Driven by new payment behaviors (Pix overtaking cash, debit, and credit as the nation’s preferred payment method in just four years), sophisticated criminal operations (organized crime relying on fraud as a reliable income source), and an increasingly assertive regulatory agenda, financial crime in Brazil has transformed drastically in recent years.
Brazilian banks now find themselves forced to navigate one of the world’s most dynamic regulatory frameworks.
A foundation of LGPD
Before Brazil could begin to even talk about fraud prevention, it needed to first address the data itself. That foundation is the LGPD (Lei Geral de Proteção de Dados), Brazil's equivalent of the GDPR. While not a Central Bank rule, Law No. 13,709/2018 became the bedrock for the entire ecosystem. It forced every company to confront a critical question: How do we handle customer data?
The practical impact was seismic, compelling a complete mapping of the data lifecycle and creating new roles like the data protection officer (DPO). While this brought the pain of adapting legacy systems and a constant fear of multi-million dollar fines, its benefit was undeniable. It fostered a culture of legal certainty and forced the market to treat customer information with the seriousness it deserves. Suddenly, when a customer exercised their right to know what data a bank held on them, there had to be a clear process in place. The data era had officially begun.
The revolution of immediacy
With the data foundation laid, the stage was set for a dramatic shift from reactive analysis to real-time action. Two key regulations in 2020 ignited this revolution.
- Circular 3.978 (AML/CFT): Often called the AML/CFT Bible, this rule modernized Brazil's approach to combating money laundering. It forced institutions to abandon superficial checks and adopt a formal risk-based approach (RBA). This meant creating robust KYC (know your customer) matrixes, monitoring transactions based on actual risk profiles, and changing the culture. Historically focused on growth, business teams had to learn to understand and embrace new risk barriers. For the first time, institutions had strong regulatory backing to refuse or terminate relationships with high-risk accounts, such as those used by money mules.
- Pix: Pix introduced a new instant payment infrastructure and significantly raised operational and security responsibilities for participating institutions, making real-time fraud monitoring a matter of survival. Fully automated monitoring then forced the adoption of sophisticated risk engines.
This is where technologies like behavioral intelligence became critical. How could you stop a scam happening in milliseconds without adding friction for a legitimate user? By analyzing the how and not just the what.
If a customer attempts a large transfer at 2 a.m., the system recognizes changes in the user’s typing speed, the way they’re holding their device, and signs of remote access, in addition to the sum of the transfer. While this created the new headache of managing false positives, it marked the beginning of truly intelligent, real-time fraud prevention.
In parallel, the Central Bank also introduced preventive controls within the Pix scheme itself (such as transaction limits and stricter rules for changing limits), shifting part of the fraud strategy from pure detection to structural risk reduction across the customer journey.
The power (and pain) of collaboration
The next major leap was understanding that no institution could fight financial crime alone. The ecosystem needed to connect.
- Joint Resolution No. 6: In 2023, the paradigm shifted from isolation to mandatory collaboration. This landmark resolution forced all financial institutions to share data related to fraud indicators associated with customers, accounts, and transactions. The Banco Central do Brasil (BC) created APIs for banks in the country to communicate with one another, creating the possibility of a 360-degree view of risk. Before approving a transaction, a bank could now check a market-wide fraud score.
  This also created new pain points. The data shared was often of variable quality, making it risky to automate decisions based solely on a flag from another institution. The market needed to evolve into a real-time intelligence ecosystem, sharing the context of fraud.
- Resolution No. 507: If Resolution No. 6 was the rule, Resolution No. 507 gave it teeth. Taking full effect in 2025, it established financial penalties for non-compliance. Suddenly, implementing the data-sharing framework morphed from an IT project to a top-priority strategic initiative. With fines reaching up to R$50 million (approx. $10 million USD), bank boards no longer hesitated to allocate resources. This ensured that there would be no weak links in the chain, as a collaborative system is only as strong as its least-committed member. The pain? Justifying the ROI for a compliance project while competing for budget with revenue-generating departments — a familiar battle for any risk professional.
What are MED and MED 2.0?
The MED (Special Return Mechanism) is a process created by BC that allows funds transferred via Pix, in cases of fraud, scams, or operational errors, to be blocked and returned to the customer through a structured flow between the financial institutions involved.
In practice, MED introduced a formal and standardized process for communication, blocking, and investigation between banks, replacing the manual and unstructured procedures that existed in the early days of Pix.
As scams have evolved — becoming faster, more fragmented, and increasingly dependent on mule accounts — the market is now moving toward what has been commonly referred to as MED 2.0.
MED 2.0 expands this concept by enabling a deeper, multi-layer analysis of the fraud chain, looking not only at the account that initially received the funds but also at the transaction path, behavioral signals, and indications of involvement by intermediary or mule accounts.
MED 2.0 and the age of litigation
And that brings us to the future. The next great challenge on the horizon is MED 2.0, the evolution of the special refund mechanism for Pix.
MED 2.0 is expected to enable broader blocking and recovery of illicit funds across multiple layers of a fraud chain. For the victim, this is fantastic news, as it increases the chances of getting their money back. For institutions, it's an opportunity to mitigate losses previously considered unrecoverable. But it comes at a price: a massive increase in operational complexity and cost. Analyzing multi-layered fraud chains and handling the inevitable explosion of legal disputes will require significant resources, forcing banks to prove an account in the middle of a chain was a willing money mule and not just another victim.
The immense operational and legal costs of MED 2.0 can only be managed with a two-pronged strategy powered by tools like behavioral intelligence.
- Prevention: Banks must first reduce the number of incidents at the source. This means identifying not just the creation of mule accounts but also detecting the social engineering attacks themselves, in real time, before any money ever leaves a would-be-victim’s account.
- Defense: Second, for the cases that do get through, the legal team needs irrefutable evidence. Behavioral data provides powerful risk insights, showing how a transaction was performed. Was there hesitation? Remote access tooling? Use of an emulator? This data provides a robust foundation for defending a block, proving fraudulent intent, and navigating the new era of mass litigation.
At the same time, all these new controls, investigations, and recovery processes significantly impact customer experience, forcing institutions to constantly balance security, friction and trust at every digital interaction.
The evolution of fraud regulation in Brazil shows a clear trajectory from foundational rules to real-time action. Today, the industry moves deeper into mandatory collaboration and complex recovery. Every step along the way has increased the burden on institutions but has also made the ecosystem stronger and safer.
As we stand on the precipice of the MED 2.0 era, the right technology appears crucial to both a viable prevention strategy and a defensible legal one.