Brazil's virtual asset regulatory framework is administered by the Banco Central do Brasil (BCB) under Law 14.478/2022 (the Brazilian Virtual Assets Act) and complemented by Normativa BCB 6/2023, which established the formal registration requirements for Virtual Asset Service Providers (VASPs). The national register of authorised VASPs is called the CNAD (Cadastro Nacional de Prestadores de Serviços de Ativos Virtuais). Registration became mandatory for firms operating in Brazil from mid-2023, with the BCB assuming primary supervisory authority over most VASP activities. Any firm providing virtual asset exchange, transfer, custody, or administration services to Brazilian clients or incorporated in Brazil must hold BCB registration before operating. Operating without registration exposes firms to administrative sanctions, fines, and reputational consequences that institutional partners take seriously.
This guide covers every material element of obtaining and maintaining a Brazil crypto licence: who is caught by the requirement, the corporate and capital thresholds, the AML/CFT programme the BCB expects, the cybersecurity obligations under BCB Resolution 85/2021, the step-by-step application process, and the ongoing compliance programme that sustains registration. It also addresses the common confusion between "CNAD" and "DASP" and positions Brazil's framework relative to other LATAM jurisdictions.
Brazil's Crypto Regulatory Framework
Law 14.478/2022, signed into law in December 2022, is the legal foundation for virtual asset regulation in Brazil. It defines virtual assets, establishes the BCB as the primary regulatory authority for VASP licensing and supervision, and sets out the broad obligations that regulated entities must meet. The law drew extensively on FATF Recommendation 15 and the EU's approach to crypto asset regulation, creating a framework that institutional market participants recognise as substantive rather than symbolic.
The BCB's implementing regulation, Normativa BCB 6/2023, operationalised the registration requirement. It specified the categories of service that require registration, the minimum information to be submitted, the ongoing reporting obligations, and the BCB's examination and enforcement powers. The Normativa also addressed the transition period for firms already operating in Brazil before the framework came into force.
There is a deliberate jurisdictional split in Brazil's framework that firms must understand before structuring their operations. The BCB regulates VASPs that provide exchange, transfer, custody, and related services involving virtual assets as instruments of payment or investment. The Comissão de Valores Mobiliários (CVM), Brazil's securities regulator, retains jurisdiction over crypto assets that qualify as securities under Brazilian law. If a token exhibits characteristics of a collective investment scheme, a debt instrument, or an equity security, CVM registration or exemption requirements apply. Firms issuing tokens or operating platforms where security-like tokens trade must conduct a careful legal analysis of which regulator governs each product. Many firms fall under both regulators for different parts of their business.
The BCB has made clear that it views the Brazilian market as significant enough to warrant active supervision. Brazil has one of the largest crypto user bases in the world by transaction volume, and the BCB has invested substantially in building supervisory capacity. Firms that treat BCB registration as a formality rather than a genuine operational obligation misjudge the supervisory environment.
Who Must Register with the BCB
The registration obligation is broad. Any entity providing any of the following services to Brazilian residents or clients, or incorporated in Brazil, must hold BCB registration:
- Virtual asset exchange services, including fiat-to-crypto and crypto-to-crypto conversion
- Virtual asset transfer services, including payment processing that routes through virtual assets
- Virtual asset custody services, including the safekeeping of private keys on behalf of clients
- Virtual asset administration, including portfolio management involving virtual assets
- Operation of virtual asset exchange platforms or trading venues
The geographic scope is deliberate: registration is required if the firm is incorporated in Brazil or if it provides services to Brazilian-resident clients, regardless of where the firm is headquartered. Foreign firms that target Brazilian users through Portuguese-language interfaces, Brazilian payment rails, or Brazilian marketing channels are caught by the requirement. The BCB has indicated it will pursue enforcement against unregistered foreign operators who maintain a material Brazilian user base.
Firms that provide only ancillary technology services to registered VASPs, without directly providing virtual asset services to end clients, are generally outside the registration requirement. However, the boundary between technology provision and service provision can be narrow in practice: firms that hold client keys, process client transactions, or make discretionary decisions over client assets are likely providing regulated services regardless of how the contractual relationship is structured.
