Brazil is the largest fintech market in Latin America and one of the ten largest globally by number of active companies. Entrepreneurs entering this market face a structured but demanding regulatory environment administered by the Banco Central do Brasil (BCB) and, in some segments, the Comissão de Valores Mobiliários (CVM). Getting the corporate structure and licensing pathway right from the outset determines whether a company reaches market within 12 months or spends years in regulatory limbo. This article maps the legal framework, licensing categories, structuring options, compliance obligations, and the most consequential risks for international founders and investors entering the Brazilian fintech and payments space.
Brazil';s payments and fintech sector is governed primarily by Lei n. 12.865/2013 (the Payments Law), which established the legal concept of payment institutions and payment arrangements. This statute gave the BCB authority to regulate, authorize, and supervise entities that operate payment accounts, issue electronic money, and process transactions outside the traditional banking system. Complementary legislation includes Lei n. 4.595/1964 (the Banking Reform Law), which governs financial institutions broadly, and Resolução BCB n. 80/2021, which consolidated the authorization requirements for payment institutions.
The BCB introduced the concept of the Instituição de Pagamento (payment institution) as a distinct legal category, separate from banks and other financial institutions. Payment institutions do not take deposits in the traditional sense and cannot lend from their own balance sheet unless separately licensed. This distinction is commercially significant: a payment institution can hold client funds in segregated accounts, issue prepaid cards, process transfers, and operate digital wallets, but it cannot extend credit using those funds without a separate authorization as a Sociedade de Crédito Direto (SCD) or Sociedade de Empréstimo entre Pessoas (SEP).
The CVM';s jurisdiction becomes relevant when a fintech offers investment products, tokenized securities, or operates a crowdfunding platform. Resolução CVM n. 88/2022 governs equity crowdfunding platforms, while tokenized asset offerings may trigger securities law obligations under Lei n. 6.385/1976. International founders often underestimate how quickly a product feature - such as a yield-bearing wallet - can shift regulatory oversight from the BCB to the CVM or require dual authorization.
A non-obvious risk is that operating payment services without BCB authorization, even during a pilot or beta phase, constitutes an administrative infraction and can trigger enforcement action, fines, and reputational damage before the company has formally launched.
Choosing the right corporate vehicle is the first structural decision and has direct consequences for licensing eligibility, foreign investment rules, tax treatment, and exit options.
The Sociedade Limitada (Ltda.) is the most common vehicle for early-stage fintechs. It offers flexible governance, lower administrative costs, and simplified profit distribution rules. However, the Ltda. structure can create friction when raising institutional venture capital, because Brazilian VC funds and foreign investors typically prefer the Sociedade Anônima (S.A.) for its clearer share class mechanics, transferability of equity, and compatibility with international term sheets.
The Sociedade Anônima (S.A.) - either closely held (fechada) or publicly listed (aberta) - is the preferred structure for companies planning to raise Series A and beyond, or that anticipate a future IPO on the B3 exchange. The S.A. structure is also required for certain regulated entities: SCDs and SEPs must be constituted as S.A. under BCB rules. Conversion from Ltda. to S.A. is legally straightforward but involves notarial costs, registration with the Junta Comercial (commercial registry), and a minimum capital verification process.
Foreign ownership is generally permitted in Brazilian fintechs without sector-specific caps, except for financial institutions where Lei n. 4.595/1964 historically imposed restrictions. Presidential Decree n. 3.040/1999 and subsequent executive orders have progressively liberalized foreign participation in financial institutions, but BCB authorization for each transaction involving foreign control remains mandatory. In practice, many international founders establish a Brazilian holding S.A. owned by a foreign parent, with the operating fintech entity held beneath it. This structure facilitates repatriation of dividends, which are currently exempt from withholding tax under Brazilian law, and allows the foreign parent to hold intellectual property and brand rights outside Brazil.
A common mistake is registering the operating entity as a Ltda. and only converting to S.A. after BCB authorization has been sought, which restarts portions of the authorization process and delays market entry by several months.
To receive a checklist for corporate structuring and pre-licensing preparation for fintech companies in Brazil, send a request to info@vlolawfirm.com
The BCB recognizes several categories of payment institution, each with distinct authorization requirements, minimum capital thresholds, and operational scope. Understanding which category fits the intended business model is the most consequential early decision.
