KYC/PLD Compliance in Brazil: Regulatory Framework and How to Comply


    The Brazilian regulatory landscape has undergone a significant transformation in recent years, especially with regard to KYC (Know Your Customer, "Conheça seu Cliente") and AML (Anti-Money Laundering, "Prevenção à Lavagem de Dinheiro", PLD) processes, which have become a strategic priority and an unavoidable legal obligation for institutions in Brazil.

    Against this backdrop, the rigorous application of AML and KYC policies, the latter known in Brazil as "Conheça seu Cliente", has become a fundamental piece for the integrity and security of the Brazilian financial system.

    Brazil, as one of the most important emerging economies in Latin America, has implemented a robust regulatory framework that seeks to combat money laundering, terrorist financing and other financial crimes. This regulatory context requires financial institutions and supervised companies to adopt comprehensive measures for the identification, verification and continuous monitoring of their clients.

    The diversity of the Brazilian financial system, which includes banks, fintechs and cryptocurrency businesses, requires advanced technological solutions for regulatory compliance. RegTech platforms and KYC (Know Your Customer) tool providers are critical to automate processes, reduce costs and improve the effectiveness of anti-money laundering controls.


    KYC regulatory framework in Brazil: Law No. 9.613/98 and BACEN Circulars

    KYC in Brazil is regulated by Law No. 9,613/98, which not only sets identification standards but also governs the prevention of money laundering (PLD, from its Brazilian Portuguese name). This law, amended over time, criminalizes money laundering, terrorist financing and other financial crimes, and establishes obligations for a wide range of entities, both financial and non-financial.

    The law requires these entities, known as "obliged entities," to implement AML programs that include client identity verification, risk-based due diligence, record keeping of transactions and reporting of suspicious transactions to the competent authority.

    In the financial sector, the main regulatory body is the Central Bank of Brazil (BACEN), which has issued a series of circulars and resolutions to detail and complement the provisions of Law No. 9,613/98. 

    • BACEN Circular No. 3,978 of 2020. This is a fundamental document that operationalizes the law for financial institutions. It establishes, for example, that institutions must adopt a risk-based approach to due diligence, which implies greater or lesser information requirements depending on the customer's profile. 
    • BCB Resolution No. 119 of 2021, which updates the circular, requires financial institutions to collect the residential address of customers.

    The other key player in this ecosystem is the Financial Activities Control Council (COAF), which acts as Brazil's financial intelligence unit (FIU). The COAF receives, analyzes and disseminates the suspicious transaction reports that obliged entities send it. 

    Through Law No. 13,974/2020, COAF has been consolidated as an independent authority with an administrative link to BACEN, which strengthens its autonomy and capacity to combat financial crime. COAF's regulations, together with those of BACEN, are the main reference that most sector regulators follow to establish their own KYC rules for operating in Brazil.

    Identification of clients and beneficial owners in sectors supervised by COAF

    Proper customer identity verification is the first and most critical step in any KYC process carried out in Brazil. Brazilian regulations, supervised by COAF, require obliged entities to collect and verify a series of essential data to establish the customer's identity. For individuals this includes:

    • Full name
    • Date of birth
    • Address
    • E-mail address
    • Telephone number

    However, the central pillar of identity verification in Brazil is the Cadastro de Pessoas Físicas (CPF), a unique tax identification number. Verification of the CPF against the databases of the Receita Federal (the federal tax authority) is an indispensable step to confirm the existence of the individual and his or her personal data.

    Identification does not stop at the direct client. The regulation also places special emphasis on the identification of beneficial owners. A beneficial owner is the natural person who ultimately owns or controls a company, or the person on whose behalf a transaction is carried out. 

    This is crucial to prevent complex corporate structures from being used to hide true ownership and launder money. Obliged entities must take reasonable steps to identify these beneficial owners, even if they are not the direct account holders. This involves a review of the corporate structure and ownership of the company (KYB - Know Your Business), which often requires the collection of additional documents.


    LGPD (General Data Protection Law) requirements for data processing and retention in KYC processes

    The implementation of KYC policies in Brazil cannot be understood without the General Data Protection Law (LGPD, Lei Geral de Proteção de Dados), which came into force in 2020. This law, similar to the European Union's GDPR, regulates the processing of personal data and guarantees the rights of data subjects. For companies implementing KYC, the LGPD introduces an additional layer of complexity and responsibility, as they must balance the need to collect data for crime prevention with the obligation to protect their customers' privacy.

    The key points of the LGPD that impact KYC processes are:

    • Purpose and Transparency: Data collection must have a specific and legitimate purpose, and companies must inform customers clearly and transparently about what data is being collected, why it is being collected and how it will be used. In the case of KYC, the purpose is the prevention of money laundering and terrorist financing.
    • Data minimization: Companies should only collect data that is strictly necessary for the stated purpose. This implies a careful analysis of what information is indispensable to comply with AML regulations, avoiding excessive collection of sensitive data.
    • Consent and Legal Basis: Data processing must be based on one of the legal bases established by the LGPD. In the context of KYC processes, the most common legal basis is "compliance with a legal or regulatory obligation" or the company's "legitimate interest" in preventing fraud. However, in some cases, customer consent may also be an important factor.
    • Data retention: The LGPD states that personal data must be deleted once the purpose of its processing has ended. However, Law No. 9,613/98 requires obligated entities to retain customer and transaction records for a minimum period of five years after the end of the business relationship or transaction. Companies should ensure that they have data retention policies that comply with both regulations, deleting information when it is no longer legally required.

    The intersection of the PLD and LGPD regulations creates a scenario where technology and well-defined processes are crucial. Companies must design their KYC systems to be efficient in collecting data, but also robust in protecting it, with security measures in place to prevent unauthorized access and leaks.


    Differences between Simplified, Standard and Enhanced Due Diligence (EDD) for Politically Exposed Persons (PEPs)

    The risk-based approach, promoted by Brazilian regulations, involves the application of different levels of customer due diligence for KYC processes in Brazilian territory, depending on the level of risk they represent. This is divided into three main categories: Simplified, Standard and Enhanced Due Diligence.

    • Simplified Due Diligence (SDD): Applies to low-risk clients. In these cases, the amount of information collected or the frequency of checks can be reduced, for example in low-value transactions or with customers who already have a transparent transaction history. SDD enables a smoother user experience and reduced costs for the company, without compromising security.
    • Standard Due Diligence: This is the most common level of diligence and applies to most customers. It involves gathering and verifying basic identity information, understanding the nature of the business relationship and, if necessary, identifying the beneficial owner. This level of diligence is the starting point for most business relationships and lays the foundation for ongoing monitoring of transactions.
    • Enhanced Due Diligence (EDD): This is the most rigorous level of due diligence and applies to high-risk clients. EDD involves additional information gathering and more in-depth verification, which may include searching public sources, reviewing media to identify negative news stories, verifying the origin of funds, and approval by senior management. EDD is mandatory, for example, for Politically Exposed Persons (PEPs).

    A Politically Exposed Person (PEP) is an individual who holds or has held, within the last five years, a relevant public office in any of the three spheres of government (federal, state or municipal). This includes heads of state or government, ministers, senators, deputies, members of the supreme court, ambassadors, high-ranking officers of the armed forces, directors of state-owned companies, and their family members and close collaborators. This applies to KYC processes in Brazil as well as in any other jurisdiction.

    Due to their position and potential to influence government decisions, PEPs are considered high risk for corruption, bribery and money laundering. Therefore, any business relationship with a PEP must be subject to an Enhanced Due Diligence process.

    The EDD process for PEPs involves:

    • Identifying the customer as a PEP through specialized databases and information gathered.
    • Obtaining senior management approval to establish or continue the business relationship.
    • Taking reasonable measures to establish the origin of funds.
    • Conducting continuous and more stringent monitoring of the business relationship.

    Detecting PEPs is a complex challenge that often requires the use of global databases and media scanning to ensure accurate identification.

    The Role of Regtechs and Technology Providers in KYC Automation

    The number and complexity of KYC/PLD regulations in Brazil have made manual processes unsustainable. Companies are facing pressure from the speed of digitization and the need to comply with increasingly demanding regulations. This is where Regtechs (Regulatory Technology), companies that use technology to optimize and automate regulatory compliance, come into play.

    Regtechs and technology providers offer KYC solutions that enable companies to:

    • Accelerate Onboarding: reduce the time and effort required for onboarding new customers, improving the user experience and reducing the churn rate.
    • Reduce Compliance Costs: Minimize operational costs associated with manual document review and data verification.
    • Improve Accuracy: Reduce human error and inconsistencies in data collection and verification.
    • Strengthen Security: Implement advanced security measures, such as biometrics and cryptography, to protect customer data.
    • Facilitate Continuous Monitoring: Automate the process of reviewing existing customers and detecting suspicious activity, a key regulatory requirement.

    Regtechs in Brazil offer a set of technological tools that address the specific challenges of the local market, from CPF validation to facial biometrics.


    Digital identity verification using CPF query at Receita Federal and facial biometrics

    Digital identity verification technology has revolutionized the way companies comply with KYC in Brazil. Two of the pillars of this process are CPF query and facial biometrics.

    • CPF query: CPF validation is the first and most important step in the digital KYC process in Brazil. Technology providers can connect their systems directly to the Receita Federal database to verify the validity of the CPF number, the holder's name and date of birth. This instant verification confirms the existence of the individual and ensures that the information provided is accurate. In addition to Receita Federal, it is also possible to consult other official databases for additional information, such as the Electoral Justice database, which together build a more robust customer profile.
    • Facial Recognition (Biometrics): This has become an indispensable tool in the fight against identity fraud. This technology allows companies to compare a customer's selfie with the photo stored in government biometric databases, such as those of the Superior Electoral Court (TSE) or the National Traffic Department (Denatran). The process usually works as follows: the customer takes a selfie through the company's app, and the facial biometrics technology verifies whether the person being registered is the same person shown in the photo on the ID card. In addition, many solutions include liveness detection ("proof of life") to ensure that the selfie is not a static image or a pre-recorded video.
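    As an added example (not Tecalis's code and not the Receita Federal interface), the Python below performs the local CPF check-digit validation that a digital KYC pipeline would run before spending a query on the Receita Federal lookup: the public mod-11 scheme behind the two check digits, plus the rejection of repeated-digit sequences that pass the checksum but are never issued. The sample numbers are constructed, and a local pass only means the number is well-formed, not that it exists or belongs to the applicant.

```python
import re

# Weights for the first and second CPF check digits (public mod-11 scheme).
_WEIGHTS_D1 = range(10, 1, -1)   # 10, 9, ..., 2 over the first 9 digits
_WEIGHTS_D2 = range(11, 1, -1)   # 11, 10, ..., 2 over the first 10 digits


def normalize_cpf(raw: str) -> str:
    """Strip the usual formatting (e.g. '529.982.247-25') down to digits only."""
    return re.sub(r"\D", "", raw)


def _check_digit(digits: str, weights) -> int:
    """Compute one mod-11 check digit for the given digit prefix."""
    total = sum(int(d) * w for d, w in zip(digits, weights))
    remainder = total % 11
    return 0 if remainder < 2 else 11 - remainder


def is_valid_cpf(raw: str) -> bool:
    """Local syntactic validation of a CPF number.

    True only if the number has 11 digits, is not a repeated-digit sequence
    (these satisfy the checksum but are never issued) and both check digits
    match. This does not confirm the CPF exists or belongs to the applicant;
    that is what the Receita Federal query is for.
    """
    cpf = normalize_cpf(raw)
    if len(cpf) != 11 or cpf == cpf[0] * 11:
        return False
    d1 = _check_digit(cpf[:9], _WEIGHTS_D1)
    d2 = _check_digit(cpf[:10], _WEIGHTS_D2)
    return cpf[9:] == f"{d1}{d2}"


def precheck_onboarding_batch(cpfs):
    """Split a batch of applicant CPFs into those worth sending to the
    Receita Federal lookup and those rejected locally (typo or fabricated)."""
    accepted, rejected = [], []
    for raw in cpfs:
        (accepted if is_valid_cpf(raw) else rejected).append(normalize_cpf(raw))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one well-formed number, one with a typo in the
    # last digit, one repeated-digit sequence and one that is too short.
    sample = ["529.982.247-25", "529.982.247-26", "111.111.111-11", "1234567890"]
    ok, bad = precheck_onboarding_batch(sample)
    print("send to Receita Federal:", ok)   # ['52998224725']
    print("rejected locally:", bad)
```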

    The combination of CPF query and facial biometrics offers an unprecedented level of security and accuracy in identity verification.

    Additional considerations and the future of KYC in Brazil

    The KYC landscape in Brazil is constantly evolving. Accelerated digitization, the entry of new players and the sophistication of fraud threats drive regulators to continuously update regulations. The future of KYC in Brazil is likely to be characterized by:

    • Increased technology integration: interoperability between public and private databases will be key for more efficient and accurate identity verification.
    • Artificial Intelligence and Machine Learning: The use of these technologies will expand for real-time transaction monitoring and detection of anomalous behavior patterns that may indicate money laundering activities.
    • Sovereign Digital Identity: The trend towards digital identity, where citizens control their own identity data, could influence how identity verification is performed in the future.
    • Global Focus: Harmonizing KYC regulations in Brazil with international standards, such as those of the Financial Action Task Force (FATF), will continue to be a priority to strengthen Brazil's position in the global fight against financial crime.

    In conclusion, compliance with KYC/PLD regulations in Brazil is a complex but crucial challenge for any company aspiring to operate safely and legally in the market. The combination of a solid regulatory framework (Law No. 9,613/98, BACEN and COAF) with the technological innovation of Regtechs is paving the way for a more transparent and resilient financial system. The correct implementation of KYC is not only an act of compliance, but a strategic investment in customer trust, reputation protection and long-term business sustainability.
