Brazil -- AML/CFT Compliance Regulatory Overview

Brazil's cryptocurrency and virtual asset service providers must comply with comprehensive AML/CFT requirements established under the Virtual Assets Law and enforced by multiple regulatory bodies.

Legal Framework

Primary Legislation: Law No. 14,478/2022 (Brazilian Virtual Assets Law or BVAL) provides the foundational regulatory framework for virtual assets and virtual asset service providers (VASPs)[1][5]. This law became effective on June 20, 2023, and was amended to include VASPs among entities subject to anti-money laundering control mechanisms[5].

Supporting Regulatory Framework: The Central Bank of Brazil (BCB) issued three key resolutions to structure crypto operations[1]:

• Resolution BCB N. 519: Establishes authorization procedures and minimum requirements for incorporation, operation, and governance structures for VASPs[1]
• Resolution BCB N. 521: Extends AML/CFT protections to foreign exchange and virtual asset operations, incorporating them into Brazil's exchange regulatory framework[1]

These resolutions entered into force on February 2, 2026, with certain provisions of Resolution 521 taking effect in May 2026[1].

Customer Due Diligence and KYC Requirements

VASPs must implement stringent know-your-client (KYC) procedures to verify customer identities[4][5]. Under internal control requirements, institutions must maintain identification of clients and legal entities with up-to-date records[3].

A USD 100,000 limit applies to transactions with non-authorized counterparties—a threshold specifically designed as a risk mitigation measure and to reduce exposure to unsupervised entities commonly associated with illicit finance[1].

Suspicious Transaction Reporting

VASPs must monitor transactions for suspicious activities and report unusual transactions to the appropriate authorities[4]. The following transactions require reporting to COAF (Council for Financial Activities Control):

• Cash transactions equal to or greater than BRL 10,000[3]
• Transactions to non-Brazilian bank accounts equal to or greater than BRL 100,000[3]
• Immediate reporting of suspicious transactions within 24 hours of identifying suspicion[3]
• Reporting of sanctions matches and serious evidence of terrorism financing[3]

Brazil also enforces the FATF-aligned Travel Rule for cryptocurrency transactions exceeding BRL 10,000, requiring CASPs to collect and share identifying information[4].

Record-Keeping and Internal Controls

Institutions must maintain updated and effective training programs for employees on appropriate legal measures[3]. Required governance policies encompass fraud and crime prevention mechanisms, business continuity planning, and detailed procedures for monitoring atypical transactions[1].

The resolution requires nomination of at least one Executive or administrator responsible for AML/CFT compliance, internal controls, and risk management, aligning institutions with international best practices[1].

VASPs must declare virtual assets transferred abroad or received from other jurisdictions, aligning virtual asset operations with AML/CFT obligations applicable to cross-border capital movements[1].

Regulatory Oversight and Compliance Authority

Central Bank of Brazil (BCB) serves as the primary regulator responsible for authorizing, regulating, and supervising VASPs, establishing operational rules and compliance standards[2][4].

Council for Financial Activities Control (COAF) is Brazil's financial intelligence unit for AML/CFT, responsible for regulating financial institutions, enforcing sanction policies, investigating suspicious transactions, and monitoring clients or accounts posing serious risks to Brazil's financial sector[3][5].

Securities and Exchange Commission (CVM) has jurisdiction over cryptoassets qualifying as securities, regulating their public offerings and trading[2].

Federal Revenue Service (RFB) also oversees CASP compliance with legal requirements[4].