The Emissor de Moeda Eletrônica (electronic money issuer) is authorized to issue prepaid payment instruments and maintain payment accounts. This is the foundational license for digital wallet operators, prepaid card issuers, and neobanks that do not lend. The Emissor de Instrumento de Pagamento Pós-Pago (postpaid payment instrument issuer) covers credit card issuers that do not fund from deposits. The Credenciador (acquirer) is the license for entities that enable merchants to accept card payments, covering the acquiring side of the payments ecosystem. The Iniciador de Transação de Pagamento (payment transaction initiator) is a newer category introduced under the Open Finance framework, covering companies that initiate payments on behalf of users without holding funds.
Resolução BCB n. 80/2021 sets out the authorization process in two phases. The first phase is a preliminary authorization request, during which the BCB assesses the business plan, corporate documents, compliance framework, and the technical and financial capacity of the applicant. The second phase involves operational authorization, granted after the company demonstrates that its systems, controls, and governance are fully operational. The total timeline from submission to operational authorization typically runs between 12 and 24 months, depending on the complexity of the model and the completeness of the initial submission.
Minimum capital requirements vary by category. Electronic money issuers and acquirers face capital floors set by BCB regulation, which are periodically adjusted. These amounts are not trivial for early-stage companies and must be fully paid in and verifiable at the time of authorization. Founders who underestimate this requirement often face a funding gap that delays authorization.
The BCB also operates a regulatory sandbox under Resolução BCB n. 52/2020, which allows innovative business models to operate under a temporary and limited authorization for up to 24 months. The sandbox is a viable pathway for companies with genuinely novel models that do not fit neatly into existing categories, but it is not a shortcut for companies whose model clearly falls within an existing license category.
For companies that need to operate quickly while the full authorization is pending, a common approach is to partner with an already-licensed institution under a white-label or Banking-as-a-Service arrangement. This allows the fintech to offer regulated services through the licensed partner';s authorization while pursuing its own license in parallel. The contractual and compliance structure of such arrangements requires careful drafting, as the BCB holds the licensed partner responsible for the conduct of its white-label clients.
The Sociedade de Crédito Direto (SCD) and Sociedade de Empréstimo entre Pessoas (SEP) are separate authorization categories for fintechs that wish to lend. The SCD lends using its own capital; the SEP operates as a peer-to-peer lending platform connecting borrowers and investors. Both must be constituted as S.A. and are subject to capital adequacy rules under Resolução BCB n. 4.656/2018. The credit fintech segment is among the most heavily regulated, with ongoing reporting obligations to the Sistema de Informações de Crédito (SCR), the BCB';s credit information system.
Brazil';s Open Finance framework and the Pix instant payment system have fundamentally altered the competitive dynamics of the payments market and created new structuring considerations for fintech entrants.
Pix, launched by the BCB, is a mandatory instant payment infrastructure for financial and payment institutions above a certain size threshold. Participation in Pix is compulsory for institutions with more than 500,000 active customers, and voluntary but commercially essential for smaller players. The legal basis for Pix is Resolução BCB n. 1/2020 and its subsequent amendments. For a new payment institution, integrating Pix from day one is not merely a product decision - it is a compliance and competitive necessity. The technical and operational requirements for Pix participation, including security standards and transaction monitoring, add to the compliance burden during the authorization phase.
Open Finance in Brazil is governed by a series of BCB joint resolutions and operates in phases, progressively expanding the scope of data and services that must be shared between institutions via standardized APIs. For a new entrant, Open Finance creates both an opportunity and an obligation. The opportunity is access to customer financial data from incumbents, enabling better credit scoring and product personalization. The obligation is that once authorized, the institution must itself expose its data and services through the Open Finance infrastructure, which requires significant technical investment.
The Iniciador de Transação de Pagamento (payment transaction initiator) license is specifically designed for companies that want to leverage Open Finance to initiate payments on behalf of users. This license does not require the initiator to hold client funds, which significantly reduces the capital and operational burden. However, it requires robust security infrastructure, explicit customer consent management, and adherence to the BCB';s Open Finance technical standards.
A practical scenario: a European fintech with an existing account aggregation product wants to enter Brazil. The most efficient path is to apply for the Iniciador de Transação de Pagamento license, establish a Brazilian S.A., and build the Open Finance API integration in parallel with the authorization process. This avoids the higher capital requirements of the electronic money issuer category and allows the company to launch a compliant product faster.
