Licentium

Licensing Hub

Brazil

Brazil licenses virtual asset service providers under Law 14,478/2022 and BCB Resolutions 519-521/2025, with the Banco Central do Brasil as supervisor.

Available licences

SPSAV: Intermediary Modality

BCB authorization as a sociedade prestadora de serviços de ativos virtuais in the intermediary modality, providing exchange between virtual assets and national or foreign currency, exchange between virtual assets, transfer and intermediation services in the name of third parties. Must be organized as a limited-liability company or corporation with main corporate object including virtual-asset services and at least three directors covering business conduct, AML/CFT/CPF, internal controls, compliance, risk, capital, disclosure and cyber security. Subject to client-asset segregation, proof-of-reserves, biennial independent audit, governance, AML/sanctions and FX-classification obligations.

SPSAV: Custodian Modality

BCB authorization as a custodian SPSAV providing custody or administration of virtual assets or instruments enabling control over virtual assets in the name of third parties. Must segregate own virtual assets from client virtual assets using separate wallets, maintain proof-of-reserves with biennial independent audit and public disclosure, define transfer scenarios and appoint a director responsible for patrimonial segregation. May keep own virtual assets in client wallets only for immediate liquidity, capped at 5% of total client virtual assets and clearly disclosed. Use of client assets for own operations is generally prohibited, with limited staking and qualified-investor exceptions.

SPSAV: Broker Modality

BCB authorization as a broker SPSAV undertaking brokerage and intermediation services for virtual-asset transactions in the name of third parties. An SPSAV may only conduct activities expressly permitted for its modality. Subject to the full SPSAV operating framework, including governance, AML/CFT/CPF policies, internal controls, risk management, business continuity, third-party management, cyber security, client disclosures and reporting.

Foreign-Exchange Classification (Resolução BCB 521/2025)

Several virtual-asset operations fall within the Brazilian foreign-exchange framework under Resolução BCB No. 521/2025, including international payments and transfers with virtual assets, transfers to or from self-custody wallets, and purchase, sale or exchange of fiat-referenced virtual assets. For SPSAVs, operations with cash currency are prohibited. International payment or transfer with virtual assets to a non-authorized foreign-exchange counterparty is limited to USD 100,000. Where a foreign VASP is involved, the Brazilian VASP must verify effective prudential or conduct supervision and document its risk assessment. Monthly reporting is required.

CVM Securities Regime for Tokenised Securities

Cryptoassets that qualify as securities remain under CVM jurisdiction under Law No. 6,385/1976. A cryptoasset may be a security where it digitally represents a traditional security, tokenised receivable certificate, collective investment contract, derivative or other capital-markets instrument. Tokenisation itself does not require prior CVM approval, but issuance, public offerings, organized markets, intermediation, bookkeeping, custody, deposit, registration, clearing and settlement services involving securities tokens remain subject to applicable CVM regulation.

DeCripto Tax Reporting (IN RFB 2,291/2025)

Receita Federal DeCripto reporting framework. Applies to cryptoasset service providers tax resident in Brazil, constituted or organized under Brazilian law, managed in Brazil, having a regular place of business in Brazil, or providing cryptoasset services in Brazil. Brazilian service nexus includes use of a Brazilian domain, local commercial arrangements, targeting Brazilian residents through local intermediaries or payment arrangements, or advertising clearly directed to Brazilian residents. Covered operations include purchases, sales, swaps, transfers, airdrops, staking, mining, loans, payments for goods and services, guarantees, self-custody transfers, involuntary loss and asset-referenced primary distribution.

Detailed overview

Brazil: Virtual Asset Service Provider Authorization and BCB Supervision

Regulator

The Banco Central do Brasil is the main federal regulator for virtual asset service providers in Brazil. The Comissão de Valores Mobiliários remains responsible for cryptoassets that qualify as securities or capital-markets instruments. The Receita Federal do Brasil administers separate cryptoasset tax-reporting obligations.

Brazil regulates virtual asset service providers under Law No. 14,478/2022, Decree No. 11,563/2023 and BCB regulations, especially Resoluções BCB Nos. 519, 520 and 521 of 2025.

Law No. 14,478/2022 establishes the federal virtual-asset framework. Decree No. 11,563/2023 assigns regulatory, authorization and supervisory competence to the Banco Central do Brasil. The BCB rules entered into force on 2 February 2026 and created the operational authorization framework for Brazilian virtual asset service providers.

Authorization requirement

A virtual asset service provider may function in Brazil only with prior authorization from the competent federal authority. The competent authority is the Banco Central do Brasil.

The authorization requirement applies to providers that perform covered virtual-asset services in Brazil. Under the BCB framework, functioning in Brazil is characterized by constitution in Brazil and by having headquarters and administration in Brazilian territory, under Brazilian law and Brazilian authorities.

Virtual assets and excluded assets

A virtual asset is a digital representation of value that can be traded or transferred electronically and used for payment or investment purposes.

The statutory definition excludes national and foreign currency, electronic money under Law No. 12,865/2013, loyalty, access or reward instruments, and representations of assets whose issuance, bookkeeping, trading or settlement is already provided for in law or regulation, including securities and financial assets.

