KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namenationalitydate of birthplace of birthaddressidentity documents

KYC to onboard international persons

namenationalitydate of birthplace of birthaddressidentity documents

corporate requirements

full nametype&date of constitutionaddress

National ID card name

cédula de identidade

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Law No. 11,419, Of December 19, 2006 Brazil

E-sig law files

What year did the relevant AML laws and regulations become effective?

2012

Further details on AML regime

Law 12,683 amended in Jul 2012. The previous law was issued in 1998 and updated in 2002 (Law 9.613).

Who is the regulator for AML controls for Banking

The principal regulator is the Conselho de Controle de Atividades Financeiras (“COAF”)

Link to site

https://www.coaf.fazenda.gov.br/

Other financial Services

Banco Central do Brasil (“BCB”), Comissão de Valores Mobiliários [Securities regulator] (“CVM”), Conselho Federal de Contabilidade [Accountancy profession regulator] (“CFC”), Ministério da Previdência Social [Pension regulator] (“PREVIC”), Superintendência de Seguros Privados [Insurance regulator] (“SUSEP”), and Conselho Federal de Corretores Imobiliários [Real Estate Agencies regulator] (“COFECI”)

Website of Regulator

http://www.bcb.gov.br

Financial Sector regulator

N/A

Practical Guidance for AML

Yes

Practical guidance PDF's

www.coaf.fazenda.gov.br

Is there a requirement to verify the identity of customers retroactively?

Yes.

Retroactive details

Yes. All entities subject to the law are required to identify their clients (and ultimate beneficial owners) and keep each client’s KYC profile up-to-date. Whilst the law does not directly require retrospective review/remediation of clients, it does expect firms to be able to identify their clients.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Yes. The FATF published an executive summary of the mutual evaluation report which summarises the AML/CFT measures in place in the Federative Republic of Brazil (hereinafter “Brazil”) as at the time of the on-site visit (26 Oct 2009 to 7 Nov 2009), and shortly thereafter. On 12 Mar 2012, the Central Bank amended the rules applicable to procedures that must be adopted by financial institutions in the prevention and combat of money laundering and terrorism financing, as a response to the recommendations of FATF. The main measures include: a) enactment of Circular No. 3,583, which sets forth that: a. financial institutions shall not initiate any relationship with clients, or proceed with existing relationships, if it is not possible to fully identify such clients; and b. anti-money laundering procedures are also applicable to agencies and subsidiaries of Brazilian financial institutions located abroad. b) enactment of Circular No. 3,584, establishing that the institutions authorised to operate in the Brazilian foreign exchange market with financial institutions located abroad must verify if the other party is physically present in the country where it was organised and licensed or is object of effective supervision; and c) enactment of Letter 17 Circular No. 3,542 (“Letter Circular No. 3,542”), which increases the list of examples of transactions and situations which may characterise evidence of occurrence of money laundering, tending to improve the communication between financial institutions and the COAF.

PDF of FATF review

mutualevaluationreportofbrazil.html

Are there minimum transaction thresholds (Y/N)

More details on minimum transaction thresholds.

No. The thresholds highlighted in the law relate to the reporting of suspicious activities or transactions to COAF. These include: a) actual or proposed issuance or recharge of one or more store value cards totaling BRL100,000 (approx. USD24,790) in a given calendar month; b) actual or proposed cash transactions exceeding BRL100,000 (approx. USD24,790); c) suspected transactions above BRL10,000 (approx. USD2,480) (i.e. those involving suspicious parties or values, or without economic reasons, etc.); d) transactions apparently intended to sidestep identification mechanisms or controls; and e) actions suspected of financing terrorist activity

What are the requirements for customer identification information for individuals

Individuals: Full name, nationality, date and place of birth, address, official ID document (type, number, date of emission and emitting institution), number of inscription on the Cadastro de Pessoa Física (“CPF”) etc. Full name is to be verified against a local identification document.

Details to be Collected on Corporates

Corporations: Full name, type and date of constitution, address, documents containing the same information required for individuals who qualify and authorise the representatives to use the account, number of inscription on the Cadastro Nacional de Pessoa Jurídica (“CNPJ”) etc. Names of legal entities are verified against the Register of Certification (there are also other detailed requirements)

What are the high level requirements around beneficial ownership (identification and verification)?

