Financial institutions must boost cybersecurity and capital to remove limits on Brazil’s instant payment and wire systems
09/25/2025
Brazil’s Central Bank has detailed the requirements for financial institutions using third-party technology providers to request a waiver from the R$15,000 limit per instant payment (Pix) or same-day wire transfer (TED) transaction, announced earlier this month. Among the conditions, firms must implement real-time transaction monitoring and maintain a capital buffer as collateral.
Earlier in the month, the Central Bank had indicated that financial institutions using IT Service Providers (PSTIs) to connect to Brazil’s National Financial System Network (RSFN) could apply for a 90-day exemption from the cap if certain security controls were in place. The regulation, now published in the Official Gazette, defines what those controls are.
PSTIs are tech firms that enable smaller firms to connect to the RSFN, allowing them to operate services like Pix for clients. Two of these providers were recently hit by cyberattacks that compromised millions of accounts managed by institutions using Central Bank infrastructure. In response, the regulator tightened rules for both the providers and their client institutions to strengthen cybersecurity.
The new regulation outlines the conditions under which the Central Bank may authorize a temporary waiver of transaction limits. To obtain permanent exemption, both institutions and their PSTIs must comply with the more comprehensive security controls published on September 5.
Kenneth Ferreira, a partner at law firm Lefosse specializing in banking and financial services, said the exemption is not “broad,” but an “exception contingent on technical robustness and control,” aimed at increasing the safety of institutions using PSTIs.
For Pix transactions, the waiver applies only on weekdays between 6:30 a.m. and 6:30 p.m. For both Pix and TED, the waiver can be renewed for additional 90-day periods, provided the firm has not experienced “serious operational deficiencies or failures.”
Rodrigo Caldas de Carvalho Borges, a partner at law firm CBA Advogados, said the time-bound nature of the waiver enhances security, as the limited timeframe increases oversight, potentially allowing for quicker detection and response to incidents.
To qualify for the waiver for Pix, financial institutions must maintain a capital reserve equal to 100% of the highest daily interbank transfer volume processed through their Instant Payment Account (Conta PI) in August. For TED, the reserve is based on the highest daily transaction volume made from their Reserve Account or Settlement Account.
Mr. Borges noted that this requirement serves as a financial cushion. “The institution must prove it has unencumbered capital equivalent to its peak transfer day in August. The goal is to ensure that, in the event of large-scale fraud, the institution can absorb the losses on its own, avoiding collapse and systemic risk,” he said.
Firms must also meet governance criteria, including not sharing or storing private keys used to sign RSFN messages within PSTI environments—one of the vulnerabilities exploited in recent cyberattacks.
They must also use distinct digital certificates for different systems and regularly update access permissions, especially for third-party contractors with access to core systems or reserve operations.
Mr. Ferreira said that while the new rules will likely improve security and reduce vulnerabilities, they won’t eliminate the risk of hacking. “Security depends not just on regulations, but also on technical excellence in implementation, audits, penetration testing, corporate governance, incident response, continuity planning, and constant review,” he noted.
To be eligible for the waiver, financial institutions must demonstrate real-time monitoring of atypical or fraudulent transactions. The regulation also requires mechanisms to suspend transaction processing in the event of a suspected severe compromise of their own systems or those of the contracted PSTI.
“We’re seeing an escalation in cyberattacks, and recent events have taught us important lessons,” said Ailton de Aquino Santos, the Central Bank’s director of supervision, during an event in São Paulo. “Criminal activity is migrating from the physical to the virtual world, and financial stability increasingly depends on cybersecurity.”
(Vinícius Lucena contributed reporting from São Paulo.)
By Gabriel Shinohara, Valor — Brasília
Source: Valor International
https://valorinternational.globo.com/