Fintech & Payments Regulation & Licensing in Brazil

Brazil is one of Latin America';s most active fintech markets, yet it is also one of the most regulated. Any company seeking to operate a payment service, issue electronic money, or provide credit intermediation in Brazil must obtain a specific authorisation from the Banco Central do Brasil (BCB) before commencing operations. Failure to do so exposes founders and directors to civil liability, administrative sanctions, and forced wind-down. This article maps the full regulatory landscape - from licensing categories and corporate prerequisites to ongoing compliance obligations and the most common pitfalls faced by international operators entering the Brazilian market.

Brazil';s fintech and payments sector sits at the intersection of two primary regulatory frameworks. The first is Law No. 12,865/2013, which established the legal basis for payment arrangements and payment institutions, granting the BCB authority to regulate, supervise, and authorise entities in this space. The second is Law No. 4,595/1964, the foundational banking law that governs financial institutions more broadly, including fintechs that extend credit directly from their own balance sheet.

The BCB is the central supervisory authority for all payment institutions and most fintech categories. The Comissão de Valores Mobiliários (CVM) - the Brazilian securities regulator - holds concurrent jurisdiction where fintech activities touch on investment products, securities distribution, or crowdfunding. For credit fintechs operating under the direct credit society model, the BCB exercises exclusive prudential oversight.

Resolution BCB No. 80/2021 and its subsequent amendments consolidated the authorisation requirements for payment institutions. Resolution CMN No. 4,656/2018 created two specific fintech credit categories: the Sociedade de Crédito Direto (SCD, or Direct Credit Society) and the Sociedade de Empréstimo entre Pessoas (SEP, or Peer-to-Peer Lending Society). These instruments define the operational perimeter for the majority of fintech business models active in Brazil today.

The BCB';s regulatory perimeter is broad. It covers not only traditional payment processors but also digital wallets, prepaid card issuers, acquirers, payment initiators under the Open Finance framework, and account-holding institutions. Each category carries its own capital requirements, governance standards, and ongoing reporting obligations.

A non-obvious risk for international operators is the assumption that a foreign payment licence - whether from the European Union, the United Kingdom, or Singapore - provides any form of regulatory passport into Brazil. It does not. Brazil operates a closed licensing system: every entity wishing to provide regulated payment or credit services to Brazilian residents must obtain a standalone BCB authorisation, regardless of existing foreign licences.

The BCB classifies payment institutions into four functional categories, each defined by the specific payment service provided. Understanding which category applies to a given business model is the first and most consequential decision in any market entry strategy.

Issuer of electronic currency - entities that manage prepaid payment accounts, hold client funds, and allow users to make payments and transfers. This is the most common category for digital wallet operators and neobanks that do not hold a full banking licence.

Issuer of post-paid instruments - entities that issue credit cards or similar instruments where the payment obligation arises after the transaction. This category overlaps with consumer credit regulation and requires additional coordination with BCB credit rules.

Acquirer - entities that enable merchants to accept card payments and other electronic payment instruments. Acquirers must participate in or connect to a BCB-regulated payment arrangement.

Payment initiator - a category introduced under the Open Finance framework, covering entities that initiate payment orders on behalf of users without holding client funds. This is the Brazilian equivalent of the EU';s Payment Initiation Service Provider model.

Beyond payment institutions, the SCD and SEP categories address credit fintechs. An SCD may grant credit exclusively using its own capital, without accepting deposits from the public. An SEP operates a peer-to-peer lending platform, connecting borrowers and lenders, but may not use its own capital to fund loans. Both require BCB authorisation under Resolution CMN No. 4,656/2018 and must be incorporated as Brazilian limited liability companies (Sociedade Limitada) or corporations (Sociedade Anônima).

A common mistake made by international founders is attempting to structure a Brazilian fintech operation through a foreign holding company without establishing a locally incorporated entity. The BCB requires the regulated entity itself to be incorporated in Brazil, with its registered office and principal place of business in Brazilian territory.

To receive a checklist of licensing category selection criteria for Brazil, send a request to info@vlolawfirm.com

Capital requirements vary significantly by category and by the scale of operations. The BCB sets minimum capital thresholds that must be maintained on an ongoing basis, not merely at the point of authorisation. For payment institutions managing prepaid accounts, the minimum paid-in capital starts at a level that reflects the volume of funds under management, with the BCB applying a tiered approach based on projected transaction volumes.

