Subscribe to the Non-Human & AI Identity Journal

SPSAV

A Sociedades Prestadoras de Serviços de Ativos Virtuais is the regulated entity type created for firms that provide virtual asset services in Brazil. The designation matters because it links crypto activity to a supervised legal structure, local accountability, and specific operating obligations.

Expanded Definition

SPSAV refers to the regulated entity category used in Brazil for firms that provide virtual asset services under a supervised legal structure. In practice, the designation helps distinguish an operating company from a loosely defined crypto business, because it ties activity to accountability, compliance duties, and jurisdiction-specific oversight. For glossary purposes, the key point is not the technology itself but the legal wrapper around the service provider.

Definitions vary across jurisdictions, and the term should be read as a regulatory status rather than a product label. A firm may exchange, custody, transfer, or intermediate virtual assets, but it is SPSAV status that signals the entity is expected to meet local governance, conduct, and control obligations. That makes the term relevant to identity and access governance, recordkeeping, and operational resilience, especially where customer funds or privileged systems are involved. The broader control logic aligns well with the NIST Cybersecurity Framework 2.0, which emphasises governance, risk management, and protective practices across digital operations.

The most common misapplication is treating SPSAV as a generic synonym for any crypto company, which occurs when analysts ignore whether the entity is actually licensed, supervised, and bound by Brazil-specific obligations.

Examples and Use Cases

Implementing SPSAV status rigorously often introduces licensing and compliance overhead, requiring organisations to weigh market access against the cost of supervision, controls, and ongoing reporting.

  • A Brazilian virtual asset exchange operates under SPSAV obligations and maps customer onboarding, transaction monitoring, and incident response to its regulated role.
  • A custody provider separates client asset administration from internal treasury functions so that privileged access, approvals, and audit trails align with supervised operations.
  • A cross-border firm entering Brazil reviews whether its local service model triggers SPSAV requirements before launching exchange, transfer, or brokerage services.
  • A compliance team uses the entity designation to determine which contracts, disclosures, and internal controls must be adapted for Brazilian regulatory scrutiny.
  • An incident response team treats privileged wallet access and key management as regulated operational dependencies, not just technical concerns, when the business is structured as an SPSAV.

For organisations building controls around virtual asset services, the terminology should be anchored to formal governance models such as NIST Cybersecurity Framework 2.0 and, where identity assurance is involved, the principles in NIST SP 800-63 Digital Identity Guidelines.

Why It Matters for Security Teams

SPSAV matters because the legal status of the service provider changes how security responsibilities are assigned, evidenced, and audited. Once a virtual asset firm is treated as a regulated entity, identity assurance, privileged access, segregation of duties, logging, and incident handling stop being optional good practice and become part of a defensible operating model. That is especially important where administrators can move assets, approve withdrawals, or alter custody workflows, because identity failures can become financial failures very quickly.

For security teams, the practical challenge is translating regulatory status into controls that can survive examination. That means knowing who can approve what, which secrets protect wallets and APIs, how access is revoked, and how evidence is retained for investigations or reporting. The same governance logic appears in the NIST Cybersecurity Framework 2.0 and the identity assurance concepts in NIST SP 800-63 Digital Identity Guidelines. Organisations typically encounter the full weight of SPSAV obligations only after a regulatory inquiry, exchange incident, or custody dispute, at which point the designation becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while DORA, NIS2 and PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-01 Defines organisational context and regulatory environment for supervised entities.
NIST SP 800-63 AAL2 Supports identity assurance where regulated service access depends on strong authentication.
DORA Relevant where operational resilience and ICT risk controls support regulated financial activity.
NIS2 Covers risk management and incident reporting obligations for essential digital services.
PCI DSS v4.0 7.2 Access restriction and role-based control logic are useful analogues for regulated operations.

Align incident handling, resilience, and third-party oversight to supervised operating duties.