The Financial Technology Law Review: Brazil


Brazilian financial technology (fintech) has developed considerably in recent years. The latest version of FintechLab Radar (June 2019) demonstrated a growth of 30.9 per cent in the number of total companies acting in this market, compared with the previous edition published in August 2018. According to the mapping created by the publication, Brazilian fintech operates in 11 different sectors: payments, financial management, credit and loans, investment, insurance, funding, digital banks, debts, cryptocurrencies, exchange and multiservices. Among these, the payments and loans sectors performed the highest growth rates – 43 per cent and 36 per cent respectively.

This diversity of the ecosystem shows the strength of the financial technology market in the country. Given this scenario, Brazilian regulatory entities demonstrated a strong interest in knowing such players and, in some cases, already published specific norms for some of their activities. National laws and governmental entities, such as the Central Bank of Brazil (BACEN) and the Brazilian Securities and Exchange Commission (CVM), regulate the Brazilian financial system. Other agencies also have regulatory power in specific areas, such as the Private Insurance Superintendence (SUSEP) for the insurance industry.

Some initiatives that have already resulted in or are about to become Rules that can directly affect fintech exemplifies the agencies' regulatory interest. This is the case, for example, of CVM Rule No. 588/2017, which provides standards for the investment-based crowdfunding industry in the country or the proposals for peer-to-peer lending and crowd-lending regulations, currently before the BACEN (Public Hearing No. 55/2017). In addition, the same government agencies conduct studies on the fintech sector, as evidenced by the creation of the CVM's Fintech Hub of Innovation in Financial Technologies.

The development of specific innovations in the financial sector is notable, more specifically in the areas of credit and payment, which are showing consistent showing a signficant growth. The year 2018 was marked by the regularisation of peer-to-peer lending (P2P) in Brazil, through Central Bank Resolution No. 4,656/2018, which regulates financial institutions that use electronic platforms to connect creditors and debtors (SEPs) or to lend their own resources (SCDs). In addition, in 2019 the BACEN structured an instant payment architecture that will replace the current resource transfer system in November 2020. With the start of the new protocol, such transfers will be made instantly and will be available 24 hours a day, all year round.

Although there is no regulation of the whole fintech sector, nor any tax incentives, there has been a significant increase in the activities, which are becoming increasingly relevant to the market. In this sense, regulatory agencies are promoting a fintech-friendly policy, this being their major objective to ensure the integrity and security of financial operations.

There are broader legislative discussions about what is known as the 'Start-up Point', a package of laws and regulations that could bring a series of benefits not only to fintechs, but to all companies that fit the definition of 'start-up'. Such benefits will be of a labour, tax, corporate and investment nature, among others. However, there is still no certainty about when or how these new rules will be implemented; in 2019, the Brazilian government held several meetings with the private sector in order to raise demands and map possible incentives. Further developments are expected to occur in 2020.

In addition, Law No. 13,709/2018 – the Brazilian General Data Protection Law (LGPD), inspired by international guidelines and legislation, especially the EU General Data Protection Regulation, was enacted in August 2018 and will become effective from August 2020. The LGPD applies to any processing of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means – reaching, therefore, the activities of fintech companies involving the handling of personal data.

Thus, it is possible to consolidate the regulatory and policy approach for fintech companies considering that while the financial sector itself is heavily regulated, state entities have been adopting a benign and favourable view of the development of tech-based financial enterprises so far. Their actions demonstrate that developing an innovation-driven economy may be one of the main goals for the next years.


i Licensing and marketing

Brazilian legislation does not provide a specific type of operating licence for fintechs. In practice, the nature of the services offered by these companies will dictate which rules are applicable to them, such as those of a particular economic sector.

Most of these rules are enacted by entities that are part of the National Financial System (SFN), whose competences are fixed in Article 192 of the Federal Constitution of 1988. The SFN is divided into three main organs and their respective operating sectors:2

  1. the National Monetary Council, which regulates currency, credit, capital and exchange;
  2. the National Council for Private Insurance, responsible for private insurance; and
  3. the National Council for Complementary Pension, which regulates closed pension funds.

