The Financial Technology Law Review: Brazil


The Brazilian financial technology sector (fintech) has developed considerably in recent years. The latest version of FintechLab Radar (August 2020) evidenced that, since the issuance of the last edition in June 2019, 270 new fintechs or financial efficiency initiatives were founded, which represents almost 35 per cent of the total amount of 771 mapped by the Brazilian report,2 the most prestigious in the area. According to the mapping created by the publication, Brazilian fintech operates in 12 different sectors: payments, financial management, credit and loans, investment, insurance, funding, digital banks, debts, cryptocurrencies and distributed ledger technology (DLT), exchange, multiservices and techfin. Among these, the payments and financial management sectors performed with the highest growth rates, of 28 per cent and 18 per cent, respectively.

This diversity of the ecosystem shows the strength of the financial technology market in the country. Given this scenario, Brazilian regulatory entities demonstrated a strong interest in knowing these players and, in some cases, already published specific norms for some of their activities. National laws and governmental entities, such as the Central Bank of Brazil (BACEN) and the Brazilian Securities and Exchange Commission (CVM), regulate the Brazilian financial system. Other agencies also have regulatory power in specific areas, such as the Private Insurance Superintendence (SUSEP) for the insurance industry.

Some initiatives that have already resulted in or are about to become regulation that can directly affect fintech exemplify the agencies' regulatory interest. This is the case, for example, of CVM Rule No. 588/2017, which provides standards for the investment-based crowdfunding industry in the country. In addition, the same government agencies conduct studies on the fintech sector, as evidenced by the creation of the CVM's Fintech Hub of Innovation in Financial Technologies.

Standing for its regulatory function, CVM published Instruction No. 626 on 15 May 2020, which regulates the constitution and operation of its regulatory sandbox, an experimental environment that allows the participation of legal entities to test models of innovative businesses in activities related to the securities market. This initiative has the potential to foster innovation in the capital markets as it may provide more legal certainty to participants through guidance on regulatory issues while decreasing costs both to the development of innovative products, services and business models, and to the clients of participants, which will increase financial inclusion. The process of admission of participants to the regulatory sandbox, including its eligibility criteria and other requirements, was published in November 2020 and accepted proposals until 15 January 2021. At this point, the authority has until 20 April 2021 to assess the proposals. Whichever projects are selected, it is expected that this initiative will positively affect participants and customers in these markets.

The development of specific innovations in the financial sector is notable, more specifically in the areas of credit and payment, which are showing significant growth. The last few years were marked by the regularisation of peer-to-peer lending (P2P) in Brazil, through Central Bank Resolution No. 4,656/2018, which regulates financial institutions that use electronic platforms to connect creditors and debtors (SEPs) or to lend their own resources (SCDs). In addition, in 2019, BACEN structured an instant payment architecture that resulted in the publication of Resolution No. 1/2020, which entered into force on 1 September 2020, implementing an instant payment system scheme, known as PIX, which allows immediate money transfers, 24 hours a day, all year round.

BACEN and the National Monetary Council published Joint Resolution No. 1 and BACEN Circular No. 4,015 on 4 May 2020, which implement and regulate open banking in Brazil. With the goal of providing transparent and clear information to customers, the novel regulation defines open banking as the standardised sharing of data and services by opening and integrating information systems platforms and infrastructures. Although it started on 30 November 2020, its implementation is divided into four parts with full implementation expected in October 2021.

Although there is no regulation of the whole fintech sector, nor any tax incentives, there has been a significant increase in activities that are becoming increasingly relevant to the market. In this sense, regulatory agencies are promoting a fintech-friendly policy, this being their major objective to ensure the integrity and security of financial operations.

In this context, the initiative broadly known as the Legal Framework for Start-ups is almost at the end of its legislative procedure in the National Congress of Brazil. Proposed through the Supplementary Law Bill (PLP) No. 146/2019, it represents a more dynamic commercial and regulatory environment not only for fintechs, but also to all companies that fit the definition of 'start-up' as set forth in the bill. As a result, if approved, it is an opportunity to increase competitiveness within the Brazilian start-up market, with special attention paid to fintech companies because of the coordinated efforts among national authorities and the private sector, which have demonstrated themselves to be sensitive to their demands. PLP No. 146/2019 is under the Chamber of Deputies' review and, if it approves the text amendment by the Federal Senate, the proposal will be sent for presidential sanction.

In addition, Law No. 13,709/2018 – the Brazilian General Data Protection Law (LGPD), inspired by international guidelines and legislation, especially the EU General Data Protection Regulation – became effective in September 2020. The LGPD applies to any processing of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means, reaching, therefore, the activities of fintech companies involving the handling of personal data.

Thus, it is possible to consolidate the regulatory and policy approach for fintech companies considering that while the financial sector itself is heavily regulated, regulators have been adopting a benign and favourable view of the development of tech-based financial enterprises so far. Their actions demonstrate that developing an innovation-driven economy may be one of the main goals for the next few years.


i Licensing and marketing

Brazilian legislation does not provide a specific type of operating licence for fintechs. In practice, the nature of the services offered by these companies will dictate which rules are applicable to them, such as those of a particular economic sector.

