Juliana Braz: "You can’t verify what you can’t uniquely identify."

Jualiana Braz leads International Business Development and serves as a spokesperson at Serpro, Brazil’s federal technology backbone—bringing together law, public administration, and engineering to tackle one of the state’s hardest problems: proving who’s who at national scale. She cut her teeth helping transform Brazil’s paper driver’s license into the award-winning Digital CNH and has since become a clear, pragmatic voice on digital identity, fraud prevention, and citizen rights. For Juliana, identity is a public good and “security by design” is non-negotiable: biometrics and tokenization where they add real trust; strict LGPD compliance and role-based access to protect privacy; and inclusive paths so technology never locks people out.

She champions Gov.br’s graduated assurance model (Bronze, Silver, Gold) as a blueprint for scalable trust—while pushing for interoperability across data silos to stop synthetic identities and social-engineering rings. Realistic about deepfakes and SIM-swap risk, she argues for culture and training to match the tools. Looking ahead, she envisions a CPF-anchored ecosystem moving toward SSI, with Serpro as Brazil’s sovereign trust layer and real-time anti-fraud intelligence hub.

Question: Juliana, your career combines law, public administration, and technology. What motivated you to specialize in identity and fraud topics in your role at Serpro? Answer: My motivation to specialize in identity and fraud at Serpro stems directly from my practical experience developing crucial national systems. I began my career at Serpro working with the existing National Driver's License (CNH) database, already one of Brazil's primary identification sources.

It was through my active participation in the project to create the Digital CNH—an initiative that transformed a physical document into a high-security credential, earning national recognition with important awards like the iBest—that I became profoundly fascinated by this field. I realized that Identity is the most fundamental asset of Public Administration and that technology is the ultimate solution for complex problems of trust and large-scale fraud.

Therefore, my specialization at Serpro is the logical evolution of that work. I use my Public Administration background and technical knowledge to understand the vulnerabilities in processes (where fraud occurs) and then apply the most advanced technologies—such as biometrics and tokenization—to design robust security solutions, protecting the citizen and ensuring the integrity of government digitalization.

Q: As a manager at a key institution for government digitalization, what have you learned about the value of digital identity for citizens and the state? A: My experience managing government digitalization initiatives has taught me that the value of Digital Identity is absolutely foundational, acting as the core driver for a modern, efficient, and inclusive state. It's not just a technological upgrade; it fundamentally redefines the relationship between the citizen and the government, transforming historical inefficiencies into agile and reliable services. For the citizen, the value is universal inclusion and streamlined access. Digital Identity eliminates the need for physical presence, queues, and paperwork, allowing millions of people to access vital services from anywhere, anytime, ensuring that rights reach those who need them. Furthermore, a strong digital identity, often backed by biometrics, is significantly more secure against fraud than physical documents, which not only protects the individual from identity theft but also grants them greater control over their own data. For the government, Digital Identity is the pillar of good governance and fiscal integrity. It generates efficiency and cost savings by standardizing and automating authentication processes across all agencies. More importantly, it is the most powerful anti-fraud tool. By ensuring that every citizen is a unique and verifiable individual, the State guarantees that public funds, such as social benefits and emergency aid, are delivered only to the correct recipient, preventing diversion and duplicate payments. Finally, digital identity enables the secure consolidation and cross-referencing of data between government silos, providing a single, accurate view of the citizen for formulating more effective and targeted public policies.

Q: Identity fraud in Brazil is a constant challenge. From your perspective, what are the main vulnerabilities that criminals exploit today? A: Identity fraud in Brazil is a persistent challenge that criminals strategically exploit by attacking the intersection of legacy systems, the proliferation of stolen data, and human fragility. From a digitalization and security standpoint, the vulnerabilities begin with the leakage of personal data. The main fuel for fraud is the vast quantity of stolen and leaked personal data—including CPF, mother's name, and date of birth—available on the dark web, serving as the basis for fraudulent account openings and mass social engineering. Furthermore, criminals exploit cadastral fragmentation by creating synthetic identities, combining a legitimate stolen CPF with fictitious data to pass initial onboarding checks in sectors that lack a unified view of the citizen. Secondly, criminals are masters at attacking processes and the weakest link in any system: the human being. Social Engineering and Phishing remain the most effective tactics, with fraudsters using leaked data to build compelling narratives, manipulating the victim into handing over security codes themselves. Likewise, the SIM Swap attack exploits a procedural vulnerability at telecom operators: by porting the victim's phone number to a new chip, the criminal receives the SMS-based multi-factor authentication (MFA) codes, bypassing application security. Finally, legacy systems perpetuate vulnerabilities, as the historical multiplicity of state ID documents and reliance on manual processes facilitate the forgery and use of stolen documents. Compounding this, emerging technological threats challenge new defenses. As facial biometrics become standard, criminals invest in deepfake videos and high-quality digital masks to deceive the liveness detection mechanisms during account opening. Also, supply chain attacks have become sophisticated, targeting smaller, less-protected third-party vendors to steal sensitive data or inject malicious code into widely used systems.

