An Introduction to Compliance in Brazil for Regulated and International Business

Brazil presents a massive new frontier for digital business, especially in the fintech sector. The opportunity of this landscape is matched only by its complexity and the daunting potential costs of non-compliance, which have historically dissuaded new market entrants.
Navigating this region requires a deep understanding of key regulations, from the Lei Geral de Proteção de Dados (LGPD) for data protection and stringent Central Bank mandates for cybersecurity to rigorous KYC/KYB protocols and long-term record-keeping obligations.
Because of the degree of complexity required, a generic compliance solution may leave gaps in an institution’s overall regulatory purview. The recommended approach is to choose a mobile compliance provider that possesses localized expertise and on-the-ground presence.
Recently, 1GLOBAL has expanded into Brazil in this very way, securing the status of fully regulated Mobile Virtual Network Operator (MVNO). This enables us to develop the critical local knowledge and support necessary to turn Brazil's regulatory challenges into manageable compliance.
Our global capabilities and deep experience in secure telco and data recording, augmented by this in-country presence, combine to ensure we are well placed to help businesses meet Brazil’s unique demands.
In this article, 1GLOBAL provides an essential overview for businesses considering entry into the Brazilian market, identifying the critical compliance pillars that will help ensure a successful and secure launch into Latin America's largest economy.
The Custo Brasil
As the largest economy in Latin America, Brazil presents a vast consumer market. It also has a reputation as one of the world's most complex and demanding regulatory environments.
There’s even a term used by local market analysts – the Custo Brasil – which refers to all the indirect expenses associated with the country's intricate landscape. It is naturally never included as a line item on a budget but serves as a catch-all for a complex tax system, legal and physical logistical hurdles, and an evolving raft of regulatory obligations.
While the Brazilian government has initiated significant reforms aimed at simplification, including the 2024 Regula Melhor Strategy and new procurement laws, new entrants still face a steep learning curve.
Businesses must equip themselves for a multi-layered system of governance, with distinct yet sometimes overlapping rules at federal, state, and municipal levels.
Access to localized expertise and a proactive strategy for compliance is required.
It’s easy to assume the Custo Brasil is just another name for the usual one-time entry fees typical of starting up in any new market: office space, facility fees, licenses, hardware and sundry capex. Local experts will tell you, however, that where the reais really start to mount is in the persistent operational drag on the business.
Regulatory frameworks prone to frequent change need constant monitoring and adaptation, and can consume significant management time and resources.
This perpetual ‘stealth tax’ on operational agility means that success in Brazil requires preparing for the unique regulatory demands that precede it. Finding local partners and experts to navigate this maze can add another layer of complexity and expense.
Trust at a premium
The bedrock of Brazil's regulatory architecture for all data handling is the Lei Geral de Proteção de Dados (LGPD). It is the Brazilian government's primary instrument for restoring and maintaining trust in the digital economy.
Introduced in August 2018 and fully enforceable with sanctions since August 2021, the LGPD has a long reach. Its scope is extraterritorial and fully applies to any business that processes data within Brazil, offers services to the Brazilian population, or handles personal data collected from within the country, regardless of physical headquarters.
This means that not only should firms targeting this market consider themselves subject to the full scope of Brazilian law, but so should any organization thinking of doing business near Brazil.
The law imposes a series of comparatively clear obligations. Central to these is the requirement to have a valid legal basis for any and all processing of personal data. Organizations must adhere to core principles of accountability, transparency, and minimization, which it defines as collecting only what is strictly necessary for the specified purpose.
Other key mandates include the appointment of a Data Protection Officer (DPO) to oversee compliance, the implementation of robust security measures to protect data, and adherence to specific rules for international data transfers. Businesses must also establish effective processes to handle requests for access, correction, or deletion within a 15-day timeline. They must also self-report data breaches to the national authority without “undue delay”.
Enforcement is overseen by the Autoridade Nacional de Proteção de Dados (ANPD) which is vested with both significant power and latitude to achieve its goals. Penalties for non-compliance are potentially severe.
