
KYC and AML Requirements for Crypto in Brazil (BACEN & CVM)

Complete guide to KYC and AML compliance for cryptocurrency exchanges and virtual asset service providers in Brazil under BACEN, CVM, and the Marco Legal das Criptomoedas.

Brazil's Crypto Regulatory Framework

Brazil solidified its position as Latin America's largest crypto market when President Lula signed the Marco Legal das Criptomoedas (Law 14,478/2022) in December 2022. This legislation established a formal legal framework for virtual asset service providers (VASPs), creating licensing requirements and designating the Banco Central do Brasil (BACEN) as the primary regulator for crypto assets used as payment instruments.

The law came into effect in June 2023 and marked a significant shift from Brazil's previously unregulated crypto environment to one with clear compliance obligations, including comprehensive KYC and AML requirements.

Key Regulatory Bodies

BACEN (Banco Central do Brasil)

BACEN was designated as the main regulator for virtual asset service providers. Its responsibilities include licensing crypto exchanges, establishing operational standards, and enforcing compliance with anti-money laundering rules. BACEN has been actively developing secondary regulations to implement the Marco Legal framework.

CVM (Comissão de Valores Mobiliários)

The CVM, Brazil's securities regulator, retains authority over crypto assets that qualify as securities tokens. If a token represents an investment contract, equity stake, or debt instrument, it falls under CVM jurisdiction and must comply with securities registration and disclosure requirements. The boundary between BACEN and CVM oversight depends on the nature and function of each token.

COAF (Conselho de Controle de Atividades Financeiras)

The COAF is Brazil's financial intelligence unit, equivalent to the UIF in other Latin American jurisdictions. All VASPs must report suspicious transactions to COAF and maintain robust transaction monitoring systems. COAF analyzes financial intelligence and shares relevant information with law enforcement agencies.

KYC Requirements for Crypto Companies in Brazil

Under the Marco Legal and BACEN's implementing regulations, crypto exchanges and VASPs must implement comprehensive customer identification programs.

Individual Customer Verification

  • CPF (Cadastro de Pessoas Físicas): Brazil's individual taxpayer identification number is mandatory for all customers.
  • Government-issued ID: RG (Registro Geral), CNH (driver's license), or passport.
  • Proof of address: Utility bill, bank statement, or similar document dated within 90 days.
  • Biometric verification: Increasingly required for remote onboarding, particularly for higher-value accounts.
  • Source of funds: Required for transactions exceeding defined thresholds.

For corporate customers, VASPs must verify:

  • CNPJ (Cadastro Nacional da Pessoa Jurídica) registration
  • Articles of incorporation and current corporate bylaws
  • Identification of all beneficial owners holding 25% or more
  • Proof of legal representation and signing authority

Enhanced Due Diligence

Higher-risk customers, including PEPs, non-resident individuals, and entities from high-risk jurisdictions, require enhanced due diligence measures such as additional documentation, senior management approval, and more frequent account reviews.

Joinble's AI-powered identity verification streamlines these processes for Brazilian crypto platforms, supporting CPF validation, Brazilian document verification, and biometric matching in a single automated flow. To understand the fundamentals, explore our guide on what is KYC.

AML Compliance Under Brazilian Law

Brazil's AML framework for crypto is anchored in both the Marco Legal and the broader Law 9,613/1998 (Anti-Money Laundering Law), as amended. Key obligations include:

Transaction Monitoring

VASPs must implement automated systems to detect suspicious patterns, including:

  • Structuring (breaking large transactions into smaller ones to avoid thresholds)
  • Rapid movement of funds through multiple wallets
  • Transactions with sanctioned jurisdictions or wallets
  • Activity inconsistent with the customer's declared profile

Suspicious Activity Reporting

All suspicious transactions must be reported to COAF through the SISCOAF electronic system. Reports must be filed within 24 hours for urgent matters, and VASPs must not inform the customer that a report has been filed (tipping-off prohibition).

Record Keeping

All customer identification records and transaction data must be retained for a minimum of five years from the date of the transaction or the end of the business relationship, whichever is later.