For SCD and SEP fintechs, Resolution CMN No. 4,656/2018 establishes a minimum paid-in capital of BRL 1 million (approximately USD 200,000 at current rates) as a baseline, though the BCB may require higher amounts depending on the business plan submitted. In practice, applicants with ambitious growth projections should budget for capital requirements well above the statutory minimum.

Corporate governance requirements are detailed and non-negotiable. The BCB requires payment institutions and credit fintechs to maintain a board structure appropriate to their size and risk profile, with clear segregation between executive management and oversight functions. For entities above certain size thresholds, an independent audit committee and a risk management function are mandatory under Resolution BCB No. 265/2022.

The fit-and-proper assessment - known in Brazilian regulatory practice as the análise de idoneidade - applies to all controlling shareholders, directors, and members of the fiscal council (conselho fiscal). The BCB evaluates criminal records, prior regulatory sanctions, financial history, and professional qualifications. Foreign nationals serving as directors of a Brazilian regulated entity must provide apostilled documentation from their home jurisdiction, translated by a sworn translator (tradutor juramentado) registered in Brazil.

A practical consideration for international groups is the requirement that at least one director be resident in Brazil. This is not merely a formality: the BCB expects the resident director to be genuinely involved in day-to-day management and to be reachable for supervisory purposes. Appointing a nominee director without operational involvement creates both regulatory and criminal exposure.

The BCB also scrutinises the ultimate beneficial ownership structure of applicants. Complex offshore holding chains - particularly those involving jurisdictions with limited transparency - attract heightened due diligence. Applicants should prepare a full corporate chart with supporting documentation for every layer of the ownership structure, including trust arrangements and nominee shareholdings.

The BCB authorisation process for payment institutions and credit fintechs follows a structured sequence defined in Resolution BCB No. 80/2021. The process has two main phases: a preliminary consultation phase and a formal authorisation phase.

The preliminary consultation (consulta prévia) allows applicants to present their business model to the BCB before committing to a full application. This step is not mandatory, but in practice it is strongly advisable for any business model that does not fit neatly into an existing category. The BCB';s response to a preliminary consultation typically takes between 60 and 90 days and provides informal guidance on the applicable regulatory category and likely capital requirements.

The formal authorisation application requires submission of an extensive documentation package, including:

• Detailed business plan covering at least three years of projected operations
• Corporate documents of the Brazilian entity and all entities in the ownership chain
• Fit-and-proper documentation for all qualifying individuals
• Technology and cybersecurity assessment aligned with Resolution BCB No. 85/2021
• Anti-money laundering and counter-terrorism financing (AML/CTF) programme documentation under Resolution BCB No. 44/2020
• Evidence of minimum capital contribution

The BCB';s formal review period is not fixed by statute, but in practice ranges from six to eighteen months depending on the complexity of the application and the responsiveness of the applicant. Applications that are incomplete at submission, or that require multiple rounds of supplementary information, routinely take longer. Applicants should treat eighteen months as a realistic planning horizon for a first-time authorisation.

During the review period, the BCB may conduct on-site inspections of the applicant';s premises and technology infrastructure. It may also request interviews with proposed directors and key function holders. These interactions are formal supervisory acts and should be treated accordingly.

A common mistake is submitting a business plan that describes the intended product in marketing terms rather than in regulatory terms. The BCB expects applicants to map each product feature to a specific regulatory category and to explain how the proposed technology architecture satisfies the applicable technical standards.

Costs at this stage are material. Legal advisory fees for preparing and managing a BCB authorisation application typically start from the low tens of thousands of USD, depending on the complexity of the structure and the number of regulatory categories involved. Technology compliance assessments add further cost. Founders should budget for these expenditures before initiating the process.

To receive a checklist of BCB authorisation documentation requirements for Brazil, send a request to info@vlolawfirm.com

Brazil';s Open Finance framework - established under Joint Resolution BCB/CMN No. 1/2020 and its subsequent phases - has fundamentally altered the competitive dynamics of the payments market. Open Finance requires regulated financial institutions to share customer data (with customer consent) through standardised APIs, and to accept payment initiation requests from authorised third-party providers.

