Fintech 2022 Comparisons

The year 2021 marked an important turning point for the fintech sector in Brazil, with the maturity of the Brazilian financial system, inclusion of different players in the market and the establishment of an innovative, purely digital financial ecosystem. Two of the reasons for such growth are the consolidation of Pix and the establishment of "open banking".

Pix is the Brazilian instant payment ecosystem, created by the Central Bank of Brazil (Banco Central do Brasil – BCB) in 2020 (BCB Resolution No 1/2020), that allows its users (individuals, legal entities and governmental bodies) to send or receive payment transfers 24 hours a day, seven days a week. As an open payment scheme, Pix transactions can be settled between financial institutions, payment institutions and even credit fintechs authorised to operate by BCB. Since its launch in November 2020, more than 120 million users have effectively used Pix to make payments and receive funds – such numbers demonstrate that the Brazilian population has already noticed the advantages offered by the new system. However, its potential to grow is still to be observed by the market during 2022; see www.bcb.gov.br for further details.

Open banking represents the sharing of data, products and services between regulated entities (financial institutions, payment institutions and other authorised entities) if the customers so desire, with the goal of enhancing the effectiveness of the credit/payment market, promoting a more competitive environment and reducing the costs borne by consumers. In accordance with BCB, the focus of the open banking environment is to enhance the efficiency of the credit and payments markets by promoting a more inclusive and competitive business environment. Created by Joint Resolution No 1/2020, the implementation of open banking in Brazil was divided in four incremental phases. 

• phase 1 comprised products and services related to deposit, savings and pre-paid payment accounts, credit card and retail credit transactions;
• phase 2 is related to customer data (registration information of the customer and transaction information of the products and services of phase 1);
• phase 3 included payment initiation transactions and forwarding loan proposals;
• phase 4 comprises products and services related to foreign exchange transactions, services in payment schemes, term deposit accounts and other investment products, insurance and open pension funds.

We are currently on phase 4, with a full implementation expected to happen by May 2022. See Open Banking for further details.

Additionally, from an insurance perspective, the Superintendence of Private Insurance (Superintendência de Seguros Privados – SUSEP) announced the creation of "open insurance" (an ecosystem that will allow consumers of insurance, pension plan and capitalisation products and services to share their information among different companies authorised to operate SUSEP). Together with open banking, they will comprise a completely open environment called "open finance".

Another important development is the regulatory sandboxes implemented by BCB, the SUSEP and the Brazilian Securities Commission (Comissão de Valores Mobiliários – CVM) in order to promote innovative initiatives.

If 2021 was a milestone on the fintech market, 2022 is expected to be the year in which the financial sector will go through a massive transformation. By the time both open finance and Pix are 100% up and running, the market will be able to experiment in the creation of innovative products, new entities, different types of business and financial solutions. Activities known as "embedded finance" and "embedded fintech" will allow entities of different sectors to build financial solutions in their businesses, while financial institutions will be able to expand their portfolio beyond banking. Not to mention the impact the digital universe (or the "metaverse") will have on the credit fintechs.

There are different types of fintechs in Brazil, depending on the segment such companies operate in. Most of the fintechs created in the country in the last few years are focused on payment/transfer services; the reason for the boom of such companies is directly related to the significant number of individuals without access to traditional banking services in Brazil.

Other predominant business models in Brazil include:

• financial management;
• lending;
• investments;
• cryptocurrency;
• insurance;
• crowdfunding;
• debt negotiation;
• digital banks;
• multiservice; and
• foreign exchange.

There are different regulatory regimes applicable to the fintech industry participants depending on the segment, asset classes and activities to be performed, as follows:

• financial institutions;
• payment institutions – issuers of electronic currency (prepaid cards), issuers of post-paid instruments (credit cards), acquirers and payment initiation entities;
• credit fintechs – Sociedade de Crédito Direto (SCD) and Sociedade de Empréstimo entre Pessoas (SEP);
• investment advisers;
• portfolio managers;
• crowdfunding platforms;
• insurance and reinsurance companies; and
• insurance brokers.

The compensation model for credit fintechs, financial institutions, payment institutions and related entities vary depending on the products/services to be offered and the target clients.

Financial institutions, for example, are generally allowed to charge fees, commissions and interest rates from their customers, provided that the effective rates and costs involved on the transactions are clearly disclosed.

Credit fintechs, which have been compared to financial institutions for purposes of the applicable regulation (CMN Resolution No 4,656/2018) are also allowed to charge fees and interest rates higher than the ones charged by non-financial entities (which are subject to the usury law).

Payment institutions are usually remunerated by application fees, usage fees, assignment or credits and early payment of receivables.

