Brazil's crypto legal framework: what changes in security and compliance for exchanges and VASPs

Direct answer

Law 14,478/2022 created Brazil's regulatory framework for virtual asset service providers (VASPs), defining virtual asset, requiring prior authorization from the executive branch and delegating supervision to the Central Bank. The obligations cover anti-money-laundering, segregated custody of client assets, security controls for cryptographic keys and compliance with the LGPD. Non-compliance subjects the company to fines, suspension and cancellation of authorization.

Key takeaways

  • Law 14,478/2022 legally defines 'virtual asset' and 'virtual asset service provider' (VASP) in Brazil, putting an end to the regulatory gray area for exchanges and custodians.
  • The Central Bank of Brazil was designated by Decree 11,563/2023 as the prudential and conduct regulator of VASPs, with the power to authorize, supervise, sanction and order intervention.
  • VASPs must implement an AML/CFT program aligned with Law 9,613/1998 and the resolutions of the COAF, including KYC, transaction monitoring and reporting of suspicious operations.
  • The segregation of client assets from the exchange's own assets is an express obligation of the law — hot wallets with exposure limits and cold wallets with HSM/MPC custody are the technical response.
  • Smart contracts used for custody, DeFi or tokenization require independent source-code auditing before deployment; vulnerabilities such as reentrancy and oracle manipulation are regulatory and loss-event vectors.
  • The LGPD fully applies to the KYC/AML data lifecycle of VASPs; biometric data and identity documents are sensitive data with stricter consent and minimization requirements.

What Law 14,478/2022 establishes

Published on December 21, 2022, Law 14,478 established the legal regime for virtual asset service providers in Brazil. It defines 'virtual asset' as the digital representation of value that can be traded or transferred electronically, explicitly excluding national currency, foreign currency, regulated payment instruments and securities subject to the CVM.

The law creates the regulatory category of the VASP — Virtual Asset Service Provider — which includes exchanges, custodians, over-the-counter brokers and transfer platforms. Any company that carries out these activities on a regular basis in Brazil will need prior authorization from the competent body, under penalty of falling under the crimes of irregular operation of a financial institution.

The text also criminalizes specific offenses in the virtual asset environment: pyramid fraud backed by crypto and the use of virtual assets to facilitate crimes against the financial system now have their own criminal framing, which broadens the liability of operators who fail to implement adequate controls.

The Central Bank as regulator and the regulation underway

Decree 11,563 of June 2023 designated the Central Bank of Brazil as the supervisory authority for VASPs. This means that exchanges and custodians now orbit the same regulatory ecosystem as payment institutions, with obligations regarding minimum capital, governance, internal controls and periodic reporting.

The Central Bank published public consultations and secondary regulations throughout 2024 and 2025 detailing authorization requirements, exposure limits for hot wallets, independent audit requirements and minimum information security standards. The rules follow the principle of proportionality: the larger the volume of assets under custody, the more rigorous the controls required.

Companies already operating in the market have an adaptation period defined by the Central Bank's regulations. Ignoring these deadlines turns a regulatory obligation into an immediate criminal liability, since the law provides for a crime for operating without authorization.

AML/CFT obligations: preventing money laundering and terrorist financing

VASPs are required to comply with Law 9,613/1998 (the Money Laundering Law) and the resolutions of the COAF. In practice, this translates into a robust KYC policy — identity verification, screening against national and international sanctions lists (OFAC, UN), and enhanced due diligence for PEPs and high-risk legal entities.

The Travel Rule, already consolidated in the FATF recommendations and provided for in the Central Bank's regulation, requires VASPs to share originator and beneficiary data in transfers above a certain amount. This demands technical integration between platforms — a security requirement that goes beyond regulatory compliance and requires authenticated APIs and encrypted channels.

The continuous monitoring of transactions with automatic alerts for suspicious patterns — mixing, smurfing, structured withdrawals — must be documented and tested. The COAF accepts timely reports; what it does not accept is the absence of a system or the lack of evidence that the program works.

Technical security: custody, cryptographic keys and wallet architecture

The segregation of client assets from the exchange's own assets is one of the pillars of Law 14,478/2022. From a technical standpoint, this requires individualized custody accounts or an accounting equivalent, hot/cold wallet policies with exposure limits defined by internal policy and approved by the board, and transfer processes between hot and cold wallets with multiple signatures.

Hot wallets should store only the balance needed for operational liquidity — typically 1% to 5% of the total under custody, depending on the exchange's profile. The remainder should stay in cold wallets with Hardware Security Modules (HSMs) or Multi-Party Computation (MPC) schemes, which eliminate the single point of failure of private keys without introducing dependence on a single holder.

The management of the key lifecycle — generation, storage, rotation, revocation and destruction — needs a formal and tested procedure. Exchanges that suffered historic hacks (Mt. Gox, Bitfinex, FTX) had in common the absence of, or disregard for, basic custody controls. Brazilian regulation turns this negligence into an administrative and potentially criminal offense.

Smart contract auditing and API security

Smart contracts that manage custody, staking, receivables tokenization or DeFi operations linked to a regulated VASP must undergo source-code auditing by an independent firm before deployment to mainnet. Critical vectors include reentrancy, arithmetic overflow, price oracle manipulation, unauthorized access to administrative functions and block timestamp dependence.

The audit result must be documented, critical and high vulnerabilities must be fixed before launch, and the report must be archived as regulatory evidence. Contract updates — even in upgradeable patterns such as UUPS proxies — require a new round of auditing of the altered components.