Within each sector there also supervisory bodies:

  1. the BACEN, which regulates financial institutions, money, credit, payments and exchanges;
  2. the CVM, responsible for the regulation of securities, commodities and futures;
  3. SUSEP for the insurance industry; and
  4. the National Complementary Pension Superintendence (PREVIC), for the private closed pension funds segment.

Thus, a fintech operating in Brazil needs to observe, in addition to the general laws, specific rules that affect the markets in which it operates, established by the competent bodies.

In this way, even if there is no special licence for fintech companies to function in the country, the services or products they offer – or even the market in which they operate – may determine whether their businesses require any particular authorisation or if there are specific rules for such activities. Financial institutions such as banks, for example, may only operate in the country if authorised by the BACEN and if they comply with certain requirements, such as the obligation to be constituted as a sociedade por ações (a commercial partnership whose capital stock is divided into shares and in which each shareholder has a limited responsibility according to the sum of money he has invested)3 or other rules envisaged by the financial authority.4

Another heavily regulated sector of fintech is the securities market. In this sector, the CVM provides rules for many services related to the trading of securities and related activities. The agency controls and regulates, among others, capital markets and investment funds (CVM Rules No. 400/2003, 476/2009, 555/2014 and 578/2016, and others), asset management (the most important being CVM Rule No. 558/2015) and investment advisory services (represented by the recently edited CVM Rule No. 592/2017). The use of automated systems or algorithms is permitted for both asset management5 and advisory activities.6

Another industry commonly associated with fintech is investment-based crowdfunding, which is regulated according to CVM Rule No. 588/2017. Following international standards, the norm established the rules for the operation of collective financing platforms and determines that if some precedent requirements (set forth in the law) are present, the distribution of certain securities is exempt from registration before the entity, which is usually very costly for the issuing company.

Thus, some securities-related sectors in which fintech is present – such as robot advisers and investment-based crowdfunding platforms – are regulated by the CVM and companies that operate in these sectors must observe the rules issued by the CVM.

The Consumer Protection and Defence Code equates banking, financial, credit and insurance services to the general delivery of services. Consequently, consumer protection law applies to service suppliers such as banks or credit institutions, if it is possible to verify a consumer relationship between them and the clients.

One of the outcomes of this legal treatment is the existence of rules regarding credit information services. The Code states that consumer databases must be objective, clear, created in a language that is easy to understand and may not contain negative credit information relating to a period exceeding five years. Upon a consumer's request, inaccurate and outdated personal information must be corrected within five business days. Consumers are further entitled to access their personal information and request their exclusion from a database, except for credit information relating to a period of less than five years.

ii Cross-border issues

In general, Brazilian law does not prohibit the offering of financial products or services, only regulating the way certain transactions need to be conducted. As described, the SFN is composed of several entities, each with specific competence in relation to activities of a financial nature. In this way, it is necessary to understand the nature of the service or product offered by the fintech company to verify if there is any requirement for foreigners to operate in the country.

Any activity developed in Brazil is primarily subject to national legislation. However, some international entities rulings may guide the standards of the national regulations, since Brazilian authorities are part of many transnational organisations such as the Basel Committee on Banking Supervision and IOSCO, for example. Recent legal initiatives also considered international experience, as the Investment-based Crowdfunding Rule (CVM Rule No. 588/2017), which is inspired by the regulatory approach used in Israel, France, the United Kingdom, the United States, Portugal and Canada, among others. Another relevant recent regulatory change is CVM Rule No. 619/2020,7 which allows for securities-related investment advisers to have their domicile abroad and is a result of the understandings established between Brazil and the Organisation for Economic Co-operation and Development (OECD) aiming to align Brazil with the OECD's Codes of Liberalisation of Capital Movements and the Brazilian market with international best practices.

Some activities are restricted to financial institutions (banks), such as the custody of third-party resources and the intermediation and application of their own or third-party financial resources.8 In these cases, it is necessary to comply with the banking regulation in the country, which determines that foreign banks may operate in Brazil if registered within the BACEN and explicitly authorised by a decree enacted by the President of the Republic.

