Brazilian financial technology (fintech) has developed considerably in recent years. The latest version of FintechLab Radar (August 2018) demonstrated a growth of 21.4 per cent in the number of total companies acting in this market, compared with the previous edition published in November 2017. According to the mapping created by the publication, Brazilian fintech operates in 10 different sectors: payments, financial management, credit and loans, investment, insurance, funding, data collection, cryptocurrency and distributed ledger technology (DLT), exchange and multiservices. Among these, the loans and insurance sectors performed the highest growth rates – 92 per cent and 75 per cent respectively.

This diversity of the ecosystem shows the strength of the financial technology market in the country. Given this scenario, Brazilian regulatory entities demonstrated a strong interest in knowing such players and, in some cases, already published specific norms for some of their activities. National laws and governmental entities, such as the Central Bank of Brazil (BACEN) and the Brazilian equivalent of the Securities and Exchange Commission (CVM), regulate the Brazilian financial system. Other agencies also have regulatory power in specific areas, such as the Private Insurance Superintendence (SUSEP) for the insurance industry.

Some initiatives that have already resulted in or are about to become Rules that can directly affect fintech exemplifies the agencies' regulatory interest. This is the case, for example, of CVM Rule No. 588/17, which provides standards for the investment-based crowdfunding industry in the country or the proposals for peer-to-peer lending and crowd-lending regulations, currently before the BACEN (Public Hearing No. 55/2017). In addition, the same government agencies conduct studies on the fintech sector, as evidenced by the creation of the CVM's Fintech Hub of Innovation in Financial Technologies.

Although there is no regulation regarding the whole fintech sector, nor any tax incentives, there has been a significant increase in the activities, organisation and protagonism of such companies. In this sense, regulatory agencies are promoting a fintech-friendly policy, this being their major objective to ensure the integrity and security of financial operations.

Thus, it is possible to consolidate the regulatory and policy approach for fintech companies considering that while the financial sector itself is heavily regulated, state entities are adopting a benign and favourable view of the development of tech-based financial enterprises so far. Their actions demonstrate that developing an innovation-driven economy may be one of the main goals for the next years.


i Licensing and marketing

Brazilian legislation does not provide a specific type of operating licence for fintech. In practice, the nature of the services offered by these companies will dictate which rules are applicable to them, such as those of a particular economic sector.

Most of these rules are elaborated by entities that are part of the National Financial System (SFN), whose competences are fixed in Article 192 of the Federal Constitution of 1988. The SFN is divided into three main organs and their respective operating sectors:2

  1. the National Monetary Council, to regulate the segment of currency, credit, capital and exchange;
  2. the National Council for Private Insurance, responsible for private insurance; and
  3. the National Council for Complementary Pension, which regulates closed pension funds.

Within each sector there also supervisory bodies:

  1. the BACEN, which regulates financial institutions, money, credit, payments and exchanges;
  2. the CVM, responsible for the regulation of securities, commodities, futures;
  3. SUSEP for the insurance industry; and
  4. the National Complementary Pension Superintendence (PREVIC), for the private closed pension funds segment.

Thus, fintech operating in Brazil needs to observe, in addition to the general laws, specific rules that affect the markets in which it operates, established by the competent bodies.

In this way, even if there is no special licence for fintech companies to function in the country, the services or products they offer – or even the market in which they operate – may determine whether their businesses require any particular authorisation or if there are specific rules for such activities. Financial institutions such as banks, for example, may only operate in the country if authorised by the BACEN and if they comply with certain requirements, such as the obligation to be constituted as a sociedade por ações (a commercial partnership whose capital stock is divided into shares and in which each shareholder has a limited responsibility according to the sum of money he has invested)3 or other rules envisaged by the financial authority.4

Another heavily regulated sector of fintech is the securities market. In this sector, the CVM provides rules for many services related to the trading of securities and related activities. The agency controls and regulates, among others, capital markets and investment funds (CVM Rules No. 400, 476, 555 and 578, and others), asset management (the most important being CVM Rule No. 558) and investment advisory services (represented by the recently edited CVM Rule No. 592). The use of automated systems or algorithms is permitted for both asset management5 and advisory activities.6

Another industry commonly associated with fintech recently admitted by the Brazilian legal system is investment-based crowdfunding, which is now regulated according to CVM Rule No. 588/17. Following international standards, the norm established the rules for the operation of collective financing platforms and determines that if some precedent requirements (set forth in the law) are present, the distribution of certain securities is exempt from registration before the entity, which is usually very costly for the issuing company.

