TL;DR: Brazil’s Banco Central do Brasil has published resolutions that bring custodians, exchanges, intermediaries, and cross-border stablecoin activity into a formal authorisation and supervision framework, with capital thresholds, AML obligations, cybersecurity safeguards, and a February 2026 deadline, according to Chainalysis. The practical shift is that crypto firms now have to operate like regulated financial institutions, not adjacent technology businesses.
At a glance
What this is: Brazil has moved crypto activity into a formal regulatory and supervision framework, with new authorisation, AML, cybersecurity, and cross-border transfer requirements.
Why it matters: For compliance, IAM, and security teams, the key issue is that regulated crypto operations now need auditable controls across identity, transaction monitoring, access, resilience, and third-party governance.
By the numbers:
- In 2024, Brazil received an estimated $318.8 billion in crypto value, nearly one-third of LATAM, with a 109.9% period-over-period growth rate.
- In 2024, $2.2 billion was stolen from cryptocurrency services.
- In the first six months of 2025, the $1.5 billion hack of centralized exchange ByBit marked the largest hack in crypto history.
👉 Read Chainalysis’ analysis of Brazil’s new crypto regulation and compliance requirements
Context
Brazil’s new crypto framework is fundamentally a governance story, not just a market update. It brings virtual asset activity into the same supervisory mindset that already applies to traditional finance, which means firms now need to treat authorisation, controls, monitoring, and resilience as part of the operating model rather than optional add-ons.
That matters because regulated crypto environments depend on identity decisions as much as transaction rules. Once custodians, exchanges, intermediaries, and overseas firms are forced into a supervised model, the control surface expands to include client identification, access control, records, incident response, and third-party oversight.
Key questions
Q: How should firms align crypto onboarding with transaction monitoring under new regulation?
A: They should treat onboarding as the first control point, not the only one. Identity verification, risk scoring, sanctions screening, and transaction telemetry must feed the same workflow so suspicious behaviour can be re-evaluated as funds move. In regulated crypto markets, static KYC alone cannot support Travel Rule, reporting, or cross-border supervision requirements.
Q: Why do stablecoins create more compliance complexity than traditional transfers?
A: Stablecoins combine real-time settlement with cross-border reach, so compliance must keep pace with the transfer itself. Differing thresholds, reporting rules, and supervisory expectations make manual processes brittle, and that fragility grows as transaction volume and jurisdiction count increase.
Q: What control failures matter most in regulated crypto operations?
A: The most common failure is fragmentation between compliance, security, and operations. If identity checks, access control, asset segregation, audit trails, and incident response are managed separately, firms cannot prove who authorised what or whether customer assets were protected. Regulators will treat that as a governance failure, not a tooling gap.
Q: Who is accountable when a crypto firm’s controls fail under supervision?
A: Accountability sits with the licensed entity and its designated control owners, not with the regulator or the technology stack. Firms need named responsibility for each activity, documented policies, and clear escalation paths for incidents, audits, and third-party dependencies. That is what turns supervision into an enforceable operating model.
Technical breakdown
Authorization pathways and supervised operating models
The resolutions create an authorisation regime for Sociedades Prestadoras de Serviços de Ativos Virtuais, or SPSAVs, covering both new entrants and incumbents. That matters because regulatory permission is now tied to operating structure, local presence, and ongoing supervision, not just to offering a service. Overseas firms must either establish a local entity or partner with a licensed one, which changes governance, legal accountability, and operational control. This is a classic shift from informal market participation to supervised financial intermediation.
Practical implication: Practitioners should map every crypto service line to its authorisation status, legal entity, and supervisory owner before the deadline.
Identity controls, monitoring, and Travel Rule obligations
Brazil’s framework places client identification, transaction monitoring, and reporting squarely inside compliance expectations for virtual asset transfers, including stablecoin activity treated as FX transactions. In practice, that means firms need reliable identity workflows, sanctions and risk screening, and monitoring that can distinguish legitimate cross-border activity from suspicious movement patterns. For IAM and fraud teams, this is where digital identity, account control, and transaction telemetry begin to converge. Traditional onboarding alone is not enough when movement risk changes transaction by transaction.
Practical implication: Firms should align onboarding, transaction monitoring, and account review processes so identity decisions can support Travel Rule and reporting workflows.
Cybersecurity safeguards for regulated crypto operations
The framework also requires documented cybersecurity measures, continuity planning, incident response, and protection of sensitive information. It additionally calls for risk assessment and ongoing monitoring of smart contracts when they are used in service delivery. That is important because smart contracts can create operational exposure even when the business logic is sound, especially if controls for vulnerability review, change governance, or runtime monitoring are weak. The regulatory message is clear: resilience and access governance are now part of the compliance baseline, not separate technical concerns.
Practical implication: Security teams should tie smart contract review, incident response, and access control evidence into the same compliance control set.
Threat narrative
Attacker objective: The objective is to move or steal crypto value while avoiding detection and exploiting gaps between financial compliance and technical control coverage.
- Entry occurs through weak oversight of crypto service operations, exposed transaction pathways, or vulnerable smart contract dependencies in a regulated transfer environment.
- Escalation follows when attackers abuse gaps in identity verification, monitoring, or third-party controls to move value or mask suspicious activity.
- Impact is realised through fraud, illicit transfer, service disruption, or theft at scale across regulated crypto workflows.