The regulation applicable to the industry participants differs depending on, among others, the type and size of the entity, the activities to be provided, the transaction volumes and the geographical presence.

Financial institutions, for example, are subject to prudential rules that are proportional to their size and complexity – which facilitate the entrance of new financial players in the market.

For payment institutions, the level of regulatory requirements were the same for new players and large-size conglomerates until the regulations issued by BCB in 2022. On 11 March 2002, the BCB issued a series of regulations (Resolutions No 197, 198, 199, 200, 201 and 202) aiming at enhancing prudential rules for payment institutions. The new framework should facilitate the entrance of new competitors in the payments industry – increasing the competition in the market – while maintaining a high level of requirements for legacy players that are relevant in the market.

The set of rules extends to financial conglomerates controlled by payment institutions the proportionality of the regulatory requirements that are already applicable for conglomerates of financial institutions. According to BCB, the enhancement of the regulation became necessary due to the diversification and sophistication of the segment since the establishment of the legal framework in 2013. During the following years, several payment institutions incorporated financial subsidiaries, without proportional prudential requirements. At the same time, the regulation maintained simplified rules for conglomerates controlled by payment institutions with no integration with financial institutions.

The simplified treatment and easier requirements for new players that bring innovative products and services to the market is essential for the development of the fintech sector in Brazil.

Financial and Payment Services Sandbox

The financial and payment services sandbox, created by the CMN and the BCB on 26 October 2020 (CMN Resolutions No 4,865 and BCB Resolution No 29), comprises an environment in which BCB grants a temporary authorisation for companies and entities to test innovative projects (experimental product or service that uses technological innovation or promotes an alternative use of existing technology), with due observance of a specific set of regulatory provisions. All participants authorised to operate in the BCB sandbox must also comply with the consumer protection regulations and anti-money laundering and terrorist financing regulations.

During the first cycle of the regulatory sandbox, seven projects have been selected by BCB:

• loan with real estate collateral proposed by HIMOV, with a bullet payment, combined with a specific insurance;
• technological solution for the execution of multi-currency payment instructions, to be exclusively used by foreign exchange institutions with the purpose of immediate exchange of reserves, proposed by JP Morgan;
• payment transactions with extension of credit through Pix, proposed by ITAUCARD;
• platform for the primary and secondary issuance of banking credit certificates (BOLSA OTC);
• development of a secondary market for banking credit certificates (INCO);
• implementation of a network of physical points that provide transfer of funds in kind, presented by MERCADO PAGO; and
• platform for the transfer of funds between two or more accounts – "temporary or settlement" accounts – presented by IUPI.

Capital Markets Sandbox

The Capital Markets Sandbox, created on 15 May 2020 (CVM Instruction No 626), comprises an environment in which CVM grants a temporary authorisation for companies and entities to test innovative projects (business models that use technological innovation or develop a product or service that has not been offered on the market) with due observance of a specific set of regulatory provisions.

During the first cycle of the capital markets sandbox, three projects have been selected by CVM:

• Basement Soluções de Captação e Registro Ltda., a securities underwriter that will provide services for limited liability companies that have carried out or are in the process of carrying out public offerings of securities, with a focus on small-sized companies;
• Beegin Soluções em Crowdfunding Ltda., Câmara Interbancária de Pagamentos – CIP e Flow Representações S.A. – Finchain, offer of debentures of small-sized companies and quotas of investment funds; and
• Vórtx Distribuidora de Títulos e Valores Mobiliários Ltda. e Vórtx QR Tokenizadora Ltda., public offer, in an organised over-the-counter market, of securities issued or represented in the form of tokens on blockchain networks.

Insurance Sandbox

The Insurance Sandbox, created by CNSP Resolution No 381, dated 4 March 2020, and SUSEP Circular No 598, dated 19 March 2020, comprises an environment in which SUSEP grants a temporary authorisation for insurance companies to develop innovative projects (products and/or services that are offered or developed from new methodologies, processes, procedures or existing ones applied in a different way) with due observance of a specific set of regulatory provisions.

During the first cycle of the insurance sandbox in 2020, 11 projects have been selected involving different insurance products (cell phones, notebooks, tablets, cars, pets, etc). In the second cycle, which occurred in 2021, 21 companies have been approved in different business models (cars, leasing, pets, trucks, airplane tickets, sports, etc).

