1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

In general terms:

  • the Central Bank of Brazil regulates fintechs operating in the credit and payments segments;
  • the Securities and Exchange Commission (CVM) regulates fintechs operating with securities (eg, digital security brokers, equity crowdfunding platforms and platforms that operate with security tokens); and
  • the Superintendency of Private Insurance (SUSEP) regulates insurtechs.

Fintechs that operate with payments are governed by, among others:

  • Law 12,865/13;
  • Resolution 4,282/13 issued by the National Monetary Council; and
  • Circulars 3,680/13, 3,681/13, 3,682/13 and 3,885/18.

Fintechs that operate with credit are governed by Law 4,595/64 and Resolution 4,656/18, among others.

Fintechs that operate with securities are governed by Law 6,385/76 and Instructions 400/03, 476/09 and 588/17 issued by the CVM.

It is expected that insurtechs will be able to avail of a regulatory sandbox established by SUSEP, as set forth in Resolution 381/20 issued by the National Private Insurance Council and Circular 598/20, which creates an experimental regulatory environment for insurance companies with innovative business models.

Finally, fintechs must comply with:

  • the General Data Protection Law (13,709/18, expected to come into force in 2021);
  • the Anti-money Laundering Law (9,613/98); and
  • the Bank Secrecy Law (Complementary Law 105/01).

Regarding their online presence, fintechs must also comply with the Internet Civil Rights Framework (Law 12,965/14).

1.2 Do any special regimes apply to specific areas of the fintech space?

Yes. Special regimes apply to fintechs operating with payments, credit, securities and insurance.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The bodies responsible for enforcing the applicable laws and regulations are:

  • the Central Bank of Brazil, for fintechs that deal with credit and/or payments;
  • the CVM, for fintechs that deal with securities; and
  • SUSEP, for fintechs that deal with insurance.

The Central Bank is responsible for:

  • regulating and supervising credit and foreign capital in Brazil;
  • monitoring financial institutions; and
  • imposing penalties.

The Central Bank is the competent body for granting authorisations to financial institutions that intend to:

  • operate in Brazil;
  • establish or transfer their headquarters or subsidiaries to Brazil;
  • engage in M&A activity; and
  • perform operations involving exchange, real state credit, government bonds, credit securities, debentures and others.

The Central Bank also liaises with foreign and international institutions on behalf of Brazil's federal government and permanently monitors companies acting, whether directly or indirectly, in the financial and capital markets.

The CVM is the competent regulatory body for matters involving, among others:

  • the issuance and distribution of securities;
  • negotiation and intermediation in securities and derivatives markets;
  • organisation, functioning and operation in the stock markets; and
  • the auditing of publicly held companies.

Pursuant to Law 6,385/76, some of the most common assets categorised as ‘securities' under Brazilian law include shares, debentures, subscription bonuses (as well as coupons, rights, receipts and certificates), securities deposit receipts, shares of investment funds and future agreements.

Finally, SUSEP is responsible for supervising the constitution, organisation and operation of insurance companies. To this end, SUSEP has the power (without limitation) to:

  • process authorisation requests for constitution and M&A activity involving insurance companies;
  • regulate insurance operations;
  • dictate conditions for policies, operation plans and fees to be mandatorily adopted in the insurance market; and
  • approve limits to insurance operations.

1.4 What is the regulators' general approach to fintech?

The Brazilian regulators are generally very supportive of the growth and development of fintechs. For instance, the Central Bank of Brazil is leading important initiatives, such as the implementation of the open banking ecosystem, the instant payments system and the regulatory sandbox (all expected to be implemented in 2020).

Similarly, the Brazilian Securities and Exchange Commission and the Brazilian Superintendency of Private Insurance are also implementing a regulatory sandbox which would temporarily allow companies to operate and implement disruptive business models.

