The Financial Technology Law Review: Brazil


The Brazilian financial technology sector (fintech) has developed considerably in recent years. The latest version of FintechLab Radar (August 2020)2 evidenced that, since the issuance of the first edition of the publication in November 2017, 683 new fintechs or financial efficiency initiatives have been founded. According to the mapping created by the publication, Brazilian fintech operates in 12 different sectors: payments, financial management, credit and loans, investment, insurance, funding, digital banks, debts, cryptocurrencies and distributed ledger technology (DLT), exchange, multi-services and techfin. Among these, the payments and financial management sectors performed with the highest growth rates.

This diversity of the ecosystem shows the strength of the financial technology market in the country. Given this scenario, Brazilian regulatory entities demonstrated a strong interest in knowing these players and, in some cases, have already published specific norms for some of their activities. National laws and governmental entities, such as the Central Bank of Brazil (BACEN) and the Brazilian Securities and Exchange Commission (CVM), regulate the Brazilian financial system. Other agencies also have regulatory power in specific areas, such as the Private Insurance Superintendence (SUSEP) for the insurance industry.

One of the biggest initiatives from regulators to foster competition in the financial and capital markets is open banking, which is regulated by BACEN, with the goal of providing transparent and clear information to customers. Regulation defines open banking as the standardised sharing of data and services by opening and integrating information systems platforms and infrastructures. Open banking is now in the final stages of implementation and is expected to evolve to a new era of open finance – expanding the sharing of information from a simple registration of customers to a more complex network of services, such as insurance, investments, foreign exchange, payments and accounts.

Furthermore, on 15 May 2020, the CVM published Instruction No. 626, which regulates the constitution and functioning of the regulatory sandbox, an experimental regulatory environment that allows the participation of legal entities to test models of innovative businesses in activities related to the securities market. This initiative has the potential to foster innovation in the capital markets as it may provide more legal certainty to participants through guidance on regulatory issues while decreasing costs of the development of innovative products, services and business models, and to the clients of participants, which will increase financial inclusion.

Still within the efforts to modernise Brazilian rules and regulations to foster competition, the Brazilian government enacted Law No. 14,286 on 29 December 2021, known as the new Legal Framework for Foreign Exchange, which aims to update many of the outdated rules in the foreign exchange market, facilitating the use of Brazilian currency in international transactions, making it more consistent with international practices and meeting the needs of Brazilian companies.

Finally, Law No. 13,709/2018 (the Brazilian General Data Protection Law (LGPD)), inspired by international guidelines and legislation, especially the EU General Data Protection Regulation (GDPR), became effective in September 2020 (with the exception of the effectiveness of its provisions on administrative sanctions, which were delayed until August 2021). The LGPD applies to any processing of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means, therefore reaching the activities of fintech companies involved in the handling of personal data.

Therefore, it is possible to consolidate the regulatory and policy approach for fintech companies considering that while the financial sector itself is heavily regulated, regulators have been adopting a benign and favourable view of the development of tech-based financial enterprises so far. Their actions demonstrate that developing an innovation-driven economy may be one of the main goals in the coming years.


i Licensing and marketing

Brazilian legislation does not provide a specific type of operating licence for fintechs. In practice, the nature of the services offered by these companies will dictate which rules are applicable to them, such as those of a particular economic sector.

Most of these rules are enacted by entities that are part of the National Financial System (SFN), whose competences are fixed in Article 192 of the Federal Constitution of 1988. The SFN is divided into three main organs and their respective operating sectors:3

  1. the National Monetary Council, which regulates currency, credit, capital and exchange;
  2. the National Council for Private Insurance, responsible for private insurance; and
  3. the National Council for Complementary Pension, which regulates closed pension funds.

