Brazil Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Lei 9.613/1998 / Lei 12.683/2012
Data protection: LGPD
Also: COAF, CVM

Who regulates financial crime in Brazil?

Three bodies share oversight of financial crime in Brazil. Knowing which one governs your business determines which rulebook you follow.

BACEN (Banco Central do Brasil) is the primary regulator for banks, payment institutions, and credit cooperatives. It issues binding circulars and resolutions on AML/CFT obligations, conducts on-site and remote inspections, and imposes administrative sanctions including fines and licence revocation. BACEN covers both prudential standards and financial-crime controls. It's the regulator that matters most for any institution taking deposits or processing payments in Brazil. The AML/CFT supervisory framework is published at bcb.gov.br.

COAF (Conselho de Controle de Atividades Financeiras) is Brazil's Financial Intelligence Unit. Since 2019, COAF has sat administratively within BACEN following Medida Provisória 893/2019, though it retains operational independence for intelligence analysis and dissemination. COAF receives suspicious transaction reports and mandatory cash transaction reports, analyses the data, and shares financial intelligence with law enforcement and prosecutors. It also supervises non-financial sectors where no sectoral regulator exists: real estate brokers, accountants, jewellery dealers, and lawyers. COAF's guidance and reporting portal are at gov.br/coaf.

CVM (Comissão de Valores Mobiliários) is the securities regulator. It sets AML/CFT rules for broker-dealers, investment managers, and capital-market intermediaries through CVM Resolution 50/2021, which updated the earlier CVM Instruction 301/1999. CVM coordinates with BACEN and COAF through the CMN framework, and both bodies report to the Ministry of Finance.

Brazil is a FATF member and underwent its most recent mutual evaluation in 2010, with a follow-up review completed in 2016. The FATF's published country assessment is at fatf-gafi.org.


What are the key AML and fraud laws in Brazil?

Lei 9.613/1998 (the Lei de Lavagem de Dinheiro) established Brazil's AML framework and created COAF as the FIU. The original statute drew sustained criticism for its closed list of predicate offences, which let defendants argue that the specific crime generating the proceeds wasn't covered.

Lei 12.683/2012 eliminated that problem entirely. The 2012 amendment removed the closed list. Any criminal offence can now serve as a predicate for a money-laundering charge. The reform also extended AML obligations to a broader set of entities, raised maximum prison sentences from eight to sixteen years for aggravated laundering, and introduced corporate criminal liability. Both statutes are on the Planalto official legislation portal.

For banks and payment institutions, BACEN Circular 3.978/2020 is the operational rulebook. It mandates a board-approved risk-based AML/CFT policy, formal governance with a designated officer, customer risk classification, and transaction monitoring systems. The circular's risk-stratified logic aligns Brazil with FATF Recommendation 1 on the risk-based approach and reflects the same customer due diligence standards codified in FATF Recommendation 10. Record-keeping obligations, including the five-year retention requirement, track directly to FATF Recommendation 11.

Lei 13.810/2019 gave Brazil a domestic mechanism for implementing UN Security Council sanctions. Institutions must screen against UN consolidated lists and freeze assets without a court order on a confirmed match. Prior to 2019, there was no statutory basis for this.

LGPD (Lei 13.709/2018) adds a data-privacy layer that intersects directly with AML obligations. BACEN's position is that statutory AML requirements provide a valid legal basis for processing personal data under LGPD, but that basis must be documented in the institution's privacy framework. The tension with data-minimisation principles is a live operational issue for teams designing CDD systems.

For politically exposed persons, Brazil's 2012 reforms reinforced the enhanced due diligence regime consistent with FATF Recommendation 12 on PEPs. For crypto, Lei 14.478/2022 (the Crypto Assets Act) brought virtual-asset service providers under BACEN licensing and full AML/CFT supervision, consistent with FATF Recommendation 15 on new technologies. Brazil is among the first countries in Latin America with an operative VASP licensing regime.