Most of these rules are enacted by entities that are part of the National Financial System (SFN), whose competences are fixed in Article 192 of the Federal Constitution of 1988. SFN is divided into three main organs and their respective operating sectors:3

  1. the National Monetary Council, which regulates currency, credit, capital and exchange;
  2. the National Council for Private Insurance, responsible for private insurance; and
  3. the National Council for Complementary Pension, which regulates closed pension funds.

Within each sector there also supervisory bodies:

  1. BACEN, which regulates financial institutions, money, credit, payments and exchanges;
  2. CVM, responsible for the regulation of securities, commodities and futures;
  3. SUSEP for the insurance industry; and
  4. the National Complementary Pension Superintendence (PREVIC), for the private closed pension funds segment.

Thus, a fintech operating in Brazil needs to observe, in addition to the general laws, specific rules that affect the markets in which it operates, established by the competent bodies.

Thus, even if there is no special licence for fintech companies to operate in the country, the services or products they offer – or even the market in which they operate – may determine whether their businesses require any particular authorisation or if there are specific rules for such activities. Financial institutions, such as banks, may only operate in the country if authorised by BACEN and if they comply with certain requirements, such as the obligation to be constituted as a a commercial partnership whose capital stock is divided into shares and in which each shareholder has a limited responsibility according to the sum of money they have invested4 or other rules envisaged by the financial authority.5

Another heavily regulated sector of fintech is the securities market. In this sector, CVM provides rules for many services related to the trading of securities and related activities. The agency controls and regulates, among others, capital markets and investment funds (CVM Rules No. 400/2003, 476/2009, 555/2014 and 578/2016, and others), asset management (represented by the recently enacted CVM Resolution No. 21/2021) and investment advisory services (CVM Resolution No. 19/2021). The use of automated systems or algorithms is permitted for both asset management6 and advisory activities.7

Another industry commonly associated with fintech is investment-based crowdfunding, which is regulated according to CVM Rule No. 588/2017. Following international standards, the norm establishes the rules for the operation of collective financing platforms and determines that if some precedent requirements (set forth in the law) are present, the distribution of certain securities is exempt from registration with the entity, which is usually very costly for the issuing company.

Thus, some securities-related sectors in which fintech is present – such as robot advisers and investment-based crowdfunding platforms – are regulated by CVM and companies that operate in these sectors must observe the rules issued by CVM.

The Consumer Protection and Defence Code equates banking, financial, credit and insurance services to the general delivery of services. Consequently, consumer protection law applies to service suppliers such as banks or credit institutions, if it is possible to verify a consumer relationship between them and the clients.

One of the outcomes of this legal treatment is the existence of rules regarding credit information services. The Code states that consumer databases must be objective, clear, in an understandable language and may not contain negative credit information relating to a period exceeding five years. Upon a consumer's request, inaccurate and outdated personal information must be corrected within five business days. Consumers are further entitled to access their personal information and request their exclusion from a database, except for credit information relating to a period of less than five years.

ii Cross-border issues

In general, Brazilian law does not prohibit the offering of financial products or services, only regulating the way certain transactions need to be conducted. As described, SFN is composed of several entities, each one with specific competence in relation to activities of a financial nature. In this way, it is necessary to understand the nature of the service or product offered by the fintech company to verify if there is any requirement for foreigners to operate in the country.

Any activity developed in Brazil is primarily subject to national legislation. However, some international entities rulings may guide the standards of the national regulations, as Brazilian authorities are part of many transnational organisations such as the Basel Committee on Banking Supervision and IOSCO, for example. Recent legal initiatives also considered international experience, such as the Investment-based Crowdfunding Rule (CVM Rule No. 588/2017), which is inspired by the regulatory approach used in Israel, France, the United Kingdom, the United States, Portugal and Canada, among others.

Some activities are restricted to financial institutions (banks), such as the custody of third-party resources and the intermediation and application of their own or third-party financial resources.8 In these cases, it is necessary to comply with the banking regulation in the country, which determines that foreign banks may operate in Brazil if registered within BACEN and explicitly authorised by a decree enacted by the President of the Republic.

In other situations, if the fintech provides any securities-related products or services, its activities are subject to the CVM Rules. The management of securities portfolios (asset management), for example, can only be done by a natural person or legal entity headquartered in Brazil and authorised by CVM.9

Finally, the inflow and outflow of funds to and from Brazil is permitted, as individuals and companies are free to send money abroad and realise investments of any nature offshore. However, these transactions must be completed through Brazilian financial institutions authorised by BACEN to operate in the foreign exchange market. Those institutions are under the supervision of the Brazilian financial authorities and thus must comply with know-your-customer (KYC) and anti-money laundering provisions contained in Brazilian regulation, including identification of the ultimate beneficial owner of the corporate structure. Moreover, BACEN issues an annual basis regulation determining that any Brazilian holding investments abroad of an amount higher than a given threshold shall declare this investment to BACEN for statistical purposes. In addition, capital gains obtained abroad will be subject to taxation as provided for in Brazilian tax law.