The law states that, where the client is legal entity (as opposed to a private individual), it is necessary to identify the beneficial owners and other individuals or entities that are authorised to represent that

What circumstances are enhanced customer due diligence measures required?

N/A – The law does not permit reduced/simplified due diligence in any circumstances

How should FI's deal with Politically exposed persons

N/A – Firms are required to identify and verify identity of all clients, representatives and beneficial owners. Where there is a PEP relationship, firms are required to record that relationship as a PEP relationship, but the law does not require specific additional due diligence on top of that.

What enhanced due diligence must be performed for correspondent banking relationships?

The main measures include: a) enactment of Circular No. 3,583, which sets forth that: a. financial institutions shall not initiate any relationship with clients, or proceed with existing relationships, if it is not possible to fully identify such clients; and b. anti-money laundering procedures are also applicable to agencies and subsidiaries of Brazilian financial institutions located abroad. b) enactment of Circular No. 3,584, establishing that the institutions authorised to operate in the Brazilian foreign exchange market with financial institutions located abroad must verify if the other party is physically present in the country where it was organised and licensed or is the object of effective supervision; and c) enactment of Letter 17 Circular No. 3,542 (“Letter Circular No. 3,542”), which increases the list of examples of transactions and situations which may characterise evidence of occurrence of money laundering, intending to improve the communication between financial institutions and the COAF.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

No. Although they are not prohibited, they are closely monitored.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

None stated in local regulations or guidance.

To whom are SAR's made? (suspicious activity reports)

Conselho de Controle de Atividades Financeiras (“COAF”)

Link to website of SAR reporting

www.coaf.fazenda.gov.br

Other Suspicious or unusual transactions obligations.

Yes. All of the following must be reported: a) actual or proposed issuance or recharge of one or more store value cards totaling BRL100,000 (approx. USD24,890) in a given calendar month; b) actual or proposed cash transactions exceeding BRL100,000 (approx. USD24,890); c) suspected transactions above BRL10,000 (approx. USD2,490) (i.e. those involving suspicious parties or values, or without economic reasons, etc.); d) transactions apparently intended to sidestep identification mechanisms or controls; and e) actions suspected of financing terrorist activity.

Are there any de-minimis thresholds below which transactions do not need to be reported?

BRL5,000 (approx. USD1,240)

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes. The law provides for the following sanction/fines for non-compliance (including non-compliance with reporting requirements): a) warning; b) fine (up to BRL20m (approx. USD5m); and/or c) suspension/ban (private individuals and legal entities).

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

No.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Yes, in some cases the COAF requests the Bank does not terminate the account or relationship with the client so that the COAF can best investigate the transactions of a particular customer. In this case all

Does the local legislation allow transactions to be monitored outside the jurisdiction?

The bank secrecy law prevents a client's activities from being monitored or reported outside the country

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

No. However, there is a legal requirement (Resolution CFC 1445/13) which requires external auditors to communicate to COAF if they suspect issues at their clients. The main objective of the Resolution is

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

Yes. Article 5 of the Brazilian Constitution provides that the “privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages is ensured.” Article 5 also grants habeas data. It guarantees the right of privacy and ensures consumers have the right to know what data are held about them and they have the right to correct that data. However, these rights of knowledge and correction under the Constitution currently exist only with respect to records or databases of government agencies or agencies of a public character.

Data Protection for Corporate Data

Yes. The Consumer Protection Law of 1990 regulates consumer databases held by banks, credit agencies, and other companies. “Consumer” is defined broadly under the Law as “any individual or body corporate who acquires or uses any product or service as an end user.” The law requires that any consumer data stored in a database should be truthful, objective, and easily understood, and prohibits containing the same piece of the storage of any negative information about a consumer for more than five years. If the consumer did not request that his or her information be stored, the collector must notify the consumer in writing of the inclusion of his or her name in a database. Additionally, consumers are given the right to correct information about themselves. Article 43 of the Consumer Protection Law grants consumers free access of any of their own information stored in a database. It also gives consumers the right to request the prompt correction of an inaccuracy in his information and requires that the requested correction must be made within five days.

Data protection for "sensitive Data" and additional protections.

Yes. The Constitution and the Civil Code apply to all individuals and legal entities. The Consumer Protection Code applies to relationships between consumers and service/product providers, including those performed on the internet.

