Central Bank Changes Regulations for Institutions and Information Technology Service Providers within the National Financial System and the Brazilian Payment System.

On September 05, 2025, the Central Bank of Brazil (“BC”) published BCB Resolutions No. 494, 495, 496, 497, and 498, aiming to improve security mechanisms and ensure compliance for financial and payment institutions within the National Financial System (SFN) and the Brazilian Payment System (SPB).

The new rules introduce transaction limits, change authorization deadlines, impose additional technical requirements, and reinforce the obligations applicable to information technology service providers (ITSPs) that process data for institutions’ access to the communication infrastructure within the context of their operations within the SFN.

Below, we highlight the most relevant aspects of the new resolutions.

1. BCB Resolution No. 494

Amends BCB Resolution No. 80 of March 25, 2021, which regulates the incorporation and operation of payment institutions, establishes new parameters for operating authorization requests, and regulates the provision of payment services by other institutions authorized to operate by the Central Bank.

1.1. Mandatory Authorization

• Payment institutions must request authorization from the Central Bank to begin providing payment services.
• Payment institutions must include in their application for operation all payment service modalities they intend to provide.
• Authorization to operate must be requested from May 01, 2026, until May 31, 2026 by:
  • • ✓ electronic money issuers that began providing this service before March 01, 2021, and are not authorized to operate by the Central Bank; and
    • ✓ the issuer of a postpaid payment instrument and the acquirer that began providing any of these services before September 05, 2025, and is not authorized to operate by the Central Bank.
• An institution that fails to submit its application in a timely way for authorization to operate as a payment institution may only continue to carry out such activities within 30 days after May 31, 2026.
• At the Central Bank’s discretion, an institution that fails to properly submit its application for authorization to operate as a payment institution may only continue to carry out such activities within 30 days from the date of notification by the Central Bank.

1.2. Effective Date

• BCB Resolution No. 494 came into effect on the date of its publication.

2. BCB Resolution No. 495

Amends BCB Resolution No. 81, dated March 25, 2021, which regulates the authorization processes related to the operation of payment institutions and the provision of payment services by other institutions authorized to operate by the Central Bank.

2.1. Additional Requirements and Certifications

• The following are now included in the list of requirements for authorizations related to the operation of payment institutions and the provision of such services:
• • • ✓ Technical training of administrators, compatible with the functions to be performed during their term of office;
    • ✓ Compliance with the minimum capital and equity requirements set forth in current regulations; and
    • ✓ Information on the address of the institution’s headquarters, which must be for the effective and exclusive use of the payment institution. The designation of a coworking, virtual office, or other shared space address as the institution’s headquarters is prohibited, except in the case of institutions that are part of the same conglomerate.
• The Central Bank may require technical certification or an assessment issued by a qualified independent company to attest the compliance with the authorization requirements.
• Payment institutions already authorized to operate by the Central Bank on September 05, 2025, must comply with the address requirements as stipulated in the regulation.

2.2. Denial or Shelving of the Application for Authorization to Operate

• In the event of denial or shelving of the application for authorization to operate for which no further appeal is possible, the payment institution already providing payment services must, within 30 days of receiving notification of the Central Bank’s decision:

1. 1. Cease providing payment services;
   2. Communicate the cessation of activities to its users and other interested parties through its communication and customer service channels, clearly and prominently indicating the procedures and deadlines for refunds and settlement of transactions; and
   3. Return any balances in their users’ payment accounts by transferring them to payment accounts or deposit accounts held by those users and held at institutions authorized to operate by the Central Bank.

2.3. Effective date

• BCB Resolution No. 495 came into effect on the date of its publication.

3. BCB Resolution No. 496

Amends BCB Resolution No. 1 of August 12, 2020, which establishes PIX as a payment system and approves its regulations. The provisions related to the authorization criteria for payment institutions that operate without prior authorization from the Central Bank and participate in PIX were adjusted.

3.1. Deadline for payment institutions participating in PIX, or in the process of joining PIX, to request operating authorization

• Payment institutions not authorized to operate by the Central Bank but participate in PIX, in the process of joining PIX, or that have submitted an application to join PIX by December 31, 2024, must, as a condition for participating in PIX, request authorization to operate from the Central Bank, pursuant to BCB Resolutions No. 80 and 81 of March 25, 2021, according to the following cases and deadlines, whichever occurs first:

1. 1. if they reach the financial transaction amounts set forth in Article 10 of BCB Resolution No. 80, and the deadlines set forth in Article 10 must be followed; or
   2. regardless of the volume of their financial transactions, subject to the following deadlines:

• • • ✓ by March 31, 2025, for payment institutions that joined PIX by December 31, 2022;
    • ✓ between April 01, 2025, and December 31, 2025, for payment institutions that joined PIX between January 01, 2023, and June 30, 2024; and
    • ✓ between January 01, 2026, and December 31, 2026, for other payment institutions that are PIX participants or in the process of joining PIX.