Digital identity and onboarding

In Brazil, there are various types of identification documents, but many of them can be substituted with a driver's licence that can be transferred onto a digital version. The paper document will not be discontinued and is still mandatory as a driving permission, but now citizens can conveniently carry a digital copy on their smartphones.

It is worth mentioning that Federal Law No. 13,444/2017 created the national identity document (DNI), a digital document that will waive the obligation imposed on citizens to hold, as the case may be, documents such as birth and marriage certificates, voter registration and taxpayer registry identification. Nonetheless, the DNI is still under development and has not been fully implemented yet. Meanwhile, Presidential Decree No. 9,723/2019, issued in February 2019 mandates that the taxpayer registry identification number is sufficient for identification purposes for access to information, services and the exercise of rights or benefits. Although this rule is destined exclusively for identification before executive entities, it may reflect on the practices of other institutions, private or public, that might want to simplify identification procedures.

As for the use of documents by financial service providers, BACEN Resolution No. 4,474/2016 authorises institutions to discontinue the use of physical copies once they are digitised and secured within their systems. The only change with regard to digital onboarding comes from BACEN Resolution No. 4,753/2019, in force since 1 January 2020, which establishes rules for opening and closing of deposit accounts (such as current, savings or salary accounts), simplifying the procedure and allowing for clients to request the aforementioned services through any service channels provided by the financial institution except through a phone call.

According to the new Resolution, financial institutions must adopt procedures that allow for the verification of the account holder's identity and of its representatives, as the case may be, as well as the authenticity of the information provided by clients.

Digital markets, payment services and funding

i Crowdfunding

The law regulates transactions involving securities and, therefore, this market has specific rules established by the agency responsible for overseeing it: CVM. Brazilian law adopts an open concept for security, considering as such any title or collective investment scheme that generates the right to participation, partnership or remuneration, whose income is originated in the effort of entrepreneurs or third parties, including the ones resulting from the rendering of services.10 If any specific collective investment scheme falls under this description, it is subject to the determinations of the law and the CVM Rules, which may regulate how they are distributed, offered and commercialised inside Brazilian territories or abroad, if the investment schemes are issued by Brazilian companies. All regulations regarding SFN apply to fintech organisations, if legally prescribed services or products are offered.

Nonetheless, Brazilian authorities have legally recognised investment-based crowdfunding as a possible fundraising option for small companies.11 Currently, the Brazilian innovation ecosystem benefits from CVM Rule No. 588/2017, enacted specifically to regulate the distribution of securities through platforms established for this purpose, without the need to register the offer before the CVM – which, as explained above, is the general rule and might be very expensive for small companies. The Rule came into force in 2017 following a market public consultation conducted by CVM,12 and its current version establishes some requirements and responsibilities for the operation of the platforms, details the potential offers and recognises the possibility of syndicated investments; that is, those led by an investor well known in the market.

ii Intermediation of loans and lending models – P2P lending and crowd-lending

The intermediation of loans is a private activity of financial institutions, as determined by the law that constitutes the SFN. Thus, any organisation that collects money from third parties for loans or intermediate transactions of this nature must be registered and authorised to operate as a financial institution according to Brazilian law and is subject to the supervision and regulation of BACEN. In order to foster innovative lending models, in 2017, BACEN proposed a public hearing to deal with P2P lending and crowd-lending, seeking to guarantee the safety and legality of such loans. As a result, in April 2018, BACEN published Resolution No. 4,656/2018, which created two special types of financial institutions, allowing them to use SEPs or SCDs.13 Both need to request an authorisation to operate before BACEN. Nonetheless, the authorisation procedure used by these institutions is easier and faster than the one required by traditional financial institutions.

iii Payment services

Payment services are subject to the rules regarding the Brazilian payment system (SPB), created by Law No. 10,214/2001, and to the supervision of BACEN. SPB comprises services or systems that, subject to authorisation by the competent authorities, may:

  1. clear credit notes;
  2. clear and settle electronic debit and credit orders;
  3. transfer funds and other financial assets;
  4. clear and settle securities transactions; and
  5. clear and settle commodities and future transactions.

In 2018, BACEN enacted regulations with the expectation to promote financial inclusion, as well as enabling a more competitive market through SPB. BACEN Resolution No. 4,707/2018 and Circular No. 3,924/2018 regulate the use of payment arrangement receivables as collateral for credit transactions with the aim to make lending to smaller companies feasible, as such receivables usually represent a significant portion of their assets, and the creditor will be granted more protection when entering into contracts with them.

