The Central Bank (BC) promoted adjustments in the regulation of Information Technology Service Providers (PSTI) that operate in the National Financial System (SFN) and the Brazilian Payment System (SPB). The changes alter a resolution published in September 2025which deals with the accreditation and operations of these companies.
According to the BC, the initiative aims to improve provisions of the current standard, making the requirements more complete, clear and objective. The changes also make the accreditation process more rigorous, aligning the requirements applicable to PSTI with practices already adopted in other regulated segments.
Main resolution changes
Share capital and net worth
The Central Bank may require, at any time, values of share capital and net worth higher than those presented in the initial accreditation, reinforcing the financial capacity of providers.
Accreditation Requirements
There were adjustments to the reputation and technical capacity criteria of administrators, in line with other regulated sectors, in addition to the inclusion of definitions on share control and new compliance analysis mechanisms.
Governance and risk management
The standard reinforces the requirements for corporate governance, internal controls and compliance, with the obligation to prepare annual reports and adopt traceability mechanisms.
De-accreditation
The procedures were simplified, making the process more objective and agile in situations of non-compliance with the rules.
Provision of information to the BC
Expansion of communication obligations, including corporate changes and replacement of directors.
Precautionary measures
Inclusion of new hypotheses that authorize the BC to adopt preventive measures, such as in cases of prolonged absence of a responsible director.
Adaptation
The period for implementing the changes was extended from four to eight months, allowing for a safer and more predictable transition.
The Central Bank also informed that, during the adjustment period, institutions that connect to the National Financial System Network (RSFN) through PSTI continue to be subject to the limit of R$ 15 thousand per transaction via Pix and TED, according to the BCB 496 Resolutions and 497until provider accreditation is completed.
In the BC’s assessment, the improvement of the rules strengthens the security, efficiency and transparency of the PSTI’s operations, contributing to a more reliable environment, with a reduction in operational and cyber risks and greater stability of the country’s financial and payments system.
vulnerable link
The decision comes in the same week that the Banco do Nordeste (BNB) was the target of a hacker attack. The incident led the institution to suspend Pix, after the diversion of resources from a pocket account, an instrument that brings together resources from several users in a single account, without individual identification of the holders.
Since last year, attacks on third-party service providers have become more frequent in the financial system, as they represent a potentially more vulnerable link in the technological chain. This type of strategy allows criminals to bypass large banks’ robust layers of protection by exploiting flaws in integrated systems.
The strengthening of regulation occurs in a context of increased investments in cybersecurity by financial institutions, driven both by the digitalization of services and the growth of Pix as the country’s main payment method.
Last year, the B.C. suspended several companies from the Pix system that served banks and tightened the rules on security for payment institutions.