The exclusion does not mean that the activity is unregulated. It means that another legal regime may apply. Tokenised securities, derivatives, receivables certificates, fund interests, electronic money and regulated financial assets require separate legal classification.

Licensable activities

A legal person is a virtual asset service provider where it performs, for third parties, at least one covered service. Covered services include exchange between virtual assets and national or foreign currency, exchange between one or more virtual assets, transfer of virtual assets, custody or administration of virtual assets or instruments enabling control over virtual assets, and participation in financial services or services related to an issuer’s offer or sale of virtual assets.

A centralised exchange, crypto broker, OTC desk, custodial wallet, hosted wallet, virtual-asset transfer service, custody provider, private-key control provider, brokerage platform or token-offer support provider is likely to fall within the VASP perimeter if it performs those services for third parties.

A pure software provider or non-custodial technology provider requires separate analysis. The decisive question is whether the provider actually performs exchange, transfer, custody, administration, intermediation or issuer-offer-related services, not how the provider describes itself.

SPSAV modalities

The BCB framework created the sociedade prestadora de serviços de ativos virtuais, or SPSAV. An SPSAV is a BCB-authorized institution that provides virtual-asset services in the name of third parties.

SPSAVs are classified into modalities, including intermediary, custodian and broker. An SPSAV may only conduct activities expressly permitted for its modality.

An SPSAV must be organized as a limited-liability company or corporation. Its corporate objects must include virtual-asset service provision as a main activity. It must have at least three directors or administrators responsible for business conduct, anti-money laundering, counter-terrorism financing, counter-proliferation financing, internal controls, compliance, risk management, capital management, disclosure and cyber security. It may not have a single natural person as its sole shareholder.

Local presence and transition

Existing VASPs active when Resolução BCB No. 520/2025 entered into force must apply for BCB authorization within 270 days from 2 February 2026. Timely applicants may continue operating while the authorization process is pending, subject to BCB restrictions. They may not assume a different modality while relying on the transition.

Providers that fail to file by the transition deadline must cease services within 30 days after the deadline.

Foreign entities active in the Brazilian virtual-asset market when the BCB rule entered into force must transfer their operations and clients to an authorized institution or to an SPSAV operating or formed for the transition within 270 days. The transfer must satisfy continuity, security, transparency, informed-consent, asset-segregation, governance, control and data-protection conditions.

Authorization process and timing

A BCB authorization application is substantive. The BCB assesses the economic and financial capacity of controllers, lawful source of capital, financial viability, IT infrastructure, governance, good reputation, management knowledge, technical capacity, minimum capital and net worth, physical headquarters and business plan.

The BCB may also review corporate changes, including change of modality, transfer of control, mergers, spin-offs, incorporations, transformations, administrator appointments, capital changes, corporate-name changes and corporate-object changes.

For active VASPs, the BCB authorization process is conducted in phases. The first phase verifies whether the entity was active at entry into force, whether it satisfies transition requirements, whether controllers and qualified holders meet reputation and eligibility standards, and whether minimum capital requirements are met. The second phase reviews the remaining authorization requirements.

The BCB’s official norm repository lists maximum decision periods of up to 1,080 days for authorization of active SPSAVs and 720 days for authorization of non-active SPSAVs. It also lists the active-company process in two phases of 360 days and 720 days. These figures should be verified against the certified official text before being used for implementation planning.

Governance and operating requirements

An SPSAV must maintain policies and procedures covering business conduct, operation records and monitoring, fraud and crime prevention, risk management, business continuity, third-party management, private keys and other control instruments, anti-money laundering, counter-terrorism financing, counter-proliferation financing, institutional security, cyber security, cloud services, data management and data protection.

The business must also maintain internal risk assessments, regular training, client education, emergency contacts, and information-sharing procedures for suspicious activity and restrictive lists.

Customer-facing disclosures must be clear and available before contracting. An SPSAV must disclose its authorization status or authorization-in-analysis status, licences, policies, terms, entities involved in the business, conflicts of interest, coverage, funds or insurance, custody arrangements, storage processes, control mechanisms and self-custody risks.

Custody, segregation and client asset protection

The BCB framework contains detailed client-asset protection rules.

An SPSAV must segregate its own financial resources from client and user financial resources through individualized payment or deposit accounts in the names of clients and users. It must also segregate its own virtual assets from client and user virtual assets.

The SPSAV must maintain separate wallets, proof-of-reserves methods, a biennial independent audit with reasonable assurance and public disclosure of the audit report. It must also define transfer scenarios and designate a director or administrator responsible for patrimonial segregation.

An SPSAV may keep its own virtual assets in client wallets only for immediate liquidity. That amount is capped at 5% of the total client and user virtual assets and must be clearly identified and contractually disclosed.

An SPSAV generally may not use client, user or counterparty assets for its own operations. Limited exceptions apply, including staking under the BCB rule and certain operations with assets of qualified or professional investors where there is express consent and clear risk disclosure.