PIX is the BCB';s instant payment infrastructure, launched under Resolution BCB No. 1/2020. PIX operates on a 24/7 basis with near-zero transaction costs and has achieved mass adoption across both consumer and business segments. Participation in PIX is mandatory for financial institutions above a certain size threshold, and optional but commercially necessary for smaller payment institutions. For any fintech offering account-to-account transfers or bill payments, PIX integration is effectively a market entry prerequisite.

The payment initiator category under Open Finance creates a distinct licensing pathway for fintechs that want to initiate PIX payments on behalf of users without holding client funds. This model - sometimes described as a "thin" payment institution - carries lower capital requirements and a narrower regulatory perimeter than a full prepaid account issuer. For international operators whose primary use case is payment initiation rather than account holding, this category merits serious consideration.

A non-obvious risk in the Open Finance context is the data governance obligation. Entities participating in Open Finance must implement data sharing protocols that comply with the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018), Brazil';s general data protection law. The LGPD is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), a separate authority from the BCB. A fintech that obtains BCB authorisation but fails to implement LGPD-compliant data practices faces enforcement action from the ANPD, with fines of up to 2% of the company';s Brazilian revenue per violation.

The BCB has also introduced a regulatory sandbox framework under Resolution BCB No. 52/2020, allowing innovative business models to operate on a limited basis while the BCB assesses their regulatory classification. The sandbox is time-limited (typically 24 months) and subject to specific conditions, but it provides a legitimate pathway for models that do not fit existing categories. Applicants must demonstrate genuine innovation and a credible plan for transitioning to full authorisation at the end of the sandbox period.

Three practical scenarios illustrate the range of entry strategies available to international operators:

• A European neobank seeking to offer Brazilian residents a prepaid digital wallet must incorporate a Brazilian entity, obtain payment institution authorisation as an issuer of electronic currency, satisfy minimum capital requirements, and integrate with PIX. The full process from incorporation to operational launch typically spans 18 to 24 months.

• A US-based lending platform wishing to offer consumer credit in Brazil must obtain SCD authorisation, demonstrate that lending will be funded exclusively from its own capital, and comply with BCB consumer credit rules under Resolution CMN No. 4,558/2017. The SCD model prohibits deposit-taking, which limits funding options but simplifies the regulatory perimeter.

• A fintech offering payment initiation services to corporate clients via Open Finance APIs requires payment initiator authorisation, LGPD compliance, and participation in the BCB';s Open Finance directory. This is the narrowest and most accessible entry point for international operators with a B2B focus.

Obtaining BCB authorisation is the beginning of the compliance journey, not the end. Regulated payment institutions and credit fintechs face a continuous stream of reporting, governance, and operational obligations that require dedicated internal resources or external specialist support.

The BCB';s AML/CTF framework for payment institutions is set out in Resolution BCB No. 44/2020, which requires entities to implement a risk-based compliance programme covering customer due diligence, transaction monitoring, suspicious activity reporting to the Conselho de Controle de Atividades Financeiras (COAF), and periodic internal audits. COAF is Brazil';s financial intelligence unit and operates under the supervision of the BCB. Failure to file suspicious activity reports within the prescribed timeframe - 24 hours for urgent cases under certain thresholds - constitutes a regulatory violation.

Cybersecurity obligations are governed by Resolution BCB No. 85/2021, which requires payment institutions to maintain a documented cybersecurity policy, conduct annual penetration testing, implement incident response procedures, and report material cybersecurity incidents to the BCB within 72 hours of detection. Cloud service providers used by regulated entities must be registered with the BCB under the outsourcing notification regime.

The BCB';s enforcement toolkit is broad. Administrative sanctions range from formal warnings and fines to suspension of operations and cancellation of authorisation. Directors and controlling shareholders may be held personally liable for regulatory violations under Law No. 13,506/2017, which expanded the BCB';s sanctioning powers. Personal fines for individuals can reach BRL 2 billion in the most serious cases, though in practice enforcement actions against fintechs have focused on operational failures and AML deficiencies rather than systemic misconduct.