Capital and Corporate Requirements
The BCB imposes capital adequacy requirements on registered VASPs. The minimum paid-in capital threshold is calibrated to the scope of services provided: firms offering custody services face higher capital requirements than those offering exchange-only services, reflecting the different risk profiles involved. Firms must demonstrate capital adequacy at the time of application and maintain it on an ongoing basis. The BCB has authority to require additional capital if it concludes that a firm's risk profile warrants it following a supervisory examination.
The corporate structure requirement is non-negotiable: only a Brazilian legal entity can hold BCB registration. The two most common structures are a Limitada (LTDA), broadly equivalent to a limited liability company, and a Sociedade Anônima (S.A.), a joint-stock company. S.A. structure is preferred for firms anticipating institutional investment or eventual public listing, as it accommodates more complex shareholder arrangements and governance requirements.
A registered office in Brazil is mandatory. The BCB expects a genuine operational presence, not merely a registered address with a nominee director. Management personnel must be resident and available for supervisory contact. The BCB also requires that the entity's actual control and management take place in Brazil, meaning that purely brass-plate arrangements do not satisfy the requirement.
Corporate governance requirements include the formal appointment of an AML compliance officer (designated under Brazil's AML framework as the PLD/FT officer). This individual must be a senior officer of the entity, not an external consultant, and must be named in the BCB application. The PLD/FT officer holds personal responsibility for the adequacy of the entity's AML programme and must be identifiable to regulators at all times. Changes to the PLD/FT officer must be notified to the BCB promptly.
AML/CFT Operational Requirements
Brazil's AML/CFT framework for VASPs is comprehensive and operationally demanding. The BCB requires registered VASPs to maintain a written Programa de PLD/FT (anti-money laundering and counter-terrorism financing programme) that meets the standards set by BCB regulation and FATF Recommendation 15. The programme must be more than a policy document: it must reflect the firm's actual business model, risk appetite, and operational controls.
Suspicious transaction reporting goes to COAF (Conselho de Controle de Atividades Financeiras), Brazil's financial intelligence unit. COAF is the institutional recipient of suspicious transaction reports (STRs) from all regulated financial and quasi-financial entities, including VASPs. The obligation to file STRs is strict: firms that identify suspicious activity and fail to report it within the required timeframe face administrative sanctions. COAF data feeds into broader law enforcement and tax authority investigations, and the BCB monitors whether registered VASPs are actually filing STRs at a rate consistent with their transaction volumes.
The core operational requirements of the PLD/FT programme include:
- Customer due diligence (KYC): identity verification at onboarding, ongoing review of customer risk profiles, and enhanced due diligence (EDD) for high-risk customers including politically exposed persons (PEPs). Brazilian KYC standards align with FATF guidance and require document verification, liveness checks for remote onboarding, and source-of-funds assessment for higher-value clients.
- PEP screening: systematic screening of all customers and beneficial owners against domestic and international PEP lists. Brazil's PEP population includes federal, state, and municipal officials across all three branches of government, military officers, and their close associates and family members.
- Transaction monitoring: automated systems capable of identifying unusual transaction patterns, structuring activity, and transactions involving sanctioned parties or high-risk jurisdictions. The BCB expects monitoring systems to be calibrated to the firm's specific business model rather than generic off-the-shelf rules.
- Record retention: all KYC documentation, transaction records, and AML programme reviews must be retained for a minimum of five years. The BCB may require longer retention in connection with specific investigations or supervisory examinations.
- Employee training: all staff who handle client transactions or KYC processes must receive regular AML training. Training records must be maintained and available for inspection.
The BCB conducts supervisory examinations of registered VASPs to assess whether AML programmes are functional in practice. Firms that have written policies but no evidence of operational controls (no transaction monitoring alerts, no escalation records, no STR filings consistent with business volume) fail these examinations. The BCB does not accept the argument that the absence of STR filings reflects the absence of suspicious activity in a high-volume crypto operation.
For KYC and AML operational controls that satisfy BCB scrutiny, the programme must demonstrate documented alert management, a clear escalation path from front-line staff to the PLD/FT officer, and evidence of decisions made on borderline cases. The BCB examiner looks for decision trails, not just policy statements.
Cybersecurity and IT Security Requirements
Registered VASPs are subject to BCB Resolution 85/2021, the BCB's cybersecurity regulation for financial institutions. Resolution 85 applies to the full population of BCB-regulated entities, which now includes VASPs following their integration into the BCB's supervised universe. The requirements are substantive and operationally demanding:
Cybersecurity policy: firms must maintain a documented cybersecurity policy approved at board level. The policy must address the firm's specific risk profile, its technology architecture, and the controls in place to protect client assets and data. A generic template does not satisfy the requirement; the policy must be tailored to the firm's actual operating environment.