Custody contracts must address wallet types, risks and mitigation, control methods, communication channels, authentication, client instructions, third-party and foreign service providers, tariffs, applicable laws, controls, audits, staking responsibilities and custody-transfer arrangements.

AML, sanctions and monitoring

Brazil’s VASP framework integrates anti-money laundering, counter-terrorism financing, counter-proliferation financing, sanctions and financial-crime controls.

Law No. 14,478/2022 amended Brazil’s AML law to include VASPs among obliged persons. BCB rules require policies and procedures for AML, counter-terrorism financing, counter-proliferation financing, fraud and crime prevention, operation monitoring, restrictive-list controls and suspicious-activity handling.

The BCB framework also contains phased implementation for virtual-asset market information monitoring. Authorized VASPs must have mandatory monitoring in place from 2 February 2028, with transitional arrangements before that date.

Mechanisms that hinder detection, investigation or prosecution of crimes or irregular conduct are prohibited. The BCB rule expressly identifies mixers, tumblers and robots used to obscure authors or beneficiaries as examples of prohibited mechanisms.

FX, stablecoins and cross-border transfers

Virtual-asset activity can fall within Brazilian foreign-exchange and international-capital regulation.

Resolução BCB No. 521/2025 brings several virtual-asset operations into the foreign-exchange framework. These include international payments and transfers with virtual assets, virtual-asset transfers to or from clients of VASPs for international card or electronic-payment obligations, transfers to or from self-custody wallets, and purchase, sale or exchange of fiat-referenced virtual assets.

For SPSAVs, operations involving cash currency are prohibited. International payment or transfer with virtual assets where the counterparty is not an authorized foreign-exchange institution is limited to USD 100,000. Other authorized financial-market participants may have different limits depending on their regulatory category.

Where a foreign VASP is involved, the Brazilian VASP must verify that the foreign entity is subject to effective prudential and conduct supervision or consolidated group supervision. If the foreign jurisdiction does not have such requirements, the Brazilian VASP must document its risk assessment.

Monthly reporting is required for covered operations. Reported information includes customer identification, asset denomination, quantity, value in Brazilian reais, foreign payer or recipient name and country, and self-custody wallet owner and origin or destination information.

Securities tokens and CVM treatment

Cryptoassets that qualify as securities remain under CVM jurisdiction. The BCB virtual-asset framework does not apply to assets representing securities subject to Law No. 6,385/1976 and does not alter CVM competence.

CVM recognizes that cryptoassets may function as payment tokens, utility tokens or asset-backed tokens. The label is not decisive. A cryptoasset may be a security if it digitally represents a traditional security, a tokenised receivable certificate, a collective investment contract, a derivative or another capital-markets instrument.

Tokenisation itself is not subject to prior CVM approval or registration. However, securities issuers, public offerings, organized markets, intermediation, bookkeeping, custody, deposit, registration, clearing and settlement services involving securities tokens remain subject to applicable CVM regulation.

A platform dealing in tokenised shares, debentures, receivables certificates, fund interests, derivatives, collective investment contracts or income-sharing instruments should complete a CVM analysis in addition to the BCB VASP analysis.

Tax reporting

Brazilian cryptoasset tax reporting is separate from BCB authorization.

IN RFB No. 2,291/2025 created the DeCripto reporting framework. It applies to cryptoasset service providers that are tax resident in Brazil, constituted or organized under Brazilian law, managed in Brazil, have a regular place of business in Brazil, or provide cryptoasset services in Brazil.

A service may be treated as provided in Brazil where the provider uses a Brazilian domain, has local commercial arrangements, targets Brazilian residents through local intermediaries or Brazilian payment arrangements, or directs advertising clearly to Brazilian residents.

DeCripto covers operations such as purchases, sales, swaps, transfers, airdrops, staking income, mining income, loans, goods and services, guarantees, transfers to a provider or self-custody, involuntary loss, primary distribution of asset-referenced declarable cryptoassets and redemption of underlying assets.

The DeCripto framework entered into force with staged effects in 2026. Earlier reporting obligations under IN RFB No. 1,888/2019 remain relevant during the transition until the applicable revocation effects under IN RFB No. 2,291/2025 apply.

Consumer protection

The Brazilian Consumer Defense Code applies, where applicable, to relationships between final users of virtual assets and virtual asset service providers.

Retail-facing exchanges, brokers, custodians, payment services and wallet providers should address consumer disclosures, complaint handling, transparency, unfair terms, marketing, information duties and liability risk.

Regulatory outlook

Brazil has moved from a framework statute to an implemented BCB authorization and operating regime. The key regulatory dates are 2 February 2026, when the BCB’s core VASP rules entered into force; the 270-day transition deadline for existing active providers; and the later phased dates for monitoring and tax-reporting implementation.

New entrants should treat Brazil as an authorization jurisdiction, not a mere notification or AML-registration jurisdiction. Existing active providers should focus on transition filing, local-entity structure, client-transfer arrangements, custody segregation, proof-of-reserves, AML and sanctions controls, foreign-exchange classification and CVM classification for securities tokens.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started