Brazil's New Payment Rules Raise Compliance Stakes For Banks And Fintechs

September 11, 2025
Tighter deadlines, stricter authorisation and higher capital thresholds are set to reshape how institutions and IT providers connect to Pix, with smaller players facing the greatest pressure.

Approved earlier this week, the reforms impose stricter compliance requirements on payment institutions and the technology providers that connect them to the financial system. 

The changes appear to be in response to recent cyberattacks that have taken place using the Pix system. 

Reports suggest that attackers stole $130m from Brazil’s real-time payment system last week using valid credentials for an IT service provider.

According to an ongoing forensic probe, unauthorised fund transfers at Brazilian fintech provider Sinqia, part of Evertec, were carried out using compromised IT vendor credentials. 

Sinqia, which operates a Pix connection platform used by 24 of the country’s banks, suspended transaction processing after detecting the breach. It also engaged external cybersecurity experts, and some of the stolen funds have since been recovered.

Stricter authorisation and transfer limits

Payment institutions are now required to obtain prior authorisation from the BCB to operate, with the deadline for firms previously unlicensed brought forward from December 2029 to May 2026. 

In addition, companies that started issuing e-money before March 2021, as well as post-paid instrument issuers and acquirers active before this month, must apply for authorisation by May 2026.

The authorisation process has also been tightened, requiring firms to provide a physical headquarters address and, in some cases, independent technical certification. 

Institutions denied authorisation must cease operations within 30 days, notify customers and return all funds to user accounts at licensed institutions.

The new rules also cap transfers made through TED, Brazil’s traditional payment system, and through Pix at BRL15,000 ($2,765) for unauthorised payment institutions and those connecting through information technology service providers (PSTIs).

The cap appears to be temporary, and may be lifted once institutions implement approved security controls, with temporary exemptions allowed for up to 90 days.

Pix management has also been restricted, with only larger payment institutions in regulatory segments S1 to S4, excluding cooperatives, permitted to act as managers. Existing contracts must be updated within 180 days.

For PSTIs, governance and risk management requirements have been expanded and a new minimum capital threshold of BRL15m has been set.

Any evidence of non-compliance with this could lead to precautionary measures or revocation of accreditation, with existing providers given until January 2026 to meet the new standards.

Challenges ahead 

The bar for the new compliance requirements is set high for banks, payment institutions and their technology providers, particularly smaller players and those operating without full authorisation. 

Payment institutions can no longer operate without BCB approval, and now face a much tighter deadline. 

Applicants unable to demonstrate key pillars, such as strong governance, risk being denied authorisation, forcing them to cease operations and return customer funds within 30 days.

For banks and larger firms in regulatory segments S1 to S4, the impact is different: they are now the only entities permitted to act as Pix managers for unauthorised institutions, and this increases their oversight responsibilities. 

These firms will need to strengthen due diligence and compliance monitoring of smaller partners connecting to Pix under their umbrella.

For PSTIs, the tougher requirements may result in a consolidation drive, with Pix’s connectivity limited to a much smaller pool of well-capitalised providers. 

Access to Pix is inevitably about to become more difficult for smaller fintechs that previously relied on intermediaries and lighter regulatory obligations. 

Unauthorised firms will face stricter limits, including the cap on transfers until they adopt new security measures, and some will also struggle with the cost and complexity of compliance. 

Customers could experience fewer choices and a slowdown in new entrants to the Pix ecosystem.

However, the trade-off is greater system resilience against fraud and cybercrime, which should mean a safer experience for consumers and ensure that Pix’s reputation survives this cyberattack.