Incident response plan: the firm must have a documented and tested incident response plan covering cyber incidents, including scenarios involving theft of client assets, compromise of signing keys, and data breaches involving personal data. The BCB expects evidence that the plan has been rehearsed, not merely written. Tabletop exercises with documented outcomes satisfy this requirement.
Cloud security governance: firms using cloud infrastructure must maintain documented policies governing their use of cloud services. This includes provider selection criteria, data residency requirements, access control standards, and the allocation of security responsibilities between the firm and the cloud provider. The BCB's focus on cloud security reflects the reality that most VASPs rely heavily on cloud infrastructure for core operations.
Third-party risk management: VASPs that rely on third-party technology providers for core services, including custody infrastructure, KYC verification, transaction monitoring, and exchange matching engines, must maintain a third-party risk management framework. The framework must include vendor due diligence, contractual security requirements, and ongoing monitoring. BCB Resolution 85 makes clear that outsourcing a function does not outsource the regulatory obligation.
Annual reporting: registered VASPs must submit an annual cybersecurity report to the BCB. The report covers the firm's cybersecurity posture, incidents experienced during the year, and planned improvements. The annual report is a key supervisory tool and is reviewed by BCB examiners when planning supervisory engagements.
The BCB's cybersecurity framework should be understood as an operational security obligation, not a box-ticking exercise. Firms that approach it as a documentation project rather than a genuine security programme create material risk: not only do they fail BCB examinations, but they also leave themselves exposed to the operational incidents the framework is designed to prevent. For context on how the DORA compliance framework in the EU addresses similar concerns for financial institutions, the parallels with BCB Resolution 85 are instructive.
Application Process and Timeline
BCB VASP registration applications are submitted through the UNICAD system, the BCB's online portal for supervised entity management. The UNICAD submission requires a complete application package; incomplete submissions are returned and the clock effectively restarts.
The required documents for a complete UNICAD submission include:
- Articles of incorporation and corporate documents demonstrating the legal entity structure
- Evidence of minimum paid-in capital, including audited or certified financial statements
- Complete AML/CFT programme documentation (the Programa de PLD/FT)
- Curriculum vitae and criminal record clearances for all directors, officers, and controlling shareholders
- Fit and proper declarations from each director and officer
- Detailed description of services to be provided, including the technology architecture supporting those services
- Documented IT security policy and cybersecurity programme consistent with Resolution 85/2021
- Evidence of a registered office and operational presence in Brazil
- Identification of the designated PLD/FT officer with evidence of their qualifications
The BCB charges no application fee, but the professional costs of preparing a complete and compliant application are substantial. Legal counsel experienced in BCB regulation, an AML specialist to draft the Programa de PLD/FT, and a cybersecurity consultant to prepare the Resolution 85 documentation are all typically required. Cutting costs in application preparation generally extends the timeline and increases the risk of rejection.
The typical processing time for a complete, well-prepared application is 60 to 120 days. Applications that require clarification, supplemental documentation, or are materially incomplete take longer. The BCB has discretion to request additional information at any point during the review process, and the clock does not run during those periods. Firms should plan for a minimum six-month runway from decision to commence operations to commencement of regulated activity, accounting for preparation time before submission.
During the application review period, firms must not commence regulated VASP activities. Operating prior to registration exposes the firm to enforcement action regardless of whether the application is ultimately approved.
Ongoing Compliance Obligations
BCB registration is not a one-time event. Registered VASPs face a continuous compliance programme that includes both periodic reporting obligations and event-driven notification requirements.
Periodic reporting includes quarterly financial submissions to the BCB and annual reports covering both financial position and the cybersecurity programme under Resolution 85. The BCB also collects transaction data from registered VASPs and uses aggregate data to monitor market activity and identify systemic risks. Firms must maintain data systems capable of producing the BCB's required reporting formats.
Event-driven notifications are required for material changes to the registered entity. These include: changes to ownership structure or controlling shareholders, appointment or departure of directors and officers, changes to the PLD/FT officer, material changes to the services offered, and significant technology incidents. The BCB defines "material" broadly in practice, and firms should err on the side of notification rather than risk an allegation of failure to disclose.
