KYC at Banks in Brazil: BCB requirements and how to curb fraud in 2025
September 16, 2025


#network
#Identity

Key takeaways

Brazil recorded 3.47M fraud attempts in Q1-2025—about one every 2.2 seconds; banking concentrated 54% of all attempts.

After the July 2025 attacks, the BCB set a R$ 15,000 per-transaction cap for certain participants and requires rejecting payments when there is well-founded suspicion of fraud.

Effective defense blends document verification, biometrics with liveness, device signals (IN 491) and continuous monitoring.

Didit cuts fraud with more automation, no-code/API workflows, and a free, unlimited KYC plan with transparent pricing.

Brazil faces an alarming level of fraud: 3.47 million attempts in Q1-2025—one every 2.2 seconds. In the same period, banks and cards accounted for 54% of attempts, confirming financial institutions remain the main target. In July 2025, the country also suffered a large-scale cyberattack on a provider connected to the Pix ecosystem, diverting at least R$ 400 million and affecting multiple institutions—exposing weaknesses in critical connections with the SPB.

The response was swift: the Banco Central do Brasil (BCB) tightened rules with a R$ 15,000 per-transaction limit for certain participants and mandatory rejection of payments to accounts with a “well-founded suspicion of fraud.”

If you’re concerned about bank fraud in Brazil, this article gives a clear guide to KYC/AML processes, the evolution of the regulatory framework, and how to build anti-fraud defenses without degrading customer experience.

What KYC is and how it differs from CIP in Brazil

Though often paired, KYC (Know Your Customer) and CIP (Customer Identification Program) are not the same. KYC is the end-to-end framework for identification, verification, and risk profiling across the customer lifecycle, while CIP is the specific identification procedure that verifies data provided by the customer (name, date of birth, etc.).

In Brazilian banking, CIP maps to the procedimentos de identificação do cliente required by the PLD/FT (AML/CFT) framework and lays the groundwork for the ongoing KYC regulators expect.

Brazil’s framework reinforces this risk-based logic. Circular BCB 3,978/2020 and subsequent adjustments (e.g., Resolução BCB 119/2021) require institutions to maintain PLD/FT policies and controls covering customer identification/verification and continuous monitoring across the entire lifecycle. In practice: know the customer at onboarding, and keep knowing them afterward (behavioral changes, reverifications, audit trail).

Additional rules affect KYC execution in Brazil. Resolução Conjunta nº 6/2023 institutionalizes sharing data on fraud indicators across institutions, closing gaps and speeding coordinated blocks; the BCB maintains a public FAQ with practical guidance.

In the Pix ecosystem, Instrução Normativa BCB nº 491/2024 adds a critical operational layer: device registration and management for initiating transactions and managing keys. To reduce fraud, unregistered devices face per-transaction limits (R$ 200) and daily caps (R$ 1,000).

Finally, after the 2025 incidents, the BCB approved Resolução BCB nº 501/2025: it requires rejecting payments sent to accounts with well-founded suspicion of fraud and communicating the decision to the customer; see also Note 20832 for scope and timelines.

A snapshot of bank fraud in Brazil

Mobile phone theft remains the main entry point for financial crime. That’s why reducing fraud in Brazil’s telecom sector is key. The modus operandi is clear: once criminals have the device, they force access via social engineering, leaked credentials, or even extortion. With device control, they can intercept SMS, emails, and other OTPs to break into financial platforms—starting a nightmare for users and banks alike.

The scale is significant: between January and March 2025, Brazil logged 3,468,255 fraud attempts (~1 every 2.2 s) and the banking/cards segment amassed 1,871,979 (54%). Looking at people and money harmed, over 24 million Brazilians were scammed via Pix or fake boletos between June 2024 and June 2025, with an average loss of R$ 1,198 per person and an aggregate impact near R$ 29 billion.

What are “fake boletos” and why do they matter?

In Brazil, a boleto bancário is a payment slip with a barcode or QR. In fake boletos, that code is manipulated so the payment goes to the fraudster’s account—even if the PDF or layout looks legitimate. To mitigate, banks should validate the beneficiary (name and CNPJ), the issuing bank, and the QR in authenticated channels, and reinforce KYC on the recipient (new or atypical accounts).