The aforementioned rules will be valid only until 7 June 2021, when Resolution No. 4,734/2019 and Circular No. 3,952/2019 will become effective, replacing the current regulation applicable to the aforementioned kind of collateralised transactions. The new rules incorporate principles and dispositions contained in BACEN Resolution No. 4,707/2018 and Circular No. 3,924/2018 while also introducing several modifications related to registration of receivables of credit and debit payment instruments. As soon as they enter into force, financial institutions will have to ensure that receivables from payment arrangements used as collateral for their credit transactions or assigned in discount transactions are recorded in registration systems, operated by a registry authorised by BACEN. The new regulation will also impose thresholds on the use of collateral over receivables from payment instruments.

With Circular No. 3,925/2018, which amended the Annex to Circular No. 3,682/2013, BACEN addresses the provision of payment services within the framework of the arrangements of the SPB, establishing guidelines and standards these service providers need to abide by.

Furthermore, in line with the ongoing technological revolution, BACEN published Resolution No. 1/2020, which entered in force on 1 September 2020, implementing PIX, an instant payment system scheme. PIX is a new instant payment method launched by BACEN with the aim of making the cost of payment and transfer transactions cheaper. Instant payments comprise the electronic transfer of money between different institutions or persons in a way that allows the final beneficiary to receive the transferred funds in real time, 24 hours a day and every day of the year. Instant payments are now available for transfers between two persons, a person and a company, and between companies. This is also available for transfers involving government entities, such as for tax payments by individuals or legal entities, or social benefits and grants, among others, paid by governments to persons or to companies. PIX also allows for the payment of bills and even the collection of taxes and service fees, through the use of more accessible payment mechanisms, such as QR codes on cell phones.

The Resolution No. 1/2020 defines the components of the instant payment system (SPI) infrastructure and establishes the participation of financial institutions and of payment institutions under SPI, setting out the form of registration of participants for the process of adhering to the instant payments system (PIX) and SPI. This is an important step taken by BACEN with the aim of implementing an instant payment ecosystem in Brazil. This type of transfer tends to be more practical than those used so far, such as the available electronic transfer (TED) and credit order document (DOC), as it allows for instant transfer, does not require an intermediary and has lower costs. The BACEN itself is the responsible authority for operating and coordinating the PIX. This infrastructure coordinates the relationship between service providers and instant payments.

Financial institutions and authorised payment institutions with more than 500,000 active customers are required to participate in the instant payment infrastructure and, consequently, of SPI, to settle instant payment transactions whenever they involve a transfer between instant payment accounts from different SPI participants.

SPI provides for three forms of participation: (1) transactional account provider; (2) governmental entity; and (2) special settling. The first involves financial institutions or payment institutions offering deposit account or prepaid payment account to end users. The second involves the National Treasury Secretariat, with the sole purpose of making collections and payments related to its typical activities. The third involves financial institutions or payment institutions authorised to operate by BACEN that: (1) in the scope of PIX, have the exclusive purpose of providing settlement services to other participants, not offering the sending or receiving of a PIX to end users; (2) meet the requirements to act as a settlement participant in the SPI, pursuant to the applicable regulation; and (3) offer a deposit account or prepaid payment account, but do not meet the criteria of having more than 500,000 active customers.

The rule is a step forward in BACEN's initiative of establishing an SPI in Brazil, following the Bulletin No. 32,927 of 21 December 2018, in which the authority recognised the validity of instant payments and addressed the fundamental requirements for its environment within the Brazilian payment system regulatory framework. The implementation of the instant payments ecosystem in Brazil happened in November 2020. This model is favourable to the emergence of fintechs whose purpose is the development of innovative solutions to ease payment transactions. As announced by BACEN, fintechs will be able to act as payment institutions, supplying customers with payment accounts, or as payment initiation service providers. They may also offer other services such as insurance, credit, investments and tax payments, among others, fostering the development of innovative and competitive models and allowing for the reduction of social costs related to the use of paper-based instruments.14 The measures enable the inclusion of new players in the financial market, which is of extreme significance in a country with high rates of banking concentration such as Brazil.

Finally, there are currently no rules obliging institutions to make client or product data accessible to third parties. They are allowed to share with other financial institutions some information that can make the settling and clearing of payments faster, safer or more efficient. Nevertheless, this process must observe the applicable legal limits, as the Brazilian Federal Constitution (and specific laws such as the Supplementary Law No. 105/01) protects and assures the inviolability of banking secrecy, in most cases. With respect to clients' personal data, under the LGPD, the process shall also be grounded on one of the legal bases provided for in the law. In this sense, possible legal bases that could be used to justify sharing are the consent of clients, the protection of credit and the legitimate interest of the financial institution.

iv Marketplaces

A marketplace is a platform that connects buyers and sellers of goods or services with each other, providing an infrastructure with the purpose of facilitating a transaction. They are used in some business models as payment settlers to the extent that they receive the full amount paid by the customer and then pass the paid value on to sellers, which are their business partners, upon remuneration. In this kind of operation, marketplaces play the role of sub-accreditors, also called sub-acquirers or payment facilitators.