In other situations, if the fintech provides any securities-related products or services, its activities are subject to the CVM Rules. The management of securities portfolios (asset management), for example, can only be done by a natural person or legal entity headquartered in Brazil and authorised by the CVM.9

Finally, the inflow and outflow of funds to and from Brazil is permitted, since individuals and companies are free to send money abroad and realise investments of any nature offshore. However, these transactions must be completed through Brazilian financial institutions authorised by the BACEN to operate in the foreign exchange market. Those institutions are under the supervision of the Brazilian financial authorities and thus must comply with know-your-customer (KYC) and anti-money laundering provisions contained in Brazilian regulation, including identification of the ultimate beneficial owner of the corporate structure. Moreover, the BACEN issues an annual basis regulation determining that any Brazilian holding investments abroad of an amount higher than a given threshold shall declare this investment to the BACEN for statistical purposes. In addition, capital gains obtained abroad will be subject to taxation as provided for in Brazilian tax law.

Digital identity and onboarding

In Brazil, there are various types of identification documents, but many of them can be substituted with a driver's licence that can be transferred onto a digital version. The paper document will not be discontinued and is still mandatory as a driving permission, but now citizens can conveniently carry a digital copy on their smartphones.

It is worth mentioning that Federal Law No 13.444/2017 created the national identity document (DNI), a digital document that will waive the obligation imposed on citizens to hold, as the case may be, documents such as birth and marriage certificates, voter registration and taxpayer registry identification. Nonetheless, the DNI is still under development and has not been implemented yet. Meanwhile, Presidential Decree No 9.723/2019, issued in February 2019, mandates that the taxpayer registry identification number is sufficient for identification purposes for access to information, services and the exercise of rights or benefits. Although this rule is destined exclusively for identification before executive entities, it may reflect on the practices of other institutions, private or public, that might want to simplify identification procedures.

As of the use of documents by financial service providers, BACEN Resolution No. 4.474/2016 authorises institutions to discontinue the use of physical copies once they are digitised and secured within their systems. The only change with regard to digital onboarding comes from BACEN Resolution No. 4.753/2019, in force since 1 January 2020, which establishes rules for opening and closing of deposit accounts (such as current, savings or salary accounts), simplifying the procedure and allowing for clients to request the aforementioned services through any service channels provided by the financial institution except through a phone call.

According to the new Resolution, financial institutions must adopt procedures that allow for the verification of the account holder's identity and of its representatives, as the case may be, as well as the authenticity of the information provided by the clients.

Digital markets, payment services and funding

i Crowdfunding

The law regulates transactions involving securities and, therefore, this market has specific rules established by the agency responsible for overseeing it: the CVM. Brazilian law adopts an open concept for security, considering as such any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including the ones resulting from the rendering of services.10 If any specific collective investment scheme falls under this description, it is subject to the determinations of the law and the CVM Rules, which may regulate how they are distributed, offered and commercialised inside Brazilian territories or abroad, if the investment schemes are issued by Brazilian companies. All regulations regarding the SFN apply to fintech organisations, if legally prescribed services or products are offered.

Nonetheless, Brazilian authorities have legally recognised investment-based crowdfunding as a possible fundraising option for small companies.11 Currently, the Brazilian innovation ecosystem benefits from CVM Rule No. 588/2017, enacted specifically to regulate the distribution of securities through platforms established for this purpose, without the need to register the offer before the CVM – which, as explained above, is the general rule and might be very expensive for small companies. The Rule came into force in 2017 following a market public consultation conducted by the CVM,12 and its current version establishes some requirements and responsibilities for the operation of the platforms, details the possible offers and recognises the possibility of syndicated investments, that is, those led by an investor well known in the market.

ii Intermediation of loans and lending models – P2P lending and crowd-lending

The intermediation of loans is a private activity of financial institutions, as determined by the law that constitutes the SFN. Thus, any organisation that collects money from third parties for loans or intermediate transactions of this nature must be registered and authorised to operate as a financial institution according to Brazilian law and is subject to the supervision and regulation of the BACEN. In order to foster innovative lending models, in 2017, the BACEN proposed a public hearing to deal with P2P lending and crowd-lending, seeking to guarantee the safety and legality of such loans. As a result, in April 2018, the BACEN published Resolution No. 4.656/2018, which created two special types of financial institutions, allowing them to use SEPs or SCDs.13 Both need to request an authorisation to operate before the BACEN. Nonetheless, the authorisation procedure used by these institutions is easier and faster than the one required by traditional financial institutions.