Do any restrictions on the transfer of credit reports exist?

Yes. The Credit Information Law (“CIL”) of 2011 imposes several requirements on the creation and access to databases related to credit information. The law forbids the processing of data that is unnecessary in deciding whether to grant credit. This prohibition specifically applies to sensitive data such as political, religious, sexual, and health information. Data subjects have the right to access, rectify, and erase data and be informed of the database manager’s identity and the identity of third parties that will have access to the data. Lastly, the law imposes data quality obligations on the data processors. The CIL regulates “the creation and the access to databases related to credit information of citizens and companies”. We highlight that this legal instrument enacts principles and rules related to data quality as objectivity, clearness, truthfulness and comprehensibleness of data. It forbids the processing of excessive information (data not necessary to credit granting or other banking services) and sensitive information (understood as related to social and ethnic origins, health, genetics, sexuality, and political, religious and philosophical convictions) (Article 3°). It covers the purpose principle and rights to the data subjects, so the right to access, the right of rectification and erasure of data, the right to know the criteria used by the banks in order to evaluate the credit’s risk, the right to be informed previously about the existence of the data storage, the data base manager’s identity and about the identity of the third parties that will have access to data, finally the right to be informed about the purpose of the processing and to have a second analysis of a decision based on automatic means (Articles 5° and 7°). Database managers are obliged to inform citizens about all the stored or obtained personal information as well as about the sources through which this information was obtained, to provide information about third parties that have access to personal data and to provide information about citizens’ rights (Article 6°). Last point, CIL also imposes data quality obligations to processors (Article 8°). Medical data may be protected by patient-doctor confidentiality, as well as by individual privacy and personal rights set out in the Constitution. Employment law regulates the use of information collected in background checks (concerning criminal convictions, political beliefs, sexual preferences, and so on). The use of this information may be illegal if used for discriminatory purposes.

Regulator Acronym

COAF

Year of last FATF mutual evaluation

2016

Field 67

none stated

National ID card details

Compulsory to be issued since the age of 18

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Brazilian_identity_card

Passport Photo

practical Guidance yes / no

Legal Requirement

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

COAF

shell banks

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

BRL 100,000

Min transaction USD

24790

Personal Data protection

Data Protection for Corporates

Personal Data Protection Act

https://www.constituteproject.org/constitution/Brazil_2014.pdf

key restrictions

There are no critical restrictions under the law.

Summary

Brazil’s law allows only for electronic signatures that utilize the Brazilian public key infrastructure (PKI). While these government-authorized signatures are legal, the use of simple electronic signatures is not provided for under the law. Summary of law Brazil generally follows the UNCITRAL Model Law on Electronic Signatures. However, under Article 1, it imposes the additional restriction of allowing only its own version of PKI to be legally recognized. Documents and signatures that use this PKI are considered legal and enforceable for all public and private purposes under Article 10.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

The 2012 law is more wide-ranging with regards to the types of illicit activity that fall under the law (now “any harmful act”) and the types of business that are now subject to it (now includes notaries, real estate firms, sports agents, consultants, factoring companies etc.). Furthermore, the maximum value of fines that can be levied under the law has increased from BRL200,000 (approx. USD50,000) to BRL20m (approx. USD5m). The other significant change is the law concerns the reporting of suspicious activities and transactions to regulators – the new law now specifies that such reporting must be to the Conselho de Controle de Atividades Financeiras (“COAF”) and that the submission of such reports must not be discussed with anyone (not just the entity referred to in the report).

Non financial sector (e.g. casinos, high value goods etc.)

N/A

Does the country have a risk based approach?

Whilst the law does not specifically permit a risk-based approach, it does state that KYC/AML policies established by firms should be compatible (i.e. proportional) to the nature and scale of the firm’s operations.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Original documentation is required to be presented as part of the identification and verification process. The law is silent on when firms can or cannot accept independently verified or authenticated copies of original documentation.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

There are no restrictions on the international transfer of data, provided the subject consented to the initial gathering and processing. It is advisable, when consent is obtained, for the data subject to be

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

Yes. Any personal data submitted by or obtained from a data subject may be regulated under the general provisions of the Constitution, Civil Code and Consumer Protection Code, including: name, personal address, identification number, income, bank account, credit card number and any personal communication exchanged without any intent to go public (such as personal e-mails, internet logs and messaging).