3.2. Requirements to act as a Pix Responsible Participant

• Pix participants who fulfill the following criteria will qualify:

1. 1. fall under the “transactional account provider” or “special liquidator” categories;
   2. are a direct participant in the Instant Payment System (SPI);
   3. are members of segments S1, S2, S3, or S4, as per Resolution No. 4,553 of January 30, 2017, including the institutions covered by BCB Resolution No. 436 of November 28, 2024; and
   4. are not a service confederation or credit union.

3.3. Transaction amount when the paying user’s transactional account provider is a payment institution

• Transaction amount limits for PIX participants connecting to the National Financial System Network (“RSFN”) through a PSTI (Brazilian Social Service Provider) must be a maximum of BRL 15,000.00.
• The maximum limit of BRL 15,000.00 does not apply when the PIX participant:

1. 1. Accesses the RSFN through a PSTI that has completed the accreditation process with the Central Bank (BC), in accordance with current regulations; and
   2. Demonstrates, through a reasonable assurance report issued by an independent audit firm registered with the Brazilian Securities and Exchange Commission (“CVM”), that it:

• • • ✓ does not share with the PSTI the private keys registered with the Central Bank used to sign Pix messages;
    • ✓ validates the integrity of transactions before signing, ensuring that data has not been corrupted or manipulated during the message generation process;
    • ✓ uses different certificates for different environments (approval and production, for example) for PIX; and
    • ✓ adopts separate certificates for signing messages and establishing a PIX channel.
• Upon request by the participant, the Central Bank may waive, for a period of 90 days or until the requirements set forth above are met, whichever occurs first, the observance of the BRL 15,000.00 limit, provided that:

1. 1. The request is accompanied by a formal document presenting the guarantees and a description of the measures already adopted by the institution to improve its information security controls; and
   2. The guarantees and measures are, at the Central Bank’s discretion, adequate to mitigate the risks involved.

3.4. Effective date

• Resolution No. 496 comes into effect:

1. 1. After 120 days of its publication, regarding the changes made to art. 26 of the regulation attached to BCB Resolution No. 1, of August 12, 2020, regarding the requirements to act as a responsible PIX participant; and
   2. On the date of its publication, for the remaining provisions.

4. BCB Resolution No. 497

Amends BCB Resolution No. 256, of November 01, 2022, which regulates Electronic Transfers (“TED”).

4.1. New Definitions

• Funds transfer order: order through which a transfer between participant settlement accounts is commanded in a funds transfer settlement system.
• RSFN: data communication structure, whose purpose is to support the flow of information within the SFN for authorized services, under current regulations.
• PSTI: entity authorized to provide data processing services for access to the RSFN, to institutions authorized to operate by the BC, under current regulations.

 4.2. Transaction Limit

• TEDs in favor of a customer of an amount equal to or greater than BRL 15,000.00 may not be issued by an institution that connects to the RSFN through PSTI.
• The maximum limit of BRL 15,000.00 does not apply when the institution:

1. 1. Accesses the RSFN through a PSTI that has completed the accreditation process with the Central Bank, in accordance with current regulations; and
   2. Demonstrates, through a reasonable assurance report issued by an independent audit firm registered with the CVM, that it:

• • • ✓ does not share with the PSTI the private keys registered with the Central Bank used to sign messages;
    • ✓ validates the integrity of transactions prior to signing, ensuring that the data has not been corrupted or manipulated during the message generation process; and
    • ✓ uses different certificates for different environments.
• Upon request of the institution, the Central Bank may waive the BRL 15,000.00 limit for a period of 90 days or until the established requirements are met, whichever occurs first, provided that:

1. 1. the request must be accompanied by a formal document presenting the guarantees and describing the measures already adopted by the institution to improve its information security controls; and
   2. the guarantees and measures must be, at the Central Bank’s discretion, adequate to mitigate the risks involved.

4.3. Effective date

• BCB Resolution No. 497 came into effect on the date of its publication.

5. BCB Resolution No. 498

Regulates, within the scope of the SFN and the SPB, the requirements, procedures, and conditions for PSTI accreditation, among other measures.

 5.1. Definitions

• Electronic data communication: the process of transferring information between computer systems.
• RSFN: a data communication structure designed to support the flow of information within the SFN for authorized services.
• PSTI: an accredited entity authorized to provide data processing services for access to the RSFN, financial institutions, and other institutions supervised by the Central Bank.