COAF reporting obligations continue throughout the registration period. Registered VASPs must file STRs within the timeframes prescribed by COAF's regulations. The BCB monitors STR filing rates as part of its supervisory process, and a registered VASP that files no STRs over an extended period while processing significant transaction volumes will attract supervisory attention.
The BCB has the right to conduct supervisory examinations of registered VASPs at any time. Examinations may be desk-based, involving a review of submitted documentation, or on-site, involving BCB examiners visiting the firm's premises and meeting with management. Firms must cooperate fully with supervisory examinations and must have their documentation and systems available for review at short notice.
CNAD, DASP, and the Search Gap Explained
There is a persistent source of confusion in search queries related to LATAM crypto licensing: the use of the acronyms "CNAD" and "DASP" as if they were interchangeable or referred to the same jurisdiction.
CNAD in the Brazilian context refers to the Cadastro Nacional de Prestadores de Serviços de Ativos Virtuais, the BCB's national registry of registered VASPs. It is a purely Brazilian institution. Being registered on the CNAD means the BCB has approved the entity to operate as a VASP in Brazil under Law 14.478/2022.
DASP (Digital Asset Service Provider) is the term used in El Salvador's regulatory framework, administered by the Banco Central de Reservas (BCR) under El Salvador's Bitcoin Law and subsequent virtual asset legislation. El Salvador's DASP licence requirements are materially different from Brazil's CNAD registration: different regulator, different law, different capital requirements, different AML framework.
Searchers arrive at queries combining "CNAD" and "DASP" because both acronyms are used in the context of LATAM crypto licensing, and because regulatory research in this space often crosses jurisdictional lines without careful attention to which framework applies where. This post addresses the Brazil-specific CNAD/BCB framework in full. The El Salvador DASP framework is covered separately.
MiCA and International Context
Brazil is not a member of the European Union and is not subject to the Markets in Crypto-Assets Regulation (MiCA). However, the BCB's regulatory framework was substantially influenced by FATF Recommendation 15, the Financial Action Task Force's standard for virtual asset regulation, which MiCA also addresses. The conceptual architecture of the two frameworks shares common elements: mandatory registration, AML programme requirements, capital adequacy, and supervisory examination rights.
For Brazilian VASPs seeking to access EU markets, BCB registration does not confer any equivalence benefit under MiCA. A separate MiCA compliance process is required, involving authorisation as a Crypto-Asset Service Provider (CASP) in an EU member state. The two licences are independent of each other, and the operational programmes required for each must be maintained separately.
Brazilian VASPs that intend to serve both Brazilian and EU clients must maintain two fully operational compliance programmes, with separate AML reporting chains (COAF in Brazil, the relevant EU FIU via the CASP's member state regulator), separate cybersecurity frameworks (Resolution 85 and MiCA/DORA requirements), and separate capital structures. The administrative burden is significant, and firms should structure their group entities accordingly from the outset rather than attempting to retrofit a dual-jurisdiction structure later.
Brazil's framework is broadly aligned with international standards and is viewed positively by institutional counterparties. Brazilian BCB-registered VASPs generally find it easier to establish correspondent banking relationships and institutional partnerships than VASPs registered in jurisdictions with weaker or less transparent regulatory frameworks.
Operational Security and BCB Scrutiny
The BCB's supervisory examination process is the critical operational test for registered VASPs. Examiners are not reviewing whether a firm has produced the correct documents; they are assessing whether the firm's operations actually comply with the registered framework. This distinction matters enormously for how firms should approach their compliance infrastructure.
The most common failures identified in BCB supervisory examinations of financial institutions (including emerging VASPs) involve gaps between documented policy and operational reality. A firm may have an AML programme document that correctly describes the controls required by Normativa BCB 6/2023, but if the transaction monitoring system has not been properly calibrated, if KYC remediation backlogs are unaddressed, or if the PLD/FT officer has no genuine authority or budget, the programme fails the operational test regardless of what the policy says.
The same applies to cybersecurity under Resolution 85. A cybersecurity policy document is necessary but not sufficient. The BCB examiner will ask: has the incident response plan been tested? Can you show the results of the last penetration test? What happened when the last security alert fired? Who has access to the signing keys for client custody operations, and how is that access controlled?