The security of the API layer is equally critical: authentication with rotating keys, rate limiting per user and per IP, protection against replay attacks on withdrawal endpoints, immutable audit logs and documented periodic penetration tests are requirements that the Central Bank may demand as part of the authorization process and subsequent inspections.

The LGPD and data protection in the crypto context

An exchange's KYC process collects CPF (taxpayer ID), RG (national ID), proof of residence, selfies with a document and, in many cases, biometric data. All of this data falls under the LGPD, with biometrics classified as sensitive data, subject to restricted legal bases — legal obligation or substantiated legitimate interest — and higher protection standards.

The legal basis most used by VASPs for KYC is compliance with a legal obligation, since Law 14,478/2022 and the Central Bank's rules expressly require the identification of clients. This basis is solid, but it does not exempt the adoption of adequate technical and organizational measures: encryption at rest and in transit, role-based access control, access logs for personal data and a security incident response plan.

Incidents that expose the KYC data of exchange clients have a triple consequence: notification to the ANPD, communication to the COAF (if the leak compromises the integrity of the AML/CFT program) and possible activation of the Central Bank. A planned and tested incident response is therefore a simultaneous requirement of three distinct regulatory regimes.

How to comply

  1. 1

    Map your activity and confirm classification as a VASP

    Review all of the company's activities in light of the definition in Law 14,478/2022. If you operate an exchange, custody, over-the-counter brokerage or transfer of virtual assets on a regular basis, the classification is automatic — there is no option to 'not apply.' Document the result of this mapping with a legal opinion.

  2. 2

    Start the authorization process with the Central Bank

    Access the Central Bank's most recent regulations on VASPs, gather corporate documentation, a business plan, internal control and information security policies, and file the authorization request within the defined period. Companies already operating should check the applicable transitional regime.

  3. 3

    Implement and document the AML/CFT program

    Structure KYC policies, onboarding with identity verification, sanctions lists (OFAC, UN, COAF), transaction monitoring and a reporting channel to the COAF. Train the operational team and carry out periodic tests. The program must exist in writing and have evidence that it works.

  4. 4

    Define and implement the custody architecture

    Separate client assets from the company's own assets both in accounting and technical terms. Establish the hot/cold wallet policy with maximum percentages, require multisig or MPC for any cold wallet movement and document the process for managing the cryptographic key lifecycle.

  5. 5

    Contract independent smart contract auditing and exchange pentesting

    For each smart contract in use or in production, hire a specialized firm for source-code auditing. For the exchange infrastructure — APIs, admin panels, withdrawal modules — carry out a pentest with a documented methodology (OWASP, PTES) and fix critical vulnerabilities before any new deployments.

  6. 6

    Bring personal data processing into compliance with the LGPD

    Map all data collected during KYC, define the legal basis (legal obligation), implement encryption at rest and in transit, restrict access by job role and document the procedures for responding to personal data incidents in accordance with the 72-hour deadline required by the ANPD.

  7. 7

    Establish an annual review cycle and inspection readiness

    VASP regulation is dynamic: set aside an annual cycle to review policies against new Central Bank regulations, update the AML/CFT program with new COAF typologies and repeat security tests. Keep a compliance dossier ready to present in an unannounced Central Bank inspection.

Frequently asked questions

What is the legal definition of virtual asset in Law 14,478/2022?

The law defines a virtual asset as the digital representation of value that can be traded or transferred by electronic means and used to make payments or for investment purposes. The definition expressly excludes national currency, foreign currency, payment instruments that are already regulated and securities subject to the regulation of the CVM.

Who oversees cryptocurrency exchanges in Brazil?

Decree 11,563/2023 designated the Central Bank of Brazil as the prudential and conduct regulator of virtual asset service providers. The Central Bank has the power to authorize operations, supervise, apply administrative sanctions and order the intervention or liquidation of VASPs that fail to comply with the regulation.

Does a small exchange also have to comply with Law 14,478/2022?

Yes. The classification criterion is the regularity of the service provision, not the size of the company. The Central Bank may adopt proportionality criteria for capital and governance requirements, but the obligation of authorization, AML/CFT and asset segregation applies to any VASP operating in Brazil, regardless of volume.

What is the Travel Rule and how does it affect Brazilian exchanges?

The Travel Rule is the obligation to transmit originator and beneficiary data in virtual asset transfers above a certain threshold. It derives from the recommendations of the FATF (Financial Action Task Force) and has been incorporated into the Central Bank's regulation. In practice, it requires exchanges to implement technical protocols for the secure sharing of data with other VASPs involved in each transaction.

Why is smart contract auditing a compliance issue and not merely a technical one?

Because smart contracts that manage client assets are part of the VASP's custody infrastructure. Exploitable flaws — such as reentrancy or unauthorized access to admin functions — can result in the loss of client assets, which directly violates the obligation to segregate and protect assets provided for in the law. The Central Bank may require evidence of an audit as a condition for authorization or during inspections.

How does the LGPD interact with an exchange's KYC obligations?

KYC collects personal data and, in many cases, sensitive data (biometrics). The LGPD requires a legal basis, technical and organizational security measures, and an incident response plan. The most robust legal basis for VASPs is compliance with a legal obligation, since the regulation expressly requires the identification of clients — but this does not eliminate the other obligations of protection, minimization and adequate retention of the data.

Sources

Decripte implements compliance — without you building an in-house team.

Adherence assessment, auditable technical controls, pentest and documentation for the regulator/auditor. Or start free by seeing what is already exposed.