BRAZIL Law and Practice Contributed by: Eduardo Castro, Pedro Nasi and Gabriel Libanori, Machado, Meyer, Sendacz e Opice
Actions that can be taken in response to administrative wrongdoings include:

• making the sanctioning public;
• pecuniary sanctions;
• prohibiting the provision of certain services for a specific period;
• prohibiting certain activities or operations for a specific period;
• prohibiting individuals from acting as officers or assuming statutory roles in entities authorised to operate by the BCB for a specific period; and
• licence cancellation.

It should be noted that the BCB and the CVM are legally allowed to enter into administrative agreements (settlement terms) with the relevant regulated entities and individuals, pursuant to certain rules and requirements.

2.11 Implications of Additional, Non-Financial Services Regulations

All public and private Brazilian entities that process personal data must comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD).

In addition, fintech companies authorised to operate by the BCB must comply with specific cybersecurity regulations. In general terms, applicable regulations establish that these entities must:

• guarantee the confidentiality, integrity and availability of the data and information systems;
• put in place internal policies, procedures and controls to prevent incidents related to the cyber environment; and
• ensure the security of sensitive information.

An action and response plan in respect of security incidents must be established as well.

Recently, the CMN and BCB tightened the framework by altering the supervisory stance towards minimum cybersecurity requirements and reinforcing the requirements for critical environments connected to the National Financial System Network (Rede do Sistema Financeiro Nacional, RSFN) and Pix. Also, accreditation procedures have been introduced for information technology service providers (prestadores de serviços de tecnologia da informação, PSTI) with access to RSFN, which may affect vendor selection, contracting and governance in fintech outsourcing chains.

2.12 Review of Industry Participants by Parties Other Than Regulators

Institutions duly authorised by the BCB must conduct internal and independent audits. Current regulations set forth that such entities must have internal audit units and retain independent auditors duly registered with the CVM. Depending on the size of the institution, additional requirements may apply, such as the incorporation of a statutory audit committee. Market self-regulatory bodies may also audit their participants, such as card scheme settlors, ANBIMA, B3 (the Brazilian Stock Exchange) and FEBRABAN (the Brazilian Federation of Banks).

2.13 Conjunction of Unregulated and Regulated Products and Services

Generally, institutions regulated by the BCB can only conduct the activities listed in the specific regulation applicable to them and that have been duly included in the institution’s corporate purpose statement. Depending on the type of institution, additional services may be rendered only:

• through the establishment of a subsidiary, subject to prior authorisation from the BCB in the case of financial institutions;
• if the services are supplementary to their core business, in the case of payment institutions; or
• when not expressly forbidden.

2.14 Impact of AML and Sanctions Rules

Federal Law No 9,613/98 (the “AML Law”) sets forth a set of obligations that certain individuals and legal entities must comply with, in accordance with the rules issued by their relevant supervisory authority, summarised as follows:

• identify clients and keep the relevant information updated;
• record transactions;