iii Payment services

Payment services are subject to the rules regarding the Brazilian payment system (SPB), created by Law No. 10.214/2001, and to the supervision of the BACEN. The SPB comprises services or systems that, subject to authorisation by the competent authorities, may:

  1. clear credit notes;
  2. clear and settle electronic debit and credit orders;
  3. transfer funds and other financial assets;
  4. clear and settle securities transactions; and
  5. clear and settle commodities and future transactions.

In 2018, the BACEN enacted regulations with the expectation to promote financial inclusion, as well as enabling a more competitive market through the SPB. BACEN Resolution No. 4,707/2018 and Circular No. 3,924/2018 regulate the use of payment arrangement receivables as collateral for credit transactions. This should make lending to smaller companies feasible, as such receivables usually represent a significant portion of their assets, and the creditor will be granted more protection when entering into contracts with them.

The aforementioned rules will be valid only until 3 August 2020, when Resolution No. 4,734/2019 and Circular No. 3.952/2019 will become effective, replacing the current regulation applicable to the aforementioned kind of collateralised transactions. The new rules incorporate principles and dispositions contained in BACEN Resolution No. 4,707/2018 and Circular No. 3,924/2018 while also introducing several modifications related to registration of receivables of credit and debit payment instruments. As soon as they enter into force, financial institutions will have to ensure that receivables from payment arrangements used as collateral for their credit transactions or assigned in discount transactions are recorded in registration systems, operated by a registry authorised by the BACEN. The new regulation will also impose thresholds on the use of collateral over receivables from payment instruments.

With Circular No. 3,925/2018, which amended the Annex to Circular No. 3,682/2013, the BACEN addresses the provision of payment services within the framework of the arrangements of the SPB, establishing guidelines and standards these service providers need to abide by.

Furthermore, in line with the ongoing technological revolution, the BACEN published Circular No. 3,985/2020, defining the components of the instant payment system (SPI) infrastructure and establishing the participation of financial institutions and of payment institutions under the SPI, and Circular Letter No. 4,006/2020, setting out the form of registration of participants for the process of adhering to the instant payments system (PIX) – and the SPI. This is an important step taken by the BACEN with the aim of implementing an instant payment ecosystem in Brazil. By creating the SPI, the BACEN intends to foster the creation of an infrastructure that will allow people and companies to transfer money at any time, using more accessible payment mechanisms, such as QR codes in cell phones. This type of transfer tends to be more practical than those currently used, such as the available electronic transfer (TED) and credit order document (DOC), as it allows for instant transfer, does not require an intermediary and has lower costs. The BACEN itself will operate and coordinate the PIX. This infrastructure coordinates the relationship between service providers and instant payments.

Financial institutions with more than 500,000 active customers are now required to participate in the instant payment infrastructure and, consequently, of SPI, in order to settle instant payment transactions whenever they involve a transfer between instant payment accounts from different SPI participants. On the other hand, participation in the SPI is optional for entities that provide clearing and settlement services exclusively for the purpose of settling private liquidity supply operations carried out among SPI participants within the instant payment infrastructure.

The SPI provides for two forms of participation: direct and indirect. The first involves a direct connection of the participant institution to the SPI. Institutions that do not hold an operating permit from the BACEN are not allowed to participate in the direct form. The indirect participation form applies to institutions that do not hold a direct connection to the SPI and that do not have an SPI account. These institutions will operate through an intermediary, which must be a direct participant of the SPI infrastructure and will be responsible for registering and settling the operation entered under the SPI. Commercial banks, multiple banks with commercial portfolios, clearing and settlement service providers, among others, are not allowed to participate indirectly in the SPI.