1.5 Are there any trade associations for the fintech sector?

Yes. There are several fintech associations in Brazil, including the following:

  • ABFintechs (Brazilian Fintechs Association) represents innovative technology companies that are currently reinventing products and financial services.
  • ABCD (Brazilian Association of Digital Credit) was established in 2016 as the result of a coordinated initiative by Brazilian fintechs acting in the credit segment. ABCD focuses on challenging the high interest rates imposed by traditional credit institutions.
  • ABIPAG (Brazilian Payment Institutions Association) is dedicated to promoting innovation and competition in the Brazilian electronic payments market. According to ABIPAG, newcomers must contend with a highly verticalised payments market, with substantial barriers to competition.
  • PAGOS (Management of Electronic Payments Association) is an association for companies that issue, process and manage prepaid payment cards (and any other players in this sector) used in day-to-day payment systems (eg, payment of workers' benefits, such as meal and transportation allowance; gift cards); and
  • ABRANET (Brazilian Association on Internet Matters) supports companies offering services or information, and performing research and development activities or other activities relating to information and communication technology and the Internet.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

The sub-sectors of the fintech industry that are most embedded in Brazil are payments, credit, securities and insurance.

2.2 What products and services are offered?

In general terms, fintechs offer (local and cross-border) payments services and credit (mainly directed to small and medium-sized enterprises and individuals). Additionally, Brazilian fintechs offer foreign exchange services (international payment facilitators and digital brokers), among other services.

2.3 How are fintech players generally structured?

Most regulated fintechs in Brazil are structured as:

  • payment institutions (electronic money issuers, acquirers and credit card issuers);
  • direct credit companies;
  • insurtechs (digital insurance brokers); and
  • crowdfunding platforms.

Most non-regulated fintechs are structured as sub-acquirers and international payment facilitators.

2.4 How are they generally financed?

Often, initial investments (seed and early growth) in fintech are provided by angel investors. Financing also occurs through venture capital and private equity.

In some cases, fintechs integrate into an economic group or are part of a financial conglomerate which finances its activities in Brazil.

2.5 How are they positioned within the broader financial services landscape?

The financial sector in Brazil has been marked by concentration, a trend which is still in evidence today. Nonetheless, fintechs have been growing their market share in the country since 2010, due mostly to the booming payments sector, the growth of e-commerce and the dissemination of digital technologies within the population.

The implementation of the open banking ecosystem in Brazil (expected by the end of 2020) will enhance efficiencies in the credit and payments markets by promoting a more inclusive and competitive business environment, potentially further fostering the growth and development of fintechs.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

In Brazil, it is common for start-ups to outsource back office functions, in order to minimise costs by using technologies and expertise that already exist, as it is cheaper, faster and easier to outsource than to develop these from scratch.

The main legal implications concern data protection, exposure and leakage of clients' data.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

The main normative instruments that fintechs should be aware of in this regard are:

  • Law 12,965 of 23 April 2014 – the Internet Civil Rights Framework; and
  • Law 13,709 of 14 August 2018 – the General Data Protection Law.

The Internet Civil Rights Framework sets forth principles, prerogatives, rights and obligations relating to the use of the Internet in Brazil.

The Internet Civil Rights Framework provides that agents are free to create new business models to be promoted on the Internet, and encourages innovation and new technologies – as long as they comply with the standards established therein.

It is essential to promote and encourage free initiative and free competition. However, it is also important to ensure strong consumer protection, especially regarding users' privacy and personal data, which receives special treatment and thus demands close attention and compliance by companies that operate online in the country.

The Internet Civil Rights Framework guarantees the following rights, among others, to Brazilian internet users:

  • the inviolability of their intimacy and private life, with a right to compensation for material and moral damages in case of violation;
  • the confidentiality of their communication flows and privacy of conversations on the internet;
  • clear and complete information on service agreements, with special attention to the protection regime applicable to connection and access registers; and
  • the protection of personal data, together with clear and complete information on the treatment of such personal data.