Within each sector there are also supervisory bodies:

  1. BACEN, which regulates financial institutions, money, credit, payments and exchanges;
  2. CVM, responsible for the regulation of securities, commodities and futures;
  3. SUSEP for the insurance industry; and
  4. the National Complementary Pension Superintendence, for the private closed pension funds segment.

ii Cross-border issues

In general, Brazilian law does not prohibit the offering of financial products or services, it only regulates the way in which certain transactions need to be conducted. Therefore, it is necessary to understand the nature of the service or product offered by the fintech company to verify if there are any requirements to be complied with to enable foreigners to operate in the country.

Any activity developed in Brazil is primarily subject to national legislation. However, some international entities' rulings may guide the standards of the national regulations, as Brazilian authorities are part of many transnational organisations, such as the Basel Committee on Banking Supervision and the International Organization of Securities Commissions. Recent legal initiatives also considered international experience, such as the Investment-based Crowdfunding Rule (CVM Rule No. 588/2017), which is inspired by the regulatory approach used in Israel, France, the United Kingdom, the United States, Portugal and Canada, among others.

Some activities are restricted to financial institutions (banks), such as the custody of third-party resources and the intermediation and application of their own or third-party financial resources.4 In these cases, it is necessary to comply with the banking regulation in the entity's home country, which determines that foreign banks may operate in Brazil if registered with BACEN and explicitly authorised by a decree enacted by the President of the Republic.

In other situations, if the fintech provides any securities-related products or services, its activities are subject to CVM rules.

Finally, the inflow and outflow of funds to and from Brazil is permitted, as individuals and companies are free to send money abroad and realise investments of any nature offshore. These transactions must be completed through institutions authorised by BACEN to operate in the foreign exchange market. Those institutions are under the supervision of the Brazilian financial authorities and thus must comply with know-your-customer and anti-money laundering provisions contained in Brazilian regulation, including identification of the ultimate beneficial owner of the corporate structure.

Digital identity and onboarding

In Brazil, there are various types of identification documents although many of them can be substituted with a driver's licence that can be transferred into a digital version. The paper licence will not be discontinued and is still mandatory as a driving permission, but now citizens can conveniently carry a digital copy on their smartphones.

It is worth mentioning that Federal Law No. 13,444/2017 created the national identity document (DNI), a digital document that will waive the obligation imposed on citizens to hold documents such as birth and marriage certificates, voter registration and taxpayer registry identification. Nonetheless, the DNI is still under development and has not been fully implemented yet. Meanwhile, Presidential Decree No. 9,723/2019, issued in February 2019, mandates that the taxpayer registry identification number is sufficient for identification purposes for access to information, services and the exercise of rights or benefits. Although this rule is destined exclusively for identification before executive entities, it may be used by other institutions, private or public, that may want to simplify identification procedures.

As for the use of documents by financial service providers, BACEN Resolution No. 4,474/2016 authorises institutions to discontinue the use of physical copies once they are digitised and secured within their systems.

The only change with regard to digital onboarding comes from BACEN Resolution No. 4,753/2019, which establishes rules for opening and closing deposit accounts (such as current, savings or salary accounts), simplifying the procedure and allowing clients to request the aforementioned services through any service channels provided by the financial institution, except through a phone call. According to this Resolution, financial institutions must adopt procedures that allow for the verification of the account holder's identity and of its representatives, as the case may be, as well as the authenticity of the information provided by clients.

Digital markets, payment services and funding

i Crowdfunding

The law regulates transactions involving securities and, therefore, this market has specific rules established by the agency responsible for overseeing it: the CVM. Brazilian law adopts an open concept for security, considering as such any title or collective investment scheme that generates the right to participation, partnership or remuneration, whose income is originated in the effort of entrepreneurs or third parties, including the ones resulting from the rendering of services.5 If any specific collective investment scheme falls under this description, it is subject to the determinations of the law and the CVM rules.