In practice, it is important to consider that the BCB';s Open Finance standards evolve frequently, and technical specifications that were current at the time of authorization may require updates within 12 to 18 months of launch. Building a compliance monitoring function into the operating model from the outset is more cost-effective than retrofitting it later.
To receive a checklist for Pix integration and Open Finance compliance for payment institutions in Brazil, send a request to info@vlolawfirm.com
Brazil';s tax environment is among the most complex in the world, and fintech companies with cross-border structures face specific challenges that require careful planning before incorporation.
The primary taxes affecting fintech operations include IRPJ (Imposto de Renda da Pessoa Jurídica, corporate income tax), CSLL (Contribuição Social sobre o Lucro Líquido, social contribution on net income), PIS/COFINS (contributions on revenue), ISS (Imposto Sobre Serviços, municipal services tax), and IOF (Imposto sobre Operações Financeiras, tax on financial transactions). The combined effective tax rate on fintech revenues can be substantial, and the choice between the Lucro Real (actual profit) and Lucro Presumido (presumed profit) tax regimes has significant cash flow implications depending on the company';s margin profile.
IOF is particularly relevant for payment institutions. Transactions involving credit, foreign exchange, and certain payment operations are subject to IOF at rates that vary by transaction type. Cross-border remittances, including dividend repatriation and intercompany payments, trigger IOF at rates set by Decreto n. 6.306/2007 and its amendments. International founders who structure intercompany royalty or technology licensing arrangements must account for IOF on remittances and withholding tax on cross-border payments.
Brazil';s transfer pricing rules were historically based on fixed margin methods that diverged from the OECD arm';s length standard. Lei n. 14.596/2023 introduced a comprehensive reform aligning Brazilian transfer pricing rules with the OECD standard, with mandatory application from 2025. This reform has significant implications for fintech groups with intercompany IP licensing, shared service arrangements, or intragroup financing. Structures that were tax-efficient under the old rules may require restructuring under the new arm';s length framework.
A common mistake made by international founders is establishing the IP holding entity in a low-tax jurisdiction and licensing the IP to the Brazilian operating entity without adequate economic substance in the holding jurisdiction. Under the new transfer pricing rules and Brazil';s controlled foreign corporation (CFC) rules under Lei n. 12.973/2014, such arrangements face heightened scrutiny and potential recharacterization.
The Simples Nacional regime, a simplified tax system for small businesses, is not available to financial institutions or payment institutions regulated by the BCB. This is a frequently overlooked point that affects early-stage fintechs that assumed they could benefit from the simplified regime during their initial operating phase.
For fintech companies planning to raise foreign venture capital, the structure of the investment vehicle matters. Foreign investors typically invest through a Brazilian S.A. holding structure or directly into the operating entity. The BCB requires registration of foreign capital inflows through the Sistema de Registro de Operações (ROF) or the Registro Declaratório Eletrônico (RDE) system. Failure to register foreign capital correctly can complicate future repatriation and trigger regulatory issues.
Authorization is the beginning, not the end, of the regulatory relationship with the BCB. Ongoing compliance obligations are extensive and require dedicated internal resources or external legal and compliance support from the outset.
The Lei Geral de Proteção de Dados (LGPD, Lei n. 13.709/2018) is Brazil';s data protection law, broadly equivalent to the GDPR. Payment institutions process large volumes of sensitive personal and financial data, making LGPD compliance a core operational requirement. The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority. LGPD requires appointment of a Data Protection Officer (DPO), maintenance of records of processing activities, implementation of data subject rights mechanisms, and breach notification within two working days of becoming aware of a significant incident. Fines under LGPD can reach 2% of the company';s Brazilian revenue, capped at a significant absolute amount per infraction.
Anti-money laundering and counter-terrorism financing (AML/CFT) obligations are set out in Lei n. 9.613/1998 (the AML Law) and BCB Resolução n. 44/2020. Payment institutions must implement a risk-based compliance program, conduct customer due diligence, maintain transaction records for at least five years, and report suspicious transactions to the Conselho de Controle de Atividades Financeiras (COAF), Brazil';s financial intelligence unit. The BCB conducts periodic supervisory inspections and can impose fines, suspend operations, or revoke authorization for AML failures.
