Published July 25, 2025
Last updated January 12, 2026

Understanding KYC and KYB requirements in Brazil for fintech

If you’re launching financial products in Brazil, you’re required to follow local laws for KYC and KYB. Learn how to stay compliant with confidence.
Sandy Chan

Disclaimer: The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.

Brazil is one of the most dynamic fintech markets in the world. It’s a prime environment for growth, with a large unbanked population, accelerating digital adoption, and government-led support for financial inclusion. Consider Nubank, which gained more than 100 million users in a decade and underscores the market’s potential. 

In this environment, the opportunity to expand financial access is significant, but so are the regulatory hurdles. Brazil’s Know Your Customer (KYC) and Know Your Business (KYB) requirements are tightly enforced, with sector-specific rules and strict reverification timelines.

The consequences for noncompliance can include steep fines, regulatory audits, and potential loss of licensure. In 2023 alone, a record R$ 38 million in AML fines across 26 administrative proceedings were imposed by Brazil’s financial intelligence unit, the Council for Financial Activities Control (COAF). That number is a 727% increase over 2022. 

If you're thinking about launching in or expanding to Brazil, you may be wondering how to navigate Brazil's regulatory environment. In this article, we’ll outline Brazil's KYC and KYB requirements. Learn what’s required, who enforces KYC and KYB, and how to stay compliant as you grow.

KYC and KYB compliance: how Brazil differs from the US 

Brazil takes a more prescriptive approach to KYC/KYB than the US. Banco Central do Brasil (BCB) Circular 3.978/2020 establishes sector-specific rules that clearly outline expectations for KYC and KYB, including customer onboarding, beneficial ownership verification, and ongoing monitoring. 

Many industries are subject to mandatory reverification at specific intervals. Customer records must be kept “up to date,” and certain events (like a change in risk profile) require immediate review.

In contrast, the US regulatory framework is broader and more principle-based. This gives institutions more flexibility in how they design their compliance programs, but also introduces more ambiguity.

In the US, the Bank Secrecy Act (BSA) establishes KYC/KYB requirements, which are enforced by FinCEN. Under the Customer Due Diligence (CDD) Rule, financial institutions must collect and verify both customer identity and beneficial ownership information.

However, unlike Brazil, US regulations do not mandate reverification intervals. Instead, institutions are expected to update records only when “triggering events” occur, such as suspicious activity or changes in ownership. 

What are the customer identification requirements in Brazil?

You’re required to collect detailed identity information for both individuals and businesses under Brazil’s KYC and KYB rules. These rules are supervised by Brazil’s central bank, Banco Central do Brasil (BCB).

KYC in Brazil

For KYC, you’ll need to collect and verify the following information, at minimum, according to BCB Circular 3.978/2020:

  • Legal name

  • Individual tax ID number (CPF, or Cadastro de Pessoas Físicas)

  • Residential address

A note about residential addresses: Originally, BCB Circular 3.978 made address information mandatory for all customers. However, BCB Res. 119 moved this requirement to the customer due diligence process. Practically speaking, this makes address information optional for low-risk customers.

KYB in Brazil

For KYB, you’ll need to collect and verify the following information:

  • Legal name

  • Business tax ID number (CNPJ, or Cadastro Nacional da Pessoa Jurídica)

  • Address of headquarters

  • Information about the ultimate beneficial owners, or those who own 25% or more of the company (Circ. 3.978, Art. 24-25), including identification (Art. 16-18, Art. 24)

What are CVM’s requirements for customer identification?

It’s worth noting that different regulators may have slightly different requirements. For example, CVM, the securities and exchange regulator in Brazil, requires you to collect the following (CVM Resolution 50/2021, Annex B, Art. 1):

  • Address

  • Date of birth

  • Occupation or source of income

  • Phone number

  • Email address

If your company offers products or services that could be regulated by BCB and/or CVM, the best practice is to follow the stricter rule. 

What are the identity verification requirements in Brazil?

For identity verification, check the list of accepted government-issued identity documents in BCB Normative Instruction No. 2/2020 (Art. 1). The most common government IDs include:

  • National ID card, known as CIN (Carteira de Identidade Nacional). It’s commonly referred to as RG (Registro Geral, or General Registration).