There are different regulators that have jurisdiction over industry participants depending on the relevant segment and the activities to be performed, as follows:

• the National Monetary Council (Conselho Monetário Nacional – CMN) and BCB regulate, at national level, the entities that offer banking/financial services, such as financial institutions, payment institutions, participants of payment arrangements and credit fintechs (Sociedade de Crédito Direto – SCD – and Sociedade de Empréstimo entre Pessoas – SEP);
• CMN and CVM regulate, at national level, the securities markets and the respective players, such as issuers, underwriters, investment advisers, portfolio managers, crowdfunding platforms and investment funds;
• the National Council of Private Insurance (CNSP) and SUSEP regulate, at national level, the insurance and reinsurance companies, insurance brokers and the insurance market.

Regulated activities (performed by regulated entities duly authorised to operate by BCB, CVM or SUSEP) can only be outsourced with due observance of the applicable regulation, provided that the institutions remain liable before third parties and regulators.

One of the most common forms of outsourcing in the fintech industry comprises the use of banking correspondents in credit platforms (service providers engaged by banks to offer financial services and products in the capacity of agents). Although the activities of banking correspondents are supervised by BCB, there is no need for such entities to obtain a specific licence, which avoids regulatory burdens.

Outsourcing of non-regulated activities are also permitted and widely used by fintechs in Brazil, including collection services, credit analysis, and marketing.

Fintech entities that provide services and products to customers in Brazil (on their online platform) may be considered as "gatekeepers" with responsibility for the activities performed in such platforms, especially in relation to consumer protection rights. Online lending platforms, for example, structured by means of the use of banking correspondents (as mentioned in 2.7 Outsourcing of Regulated Functions), subject the owner of the platforms to several liabilities in terms of consumer compliance (marketing, discrimination, fair lending, debt collection, etc). In addition, such entities are subject to data privacy, as well as anti-money laundering and terrorist financing regulations.

The relevant regulators in Brazil have the competence to monitor, investigate and impose penalties to entities that fail to observe the applicable regulation.

Within the Brazilian financial system, the BCB, for example, has the authority to supervise the market taking into consideration macroprudential factors (eg, vulnerabilities that may impact the system as a whole) and microprudential factors (eg, risks to which the supervised entities are exposed, as well operational and prudential limits applicable to such entities). In the last couple of years, BCB's supervising process has been improved through the execution of bilateral agreements with other financial regulators (CVM and SUSEP) with the purpose of sharing a wide range of data and information for better assessment of the compliance of the regulated entities with the Brazilian regulation.

In practical terms, if BCB or CVM understands that if any entity is not compliant with the legislation and/or regulatory rules related to financial and capital markets, an administrative and/or judicial proceeding may be initiated in accordance with Law No 13,506/2017.

Sanctions by CVM and BCB for breaches of applicable laws and regulations include:

• warnings;
• fines;
• suspension of the right to take management and supervisory roles;
• suspension or cancellation of operating licences; and
• temporary prohibition to practice certain transactions or activities.

Additionally, violation of specific rules (eg, insider trading, market manipulation, operating without licence, white collar-related crimes) constitutes a criminal offence, and sanctions thereto include fine and imprisonment to be imposed generally by federal courts. In certain cases, the breaching party may have the right to present a Term of Commitment (which shall contain, among others, obligations to cease the infraction, measures to remedy the infraction, and the amount of contribution to be paid to BCB) in order to suspend the administrative procedure.

The General Data Protection Law – LGPD (Law No 13,709 of 2018) is Brazil’s main privacy and cybersecurity regulation. It regulates how companies shall process any data that may identify an individual and thereby:

• holds data controllers and processors accountable and liable for compliance with data protection principles (transparency, data minimisation, accuracy, etc);
• secures the lawfulness of any processing activity encompassing personal data (legal basis assessment – eg, consent, legitimate interest, complying with a legal duty and performance of an agreement with the data subject);
• fulfils data subjects rights (right of access, rectification, portability, etc);
• carries out specific mandatory assessments in order to mitigate risks to data subjects (such as a data protection impact assessment – DPIA).

The LGPD also established the Brazilian Data Protection Authority (ANPD) as an supervisory authority to secure compliance and issue penalties for violations, including pecuniary penalties of up to BRL50 million per infraction; it is also responsible for regulating the data protection framework.

The LGPD also instructs companies to implement robust technical, organisational and administrative controls in order to protect personal data from any potential breach or violation to the LGPD. Furthermore, we also have regulations specifically for financial services:

• Normative SARB No 25/2021, from the Brazilian Bank Federation, establishes principles and guidelines to be adopted by the financial institutions in their relationships with personal data subjects;
• Resolution No 85 of 2021, from BCB, regulates the cybersecurity policies and other requirements for the contracting of data processing and storage and cloud computing services by payment institutions; and
• Resolution No 4,893 of 2021, from the National Monetary Council, regulates the cybersecurity policies and other requirements for the contracting of data processing and storage and cloud computing services by financial institutions.