Thus, some securities-related sectors in which fintech is present – such as robot advisers and investment-based crowdfunding platforms – are regulated by the CVM and companies that operate in these sectors must observe the rules issued by the CVM.

The Consumer Protection and Defense Code equates banking, financial, credit and insurance services to the general delivery of services. Consequently, consumer protection law applies to service suppliers such as banks or credit institutions, if it is possible to verify a consumer relationship between them and the clients.

One of the outcomes of this legal treatment is the existence of rules regarding credit information services. The Code states that consumer databases must be objective, clear, created in a language that is easy to understand and may not contain negative credit information relating to a period exceeding five years. Upon a consumer's request, inaccurate and outdated personal information must be corrected within five business days. Consumers are further entitled to access their personal information and request their exclusion from a database, except for credit information relating to a period of less than five years.

ii Cross-border issues

In general, Brazilian law does not prohibit the offering of financial products or services, only regulating the way certain operations need to be conducted. As described, the SFN is composed of several entities, each with specific competence in relation to activities of a financial nature. In this way, it is necessary to understand the nature of the service or product offered by the fintech company to verify if there is any requirement for foreigners to operate in the country.

Any activity developed in Brazil is primarily subject to national legislation. However, some international entities rulings may guide the standards of the national regulations, since Brazilian authorities are part of many transnational organisations such the Basel Committee on Banking Supervision and IOSCO, for example. Recent legal initiatives also considered international experience, as the Investment-based Crowdfunding Rule (CVM Rule No. 588/17), which is inspired by the regulatory approach used in the European Union, France, the United Kingdom, the United States, Portugal and Canada, among others.

Some activities are restricted to financial institutions (banks), such as the custody of third-party resources and the intermediation and application of their own or third-party financial resources.7 In these cases, it is necessary to comply with the banking regulation in the country, which determines that foreign banks may operate in Brazil if registered within the Central Bank and explicitly authorised by a decree from the executive branch (President of the Republic).

In other situations, if the fintech provides any securities-related products or services, its activities are subject to the CVM Rules. The management of securities portfolios (asset management), for example, can only be done by a legal entity headquartered in Brazil and authorised by the CVM.8 The same applies to investment advisers,9 who also need entity authorisation to carry out their activities.

Finally, the inflow and outflow of funds to and from Brazil is permitted, since individuals and companies are free to send money abroad and realise investments of any nature offshore. However, these transactions must be completed through Brazilian financial institutions authorised by the BACEN to operate in the foreign exchange market. Those institutions are under the supervision of the Brazilian financial authorities and thus must comply with know-your-customer (KYC) and anti-money laundering provisions contained in Brazilian regulation. Moreover, the BACEN issues an annual basis regulation determining that any Brazilian holding investments abroad of an amount higher than a given threshold shall declare this investment to the BACEN for statistical purposes. In addition, capital gains obtained abroad will be subject to taxation as provided for in Brazilian tax law.


In the second half of 2018 and in early 2019, there were few regulatory changes regarding the identification of Brazilian citizens. However, some relevant developments are in sight.

There are some types of identification documents, but many of them can be substituted with a driver's licence that can be transferred onto a digital version. The paper document will not be discontinued and is still mandatory as a driving permission, but now citizens can conveniently carry a digital copy on their smartphones.