  • Driver’s license, known as CNH (Carteira Nacional de Habilitação).

  • Foreigner ID card, known as CRNM (Carteira de Registro Nacional Migratório). In older documents, you may sometimes see it referred to as CIE (Cédula de Identidade de Estrangeiro).

  • Passport (Passaporte brasileiro).

Once you’ve collected these documents, you’ll need to verify them against “public and private databases” (BCB Circular 3.978, Art. 16 § 1), such as:

  • Serpro (Serviço Federal de Processamento de Dados). This Brazilian government-owned company provides IT and data services, including a database of driver’s licenses.

  • RFB (Receita Federal do Brasil). This Brazilian revenue service agency maintains the official registry of CPFs and CNPJs.

  • Other private or authoritative databases. Often, these come from credit card and telecommunications companies.

Two requirements for Customer Due Diligence in Brazil

Customer due diligence (CDD) involves assessing the risk of working with an individual or organization. The goal is to prevent financial crimes such as money laundering and terrorist financing. It’s a core part of Brazil’s anti-money laundering (AML) and counter-terrorist financing (CFT) framework.

Once you’ve verified the customer’s identity, you must “classify clients into risk categories defined in their internal risk assessment” (Art. 20), and implement due diligence processes appropriate for the risk level. This often involves evaluating factors such as the customer’s profile and behavior, products and services involved, and geographic locations. 

The following are explicitly required as part of CDD, according to BCB Circular 3.978/2020, as amended by BCB Resolution 119/2021:

  1. Financial capacity assessment, which serves as a baseline to determine suspicious activities (BCB Circular 3.978, as amended by BCB Resolution 119/2021, Art. 18 §1 III; Art. 39 I (c)). To do this, companies typically use the customer’s occupation or source of income information. 

  2. Proof-of-address verification is another requirement of CDD (BCB Circular 3.978, as amended by BCB Resolution 119/2021, Art. 18 §1 I-II). Organizations typically perform this using official documents (like utility bills and bank statements). They must have been issued within 90 days and show the customer’s name and a Brazilian address.

Additionally, customers must be screened against UN sanctions lists and Brazil’s national sanctions list, according to the “Sanctions Law” (Law 13.810).

What’s required for enhanced due diligence?

For high-risk individuals or transactions, companies are expected to apply enhanced due diligence (EDD). This often includes requesting additional identity documents or verifying the individual’s source of funds before approving the transaction.

Your organization will define the specific risk levels and red flags that trigger EDD. Bottom line, they should account for individuals engaging in unusual or complex activity patterns, like large cash transactions, cross-border payments, ties to high-risk jurisdictions, or unclear beneficial ownership.

Transactions involving politically exposed persons (PEPs) — including their relatives and close associates (RCAs) (Art. 19, 27) — are also considered higher risk and should trigger EDD. Initiating a business relationship with a PEP customer requires senior-management approval (Circular 3.978, Art. 19 §2).

Is ongoing KYC and KYB monitoring required in Brazil?

As in the US, compliance in Brazil requires ongoing monitoring and reverification. Specifically, you’re required to keep customer identification information “up to date” (BCB Circular 3.978, Art. 17). It’s up to you to decide how often to reverify individuals and what events should trigger it (Art. 22).

Outside of that, the law states that “whenever there are changes in [the customer’s] risk profile” (Art. 20), you’re required to review their risk categories. Let’s say that a customer becomes an elected official (i.e., becomes a PEP) or moves to a high-risk country. If that happens, you’ll need to make sure their information is current and reassess their risk level.

It’s worth noting two sector-specific rules for reverification:

  • For the securities sector, you must reverify customers at least every 5 years and log the date (CVM Resolution 50/2021, Art. 4 § 1).

  • In the insurance sector, you’re required to review your full customer database at least annually to identify newly designated PEPs. You must also verify PEP status during certain transactions (e.g., cancellations, payouts, renewals, or redemptions) if more than 6 months have passed since the last review (SUSEP Circular 612/2020, Art. 33-34).

What do I need to report to regulators in Brazil? 

All suspicious transactions and high-value currency movements must be reported through the appropriate channels, typically as a suspicious activity report (SAR), suspicious transaction report (STR), or currency transaction report (CTR).

