
BC and CMN regulate Banking as a Service

December 4th, 2025

On November 28, 2025, the Central Bank of Brazil (“BC”) and the Brazilian National Monetary Council (“CMN”) issued Joint Resolution No. 16, aimed at regulating the provision of Banking as a Service (“BaaS”) by financial and payment institutions, as well as other entities authorized to operate by the BC.

The new regulation establishes a specific regulatory framework for the provision of BaaS services by financial and payment institutions, as well as other entities authorized by the BC. It defines the scope of eligible services, establishes regulatory responsibilities, imposes governance, security, and monitoring requirements, and governs the contractual relationship between the service provider and the contracting entity.

Below, we highlight the most relevant aspects of Joint Resolution No. 16.

 

Definitions

Provision of BaaS Services: Refers to the execution of a contract between the BaaS service provider and the BaaS service recipient so that specific financial and payment services are provided to end clients through the BaaS service recipient. The following operational arrangements do not fall under this definition:

  • Provision of correspondent services in Brazil;
  • Provision of data processing, data storage, and cloud computing services;
  • Partnerships under Open Finance; and
  • Activities carried out by sub-acquirers and network service providers, as regulated under the payment arrangements integrating the Brazilian Payment System.

BaaS Service Provider: Financial institutions, payment institutions, and other entities authorized to operate by the BC, entering into agreements with BaaS service recipients to provide specific financial or payment services to end clients.

BaaS Service Recipient: Legal entities duly established in Brazil, offering specific financial and payment services to clients under a contract executed with the BaaS service provider.

Client: An individual or legal entity that maintains a contractual relationship with:

  • The BaaS service provider, with respect to specific financial and payment services; and
  • The BaaS service recipient, with respect to other services.

 

BaaS Service Providers

Financial and payment institutions, as well as other entities authorized to operate by the BC, are eligible to act as BaaS providers, as long as they meet the following requirements:

  • Hold an operating license granted by the BC;
  • Ensure that the services offered fall within the transactions and activities established in the regulations applicable to their segment – in the case of institutions whose regulatory framework encompasses an exhaustive list of authorized transactions, activities, and services; and
  • Comply with all applicable laws and regulations governing the performance of such transactions, activities, and services.

Services will be provided through electronic channels, using system, platform, interface, or process integration between the BaaS service provider and the BaaS service recipient, in compliance with the procedures defined in the contract, as well as the provisions of Joint Resolution No. 16 and all applicable laws and regulations.

 

Scope of BaaS Services

  • Opening, maintenance, and closing of demand deposit accounts, savings deposit accounts, prepaid payment accounts, or postpaid payment accounts.
    Notes: For the provision of services related to account opening, maintenance, and closing, such accounts must be held by the client at the BaaS service provider.
  • Provision of payment services carried out through demand deposit accounts, savings deposit accounts, prepaid payment accounts, or postpaid payment accounts.
    Notes: When providing payment services, payment transactions must originate from or be destined exclusively to accounts held by the client at the BaaS service provider.
  • Provision of merchant acquiring services for the acceptance of payment instruments within payment arrangements.
    Notes: Accredited merchants must be direct clients of the BaaS service provider.
  • Provision of credit transaction services, including offering, contracting, administration, and collection.
    Notes: The provision of such services requires that the customer be the debtor of the credit transaction contracted with the BaaS service provider.
  • Other services that may be included

 

Contracting BaaS Services

   
Policies, Strategies, and Structures: BaaS service providers must ensure that their risk management policies, strategies, and structures required under applicable regulations include rules and criteria for the provision of BaaS services.

  • If both the BaaS provider and the BaaS recipient are institutions authorized to operate by the BC, each must comply with this requirement.
  • Such policies, strategies, and structures must be approved by the board of directors or, if none exists, by the executive management of the institution authorized by the BC.

