namenationalitydate of birthplace of birthaddressidentity documents
namenationalitydate of birthplace of birthaddressidentity documents
full nametype&date of constitutionaddress
cédula de identidade
Law No. 11,419, Of December 19, 2006 Brazil
Law 12,683 amended in Jul 2012. The previous law was issued in 1998 and updated in 2002 (Law 9.613).
The principal regulator is the Conselho de Controle de Atividades Financeiras (“COAF”)
Banco Central do Brasil (“BCB”), Comissão de Valores Mobiliários [Securities regulator] (“CVM”), Conselho Federal de Contabilidade [Accountancy profession regulator] (“CFC”), Ministério da Previdência Social [Pension regulator] (“PREVIC”), Superintendência de Seguros Privados [Insurance regulator] (“SUSEP”), and Conselho Federal de Corretores Imobiliários [Real Estate Agencies regulator] (“COFECI”)
Yes. All entities subject to the law are required to identify their clients (and ultimate beneficial owners) and keep each client’s KYC profile up-to-date. Whilst the law does not directly require retrospective
review/remediation of clients, it does expect firms to be able to identify their clients.
Yes. The FATF published an executive summary of the mutual evaluation report which summarises the AML/CFT measures in place in the Federative Republic of Brazil (hereinafter “Brazil”) as at the time of the on-site visit (26 Oct 2009 to 7 Nov 2009), and shortly thereafter. On 12 Mar 2012, the Central Bank amended the rules applicable to procedures that must be adopted by financial institutions in the prevention and combat of money laundering and terrorism financing, as a response to the recommendations of FATF. The main measures include: a) enactment of Circular No. 3,583, which sets forth that: a. financial institutions shall not initiate any relationship with clients, or proceed with existing relationships, if it is not possible to fully identify such clients; and b. anti-money laundering procedures are also applicable to agencies and subsidiaries of Brazilian financial institutions located abroad. b) enactment of Circular No. 3,584, establishing that the institutions authorised to operate in the Brazilian foreign exchange market with financial institutions located abroad must verify if the other party is physically present in the country where it was organised and licensed or is object of effective supervision; and c) enactment of Letter 17 Circular No. 3,542 (“Letter Circular No. 3,542”), which increases the list of examples of transactions and situations which may characterise evidence of occurrence of money laundering, tending to improve the communication between financial institutions and the COAF.
No. The thresholds highlighted in the law relate to the reporting of suspicious activities or transactions to COAF. These include:
a) actual or proposed issuance or recharge of one or more store value cards totaling BRL100,000 (approx. USD24,790) in a given calendar month;
b) actual or proposed cash transactions exceeding BRL100,000 (approx. USD24,790);
c) suspected transactions above BRL10,000 (approx. USD2,480) (i.e. those involving suspicious parties or values, or without economic reasons, etc.);
d) transactions apparently intended to sidestep identification mechanisms or controls; and
e) actions suspected of financing terrorist activity
Individuals: Full name, nationality, date and place of birth, address, official ID document (type, number, date of emission and emitting institution), number of inscription on the Cadastro de Pessoa Física
(“CPF”) etc. Full name is to be verified against a local identification document.
Corporations: Full name, type and date of constitution, address, documents containing the same information required for individuals who qualify and authorise the representatives to use the account, number
of inscription on the Cadastro Nacional de Pessoa Jurídica (“CNPJ”) etc. Names of legal entities are verified against the Register of Certification (there are also other detailed requirements)
The law states that, where the client is legal entity (as opposed to a private individual), it is necessary to identify the beneficial owners and other individuals or entities that are authorised to represent that
N/A – The law does not permit reduced/simplified due diligence in any circumstances
N/A – Firms are required to identify and verify identity of all clients, representatives and beneficial owners. Where there is a PEP relationship, firms are required to record that relationship as a PEP
relationship, but the law does not require specific additional due diligence on top of that.
The main measures include: a) enactment of Circular No. 3,583, which sets forth that: a. financial institutions shall not initiate any relationship with clients, or proceed with existing relationships, if it is not possible to fully identify such clients; and b. anti-money laundering procedures are also applicable to agencies and subsidiaries of Brazilian financial institutions located abroad. b) enactment of Circular No. 3,584, establishing that the institutions authorised to operate in the Brazilian foreign exchange market with financial institutions located abroad must verify if the other party is physically present in the country where it was organised and licensed or is the object of effective supervision; and c) enactment of Letter 17 Circular No. 3,542 (“Letter Circular No. 3,542”), which increases the list of examples of transactions and situations which may characterise evidence of occurrence of money laundering, intending to improve the communication between financial institutions and the COAF.
No. Although they are not prohibited, they are closely monitored.
None stated in local regulations or guidance.
Conselho de Controle de Atividades Financeiras (“COAF”)
Yes. All of the following must be reported: a) actual or proposed issuance or recharge of one or more store value cards totaling BRL100,000 (approx. USD24,890) in a given calendar month; b) actual or proposed cash transactions exceeding BRL100,000 (approx. USD24,890); c) suspected transactions above BRL10,000 (approx. USD2,490) (i.e. those involving suspicious parties or values, or without economic reasons, etc.); d) transactions apparently intended to sidestep identification mechanisms or controls; and e) actions suspected of financing terrorist activity.
