CVM Resolution 175, virtual assets, and tokenization: what changes for funds and issuers
Direct answer
CVM Resolution 175 consolidated the regime for Brazilian investment funds and, for the first time, admitted virtual assets as investable assets, with limits and custody requirements. The CVM's jurisdiction, however, is defined by the nature of the asset: a token is a security when it constitutes a collective investment contract (Article 2, IX, of Law 6,385/76), under the terms of CVM Guidance Opinion 40/2022; in that case, the offering, custody, and service providers fall under the CVM's regime. Virtual assets that are not securities follow Law 14,478/2022 and the Central Bank.
Key takeaways
- ›CVM Resolution 175 unified the framework for funds and allowed, within limits, that FIFs invest in virtual assets traded on regulated entities, in Brazil or abroad.
- ›The jurisdictional boundary is not the token's label: if it qualifies as a collective investment contract (Article 2, IX, of Law 6,385/76), it is a security and the CVM regulates the offering.
- ›CVM Guidance Opinion 40/2022 applies a functional test (the essence of Howey) to classify payment tokens, utility tokens, and asset-backed tokens.
- ›Receivables tokens and fixed-income tokens tend to be securities and may amount to securitization (Law 14,430/2022), in accordance with CVM/SSE Circular Letters 4 and 6 of 2023.
- ›The use of DLT or a smart contract does not strip the asset of its status as a security, nor does it waive registration, qualified custody, and governance.
- ›Secure key custody, asset segregation, smart contract auditing, and cyber risk management become compliance controls, not just IT controls.
What CVM Resolution 175 changed for funds
Published in December 2022, CVM Resolution 175 replaced CVM Instruction 555 and dozens of related rules, consolidating into a single regime the constitution, operation, and provision of services of investment funds. The structure came to separate a general part, common to all funds, from regulatory annexes by type, among them Annex I (Financial Investment Funds, FIF) and Annex II (Receivables Investment Funds, FIDC).
The change that directly matters to those operating in crypto and tokenization was the express recognition of virtual assets as an investable class. Previously, exposure to crypto assets required offshore vehicles; with 175, Brazilian funds can invest in virtual assets traded on entities authorized to operate by regulators in Brazil or in jurisdictions with equivalent regulation, subject to concentration limits that vary according to the fund's audience, from retail to qualified and professional investors.
For the manager, the practical consequence is that crypto exposure ceases to be an offshore legal engineering exercise and becomes a product decision subject to the rules on asset eligibility, mark-to-market, and, above all, custody and internal controls. It is at this point that regulatory compliance and information security stop being parallel tracks.
The jurisdictional boundary: security (CVM) or virtual asset (BACEN)
The question that defines the applicable regime is not whether the asset uses blockchain, but what its legal nature is. Law 14,478/2022 and the Central Bank handle virtual asset service providers (VASPs) and virtual assets in general. But this law is explicit in excluding from its concept of virtual asset that which is already a security, whose discipline remains with the CVM.
The criterion is in Article 2, item IX, of Law 6,385/76: securities are, when offered publicly, any instruments or collective investment contracts that grant a right of participation, partnership, or remuneration whose earnings derive from the effort of the entrepreneur or of third parties. A token that combines these elements — public fundraising, investment of money, expectation of return, and dependence on the effort of a third party — is a security, even if it calls itself a utility token.
In practice, the same asset has two possible paths. If it is a security, the offering, trading, custody, and service providers are under the CVM, and issuance without registration or an exemption is irregular. If it is not, it follows the track of Law 14,478/2022 and BACEN. A misreading of this boundary is one of the main sources of regulatory risk for tokenization companies and investment fintechs.
When a token is a security: CVM Guidance Opinion 40/2022
In October 2022, the CVM published Guidance Opinion 40, which consolidates the agency's understanding of crypto assets in the securities market. The document adopts a functional approach: what matters is the economic essence of the asset, not the name or the technology. From this, it proposes an initial taxonomy with payment tokens, utility tokens, and asset-backed tokens.
The classification analysis applies, in essence, the internationally established test (Howey), already incorporated into the CVM's case law around the collective investment contract: contribution of money, collective character, expectation of economic benefit, and the preponderant effort of an entrepreneur or of third parties. Where these elements are present in a public offering, there is a security. The Opinion reinforces that the characterization is independent of any prior CVM statement and that it is up to the offeror to assess the classification.