Q: Brazil has invested in biometrics and digital solutions to authenticate millions of people. What do you think has worked well, and what limitations still persist in these initiatives? A: Brazil's commitment to using biometrics and digital solutions for mass authentication has been pioneering. We have seen significant successes, particularly in consolidating key data, but we also face persistent challenges that must be overcome to achieve true universal digital security.

The Gov.br platform, which uses authentication matching with official government databases (like the National Driver's License/Denatran and the Federal Revenue Service), has been a major achievement. It uses graded authentication levels (Bronze, Silver, Gold), incentivizing citizens to increase their security by using biometrics, thereby providing the state with a robust, verified digital identity layer for accessing thousands of services. But we still struggle with the lack of seamless interoperability between different major government databases. We have several high-quality biometric "silos" that do not yet fully or easily communicate with one another. This fragmentation forces different agencies to run redundant verification checks and complicates the creation of a truly unified identity history.

Q: When discussing anti-fraud technology, people often think only of tools. But from your experience, how important is organizational culture and team training in fraud prevention? A: That is an excellent point. While the public often focuses on the latest tech tools—biometrics, AI, and encryption—my experience shows that organizational culture and team training are just as important as the technology itself, if not more so.

Anti-fraud success is built on a triangle: Technology, Process, and People. If the people and culture sides are weak, even the most advanced technology will fail.

A strong anti-fraud culture must start at the top and permeate every layer of the institution. It transforms fraud prevention from a compliance checklist into a core business value. Technology provides the alerts, but well-trained people provide the context, analysis, and rapid response.

Q: At Serpro, you work with massive-scale data. How do you balance the need for security and accuracy in identification with respect for citizens' privacy and rights? A: Working with massive-scale government data at an institution like Serpro requires a rigorous approach to balance three equally critical needs: security (preventing fraud), accuracy (correct identification), and privacy (citizen rights).

This balance isn't achieved through a single tool, but through a deeply embedded framework of governance, technology, and legal compliance.

The starting point is a strict adherence to the law, particularly Brazil’s Lei Geral de Proteção de Dados (LGPD). This provides the non-negotiable legal foundation. We enforce the "need-to-know" principle. Data collection and usage are strictly limited to what is absolutely necessary for the service. For instance, to verify a user's age, we only access the date of birth, not their address or parent's names. This is built into the architecture from the ground up. Also, every data query or transfer must have a clear, lawful, and specific purpose. We ensure that data collected for tax purposes, for example, is not indiscriminately used for a health service unless authorized by law or explicit consent. We ensure citizens are informed about what data is being used and why. Furthermore, we strictly respect their rights under the LGPD, including the right to access their data, correct it, or request its anonymization where legally applicable.

Technology is used to secure the data and ensure its accurate use, rather than simply maximizing access. Access to sensitive identification data is compartmentalized, monitored, and highly restricted. We use robust role-based access control (RBAC) to ensure only authorized personnel can touch the data, and every access is logged and auditable. For tasks like fraud pattern analysis, quality testing, or machine learning, we prioritize using data that has been anonimized (stripped of personal identifiers) or pseudonymized (identifiers replaced with tokens). This allows us to gain intelligence on trends without exposing individual identities. Data is encrypted both in transit (when moving between systems) and at rest (when stored in databases). Furthermore, we use tokenization for digital identity, where the actual sensitive data (like a full CPF) is replaced with a meaningless digital token for transactions, exposing minimal information.

Q: In recent years, more sophisticated frauds have emerged, such as deepfakes or synthetic identity use. How do you see Brazil's capacity to anticipate these emerging threats? A: Sophisticated threats like deepfakes and synthetic identity fraud represent the cutting edge of cybercrime, demanding a shift from reactive defense to proactive anticipation.

Brazil's capacity to handle these emerging threats is a mixed picture: we have robust strengths in large-scale data and regulatory foundations, but we still face gaps in unified intelligence and technological readiness.