5.2. Accreditation

• The Resolution establishes that PSTIs must meet the following requirements:

1. 1. Adherence to the principles and rules of the RSFN;
   2. Proof of regular incorporation of the PSTI;
   3. Proof of compliance with the prohibitions established in Article 6;
   4. Proof of technical and operational capacity to provide data processing services for access to the RSFN, observing the requirements established in BCB Resolution No. 498 and the technical standards for electronic data communication within the SFN, established by the BC’s Information Technology Department (Deinf);
   5. Designation of a director or directors responsible for information security, cybersecurity, and risk management and compliance, with technical qualifications compatible with the responsibilities of the position, demonstrated by academic training, professional experience in the field of activity, or specific technical knowledge related to information security, cybersecurity, and risk management and compliance;
   6. Designation of a director or directors responsible for operational crisis management, with technical qualifications compatible with the duties of the position, demonstrated by academic training, professional experience in the field, or specific technical knowledge related to operational crisis management;
   7. Compliance with the conditions set forth in Article 5 of BCB Resolution No. 498 by the controlling shareholder, members of the controlling group, and PSTI administrators;
   8. Proof of paid-in capital and net equity of at least BRL 15 million, with the Central Bank being able to require a higher amount, proportional to the projected volume of operations and the PSTI’s risk profile, through financial statements audited by an independent audit firm registered with the CVM;
   9. Proof of the establishment of corporate governance and risk management mechanisms provided for in Chapter III;
   10. Proof of technical and operational capacity to provide information to the Central Bank as set forth in Chapter IV;
   11. Proof of obtaining and maintaining information security certification in an internationally recognized standard, or independent assurance accepted by the Central Bank;
   12. Proof of contracting an annual independent external audit in information security and, when applicable, in prevention of money laundering and terrorist financing, with reports submitted to the Central Bank and contracting institutions;
   13. Proof of contracting civil liability and operational risk insurance, with minimum coverage defined by the Central Bank, including fraud and cybersecurity incidents; and
   14. Preparation and maintenance of a Business Continuity Plan and periodic contingency tests, with annual proof to the Central Bank.

• The PSTI must demonstrate annually, in the manner and on the date stipulated by the Central Bank, that the requirements continue to be met.
• The PSTI must maintain economic and financial capacity compatible with the critical nature of the services provided and the operational risks assumed.
• The following are conditions for a natural person to be a controlling shareholder or part of the PSTI’s controlling group, directly or indirectly, or to serve as an administrator:

1. 1. Possess an unblemished reputation;
   2. Demonstrate technical qualifications or professional experience compatible with the duties of the position or role, considering the complexity and size of the PSTI;
   3. Not have been declared bankrupt or insolvent, unless rehabilitated; and
   4. Demonstrate, through a certificate from an independent auditor registered with the CVM, regular registration status with the Brazilian Federal Revenue Service (RFB) and the absence of serious restrictions in defaulter registries that compromise their ability to manage or control the PSTI.

5.3 De-accreditation

• The PSTI may be de-accredited:

1. 1. At the request of the PSTI: the PSTI intending to file a request for de-accreditation with the Central Bank must formally notify the contracting institutions, by specific correspondence, at least 30 days in advance of the date of said request, and must present a plan for discontinuing and transitioning the services provided to the Central Bank.
   2. Ex officio, by the Central Bank, in the following cases:

• • • ✓ Accreditation with the Central Bank;
    • ✓ Corporate governance, risk management, and information security;
    • ✓ Provision of information to the Central Bank;
    • ✓ Maintenance of required capital, insurance, and security certification requirements;
    • ✓ Operational failures or security incidents that significantly compromise the integrity, availability, or reliability of the RSFN or the payment services it supports;
    • ✓ Commitment to acts that constitute fraud, willful misconduct, or bad faith in the conducting of PSTI activities;
    • ✓ Failure to comply, within the established deadline, with determinations or preventive measures imposed by the Central Bank under BCB Resolution No. 498; and
    • ✓ Situations that demonstrate a loss of suitability, reputation, or technical qualifications of PSTI controllers and administrators.

5.4 Corporate Governance and Risk Management

• The PSTI must have a corporate governance structure compatible with its nature, size, complexity, structure, and risk profile, ensuring transparent decision-making processes, effective internal control mechanisms, and adequate risk management.
• The governance structure must ensure, at a minimum:

1. 1. Segregation of functions between executive management, risk management, compliance, information security, and internal audit, to avoid conflicts of interest and concentration of powers;
   2. The existence of a collegiate management body (board of directors or equivalent), with proportional participation of independent members, whenever justified by the size or systemic relevance of the PSTI;
   3. The development and dissemination of formal corporate governance policies, including risk management, cybersecurity, compliance, internal audit, and business continuity;
   4. Mechanisms that ensure corporate transparency, including public disclosure of the corporate structure, identification of controlling shareholders and beneficial owners, and timely communication of relevant changes to the Central Bank;
   5. Prior and ongoing assessment of the suitability, reputation, and professional experience of controllers, administrators, and key executives, in accordance with criteria established in BCB Resolution No. 498; and
   6. The existence of an Operational Crisis Management Committee, supported by a formally defined structure, roles, and responsibilities.