In a market where consumer anxiety over fraud is high, a company's approach to data protection should ideally go well beyond what is strictly necessary and position itself as a competitive differentiator.
A business that meets the minimum LGPD requirements will be compliant, but one that proactively (and publicly) communicates its robust cybersecurity, encryption, and secure handling policies will be directly addressing consumer pain points.
Cybersecurity and Banco Central
While the LGPD establishes a universal baseline for data protection, financial service providers operating in Brazil are subject to a second and often more rigid layer of oversight. This comes from the Banco Central do Brasil (BCB), the nation's central bank and primary financial authority.
The BCB has detailed a framework for cybersecurity, risk management, and the governance of third-party service providers, all of which are a mandatory condition for maintaining a license to operate.
The main instruments are two BCB Resolutions, both issued in 2021: No. 4893 concerning financial institutions and No. 85 for payment handlers. These regulations require that all ‘regulated institutions’ implement and maintain a formal, documented and demonstrable cybersecurity policy.
This is part of a wider policy throughout the BCB Resolutions that actively requires a standard of confidentiality, integrity, and data completeness. A particularly important section of the BCB Resolutions deals with how businesses source their data processing, storage, and cloud services. The BCB has recognized the financial sector's increasing reliance on cloud infrastructure, and so established a rigorous due diligence process that institutions must follow before engaging any cloud service provider.
The checklist of criteria that must be proven to have been evaluated includes the provider's ability to:
Ensure full compliance with all current Brazilian legislation and regulation.
Guarantee the confidentiality, integrity, and ready availability of all stored data.
Provide reports from an independent, licensed audit firm endorsing the provider's procedures and controls.
Demonstrate physical and digital systems to silo client data.
The Regulations also get into the complex issue of cross-border data flows. The BCB does not have a data sovereignty requirement, and client data does not necessarily need to be stored within Brazil's borders.
The trade-off is a condition in Resolution Article 16 where offshore services can only operate in jurisdictions where there’s an existing agreement for cooperation and information exchange with the BCB. This has some flexibility, as a cloud provider can still operate in other territories, but will require explicit approval by the BCB. The effective takeaway is that Brazilian data processing can happen outside Brazil, but only where that data can be ‘extradited’ on demand.
For any business operating locally, this makes the process of selecting cloud providers a complex legal and strategic consideration.
KYC and KYB in Brazil
Brazil’s authorities have introduced vigorous anti-money laundering (AML) and counter-terrorist financing (CTF) frameworks designed to win the confidence of international business and overseas institutions.
Central to this are detailed Know Your Customer (KYC) and Know Your Business (KYB) obligations that have virtually zero tolerance for anonymous financial activity.
It’s increasingly evident that for regulated service providers all over the world, compliance requires far more than passive data collection. The evolution of the requirements under laws including DORA, GDPR, MiFID II and MiFIR has created de facto requirements for advanced tools such as AI transcription processing, without explicitly saying so.
Both American and European authorities have simply increased the standards of required performance until advanced technologies are the only viable solutions. The Brazilian landscape is arguably more straightforward, as it clearly demands active, tech-enabled verification that cross-references with official government databases.
1998’s Law No. 9613 serves as the foundational local AML framework, criminalizing money laundering and creating the national financial intelligence unit, the Conselho de Controle de Atividades Financeiras (COAF).
A characteristic of the Brazilian system is that simple collection of KYC and KYB information is insufficient, as the regulations specify ‘active’ verification. This means that the ID numbers provided by the customer can’t just be recorded; they must be queried, verified and cross-referenced with the databases of the Federal Revenue service.
To combat identity fraud, the rules about KYC/KYB are supported by biometrics and two-factor authentication. The ‘knowing’ also isn’t treated as a one-time onboarding event, as the regulations explicitly require firms to keep customer identification information "up to date" through ongoing monitoring. This includes continuous transaction monitoring, and any cash transactions with a client of more than R$50,000 (just under €8,000) in a day will trigger a reverification process and a report to COAF.