What controls do Brazil regulators expect?

BACEN Circular 3.978/2020 is explicit: a written AML/CFT policy, board-level approval, a dedicated compliance structure, and annual effectiveness reviews are all mandatory. The core control expectations are as follows.

CDD and KYC. Customer due diligence is required at onboarding and must be refreshed whenever a customer's risk profile changes. BACEN classifies customers by risk level, and high-risk customers including PEPs, offshore entities, and customers in designated high-risk sectors must receive enhanced due diligence. For legal entities, institutions must identify the ultimate beneficial owner (UBO) down to natural persons owning 25% or more or exercising effective control. Brazil's Receita Federal maintains the CNPJ company registry, but it doesn't substitute for institution-level UBO verification. Ongoing CDD must be proportionate to risk.

Transaction monitoring. Institutions must maintain systems capable of detecting unusual patterns in real time. Under BACEN rules, transaction monitoring includes mandatory reporting of cash transactions above R$50,000 (roughly USD 10,000 at mid-2024 rates) to COAF via Siscoaf. STRs (Comunicações de Operações Suspeitas) carry no value threshold; suspicion, not the transaction amount, is the trigger.

Sanctions screening. Since Lei 13.810/2019, real-time sanctions screening against the UN consolidated list is a statutory obligation. BACEN's risk-based framework also expects screening against OFAC and EU lists for internationally active institutions.

SAR/STR filing. Reports go to COAF's Siscoaf portal. Terrorist financing suspicion must be reported within 24 hours of confirmation. Other suspicious activity reports are due within 48 hours. Late or incomplete filings have drawn administrative sanctions in documented BACEN cases.

Record keeping. Transaction records and CDD documentation must be retained for at least five years, consistent with both Lei 9.613/1998 and the record-keeping obligations Brazil incorporated from FATF guidance.


What is unique about compliance in Brazil?

Several features of Brazil's compliance environment catch foreign teams off guard.

Pix and real-time payment monitoring. Brazil's instant payment system launched in November 2020 and processed over 42 billion transactions in 2023 (BACEN data). That volume creates transaction monitoring challenges that batch systems built for wire transfers can't handle. BACEN expects near-real-time detection of Pix-facilitated fraud patterns, and the regulator has explicitly flagged Pix-enabled scam typologies as an emerging supervisory priority. Legacy monitoring configurations need to be rebuilt, not adapted.

PEP exposure. Brazil's political corruption history makes PEP screening unusually demanding. Operação Lava Jato (Operation Car Wash, 2014-2021) implicated executives at Petrobras, major construction companies, and politicians across multiple parties in schemes that routed proceeds through domestic financial institutions. BACEN expects enhanced due diligence for domestic PEPs as well as foreign ones, consistent with FATF Recommendation 12 on PEPs. A nominal list match won't satisfy an examiner who expects continuous, adversarial adverse media screening alongside list checking.

Data localisation and LGPD. LGPD restricts transfers of personal data to countries without an ANPD adequacy decision. Transfers require standard contractual clauses or binding corporate rules. Institutions using offshore platforms for transaction monitoring or CDD data storage must document the transfer mechanism and include LGPD-compliant terms in vendor contracts. BACEN also requires that core banking data remain accessible to Brazilian supervisors, which limits certain cloud-outsourcing models.

Crypto licensing. Lei 14.478/2022 and BACEN Resolution 316/2023 require VASPs to be authorised before operating and to maintain full AML/CFT programmes including CDD, transaction monitoring, and STR reporting to COAF. The regime is in force, not pending.

Correspondent banking. Brazilian banks are both respondents and correspondents in global networks. BACEN Circular 3.978 sets specific enhanced due diligence requirements for correspondent relationships, consistent with FATF Recommendation 13 on correspondent banking. Foreign banks establishing or reviewing Brazil correspondent lines should expect detailed AML/CFT questionnaires and documentation demands.