• PSTI administrators and members of the corporate bodies must be professionals with recognized technical and strategic competence in the field, capable of performing their multiple roles in the pursuit of achieving strategic objectives.
• PSTI must establish, within senior management, directors responsible for critical functions, including, at a minimum:

1. 1. Director of Information and Cybersecurity, responsible for implementing cybersecurity policies and managing operational incidents;
   2. Director of Risk and Compliance, responsible for overseeing regulatory compliance and effectiveness of internal controls;
   3. Director responsible for relations with the Central Bank, responsible for providing information and regulatory liaison; and
   4. Director responsible for operational crisis management and coordinating the Operational Crisis Management Committee.

• The PSTI must segregate the activities, computing environments, and other resources necessary for providing data processing services, for access to the RSFN, from other services or activities that may be provided.
• The PSTI must establish risk management policies aimed at addressing, at a minimum:

1. 1. information and cybersecurity;
   2. business continuity;
   3. operational crisis management;
   4. fraud management;
   5. internal controls and compliance; and
   6. internal audit.

5.5 Provision of Information

• PSTIs must provide various information to the Central Bank, including:

1. 1. Annual financial statements, audited by an independent auditing firm registered with the CVM;
   2. Technical certification whenever renewed or updated;
   3. Any changes to the institution’s corporate structure, control structure, or management team, within ten days of the occurrence;
   4. Operational or information security incidents that may compromise the integrity, availability, or confidentiality of the services provided, immediately upon becoming aware of the incident, accompanied by a report within ten days;
   5. Significant changes to the service architecture or computing environment of the PSTI;
   6. Beginning or ending of relationships with financial institutions and other institutions supervised by the Central Bank;
   7. Beginning of the provision of other data processing services;
   8. Information necessary to monitor the regular operation of the PSTI;
   9. Annual internal audit reports and, where applicable, independent external audit reports, including key findings, action plans, and monitoring of corrections; and
   10. An independent external audit report, issued by a company registered with the CVM, attesting to the PSTI’s full compliance with all procedures and requirements set forth in this resolution and in the RSFN regulatory instruments, to be submitted to the Central Bank annually.

5.6 Precautionary Measures

• The Central Bank is authorized to adopt precautionary measures regarding the PSTI in the following situations:

1. 1. Occurrence of operational, technological, or security incidents, including those caused by cyberattacks or fraud events, which may impact the regular operation of the SPB, or those related to situations in which there is no identified root cause or proof of definitive resolution of the problem.
   2. Significant deficiencies in controls that may have implications for the security, integrity, or availability of data, information, or information systems managed by the PSTI.
   3. Serious or repeated noncompliance with the reporting and transparency obligations set forth in BCB Resolution No. 498.
   4. Operational failures that compromise the integrity, availability, or reliability of the RSFN or the services it supports.

• In the event of any of the above-mentioned situations, the Central Bank may require, individually or cumulatively, the adoption of the following precautionary measures:

1. 1. Compliance with more restrictive operational limits, including those regarding the volume of transactions processed, maximum transaction amounts, or the number of institutions served;
   2. Suspension of the connection to the RSFN, in whole or in part, until proof of definitive resolution of the problem;
   3. Suspension of a specific service provided by the PSTI within the RSFN, in whole or in part, until proof of definitive resolution of the problem;
   4. Immediate reinforcement of technical security, governance, or business continuity requirements is required, with defined deadlines for verification;
   5. Requirement of an extraordinary independent audit, at the expense of the PSTI, to verify the effectiveness of the corrective measures adopted;
   6. Imposition of a corrective action plan, with specific deadlines and compliance targets, to be monitored by the Central Bank;
   7. Restriction on the acquisition of new clients or the expansion of services until proof of correction of identified deficiencies;
   8. Full or partial execution of the orderly exit plan; and
   9. Adoption of other proportionate and necessary measures to safeguard the integrity, stability, and reliability of the RSFN and the payment services it supports.

5.7. Effective date

Resolution No. 498 came into effect on the date of its publication.

With the enactment of the new rules provided for in Resolution No. 498, the Central Bank aims to strengthen the operational structures within the SFN and the SPB, changing the security and compliance criteria of PSTI, whose operations are now subject to due accreditation.

Affected institutions must prepare to comply with the new requirements and deadlines established to ensure the continuity of its operations. Monitoring legal and regulatory aspects is essential to mitigate risks and ensure operational compliance.

Demarest’s Banking and Finance and Blockchain and Digital Assets teams are available to assist clients and partners with any necessary clarifications on this topic.