The Central Bank of Brazil (Bacen) and the National Monetary Council (CMN) published on Tuesday, the 23rd, Joint Resolution 6/23, which provides for the sharing of data related to indications of fraud by financial institutions, payment institutions, and other institutions authorized by Bacen to operate among themselves.
The rule aims to reduce the asymmetry of information between these institutions by establishing a minimum list of data and information that must be shared by them in their internal procedures and controls for prevention of fraud.
Who is subject to the rule?
- Financial institutions, payment institutions, and other institutions authorized to operate by Bacen.
- Consortium administrators are expressly excluded from the scope of the resolution.
- Institutions subject to the rule will be able to participate in the sharing system both at the point of registration and at the point of access to the data and information registered.
What should be shared?
- Those who supposedly carried out or attempted to carry out the fraud, according to the available evidence, where applicable. This determination, in turn, should be based on procedures and criteria defined and documented by the institutions in a detailed manner and compatible with their risk profile, legislation, and regulations in force (including, at a minimum, verification with data contained in systems, registers, and other databases available for consultation).
- A description of the indications that fraud has occurred or has been attempted.
- The institution responsible for recording data and information.
- Details of the recipient account and its holder in the event of transfer or payment of funds.
The record does not apply to confidential data and information, under the terms expressed in special legislation, related to evidence of commission of the crimes of laundering or concealment of assets, rights, and valuables and financing of terrorism.
Does the customer need to consent?
- Institutions should obtain from customers with whom they have a relationship prior and general consent to record their data and information, for the purpose of processing and sharing information on indications of fraud under the terms of the resolution.
- Consent may be included in the contract between the client and the institution, in a prominent clause, or obtained through another valid legal instrument. In both cases, the documentation must be made available to Bacen.
- The provisions of the resolution do not remove the duty of confidentiality, protection of personal data, and free competition to be observed by the institutions.
What will sharing look like?
- The regulation provides for the implementation and use of an electronic system that allows, at a minimum, registration of data and information on indications of occurrence or attempted fraud identified by the institutions, as well as alteration, deletion, and consultation
- Sharing must also comply with the principles listed in the standard, which include security and privacy, as well as full and non-discriminatory access by institutions to the system's functionalities.
- Joint Resolution 6/23 also establishes security, data protection, and interoperability requirements to be observed by the institutions. Among the requirements, it is worth highlighting the need to identify and segregate the data recorded by means of physical or logical controls, as well as to adopt a single and common communication standard that allows execution of the system's functionalities.
- Institutions should also adopt control mechanisms to ensure effective compliance with the resolution, including definition of processes, tests and audit trails, metrics and indicators, as well as identification and correction of any deficiencies.
- The institution may hire third parties to provide the data sharing service, remaining responsible for compliance with the resolution and for observing the applicable regulations (mainly Bacen Resolution 4,893/21, on the contracting of data processing and storage and cloud computing services).
- Institutions should make documentation on the electronic system and compliance with the requirements applicable to its implementation - including security, data protection, and interoperability - available to Bacen.
- The data shared by the system and the documentation containing the criteria and procedures for identifying the possible perpetrator of the fraud attempt should be available for ten years.
- Data, records, and information on application of the system's control mechanisms should remain available for five years, from each application of the controls.
- Bacen may adopt the measures necessary for implementation of the resolution, such as establishing additional functionalities for the electronic system, observing the minimum content provided, and detailing the parameters on service level agreements in the execution of the functionalities.
Compliance with the provisions of Joint Resolution 6/23 does not exempt the institution from the responsibility to carry out procedures and controls for fraud prevention provided for in the regulations in force or to report information on fraud to the competent authorities, as provided for by law.