BCB Resolution 498, published on September 5, establishes new rules to ensure greater security of the National Financial System (SFN) and the Brazilian Payment System (SPB). The set of measures brings new requirements that information technology service providers (PSTIs) must adopt to increase the cybersecurity of their operations. From now on, the Central Bank of Brazil (BCB) will require the accreditation of these service providers in order for them to operate connected to the National Financial System Network (RSFN).

Accreditation of PSTIs with the BCB must meet the following requirements:

  • Adherence to the principles and rules of the National Financial System Network;
  • Proof of the regular incorporation of the PSTI;
  • Proof that the PSTI does not fall under any regulatory prohibition;
  • Proof of technical and operational capacity to provide data processing services for the purposes of access to the RSFN. The requirements established in the resolution and the technical standards on electronic data communication within the scope of the SFN, established by the Department of Information Technology (Deinf) of the BCB, must be observed;
  • Designation of an officer or officers responsible for information security, cybersecurity, and risk management and compliance, with technical training compatible with the duties of the position. This training must be proven by academic background, professional experience in the area of activity, or specific technical knowledge related to information security, cybersecurity, and risk management and compliance;
  • Designation of an officer or officers responsible for operational crisis management, with technical training compatible with the duties of the position, proven by academic background, professional experience in the area, or specific technical knowledge related to operational crisis management;
  • Compliance, by the controlling shareholder, the members of the control group and the PSTI's officers, with the specific conditions set out in the resolution. The conditions are: unblemished reputation; proof of technical qualification or professional experience compatible with the duties of the position or function, considering the complexity and size of the PSTI; not having been declared bankrupt or insolvent, unless rehabilitated; and proof, by means of a certificate from an independent auditor registered with the Brazilian Securities and Exchange Commission (CVM), of regular registration status with the Federal Revenue Service and of the absence of serious restrictions in defaulter registries that could compromise their ability to manage or control the PSTI;
  • Proof of paid-up capital stock and net equity in the minimum amount of R$ 15 million. The BCB may require a higher amount, proportional to the projected volume of operations and the PSTI's risk profile, to be demonstrated through financial statements audited by an independent auditing firm registered with the CVM;
  • Proof of the establishment of the corporate governance and risk management mechanisms provided for in the resolution;
  • Proof of technical and operational capacity to provide information to the BCB, in accordance with the resolution;
  • Proof of obtaining and maintaining information security certification based on an internationally recognized standard, or independent assurance accepted by the BCB;
  • Proof of contracting an annual independent external audit in information security and, when applicable, in the prevention of money laundering and terrorist financing, with submission of reports to the BCB and to the contracting institutions;
  • Proof of contracting civil liability and operational risk insurance, with minimum coverage defined by the BCB, including coverage for fraud and cybersecurity incidents; and
  • Preparation and maintenance of a business continuity plan and periodic contingency tests, with annual proof to the BCB.

According to BCB Resolution 498/25, PSTIs must have a corporate governance structure compatible with their nature, size, complexity, structure, and risk profile, ensuring transparent decision-making processes, effective internal control mechanisms, and adequate risk management.

In addition, PSTIs must establish, within senior management, officers responsible for critical functions, such as a Director of Information and Cyber Security.

PSTIs must also segregate the activities, computing environments and other resources necessary for providing processing services for the purposes of access to the RSFN from any other services or activities they may provide.

This must be done together with the adoption of risk management policies compatible with their nature, size, complexity, structure, and risk profile, supported by market principles and best practices. These policies must address information and cyber security, business continuity, operational crisis management, fraud management, internal controls and compliance, and internal audit.

The business continuity policies must include, at least:

  • procedures and estimated deadlines for resuming and recovering activities in the event of an interruption of critical business processes, as well as the necessary communication actions;
  • testing and review of business continuity at least annually;
  • installation and operation of a secondary processing center, exposed to risks different from those of the main processing center, capable of processing volumes at least equal to the highest volume recorded in the last 252 business days, plus a safety margin, and with replication of the data from the main processing center; and
  • emergency procedures, effective in the event of simultaneous unavailability of the main and secondary processing centers.

PSTIs must also establish and maintain a fraud management policy to mitigate atypical situations that may compromise the regular operation of the SPB. Such policies shall cover, at a minimum:

  • establishment of a channel for reporting evidence of fraud;
  • establishment of fraud prevention mechanisms, including the release of data for the reconciliation of information, access to audit trails, and the definition of operational limits;
  • full-time, 24/7 monitoring for the timely identification, based on historical and behavioral patterns, of atypical or fraudulent transactions, evaluating deviations from expected parameters, including amounts transacted, volume of transactions, and number of transactions per unit of time;
  • assessment of atypical behavior in the stages prior to routing a transaction to the BCB;
  • definition of mechanisms for validating the integrity of transactions during the processing stages;
  • the existence of a mechanism to interrupt the entire inflow of transactions in the event of a serious suspicion of compromise; and
  • establishment of a channel that enables the timely communication of evidence of fraud to financial institutions and other institutions supervised by the BCB that may be affected by these events.
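As an added illustration (not part of the resolution or of Machado Meyer's text), the following Python sketch shows one way a PSTI could implement the monitoring and interruption mechanisms listed above: a per-institution baseline on amount, volume per window and count per window, an alert when a transaction deviates from that baseline, and a circuit breaker that halts the institution's inflow on gross deviation until an operator resets it. Every decision is appended to an audit trail. All names, thresholds, and the sample baseline windows are constructed assumptions, not values from the resolution.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW_SECONDS = 60      # unit of time for "transactions per unit of time" (assumed)
HISTORY_WINDOWS = 30     # completed windows kept as the behavioural baseline (assumed)
MIN_HISTORY = 5          # score nothing until this many windows exist (assumed)
Z_ALERT = 3.0            # deviation, in standard deviations, that raises an alert
Z_HALT = 6.0             # deviation treated as serious suspicion: halt the inflow


@dataclass
class Txn:
    ts: int            # unix seconds
    institution: str   # contracting institution the message belongs to
    amount: float
    txn_id: str


@dataclass
class WindowStats:
    count: int = 0
    volume: float = 0.0
    max_amount: float = 0.0


class FlowMonitor:
    """Scores each transaction against its institution's own history on amount,
    count per window and volume per window; trips a per-institution breaker."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=HISTORY_WINDOWS))
        self.current = {}      # institution -> [window_start, WindowStats]
        self.halted = set()    # institutions whose inflow is interrupted
        self.alerts = []       # (txn_id, dimension, z) for the fraud reporting channel
        self.audit_log = []    # append-only trail of every decision taken

    def seed_history(self, institution, windows):
        """Load previously completed windows (e.g. rebuilt from retained audit trails)."""
        self.history[institution].extend(windows)

    def _window(self, institution, ts):
        start = ts - ts % WINDOW_SECONDS
        cur = self.current.get(institution)
        if cur is None or cur[0] != start:
            if cur is not None:                     # close the previous window
                self.history[institution].append(cur[1])
            cur = self.current[institution] = [start, WindowStats()]
        return cur[1]

    @staticmethod
    def _zscore(value, samples):
        if len(samples) < MIN_HISTORY:
            return 0.0
        mu, sd = mean(samples), pstdev(samples)
        if sd == 0:
            return 0.0 if value <= mu else float("inf")
        return (value - mu) / sd

    def submit(self, txn):
        """Decide on one transaction: 'accepted', 'alert' or 'halted'."""
        inst = txn.institution
        if inst in self.halted:
            self.audit_log.append((txn.txn_id, "rejected", "inflow halted"))
            return "halted"
        stats = self._window(inst, txn.ts)
        count, volume = stats.count + 1, stats.volume + txn.amount
        hist = list(self.history[inst])
        scores = {
            "amount": self._zscore(txn.amount, [w.max_amount for w in hist]),
            "count_per_window": self._zscore(count, [w.count for w in hist]),
            "volume_per_window": self._zscore(volume, [w.volume for w in hist]),
        }
        dimension = max(scores, key=scores.get)
        z = scores[dimension]
        if z >= Z_HALT:
            # serious suspicion: trip the breaker and do not count the transaction
            self.halted.add(inst)
            self.audit_log.append((txn.txn_id, "halted", f"{dimension} z={z:.1f}"))
            return "halted"
        stats.count, stats.volume = count, volume
        stats.max_amount = max(stats.max_amount, txn.amount)
        if z >= Z_ALERT:
            self.alerts.append((txn.txn_id, dimension, round(z, 2)))
            self.audit_log.append((txn.txn_id, "alert", f"{dimension} z={z:.1f}"))
            return "alert"
        self.audit_log.append((txn.txn_id, "accepted", ""))
        return "accepted"

    def reset(self, institution):
        """Operator action after investigation: re-open the inflow."""
        self.halted.discard(institution)
        self.audit_log.append(("-", "reset", institution))


# Constructed baseline: ten completed one-minute windows (count, volume, max amount).
BASELINE = [WindowStats(c, v, m) for c, v, m in zip(
    [10, 12, 9, 11, 10, 12, 9, 11, 10, 8],
    [1000, 1200, 900, 1100, 1000, 1200, 900, 1100, 1000, 800],
    [150, 180, 140, 160, 150, 170, 140, 165, 155, 145])]


def demo():
    """Amount deviation: normal, unusually large (alert), gross (halt), reset."""
    mon = FlowMonitor()
    mon.seed_history("bank-a", BASELINE)
    t0 = 1_700_000_000
    results = [mon.submit(Txn(t0 + i, "bank-a", amt, f"n{i + 1}"))
               for i, amt in enumerate([160.0, 200.0, 5000.0, 20.0])]
    mon.reset("bank-a")
    results.append(mon.submit(Txn(t0 + 4, "bank-a", 20.0, "n5")))
    return results, mon


def rate_burst():
    """Count deviation: 18 small transactions in one window against the baseline."""
    mon = FlowMonitor()
    mon.seed_history("bank-b", BASELINE)
    return [mon.submit(Txn(1_700_000_000, "bank-b", 50.0, f"b{i}")) for i in range(18)]


if __name__ == "__main__":
    print(demo()[0])
    print(rate_burst())
```

In this sketch a transaction that trips the breaker is not counted into the window, so that after an operator reset the baseline is not poisoned by the suspected flow. The three dimensions are scored independently and the worst one decides; a production implementation would persist the audit trail and expose it to the contracting institutions, as the traceability requirements below demand.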

The governance policies established in BCB Resolution 498/25 must be approved by the board of directors or, if there is none, by the executive board provided for in the bylaws or articles of association.

These policies must be reviewed at least annually or whenever there is a material change in the structure or risk profile of the PSTI. The aim is to maintain information and cyber security policies based on principles and guidelines that seek to ensure the security of data, information, information systems and the other computing resources used, in accordance with internationally recognized standards.

BCB Resolution 498/25 establishes transaction traceability mechanisms, which must include, at least:

  • audit trails of the processing of data and information, including the definition and generation of logs that make it possible to identify processing failures or atypical behavior and to support analysis;
  • definition of information retention periods in accordance with the type of processing performed;
  • secure retention of audit trails; and
  • access to audit trails by the institutions that use the services provided by the PSTI, for reconciliation or risk management purposes.

The resolution also provides for the assessment and correction of vulnerabilities, requiring PSTIs to consider, at a minimum:

  • periodic tests and analyses to detect vulnerabilities in information systems;
  • periodic physical scans of the technological environment that make it possible to identify devices improperly connected to the corporate network that may establish connections with external technology assets;
  • periodic reviews of the technology environment aimed at identifying vulnerabilities that may compromise the security of the PSTI's technology assets; and
  • periodic penetration tests.

It is important to emphasize that the accreditation referred to in BCB Resolution 498/25 does not constitute authorization to operate the PSTI's business activity, nor does it change the PSTI's legal and contractual duties towards its customers and partners.

The resolution reflects the BCB's commitment to improving and streamlining the regulation of the financial sector, ensuring a safer and more efficient system for all users. The rule is effective immediately, and PSTIs have four months from its publication to adapt to it.

For more information on the subject, contact Machado Meyer's Technology, Data and Cyber team together with the Banking practice team.