Both of the resolutions above highlight specific cybersecurity controls that financial companies must implement, such as having a specific policy for cybersecurity, a data breach response plan, carrying out periodic training sessions, as well as establishing independent audit processes. There are specific penalties for any failure to comply with both resolutions.

In addition, we have the Software Law (Law No 9,609 of 1998), regarding software development in relation to intellectual property. Contracts with any developer, either employee or a third-party vendor, are essential to secure ownership. Ultimately, the Brazilian Advertising Self-Regulatory Council (CONAR) established non-mandatory regulations with respect to how marketing may be carried out on social media.

Besides the rules issued by the applicable regulators and governmental agencies, there are different market associations in Brazil that establish self-regulatory codes, additional rules and guidelines (ANBIMA, FEBRABAN, ABBC, etc).

ANBIMA (the Brazilian Financial and Capital Markets Association) is one of the most important self-regulators in the capital markets industry in Brazil. Created in October 2009 by the merger of the former National Association of Investment Banks (ANBID) and the former National Association of Financial Market Institutions (ANDIMA), ANBIMA represents banks, asset managers, brokers, securities dealers and investment advisers; as a mission, it is dedicated to the development of a stronger capital market in Brazil. See ANBIMA's website for further information.

FEBRABAN (the Brazilian Federation of Banks) is the main self-regulatory entity representing the Brazilian banking industry. Founded in 1967, FEBRABAN, as a not-for-profit association, serves as a liaison between the Brazilian government (including the executive, the legislature and the judiciary) and banking/financial entities. See FEBRABAN's website for further information.

ABBC (the Brazilian Bank Association), founded in 1987, represents the interests of banks of different sizes, Brazilian or international, payment institutions, private individuals, national companies and fintechs. See ABBC's website for further information.

There is an international trend towards the combination of unregulated and regulated products and services by the industry participants. In Brazil, it is no different.

Embedded Finance

Embedded finance is a concept used in the fintech industry that represents the integration of financial services by non-financial companies. In the lending sector, for example, in which only Brazilian authorised entities are allowed to extend credit and financings, a new lending model has been implemented by fintech entities over the last years. Under the "banking correspondent arrangement" mentioned in 2.7 Outsourcing of Regulated Functions, non-finance companies can provide financial services to their customers on their online platforms without the need to comply with strict regulations and licences. Embedded finance services offer simplified transactions and new lines of businesses to the consumer.

Embedded Fintech

Embedded fintech is the expression used to describe the adoption of fintech services into the business processes of financial institutions. Brazilian banks have long realised that the majority of the new generation of consumers rely on their mobile banking apps to access their accounts. In this sense, they need to provide their customers with a digital platform that is user-friendly, cost-effective and modern. Instead of spending time and money developing and testing the technology, banks are incorporating fintech services provided by fintech companies into their businesses.

Under the Brazilian AML Law, both regulated and unregulated fintech companies are required to implement certain policies, procedures and internal controls that are compatible with the size and volume of their transactions and capable of preventing their services from being used for financial criminal activities.

The internal controls are expected to identify and monitor risks and also to allow the fintech to report to the Brazilian authorities any transaction that may represent an indication of (or be related to) money laundering, to the financing of terrorism or to financial frauds of any type.

Unlike unregulated fintech companies, regulated fintech companies may also be subject to specific AML requirements provided by the resolutions and circular letters issued by the COAF, the BCB or the CVM, for instance. Thus, regulated fintech companies may be required to develop policies with specific procedures on risk-based approaches, measures to identify and monitor final beneficiaries and control politically exposed persons (PEPs), for example.

Automated investment systems (robots) are services that use algorithms to identify the profile and manage the investor's assets, recommend an asset portfolio, and even operationalise the sending and cancellation of orders to the organised negotiation systems. Investment robot services can be offered both by fintech companies and traditional financial institutions (including banks and brokerage entities).

Under the Brazilian framework, automated investment services can be divided into two main categories: robo-adviser (which can be divided into two further categories, robo-managers and robo-advisers) and robo-trader (or order robots).

The main difference between the robo-adviser and the robo-manager is that, in the first case, the robot suggests an asset portfolio but the client is responsible for the implementation of the recommendation. The robo-manager, on the other hand, not only recommends a portfolio, but is also responsible for making the investments and rebalancing the portfolio automatically.

The robo-trader, in turn, comprises an automated system with the objective of identifying opportunities and appropriate moments to perform securities transactions (including the moment to enter and exit a position), analysing the price fluctuation of the securities without the need for human intervention.