Brazilian internet users also have the right to not have their personal data disclosed to third parties without their free and informed consent and may request, at any time, definitive exclusion of personal data collected by a company.

Breach of any provisions of the Internet Civil Rights Framework can incur the following penalties:

  • a warning;
  • a fine of up to 10% of the company's economic group income in its last accounting year;
  • the temporary suspension of activities involving personal data; or
  • a prohibition on conducting activities involving personal data.

A foreign company is jointly liable for any fine imposed on a branch, subsidiary, office or commercial establishment located in Brazil.

Fintechs must also observe the provisions of the General Data Protection Law, which is expected to come into force as of 2021.

The General Data Protection Law was established to centralise in a single statute the main rules on the processing of data relating to natural persons, across all sectors. As the activities of fintechs frequently involve personal data, the provisions of the law and its implications must be given special consideration by these players.

Fintechs acting in the e-commerce segment must also comply with the Brazilian Consumer Defence Code.

(b) Mobile (m-commerce)

There is no special regime governing m-commerce in Brazil, so the general legislation relating to the Internet, the protection of personal data and consumer protection will apply (ie, the same regulatory framework as for e-commerce).

(c) Big data (mining)

There is no special regime governing big data, so mining activities must comply with the same regulatory framework as applies to e-commerce (ie, the general legislation on the Internet and the protection of personal data).

(d) Cloud computing

Cloud computing is regulated by the National Monetary Council (CMN) and the Central Bank of Brazil through Resolution 4,658/18 and Circular 3,909/18, respectively.

Resolution 4,658 established new cybersecurity requirements and policies for data processing, data storage and cloud computing that must be observed by financial institutions and institutions licensed by the Central Bank.

Circular 3,909 also addresses matters relating to cybersecurity policy, data storage and the cloud, which must be observed by payment institutions licensed by the Central Bank.

Therefore, fintechs acting as financial institutions, payment institutions or other institutions licensed by the Central Bank must comply with and implement the policies established in the applicable instruments.

(e) Artificial intelligence

There is currently no specific regulation applicable to artificial intelligence (AI) in Brazil, although a bill is before Congress which, if enacted, would regulate the use of AI.

In the meantime, in case of damage caused by AI, the general provisions of the Civil Code (Law 10,406/02) on civil liability may apply.

In addition, if the AI device involves the processing or use of personal data, the company must comply with the General Data Protection Law (Law 13,709/18), expected to come into force in 2021.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Cryptocurrencies in Brazil are not as yet regulated. However, the Central Bank of Brazil published Communiqué 25,306 on 19 February 2014 and Communiqué 31,379 on November 16, 2017, both of which clarify the risks relating to the acquisition, storage and negotiation of cryptocurrencies and the performance of transactions involving cryptocurrencies. In these communiqués, the Central Bank clarifies, for instance, that cryptocurrencies should not be confused with electronic currencies (ie, resources stored on a device or electronic system that allows the end user to perform a payment transaction in Brazilian currency).

Additionally, the Central Bank confirms that cryptocurrencies are not issued or guaranteed by any monetary authority, and have no guarantee of conversion to the official currency (fiat currency) or to any real asset. It emphasises that the value of cryptocurrencies may fluctuate dramatically, which could ultimately result in a total loss of value.

As cryptocurrencies can be used in illicit activities, Central Bank states that their owners may be subject to investigations by public authorities. Finally, cryptocurrencies stored in e-wallets could be affected by attacks perpetrated by criminals, resulting in patrimonial losses to their owners.