BACEN Circular No. 3,886/2018, which modifies Circular No. 3,682/2013, defines the role of the sub-accreditors and how they interact with payment arrangement providers. It also defines objective criteria for requiring the participation of sub-accreditors in a centralised settlement system in a single grid, which is also regulated by Circular Letter No. 3,872/2018. Circular No. 3,886/2018 categorises sub-accreditors that facilitate the acceptance of a payment instrument by the recipient, without being part of the transaction as a creditor, thus being the link between the end user and the accreditors, as participants in the payment arrangement infrastructure.

Moreover, the Circular determines that the intermediation of payments under the sub-accreditor model, which might include marketplaces, must comply with the payment arrangement infrastructure regulatory framework. Not all marketplaces are considered sub-accreditors. In cases where the transaction is carried out directly between the payer and the marketplace's business partner, the marketplace will not be considered a sub-accreditor. In these cases, the seller itself will be the end user receiving the transaction payment.

Sub-accreditors are obliged to participate in the centralised settlement system. The centralised settlement system involves the centralisation of settlement of transactions performed by the payment arrangements that integrate the SPB in one neutral clearing and settlement service provider, defined by the institutions instituting those payment arrangements. The current clearing and settlement service provider is the Interbank Payment Chamber.

The marketplace participation in the centralised settlement system is mandatory, regardless of the volume of the transactions, if the sub-accreditor is the recipient of the flows relating to transaction in payment arrangements subject to centralised settlement. Nonetheless, the participation is optional if the marketplace acts as a payer to end users who receive flows related to transactions in payment arrangements subject to centralised settlement, and the volume of the operations accumulated in the last 12 months is lower than 500 million Brazilian reais. The Brazilian legislation does not provide for special rules relating to digital or cryptoassets in marketplaces.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

There is no specific regulation in Brazil for blockchain technology. In fact, considering Brazil as a civil law jurisdiction, it would be necessary to modify a large number of laws, rules and other types of regulations to include legal provisions for all the currency and non-currency applications of such technology. Therefore, Brazilian law does not recognise or establish a concept for blockchain or any of its applications, including cryptocurrencies.

Yet some financial authorities from Brazil have issued documents regarding cryptocurrencies and initial coin offerings (ICOs). Though not enforceable like laws, they are a good demonstration of how governmental agencies tend to define such assets.

Firstly, BACEN stated that cryptocurrencies are not coins and cannot be equated with 'electronic coins', already defined in law as the virtual representation of fiat money. In Bulletin No. 31,379 from 16 November 2017, the entity issued an alert about the risk of operations involving cryptocurrencies and remarked that such operations are subject to exchange rules and taxes on transactions referred in foreign currencies. The authority also conducts some tests regarding different possibilities of blockchain technology applications, such as an alternative system for transactions settlement and identity management.15

CVM, in its competence regulating the securities market, published a note containing its perceptions about ICOs. The authority remembered that the law provides a description for the concept of security and the characteristics that can frame any asset into this concept. If a token gives its owner any right as described in the law,16 it may be considered a security and the capital market regulations will apply to its offering, distribution and other transactions. Consequently, besides the laws suitable to securities, CVM Rules No. 400 (public offerings), No. 476 (limited efforts public offerings), No. 588 (crowdfunding) and others regarding securities operations need to be observed during an ICO process, and it does not matter if the issuer is Brazilian or foreign. CVM also stated that investment funds cannot perform direct cryptoassets operations in Brazil. However, in September 2018, the regulator authorised indirect investment in cryptoassets through, for instance, the acquisition of quotas of funds and derivatives, among other assets traded in third jurisdictions, provided that they are admitted as being regulated in those markets.

Finally, the Revenue Service determined that taxpayers must declare any gain obtained from transactions involving 'virtual coins' such as Bitcoin and other cryptoassets. If the operation is of an amount higher than 35,000 Brazilian reais, the individual must pay 15 per cent over the earnings as income tax.

Other new business models

Self-executing contracts, also known as 'smart contracts', are important deployments in the context of blockchain technology. Therefore, because there is no specific regulation for technological applications of this nature, smart contracts are not yet foreseen in Brazilian law and may face questions regarding their legality, enforceability, validity and other characteristics necessary for contracts. However, they are not prohibited and if the basic contractual requirements are fulfilled, in specific cases smart contracts may be entered into in the same way as regular contracts.

As for the automated investment operations, it is necessary to distinguish two important professionals: (1) the consultants, authorised only to advise investors, without managing funds of third parties; and (2) portfolio managers (asset management), who can make investments on behalf of third parties. For both, there is a legal provision for the use of algorithms and automated systems, whose source code must be delivered to CVM and that do not exempt professionals from any responsibility in the provision of services. All agents are subject to securities market regulation, including third-party websites that provide or compare information about financial products.

If a sole investor wants to perform operations using automated algorithms like trading bots, they may execute orders before brokers using such systems.17 To do that, it is imperative that they comply with the rules established by the exchange itself and, mainly, securities regulation. Caution is needed by a bot user to avoid market manipulation and illegal practices such as layering and spoofing, all of which are forbidden by the authorities; if this happens, the user will be responsible for any illegal act the system performs.