Many underappreciate the ongoing reporting burden. The BCB requires payment institutions to submit monthly prudential reports (Documento 2060) covering capital adequacy, liquidity, and operational data. Annual audited financial statements must be prepared in accordance with Brazilian GAAP (BR GAAP) and submitted to the BCB within 90 days of the financial year end. For entities above certain size thresholds, semi-annual reporting is required.

A hidden pitfall for international groups is the interplay between BCB prudential requirements and the group';s home-country accounting standards. Brazilian GAAP differs from IFRS in several material respects, and the BCB does not accept IFRS-only financial statements for prudential reporting purposes. Groups that consolidate under IFRS must maintain a parallel BR GAAP reporting stream for the Brazilian regulated entity.

The risk of inaction is concrete: operating a payment service in Brazil without BCB authorisation exposes the entity and its directors to criminal liability under Law No. 7,492/1986 (the "White Collar Crime Law"), which criminalises the unauthorised operation of a financial institution. Prosecutors have applied this provision to unlicensed payment operators, and the BCB has issued public cease-and-desist orders against foreign platforms offering payment services to Brazilian residents without authorisation.

We can help build a strategy for BCB authorisation and ongoing compliance. Contact info@vlolawfirm.com to discuss your specific business model and regulatory pathway.

To receive a checklist of ongoing compliance obligations for BCB-regulated payment institutions in Brazil, send a request to info@vlolawfirm.com

What is the most significant practical risk for a foreign fintech entering Brazil without local legal counsel?

The most significant risk is misclassifying the business model under Brazilian regulatory categories. A payment initiator, a prepaid account issuer, and an SCD credit fintech each face different capital requirements, governance standards, and operational restrictions. Misclassification at the application stage can result in the BCB requesting a complete resubmission, adding six to twelve months to the authorisation timeline. Beyond delay, operating under the wrong category - even inadvertently - can trigger enforcement action once the BCB identifies the discrepancy during routine supervision. International operators frequently underestimate how granular Brazilian regulatory categories are compared to frameworks they know from Europe or Asia.

How long does the BCB authorisation process take, and what are the main cost drivers?

Realistic planning should assume 18 months from the submission of a complete application to receipt of authorisation, with more complex structures taking longer. The main cost drivers are legal advisory fees for preparing the application and supporting documentation, technology compliance assessments (particularly cybersecurity under Resolution BCB No. 85/2021), the cost of establishing and capitalising a Brazilian legal entity, and the ongoing cost of maintaining a resident director with genuine operational involvement. Legal fees for a full authorisation process typically start from the low tens of thousands of USD. Capital requirements add further cost depending on the category and projected transaction volumes. Founders who underestimate these costs often find themselves undercapitalised at the point of authorisation, which the BCB treats as a material deficiency.

When should a fintech consider the regulatory sandbox rather than a direct authorisation application?

The sandbox under Resolution BCB No. 52/2020 is appropriate when the business model genuinely does not fit an existing regulatory category and the applicant needs time to demonstrate its risk profile to the BCB before committing to a full capital and governance structure. It is also useful for models that combine payment initiation with data aggregation or embedded finance features that span multiple regulatory perimeters. The sandbox is not a shortcut: applicants must still demonstrate a credible compliance framework and a realistic transition plan. For models that clearly fit an existing category, a direct authorisation application is faster and provides greater operational certainty. The sandbox should be considered a tool for genuine regulatory ambiguity, not a way to defer compliance investment.

Brazil';s fintech and payments regulatory framework is detailed, technically demanding, and actively enforced. The BCB operates a closed licensing system with no equivalence for foreign licences, mandatory local incorporation, and ongoing prudential and AML obligations that require dedicated compliance infrastructure. International operators who approach the Brazilian market with a clear understanding of the applicable category, realistic timelines, and adequate capital and legal resources are well positioned to build sustainable, compliant businesses in one of the world';s most dynamic fintech markets. Those who underestimate the regulatory burden - or who attempt to operate without authorisation - face material legal and reputational risk.

Our law firm VLO Law Firms has experience supporting clients in Brazil on fintech regulation, payment institution licensing, and BCB authorisation matters. We can assist with regulatory category analysis, application preparation, corporate structuring, AML programme design, and ongoing compliance management. To receive a consultation, contact: info@vlolawfirm.com