Robo-advisers are subject to registration with the CVM under CVM Resolution 19/2021. Robo-managers must be registered with the CVM as a portfolio administrator, in the category of asset manager under CVM Resolution 21/2021. Robo-traders are also subject to registration with CVM, in accordance with Circular Letter No 2/2019/CVM/SIN and CVM Resolution 20/2021.

Traditional financial institutions in Brazil and newly formed fintechs are riding the robo-advisers wave. As technology proves to be a fruitful way to create different types of business, both legacy players and new players are focusing on implementing automated investment systems, aiming at reducing the costs, improving security and offering a diversified investment strategy to Brazilian consumers.

In the last couple of years, traditional Brazilian players (banks, brokerage companies, asset management companies) have noticed the relevance that robo-advisers have gained in the market and are already incorporating the automated systems into their investment platforms.

The Brazilian framework for robo-advisers is quite new and certain risks are still being assessed by the market and the regulators, but the challenges may include investment recommendations based on a risk profile that may be incorrect or misleading, conflict of interest and protection of financial/personal data.

As for data privacy and robo-advisers, it is worth mentioning that, according the LGPD, every automated decision based on personal data that is likely to affect data subjects' interests is considered a high-risk processing activity. Therefore, said decisions, such as those regarding individuals creditworthiness, can be reviewed as per the data subject's request. Data subjects are also entitled to request further explanation on the criteria and procedures used to achieve the decision. Data controllers are also required to carry out a specific data protection impact assessment to assess the corresponding risks to the data subjects and envision measures to mitigate them. Those are quite challenging legal compliance measures that companies are still adjusting to, and that may even affect technical business secrets related to how the algorithms are created and effectively work.

Under the Brazilian financial system regulation, the offer of financial services and products (such as loans) is considered a regulated activity that can only be performed by entities duly authorised to operate by BCB. The licence depends on the activities that will be performed, the clients that will be targeted and the size and presence the entity will have on the market.

In this sense, entities that intend to extend credit to individuals and/or micro and small-sized companies, in small amounts, should pursue a different authorisation from the institutions that intend to offer loans to large-sized companies or governmental entities. In addition, certain credit fintechs, for example, are only allowed to intermediate credit transactions that are carried out electronically, regardless of the type of the clients.

In summary, different types of licences can be pursued by the entities that intend to provide/intermediate loans to the clients, as follows:

• financial institution ("regular" bank);
• credit fintechs (Sociedade de Crédito Direto – SCD – and Sociedade de Empréstimo entre Pessoas – SEP);
• credit union (Cooperativa de Crédito);
• financing entity (Sociedade de Crédito, Financiamento e Investimento); and
• microentrepreneur credit companies (Sociedade de Crédito ao Microempreendedor e à Empresa de Pequeno Porte).

It is important to mention the creation of a new type of entity called a simplified credit company (Empresa Simples de Crédito), the only non-financial institution legally allowed to provide loans exclusively to individual microentrepreneurs (microempreendedores individuais), micro-companies (microempresas) and small-sized companies (empresas de pequeno porte).

As financial services are regulated in Brazil, there are different levels of compliance requirements/underwriting processes depending on the activities performed and on the licence received (as mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities).

Having said that, in addition to the minimum requirements provided by the regulation (mainly related to personal/registration information, risk management, anti-money laundering and origin of the funds), the institutions should implement their own compliance policies that must be compatible with their size and relevance in the market.

In the last years, participants of online lending platforms have begun to employ a variety of underwriting models, using advanced algorithms and artificial intelligence to evaluate the credit risk of consumers; such algorithms comprise credit scores, social media, employment history, etc.

Sources of funds for loans depend on the type of entity that is offering the product. Regular financial institutions, for example, are allowed to be funded by means of different sources (deposits from clients, self-funding, issuance of securities, etc). Credit fintechs, on the other hand, have specific restrictions in terms of funding (CMN Resolution No 4,656/2018) as follows.

• The Sociedade de Crédito Direto (SCD) is only allowed to grant loans with its own capital – no deposit-taking is permitted. The SCD is allowed to raise funds from its shareholders, from the Brazilian Development Bank (BNDES) and by means of the assignment of receivables to financial institutions, investment funds and/or securitisation vehicles.
• The Sociedade de Empréstimo entre Pessoas – SEP: as a peer-to-peer lending platform, the funds collected from the lenders must be directed to the borrowers. The SEP can neither carry out loan and financing operations with its own funds nor hold shares of financial institutions.