The Securities and Exchange Commission (CVM) has also issued notes on initial coin offerings (ICOs) stating that it neither recommends nor ratifies ICOs, and limiting its analysis to the identification of whether an offer could represent a public offer of securities (which is regulated by the CVM). In addition, the CVM has warned investors (especially in relation to issuers or offers that are not registered with the CVM) to beware of:

  • the risk of fraud or pyramid schemes;
  • the non-existence of formal suitability procedures;
  • the risk of money laundering and tax evasion;
  • the operation of service providers in breach of the applicable legislation;
  • advertising materials that are not compliant with the CVM's regulations;
  • operational risks in negotiation environments that are not monitored by the CVM;
  • cyber risks;
  • operational risks relating to virtual assets and their systems;
  • volatility relating to virtual assets;
  • liquidity risks associated with virtual assets; and
  • legal and operational challenges in case of litigation with issues arising from the multi-jurisdictional character of transactions involving virtual assets.

On 3 May 2019 the Brazilian Federal Revenue issued Normative Instruction 1,888, governing the obligation to report transactions involving crypto assets to the Special Secretariat of the Brazilian Federal Revenue on a monthly basis, under penalty of fine.

Additionally, Law 9,613 of 3 March 1998, as amended (the Anti-money Laundering Law), applies to transactions involving cryptocurrencies.

Blockchain is not regulated in Brazil.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Crowdfunding is regulated by Instruction 588, issued by the CVM on 13 July 2017.

Instruction 588/17 establishes that investment-based crowdfunding (ie, a public offer of securities in order to raise funds) for small-sized companies does not require prior registration with the CVM if:

  • the funds raised do not exceed BRL 5 million and the fundraising term is no longer than 180 days;
  • the offer complies with the procedures set forth in the instruction;
  • investors are guaranteed a seven-day cooling-off period; and
  • the amount raised is not used for operations involving other companies (eg, mergers and acquisitions, acquisitions of shares or securities, concession of credit).

Except as provided in the instruction, annual investments in crowdfunding are limited to BRL 10,000 per investor.

An electronic crowdfunding platform must be duly constituted and organised in Brazil and requires prior authorisation from the CVM. To register with CVM, the platform must fulfil the requirements laid down in the instruction, which include a minimum paid-in capital of BRL 100,000.

Fintechs that aim to raise funds through crowdfunding must thus comply with the instruction or fulfil the requirements for exemption from prior registration. Fintechs that aim to operate as crowdfunding platforms in Brazil must observe the instruction, together with other determinations of the CVM.

Peer-to-peer lending in Brazil is usually structured through:

  • a bank correspondent of a financial institution, which performs credit-linked transactions with creditors and borrowers; or
  • a peer-to-peer credit company, which is a financial institution regulated by the National Monetary Council (CMN) through Resolution 4,656 of 26 April 2018. Peer-to-peer credit companies must have a strict social purpose and their operations must comply with the terms and conditions set forth in Resolution 4,656/18.

Consequently, Instruction 588/17 and Resolution CMN 4,656/18 have brought clarity and legal security to companies, platforms and investors. They constitute a solid framework which must be mandatorily observed by agents.

(b) Online lending and other forms of alternative finance

The most common fintechs providing online lending through electronic platforms are the credit fintechs regulated by Resolution 4,656, issued by the National Monetary Council on 26 April 2018, which provides for two different types of credit fintechs:

  • direct credit companies; and
  • peer-to-peer credit companies.

In addition, several digital platforms operate as bank correspondents in Brazil through partnership with a financial institution that originates the credit.

Regarding online lending, Resolution 4,656 sets out:

  • which entities can act as creditors and debtors in lending operations;
  • the requirements and procedures for online lending operations;
  • the provisions that must be included in instruments supporting lending operations; and
  • the terms for release of the applicable funds.

Peer-to-peer credit companies are forbidden from, among other things:

  • performing lending operations with their own resources;
  • owning participating interests in financial institutions; and
  • remunerating or using for their own benefit funds related to lending operations.

Pursuant to the resolution, a peer-to-peer credit company shall intermediate lending operations, providing services to the parties and thereby being entitled to charge fees for such purpose.

Additionally, a creditor must not participate in operations with the same debtor beyond a limit of BRL 15,000.

