.svg)
The Central Bank of Brazil (BCB) has introduced new security measures for Pix, the country’s instant payments system, aiming to prevent fraud and enhance compliance.
The freshly updated regulations will require financial institutions and payment providers to ensure that names linked to Pix keys match the official records in Brazil’s Federal Revenue Service databases.
Pix, launched in 2020, has become a dominant payment method in Brazil, widely used for personal and commercial transactions.
Under the new rules, institutions must verify compliance whenever a Pix key is registered, modified, transferred or claimed.
If a CPF (Brazilian individual tax ID) or CNPJ (business tax ID) is listed as “suspended,” “canceled” or otherwise invalid, its associated Pix keys must be removed from the system.
Fraud changes
To strengthen fraud prevention, the central bank has said that it will actively monitor discrepancies between registered Pix names and those in government databases.
It will also ban modifications to random Pix keys and prohibit ownership claims on email-based keys.
The central bank has confirmed that keys linked to a mobile number will still allow ownership transfers, given that prepaid numbers can change hands.
In addition, a previous restriction on returning funds via unregistered devices has been lifted. Returns from such devices had been capped at R$200 ($34), but the new rule allows full refunds initiated by recipients.
The central bank emphasised that these changes will not affect the way users send or receive Pix payments, but are designed to reinforce security.
It reiterated its commitment to maintaining Pix’s reliability and protecting users from fraud.
A flurry of changes
Brazil’s regulatory interventions for Pix have been constant in recent times — as Vixio’s Horizon Scanning tool shows.
Recent changes have focused on the security, governance and user experience of Pix.
For example, a change implemented in February introduced new standards for refunds, withdrawals, transaction limits, QR code interoperability and contact list integration.
It also included updates on Automatic Pix and Scheduled Pix, intended to ensure smoother and more consistent interactions for users.
In addition, changes set out in November 2024 significantly amended the requirements for institutions participating in Pix.
From January 1, 2025, only institutions authorised by the BCB are eligible to apply for Pix participation, and existing participants need to file an authorisation request based on their joining date, with deadlines extending until December 2026.
Also as of November last year, new security measures for Pix transactions on unregistered devices mean that users must register any new device with their financial institution to conduct Pix payments without restrictions.
Transactions on unregistered devices are limited to R$200 per transfer and R$1,000 per day, and two-factor authentication is required for device registration.
Why are changes so frequent?
The frequent changes and resolutions regarding Pix reflect the BCB’s ongoing efforts to improve security and user experience on the instant payments platform.
Pix has become a critical part of Brazil’s financial ecosystem, having rapidly been adopted by individuals, businesses and even government entities.
Its growth means it requires continuous adjustments to address emerging risks and reduce opportunities for bad actors to exploit, such as with fraudulent activity.
For Pix participants, which includes both incumbents and newer payment firms operating in Brazil, this rapid regulatory change means that they must stay constantly updated on regulatory changes, ready to adhere to new requirements.
Financial institutions and payment service providers (PSPs) need to adapt their internal systems, risk management protocols and operational processes to align with evolving rules.
Institutions that fail to comply risk penalties, exclusion from the system or increased regulatory scrutiny.
These frequent updates pose inevitable operational challenges for stakeholders, but they ultimately aim to strengthen Pix’s security, trust and long-term viability.