If you encounter any suspicious activities, you have 24 hours to report them to COAF, according to Law 9.613. If there are no reportable events in a year, you only need to file a “zero-activity report” (Art. 11 I-III). 

What’s considered a suspicious activity? BCB Circular 3.978 adds further criteria for suspicious activities (Art. 39). Notably, this law gives you 45 days to analyze and determine whether the activity is suspected of money laundering or terrorist financing (Art. 43).

You’re also required to report any cash transaction of R$ 50,000 or more to COAF within one business day of the transaction or provisioning (Art. 49). This includes cash deposits, cash withdrawals, checks, payment orders, and transfers.

Recordkeeping and data retention requirements for KYC/KYB in Brazil

Regardless of whether any activity is deemed suspicious, you’re required to keep records of “all operations carried out [and] products and services contracted, including withdrawals, deposits, contributions, payments, receipts and transfers of funds” (BCB Circ. 3.978, Art. 28). 

According to Law 9.613, the foundational AML statute, you’ll need to preserve KYC and transaction data for a minimum of 5 years after a business relationship ends or a transaction is completed (Law 9.613, Art. 10 § 2).

Check the rules for your sector, as this period can be “extended by the competent authority” (Art. 10 § 2). In the financial sector, for example, BCB Circular 3.978 requires 5 years for internal documents (e.g., formal AML/CFT policies, procedure manuals) and 10 years for KYC/KYB files and transaction data (Art. 66, Art. 67 I-IV).

Below, we’ve outlined the minimum required data you’ll need to record (based on BCB Circular 3.978):

Minimum required for all transactions (Art. 28 § 1-3)

  • For all transactions:
      • Transaction type
      • Value (if applicable)
      • Date of completion
      • Legal names (originator/recipient)
      • CPFs or CNPJ (originator/recipient)
      • Channel used (e.g., ATM, API, etc.)
  • For individuals without CPF:
      • Travel document type and number
  • For entities without CNPJ:
      • Company name
      • ID in original country (e.g., EIN)

Additional information required for certain transactions (Art. 30-35)

  • For payments & transfers:
      • ID codes of institutions (e.g., SWIFT/BIC codes, which include ID codes for banks and branches)
      • Account numbers involved
      • Check numbers (if applicable)
  • For cash transactions ≥ R$ 2,000:
      • Name and CPF/CNPJ of the carrier
  • For cash transactions ≥ R$ 50,000:
      • Name and CPF/CNPJ of the originator/recipient
      • Source of funds or purpose of withdrawal
      • Withdrawal request number*

*Cash withdrawal requests of R$ 50,000 or more must be made at least 3 days before the withdrawal. This request number must be stored (Art. 36).

    Data privacy and retention intersect closely with Brazil's General Data Protection Law (LGPD) and require a careful balance between maintaining records and safeguarding privacy. Collect and store only the sensitive personal information needed for compliance.

    Which financial regulators oversee KYC and KYB compliance in Brazil?

    Brazil combats money laundering and terrorist financing through a multi-layered anti-money laundering (AML) and counter-terrorist financing (CFT) framework of statutory laws, regulatory rules, and sector-specific requirements.

    Two primary regulators oversee KYC and AML compliance:

    • The Central Bank of Brazil (BCB) (Banco Central do Brasil, or “BACEN”) issues and enforces AML/KYC regulations across the financial sector, including banks, credit unions, payment institutions, and fintechs. As of 2023, it also covers virtual asset service providers (VASPs) (Law 14.478/2022).

    • COAF (Conselho de Controle de Atividades Financeiras, Council for Financial Activities Control) is Brazil’s financial intelligence unit. It oversees sectors not overseen by other regulators. This includes lawyers, accountants, real estate agents, jewellers, and art dealers.

    You may also be subject to sector-specific regulators that issue their own guidance. For example:

    • CVM (Comissão de Valores Mobiliários) oversees securities, exchanges, fund managers, and crypto token issuers.

    • SUSEP (Superintendência de Seguros Privados) regulates the insurance and pension industry.

    • ANS (Agência Nacional de Saúde Suplementar) oversees health plan operators.

    • ANPD (Autoridade Nacional de Proteção de Dados, National Data Protection Authority) enforces Brazil's “General Data Protection Law” (LGPD, Law 13.709/2018).