Some new business models shown by specific companies that are very relevant in the market have gained attention in recent years. The credit card operator 'Nubank' is particularly successful in Brazil. Their business models provide innovative approaches to traditional services, and sometimes regulatory discussions may directly impact their activities. Nowadays, Nubank is not only a Brazilian unicorn, but also one of the few decacorns of the entire world.

Nubank has reached interesting numbers even in the pandemic scenario. Between April 2020 and May 2020, it has registered the highest flow of deposits in the history of its digital bank account ('NuConta'). Throughout the year, the company has made three acquisitions, including the Brazilian brokerage firm Easynvest, which indicates Nubank's interest in the brokerage market. Moreover, Nubank announced two new contributions of capital in the pandemic period: one for US$300 million in August 2020, and another for US$400 million in January 2021. This establishes the company as the fourth most valuable financial institution in Latin America, now valuated in US$25 billion, overcoming prestigious banks and financial institutions such as BTG Pactual, Stone Pagamentos, XP Investimentos and Banco do Brasil, a state-owned bank.

According to Inside Fintech Report 2020,18 the fintech sector in Brazil raised US$1.9 billion throughout the year, overcoming the values presented in 2019, when the publication showed that US$1.1 billion was raised. In this sense, Creditas, a platform for online credit, raised US$255 million while C6 Bank, a digital bank, raised US$241 million in 2020. Nubank is mentioned as the highest contribution of capital raised for the announcement of US$300 million mentioned above. This is the same value raised by the digital bank Neon in September 2020.

Furthermore, companies that built their businesses outside of the digital environment have taken big steps into the internet domain over the year. This is the case with Magazine Luiza, a major retail company that acquired or invested in 11 enterprises only in 2020. Among them are tech-based companies such as AiQFome, a delivery platform (Hubsales), a marketplace focused on Factory to Consumers (F2C), Stoq, which develops a tech solution focused on a restaurant's needs called a 'point of sale system' (PDV) and InLoco Media, a digital advertising tech company.

i Open banking

BACEN, in its efforts to adapt its regulatory framework to the innovation environment, launched Public Consultation No. 73/2019 on 28 November 2019 to gather the market's opinion on a draft resolution regulating open banking. The public consultation was published after Announcement No. 33,455, dated 24 April 2019, in which BACEN established the guidelines for the implementation of open banking in Brazil. As a result of these efforts, on 4 May 2020, BACEN and the National Monetary Council published Joint Resolution No. 1 and BACEN Circular No. 4,015, finally implementing and regulating the matter.

The concept of open banking is based on a kind of platform that integrates Application Program Interfaces (APIs), a set of programming standards that enable the interaction of different systems. It aims to provide transparency and clarity in the information provided to customers, similar authentication compared to the direct access on institution, and simplicity, security and efficiency.

The novel regulation defines open banking as the standardised sharing of data and services by opening and integrating information systems platforms and infrastructures. The regulation encompasses the sharing of the following data and services: (1) exchange of data on access channels, institutions' products and services, and clients' registration and transactions; and (2) services related to payments transactions and credit operations proposals.

Data can only be shared upon the customer's prior approval. Participating institutions should provide data sharing interfaces, standardised in accordance with a convention to be entered among participating institutions.

In the case of data sharing, participation in open banking will be mandatory for institutions included in the S1 and S2 segments.19 Further, it is optional for further institutions authorised by BACEN to operate as financial or payment institutions, provided that some requirements are met, such as registration in a participants' repository and the availability of interfaces dedicated to transfer the data.

As with the sharing of services, participation is mandatory for account-holding institutions; institutions that initiate payment transaction services; and financial institutions or institutions authorised by BACEN that have entered into a correspondent agreement providing services related to payment transactions and credit operations proposals. Institutions that are part of prudential conglomerates and do not provide services related to customer transaction data are not covered by the regulation.

The regulation also provides for the possibility of non-authorised third parties participating in open banking, as long as they enter into a contract with an authorised institution.

The implementation of open banking will be divided into four parts, started on 30 November 2020, with the full implementation target by October 2021, according to the following timeline:

  1. Part I – public access to detailed information about products and services provided by the participating institutions of open banking;
  2. Part II – sharing of the customer registration information and representatives between participating institutions in the system;
  3. Part III – sharing of the transaction initiation service between participating institutions; and
  4. Part IV – expansion of the scope of data such as foreign exchange operations, investments and insurance.

The new regulation seeks to allow the integration of information systems platforms and infrastructures, paving the way for lower interest rates, increased competition and the emergence of new business models with inclusive and customised service solutions for different users' profiles.

ii The Regulatory Sandbox

On 15 May 2020, CVM published Instruction No. 626, which regulates the constitution and functioning of the Regulatory Sandbox, an experimental regulatory environment that allows the participation of legal entities to test models of innovative businesses in activities related to the securities market.

The creation of the Regulatory Sandbox aims to:

  1. provide a regulatory environment that fosters innovation in the capital market;
  2. provide more legal certainty to participants through guidance on regulatory issues;
  3. decrease costs and time in the development of innovative products, services and business models;
  4. achieve greater visibility of innovative business models and observers among service providers and suppliers of financial products;
  5. achieve financial inclusion through costs reduction; and
  6. improve the regulatory environment related to regulated activities.