The new rule is a step forward in BACEN's initiative of establishing an SPI in Brazil, following the Bulletin No. 32,927 of 21 December 2018, in which the authority recognised the validity of instant payments and addressed the fundamental requirements for its environment within the Brazilian payment system regulatory framework. The implementation of the instant payments ecosystem in Brazil is expected to happen in November 2020. This model is favourable to the emergence of fintechs whose purpose is the development of innovative solutions to ease payment transactions. As announced by the BACEN, fintechs will be able to act as payment institutions, supplying customers with payment accounts, or as payment initiation service providers. They may also offer other services such as insurance, credit, investments and tax payments, among others, fostering the development of innovative and competitive models and allowing for the reduction of social costs related to the use of paper-based instruments.14 The measures enable the inclusion of new players in the financial market, which is of extreme significance in a country with high rates of banking concentration such as Brazil.

Finally, there are currently no rules obliging institutions to make client or product data accessible to third parties. They are allowed to share with other financial institutions some information that can make the settling and clearing of payments faster, safer or more efficient. Nevertheless, this process must observe the applicable legal limits, as the Brazilian Federal Constitution (and specific laws such as the Supplementary Law No. 105/01) protects and assures the inviolability of banking secrecy, in most cases. With respect to clients' personal data, under the LGPD, the process shall also be grounded on one of the legal bases provided for in the law. In this sense, possible legal bases that could be used to justify sharing are the consent of clients, the protection of credit and the legitimate interest of the financial institution. As already mentioned, the LGPD is still not effective, so the exact content and limits of the legal bases above are yet to be tested by Brazilian courts and further regulated by the Brazilian Data Protection Authority, which, as detailed in Section V below, was created by the LGPD, but will only initiate activities when the LGPD comes into force.

iv Marketplaces

A marketplace is a platform that connects buyers and sellers of goods or services with each other, providing an infrastructure with the purpose of facilitating a transaction. They are used in some business models as payment settlers to the extent that they receive the full amount paid by the costumer and then pass the paid value on to sellers, which are their business partners, upon remuneration. In this kind of operation, marketplaces play the role of sub-accreditors, also called sub-acquirers or payment facilitators.

BACEN Circular No. 3.886/2018, which modifies Circular No. 3.682/2013, defines the role of the sub-accreditors and how they interact with payment arrangement providers. It also defines objective criteria for requiring the participation of sub-accreditors in a centralised settlement system in a single grid, which is also regulated by Circular Letter No. 3,872/2018. Circular No. 3.886/2018 categorises sub-accreditors that facilitate the acceptance of a payment instrument by the recipient, without being part of the transaction as a creditor, thus being the link between the end user and the accreditors, as participants in the payment arrangement infrastructure.

Moreover, the Circular determines that the intermediation of payments under the sub-accreditor model, which might include marketplaces, must comply with the payment arrangement infrastructure regulatory framework. Not all marketplaces are considered sub-accreditors. In cases where the transaction is carried out directly between the payer and the marketplace's business partner, the marketplace will not be considered a sub-accreditor. In these cases, the seller itself will be the end user receiving the transaction payment.

Sub-accreditors are obliged to participate in the centralised settlement system. The centralised settlement system involves the centralisation of settlement of transactions performed by the payment arrangements that integrate the SPB in one neutral clearing and settlement service provider, defined by the institutions instituting those payment arrangements. The current clearing and settlement service provider is the Interbank Payment Chamber.

The marketplace participation in the centralised settlement system is mandatory, regardless of the volume of the transactions, if the sub-accreditor is the recipient of the flows relating to transaction in payment arrangements subject to centralised settlement. Nonetheless, the participation is optional if the marketplace acts as a payer to end users who receive flows related to transactions in payment arrangements subject to centralised settlement, and the volume of the operations accumulated in the last 12 months is lower than 500 million Brazilian reais. Brazilian legislation does not provide for special rules relating to digital or cryptoassets in marketplaces.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

There is no specific regulation in Brazil for blockchain technology. In fact, considering Brazil as a civil law jurisdiction, it would be necessary to modify a large number of laws, rules and other types of regulations to include legal provisions for all the currency and non-currency applications of such technology. Therefore, the Brazilian law does not recognise or establish a concept for blockchain or any of its applications, including cryptocurrencies.

