Operating a payments business in Brazil without proper authorisation from the Banco Central do Brasil (the central bank, commonly styled BCB) is not a grey area. It is an enforcement risk that can freeze your banking rails, void your contracts and expose the business to administrative sanction – often before you realise the exposure exists. Brazil's regulatory perimeter for payment institutions is well-defined, actively supervised and expanding to cover digital-asset payment flows with increasing precision.
For an inbound business – a crypto exchange, a stablecoin operator, a cross-border remittance platform or an EMI (electronic money institution) seeking Brazilian fiat rails – the legal question turns on one determination: does the activity you intend to conduct fall within the Brazilian payment institution regime, and if so, which licence category applies? The answer shapes the entire go-to-market structure, the banking relationships available to you and the compliance programme you must operate before the first real transaction settles.
This page maps the regulated perimeter, the licence categories, the application process, the cross-border interaction with banking and tax, and the decision point at which engaging specialised counsel materially changes the outcome.
What activity triggers the Brazilian payment institution regime?
The Brazilian payment institution regime, established under the relevant payment-system legislation and supervised by Banco Central do Brasil, captures any business that performs payment-account management, the issuance of payment instruments, the acquisition of payment transactions, or the remittance of funds – whether in domestic or cross-border flows. The regime does not distinguish on the basis of the instrument used: fiat and digital-asset payment flows can both trigger the same authorisation requirement if the economic function is the same.
BCB has made its position on digital-asset payment firms explicit in successive regulatory communications. A business that holds client funds in a payment account, converts between currencies including digital assets and fiat, or settles obligations between two counterparties in Brazil is, in substance, operating a payment institution. The label a business applies to itself – fintech, crypto gateway, DeFi bridge – does not determine regulatory status. Function does.
Businesses we advise that have encountered this perimeter most commonly fall into three fact patterns: a foreign exchange platform adding a Brazilian payment layer, a stablecoin issuer seeking local settlement infrastructure, and a cross-border remittance operator moving value between Brazil and another hub. Each triggers the BCB regime differently. Each also intersects, in its own way, with the parallel digital-asset framework that Brazil has been building since the enactment of its crypto law framework – the regime that brought virtual asset service providers (VASPs) formally within BCB's supervisory scope.
The cross-border dimension matters immediately. A business incorporated in the EU, the UAE or Singapore that processes Brazilian-origin or Brazil-destination payments without BCB authorisation is exposed even if it has no Brazilian legal entity. BCB's jurisdictional reach extends to the economic activity, not only to the incorporated seat.
To map your specific activity against the regulated perimeter before committing to a structure, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity, the user base, the banking – change the analysis.
Which licence category applies to your business?
BCB authorises payment institutions across several functional categories, and the correct category determines capital requirements, ongoing reporting obligations and the banking relationships you can access. Selecting the wrong category – or attempting to operate across multiple functions under a single narrow authorisation – is one of the most common structural mistakes we see in inbound applications.
The principal categories are as follows. An issuer of payment instruments is authorised to create and manage the instruments that fund a payment account – prepaid cards, digital wallets and their functional equivalents. An payment account manager holds client balances and executes payment orders from those balances. An acquirer enables merchants to accept payment transactions. A payment initiator initiates payments on behalf of users without holding funds. And a remittance operator moves value across borders.
For a crypto-facing business, the most relevant categories are typically the issuer of e-money instruments and the payment account manager, because these are the functions that most closely map to holding stablecoins or fiat balances on behalf of clients and executing settlement. A VASP that also wants to issue a local payment instrument or run a merchant-acquiring layer will need to consider whether a multi-function authorisation or separate authorised entities are the correct structure.
BCB also operates a regulatory sandbox and a staged authorisation process for innovative payment models. Startups and scale-ups entering Brazil with a novel structure sometimes begin in a limited-operation mode while pursuing full authorisation. This can reduce time-to-market, but it is not a shortcut: the substantive compliance requirements apply from day one of the sandbox, and BCB expects the full authorisation application to be in process concurrently.
How does the BCB authorisation process work in practice?
The BCB authorisation process is document-intensive, sequenced and — for a business new to the Brazilian market — longer than comparable processes in more internationally familiar hubs. Applicants should plan for a process measured in months, not weeks, with BCB retaining discretion on information requests that can extend the timeline materially.
The process begins with a pre-application assessment. BCB publishes guidance on the categories of information it expects, but the preparation work – entity structure analysis, the draft internal-control framework, the AML/CFT programme design, and the corporate governance documentation – all precede formal submission. For an inbound business, this phase typically involves establishing or validating the Brazilian legal entity, since BCB generally requires an authorised person to be a Brazilian-incorporated entity or to have a Brazilian-incorporated subsidiary as the regulated vehicle.
The formal submission triggers BCB review, during which the regulator assesses the technical and financial fitness of the applicant, the adequacy of the proposed governance and risk management, and the fit of the business model within the relevant licence category. BCB will issue requests for additional information; response quality and speed materially affects the total timeline.