Travel Rule Compliance

Brazil is progressively implementing the FATF Travel Rule, which requires VASPs to share originator and beneficiary information for crypto transfers above defined thresholds. Compliance with this requirement demands technical infrastructure to transmit and receive this data securely between institutions.

LGPD and Data Protection Considerations

Brazil's Lei Geral de Proteção de Dados (LGPD) creates important obligations for crypto companies collecting KYC data. The interaction between AML compliance and data protection requires careful balancing:

  • Legal basis for processing: KYC data collection is justified under the legal obligation basis, but companies must still adhere to data minimization principles.
  • Data retention limits: While AML laws require five-year retention, LGPD requires that data not be kept longer than necessary. Companies must have clear retention policies.
  • Customer rights: Data subjects retain rights to access, correction, and information about how their data is processed, even within compliance contexts.
  • Security requirements: LGPD mandates technical and organizational measures to protect personal data, including encryption, access controls, and incident response plans.

Joinble's platform is designed with privacy by design, ensuring that KYC data collection for Brazilian crypto compliance meets both BACEN requirements and LGPD obligations simultaneously.

Exchange Licensing and Operational Requirements

The Marco Legal requires all VASPs operating in Brazil to obtain authorization from BACEN. Licensing requirements include:

  • Minimum capital requirements based on the scope of services offered
  • Demonstrated compliance infrastructure, including a designated compliance officer
  • Technology systems capable of supporting KYC, AML, and transaction monitoring
  • Cybersecurity frameworks meeting BACEN standards
  • Segregation of customer funds from operational funds
  • Regular reporting to BACEN on operational metrics and compliance activities

Penalties for Non-Compliance

Unlicensed operation carries criminal penalties, including imprisonment of four to eight years plus fines. Licensed entities that violate KYC and AML requirements face administrative sanctions including fines, operational restrictions, and license revocation.

Building a Compliant Crypto Operation in Brazil

For crypto companies seeking to operate compliantly in Brazil, a structured approach is essential:

  1. Determine regulatory classification: Establish whether your tokens fall under BACEN or CVM jurisdiction.
  2. Apply for licensing: Submit a comprehensive application to BACEN demonstrating compliance readiness.
  3. Implement KYC technology: Deploy automated identity verification that supports Brazilian documents and biometric standards. Solutions like Joinble's AI-powered verification platform can accelerate this process.
  4. Build AML infrastructure: Implement transaction monitoring, sanctions screening, and COAF reporting capabilities.
  5. Address LGPD compliance: Ensure your data processing practices meet LGPD requirements alongside AML obligations.
  6. Establish ongoing monitoring: Maintain continuous compliance through regular reviews, staff training, and system updates.

For a comprehensive overview of KYC principles and best practices, visit our resource on what is KYC.

Frequently Asked Questions

Law 14,478/2022, known as the Marco Legal das Criptomoedas, is Brazil's primary legislation regulating virtual asset service providers. It established BACEN as the main regulator and created licensing, KYC, and AML requirements for crypto companies operating in Brazil.

Which regulator oversees crypto in Brazil, BACEN or CVM?

BACEN regulates crypto assets used as payment instruments and oversees exchange licensing. The CVM regulates tokens that qualify as securities. The applicable regulator depends on the nature and function of the specific crypto asset.

What KYC documents do Brazilian crypto exchanges need to collect?

At minimum, exchanges must collect the customer's CPF, a government-issued ID (RG, CNH, or passport), proof of address, and source of funds for larger transactions. Biometric verification is increasingly required for remote onboarding.

How does LGPD affect crypto KYC compliance in Brazil?

The LGPD requires crypto companies to implement data minimization, maintain clear retention policies, respect data subject rights, and implement robust security measures. KYC data collection is legally justified under compliance obligations, but processing must still adhere to LGPD principles.

What are the penalties for operating a crypto exchange without a license in Brazil?

Unlicensed operation can result in criminal penalties of four to eight years imprisonment plus fines. Administrative violations for licensed entities can lead to fines, operational restrictions, and license revocation.

Does Brazil require crypto companies to comply with the FATF Travel Rule?

Brazil is progressively implementing the Travel Rule, which requires VASPs to share originator and beneficiary information for transfers above specified thresholds. Crypto companies should build technical infrastructure to support this requirement.
