Aug 11, 2022
5 min read

How to Comply with AML in Brazil—the Biggest StartUp Hub in Latin America

A complete and fully updated guide on AML regulations in Brazil prepared by Sumsub.

As one of South America’s and most technologically developed countries, Brazil has recently become a hotspot for international startups. Yet, it’s important to learn about all the specifics of the country’s AML regulations before launching there.

Brazil has been continuously working to minimize money laundering and comply with international standards set by the Financial Action Task Force (FATF). To achieve these goals, the government of Brazil has strengthened its Anti-Money Laundering (AML) regulations. 

In 2019, the FATF expressed overall satisfaction with Brazil’s AML performance. Just several years earlier, in 2016, FATF was highly concerned about the level of money laundering activities in the country, considering it a membership issue. 

According to the Basel AML index, Brazil received a risk score of 4.98, where 10 is the worst AML performance and 0 is the best. This is an improvement from 2020, when the country scored 5.02. That being said, Brazil’s performance has fluctuated over the past several years, scoring 6.2 in 2017 and 4.96 in 2018. 

Since Brazil is continuously developing its AML regulations, it’s important that companies operating in the country stay up to date with new rules. That’s why Sumsub prepared this guide to complying with Brazil’s AML framework. We will be updating the guide as new regulations are introduced.

Who is affected?

AML regulations affect companies licensed by the Central Bank of Brazil. According to Law 9,613/98, companies must follow AML rules if they are engaged with:

  • the reception, brokerage, and investment of third parties’ funds in Brazilian or foreign currency;
  • the purchase and sale of foreign currency or gold as a financial asset;
  • the custody, issuance, distribution, clearing, negotiation, brokerage, or securities management.

In addition, Law 9,613/98 provides a list of companies and individuals falling under these obligations, which include, but are not limited to:

  • exchanges;
  • companies dealing with insurance;
  •  payment or credit card administrators;
  • consumer funds; 
  • property distributors; 
  • companies engaging in leasing and factoring activities.

The complete list of entities can be found here under Article 9.

What are the main regulations? 

There are three main laws encompassing Brazil’s AML framework.

Brazilian Central Bank Circular 3,798/20

Circular 3,798/20 was adopted in 2020 after the FATF’s evaluation of the country. While FATF saw an improvement in Brazil’s AML activities, the country still had room to develop compared to some other Latin American countries, such as Mexico. 

The Circular states that financial institutions need to implement and maintain policies that prevent their use for money laundering and terrorist financing. This includes guidelines on identification and verification of customers and implementing a risk-based approach—meaning that financial institutions have to conduct checks according to the particular risks posed by their customers, transactions, operations, products, and services. Accordingly, the Circular states that companies need to implement proper internal risk evaluations of customers and operations. 

The Circular also states that all transactions should be registered by the financial institution processing them. This should allow the overseeing institution to identify the involved parties, the origin and recipient and, when applicable, the receipt and transfer of funds. 

Law 9,613/98

Law 9,613/98 was enacted in 1998. The Law stated that entities have to comply with AML regulations and the measures they should take to do so. The Law also explains how to administer identification, reporting and record-keeping processes. It also established the Council for Financial Activities Control (COAF) to monitor the activities of regulated entities.

Law 12,683/12

Law 12,683/12 was established in 2012 in response to the earlier FATF recommendations. Law 12,683/12 amended Law 9,613/98, tightening penalties for money laundering activities. It also widened the scope of money laundering activities by revoking the specific list of criminal activities that fall into the category of money laundering. 

Who’s the regulator?

The Central Bank of Brazil is the country’s principal monetary authority. The role of the Central Bank is to ensure that national financial institutions comply with the AML framework.

The Council for Financial Activities Control (originally Conselho de Controle de Atividades Financeiras), also known as the COAF, is the Financial Intelligence Unit operating in Brazil. Since 2020, the COAF operates under the Central Bank of Brazil. However, it acts independently from the Central Bank and is only administratively linked to it. 