The Opinion also clarifies that tokens can take on hybrid natures and change classification over time, which makes the analysis a continuous exercise, and not a stamp at issuance. For the legal team of a tokenization company, this means documenting the classification thesis, monitoring changes in the token's functionality, and treating the smart contract as part of the regulatory design, because it is in the smart contract that the economic rights promised in the white paper actually materialize or fail.
Receivables and fixed-income tokens: securitization in another guise
In 2023, upon detecting issuances of tokens promising income, the CVM's Securitization Supervision Office published CVM/SSE Circular Letters 4/2023 and 6/2023. The message is direct: receivables tokens and fixed-income tokens, when offered publicly with a promise of remuneration, tend to qualify as collective investment contracts and, in many cases, amount to securitization operations governed by Law 14,430/2022.
The circular letters consolidate three points relevant to product design. First, the use of DLT in the issuance does not strip the asset of its nature as a security. Second, the offering requires registration or an exemption at the CVM and compliance with the applicable regime, including securitization where relevant. Third, the service providers involved in the tokenization take on regulatory responsibilities, and not just technological ones.
For tokenization companies, this repositions the product: the origination of the receivables, the verification of the backing, the custody of the underlying assets, and the fidelity between what the smart contract executes and what the offering materials promise become auditable compliance elements. The divergence between code and prospectus ceases to be a bug and becomes a legal risk.
Custody, segregation, and service providers under the 175 regime
Resolution 175 organizes the chain of essential fund service providers, with emphasis on the administrator and the manager, and provides for responsibilities of custody, controllership, and bookkeeping. When the fund's asset is a virtual asset, two classic principles of the capital markets take on new technical contours: the segregation of the fund's assets from those of the service provider, and the safe custody of the assets.
Segregating assets, in the crypto world, is not merely accounting. It involves effective segregation of addresses and wallets by fund, control of who holds the private keys, a policy on the use of cold and hot wallets, and signature governance. Qualified custody of crypto assets means, in practice, being able to demonstrate that the entity controls the keys, that they are protected against compromise and loss, and that there is tested recovery in a scenario of disaster, loss of a signatory, or an incident.
Service providers that take on custody and administration of funds with exposure to virtual assets need to treat key management as a first-order financial control. A key leak or a failure in the governance of multiple signatures is not an isolated IT incident: it can mean the definitive loss of the fund's asset and expose the provider to liability before unitholders and the regulator.
Information security and risk management as a compliance duty
Both the fund regime and capital markets regulation expect service providers to have internal controls, risk management, and information security compatible with the nature and complexity of the activity. For those dealing with virtual assets and tokenization, these controls have an additional layer: the risk that a technical failure — in keys, in smart contracts, or in integrations — converts directly into irreversible loss of assets and regulatory non-compliance.
In practice, a security policy is expected that covers identity and access management with segregation of duties, monitoring and incident response, continuity and recovery management, periodic penetration testing of applications and infrastructure, and independent auditing of smart contract code before and after deployment. In tokenization, the smart contract is part of the regulated product: vulnerabilities in reentrancy, access control, or mint and burn logic have a direct effect on investors' rights.
This is where security and legal converge. Documenting the token's classification thesis, maintaining audit trails, evidencing secure key custody, and proving tests and audits come to make up the compliance dossier that sustains the relationship with the CVM and with unitholders. Treating security as regulatory evidence, and not as an IT cost, is what sets a mature operation apart.
How Decripte supports managers, fintechs, and tokenization companies
Decripte is a Brazilian B2B cybersecurity company. For the crypto capital markets, we operate where technical security meets compliance: in the protection of custody and keys, in the audit of what actually runs in production, and in building the evidence that the regulator and unitholders expect.
Within the Web3 Security and Regulatory Security practices, we support the review of custody and key management architecture, the audit of smart contracts before deployment, penetration testing of applications and infrastructure, and the structuring of risk management and incident response controls aligned with what the fund regime and the securities market expect.
The goal is practical: to enable legal to defend the classification thesis with technical grounding, the manager to demonstrate adequate custody and segregation, and the tokenized product to go live with audited code and a documented security posture. Compliance and security, on the same track.
How to comply
- 1
Classify the asset before designing the product
Before issuance, assess whether the token constitutes a collective investment contract (Article 2, IX, of Law 6,385/76) in light of CVM Guidance Opinion 40/2022. Document the classification thesis in writing and identify whether the track is the CVM (security) or Law 14,478/2022 and BACEN.