Considering the use of documents by financial service providers, the scenario remains almost the same. BACEN Resolution No. 4.474/16 authorises institutions to discard the use of physical versions once they are digitised and secured within their systems. Financial institutions are also authorised to perform onboarding of clients using a fully digitised process, as provided by BACEN Resolution No. 4.480/16. According to this Resolution, companies must adopt high-security procedures in the opening of accounts by electronic means, in order to guarantee the authenticity of the information and the identity of the proponents.

The only change with regard to digital onboarding comes from a presidential decree issued in February 2019 that makes the taxpayer registry identification number enough for identification purposes for access to information and services and exercise of rights or benefits. Although this rule is destined exclusively for identification before executive entities, it may reflect on the practices of other institutions, private or public, that might want to simplify identification procedures.


The law regulates transactions involving securities and, therefore, this market has specific rules established by the agency responsible for overseeing it: the CVM. Brazilian law adopts an open concept for security, considering as such any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including the ones resulting from the rendering of services.10 If any specific collective investment scheme falls under this description, it is subject to the determinations of the law and the CVM rules, which may regulate how they are distributed, offered and commercialised inside Brazilian territories or involving national companies or individuals. All regulations regarding the SFN applies to fintech organisations, if legally prescribed services or products are offered.

Recently, Brazilian authorities have legally recognised investment-based crowdfunding as a possible fundraising option for companies that the Rule considers small.11 Now, the Brazilian innovation ecosystem uses a Rule created specifically to regulate the distribution of securities through platforms established for this purpose, without the need to register this offer with the CVM – which is usually the rule and may be very expensive for small companies. The standard came into force in 2017 following a public consultation of the market conducted by the entity,12 and its current version determines some requirements and responsibilities for the operation of the platforms, details of the possible offers and recognises the possibility of syndicated investments, that is, the ones led by an investor with a high reputation in the market.

The intermediation of loans is a private activity of financial institutions, as determined by the law that constitutes the SFN. Thus, any organisation that collects money from third parties for loans or intermediate transactions of this nature must be registered and authorised to operate as a financial institution according to Brazilian law and then is subject to the supervision and regulation of the BACEN. In order to foster innovative lending models, the entity in 2017 proposed a public hearing that deals with peer-to-peer lending and crowd lending, seeking to guarantee the safety and legality of such loans. As a result, in April 2018, the BACEN published Resolution No. 4.656/18, which created two special types of financial institutions that are allowed to use electronic platforms to match creditors and borrowers (SEPs) or to lend their own resources (SCDs).13 Both need to request before the Central Bank authorisation to operate, but they represent a softer, easier and faster process than the one required to traditional financial institutions.

Payment services are subject to the rules regarding the Brazilian payment system (SPB), created by Law No. 12.214/01, and other entities of the SFN such as the BACEN and the CVM also regulate their operations. The members of the SPB are services or systems that:

  1. clear credit notes;
  2. clear and settle electronic debit and credit orders;
  3. transfer funds and other financial assets;
  4. clear and settle securities transactions;
  5. clear and settle commodities and futures transactions;
  6. are referred to as financial market infrastructure; and
  7. maintain payment arrangements and payment institutions, as provided by Law No. 12.865/13.

In order to guarantee the security of the transfer of resources, the regulation of the Brazilian payment system is quite solid and robust. In addition, the BACEN also manages and operates technological systems that guarantee interoperability among institutions, as with the System for the Transfer of Resources.

Regarding payment services, it is important to highlight the presence of the CIP – Interbank Payment Chamber – an entity composed of financial institutions, also a member of the SPB, which maintains technological solutions used by participants in payment settlement processes. In 2017, marketplaces of all kinds were determined to be part of payment arrangements, submitting themselves to the centralised settlement rules of their users' resources.

Moreover, 2018 was relevant to the means of payment market, as the BACEN introduced provisions expected to innovate and promote financial inclusion, as well as enabling a more competitive market.

By means of Resolution No. 4,707 and Circular No. 3,924 , both of 19 December 2018, the BACEN governs the use of payment arrangement receivables as collateral for credit transactions. This should make loaning to smaller structures feasible, as such receivables usually represent a significant portion of their assets, and the creditor will be granted more protection when entering into contracts with them.