In conclusion, a fintech that aims to provide online lending services in Brazil must adapt its business model to the structure required under the current legislation, alongside the applicable requirements.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)

Payment service providers are generally regulated in Brazil as sub-acquirers, which do not need a licence from the Central Bank of Brazil to operate.

Under Brazilian law, a ‘sub-acquirer' is a participant in a payment scheme that enables the recipient end user to accept the payment instrument issued by a payment institution or financial institution participating in the same payment scheme. The sub-acquirer does not participate in the liquidating process of payment transactions as a creditor of the issuer.

As sub-acquirers, such payment services providers shall enter into agreements with acquirers and therefore join the payment scheme as participants. Such companies must comply with the applicable legislation on payment schemes (including Circulars 3,885, 3,886 and 3,887 issued by the Central Bank of Brazil), together with know-your-customer and anti-money laundering prevention mechanisms, among others.

Sub-acquirers in Brazil still face a centralised market, as traditional banks dominate most segments of the payment chain.

(d) Forex

Under Brazilian regulation, forex activity is regarded as derivatives activity and is therefore subject to Law 6,385/76 (which regulates securities and exchange activities) and general control and inspection by the CVM.

Pursuant to Law 6,385/76, a public offer of forex must be registered with CVM and must be made by an institution participating in the securities distribution system. CVM's Instruction 400/03 regulates the distribution of such assets.

Therefore, the offering of investments relating to forex to Brazilian individuals must strictly comply with the Brazilian regulations on the subject.

According to CVM's understanding, with regard to forex brokers, a fundraising will be deemed valid only if:

  • the prospection activity was performed abroad; and
  • the operation cannot be characterised as a public offer made in Brazil, according to the current regulation.

Otherwise, the offer is illegal, potentially constituting either an administrative violation before CVM or even a crime against the national financial system (as defined by Law 7,492/86).

In conclusion, any agent that aims to offer forex-related services or products to the Brazilian market must be rigorously cautious and, if possible, initiate activities only following prior consultation with the CVM.

(e) Trading

The most relevant players in the Brazilian trading sector are:

  • securities and exchange brokers;
  • securities and exchange distributors; and
  • financial institutions whose main or secondary purpose is the intermediation of operations in regulated securities markets.

Such services involve the execution of securities and exchange sale and purchase orders for clients, but may also include:

  • providing information on investment analysis;
  • managing securities portfolios (including investment funds); and
  • providing custody services.

Trading operations involving securities in regulated securities markets must comply with CVM Instruction 505/11. To operate in this segment, the company must be authorised to act as a participant in the distribution system and fulfil the requirements set forth in CVM Instruction 505/11.

With regard to exchange operations, a bill of law is pending deliberation by the Brazilian Congress which aims to modernise the national exchange regime (Bill of Law 5,387/19) and open the market to foreign investment. The bill would consolidate 39 legal instruments that variously govern exchange operations and appoint the National Monetary Council as the competent body for issuing supplementary provisions.

(f) Investment and asset management

CVM Instruction 558/15 provides for the professional management of securities portfolios. Players can be registered as fiduciary managers or resource managers, and may perform asset management activities only with the prior authorisation of the CVM and in compliance with the instruction's terms and conditions.

(g) Risk management

The Central Bank of Brazil provides that the risk management structures of payment institutions must consider operational, credit and liquidity risks. Such structures must:

  • be compatible with the nature of the institution's activity and the complexity of the services rendered;
  • be separate from the unit performing the internal audit function;
  • allow for the identification, measurement, monitoring, control and mitigation of risks in a continuous and integrated manner;
  • present policies and strategies reviewed by the institution's board at least annually; and
  • maintain all documentation regarding risk management policies and strategies, so that it can be accessed by the Central Bank at its discretion.