In November 2020, CVM published a notice to the market announcing the process for admission of participants to the Regulatory Sandbox, indicating, among others, the eligibility criteria of the participants, the content of the proposals and the maximum number of applicants to be selected.

To participate in the Regulatory Sandbox, applicants had to fulfil eligibility criteria, including, among others:

  1. performing an activity that fits the concept of an innovative business model;
  2. demonstrating technical and financial capacity to develop the proposed activity;
  3. having administrators and controlling partners authorised to perform their functions with institutions and with other entities authorised to operate by regulatory agencies;
  4. having protections against cyber-attacks, production and storage of records and information and prevention of money laundering and financing of terrorism; and
  5. that the innovative business model has been preliminarily validated by means of proof of concept or prototypes.

CVM received proposals for the Regulatory Sandbox until 15 January 2021. The authority has until 30 April 2021 to assess the proposals.

With the Regulatory Sandbox proposal, CVM makes clear its intention to innovate the securities market in Brazil, introducing participants to an experimental environment in line with international experience, in which it will be possible to test models that foster innovation and competition in regulated markets. In this way, it expects to positively impact participants in these markets, as well as customers.

Intellectual property and data protection

Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such as literary or artistic works, and it is not necessary to register it with the authorities to ensure protection. Therefore, any ownership dispute may be solved with proof of authorship.20 Nevertheless, it is possible to register the source code with the entity responsible for the registration and management of industrial property in the country – the National Institute for Industrial Property.

There are some cases in which patents can be issued regarding software and computer programs. This happens if it fills the requirements of characterisation of an industrial creation (a process or product associated with the process). Thus, if the solution implemented by a computer program solves a problem found in the art and scope a technical effect that does not only concern how the computer program is written, it may be considered an invention and would be patentable.

To verify whether a new financial technology includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: novelty; inventive step; industrial application; and technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software. The novelty requirement is broadly met when creation did not exist and was invented, that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.

The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that, in order to grant a patent registration for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if: (1) it solves a problem found in the technique; and (2) it achieves a technical effect that does not only concern how the software is written.

The patent application process involves accurately describing the invention created. This precise description will be the one that is protected. In this sense, a new version of the same software would not be covered by the same patent protection.

In any case, to determine the immediate ownership of software or computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under employment relationships, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee's activities. The contract executed between the parties may determine different aspects, but in the case of omission, this is the general rule.

Regarding data protection, data privacy legislation is going through important modifications in Brazil: as mentioned, LGPD, which regulates any treatment of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means was enacted in August 2018. The Law was inspired by international guidelines, especially those provided by the EU General Data Protection Regulation and came into force in September 2020 (except with respect to certain provisions, as detailed below).

Currently, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. Such pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Banking Secrecy Law, the Brazilian Internet Act and the Criminal Code. However, LGPD is the first omnibus law in Brazil that deals specifically with personal data protection without limiting its applicability to certain categories of agents and subjects (e.g., consumers, employees, financial institutions) or types of treatment (e.g., operation in the online environment).

LGPD has set standards and established important definitions to the Brazilian data privacy regulation, such as personal data, sensitive personal data, anonymised data, data controller and data processor, among others. It adds to the framework surrounding data processing, including compliance with a legal or regulatory obligation, the fulfilment of a contractual or legal obligation and the controller's legitimate interest, as well as determining the details on how the user's consent must be collected to legitimise personal data processing.

LGPD also addresses international transfer of personal data, rules on liability, data breach and penalties related to the violation of data privacy rights. The effects of LGPD extend to any treatment of personal data carried out in the Brazilian territory, any treatment of personal data collected in the Brazilian territory, or any treatment of personal data made with the purpose of offering or supplying goods or services to individuals located in the Brazilian territory.

LGPD further provided for the creation of the Brazilian National Data Protection Authority (ANPD). Among other things, ANPD has the authority to supervise the LGPD application, to prosecute data incidents, and to apply penalties in the administrative sphere. Additionally, ANPD can issue regulations about specific LGPD points (such as the approval of standard contractual clauses and the list of countries offering a level of data protection similar to Brazil for the purposes of international transfer of personal data, security standards, duties of data protection officers, etc.).

At the end of 2020, the chairman and the other four executive officers of ANPD were appointed and it is expected that ANPD will become fully operational and start issuing regulations addressing the points above in the near future. The administrative penalties that may be applied by ANPD to sanction breaches and other violations of privacy law (e.g., fines, interruption and suspension of activities involving the processing of personal data) will be effective as of August 2021.

Year in review

From a data protection standpoint, the most important outcome was the entry into force of LGPD and the start of ANPD's activities. From September 2020, the provisions, concepts, standards and procedures set forth in LGPD started being tested, interpreted and further regulated by Brazilian courts and ANPD.