Brazil's greatest asset is its extensive, high-quality data. State-owned institutions like Serpro manage biometric and cadastral data on a national scale. This massive, verified dataset is the best defense against synthetic identity, as it makes it harder to fabricate a unique persona that passes a cross-check verification. The existence of the LGPD (General Data Protection Law) forces organizations to adopt "security by design" principles and promotes greater accountability. This regulatory pressure encourages continuous investment in advanced security, which includes tools necessary to detect sophisticated data manipulation. And the highly competitive and digitalized Brazilian banking and fintech sector acts as a continuous testing ground. These institutions rapidly deploy advanced fraud techniques, such as real-time behavioral biometrics and enhanced liveness detection in facial recognition, which constantly push the market standard for defending against deepfakes and presentation attacks. Despite these strengths, structural and technological gaps slow down our ability to truly anticipate these threats. While data exists, the intelligence often remains siloed. Fraudsters share their methods globally and instantly. To anticipate, the public sector (police, revenue, electoral court) and the private sector (banks, telecom) must create a legally sound, real-time threat intelligence hub. Without this, detection of a synthetic identity used at a bank may lag significantly behind its use at a government agency. The technology to generate deepfakes is becoming cheaper and more accessible much faster than the technology to detect them. Brazil needs greater, concerted investment in AI-driven anti-spoofing techniques that look beyond simple liveness checks to analyze subtle physiological signals or artifacts in the video feed. This requires sustained R&D and a high level of expertise that is still concentrated in only a few private security labs. Policy is often reactive, closing the barn door after the fraud horse has bolted. Anticipation requires regulatory bodies to issue guidelines not just on current vulnerabilities, but on potential future attack vectors. This means actively modeling how threats like generative AI and quantum computing could break current security protocols.

In summary, Brazil has the raw data power to combat synthetic identity and the market dynamism to react to deepfakes. However, to truly anticipate these emerging threats, we must prioritize cross-sector intelligence sharing and dedicate resources to proactive R&D in AI defense, making defense as agile as the attack.

Q: From your direct experience, what are the critical success factors in a public identity verification project: technology, data governance, collaboration with other agencies... or something else? A: My direct experience shows that the critical success of a public identity verification project hinges on a triad of non-technical foundations, with technology being merely the enabler. The single most critical factor is Data Governance and Uniqueness. Without establishing a Single National Standard and ensuring the core data is clean, accurate, and constantly updated, any advanced biometric or digital solution built on top will fail; you simply cannot verify what you cannot identify uniquely. Secondly, Inter-Agency Collaboration is absolutely crucial; success is achieved not by building a better silo, but by transforming isolated government agencies into a unified, trusted verification network capable of sharing intelligence and cross-referencing information in real-time. Finally, the project must be guided by Usability and Inclusion. The system must be secure enough to fight fraud, but simple enough to achieve near 100% citizen adoption, which means ensuring multiple, accessible pathways for verification to prevent security measures from excluding the most vulnerable populations.

Q: When thinking about financial inclusion and access to services, how can we prevent anti-fraud systems from creating barriers for vulnerable citizens who may not have all the necessary documents or technology? A: The paradox is that security can't become a barrier. To prevent anti-fraud systems from excluding vulnerable citizens, we must shift from rigid compliance to inclusion by design. We use multi-tiered authentication, like the Gov.br levels. A simple service only requires low-security access, while high-risk services (like benefit payouts) require full biometric verification. This ensures most people get easy access. We must maintain human-assisted verification points (like dedicated government centers). For those without a smartphone or stable internet, a trained person must be able to validate their identity, bridging the digital gap. The system must accept alternative proofs of identity and historical data cross-references (like tax or health records), rather than rigidly requiring a single, perfect document.

In short, security must be designed to find a way to say "Yes, this is you" through multiple, accessible paths, instead of being a wall that only the most technologically capable can climb.

Q: Juliana, if you could give advice to a young professional starting in compliance and fraud prevention, what experience or learning would you recommend they prioritize? A: Beyond technical knowledge, I strongly recommend seeking out operational experience and "war stories." Theory is not enough. You need to understand the full life-cycle of fraud by either shadowing the incident response team or actively mapping business processes. The criminal always targets the weakest process gap, so learning to think like an attacker—and understanding how to collect evidence and coordinate a response under pressure—is the most valuable education you can get. This cross-disciplinary expertise is what transforms a compliance specialist into an indispensable leader.

Q: Finally, looking ahead, how do you envision Brazil's digital identity ecosystem in 10 years, and what role should Serpro play in that scenario? A: In ten years, I envision Brazil's digital identity ecosystem being fully consolidated and the CPF as the single, authoritative identifier, moving the country toward a system of Self-Sovereign Identity (SSI). This means the digital identity will be a private, encrypted credential managed by the citizen on their mobile device, allowing them to selectively share only the data required (e.g., proving majority without showing their birth date). This foundation will eliminate the current fragmentation of databases, leading to real-time, high-integrity verification across all public and private services. Crucially, this system will integrate seamlessly with future economic models, providing the digital trust necessary for the widespread adoption of new technologies.

Serpro's role in this future should evolve from being a provider of specific applications to being the Sovereign Trust Enabler and the Intelligence Hub for the Federal Government. This means Serpro must maintain the critical, secure infrastructure where the foundational data lives, and leverage its massive data scale to provide advanced, real-time Anti-Fraud Intelligence as a service. Serpro must become the primary layer of trust that verifies a person's biometric and cadastral data against the authoritative sources for all public services. By focusing on security and data integrity, Serpro enables other government agencies and companies to innovate without worrying about core identity verification.