Yet some financial authorities from Brazil have issued documents regarding cryptocurrencies and initial coin offerings (ICOs). Though not enforceable like laws, they are a good demonstration of how governmental agencies tend to define such assets.

Firstly, the BACEN stated that cryptocurrencies are not coins and cannot be equated with 'electronic coins', already defined in law as the virtual representation of fiat money. In Bulletin No. 31.379 from 16 November 2017, the entity issued an alert about the risk of operations involving cryptocurrencies and still remarked that such operations are subject to exchange rules and taxes on transactions referred in foreign currencies. The authority also conducts some tests regarding different possibilities of blockchain technology applications, such as an alternative system for transactions settlement and identity management.15

The CVM, in its competence regulating the securities market, published a note containing its perceptions about ICOs. The authority remembered that the law provides a description for the concept of security and the characteristics that can frame any asset into this concept. If a token give its owner any right as described in the law,16 it may be considered a security and the capital market regulations will apply to its offering, distribution and other transactions. Consequently, besides the laws suitable to securities, CVM Rules No. 400 (public offerings), No. 476 (limited efforts public offerings), No. 588 (crowdfunding) and others regarding securities operations need to be observed during an ICO process, and it does not matter if the issuer is Brazilian or foreigner. The CVM also stated that investment funds cannot perform direct cryptoassets operations in Brazil. However, in September 2018, the regulator authorised indirect investment in cryptoassets through, for instance, the acquisition of quotas of funds and derivatives, among other assets traded in third jurisdictions, provided that they are admitted as being regulated in those markets.

Finally, the Revenue Service determined that taxpayers must declare any gain obtained from transactions involving 'virtual coins' such as Bitcoin and other cryptoassets. If the operation is of an amount higher than 35,000 Brazilian reais, the individual must pay 15 per cent over the earnings as income tax.

Digital assets

Other new business models

Self-executing contracts, also known as 'smart contracts', are important deployments in the context of Blockchain technology. Therefore, since there is no specific regulation for technological applications of this nature, smart contracts are not yet foreseen in Brazilian law and may face questions regarding their legality, enforceability, validity and other characteristics necessary for contracts. However, they are not prohibited and if the basic contractual requirements are fulfilled, in specific cases smart contracts may be entered into in the same way as regular contracts.

As for the automated investment operations, it is necessary to distinguish two important professionals: the consultants – authorised only to advise investors, without managing funds of third parties – and portfolio managers (asset management) – who can make investments on behalf of third parties. For both, there is a legal provision for the use of algorithms and automated systems, whose source code must be delivered to the CVM and that do not exempt professionals from any responsibility in the provision of services. All agents are subject to securities market regulation, including third-party websites that provide or compare information about financial products.

If a sole investor wants to perform operations using automated algorithms like trading bots, they may execute orders before brokers using such systems.17 To do that, it is imperative that they comply with the rules established by the exchange itself and, mainly, securities regulation. Caution is needed by a bot user in order to avoid market manipulation and illegal practices such layering and spoofing, all of which are forbidden by the authorities; if this happens, the user will be responsible for any illegal act the system performs.

Some new business models shown by specific companies that are very relevant in the market have gained attention in recent years. The credit card operator 'Nubank' is particularly successful in Brazil. Their business models provide innovative approaches to traditional services, and sometimes regulatory discussions may directly impact their activities. In 2018, Nubank sold 5 per cent of its capital to the Chinese-based multinational investment holding TenCent, in exchange for a contribution of capital of approximately US$200 million. This makes Nubank one of the most valuable start-ups in Latin America, and one more LatAm unicorn.

PagSeguro Digital and Stone Pagamentos also experienced an astonishing capital growth in 2018, despite analysts alerting that the euphoric cycle of the American stock exchanges has ended. PagSeguro raised approximately US$ 2.27 billion in its initial public offering on the New York Stock Exchange, while Stone Pagamentos raised US$1.2 billion in the electronical Stock Exchange Nasdaq.