The COAF collects and analyzes transactions considered to be related to money laundering activities. COAF can also impose administrative fines on companies and help other organizations fight money laundering activities. Notably, COAF establishes guidelines for the financial institutions to fight money laundering activities. 

How to stay compliant

To stay compliant, companies working in Brazil must follow a series of procedures.


When a regulated entity gets established in Brazil, it should register at the respective local authority and/or the COAF. 

Internal controls

Financial institutions have to follow the regulations of the Central Bank of Brazil. Therefore, they must create internal policies and procedures to effectively avoid or manage the risks of money laundering. These internal documents need to be compatible with the risk profiles of:

  • the customers;
  • the financial institution;
  • financial activities;
  • employees, partners, and outsourced companies.

Customer Due Diligence

Financial institutions must implement various Customer Due Diligence (CDD) procedures to comply with Brazil’s regulatory requirements. Thus, entities must have internal controls to complete CDD at the onboarding stage. They should repeat the CDD procedure after a certain period of time, depending on the level of risk of the client, to keep information about the client up-to-date and keep tabs on the risks posed by them.

Financial companies must identify and verify information about their customers. Therefore, they need to collect the following information during the onboarding process from natural persons:

  • name;
  • residential address;
  • registration number from the Register of Individuals (CPF).

For legal entities, the following list is required:

  • company name;
  • head office address;
  • registration number in the National Register of Legal Entities (CNPJ).

Financial institutions need to verify and validate the provided documents by comparing the information with one from available databases. Collected information should be kept up to date.

Financial institutions must also check whether their customers are featured within any sanction lists (OFAC, UN, HMT, EU, DFT, to name a few), PEP lists, adverse media, among others.


If a regulated entity detects suspicious activity from a customer, it must submit a confidential report to the COAF within 24 hours of detection. The report can be digitally made on the COAF official website

Companies can use transaction monitoring and fraud detection systems to detect and report suspicious activities. Unusual behavior from a customer can be a sign of illegal activities, money laundering or terrorism financing. Atypical behavior can include unusually large transactions, transactions with atypical patterns, transactions with no apparent legal or economic purpose, and refusal from the customer to provide personal information.

According to the Normative Resolution 4844, the criteria for reporting vary depending on transaction type. Thus, cash transactions that are equal to or exceed BRL 50,000 (approximately $9,500) should be reported. Meanwhile, the amount of money transferred to non-Brazilian accounts gets reported only if it equals or exceeds BRL 100,000 (roughly $18,800). 

Get in touch with us today to simplify AML/KYC processes in Brazil.

Fines and penalties

Failure to comply with regulations or report suspicious activities can lead to administrative and criminal penalties. Administrative penalties can be as harmless as warnings when regulated entities don’t implement certain AML procedures. A temporary suspension can be implemented if a warned entity does not implement the missing procedure by a given deadline. The final step would be the cancellation of authorization to operate in Brazil. 

Individuals employed by regulated entities are also subjected to penalties for not complying with AML regulations. Thus, managers can be suspended from performing activities within the sector for up to 10 years. 

Administrative penalties vary in terms of monetary fines. Thus, an entity can be fined:

  • at twice the value of the transaction;
  • at twice the actual profit obtained or that presumably would be obtained by the realization of the operation; or
  • the value of BRL 20,000,000.00 (approximately $3,761,000).

How to onboard users in Brazil

Companies working with customers in Brazil, India, Nigeria, and Indonesia can now onboard more than 2 billion users without requesting any documents. All customers need to do is provide their ID number and pass a quick liveness check. After that, Sumsub automatically cross-checks all the data with government databases to onboard the customer.


Brazil is constantly improving its regulations to satisfy international requirements and become safer for businesses, cementing its position as a significant player in the global market. 

As demonstrated by the 2012 and 2020 amendments, Brazil is now implementing FATF recommendations. Therefore, businesses working in the country or planning to launch there must stay up to date.

Let Sumsub help your company comply with AML/KYC regulations in Brazil. Get in touch with us today.

AMLBrazilFATFFinancial InstitutionsKYCPenaltiesReportingRisk-Based Approach