BRL5,000 (approx. USD1,240)
Yes. The law provides for the following sanction/fines for non-compliance (including non-compliance with reporting requirements): a) warning; b) fine (up to BRL20m (approx. USD5m); and/or c) suspension/ban (private individuals and legal entities).
Yes, in some cases the COAF requests the Bank does not terminate the account or relationship with the client so that the COAF can best investigate the transactions of a particular customer. In this case all
The bank secrecy law prevents a client's activities from being monitored or reported outside the country
No. However, there is a legal requirement (Resolution CFC 1445/13) which requires external auditors to communicate to COAF if they suspect issues at their clients. The main objective of the Resolution is
Yes. Article 5 of the Brazilian Constitution provides that the “privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages is ensured.” Article 5 also grants habeas data. It guarantees the right of privacy and ensures consumers have the right to know what data are held about them and they have the right to correct that data. However, these rights of knowledge and correction under the Constitution currently exist only with respect to records or databases of government agencies or agencies of a public character.
Yes. The Consumer Protection Law of 1990 regulates consumer databases held by banks, credit agencies, and other companies. “Consumer” is defined broadly under the Law as “any individual or body corporate who acquires or uses any product or service as an end user.” The law requires that any consumer data stored in a database should be truthful, objective, and easily understood, and prohibits containing the same piece of the storage of any negative information about a consumer for more than five years. If the consumer did not request that his or her information be stored, the collector must notify the consumer in writing of the inclusion of his or her name in a database. Additionally, consumers are given the right to correct information about themselves. Article 43 of the Consumer Protection Law grants consumers free access of any of their own information stored in a database. It also gives consumers the right to request the prompt correction of an inaccuracy in his information and requires that the requested correction must be made within five days.
Yes. The Constitution and the Civil Code apply to all individuals and legal entities. The Consumer Protection Code applies to relationships between consumers and service/product providers, including those performed on the internet.
Yes. The Credit Information Law (“CIL”) of 2011 imposes several requirements on the creation and access to databases related to credit information. The law forbids the processing of data that is unnecessary in deciding whether to grant credit. This prohibition specifically applies to sensitive data such as political, religious, sexual, and health information. Data subjects have the right to access, rectify, and erase data and be informed of the database manager’s identity and the identity of third parties that will have access to the data. Lastly, the law imposes data quality obligations on the data processors. The CIL regulates “the creation and the access to databases related to credit information of citizens and companies”. We highlight that this legal instrument enacts principles and rules related to data quality as objectivity, clearness, truthfulness and comprehensibleness of data. It forbids the processing of excessive information (data not necessary to credit granting or other banking services) and sensitive information (understood as related to social and ethnic origins, health, genetics, sexuality, and political, religious and philosophical convictions) (Article 3°). It covers the purpose principle and rights to the data subjects, so the right to access, the right of rectification and erasure of data, the right to know the criteria used by the banks in order to evaluate the credit’s risk, the right to be informed previously about the existence of the data storage, the data base manager’s identity and about the identity of the third parties that will have access to data, finally the right to be informed about the purpose of the processing and to have a second analysis of a decision based on automatic means (Articles 5° and 7°). Database managers are obliged to inform citizens about all the stored or obtained personal information as well as about the sources through which this information was obtained, to provide information about third parties that have access to personal data and to provide information about citizens’ rights (Article 6°). Last point, CIL also imposes data quality obligations to processors (Article 8°). Medical data may be protected by patient-doctor confidentiality, as well as by individual privacy and personal rights set out in the Constitution. Employment law regulates the use of information collected in background checks (concerning criminal convictions, political beliefs, sexual preferences, and so on). The use of this information may be illegal if used for discriminatory purposes.
Brazil’s law allows only for electronic signatures that utilize the Brazilian public key infrastructure (PKI). While these government-authorized signatures are legal, the use of simple electronic signatures is not provided for under the law.
Summary of law
Brazil generally follows the UNCITRAL Model Law on Electronic Signatures. However, under Article 1, it imposes the additional restriction of allowing only its own version of PKI to be legally recognized. Documents and signatures that use this PKI are considered legal and enforceable for all public and private purposes under Article 10.
The 2012 law is more wide-ranging with regards to the types of illicit activity that fall under the law (now “any harmful act”) and the types of business that are now subject to it (now includes notaries, real estate firms, sports agents, consultants, factoring companies etc.). Furthermore, the maximum value of fines that can be levied under the law has increased from BRL200,000 (approx. USD50,000) to BRL20m (approx. USD5m). The other significant change is the law concerns the reporting of suspicious activities and transactions to regulators – the new law now specifies that such reporting must be to the Conselho de Controle de Atividades Financeiras (“COAF”) and that the submission of such reports must not be discussed with anyone (not just the entity referred to in the report).
Whilst the law does not specifically permit a risk-based approach, it does state that KYC/AML policies established by firms should be compatible (i.e. proportional) to the nature and scale of the firm’s
Original documentation is required to be presented as part of the identification and verification process. The law is silent on when firms can or cannot accept independently verified or authenticated copies of
There are no restrictions on the international transfer of data, provided the subject consented to the initial gathering and processing. It is advisable, when consent is obtained, for the data subject to be
Yes. Any personal data submitted by or obtained from a data subject may be regulated under the general provisions of the Constitution, Civil Code and Consumer Protection Code, including: name, personal address, identification number, income, bank account, credit card number and any personal communication exchanged without any intent to go public (such as personal e-mails, internet logs and messaging).