Another good example is Geru Tecnologia e Serviços SA (Geru), an online lending platform. Geru Credit Rights Investment Fund (FIDC) is a fund structured as a closed condominium. Its portfolio of rights will be composed of bank credit notes, representing loans granted to debtors via Geru's online platform. In August 2019, the fund received a Standard & Poors rating. Currently, the company is the only Brazilian lending fintech that has been rated by one of the three largest risk assessment agencies in the world. Creditas is also a successful case worth mentioning. Creditas is an online secured loan platform, which in August 2019 received a contribution of US$231 million from SoftBank Vision Fund and SoftBank Group Corp.

Intellectual property and data protection

Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such as literary or artistic works, and it is not necessary to register it with the authorities to ensure protection. Therefore, any ownership dispute may be solved with proof of authorship.18 Nevertheless, it is possible to register the source code with the entity responsible for the registration and management of industrial property in the country – the National Institute for Industrial Property.

There are some cases in which patents can be issued regarding software and computer programs. This happens if it fills the requirements of characterisation of an industrial creation (a process or product associated with the process); thus, if the solution implemented by a computer program solves a problem found in the art and scope a technical effect that does not only concern how the computer program is written, it may be considered an invention and would be patentable.

To verify whether a new financial technology includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: novelty; inventive step; industrial application; and technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software. The novelty requirement is broadly met when creation did not exist and was invented, that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.

The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that in order to grant a patent registration for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if:

  1. it solves a problem found in the technique; and
  2. it achieves a technical effect that does not only concern how the software is written.

It is important to note that the patent application process involves accurately describing the invention created. This precise description will be the one that is protected. In this sense, a new version of the same software would not be covered by the same patent protection.

In any case, to determine the immediate ownership of software or computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under employment relationships, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee's activities. The contract executed between the parties may determine different aspects, but in the case of omission, this is the general rule.

Regarding data protection, data privacy legislation is going through important modifications in Brazil: as mentioned, the LGPD, that regulates any treatment of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means was enacted in August 2018. The Law was inspired by international guidelines, especially those provided by the EU General Data Protection Regulation, but will only come into force in August 2020.

Currently, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. Such pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Banking Secrecy Law, the Brazilian Internet Act and the Criminal Code. However, the LGPD is the first omnibus law in Brazil that deals specifically with personal data protection without limiting its applicability to certain categories of agents and subjects (e.g., consumers, employees, financial institutions) or types of treatment (e.g., operation in the online environment).

The LGPD set standards and establishes important definitions to Brazilian data privacy regulation, such as personal data, sensitive personal data, anonymised data, data controller and data processor, among others. It adds to the framework surrounding data processing, including compliance with a legal or regulatory obligation, the fulfilment of a contractual or legal obligation and the controller's legitimate interest, as well as determining the details on how the user's consent must be collected to legitimise personal data processing.

The LGPD also addresses international transfer of personal data, rules on liability, data breach and penalties related to the violation of data privacy rights. The effects of the LGPD extend to any treatment of personal data carried out in the Brazilian territory, any treatment of personal data collected in the Brazilian territory, or any treatment of personal data made with the purpose of offering or supplying goods or services to individuals located in the Brazilian territory.

The LGPD further provided for the creation of the Brazilian National Data Protection Authority (ANPD). The ANPD will initiate its activities when LGPD is effective. Among other things, the ANPD will have authority to supervise the application of the LGPD, prosecute data incidents and apply penalties in the administrative sphere, and to issue regulations about specific points of the LGPD (such as the approval of standard contractual clauses and the list of countries offering a level of data protection similar to Brazil for the purposes of international transfer of personal data, security standards, duties of data protection officers, etc.).

Note that there are still some points pending with respect to the ANPD that should be resolved before August 2020: the appointment of the chairman and the other four executive officers of the ANPD, as well as 23 out of the 25 members of the ANPD's advisory board are yet to be appointed, and the procedural rules applicable to future administrative proceedings to be conducted by the ANPD (e.g., prosecution of data incidents) are also open questions.

Year in review

From a data protection standpoint, the most important outcome will be the entry into force of the LGPD and the start of the ANPD's activities. From August 2020, the provisions, concepts, standards and procedures set forth in the LGPD will start being tested, interpreted and further regulated by Brazilian courts and the ANPD.

