Brazil: Central Bank of Brazil regulation on authorisation, penalties and fraud-prevention measures in Pix payment scheme including cybersecurity regulation entered into force

On 30 September 2025, Central Bank of Brazil (BCB) Resolution No. 506 entered into force following its publication in the Official Gazette of the Union, introducing cybersecurity provisions in the Pix payment scheme. The resolution provides that Pix participants may only set transaction limits based on criteria for mitigating risks of fraud and breaches of anti-money laundering and counter-terrorism financing regulations, and requires participants to adopt minimum criteria defined by the BCB for assessing suspected fraud in Pix transactions. It also obliges participants to reject requests for Pix key registrations, portability, or possession claims when users are associated with transactional fraud notifications, and to block all transactions involving such users or accounts except for refunds. Furthermore, Pix participants are required to create and accept fraud notifications, allowing the marking of individual or corporate taxpayer numbers (CPF or CNPJ) linked to specific fraudulent Pix transactions, and the resolution provides that notifications of non-compliance, corrective action plans, and penalties, including suspension and exclusion from Pix, may be applied in cases of failure to comply with these obligations.