Prohibitions: Institutions cannot enter into BaaS service agreements in the following cases (except if the BaaS recipient belongs to the same prudential conglomerate as the BaaS provider):

  • With the purpose of having the BaaS recipient act on behalf of the provider to deliver BaaS services, as regulated under correspondent banking rules in Brazil;
  • With BaaS recipients that have an active BaaS service agreement with another provider for the opening, maintenance, and closing of demand deposit accounts, including payment services through such accounts;
  • With BaaS recipients that have an active BaaS service agreement with another provider for the opening, maintenance, and closing of savings deposit accounts, including payment services through such accounts;
  • With BaaS recipients that have an active BaaS service agreement with another provider for the opening, maintenance, and closing of prepaid payment accounts, including payment services through such accounts;
  • With BaaS recipients that have an active BaaS service agreement with another provider for the opening, maintenance, and closing of postpaid payment accounts, including payment services through such accounts;
  • With BaaS recipients whose corporate name includes terms characteristic of institutions within the Brazilian Financial System or the Brazilian Payment System, or similar expressions in Portuguese or foreign languages, except when the recipient is an institution authorized by the BC, subject to specific regulations.

Contracting Requirements by BaaS Providers: Before contracting and throughout the provision of services, BaaS providers must implement procedures that include, at least:

  • Implementation of corporate governance and risk management practices compatible with exposures arising from the agreement; and
  • Verification of the BaaS recipient’s ability to ensure:
    • Contractual compliance with applicable laws and regulations;
    • Access by the BaaS provider to information on the effectiveness of data and information transfers related to the services provided;
    • Confidentiality, integrity, availability, and recovery of data and information on services provided;
    • Compliance with certifications, when required by the BaaS provider for service execution;
    • Access to reports prepared by independent specialized firms, if available, regarding procedures and controls used by the BaaS recipient;
    • Provision of information and adequate management resources for monitoring the services provided;
    • Quality of access controls aimed at protecting personal data, in compliance with applicable laws, and information on services provided; and
    • Financial and technical capacity to perform the services established in the BaaS service agreement.

Mandatory Items in the BaaS Service Agreement: The agreement must include, at least:

  • The object of the agreement;
  • Roles and responsibilities of the contracting parties;
  • Remuneration arrangements between the BaaS recipient and the BaaS provider;
  • Security measures for the BaaS recipient to receive and store data or information on services offered to clients, as well as customer-provided data;
  • Access by the BaaS provider to:
    • Information supplied by the BaaS recipient to verify whether it has an active BaaS agreement with another provider for the opening, maintenance, and closing of prepaid payment accounts, including payment services through such accounts;
    • Information on certifications and reports; and
    • Adequate information and management resources for monitoring the services provided.
  • Obligation of the BaaS recipient to notify the BaaS provider in advance of any engagement of third parties to process or store data or information considered relevant by the provider;
  • Permission for the BC to access the agreement, documentation, and information regarding data and services provided, procedures, and access codes, as well as any other information related to the provision of BaaS services;
  • Possibility for the BaaS provider to adopt measures as determined by the BC;
  • Obligation of the BaaS recipient to keep the BaaS provider permanently informed of any limitations that may affect the services provided or compliance with applicable laws and regulations;
  • Procedures for handling client requests;
  • Prohibition on the BaaS recipient charging, on its own behalf, any fee, commission, or other form of remuneration for products or services offered by the BaaS provider to clients;
  • Declaration that the BaaS recipient is fully aware that performing, on its own account, transactions reserved for financial institutions or other prohibited transactions under applicable law subjects the offender to penalties under Laws No. 7,492 of June 16, 1986, and No. 13,506 of November 13, 2017;
  • Grounds for early termination of the agreement and related consequences;
  • Prohibition on the BaaS recipient conducting payment transactions, receipts, or deposits in its own account for amounts related to services provided by the BaaS provider to clients;
  • Prohibition on subcontracting by the BaaS recipient;
  • In the event the BC imposes a resolution regime on the BaaS provider:
    • The BaaS recipient must provide the resolution authority with full and unrestricted access to all contracts, agreements, documentation, and information related to the service, including any procedures and access codes in its possession.
    • The BaaS service provider must give prior written notice to the person responsible for the resolution regime of its intention to discontinue the contracted services, at least thirty (30) days before the scheduled interruption date, provided that:
      • The BaaS recipient is required to accept any request by the resolution authority for an additional thirty (30) days to postpone the service interruption; and
      • Prior notification must also occur when the interruption is due to non-compliance with the remuneration terms agreed between the contracting parties.
  • In the event of contract termination:
    • A provision stating whether the BaaS provider will continue or discontinue the provision of services to the client;
    • The obligation of the BaaS recipient to ensure proper transparency to the client, including clarifications regarding the consequences of continuing or discontinuing services provided by the BaaS provider; and
    • A provision allowing the customer to choose to terminate its relationship, as applicable, with either the BaaS provider or the BaaS recipient.