Regarding operational risks, the structure shall provide, among other things, for:

  • a contingency plan and mechanisms guaranteeing continuity of services;
  • mechanisms for the protection and security of data, network, sites, servers and communication channels;
  • procedures for monitoring, tracking and limiting access to sensitive data; and
  • user authentication mechanisms.

Similarly, regarding liquidity risks, the structure shall provide for:

  • procedures for identification, assessment, monitoring and control of exposure to liquidity risks; and
  • liquidity contingency plans, which must anticipate liabilities and set out procedures for situations of liquidity stress.

For credit risks, the structure shall provide for:

  • transaction limits;
  • procedures for identification, assessment, monitoring and control of exposure to credit risks; and
  • procedures for credit recovery.

Central Bank Circular 3,680/13 provides that payment institutions must also implement risk management systems aimed at preventing money laundering and combating terrorist financing.

On the other hand, for an insurtech to be allowed to participate in the regulatory sandbox (implemented by Resolution 381/20 of the Superintendency of Private Insurance), it must have had previously analysed the major risks regarding its activities, including risks relating to cybersecurity and a mitigation plan for occasional damages.

Lastly, pursuant to Instruction 588/17 of the CVM, electronic platforms that aim to offer investment-based crowdfunding must, among other requirements for eligibility, present a code of conduct setting out rules, procedures and internal controls for the identification, analysis and mitigation of risks. Such platforms must also obtain prior confirmation from investors of acknowledgement of the risks involved in such operations.

In conclusion, a fintech that aims to act as a payment institution under Brazilian law may face more robust regulation of its risk management structure (which could result in specific expenses in order to ensure compliance). Insurtechs and crowdfunding platforms must also be aware of possible risks and present appropriate plans for mitigation.

(h) Roboadvice

Roboadvisers provide services regulated by the CVM. The rules in this regard are the same as those applicable to humans providing the same services, such as those set out in Instructions 539, 558, and 592, and in the General Data Protection Law (expected to come into force in 2021). Nonetheless, no particular regime applies in this regard to roboadvice; the applicable rules will be the same in terms of the fiduciary duties of human advisers.

(i) Insurtech

Currently, insurtechs are regulated and supervised like traditional entities by the Superintendency of Private Insurance (SUSEP). The Brazilian insurance market is comprised of large insurance and reinsurance companies, private pension funds and insurance and reinsurance brokers.

The insurance sector is regulated by Decree-Law 73 of 21 November 1966 and Complementary Law 126/07.

In March 2020 SUSEP published Resolution 381/20, which sets forth conditions for the temporary authorisation and operation by companies participating in an experimental regulatory environment (regulatory sandbox). To be eligible, interested companies must, among other things, offer a product and/or service that is deemed innovative and use remote devices in operations relating to insurance plans.

The regulatory sandbox for insurtechs reflects the regulator's desire to modernise the insurance sector opening it up to new business models and ideas.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

The General Data Protection Law, expected to come into force in 2021, sets out a strong baseline data protection framework for Brazil and elevates it to a new level regarding the collection, use, access, storage and other processing of personal data.

The law will apply regardless of the form of processing (physical or digital, face to face or remotely) of any information relating to an identified or identifiable natural person.

The law will apply to companies that are not established in Brazil, where:

  • the processing is carried out in the national territory;
  • the purpose of the processing purpose is to offer or supply goods or services to individuals located in the national territory;
  • the data processed is from individuals located in the national territory; or
  • the data was collected in the national territory.

Pursuant to the law, ‘personal data' is defined as any data relating to an identified or identifiable natural person, including identification numbers, location data and electronic identifiers. The nature of the relationship between the data subject and the processing agent does not matter, but the nature of the processed data is important (if it identifies or allows the person to be identified). The law also defines ‘sensitive personal data', which includes personal data on racial or ethnic origin, religious and political convictions, health or sex life, and genetic or biometric data, among others.

