Cybersecurity in financial institutions and payment institutions

4/30/2021

2020 was a remarkable year for Brazil and the world, for reasons ranging from scientists’ relentless pursuit of a vaccine to curb the damage caused by the COVID-19 pandemic, to the concern, also largely accentuated by COVID-19, over how to advance technologically so as to keep most services operating and ensure the correct functioning of the economy.

In such an atypical and difficult period, a growth never seen before in the use of digital services could be observed. In terms of technological advances, the financial sector was in fact the private sector responsible for the largest share of resources invested in technology, both in Brazil and worldwide. In this sense, the Pesquisa FEBRABAN de Tecnologia Bancária 2020[1] (a survey by the Brazilian Bank Federation), whose base year is 2019, recorded a 48% increase in technology investments by Brazilian banks. In the context of the COVID-19 pandemic, transactions by individuals on digital channels reached 74% of all transactions carried out.

In parallel with the growth of technology and the boosting of competition in the banking sector, a concern that has existed in Brazil since 2018, when the Brazilian Data Protection Law (“LGPD”) was enacted, once again took center stage in the daily lives of players in the financial sector: cybersecurity and personal data. After all, it was during the troubled year of 2020 that the LGPD came into force, despite widespread expectations that it would be postponed.

Regarding security incidents, the McAfee Threat Report issued in December 2017[2] points out that the great majority of security incidents occur in North, South and Central America, and that Brazil ranks second among the countries with the largest number of cyber-attacks in the world. The IMF[3] also points to Brazil as one of the countries most at risk in this regard.

In this scenario, in February 2020, two important rules came into force in Brazil: Decree No. 10.222/2020, which describes the Brazilian Cybersecurity Strategy, created by the Brazilian authorities and valid until 2023, and Decree No. 10.139/2019, which obliged the agencies and entities of the federal public administration to review and consolidate their regulations in order to rationalize the regulatory stock.

Regarding the Brazilian Cybersecurity Strategy, created as an initiative to protect state digital systems, an important movement could be observed: the financial sector (along with the energy, telecommunications, transport and other sectors) was treated by Decree No. 10.222/2020 as a critical infrastructure sector, precisely because of the relevance of its activities, and it is the sector that has best adapted to cybersecurity guidelines.

The revision process required by Decree No. 10.139/2019 had an impact on about 2,600 regulations then in force issued by the Central Bank of Brazil (“BCB”) and by the National Monetary Council (“CMN”). Among them were Resolution No. 4.658/2018 and Resolution No. 4.752/2019, which dealt with cybersecurity and have been consolidated in CMN Resolution No. 4.893/2021. That resolution repeals the previous rules on the subject and addresses cybersecurity policies and the requirements for contracting cloud data processing and storage services by institutions authorized to operate by the BCB.

Although CMN Resolution No. 4.893/2021 presents almost nothing new in relation to the previous regulations, it was structured with international cybersecurity standards in mind and determines, as its main points, that the institutions regulated by the BCB develop a cybersecurity policy, an incident response action plan and a business continuity action plan. In addition to these documents, institutions must set requirements for contracting cloud services, whether in Brazil or abroad.

It should be noted, however, that CMN Resolution No. 4.893/2021 makes it clear that its provisions do not apply to payment institutions (“PIs”), because there is a specific rule for PIs, BCB Resolution No. 3909/2018. The requirements of that rule are nonetheless very similar to those of CMN Resolution No. 4.893/2021.

It must be borne in mind that cybersecurity is an even more relevant issue for payment institutions, the so-called fintechs. In general, large financial institutions have large technology departments and robust security policies, which is more difficult for smaller fintechs, which often cannot allocate large amounts to this area since they need to focus on gaining market share and developing innovative solutions.

Investing in cybersecurity, in addition to being a legal requirement, is essential for fintechs to demonstrate structural strength to consumers and build greater confidence, thereby attracting customers, as well as to avoid fraud that could compromise their financial health, since their transaction volume may not be as significant. This can be clearly seen in the growing number of structured fintechs concerned with the sustainable development of the market.

Finally, it is emphasized that both financial institutions and payment institutions must strictly comply with the provisions of the LGPD, given the high degree of security the law requires. Due to the volume of personal data and sensitive customer data they handle, these institutions need to adopt the controls and mechanisms necessary to protect the company and the data.

All these mechanisms demonstrate Brazil’s concern with becoming safer, which in turn will attract greater entrepreneurship, investment and competition in the sector, making solutions increasingly attractive and easing the path for customers.

Coauthors: Cassia Monteiro Cascione, Nathalia Fernandes Gonçalves, Esther Jerussalmy Cunha and Fabricio Bertini Polido


[1] Pesquisa FEBRABAN de Tecnologia Bancária 2020 (survey by the Brazilian Bank Federation), available at <https://cmsportal.febraban.org.br/Arquivos/documentos/PDF/Pesquisa%20Febraban%20de%20Tecnologia%20Banc%C3%A1ria%202020%20VF.pdf>
[2] McAfee Threat Report, December 2017, available at <https://www.mcafee.com/enterprise/en-us/assets/executive-summaries/es-economic-impact-cybercrime.pdf> and at <https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2017.pdf>
[3] Cyber Risks in the Financial Sector, International Monetary Fund, 2018, available at <http://www.imf.org/~/media/Files/Publications/WP/2018/wp18143.ashx>