With Circular No. 3,925 of 20 December 2018, which amended the Annex to Circular No. 3.682 as of 4 November 2013, the BACEN addresses the provision of payment services within the framework of the arrangements of the Brazilian Payment System, establishing guidelines and standards these service providers need to abide by.

By means of Communiqué No. 32,927 of 21 December 2018, the BACEN recognises instant payments as valid and addresses the fundamental requirements for its environment within the Brazilian payment system regulatory framework. This enables the inclusion of new players in the financial market, which is of extreme significance in a country with high rates of banking concentration such as Brazil.

Finally, there are currently no rules obliging institutions to make client or product data accessible to third parties. They are allowed to share with other financial institutions some information that can make the settling and clearing of payments faster, safer or more efficient. Nevertheless, this process must observe the applicable legal limits, as the Constitution (and specific laws such the Supplementary Law No. 105/01) protects and assures the inviolability of banking secrecy, in most cases.


There is no specific regulation in Brazil for blockchain technology. In fact, considering Brazil as a civil law jurisdiction, it would be necessary to modify a large number of laws, rules and other types of regulations to include legal provisions for all the currency and non-currency applications of such technology. Therefore, the Brazilian law does not recognise or establish a concept for blockchain or any of its applications, including cryptocurrencies.

Yet some financial authorities from Brazil have issued documents regarding cryptocurrencies and initial coin offerings (ICOs). Though not enforceable like laws, they are a good demonstration of how governmental agencies tend to define such assets.

Firstly, the BACEN stated that cryptocurrencies are not coins and cannot be equated with 'electronic coins', already defined in law as the virtual representation of fiat money. In Bulletin No. 31.379 from 16 November 2017, the entity issued an alert about the risk of operations involving cryptocurrencies and still remarked that such operations are subject to exchange rules and taxes on transactions referred in foreign currencies. The authority also conducts some tests regarding different possibilities of blockchain technology applications, such as an alternative system for transactions settlement and identity management.14

The CVM, in its competence regulating the securities market, published a note containing its perceptions about ICOs. The authority remembered that the law provides a description for security and the characteristics that can frame any asset into this concept. If a token give its owner any right as described in the law,15 it may be considered security and the capital market regulations will apply to its offering, distribution and other transactions. Consequently, besides the laws suitable to securities, CVM Rules No. 400 (public offerings), No. 476 (limited efforts public offerings), No. 588 (crowdfunding) and others regarding securities operations need to be observed during an ICO process, and it does not matter if the issuer is Brazilian or foreign. The CVM also stated that investment funds cannot perform direct operations on crypto assets in Brazil. However, in September 2018, the regulator authorised indirect investment in cryptoactives through, for instance, the acquisition of quotas of funds and derivatives, among other assets traded in third jurisdictions, provided that they are admitted as being regulated in those markets.

Finally, the Revenue Service determined that taxpayers must declare any gain obtained from transactions involving 'virtual coins' such Bitcoin and other crypto assets. If the operation is for an amount higher than 35,000 reais, the individual must pay 15 per cent over the earnings as income tax.


Self-executing contracts, also known as 'smart contracts', are important deployments in the context of Blockchain technology. Therefore, since there is no specific regulation for technological applications of this nature, smart contracts are not yet foreseen in Brazilian law and may face questions regarding their legality, enforceability, validity and other characteristics necessary for contracts. However, they are not prohibited and if the basic contractual requirements are fulfilled, in specific cases smart contracts may be entered into in the same way as regular contracts.

As for the automated investment operations, it is necessary to distinguish two important professionals: the consultants – authorised only to advise investors, without managing funds of third parties – and portfolio managers (asset management) – who can make investments on behalf of third parties. For both, there is a legal provision for the use of algorithms and automated systems, whose source code must be delivered to the CVM and that do not exempt professionals from any responsibility in the provision of services. All agents are subject to securities market regulation, including third-party websites that provide or compare information about financial products.