Consumer protection obligations under the Código de Defesa do Consumidor (CDC, Lei n. 8.078/1990) apply to all fintech products offered to retail customers. The BCB has issued specific resolutions on transparency, fee disclosure, and complaint handling for payment institutions. Resolução BCB n. 96/2021 requires payment institutions to maintain a customer service channel (SAC) and an ombudsman function once they reach a certain scale.
Cybersecurity requirements for payment institutions are set out in Resolução BCB n. 85/2021, which mandates a formal cybersecurity policy, incident response procedures, third-party risk management, and annual reporting to the BCB. Cloud service providers used by payment institutions must meet BCB requirements for data localization and access by supervisory authorities.
A practical scenario: a Brazilian neobank reaches 600,000 customers within 18 months of launch. At this point, Pix participation becomes mandatory, Open Finance phase obligations expand, and the BCB';s supervisory attention increases. Companies that built compliance infrastructure incrementally often find themselves in a reactive posture, spending significantly more on remediation than they would have spent on proactive compliance design.
A non-obvious risk is that the BCB';s supervisory approach has become increasingly data-driven, with automated monitoring of transaction patterns and regulatory reporting. Gaps in reporting systems that go undetected during early operations can accumulate into material compliance findings during a formal inspection.
We can help build a strategy for regulatory compliance and ongoing BCB reporting obligations. Contact info@vlolawfirm.com to discuss your specific situation.
To receive a checklist for ongoing BCB compliance and LGPD obligations for payment institutions in Brazil, send a request to info@vlolawfirm.com
What is the most significant risk of launching a fintech product in Brazil before obtaining BCB authorization?
Operating payment services without BCB authorization constitutes an administrative infraction under Lei n. 12.865/2013 and can result in enforcement action, substantial fines, and mandatory cessation of operations. Beyond the direct penalties, an unauthorized operation creates reputational risk with future banking partners, investors, and the BCB itself during the subsequent authorization process. The BCB has demonstrated willingness to act against unauthorized operators, including those operating under the guise of a technology company rather than a payment institution. The risk of inaction - delaying the authorization application while continuing to operate - compounds over time as the customer base and transaction volumes grow.
How long does BCB authorization take, and what does it cost to obtain?
The BCB authorization process for a payment institution typically takes between 12 and 24 months from submission of a complete application. The timeline depends heavily on the complexity of the business model, the quality of the initial submission, and the BCB';s current processing workload. Legal and advisory fees for preparing and managing the authorization process generally start from the low tens of thousands of USD and can reach six figures for complex models requiring multiple rounds of BCB queries. In addition, the company must demonstrate paid-in capital meeting the BCB';s minimum thresholds, which varies by license category. Founders should budget for at least 18 months of operating costs before generating revenue from regulated activities, as the authorization period requires ongoing expenditure without corresponding income.
Should a foreign fintech enter Brazil through a greenfield setup or by acquiring an existing licensed entity?
Both pathways are viable, and the choice depends on the founder';s timeline, capital availability, and risk tolerance. A greenfield setup allows full control over corporate structure, technology architecture, and compliance culture from inception, but requires the full authorization timeline. Acquiring an existing licensed payment institution provides immediate regulatory standing and an existing operational infrastructure, but introduces legacy compliance risks, technology debt, and the complexity of a BCB-supervised change of control process, which itself requires prior authorization. A change of control in a BCB-regulated entity requires submission of documentation comparable to a new authorization application, and the BCB can impose conditions on the approval. In practice, acquisition is faster only if the target entity has a clean regulatory history and the acquirer has already prepared its own compliance and governance documentation.
Brazil';s fintech and payments market offers substantial commercial opportunity, but the regulatory and structural requirements demand serious preparation before market entry. The BCB';s authorization framework is rigorous, the tax environment is complex, and ongoing compliance obligations are resource-intensive. Companies that invest in correct corporate structuring, early regulatory engagement, and robust compliance infrastructure from the outset consistently reach market faster and with fewer costly corrections than those that treat these elements as secondary to product development.
Our law firm VLO Law Firms has experience supporting clients in Brazil on fintech licensing, corporate structuring, BCB authorization processes, and ongoing regulatory compliance matters. We can assist with entity formation, preparation of authorization submissions, Open Finance compliance frameworks, LGPD implementation, and cross-border structuring for international founders entering the Brazilian market. To receive a consultation, contact: info@vlolawfirm.com