Syndication of loans is a practice that has been used in Brazil for decades by financial institutions. However, in the fintech industry, although permitted, syndication of loans has not yet become a common practice among participants. One of the models in which syndication is becoming more popular is the peer-to-peer lending platform (performed through the Sociedade de Empréstimo entre Pessoas – SEP).

Except for the systems operated by BCB, payment systems, securities settlement systems, central counterparties, central securities depositories and trade repositories must be previously authorised by BCB and/or CVM, pursuant to their respective jurisdictions. Therefore, players that operate in the payment system must use an existing payment rail or request an authorisation to create a new one.

The Brazilian foreign exchange market is highly regulated and comprises all types of cross-border transactions (conversion of foreign currency, international payments, remittances, etc).

Based on the current regulation, all foreign exchange transactions in Brazil are permitted, without limitation in relation to amounts and nature, provided that such transactions are performed by financial institutions duly authorised to operate by BCB and meet the following requirements:

• legality of the transaction;
• economic grounds; and
• availability of supporting documentation.

The financial institution that performs the foreign exchange transaction is responsible before BCB for verifying compliance with the above-mentioned requirements and maintaining the relevant documentation for a period of five years. Note, however, that BCB has not established a list of documents and information that must be presented to the financial institution for settlement of the foreign exchange transactions – the intermediary entities must elaborate their own compliance policies in order to identify the clients and the legality of the transactions.

Fund administrators and managers are regulated and supervised by CVM and must obtain a prior authorisation in order to initiate their activities (Resolution 21/2021).

As mentioned in 6.1 Regulation of Fund Administrators, the activities performed by fund administrators are highly regulated, not only by CVM (the supervisory regulator), but also by market associations (such as ANBIMA). Administrators must comply with:

• strict rules of conduct provided by the regulation;
• the by-laws and other documents of the fund;
• agreements executed with the service providers (manager, custodian, consultants, advisors, etc); and
• self-regulation imposed by the industry.

Exchanges and Trading Platforms

Stock exchanges, organised and non-organised over the counter exchanges, securities markets and operators of such markets (brokers, dealers, etc) are heavily regulated by CVM or BCB depending on the products/services provided, and different rules apply to companies with shares trading on each of these markets.

Crowdfunding Platforms

Electronic crowdfunding platforms (electronic participative investment platforms) must be registered with CVM. However, equity fundraising performed by small-sized companies through such electronic crowdfunding platforms are exempt from CVM registration, provided that certain requirements are met, including:

• the issuer's annual gross revenue must not exceed BRL10 million;
• the offer may not exceed BRL5 million; and
• the amounts invested by each investor in such securities are limited to BRL10,000 (CVM Instruction No 588/2017).

Peer-to-Peer Marketplace Platform

As mentioned in 4.3 Sources of Funds for Loans, peer-to-peer lending platforms are subject to registration by BCB.

Different asset classes have different regulatory regimes, as mentioned in 2.2 Regulatory Regime.

Currently, there is no specific legislation in Brazil that regulates cryptocurrencies or crypto-assets. There are, however, several bills of law on crypto-assets currently being discussed. The Brazilian Senate's Economic Affairs Committee has recently approved a bill of law that recognises and regulates the cryptocurrency market in Brazil (PL No 3,825/2019). The bill, which is currently awaiting for the National Congress’s approval, defines virtual assets and classifies their service providers, giving the federal government the authority to determine which agency will be responsible for regulating and approving transactions with cryptocurrencies.

According to the bill, virtual asset service providers are required to prevent money laundering and asset concealment while combating criminal organisations, financing of terrorism and the proliferation of weapons of mass destruction.

In addition, BCB, CVM and the Brazilian Federal Revenue have published guidelines, statements and warnings in this regard, as follows.

BCB

BCB has informed that cryptocurrencies/virtual currencies are not to be confused with real/official currencies or with the electronic currency deposited with financial institutions or payment institutions that allows the clients to make payments and transfers. Therefore, such cryptocurrencies and the entities that issue such cryptocurrencies are not regulated, guaranteed or endorsed by BCB.

CVM

Similar to BCB, CVM released a statement informing that crypto-assets are not considered financial assets (ativos financeiros) for purposes of CVM regulation. As a consequence, Brazilian investment funds are not allowed to invest directly in crypto-assets or cryptocurrencies. There is, however, a permission for such funds to indirectly invest in crypto-assets (eg, investment funds that acquire quotas of offshore funds that, in turn, invest in such crypto-assets or cryptocurrencies). In addition, initial coin offerings (ICOs) may be subject to registration with CVM as such assets may be considered as securities under Brazilian law (security tokens) (Communications No 25,306/2014 and No 31,379/2017).