As regards the activities of the BACEN, as mentioned above, Resolution No. 4,734/2019 and Circular No. 3.952/2019, while dealing with the use of payment arrangement receivables as collateral for credit transactions, make lending to smaller companies feasible while also introducing several modifications related to register of receivables of credit and debit payment instruments. This will facilitate discount operations of receivables from payment arrangements and credit operation collateralised by these receivables entered between commercial establishments and different institutions.

One of the most important highlights of last year's regulatory innovation was BACEN Circular No. 3,985/2020, defining the components of the SPI infrastructure and establishing the participation of financial institutions and of payment institutions under the SPI. The creation of the SPI is an important step forward in allowing people and companies to transfer money at any time, using more accessible payment mechanisms. The expectation is that the measure will improve the fintech environment, since they will be able to develop solutions to make payment transactions easier for payers and payees.

It is also worth mentioning that the BACEN, in its efforts to adapt its regulatory framework to the innovation environment, launched Public Consultation No. 73/2019,on 28 November 2019 in order to gather the market's opinion on a draft resolution regulating open banking, which means the disclosure of the customer's banking information by the financial institutions so that other service providers can also use this information upon the authorisation of the data holder. Open banking has the potential to increase competition within the financial sector. The Consultation was open until 31 January 2020. Following the measure, on 3 March 2020, the BACEN published Ordinance No. 107,101, in which it created a working group with the task of proposing a structure responsible for the governance of the implementation of open banking in Brazil. New regulatory measures on the matter are expected soon.

Outlook and conclusions

The volume of fintechs operating in the Brazilian market increased from 453 companies to 604 between August 2018 and June 2019, representing an increase of 33 per cent,19 which means that this is a growing sector with a lot of potential. The main objectives of recent regulations were to guarantee greater legal certainty, safety and confidence to the market while fostering competition between financial institutions. The authorities are showing cooperative behaviour, acting together to produce norms that could affect the market.

They are also combining efforts with the private sector, especially fintech players. Working together, the regulation may boost the use of technology applications that modernise and make financial services more efficient.

It is important to ensure adequate levels of safety without the creation of unnecessary regulations that could suppress the activity of companies whose products and services benefit the market; innovation is a powerful tool to promote the financial inclusion of citizens, and designing a legal framework to boost the creation of new technologies is a very important step in the development of the Brazilian society and economy.


1 Alexei Bonamin, Marcela Waksman Ejnisman and Carla do Couto Hellu Battilana are partners, and Marcus Fonseca, Felipe Borges Lacerda Loiola, Natasha Wiedmann and Victor Cabral Fonseca are associates at TozziniFreire Advogados.

2 For a detailed description of the composition of the National Financial System and functions of each entity, see (in English).

3 Law No. 4.595/64, which creates the Brazilian National Financial System, determines some specific rules for the operation of financial institutions and other players within this market.

4 Such as BACEN Resolution No. 4.122/2012, that establishes the procedures for the licensing and authorisation granting multiple kinds of banks.

5 Article 16-A, CVM Rule No. 558/2015.

6 Article 16, CVM Rule No. 592/2017.

7 Amending CVM Rule No. 592/2017.

8 See Law No. 4.595/1964.

9 Among other prerequisites. See CVM Rule No. 558/2015.

10 As described in Article 2, IX, Law No. 6.385/1976.

11 Companies which have an income of 10 million Brazilian reais or less, as defined by Article 2, III, of CVM Rule No. 588/2017.

12 CVM Rule No. 588/2017.

13 These organisations' descriptions may be translated to 'peer-to-peer lending company' and 'direct loans company', respectively.

15 The Central Bank conducted a research published in a paper named 'Distributed ledger technical research in Central Bank of Brazil', which can be found here:

16 Any title or collective investment scheme that generates the right to participation, partnership or remuneration, which income is originated in the effort of entrepreneurs or third parties, including those resultant from rendering of services, as described in Article 2, IX, Law No. 9.385/1976.

17 See Article 15, CVM Rule No. 505/2011.

18 See Law No. 9.606/98, that regulates intellectual property for computer programs.

Get unlimited access to all The Law Reviews content