If a business detects any suspicious activity, it will have just 24 hours to report it to the COAF, but if there aren’t any reportable events in a year, they’ll still need to file an entirely different “Zero Activity Report” with the same authority.
This direction of ever-greater digital integration with state systems is one of the major trends in Brazil's compliance ecosystem. It’s intended to provide an authoritative ‘single source of truth’, as opposed to a fragmented patchwork of public records, credit bureaus, and private data aggregators. The ultimate goal is that state systems are not just databases for businesses to cross-reference against, but the gatekeeper of the entire national financial infrastructure.
This idealized centralization would be highly reliable and definitive, but it’s also presenting both market entrants and state institutions with an enormous challenge.
A business’s system must be capable of securely and reliably integrating with the specific APIs of Brazilian government databases. A generic, one-size-fits-all KYC solution won’t meet the specific technical and legal requirements.
Predictably, this is creating a critical bottleneck where a business’s ability to onboard customers and remain compliant depends on how well the government systems are behaving.
Speaking at the University of São Paulo in 2025, the President of COAF Ricardo Saadi explained that for the approximately 7.5 million reports of suspicious transactions received that year, there were a grand total of nine people available to analyze the data, using computer systems installed before the turn of the Millennium.
Brazil’s targets for financial data compliance are ambitious, but in some cases are still beyond the resources available. This is among the best reasons that a business operating in the area needs to be sure it can totally depend on its own digital architecture when questions of compliance are raised, making robust and localized technology an absolute necessity.
Data Retention & Reporting
A standout feature of Brazil's financial regulatory landscape is its approach to data retention, which for businesses translates into long-term data stewardship obligations and the need for systems capable of meeting sophisticated electronic reporting standards.
From mid 2020, the BCB extended the mandatory retention period for all records potentially related to AML and illicit financing from five to a full ten years. The scope of this rule is as broad as it is long, covering all information collected during KYC and KYB procedures, as well as detailed records of all interactions, transactions, products, and services contracted by the client.
In 2023, the BCB, in collaboration with the National Monetary Council (CMN), also passed a resolution requiring financial institutions to share data regarding indications of fraud not only with the government but also with one another.
Using the central electronic system, the goal is to create a cross-institutional view of fraudulent activities and actors, allowing for more effective and informed prevention: all of which must be done in strict compliance with LGPD principles.
Your strategic partner for Brazilian compliance
The Brazilian market has almost unrivalled potential but also requires the awareness and tools to navigate its unique compliance landscape. Any business operating in (or proximate to) the region can fully expect a series of non-negotiable regulatory hurdles as part of a multi-layered and interconnected system of oversight.
Businesses must fully adhere to the foundational data privacy principles of the LGPD. On top of this are the multiple prescriptive, sector-specific mandates around cybersecurity, cloud governance, and risk management.
With those obligations served, pursuing daily business will still depend on meeting the granular KYC/KYB verification processes, all of which are uniquely tied to the country's centralized and proprietary government mainframe.
The presence of 1GLOBAL as a registered MVNO in Brazil – complete with our new São Paulo office – provides businesses with the peace of mind that there exists a knowledgeable, local mobile compliance provider capable of helping businesses chart a compliant path through the knotty regulations. 1GLOBAL is therefore perfectly placed to help businesses meet the stringent demands of the BCB and the ANPD.
By partnering with 1GLOBAL, organizations can confidently manage the complex recording, verification, and mobile recording compliance challenges inherent to the Brazilian market. We provide the tools and expertise to ensure a secure, compliant, and ultimately successful participation in one of the world's most dynamic and rewarding economies.
Contact 1GLOBAL’s compliance team today to discuss further how we can support your business in Brazil.
About 1GLOBAL
1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.
It delivers comprehensive communication solutions that encompass Voice, Data & SMS, all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.