Brazilian Federal Revenue

The Brazilian Federal Revenue issued a normative instruction establishing certain obligations to report transactions with crypto-assets to the tax authorities. According to such regulation, the reporting obligations are applicable to Brazilian crypto-asset exchanges and Brazilian individuals or legal entities that transact with crypto-assets in amounts higher than BRL30,000 per month (Normative Instruction No 1,888/2019).

The Brazilian Stock Exchange (B3) developed special listing segments for companies that offer securities in the market: Bovespa Mais, Bovespa Mais Nível 2, Novo Mercado, Nível 2 and Nível 1. All these segments were created to differentiate corporate governance levels among the companies.

While Novo Mercado requires companies to adopt higher corporate governance standards, Bovespa Mais allows companies to access the market gradually.

There are no specific listing standards for unregulated entities, platforms or virtual assets.

Brazilian brokers and traders (entities duly authorised to operate by CVM and BCB, as the case may be) are subject to strict regulation in relation to their activities, including execution of orders, transactions reports, internal controls and data privacy. The intermediaries must execute the orders in accordance with the instructions of the clients or, in the absence of such instructions, in the best conditions that the market allows. To assess the best conditions for the execution of orders, the intermediary must take into account price, cost, speed, probability of execution and settlement, volume, nature and any other consideration relevant to the execution of the order (CVM Resolution 35/2021).

No formal order handling rules apply for unregulated platforms or entities.

See 4.3 Sources of Funds for Loans and 7.1 Permissible Trading Platforms for further details on the regulatory framework for peer-to-peer platforms.

The Brazilian regulation on best execution of trades have been reformulated in 2021 in order to avoid asymmetry and discrepancies in the market (Resolution CVM 35/2021).

There are no specific regulations on payment for order flow in Brazil, although CVM and B3 have already announced their understanding that the payment for order flow by third parties should not be prohibited, in an attempt to enable the participation of brokerage houses with lower retail flow.

One of the main concerns of BCB, CVM and other Brazilian regulators has always been related to market integrity (prevention of financial crimes, combating money laundering, terrorist financing of terrorism and other related threats to the integrity of the financial system).

A financial system that constantly requires and monitors the compliance with AML rules is more likely to operate in a clean, transparent and accountable way. As a result, it is possible to successfully prevent, detect and remediate financial risks in order to mitigate the negative consequences of such criminal activities, while ensuring market integrity.

Thus, the Brazilian regulation requires that all transactions/trades are clearly identified in the trading systems and that all securities are held in individual accounts at the relevant clearing house, segregated from other clients and/or other custodians. This segregation permits a comprehensive monitoring of market participants by the financial intermediaries, avoiding financial crimes.

There are no specific regulations on the creation and usage of high-frequency and algorithmic trading in Brazil. Please see 3. Robo-Advisers.

There is no specific regulatory regime on high-frequency and algorithmic trading platforms, however, market makers must be duly registered at B3. A case-by-case analysis is necessary in order to assess whether such players are performing regulated activities.

Investment funds are regulated by CVM while brokers/dealers are regulated by BCB and CVM, depending on the activities engaged in.

Programmers who develop and create trading algorithms and other electronic trading tools are not subject to specific regulation. A case-by-case analysis is necessary in order to assess whether programs or programmers are performing regulated activities.

Platforms providing financial research are not specifically regulated by CVM. However, financial research is considered a regulated activity and subject to registration with CVM if the research reports refer to Brazilian securities and are disclosed to the public, including clients.

Certain legal provisions issued by CVM, within the context of public offerings of securities, establish prohibitions regarding the use of privileged information, insider trading, manipulation and deception of the market. In addition, rules related to financial crimes may also apply.

In Brazil, there are no specific rules regarding conversation curation. However, individuals that post to the platform information that can cause price distortion, market manipulation, "pump and dump" schemes and insider information will be subject to administrative and criminal penalties.

As for the platform, it should use best practices to moderate the content posted by users and remove unacceptable comments.

Fintech companies that carry out insurance-related activities are subject to the same rules applicable to traditional insurance companies. In summary, insurance/reinsurance companies, insurance brokers and agents are regulated by SUSEP and CNSP and, consequently, such participants must follow the minimum underwriting requirements provided by such regulators.

Brazilian online insurance platforms usually operate as licensed insurance brokers or agents of a licensed insurer or insurance broker, offering a wide range of insurance products (car, home, life, health, smartphone, etc).

Different types of insurance (eg, life, annuities, property and casualty) have a specific set of rules to be observed by the industry participants, although there is a set of common rules applicable independently of the type of insurance being offered.

Regtech providers are not subject to regulation in Brazil.