Approval results in a conditional authorisation, after which the business must demonstrate operational readiness – technology systems, safeguarding infrastructure, AML controls live – before BCB grants a full operating licence. In our practice, the businesses that move through BCB review most efficiently are those that enter the pre-application phase with a complete file, allied counsel who know the BCB's current supervisory priorities, and a banking relationship already scoped.
The banking relationship is not a formality. BCB requires authorised payment institutions to maintain client funds in segregated accounts at regulated Brazilian financial institutions. Securing that banking relationship before or during the application – not after approval – is a sequencing decision that has caused significant delays for businesses that left it late.
How does Brazil's crypto law framework interact with payment institution licensing?
Brazil's VASP framework – established under the crypto-asset legislation that brought virtual asset service providers formally within BCB's supervisory perimeter – operates alongside, not instead of, the payment institution regime. A business that both provides crypto-asset services and conducts payment institution activity needs to satisfy both regimes. They are not alternatives.
BCB is the designated supervisor for VASPs in Brazil – a structural choice that consolidates crypto and payments supervision in a single authority. This is significant for two reasons. First, it means BCB can and does assess a crypto-payment business against both frameworks in a single supervisory relationship. Second, it means that the AML/CFT standards BCB applies to payment institutions – derived from FATF Recommendation 15 and the Travel Rule (the obligation to transmit originator and beneficiary data with a virtual-asset transfer) – apply with equal force to VASPs.
For an exchange or stablecoin operator seeking Brazilian fiat rails, this means the compliance programme must satisfy the intersection of VASP obligations and payment institution obligations simultaneously. In practice, this increases the scope of the AML programme, the customer due-diligence requirements and the transaction-monitoring architecture relative to what either regime would require in isolation.
A micro-matter from our recent work illustrates the point. A payments company with an existing EU payment institution authorisation sought to extend its Brazilian fiat-rail capability to support stablecoin on-ramp and off-ramp services for corporate clients. The entity was already MiCA-compliant for its EU operations. In preparation for the BCB process, we identified that the Travel Rule implementation standard in Brazil diverged from the EU standard in a specific respect relevant to the client's cross-chain transaction architecture. The client rebuilt the relevant transaction-monitoring module before submission, avoiding a request for information that would otherwise have extended the timeline by the equivalent of a full review cycle.
What is the cross-border interaction with banking and tax?
For a foreign parent funding a Brazilian payment institution subsidiary, the cross-border capital and liquidity structure raises transfer-pricing and withholding questions that sit at the intersection of Brazilian tax law and BCB's foreign-capital rules. Brazil maintains a registration requirement for foreign capital – both equity and loan – entering the country, and BCB's systems are the gateway for that registration. An inbound investor that overlooks this step can find the capital legally stranded at the point it needs to satisfy the payment institution's capital requirements.
Tax treatment of digital-asset transactions in Brazil has evolved alongside the regulatory framework. The Brazilian tax authority – the Receita Federal – treats crypto-asset gains as taxable events, and Brazilian entities conducting payment institution activities with a digital-asset component will be assessed on their transaction revenues accordingly. The specific rates and characterisation rules vary by transaction type and entity structure; we address these qualitatively because they turn on facts that require detailed analysis rather than a general statement.
On the banking side, a Brazilian payment institution licence does not, by itself, guarantee access to correspondent banking. Global banks operating in Brazil have their own risk-appetite frameworks for crypto-adjacent clients, and the practical question of which correspondent banks will support a crypto-payment institution – and on what terms – is a commercial negotiation, not a regulatory right. In our practice, we have seen businesses secure BCB authorisation and then spend additional months locating a correspondent that would process the transaction volumes the business model required. Scoping the banking question in parallel with the licensing process is not optional for a business with cross-border payment flows.
If your build involves a foreign parent structure, a cross-border payment flow, or a combination of crypto and fiat settlement, the interaction between the Brazilian licensing, tax and banking layers deserves dedicated analysis before the structure is set. To map that interaction, write to OBOLUS at info@oboluslaw.com. If a prior application stalled or an account was closed, a second read can surface the structural reason and the route back.
What are the most common structural mistakes inbound businesses make?
The most common mistake is the assumption that an existing offshore or EU licence removes the need for Brazilian authorisation. It does not. BCB's regime is self-contained. A MiCA CASP authorisation, a Singapore DPT service licence, or a BVI VASP registration provides no automatic right to conduct payment institution activity in Brazil. Each provides regulatory comfort in its own jurisdiction; none substitutes for BCB authorisation where BCB-regulated activity is being conducted.
The second common mistake is treating the Brazilian legal entity as an administrative formality rather than a substantive regulatory vehicle. BCB assesses the Brazilian entity – its governance, its capital, its compliance infrastructure – and not the foreign group of which it is a subsidiary. A Brazilian subsidiary that relies entirely on group-level compliance systems, without demonstrating that those systems are tailored to the Brazilian regulatory requirements and operated by personnel with BCB accountability, will generate requests for information that extend the timeline and signal to BCB that the governance model is not fit for purpose.
