The beginning of March marks a peak period promoted by fintechs. The Central Bank regulations, coming in the wake of cases of hacker attacks against Pix systems in 2025, try to move forward against changes in the profile of scams against financial institutions.
Regulations stipulated by the regulator seek to standardize the regulatory environment and strengthen the security of data communication infrastructures and payment systems of the National Financial System (SFN) and the Brazilian Payment System (SPB).
The points included by the BC in the changes had already been subject to audits with financial institutions. The changes range from ensuring encryption mechanisms, ensuring data leak prevention to backup management.
“What I see most strongly, however, is the topic of threat intelligence”, says the business director of Clavis Information Security, Leonardo Pinheiro. “It is the intelligence for monitoring the deep and dark web, monitoring credential leaks, brand mentions”, explains the expert.
As Pinheiro explains, the greatest concern with this topic is mainly due to a change in the profile of financial fraud, previously marked by an opportunistic profile. “Today, part of these attacks is orchestrated. And they are often dealt with in scenarios such as the deep and dark web, forums that we do not see.”
Hacker attacks in 2025 were responsible for the theft of billion-dollar amounts from Brazilian financial institutions. Two of them, involving service providers C&M and Sinqia, took advantage of access to the Pix environment to access values from financial institutions.
Continues after advertising
Pinheiro points out that the change in the profile of scams was also impacted by the specific regulation facilitated for the founding of fintechs: “The central point says that, if you want to be a fintech, you have to start looking at this [inteligência de ameaça]”.
The point is that these companies, in many cases, do not have the tools to carry out monitoring. Clavis — which provides technology for the adaptation of financial institutions — assesses that those who seek to implement the changes will now no longer have time to follow the rules stipulated more specifically in resolutions no. 538 and CMN no. 5,274.
“Those looking from now on will not have time. It takes time to carry out a project of this magnitude. Two to three months of new tools, adjustments and an increase in the level of maturity”, points out Pinheiro.