As mentioned in 2.7 Outsourcing of Regulated Functions, regulated entities can outsource certain regulated and non-regulated activities with due observance of the applicable regulation, provided that the institutions remain liable before third parties and regulators, even if a specific obligation is violated by the external provider (such as regtechs). To mitigate such risk, financial services firms usually include in their agreements provisions which allow them to inspect and monitor the external providers.

Both Resolution No 85 of the Central Bank of Brazil and Resolution No 4.893 of the National Monetary Council also require financial services firms to instruct external providers to adopt technical and organisational security controls to protect data, including a robust access control policy, return data upon the termination of the agreement and notify the financial service firm of any subcontractor or about an information security incident.

The use of the blockchain technology by traditional and new financial players (known as blockchain finance) is becoming a reality in Brazil.

Brazilian banks are taking advantage of the new technology aiming at providing personalised services/products for their customers, while ensuring maximum protection in all transactions, with a clear reduction of costs. It is undeniable that blockchain finance is the future in terms of banking security – the "decentralisation" of the system (with the exclusion or reduction of intermediaries) is what guarantees the highest security level of this technology.

There is still no specific regulation in Brazil related to the use of blockchain/distributed ledger technology in the financial service industry (please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges). Nevertheless, BCB has been exploring and testing the use of blockchain technology to improve and make more sophisticated the Brazilian financial sector, in line with the developments around the world.

In 2020, for example, an integrated platform using blockchain was developed by BCB. The Plataforma de Integração de Informações das Entidades Reguladoras, PIER – a platform for regulatory entities' data integration – is focused on streamlining the licensing processes through blockchain technology, by means of the instant sharing of data of legal entities and individuals that operate in the financial system between the regulators (especially BCB, CVM and SUSEP). According to BCB, PIER enhanced the licensing process by eliminating non-automated intermediate steps.

In addition, in 2021, within the regulatory sandbox (please see 2.5 Regulatory Sandbox), BCB approved the creation of Bolsa OTC Brazil, an online platform that will permit the issuance of tokens within the financial system. The company will use the blockchain technology to tokenise securities of private entities, acting as registrar and settler of transactions for the purchase and sale of tokenised assets.

Currently, there is no specific legislation in Brazil that regulates blockchain assets. However, several bills of law on crypto-assets are currently being discussed, such as bill No 3,825/2019. Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges for further information.

Blockchain issuer are not yet regulated in Brazil. Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Blockchain asset trading platforms are not yet regulated in Brazil. Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Decentralised finance platforms are not subject to specific regulation in Brazil. However, BCB is constantly observing the developments of the DeFi market and how the current ecosystem of decentralised finance can be integrated with the real digital platform that is currently under discussions and tests (real digital is a digital currency to be issued by BCB in line with the worldwide concept of CBDC, the Central Bank digital currency).

Please see 12.2 Local Regulators’ Approach to Blockchain.

As mentioned in 1.1 Evolution of the Fintech Market, open banking is a reality in Brazil and is one of the main drivers of the growth of the fintech industry.

Created by Joint Resolution No 1/2020, open banking represents the sharing of data, products and services between regulated entities (financial institutions, payment institutions and other authorised entities) if the customers so desire, with the goal of enhancing the effectiveness of the credit/payment market, promoting a more competitive environment and reducing the costs borne by consumers. According to the resolution, the objectives of open banking are:

• encouraging innovation;
• promoting competition;
• increasing the efficiency of the national financial system and the Brazilian payments system; and
• promoting financial citizenship.

Joint Resolution No 1/2020 also established the competence of BCB to regulate the initial structure responsible for the governance of open banking’s implementation process in Brazil, by means of the promotion of discussions among participating institutions, represented through their national-level representative associations. Based on that competence, BCB Circular No 4,015/2020 established the scope of data and services of open banking.

The full implementation of open banking in Brazil is expected to happen by May 2022.

One of the most common concerns in the context of open banking relates to data sharing. Banks and their technical providers are already making huge efforts to comply with the LGPD and other cybersecurity resolutions issued by the BCB and the CMN. Coping with data security has been a reality for a few years now, especially with respect to transferring data between financial services firms. Therefore, the challenges raised by open banking have not relevantly shifted the risks and compliance measures to be implemented by any company that is willing to do business in the field.

Notwithstanding the above, companies have to implement a consent management system, requiring any customer to effectively give consent to share their data in order to fulfil the goals envisaged by open banking in Brazil. If the customer wants to share their data with more than one institution, a new consent must be obtained. Rules related to such consent follows LGPD’s requirements.

In addition, market players are concerned about allocation of liability among the different parties of the system in case of a breach of any of the rules established by BCB/CMN.