NHI Mgmt Group analysis
Regulated crypto is becoming an identity and controls problem, not just a payments problem. Brazil’s framework makes client identification, monitoring, and recordkeeping part of the operating baseline for virtual assets. That pulls identity governance, transaction surveillance, and compliance evidence into one operating model. For practitioners, the operational lesson is that crypto services now need the same discipline applied to access, assurance, and auditability as other financial systems.
Crypto supervision now depends on control evidence that can survive audit. The rules require clear disclosure, segregation of client assets, independent audits, governance policies, and documented security measures. That combination raises the cost of weak process design because gaps will not stay hidden behind product narratives or platform abstractions. Practitioners should assume that missing evidence is now a control failure, not an administrative inconvenience.
Cross-border virtual asset activity is being reclassified as a governance-heavy risk surface. Treating stablecoin transfers as FX transactions changes how institutions must think about identity assurance, monitoring thresholds, and accountability across entities and jurisdictions. This is the point where digital identity, AML controls, and operational resilience stop being adjacent functions and become one control chain. For practitioners, the question is whether current governance can prove who acted, what moved, and under which authority.
Smart contract risk now sits inside financial supervision expectations. Brazil’s requirement to assess, test, and monitor smart contracts signals that code-level dependencies are no longer outside the compliance boundary. That matters because technical weaknesses can become regulatory failures when they affect customer assets or service continuity. Practitioners should treat contract assurance as a governed control domain, not a developer-only concern.
Brazil is setting a regional template for crypto governance convergence. By aligning crypto activity with existing financial-sector regulation, the framework points toward a broader LATAM pattern in which firms will need stronger controls before they can scale. That will likely favour institutions able to prove identity, monitoring, and resilience maturity. For practitioners, the market signal is clear: governance capability is becoming a competitive prerequisite.
What this signals
Cross-border crypto supervision is pushing identity teams toward evidence-first governance. Brazil’s model shows how quickly transactional controls, account assurance, and auditability can become one control chain once regulators treat digital assets as part of finance. For practitioners, the immediate signal is to tighten evidence collection around identity decisions, access approvals, and monitored transfer activity before audit expectations harden.
Fragmentation will be the main implementation risk for firms operating across jurisdictions. When authorisation, compliance, security, and third-party oversight sit in separate systems, proving control effectiveness becomes slow and unreliable. The operational test is whether teams can produce one traceable record from customer identity to transaction review to incident response without manual stitching.
Brazil’s approach also reinforces the case for lifecycle thinking in access governance. Firms need not just onboarding and monitoring, but entitlement review, third-party offboarding, and documented control ownership across the service chain. That is where identity governance stops being a compliance formality and becomes a resilience capability.
For practitioners
- Map SPSAV authorisation requirements Build a control inventory that maps every crypto activity to the SPSAV authorisation pathway, supervising authority, and local operating structure before February 2026.
- Align client identity and transaction monitoring Connect onboarding, Travel Rule screening, and transaction monitoring so high-risk transfers can be traced back to a verified customer identity and documented decision path.
- Document cybersecurity and continuity evidence Create auditable records for incident response, continuity, access control, and sensitive-data protection so operational security can be demonstrated during supervision.
- Assess smart contract dependencies Require formal testing, change review, and ongoing monitoring for any smart contract used in service delivery, with escalation criteria for anomalies and vulnerabilities.
Key takeaways
- Brazil has turned crypto participation into a supervised financial-control problem, with identity, monitoring, and resilience now part of the baseline.
- The scale of Brazil’s market and the sector’s theft exposure make the new rules operationally consequential, not merely legal.
- Firms that cannot evidence authorisation, transaction control, and smart contract oversight will struggle to operate at regulated scale.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control and identity assurance underpin regulated crypto operations. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management is central to SPSAV governance and auditability. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is directly relevant to regulated financial and crypto environments. |
Map onboarding, access review, and transaction approval controls to PR.AC-4 and document evidence trails.
Key terms
- SPSAV: A Sociedades Prestadoras de Serviços de Ativos Virtuais is the regulated entity type created for firms that provide virtual asset services in Brazil. The designation matters because it links crypto activity to a supervised legal structure, local accountability, and specific operating obligations.
- Travel Rule: A Travel Rule is a regulated requirement for financial platforms to exchange originator and beneficiary information during qualifying transfers. In crypto, it turns transfer handling into an identity and compliance workflow, where the platform must know which counterparties can receive data and how that exchange is recorded.
- Client asset segregation: Client asset segregation means customer assets are kept separate from the firm’s own holdings and cannot be reused for the firm’s purposes. In regulated crypto markets, it is a core protection for customer funds and a key audit point for proving responsible custody.
- Smart contract monitoring: Smart contract monitoring is the ongoing review of contract activity, behaviour, and risk signals after deployment. In practice it combines code assurance, runtime observation, and incident response so vulnerabilities or abuse patterns can be detected before they become customer losses.
What's in the full article
Chainalysis's full analysis covers the operational detail this post intentionally leaves for the source:
- Detailed resolution breakdown for SPSAV authorisation, supervision, and cross-border operating requirements
- Specific AML, reporting, and Travel Rule obligations for virtual asset and stablecoin transactions
- Capital threshold treatment by activity type and the practical implications for market entry
- Chainalysis commentary on how banks, custodians, and issuers may adjust their operating models
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and identity lifecycle control. It is designed for practitioners who need to connect access evidence, operational accountability, and governance in real programmes.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org