Deepfakes, SIM swap, and impersonation: point solutions aren’t enough

Biometrics alone (a one-off selfie) won’t stand up to spoofs and deepfakes. They work best as one layer of defense-in-depth: document verification, 1:1 Face Match, liveness, and device and behavioral signals combined to authorize sensitive operations.

With the theory clear, the next step is closing the gaps in practice. Some widely used platforms in Brazil show limits: IDWall leans heavily on manual reviews (more latency, more cost), while Unico focuses on binary photo/CPF risk and doesn’t offer an end-to-end platform with document verification, AML, and flexible workflows.

In a high-fraud environment, these gaps translate into losses and friction.

Regulatory framework for banks: the key 2025 rules

  • Resolução Conjunta nº 6/2023 (BCB/CMN). Mandates standardized sharing of fraud indicators/data among institutions to speed coordinated responses. The BCB maintains a specific FAQ with practical guidance.
  • Instrução Normativa BCB nº 491/2024. Directives to register and manage devices that initiate Pix transactions/manage keys. Unregistered devices: R$ 200 per transaction and R$ 1,000 daily.
  • BCB package — September 2025 (Res. 496, 497, 498). R$ 15,000 per-operation cap (Pix/TED) when the payer’s account provider is an unauthorized IP or the participant connects to RSFN via a PSTI; the cap can be lifted if controls are evidenced. Res. 498 defines PSTI accreditation requirements (governance, security, monitoring, audit).
  • Res. BCB nº 501/2025 (Sep 11). Requires institutions to reject payments to accounts with well-founded suspicion; immediate effect and short deadlines for system updates. See Note 20832.

How fraud is fought: applying defense-in-depth to bank KYC

  1. Cross-checking documents. OCR and AI analysis to detect tampering; validations against official sources and IP/geo correlation.
  2. Biometrics. 1:1 Face Match, Liveness Detection, and biometric re-authentication of the enrolled user before high-risk operations.
  3. Continuous monitoring. Screening against sanctions/PEP lists, adverse media, shared negative lists (RC 6/2023), with real-time alerting.
  4. Traceable, auditable consent. Verifiable, revocable consent history (device changes, Pix keys, limits).
  5. Integration with Celular Seguro. One-tap lock after phone theft and fast signal-sharing with banks/authorities.

Pix ecosystem best practices

The July 2025 incident against a Pix connectivity provider exposed third-party weaknesses; reports point to ≥ R$ 400 million diverted and multiple institutions affected. The regulator reacted immediately: a R$ 15,000 cap for unauthorized IPs or connections via PSTI (Provedor de Serviços de Tecnologia da Informação), followed days later by a mandate to reject payments to suspicious accounts—reinforcing banks’ responsibility for the decision and its substantiation.

How Didit helps Brazilian banks reduce fraud

For compliance teams that need to reduce fraud without clogging onboarding, Didit delivers more signals, more automation, and less manual review. The platform combines document verification, biometrics with liveness and 1:1 Face Match, validation against official sources, and AML Screening to cut impersonation, synthetic identities, and deepfakes with depth manual flows can’t match.

Didit’s core rests on three layers:

  1. Document + biometrics (ID Verification, 1:1 Face Match, and Liveness Detection) to ensure a real person, present at verification.
  2. Validation with official/government sources, where available, to reinforce what the camera captures.
  3. AML Screening and continuous monitoring, to assess users against global sanctions/PEP/adverse media and reevaluate risk in real time.

Together, these layers reduce fraud and false positives with audit-grade traceability. Orchestration is another differentiator: no-code workflows to launch in minutes and open APIs/SDKs for bespoke flows. Our pricing is transparent, too: we offer the first and only free, unlimited KYC plan, with premium features, no subscriptions or minimums, and non-expiring prepaid credits. You only pay for completed verifications for precise cost control.

The outcome for compliance: less manual review, faster sign-ups, better conversion, and control from the first second—without sacrificing UX, plus instant sandbox deployment.

Banking KYC in Brazil: cut fraud without friction

Comply with RC 6/2023, IN BCB 491/2024 and Res. 501/2025 without blocking the customer experience. With Didit you can verify users for free and without limits, orchestrate flows with no-code tools or APIs, and enable biometric authentication in sensitive operations to stop impersonation and deepfakes.

Free & unlimited KYC • Customizable workflows • Integration in minutes