations, considering tokens as security if they meet the legal requirements. The entity regulated investment-based crowdfunding and the activity of investment advisers (considering the use of algorithms). This followed a recent change on venture capital rules in 2016 that also impacted the fintech sector.

Thus, the perceptions of the new regulations demonstrate that financial authorities are adopting tech-friendly positions; it is therefore possible to expect a safer environment for financial technology operations in 2018.


The main objectives of recent regulations were to guarantee better legal certainty, safety and confidence to the market. The authorities are showing cooperative behaviour, acting together in the production of norms that might affect the market. One example is the commentaries on cryptocurrencies and ICOs from the BACEN and CVM, issued on the same day and with similar viewpoints.

They are also combining efforts with the private sector, especially fintech players. Working together, the regulation may foster the use of technology applications that modernise and make financial services more efficient.

It is important to ensure adequate levels of safety without the creation of unnecessary regulations that could suppress the activity of companies whose products and services benefit the market; innovation is a powerful tool to promote the financial inclusion of citizens, and designing a legal framework to boost the creation of new technologies is a very important step in the development of the Brazilian society and economy.

1 Rodrigo de Campos Vieira is a partner, and Victor Cabral Fonseca and Carla do Couto Hellu Battilana are associates at TozziniFreire.

2 For a detailed description of the composition of the National Financial System and functions of each entity, see www.bcb.gov.br/Pom/Spb/Ing/InstitucionalAspects/TheRoleFinancialIntermediaries.asp (in English).

3 The Law No. 4.595/64, which creates the Brazilian National Financial System, determines some specific rules for the operation of financial institutions and other players from this market.

4 Like the Central Bank Resolution No. 4.122/2012, that establish the procedures for the licensing and authorisation granting for multiple kinds of banks.

5 Article 16-A, CVM Rule No. 558/15.

6 Article 16, CVM Rule No. 592/17.

7 See Law No. 4.595/64.

8 Among other prerequisites. See CVM Rule No. 558/15.

9 See CVM Rule No. 592/17.

10 The closest thing available so far is a digital driver’s licence. However, the technology is still in implementation and its validity is yet to be determined.

12 As described in Article 2, IX, Law No. 9.385/76.

13 With an income of 10 million reais or less, as defined by Article 2, III, CVM Rule No. 588/17.

14 CVM Rule No. 588/17.

15 These organisations descriptions may be translated to ‘peer-to-peer lending company’ and ‘direct loans company’, respectively.

16 The Central Bank conducted a research published in a paper named ‘Distributed ledger technical research in Central Bank of Brazil’, which can be found here: https://www.bcb.gov.br/htms/public/microcredito/Distributed_ledger_technical_research_in_Central_Bank_of_Brazil.pdf.

17 Any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including the ones resultant from rendering of services, as described in Article 2, IX, Law No. 9.385/76.

18 See Article 15, CVM Rule No. 505/11.

19 See Law No. 9.606/98, that regulates intellectual property for compute programs.

20 It is expected that such rules will be enacted in 2018.