    Brazilian compliance regulations that fintechs should pay attention to 

    Brazil has a complex regulatory landscape, with multiple norms and regulators. If you’re thinking about launching in Brazil, you’ll need to pay attention to four key areas of regulation.

    To help you comply with KYC/AML regulations in Brazil, we’ve distilled the main legal requirements below. The information is based on the primary requirements from BCB Circular 3.978, which COAF and most regulators mirror.

    1. Brazil’s “AML Law” (Law 9.613/1998)

    This regulation is the foundation for Brazil’s KYC/AML framework. It criminalizes money laundering, creates the national financial intelligence unit (FIU), and requires a wide list of ‘obliged entities’ to verify customers and beneficial owners, apply risk-based due diligence, file suspicious activity reports (SARs) to the FIU, and maintain records. 

    Over time, Brazil has updated the AML Law to close gaps, provide clarity, and make improvements. For example:

    • The “Sanctions Law” requires asset freezes for sanctioned individuals on the United Nations sanctions list, according to Law 13.810/2019.

    • COAF is now an independent authority with an administrative link to the BCB (Law 13.974/2020). This update establishes COAF's autonomy as a FIU while allowing it to leverage BCB's operational infrastructure.

    • The AML law now applies to VASPs, bringing them under the supervision of BCB (Law 14.478/2022).

    2. KYC rules, overseen by BCB

    BCB Circular 3.978 of 2020 operationalizes the “AML Law” (Law 9.613) for the financial sector. Think of it as the primary guidance for KYC compliance in Brazil. 

    Circular 3.978 has been updated multiple times. Most notably, BCB Resolution 119/2021 requires financial institutions to collect customers’ residential addresses (Art. 18).

    3. KYC rules, overseen by COAF resolutions

    This covers KYC for all sectors that are listed in Law 9.613 but not governed by the BCB. The following resolutions are worth noting:

    • Resolution 31/2019 mirrors the overarching risk-based KYC policies of Circular 3.978.

    • Resolution 36/2021 mandates immediate asset-freeze and reporting requirements for the United Nations sanctions list.

    • Resolution 40/2021 updates the list of PEPs and applies to all COAF-supervised entities.

    4. Sector-specific regulations

    While BCB circulars and COAF resolutions serve as the foundation for KYC compliance, other sector-specific regulations may have more specific KYC requirements. For example:

    • Real estate: KYC, UBO identification, and rapid reporting are required for transactions of R$ 100,000 or more (COFECI Resolution 1.336/2014).

    • Telecommunications: Photo ID and tax-ID checks are required before SIM activation, according to ANATEL Resolution 477/2007.

    • Ride-hailing: The “Uber Law” requires apps to keep driver, license, and vehicle identification data on file for city regulators (Law 13.640/2018).

    • Gambling, gaming, and lotteries: The “Bets Law” requires documentary verification and facial recognition verification for KYC compliance (Law 14.790/2023).

    How Persona can help

    Staying compliant in Brazil requires navigating a web of evolving regulations, managing sensitive data, and maintaining ongoing KYC and KYB processes. It’s a lot to keep up with, especially when requirements vary by sector and enforcement is split across multiple regulators.

    Persona simplifies this complexity with a flexible, unified platform built for end-to-end identity management. With Persona, you won’t need to stitch together separate tools for individual checks, document collection, ongoing monitoring, and case management. Instead, you can do it all in one secure, seamless platform.

    From onboarding to ongoing due diligence, Persona helps you stay compliant, adapt quickly to regulatory changes, and deliver an outstanding user experience. Interested in learning more? Start for free or get a demo today.

    FAQs

    How do Brazil’s digital IDs change verification?

    In 2023, Brazil began to issue digital IDs per Decree 10.977/2022 (Art. 5). New national ID cards and driver’s licenses now include a QR code for verification (Art. 2 VI). 

    Going forward, the CPF number will be the key identifier to verify against databases. RG numbers, which vary by state, will be phased out. While older ID cards will still display a CPF number and remain verifiable, expired IDs generally should not be used for verification.

    Sandy Chan
    Sandy is a product manager at Persona focused on building out Persona Reports and Database Verifications. Outside of work, she enjoys spending time with her senior chihuahua mix and playing tennis.