Regarding fintech companies, many of the information contained in big data databases (which are commonly used by fintechs) is information that, according to the law, should be considered personal data or even sensitive personal data, which is collected directly by payment institutions through their platforms, or indirectly through databases provided by third parties. It is therefore necessary to protect them in the manner provided for by legislation.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

In addition to the General Data Protection Law, in terms of regulation, the National Monetary Council and the Central Bank of Brazil have issued significant rules on this matter.

Resolution 4,658/18 provides cybersecurity policies and requirements for data processing services, data storage, and cloud computing that must be observed by financial institutions and other institutions licensed by the Central Bank.

Circular 3,909/18 also regulates cybersecurity policies and requirements for data processing services, data storage, and cloud computing that shall be observed by payment institutions licensed by the Central Bank.

Therefore, provided that fintech companies largely employ data processing and cloud computing in their core activities, such companies must strictly comply with the abovementioned regulation.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The Central Bank of Brazil is responsible for supervising and ensuring that all licensed entities comply with Law 9,613/98, which provides for the prevention of money laundering and terrorist funding in the national financial system. Fintechs and other entities acting in the financial and capital markets in Brazil (whether or not licensed by Central Bank) must implement controls to prevent financial crime, including onboarding procedures, anti-corruption policies and internal anti-money-laundering controls.

Law 13,810/19 provides for the imposition of sanctions by the United Nations Security Council in relation to the targets of investigations into terrorism, financing or related acts.

The Financial Activities Control Council is responsible for all investigations relating to financial crimes, including bitcoin and cryptocurrencies.

Fintechs operating in Brazil must comply strictly with the applicable regulations.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

From a competition perspective, fintechs operating in Brazil (especially in the credit and payments segments) still face substantial barriers. In the credit segment, traditional credit institutions still impose high interest rates; in the payments segment, newcomers are confronted with a highly verticalised market and, in order to comply with the regulations, must often rely on other players to perform their activities (eg, sub-acquirers).

However, in the last few years, the regulators have expressed their intention to modernise and increase competitiveness in the financial sector.

As an example, in 2020 Brazilian Securities and Exchange Commission (CVM) paved the way for the regulatory sandbox in Brazil. In opening discussions with players proposing innovative solutions in the financial and capital markets, the CVM is keen to hear from these players about the main challenges they face and possible changes in terms of regulation.

Another pro-competition initiative that is expected to benefit fintechs is the implementation of open banking (expected to occur this year). As open banking will give consumers the autonomy to share their financial information, fintechs will have access to databases that are currently controlled by traditional institutions. This measure aims to increase efficiencies and competition in the national financial system, boosting the environment for newcomers.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

In Brazil, IP rights are divided into industrial property and authors' rights. Industrial property encompasses trademarks, patent and utility models, and is regulated by the Industrial Property Law (9,279/96). The Brazilian National Institute of Industrial Property (INPI) is the governmental entity responsible for executing the norms with regard to industrial property according to its social, economic, legal and technical purpose. Authors' rights, on the other hand, are regulated by two federal laws:

  • the Software Law (9,609/98), on software; and
  • the Authors' Rights Law (6,610/98), on artistic works.

Pursuant to the applicable legislation regarding industrial property, only inventions and utility models can be registered as patents (and therefore be protected under the Industrial Property Law, along with registered trademarks). ‘Know-how', computer programs and commercial or financial methods, for instance, are deemed neither inventions nor utility models, and in this sense cannot be subject to patent registration.

Although software may be registered with INPI under the Software Law in order to prove ownership, it is legally protected even if it is not registered.

Technological know-how is commonly subject to licensing or transfer agreements, which set out conditions for the acquisition of knowledge that is not protected as property rights.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

The Central Bank of Brazil, the Brazilian Securities and Exchange Commission and the Brazilian Superintendency of Private Insurance are promoting innovation by introducing some important initiatives which will open up the regulatory environment to new possibilities, such as:

  • the regulatory sandbox for banking and insurtechs (an experimental regulatory environment for disruptive companies and business models);
  • open banking (which may ultimately allow access to consumer databases exclusively owned by traditional banks); and
  • instant payment regulation (fostering the implementation of more flexible payment instruments).