Currently, the Brazilian innovation ecosystem benefits from CVM Rule No. 588/2017, enacted specifically to regulate investment-based crowdfunding (i.e., the distribution of securities through platforms established for this purpose) without the need to register the offer before the CVM. The Rule establishes some requirements and responsibilities for the operation of the platforms, details the potential offers and recognises the possibility of syndicated investments; that is, those led by an investor well known in the market.

ii Intermediation of loans and lending models – P2P lending and crowd-lending

The intermediation of loans is a private activity of financial institutions, as determined by the law that constitutes the SFN. Thus, any organisation that collects money from third parties for loans or intermediate transactions of this nature must be registered and authorised to operate as a financial institution according to Brazilian law and is subject to the supervision and regulation of BACEN. In April 2018, BACEN published Resolution No. 4,656/2018, which created two special types of financial institutions: companies for loans between people (SEPs), which are electronic platforms to connect creditors and debtors, and direct credit companies (SCDs), which are digital platforms that grant loans with their own resources.6

iii Payment services

Payment services are subject to the rules regarding the Brazilian payment system (SPB), created by Law No. 10,214/2001, and to the supervision of BACEN. The SPB comprises services or systems that, subject to authorisation by the competent authorities, may:

  1. clear credit notes;
  2. clear and settle electronic debit and credit orders;
  3. transfer funds and other financial assets;
  4. clear and settle securities transactions; and
  5. clear and settle commodities and future transactions.

With Resolution No. 150/2021, BACEN addresses the provision of payment services within the framework of the arrangements of the SPB, establishing guidelines and standards that these service providers need to abide by. Payment institutions, on the other hand, are regulated mainly by BACEN Resolutions Nos. 80/2021 and 81/2021.

Furthermore, in line with the ongoing technological revolution, BACEN published Resolution No. 1/2020, which entered into force on 1 September 2020, implementing PIX, a new instant payment method with the aim of making the cost of payment and transfer transactions cheaper. Instant payments comprise the electronic transfer of money between different institutions or persons in a way that allows the final beneficiary to receive the transferred funds in real time, 24 hours a day and every day of the year. Instant payments are now available for transfers between two persons, a person and a company, and between companies. This is also available for transfers involving government entities, such as for tax payments by individuals or legal entities, or social benefits and grants, among others, paid by governments to persons or to companies. PIX also allows for the payment of bills and even the collection of taxes and service fees, through the use of more accessible payment mechanisms, such as QR codes on mobile phones.

The rule is a step forward in BACEN's initiative of establishing an instant payment system in Brazil, following Bulletin No. 32,927 of 21 December 2018, in which the authority recognised the validity of instant payments and addressed the fundamental requirements for its environment within the Brazilian payment system regulatory framework. This model is favourable to the emergence of fintechs whose purpose is the development of innovative solutions to ease payment transactions. As announced by BACEN, fintechs can act as payment institutions, supplying customers with payment accounts, or as payment initiation service providers. They may also offer other services such as insurance, credit, investments and tax payments, fostering the development of innovative and competitive models and allowing for the reduction of social costs related to the use of paper-based instruments.7

Finally, there are currently no rules obliging institutions to make client or product data accessible to third parties. They are allowed to share with other financial institutions some information that can make the settling and clearing of payments faster, safer or more efficient. Nevertheless, this process must observe the applicable legal limits, as the Brazilian Federal Constitution (and specific laws such as Supplementary Law No. 105/01) protects and assures the inviolability of banking secrecy, in most cases. With respect to clients' personal data, under the LGPD, the process shall also be grounded on one of the legal bases provided for in the law. In this sense, possible legal bases that could be used to justify sharing are the consent of clients, the protection of credit and the legitimate interest of the financial institution.

iv Marketplaces

A marketplace is a platform that connects buyers and sellers of goods or services with each other, providing an infrastructure with the purpose of facilitating a transaction. They are used in some business models as payment settlers to the extent that they receive the full amount paid by the customer and then pass the paid value on to sellers, which are their business partners, upon remuneration. In this kind of operation, marketplaces play the role of sub-accreditors, also called sub-acquirers or payment facilitators.

BACEN Resolution No. 150/2021 defines the role of sub-accreditors and how they interact with payment arrangement providers. It also defines objective criteria for requiring the participation of sub-accreditors in a centralised settlement system in a single grid, which is also regulated by Circular Letter No. 3,872/2018. Resolution No. 150/2021 categorises sub-accreditors that facilitate the acceptance of a payment instrument by the recipient, without being part of the transaction as a creditor, thus being the link between the end user and the accreditors, as participants in the payment arrangement infrastructure.

