.svg)
The sweeping new regulation obligating banks and authorised payment institutions to reject transactions sent to accounts reasonably suspected of involvement in fraud will require rapid upgrades to processes and systems.
The resolution, approved on September 11, 2025, takes effect immediately, and means that financial institutions in the country have until October 13 to adapt their systems and processes to comply.
According to the resolution, institutions must use all available information, including data from electronic systems and public or private databases, to determine whether an account may be linked to fraudulent activity. They must also notify customers of any actions taken, including blocked transactions.
The measure forms part of a wider effort by the BCB to strengthen the security of Brazil’s National Financial System (SFN) following organised crime attacks on payment and financial institutions.
As covered by Vixio, the central bank last week unveiled a separate package of reforms to Pix and other payment channels. These imposed tighter deadlines, stricter authorisation and higher capital thresholds on payment institutions and the technology providers that connect them to the financial system.
In the attacks that prompted the rule changes, criminals reportedly stole around $130m from Brazil’s real-time payment system using valid credentials from an IT service provider.
One affected company, Sinqia, which operates a Pix connection platform used by 24 banks, suspended transaction processing after detecting the breach and called in external cybersecurity experts. Some of the stolen funds have since been recovered.
The new anti-fraud rules are aimed primarily at money mule accounts and accounts linked to organised crime groups, and the BCB cited recent attacks on financial and payment institutions as a driver for the measure.
The resolution is also designed to identify synthetic or compromised accounts created with stolen credentials or shell entities to move funds undetected.
The challenges ahead
Implementing the rule will require real-time screening across all payment instruments, not just batch or post-transaction checks. As with many wide-ranging rules, smaller payment service providers (PSPs) and fintechs may lack access to the quality of data held by larger organisations, creating inconsistency.
Firms will also need to balance the risk of false positives against liability. Overly aggressive models may block legitimate payments and frustrate customers, but letting fraudulent ones through exposes institutions to regulatory enforcement and reputational damage.
Customers whose payments are rejected may challenge decisions, so firms will need clear procedures for notification and dispute handling. With the deadline imminent, they face a tight timetable to upgrade systems, train staff and refresh customer communication templates.
The onus is on payment firms to review their fraud-detection rules to ensure that recipient accounts with reasonable suspicion of fraud are flagged before transactions settle.
Updating customer notification templates and training frontline staff to explain rejected payments will be essential for firms.
They will also need to maintain detailed records of how reasonable suspicion was assessed, in order to defend against complaints from customers and scrutiny from the BCB.
The new rule marks a decisive step in Brazil’s fight against payment fraud, but its success will hinge on whether firms can adapt quickly without undermining customer trust.