Security4Web3's engagement model for BCB-registered VASPs focuses precisely on this operational layer. Building the security infrastructure that passes BCB scrutiny means implementing genuine key management controls, access management frameworks, transaction monitoring integrations, and incident response rehearsals, not producing additional documentation. Firms that engage Security4Web3 before their BCB supervisory examination consistently find that the examination process confirms their operational controls rather than exposing gaps.
Brazil vs. El Salvador vs. Panama: LATAM Comparison
For firms evaluating where to establish a LATAM crypto presence, the three most commonly considered jurisdictions are Brazil, El Salvador, and Panama. They differ substantially on regulatory maturity, cost, market access, and operational complexity.
Brazil is the largest market and the most demanding regulatory environment. The BCB's framework is robust, supervisory examinations are genuine, and capital requirements are significant. The upside is direct access to the largest crypto user base in Latin America and a BCB registration that carries genuine credibility with institutional counterparties, correspondent banks, and international regulators.
El Salvador pioneered Bitcoin as legal tender and has established a dedicated VASP registration framework through the BCR/CNAD process. The framework is developing but lighter-touch than Brazil's, and the market is substantially smaller. The DASP licence requirements are covered separately and represent a meaningful option for firms seeking a LATAM regulatory footprint with lower initial capital and compliance costs.
Panama offers a well-established corporate environment with the US dollar, a strong banking infrastructure, and a competitive tax regime for foreign-source income. The AML framework under Law 23 of 2015 has been strengthened following Panama's removal from the FATF grey list in 2023. The Panama crypto licence process is materially faster and less capital-intensive than Brazil's, but the banking access challenge for crypto firms registered in Panama remains a practical constraint.
The choice between these jurisdictions depends on the firm's target market, capital position, tolerance for regulatory scrutiny, and institutional partnership requirements. Brazil is the right choice for firms that genuinely intend to serve Brazilian clients at scale. El Salvador and Panama serve different strategic purposes, including as regional hubs or as lighter-touch entry points into LATAM regulatory compliance.
Frequently Asked Questions
What is the Brazil crypto licence and who regulates it?
Brazil's crypto licence is a formal VASP registration administered by the Banco Central do Brasil (BCB) under Law 14.478/2022 and Normativa BCB 6/2023. Any entity providing virtual asset exchange, transfer, custody, or administration services to Brazilian clients must obtain BCB registration before operating. The BCB is the primary regulator for most VASP activities; the Comissão de Valores Mobiliários (CVM) retains jurisdiction where crypto assets qualify as securities under Brazilian law.
What is the CNAD in Brazil?
CNAD stands for Cadastro Nacional de Prestadores de Serviços de Ativos Virtuais, the national registry of virtual asset service providers maintained by the Banco Central do Brasil. Registration on the CNAD is the core licensing obligation for VASPs operating in Brazil. Firms submit their application through the BCB's UNICAD system and may only begin regulated operations once registration is confirmed. The CNAD is distinct from the "DASP" concept used in El Salvador; they refer to separate registries in different countries.
What are the capital requirements for a Brazilian VASP licence?
The BCB specifies minimum paid-in capital requirements calibrated to the scope of services offered. Custody and exchange operations face higher capital thresholds than transfer-only services, reflecting the different risk profiles involved. Firms must demonstrate capital adequacy both at application and on an ongoing basis. A Brazilian legal entity is required; foreign-incorporated entities cannot obtain BCB registration directly. The BCB may impose additional capital requirements following a supervisory examination if the firm's risk profile warrants it.
How long does BCB VASP registration take?
A complete, well-prepared BCB VASP registration application typically takes 60 to 120 days to process from submission. This assumes all documents are correctly compiled: articles of incorporation, AML programme, management CVs with criminal record clearances, proof of capital, service descriptions, and the cybersecurity policy. Incomplete applications extend the timeline materially. Professional preparation costs are significant even though the BCB charges no application fee. Firms should plan for at least six months from decision to operate to commencement of regulated activity.
What cybersecurity requirements does the BCB impose on crypto firms?
BCB Resolution 85/2021 applies directly to registered VASPs. Firms must maintain a documented cybersecurity policy, an incident response plan, cloud security governance procedures, and a third-party risk management framework. Annual cybersecurity reporting to the BCB is mandatory. The BCB's supervisory examination assesses whether these controls are genuinely implemented and operational, not merely documented. Firms that produce policy documents without corresponding operational controls consistently fail BCB inspections.