Moreover, the Resolution determines that the intermediation of payments under the sub-accreditor model, which might include marketplaces, must comply with the payment arrangement infrastructure regulatory framework.

Sub-accreditors are obliged to participate in the centralised settlement system. The centralised settlement system involves the centralisation of settlement of transactions performed by the payment arrangements that integrate the SPB in one neutral clearing and settlement service provider, defined by the institutions enacting those payment arrangements. The current clearing and settlement service provider is the Interbank Payment Chamber.

The marketplace participation in the centralised settlement system is mandatory, regardless of the volume of the transactions, if the sub-accreditor is the recipient of the flows relating to transaction in payment arrangements subject to centralised settlement. Nonetheless, the participation is optional if the marketplace acts as a payer to end users that receive flows related to transactions in payment arrangements subject to centralised settlement, and the volume of the operations accumulated in the previous 12 months is lower than 500 million reais.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

There is no specific regulation in Brazil for blockchain technology. Brazilian law does not recognise or establish a concept for blockchain or any of its applications, including cryptocurrencies, although there are bills of law currently in Congress that aim to regulate digital assets.

Yet some financial authorities in Brazil have issued documents regarding cryptocurrencies and ICOs. Though not enforceable like laws, they are a good demonstration of how governmental agencies tend to define these assets.

First, BACEN stated that cryptocurrencies are not coins and cannot be equated with 'electronic coins', already defined in law as the virtual representation of fiat money. In Bulletin No. 31,379 of 16 November 2017, the entity issued an alert about the risk of operations involving cryptocurrencies and remarked that these operations are subject to exchange rules and taxes on transactions made in foreign currencies. The authority has also conducted tests on different blockchain technology application use cases, such as an alternative system for transactions settlement and identity management.8

The CVM, in its competence regulating the securities market, published a note containing its perceptions about ICOs. The authority remembered that the law provides a description for the concept of security and the characteristics that can frame any asset into this concept. If a token gives its owner any right as described in the law,9 it may be considered a security and the capital market regulations will apply to its offering, distribution and other transactions. Consequently, in addition to the laws suitable for securities, CVM Rules No. 400 (public offerings), No. 476 (limited efforts public offerings) and No. 588 (crowdfunding), and others regarding securities operations, need to be observed during an ICO process, and it does not matter if the issuer is Brazilian or foreign. The CVM also stated that investment funds cannot perform direct cryptoasset operations in Brazil. However, in September 2018, the regulator authorised indirect investment in cryptoassets through the acquisition of quotas of funds and derivatives, among other assets traded in third jurisdictions, provided that they are admitted as being regulated in those markets.

The Revenue Service determined that taxpayers must declare any gain obtained from transactions involving 'virtual coins' such as Bitcoin and other cryptoassets. If the operation is of an amount higher than 35,000 reais, the individual must pay 15 per cent over the earnings as income tax.

Other new business models

Brazil has seen a major increase in fintech business in recent years. According to the Distrito Fintech Mining Report 2021,10 there were 1,158 fintechs operating at the time of publication, with the majority of these working with payments and credit solutions. There has been a significant increase in banking-as-a-service solutions, with companies outside the financial market implementing payments and banking solutions for clients by using the entire infrastructure of fintechs authorised to operated by BACEN.

There are also businesses operating through self-executing contracts and automated investment operations.

Self-executing contracts, also known as 'smart contracts', are important developments in the context of blockchain technology. Therefore, because there is no specific regulation for technological applications of this nature, smart contracts are not yet foreseen in Brazilian law and may face questions regarding their legality, enforceability, validity and other characteristics necessary for contracts. However, they are not prohibited and if the basic contractual requirements are fulfilled, in specific cases smart contracts may be entered into in the same way as regular contracts.