Traditional banks are also developing innovation programmes involving fintechs, such as Bradesco's InovaBR, Itau's Cubo and BTG's Boostlab.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Start-ups and fintechs do not have a specific labour regime in Brazil, and must therefore comply with the general labour regime laid down by the Consolidation of Labour Laws.

In general, compliance with the law seems to be a distant issue for early-stage start-ups. This notwithstanding, as these companies grow and external investment rounds take place, labour issues may arise and could become a liability.

Start-ups may outsource their activities to contracting companies that provide services to third parties. In this case, the start-up will not have employment bonds with the employees designated by the outsourcing company, as the latter remains responsible for complying with labour obligations and managing those employees.

However, the start-up that is contracting the outsourced services must guarantee suitable working conditions for performance of the services and has subsidiary liability for compliance with the labour obligations set out in the Consolidation of Labour Laws, in the event that the outsourcing company fails to do so.

Nevertheless, if the start-up outsources services, but the four requirements that must be met under the Consolidation of Labour Laws for an employment relationship to exist (ie, individuality, regularity, generosity and subordination) are satisfied, the service provider is deemed to be a full-time employee for all intents and purposes under the law, regardless of his or her consent otherwise through any other form of engagement.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

As the fintech ecosystem in Brazil is in its early stages, strategies to attract specialists from overseas are still nascent.

Regarding national talent, fintechs often attract young talent keen to innovate and join a non-traditional workspace, but strategies to attract more experienced professionals are still being designed. Some start-ups are offering competitive salaries and generous benefit packages to this end.

In terms of regulation, there is no specific immigration regulation regarding specialist talent. However, to hire an employee from overseas, it is mandatory to request a temporary working visa and/or permission of residence in Brazil, which allows for the issuance of all documents necessary for regular work in Brazil.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

On 4 May 2020 the Central Bank of Brazil issued the Open Banking Regulation, which, with the customer's consent, will permit fintech entities to have access to data from traditional financial institutions regarding their clients, products and transactions. Open banking is expected to be implemented by the second semester of 2020.

Regarding bitcoin and cryptocurrencies, the Central Bank is monitoring their evolution in order to take the appropriate measures when necessary. Bills of law regarding cryptocurrencies are being discussed, and one of the ideas that have been proposed is to regulate transactions through electronic platforms and to include cryptocurrencies within the concept of electronic currencies. The Central Bank would oversee transactions involving cryptocurrencies. The issue of cryptocurrencies by legal entities is also being discussed.

Regarding foreign exchange operations, a bill of law is being discussed in Congress which aims to modernise the national exchange regime (Bill of Law 5,387/19) and open the market to foreign investment. The bill would consolidate 39 legal instruments that variously govern exchange operations and appoint the National Monetary Council as the competent body for issuing supplementary provisions.

Finally, the Central Bank has announced the launch of its instant payments system (PIX) as part of a wider innovation programme that aims to modernise the Brazilian payments system. The idea is to provide a cheaper, more accessible and more inclusive alternative to perform payment transactions. PIX is expected to be implemented by November 2020.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

With all regulations under discussion, mainly by the Central Bank of Brazil, we can expect a more open, competitive and favourable financial market, with many opportunities for fintechs.

As sticking points, although the Brazilian regulators are showing increasing interest in promoting innovation and competition in the ecosystem, fintechs must still face the same conditions as other companies operating in Brazil. The rigidity of the tax and labour regimes requires a cautious approach for newcomers in order to reduce liabilities and expenditures.

In addition, although promising changes are expected to be implemented in the near future, such as open banking and instant payments, the credit sector remains very concentrated and dominated by traditional institutions, resulting in competitive barriers for fintechs operating in this segment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.