Recent enforcement actions in Brazil

BACEN publishes its administrative sanctions in a public register at bcb.gov.br/estabilidadefinanceira/processos_administrativos_punitivos. The record since 2019 shows increased enforcement frequency, broader targeting of fintechs and payment institutions, and individual-liability sanctions against compliance officers and board members, not just the institutions.

In documented cases, BACEN has imposed fines and suspended activities for deficiencies in customer risk classification, failure to file STRs for suspicious activity, and inadequate transaction monitoring systems. Individual liability against named compliance officers is an established feature of Brazilian enforcement. It's not unusual for the same case to produce sanctions against both the institution and the officer personally responsible.

The J&F Investimentos leniency agreement signed with Brazil's Ministério Público Federal in May 2017 totalled R$10.3 billion, the largest financial-crime settlement in Brazilian history. The case arose from the Lava Jato investigation and involved proceeds of corruption routed through domestic financial institutions. While the principal enforcement targets were the corporate group and its owners, the investigation exposed weaknesses in beneficial ownership verification and transaction monitoring at institutions that processed the flows.

The HSBC 2012 enforcement action by US and UK authorities is relevant context. HSBC's compliance failures specifically included inadequate monitoring of correspondent flows from Latin American operations, and HSBC had retail banking operations in Brazil until 2015. The case prompted a wholesale re-evaluation of AML programme standards across international banks operating in the region and is still cited in internal AML governance reviews today.


What foreign banks operating in Brazil need to know

Brazil is not an easy market to enter. BACEN's prior authorisation process typically takes twelve to eighteen months, and compliance programmes must be fully documented before the application goes in.

Licensing. Foreign banks need BACEN authorisation under Lei 4.595/1964 (the Banking Reform Act) before taking deposits or extending credit. Applications require a five-year business plan, audited financial statements, proof of good standing with the home-country regulator, and AML/CFT governance documentation, all in Portuguese. A representative office doesn't permit deposit-taking or lending.

Local compliance officer. BACEN Resolution 44/2021 requires a designated officer for AML/CFT compliance who is based in Brazil, holds appropriate qualifications, and is formally recorded in board minutes. The role can't be delegated to a group compliance function in London, New York, or anywhere outside Brazil.

Portuguese-language requirements. All STR and CTR filings to COAF via Siscoaf must be in Portuguese. BACEN supervisory correspondence is in Portuguese. Examination-ready documentation, internal policies, and staff training materials must be available in Portuguese.

LGPD and outsourcing. Contracts with third-party CDD and transaction monitoring vendors must include LGPD-compliant data processing terms. Where personal data leaves Brazil, the transfer mechanism must be documented. BACEN separately requires that material outsourced functions be notified to the regulator and that local data access for supervisors is maintained at all times.

Reporting timelines. STRs are due within 24-48 hours of confirming suspicion. CTRs for cash transactions above R$50,000 are due by the last business day of the month following the transaction. The timelines are tighter than compliance officers used to US or EU regimes typically expect.

Foreign banks should note that Brazil's framework, while built on FATF principles, diverges in operational detail from frameworks in India and other LATAM markets. Teams with APAC or US compliance backgrounds will need Brazil-specific training before the first BACEN examination.


How FluxForce supports Brazil compliance

FluxForce's real-time transaction monitoring handles Pix-volume data without the batch-processing lag that generates BACEN findings. The platform automates STR drafting in Siscoaf-compatible format, runs continuous PEP and sanctions screening against UN, OFAC, and EU lists, and stores tamper-proof evidence for every decision. CDD workflows cover UBO identification down to natural persons, consistent with Circular 3.978/2020. LGPD data-processing boundaries are configurable at the tenant level, which simplifies the outsourcing documentation examiners review. To see how FluxForce maps to your Brazil compliance programme, book a demo.

FluxForce AI agents monitor transactions against Brazil's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for BACEN examinations.