As for automated investment operations, it is necessary to distinguish two important professionals: (1) consultants, authorised only to advise investors, without managing funds of third parties; and (2) portfolio managers (asset management), who can make investments on behalf of third parties. For both, there is a legal provision for the use of algorithms and automated systems whose source code must be delivered to the CVM and that do not exempt professionals from any responsibility in the provision of services. All agents are subject to securities market regulation, including third-party websites that provide or compare information about financial products.

If a sole investor wants to perform operations using automated algorithms such as trading bots, he or she may execute orders before brokers using these systems. To do so, it is imperative that they comply with the rules established by the exchange itself, particularly in terms of securities regulation. Caution is needed by a bot user to avoid market manipulation and illegal practices such as layering and spoofing, which are forbidden by the authorities; the user is responsible for any illegal act the system performs.

Intellectual property and data protection

Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such as literary or artistic works, and it is not necessary to register it with the authorities to ensure protection. Therefore, any ownership dispute may be solved with proof of authorship.11 Nevertheless, it is possible to register the source code with the entity responsible for the registration and management of industrial property in the country – the National Institute for Industrial Property.

There are some cases in which patents can be issued for software and computer programs. This happens if they fill the requirements of characterisation of an industrial creation (a process or product associated with the process). Thus, if the solution implemented by a computer program solves a problem found in the art and scope of a technical effect that concerns more than the program's source code, it may be considered an invention and would be patentable.

To verify whether a new financial technology includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: novelty; inventive step; industrial application; and technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software. The novelty requirement is broadly met when creation did not exist and was invented; that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.

The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that, to grant a patent registration for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if: (1) it solves a problem found in the technique; and (2) it achieves a technical effect that concerns more than the source code.

The patent application process involves accurately describing the invention created. This precise description will be the one that is protected. In this sense, a new version of the same software would not be covered by the same patent protection.

In any case, to determine the immediate ownership of software or a computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under an employment relationship, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee's activities. The contract executed between the parties may determine different aspects, but in the case of omission, this is the general rule.

Regarding data protection, data privacy legislation is undergoing important modifications in Brazil: the LGPD, which regulates processing of personal data by public and private entities in online and offline environments using automated and non-automated means, was enacted in August 2018. The Law was inspired by international guidelines, especially those provided by the EU GDPR, and came into force in September 2020 (except with respect to certain of its penalties' provisions, as detailed below).

Currently, there are several pieces of legislation in Brazil dealing with different aspects of privacy and data protection, such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. These pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Banking Secrecy Law, the Brazilian Internet Act and the Criminal Code. However, the LGPD is the first omnibus law in Brazil to deal specifically with personal data protection without limiting its applicability to certain categories of agents and subjects (e.g., consumers, employees, financial institutions) or types of processing (e.g., operation in the online environment).

The LGPD has set standards and established important definitions within Brazilian data privacy regulation, such as personal data, sensitive personal data, anonymised data, data controller and data processor. It adds to the framework surrounding data processing, including compliance with a legal or regulatory obligation, the fulfilment of a contractual or legal obligation and the controller's legitimate interest, as well as determining the details on how the user's consent must be collected to legitimise personal data processing.

The LGPD also addresses international transfer of personal data, rules on liability, data breach and penalties related to the violation of data privacy rights. The effects of the LGPD extend to any processing of personal data carried out or collected in the Brazilian territory or made with the purpose of offering or supplying goods or services to individuals located in the Brazilian territory.

The LGPD further provided for the creation of the Brazilian National Data Protection Authority (ANPD). Among other things, the ANPD has the authority to supervise the application of the LGPD, prosecute data incidents and apply penalties in the administrative sphere. Additionally, the ANPD can issue regulations about specific LGPD points (such as the approval of standard contractual clauses and the list of countries offering a level of data protection similar to Brazil for the purposes of international transfer of personal data, security standards and duties of data protection officers).