If a sole investor wants to perform operations using automated algorithms like trading bots, they may execute orders before brokers using such systems.16 To do that, it is imperative that they comply with the rules established by the exchange itself and, mainly, securities regulation. Caution is needed by a bot user in order to avoid market manipulation and illegal practices such layering and spoofing, all of which are forbidden by the authorities; if this happens, the user will be responsible for any illegal act the system performs.

According to the latest version of FintechLab Radar (August 2018), the fintech market in Brazil can be divided into 10 major sectors: payments, financial management, credit and loans, investment, insurance, funding, data collection, cryptocurrencies and DLT, exchange and multiservices. It is also possible to highlight some new business models shown by specific companies that are very relevant in the market.

For this purpose, we may consider the credit card operator 'Nubank' as particularly successful in Brazil. Their business models provide innovative approaches to traditional services, and sometimes regulatory discussions may directly impact their activities. In 2018, Nubank sold 5 per cent of its capital to the Chinese-based multinational investment holding TenCent, in exchange for a contribution of capital of approximately US$200 million. This makes Nubank one of the most valuable startups in Latin America, becoming the latest LatAm unicorn.

PagSeguro Digital and Stone Pagamentos also experienced an astonishing capital growth in 2018, despite analysts alerting that the euphoric cycle of the American stock exchanges has ended.

PagSeguro raised approximately US$ 2.27 billion in its initial public offering on the New York Stock Exchange, while Stone Pagamentos raised US$1.2 billion in the electronical Stock Exchange Nasdaq.


Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such as literary or artistic works, and it is not necessary to register it with the authorities to ensure protection. Therefore, any ownership dispute may be solved with proof of authorship.17 Nevertheless, it is possible to register the source code with the entity responsible for the registration and management of industrial property in the country – the National Institute for Industrial Property.

There are some cases in which patents can be issued regarding software and computer programs. This happens if it fills the requirements of characterisation of an industrial creation (a process or product associated with the process); thus, if the solution implemented by a computer program solves a problem found in the art and scope a technical effect that does not only concern how the computer program is written, it may be considered an invention and would be patentable.

To verify whether a new financial technology includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: novelty; inventive step; industrial application; and technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software.

The novelty requirement is broadly met when creation did not exist and was invented, that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.

The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that in order to grant a patent registration for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if:

  1. it solves a problem found in the technique; and
  2. it achieves a technical effect that does not only concern how the software is written.

It is important to note that the patent application process involves accurately describing the invention created. This precise description will be the one that is protected. In this sense, a new version of the same software would not be covered by the same patent protection.

In any case, to determine the immediate ownership of software or computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under employment relationships, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee's activities. The contract executed between the parties may determine different aspects, but in the case of omission, this is the general rule.

Regarding data protection, data privacy legislation is going through important modifications in Brazil: the Brazilian General Data Protection Law (LGPD) that regulates the treatment of personal data in public and private sectors was enacted in August 2018. The Law was inspired by international guidelines, especially those provided by the European Union's General Data Protection Regulation, but will only come into force in August 2020.

Currently, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. Such pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Banking Secrecy Law, the Brazilian Internet Act and the Criminal Code. However, the LGPD is the first law in Brazil that deals specifically with personal data protection.

The LGPD establishes important definitions to Brazilian data privacy regulation, such as personal data, sensitive personal data, anonymised data, data controller and data processor, among others. It adds to the framework surrounding data processing, including compliance with a legal or regulatory obligation, the fulfilment of a contractual or legal obligation and the controller's legitimate interest, as well as determining the details on how the user's consent must be collected to legitimise personal data processing.

The LGPD also addresses international transfer of personal data, rules on liability, data breach and penalties related to the violation of data privacy rights.


From a data protection standpoint, the most important outcome was the enaction of the LGDP, which, although not currently in force, serves as a relevant guideline to personal data treatment in Brazil.