Third: undercapitalisation relative to the licence category sought. BCB sets minimum capital requirements by category, and the capital must be fully paid up and held in an eligible form before authorisation. A business that builds its financial model around a category with a lower capital requirement – and then operates in a way that actually requires the higher-capital category – faces the choice of either retroactive recapitalisation or a restructuring of the product.
Fourth: leaving the banking relationship to last. As noted above, BCB requires segregated client-fund accounts at a regulated Brazilian financial institution. The time required to open those accounts – with AML due diligence, credit-risk assessment and correspondent-bank approval layered on top – routinely exceeds the time businesses allocate to it. Start early.
Which operator profile should pursue a Brazilian payment institution licence?
The decision to pursue full BCB authorisation in Brazil is, for most inbound businesses, a bet on the Brazilian market being large enough to justify the compliance investment. Brazil is, by most measures, one of the largest digital-asset and payments markets in Latin America and globally, with a sophisticated regulatory counterpart and a banking infrastructure that – once accessed – supports significant payment volumes. The question is whether your business model generates sufficient Brazilian-origin revenue to justify the cost and time of full authorisation, versus accessing Brazilian market exposure through a licensed local partner or agent.
Profile A – a major crypto exchange or stablecoin operator with a Brazilian user base already in the tens of thousands and a plan to offer local on-ramp and off-ramp: full BCB authorisation is almost certainly the right path. The regulatory risk of operating without it at that scale is acute, and a licensed local partner arrangement is unlikely to satisfy BCB's expectations once activity reaches that threshold.
Profile B – an international payments platform testing Brazilian market demand with a B2B product and a small initial client set: a licensed local partner or white-label arrangement under an existing BCB-authorised entity may be the correct first step, with full authorisation pursued once commercial traction is established. This path has its own legal complexity – the contractual and liability structure of a partner arrangement needs careful drafting – but it defers the capital and time investment in BCB authorisation until the market case is proven.
Profile C – a fintech group with an existing EU or APAC payment institution licence that sees Brazil as part of a regional expansion: the cross-border structure question is the first decision. Does the group operate a Brazilian subsidiary with full BCB authorisation, or does it partner with an existing Brazilian PI? The answer depends on the product, the data-localisation requirements, the group's risk appetite, and the tax and transfer-pricing implications of the chosen structure.
In all three profiles, the decision is better made with a clear view of the full licence, banking and compliance stack before any commitment is made to a specific structure.
Related at OBOLUS
- Banking, Payments & EMI Onboarding for Digital Asset Businesses – how we structure and execute the full payments-licensing and banking stack for operators globally
- Legal Counsel for Crypto Payment Firms – tailored advisory for payment businesses with digital-asset product lines
- Token Sale Agreement Drafting in France (AMF/PSAN) – structuring token issuance in an EU jurisdiction with a comparable authorisation regime
FAQ
Why do banks close crypto company accounts?
Banks apply their own risk-appetite frameworks to client onboarding and ongoing review. Crypto companies are frequently assessed as high-risk due to perceived AML exposure, regulatory uncertainty in the client's operating jurisdictions, and the difficulty of applying standard transaction-monitoring tools to on-chain flows. Account closure commonly follows a periodic review in which the bank concludes that the client's compliance documentation does not meet its internal threshold. The solution is structural: demonstrating regulatory standing – for example, a BCB authorisation in Brazil – materially changes the risk characterisation a bank applies to the account relationship.
How can a VASP onboard with an EMI?
A VASP seeking to onboard with an EMI (electronic money institution) must typically satisfy the EMI's AML due-diligence process, which is more intensive than standard business onboarding. The EMI will assess the VASP's regulatory status, its AML programme, its transaction-monitoring capability, and its customer due-diligence practices. VASPs with a formal licence – BCB authorisation, a MiCA CASP, a Singapore DPT licence – are significantly easier to onboard because the regulatory record provides a due-diligence shortcut. VASPs operating in unregistered or grey-zone markets face materially lower acceptance rates across EMI networks.
What does client-money safeguarding require?
Under Brazil's payment institution regime, a BCB-authorised entity must hold client funds in segregated accounts at a regulated Brazilian financial institution, ring-fenced from the institution's own operational funds. This safeguarding requirement is structural: the accounts must be established, documented and operationally maintained before BCB will grant a full operating licence. Equivalent obligations apply under the EU's payment services framework and MiCA for certain token issuers. In practice, safeguarding is as much a banking-relationship question as a legal one: the institution holding the segregated accounts must be willing to maintain them on terms consistent with the regulator's expectations.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the entirety of our practice – we act only for businesses, not for individuals. Our team maps the licence, banking and compliance stack across operating, custody and payment layers before a client commits to a structure, because a structural fix after launch costs orders of magnitude more than a structural design before it. To discuss your situation, contact info@oboluslaw.com or message us via t.me/oboluslaw.
By Victor Olsen, Regulatory & Compliance Analyst – specialising in payment institution licensing, VASP regulatory perimeter analysis and cross-border compliance design for digital-asset businesses.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.