As regards the activities of BACEN, as mentioned above, Resolution No. 4,734/2019 and Circular No. 3,952/2019, while dealing with the use of payment arrangement receivables as collateral for credit transactions, make lending to smaller companies feasible while also introducing several modifications related to register of receivables of credit and debit payment instruments. This will facilitate discount operations of receivables from payment arrangements and credit operation collateralised by these receivables entered between commercial establishments and different institutions.

One of the most important highlights of last year's regulatory innovation was BACEN Resolution No. 1/2020, implementing PIX, with the aim of making the cost of payment and transfer transactions cheaper and allowing for the electronic transfer of money between different institutions or persons in a way that allows the final beneficiary to receive the transferred funds in real time, 24/7, on every day of the year. The expectation is that the measure will improve the fintech environment, as they will be able to develop solutions to make payment transactions easier for payers and payees.

BACEN, in its efforts to adapt its regulatory framework to the innovation environment, on 4 May 2020, published Joint Resolution No. 1 and Circular No. 4,015, which regulate open banking and allow for the sharing of customers' banking information by the financial institutions so that other service providers can also use this information upon the authorisation of the data holder. The new regulation seeks to allow the integration of information systems platforms and infrastructures, paving the way for lower interest rates, increased competition and the emergence of new business models with inclusive and customised service solutions for different users' profiles.

Moreover, the securities market witnessed an innovation initiative proposed by CVM through Instruction No. 626, which regulates the Regulatory Sandbox. As mentioned above, this is an experimental regulatory environment that allows the participation of legal entities to test models of innovative businesses in activities related to the securities market, and its process for admission of participants is now under assessment. The due date for CVM to assess the proposals is 30 April 2021.

From the innovation and entrepreneurship perspectives as a whole, the Supplementary Bill (PLP) 146/2019, which may grant an inviting environment to the Brazilian start-up market, is still on the legislative procedure.

Outlook and conclusions

The volume of fintechs and financial efficiency initiatives operating in the Brazilian market increased from 604 to 771 between June 2019 and August 2020, representing an increase of almost 28 per cent,21 which means that this is a growing sector with a lot of potential. The main objectives of recent regulations were to lower entry barriers for new players to develop disruptive initiatives in the financial market and to make systemic and operational guidelines more transparent, simpler, but still very secure, and more efficient to both financial institutions, whether tech-based or not, including their clients. Thus, it is a logical conclusion that this regulatory scenario has fostered competition between financial institutions in Brazil. The authorities are showing cooperative behaviour, acting together to produce norms that could affect the market.

They are also combining efforts with the private sector, especially fintech players. Working together, the regulation may boost the use of technology applications that modernise and make financial services more efficient.

It is important to ensure adequate levels of safety without the creation of unnecessary regulations that could suppress the activity of companies whose products and services benefit the market. Innovation is a powerful tool to promote the financial inclusion of citizens, and designing a legal framework to boost the creation of new technologies is a very important step in the development of the Brazilian society and economy.

In this sense, 2020 showed that there is plenty of evidence that multiple stakeholders, whether from the private or the governmental arenas, are willing to promote a tech-friendly ecosystem for years to come.


1 Alexei Bonamin, Marcela Waksman Ejnisman and Carla do Couto Hellu Battilana are partners, and Marcus Fonseca, Felipe Borges Lacerda Loiola, Natasha Wiedmann, Victor Cabral Fonseca and Leonardo Medeiros Braghetto are associates at TozziniFreire Advogados.

3 For a detailed description of the composition of the National Financial System and functions of each entity, see (in English).

4 Law No. 4,595/64, which creates the Brazilian National Financial System, determines some specific rules for the operation of financial institutions and other players within this market.

5 Such as BACEN Resolution No. 4,122/2012 that establishes the procedures for the licensing and authorisation granting multiple kinds of banks.

6 Article 19, CVM Resolution No. 21/2021.

7 Article 17, CVM Resolution No. 19/2021.

8 See Law No. 4,595/1964.

9 Among other prerequisites. See CVM Rule No. 558/2015.

10 As described in Article 2, IX, Law No. 6,385/1976.

11 Companies which have an income of 10 million Brazilian reais or less, as defined by Article 2, III, of CVM Rule No. 588/2017.

12 CVM Rule No. 588/2017.

13 These organisations' descriptions may be translated to 'peer-to-peer lending company' and 'direct loans company', respectively.

15 The Central Bank conducted a research published in a paper named 'Distributed ledger technical research in Central Bank of Brazil', which can be found here:

16 Any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including those resultant from rendering of services, as described in Article 2, IX, Law No. 9,385/1976.

17 See Article 15, CVM Rule No. 505/2011.

18 Distrito Dataminer Inside Fintech Report. Available at:

19 S1 and S2 segments encompasses financial institutions whose size (according to criteria designated by BACEN) is larger than 10 per cent of GDP and between 10 per cent and one percent of GDP, respectively.

20 See Law No. 9,606/98, that regulates intellectual property for computer programs.

Get unlimited access to all The Law Reviews content