On Tuesday, May 23, the Central Bank of Brazil (Bacen) and the National Monetary Council (CMN) published Joint Resolution 6/23. It provides for the sharing of data related to evidence of fraud by financial institutions, payment institutions, and other institutions authorized by Bacen to carry out transactions with one another.

The rule aims to reduce the asymmetry of information among these institutions by establishing a minimum set of data and information that must be shared by them in their procedures and internal controls for fraud prevention.

Who is subject to the rule?

  • Financial institutions, payment institutions and other institutions authorized to operate by Bacen.
  • Administrators of purchasing consortia are expressly excluded from the scope of the resolution.
  • Institutions subject to the rule may participate in the sharing system both in terms of registration and access to registered data and information.

What must be shared?

  • Information identifying those who have allegedly carried out fraud or attempted to do so, according to available probable cause, when applicable. This verification, in turn, should be based on procedures and criteria defined and documented by the institutions in a way that is detailed and compatible with their risk profile, legislation and regulations in force. This includes, as a minimum requirement, the verification of data from systems, registers and other databases available for consultation.
  • The description of probable cause of the occurrence or attempt of fraud.
  • Information identifying the institution responsible for registering the data and information.
  • The data of the recipient account and its holder if there has been a transfer of funds or payment.

The registry does not apply to confidential data and information - in the terms expressed in specific legislation - related to probable cause of laundering or concealment of assets, rights and valuables, and financing of terrorism.

Is it necessary for the customer to consent?

  • Institutions must obtain prior and general consent from the customer with whom they have a relationship to record their data and information for the purpose of processing and sharing information on probable cause of fraud under the terms of the resolution.
  • Consent may be included in the agreement signed between the customer and the institution, in a highlighted clause, or obtained through another valid legal instrument. In both cases, the documentation must be made available to Bacen.
  • The provisions of the resolution do not remove the duty of confidentiality, protection of personal data and free competition to be observed by the institutions.

How will data be shared?

The resolution provides for the implementation and use of an electronic system that allows, as a minimum requirement, for the registration of data and information on probable cause of the occurrence or attempt of fraud identified by the institutions, as well as their alteration, removal and consultation.

  • Sharing must also observe the principles listed in the standard, which include security and privacy, as well as full and non-discriminatory access by institutions to the system's functionalities.
  • Joint Resolution 6/23 also establishes security, data protection and interoperability requirements to be observed by the institutions. Among them, it is worth mentioning the need to identify and segregate the data recorded by means of physical or logical controls, as well as to adopt a single and common communication standard that allows the system functionalities to be executed.
  • Institutions must also adopt control mechanisms to ensure effective compliance with the resolution, including the definition of processes, tests and audit trails, metrics and indicators, as well as the identification and correction of any deficiencies.
  • The institution may hire third parties to provide the data sharing service, remaining responsible for compliance with the resolution and for observing the applicable regulations (mainly Bacen Resolution 4,893/21, concerning the contracting of data processing and storage and cloud computing services).

Roles of Bacen

  • Institutions must share with Bacen documentation about the electronic system and compliance with the requirements applicable to its implementation - including security, data protection and interoperability.
  • The data shared by the system and the documentation containing the criteria and procedures for identifying the person possibly responsible for the fraud attempt must remain available for ten years.
  • Data, records, and information about the application of the system's control mechanisms must remain available for five years from each application of the controls.
  • Bacen may adopt the necessary measures for executing the resolution, such as establishing additional functionalities for the electronic system, observing the minimum content expected, and detailing the parameters on service level agreements in the execution of the functionalities.
  • Compliance with the provisions of Joint Resolution 6/23 does not exempt the institution from the responsibility to carry out procedures and controls for fraud prevention provided for in the regulations in force or to report information on fraud to the competent authorities, as provided for by law.