At the end of 2020, the chair and the other four executive officers of the ANPD were appointed, and they were sworn in at the beginning of 2021. The ANPD began publishing general guidelines on matters such as the notification of data breaches and the implementation of data subjects' rights in early 2021. In February 2022, the ANPD published its first resolution aimed at facilitating the LGPD conformity process for small data processing agents. Further regulation is yet to be enacted by the Authority to address the above points (which is expected to take place between 2022 and 2023, as highlighted in the ANPD's Regulatory Agenda). Finally, the administrative penalties that the ANPD may impose for breaches and other violations of privacy law (e.g., fines, interruption and suspension of activities involving the processing of personal data) became effective in August 2021.

Year in review

One of the most important highlights of innovation in 2021 was the enactment of Law No. 14,286/2021, which regulates the Brazilian foreign exchange market, Brazilian capital abroad, foreign capital in the country and the procedure for sending foreign exchange transaction information to BACEN. The new Law innovated the Brazilian exchange market by including fintechs and other payment institutions in the foreign exchange market; prior to the Law's enactment, only banks could provide foreign exchange market services. In addition, the Law provides that BACEN is responsible for further regulating the rules, which gives it autonomy to adjust rules that are in line with its ideas for the financial and technology sector.

There have also been developments in open banking as the ecosystem advances to the next phase proposed by BACEN. In the first three phases, customers became able to:

  1. gain access to a standardised open data of financial institutions where they can access information about the service channels and the services offered by the financial institutions, including rates and tariffs for each service;
  2. share their data with participating financial institutions so they can be offered better services; and
  3. gain access to financial services, such as payments and forwarding of credit proposals on a single platform, without the need to access the service channels of different financial institutions.

In 2022, open banking advanced to the final phase, which aims to generate the expansion of data, products and services by means of the inclusion of new data that can be shared, in addition to new products and services, such as contracting foreign exchange operations, investments, insurance and private pensions.

Outlook and conclusions

The volume of fintechs and financial efficiency initiatives operating in the Brazilian market has been increasing year on year, which means that this is a growing sector with much potential. The main objectives of recent regulations were to lower entry barriers for new players to develop disruptive initiatives in the financial market and to make systemic and operational guidelines simpler and more transparent but still very secure, and more efficient for financial institutions, whether tech-based or not, and their clients. Thus, it is a logical conclusion that this regulatory scenario has fostered competition between financial institutions in Brazil.

The authorities are showing cooperative behaviour, acting together to produce norms that could affect the market. They are also combining efforts with the private sector, especially fintech players. By working together, authorities can generate regulations to boost the use of technology applications that modernise financial services and make them more efficient.

It is important to ensure adequate levels of safety without the creation of unnecessary regulations that could suppress the activity of companies whose products and services benefit the market. Innovation is a powerful tool in the promotion of financial inclusion of citizens, and designing a legal framework to boost the creation of new technologies is a very important step in the development of the Brazilian society and economy.

In this sense, 2021 demonstrated that there is plenty of evidence that multiple stakeholders, whether from the private or governmental arenas, are willing to promote a tech-friendly ecosystem for years to come.


1 Alexei Bonamin, Marcela Waksman Ejnisman, Carla do Couto Hellu Battilana and Marcus Fonseca are partners, and Victor Cabral Fonseca, Leonardo Medeiros Braghetto and Miguel Lima Carneiro are associates, at TozziniFreire Advogados.

3 For a detailed description of the composition of the National Financial System and functions of each entity, see (in English).

4 See Law No. 4,595/1964.

5 As described in Article 2, IX, Law No. 6,385/1976.

6 These organisations' descriptions may be translated to 'peer-to-peer lending company' and 'direct loans company', respectively.

8 The Central Bank conducted research published in a paper, 'Distributed ledger technical research in Central Bank of Brazil', which can be found at

9 Any title or collective investment scheme that generates the right to participation, partnership or remuneration, the income from which is originated in the effort of entrepreneurs or third parties, including those resultant from rendering of services, as described in Article 2, IX, Law No. 9,385/1976.

11 See Law No. 9,606/98, which regulates intellectual property for computer programs.

The Law Reviews content