- 2
Define the offering regime and the service providers
If it is a security, map the need for registration or an exemption, the possible qualification as securitization (Law 14,430/2022), and the mandatory service providers. For funds, align the exposure to virtual assets with the limits and requirements of CVM Resolution 175 according to the target audience.
- 3
Structure custody and key segregation
Deploy segregation of wallets by fund or issuance, a cold and hot wallet policy, and governance of multiple signatures. Ensure the entity can prove control of the private keys and that there is a tested recovery procedure in the event of loss or compromise.
- 4
Audit the smart contract before deploying
Submit the smart contract to an independent security audit, checking access control, issuance and redemption logic, and the absence of known vulnerabilities. Confirm that what the code executes matches what the offering materials promise investors.
- 5
Implement security and risk management controls
Establish identity management with segregation of duties, monitoring and incident response, continuity and recovery, and periodic penetration testing of applications and infrastructure, scaled to the criticality of virtual asset custody.
- 6
Assemble the auditable compliance dossier
Gather the classification thesis, code audit reports, evidence of custody and segregation, penetration test records, and incident trails. This set sustains the relationship with the CVM, with auditors, and with unitholders, and reduces risk under supervision.
- 7
Monitor changes in functionality and rules
Treat classification as a continuous exercise: reassess when the token changes functionality and follow the CVM's regulatory agenda, which keeps adjusting the annexes of 175 and the crowdfunding rules aimed at the tokenization of receivables.
Frequently asked questions
Does CVM Resolution 175 allow Brazilian funds to invest in cryptocurrencies?
Yes. CVM Resolution 175 recognized virtual assets as an investable class and allows Financial Investment Funds to have exposure to virtual assets traded on entities authorized by regulators in Brazil or in jurisdictions with equivalent regulation, subject to concentration limits that vary according to the fund's audience. Before 175, this exposure depended on offshore vehicles.
How do I know if my token is a security or a virtual asset?
The criterion is legal nature, not technology. If the token, offered publicly, constitutes a collective investment contract (Article 2, IX, of Law 6,385/76), with contribution, collective character, expectation of return, and the effort of third parties, it is a security and falls under the CVM, according to Guidance Opinion 40/2022. If it does not combine these elements, it follows as a virtual asset, under Law 14,478/2022 and the Central Bank.
Are receivables and fixed-income tokens securities?
As a rule, they tend to be. In CVM/SSE Circular Letters 4/2023 and 6/2023, the CVM indicated that receivables tokens and fixed-income tokens offered publicly with a promise of remuneration usually constitute a collective investment contract and, frequently, amount to securitization operations under Law 14,430/2022, requiring registration or an exemption and compliance with the applicable regime.
Does using blockchain or a smart contract waive registration with the CVM?
No. The CVM is explicit in stating that the use of DLT or any other technology in the issuance does not strip the asset of its nature as a security. If there is a security in a public offering, the requirements of registration or an exemption, custody, and service providers apply, regardless of the technological layer used.
What security controls does the CVM expect from those who custody virtual assets?
Although the technical details vary, the regime expects internal controls, risk management, and information security compatible with the activity. In practice, this includes secure and segregated key custody, signature governance, monitoring and incident response, continuity and recovery, penetration testing, and smart contract auditing, with documented evidence for supervision purposes.
What is the difference between Resolution 175 and Law 14,478/2022?
Law 14,478/2022 is the legal framework for virtual assets and VASPs, with the Central Bank as regulator, and it excludes from its concept what is already a security. CVM Resolution 175 is the framework for investment funds and addresses, among other points, the exposure of funds to virtual assets. The same token can fall into one track or the other depending on its legal nature.
Can a token's classification change over time?
Yes. CVM Guidance Opinion 40/2022 recognizes hybrid tokens and accepts that classification may evolve as the asset's functionality changes. For this reason, it is recommended to treat classification as a continuous analysis, reassessing with each relevant change in the token's functionality, governance, or promise of return.
How does Decripte help a manager or tokenization company become compliant?
Decripte is a B2B cybersecurity company that operates at the intersection of technical security and compliance. We support the review of custody and key management architecture, smart contract auditing, penetration testing, and the structuring of risk management and incident response controls, generating the technical evidence that sustains the classification thesis and the relationship with the CVM and unitholders.
Sources
Decripte implements compliance — without you building an in-house team.
Adherence assessment, auditable technical controls, pentest and documentation for the regulator/auditor. Or start free by seeing what is already exposed.