Additionally, in 2018, BACEN issued Resolution 4,658 and Circular Letter 3,909 that rule about cybersecurity policy and the requirements for contracting data processing, data storage and cloud computing services to be observed, respectively, by financial institutions and other institutions (including payment institutions) authorised to operate by BACEN. Financial and payment institutions subject to Resolution 4,658 and Circular Letter 3,909 must create and implement a cybersecurity policy that assures data confidentiality, integrity and availability that is compatible with the company's size and characteristics, to the nature and complexity of the operations, as well as to the sensitivity of the data involved in the operations.

These new regulations state that financial and payment institutions should ensure that their policies, strategies and structures for risk management under the regulations in force, specifically regarding the decision criteria concerning to the outsourcing of services, contemplate the contracting of relevant processing services and storage of data and cloud computing, in Brazil or abroad. The regulations also bring specific requirements that should be observed in agreements involving data processing and cloud computing services.

Lastly, in 2018 BACEN published regulating acts that promoted innovation and the inclusion of new players to the market, including Resolution 4,656/18, which established new types of financial institutions: the direct credit company (SCD) and the peer to peer company (SEP). It presents standards (simpler than those applicable to other types of Brazilian financial institutions) to the incorporation, authorisation, operation, transfer of corporate control and corporate reorganisation of SCDs and SEPs.

The new rules are expected to facilitate the business environment of a large number of fintechs that used to operate as bank correspondents of other financial institutions.


The main objectives of recent regulations were to guarantee better legal certainty, safety and confidence to the market. The authorities are showing cooperative behaviour, acting together in the production of norms that might affect the market. One example is the commentaries on cryptocurrencies and ICOs from the BACEN and CVM, issued on the same day and with similar viewpoints.

They are also combining efforts with the private sector, especially fintech players. Working together, the regulation may foster the use of technology applications that modernise and make financial services more efficient.

It is important to ensure adequate levels of safety without the creation of unnecessary regulations that could suppress the activity of companies whose products and services benefit the market; innovation is a powerful tool to promote the financial inclusion of citizens, and designing a legal framework to boost the creation of new technologies is a very important step in the development of the Brazilian society and economy.


1 Alexei Bonamin and Carla do Couto Hellu Battilana are partners and Ivan Antonio Monteiro Marques, Maria Eugenia Geve de Moraes Lacerda, Thaís Helena Valente Teixeira Lima and Victor Cabral Fonseca are associates at TozziniFreire Advogados.

2 For a detailed description of the composition of the National Financial System and functions of each entity, see www.bcb.gov.br/Pom/Spb/Ing/InstitucionalAspects/TheRoleFinancialIntermediaries.asp (in English).

3 Law No. 4.595/64, which creates the Brazilian National Financial System, determines some specific rules for the operation of financial institutions and other players from this market.

4 Like Central Bank Resolution No. 4.122/2012, that establishes the procedures for the licensing and authorisation granting multiple kinds of banks.

5 Article 16-A, CVM Rule No. 558/15.

6 Article 16, CVM Rule No. 592/17.

7 See Law No. 4.595/64.

8 Among other prerequisites. See CVM Rule No. 558/15.

9 See CVM Rule No. 592/17.

10 As described in Article 2, IX, Law No. 9.385/76.

11 With an income of 10 million reais or less, as defined by Article 2, III, CVM Rule No. 588/17.

12 CVM Rule No. 588/17.

13 These organisations descriptions may be translated to 'peer-to-peer lending company' and 'direct loans company', respectively.

14 The Central Bank conducted a research published in a paper named 'Distributed ledger technical research in Central Bank of Brazil', which can be found here: https://www.bcb.gov.br/htms/public/microcredito/Distributed_ledger_technical_research_in_Central_Bank_of_Brazil.pdf.

15 Any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including the ones resultant from rendering of services, as described in Article 2, IX, Law No. 9.385/76.

16 See Article 15, CVM Rule No. 505/11.

17 See Law No. 9.606/98, that regulates intellectual property for computer programs.