By Luciano Fantin
In Brazil, so far, we can identify the following categories of fintechs: payment, financial management, loan, investment, financing, insurance, debt negotiation, cryptoactives and Distributed Ledger Technologies (DLTs), FX, and multiservices.
The regulated fintechs, in the strict sense, are financial institutions authorized by the Central Bank of Brazil (BCB), which must comply with National Monetary Council (CMN) Resolution 4,656/18, with amendments brought by CMN Res. 4,792/20. The two modalities foreseen are the Direct Credit Society (DCS) and the Personal Loan Society (SEP).
The market also refers to Payment Institutions (PIs), as fintechs, in a broad sense, although they are not financial institutions. PIs were regulated, in the National Financial System, from the enactment of Law 12,865/13, and one of the main regulations is Resolution BCB 80/21, which, among other things, regulates the constitution and operation of PIs.
But what is common between these legal vehicles, financial institutions, on the one hand, and payment service providers, on the other?
Their common link is the regulation provided for by the CMN and BCB, with regard to prudential rules, risk management and internal controls. Despite being essential for good business management, the aforementioned regulations bring with them a relevant compliance cost. There are many Resolutions, Circulars, Circular Letters, which deal with the entire environment of controls, risk management, governance, compliance, AML, accounting, financial and procedural aspects, among many others.
In this brief article, I would like to focus on three fundamental pillars, and common to fintechs, that have great attention from the regulator. If they are well balanced in your fintech, you can rest assured, not only about regulatory compliance, but also about the prudent management of your business.
The fintechs have their origin in products based on Information Technology. Technology as an essential business lever is in the DNA of these companies. It is a great virtue of this industry, but it may also be its greatest risk.
The informality that enables the accelerated launch of products may have left behind controls and information security aspects that lead to operational and reputational risks (see recent cases of hacker invasion, information leakage and discontinuation of services in the cloud) .
The CMN and the BCB, aware of this situation, determine rules that address the cyber security policy, action plan and incident response, contracting data processing and storage and cloud computing services. These are CMN Resolution 4,893/21 (financial institutions) and BCB Resolution 85/21 (PIs).
The question is not whether or not to meet the totality of these standards: they are standards, and they have to be met. The secret lies in making the correct decision for the moment that fintech is experiencing, its complexity, its business model, choosing solutions that meet the standard without making the business unfeasible.
Such solutions arise especially from professionals with experience in the subject, who have the baggage to look at the challenge in a more comprehensive than localized way.
Money laundering prevention
There was, recently, a major advance in the regulation of the prevention of money laundering and terrorist financing, arising from Circular 3978/20, which revoked Circular 3461/09.
These aforementioned regulations regulate Law 9,613/98 in the National Financial System and bring a great step forward for Brazil’s alignment with international practices, with a view to its entry into the OECD (Organization for Economic Cooperation and Development).
The challenge, however, is that they are complex requirements, involving registration, registration and monitoring of transactions, reports to COAF (Council for Financial Activities Control), risk-based approach, from customers, employees, partners, monitoring and control mechanisms, etc. This is not a checklist, “to comply with the table”, but an entire internal governance focused on a very serious and sensitive issue, which in Brazil, in recent years, has brought criminal liability not only to the perpetrators involved, but also to the institutions financial and other authorized that ended up serving as a means (often naively) for such crimes.
There is no lack of examples of statutory executives punished with imprisonment, fines and disqualifications. It is always good to remember that, even in a PI, as a “non-financial” institution, executives also respond personally to the BCB.
The fintechs are subject to compliance with CMN Resolution 4.557/17 (financial institutions) and Circular 3681/13 (PIs), which bring a number of requirements relating to risk management and capital.
Many of them, small and medium, will have to do their utmost to provide this service, appointing persons responsible (with statutory binding), who will legally be responsible for this management. There will also be impacts on the cost base, since it involves the implementation of processes, controls, systems and governance, which are often non-existent.
What we can conclude is that, even if aligned with the risk profile and the size of the business, the necessary environment for regulatory compliance purposes has an important weight in the structures of fintechs. Because of this, it is vital that the design and implementation are tailored, case-by-case, so that they are neither excessive, compromising profitability, nor lenient, bringing risks to the good management of the business, and regulatory sanctions, to fintechs and their executives.