 

Responsibilities

The BaaS provider is responsible for:

 

Obligation: Ensure the reliability, integrity, availability, security, and confidentiality of the services provided under Joint Resolution No. 16, as well as compliance with the applicable laws and regulations governing such services.
BaaS Provider: Yes
BaaS Recipient: Yes, if it is authorized to operate by the BC within its scope of responsibility, including services provided through technological environments and electronic systems it provides.

Obligation: Responsible for the policy, procedures, and controls related to:

  • Identifying, verifying, and assessing the risk profile of clients;
  • Preventing fraud;
  • Preventing money laundering and terrorism financing.

BaaS Provider: Yes, the BaaS provider may rely on the BaaS recipient to perform ancillary tasks related to the procedures and controls established in the main provision of Joint Resolution No. 16, without prejudice to the responsibilities imposed on the BaaS provider. The BaaS provider must supply the procedures, mechanisms, and tools to be used by the BaaS recipient for performing such tasks.
BaaS Recipient: No

Obligation: Adopt mechanisms to ensure cooperation from BaaS recipients in complying with the policy, procedures, and controls.
BaaS Provider: Yes
BaaS Recipient: No

Obligation: Compliance with applicable regulations regarding credit transactions, including internal controls and risk management.
BaaS Provider: Yes
BaaS Recipient: No

Obligation: Appoint an officer responsible for compliance with the provisions of this joint resolution.
BaaS Provider: Yes
BaaS Recipient: Yes, if it is an institution authorized to operate by the BC.

Obligation: Ensure:

  • The submission of information necessary to identify itself as the provider of the services referred to in Article 4, in an accessible and visible manner to clients, through the channels and interfaces provided, as well as in agreements, other documents, and payment instruments related to the contracted services;
  • The quality and timeliness of data and information provided by the BaaS recipient to the BaaS provider and to clients, limited to the scope of service provision; and
  • Conformity of BaaS service provision with its institutional customer relationship policy, as established in applicable regulations.

BaaS Provider: Yes
BaaS Recipient: No

Obligation: Handling client requests within the scope of service provision.
BaaS Provider: Yes, may rely on the BaaS recipient to handle client requests, without being exempt from responsibility.
BaaS Recipient: No

Obligation: Implement monitoring and control mechanisms to ensure compliance with the joint resolution, including:

  • Definition of processes, tests, and audit trails;
  • Definition of appropriate metrics and indicators; and
  • Identification and correction of any deficiencies.

BaaS Provider: Yes
BaaS Recipient: Yes, if it is an institution authorized to operate by the BC.

Obligation: Implement quality control mechanisms for the performance of the BaaS recipient, considering, among others:

  • Indicators for monitoring customer service quality, including registered requests and complaints; and
  • Parameters regarding service level agreements for systems used or integrated by the recipient.

BaaS Provider: Yes
BaaS Recipient: No

 

Final provisions

  • Credit cooperatives and leasing companies are not authorized to operate as BaaS service providers.
  • Service confederations formed by central credit cooperatives and consortium administrators are not authorized to operate as BaaS providers or BaaS recipients.
  • Institutions with active agreements for the provision of services under Joint Resolution No. 16, as of its effective date, must comply with the requirements established in this regulation by December 31, 2026.
  • Joint Resolution No. 16 came into effect on the date of its publication.

 

Demarest’s Banking and Finance team is monitoring the developments of this topic and remains available to assist clients as necessary.