Saud Advogados
Introduction
Brazilian Law No. 9,613/1998 (“Brazilian AML Law”) is a landmark in the regulatory landscape for anti-money laundering and combating the financing of terrorism (“AML/CFT”), assigning an active role to obligated persons – whether legal entities or natural persons.
In the past few years, technological developments – particularly in the financial sector through innovation, crypto-assets, artificial intelligence and digital platforms – have created a more complex framework for money laundering, requiring regulators and authorities to constantly adapt to keep pace with these changes.
In this regard, in August 2025, the Federal Revenue of Brazil (“RFB”) published Normative Instruction No. 2,278 (“IN 2,278”), which brings a key regulatory shift: payment institutions, including fintech companies and participants in payment arrangements, are now required to comply with the same regulations applicable to banks and other institutions subject to the Brazilian AML Law and Law No. 12,865/2013 (“Payment Arrangements Law”). IN 2,278 signals heightened enforcement efforts from Brazilian authorities, especially in the wake of recent money laundering scandals related to fintech and criminal organizations.
On this matter, AML/CFT compliance programs must implement and constantly update Know Your Client (“KYC”) policies, as these policies represent an essential safeguard to mitigate liability arising from clients’ potential unlawful activities. This article seeks to examine KYC, outlining its mechanisms and evaluating its effectiveness in AML/CFT enforcement.
The foundations of KYC
Know Your Client refers to a structured set of procedures designed to collect, validate, and verify clients’ information, ensuring appropriate due diligence in their identification, qualification, and risk classification. While primarily applied by financial institutions, KYC is also mandatory across different sectors to prevent unlawful activities and to mitigate regulatory exposure.
Under Article 9 of the Brazilian AML Law, the duty to implement KYC measures extends beyond financial institutions to a wide range of obligated persons from different sectors. These include but are not limited to: (i) securities; (ii) insurance, capitalization and private pension; (iii) real estate; (iv) luxury or high-value goods; and (v) virtual asset operators.
Amongst other obligations, these obligated persons are responsible for monitoring clients’ data and transaction history and for reporting any suspicious or atypical transactions to the Financial Activities Control Council (“Coaf”), which is Brazil’s Financial Intelligence Unit. Further to that, some sectors are regulated by special authorities and need to comply with targeted regulation, such as financial institutions by the Brazilian Central Bank (“BCB”), the insurance market by the Superintendency of Private Insurance (“SUSEP”), or the securities market by the Securities and Exchange Commission (“CVM”). For all sectors that do not have a specific regulatory authority, supervisory responsibility rests with Coaf.
Failure to comply with KYC and other AML/CFT obligations may result in severe sanctions, including, but not limited to, warnings and monetary fines – which are capped at BRL 20 million – as well as sanctions for the administrators involved, such as temporary disqualification, for up to ten years, from serving as an officer or director of regulated entities. In addition, companies involved in money laundering scandals might face serious reputational damage, as seen previously in Operation Car Wash – Brazil’s largest anti-corruption and AML taskforce.
Know Your Client: in practice
Brazilian authorities require obligated persons to implement and maintain customer due diligence procedures proportionate to their size and operations – in other words, a KYC program tailored to the risk of each company. The framework follows the risk-based approach recommended by the Financial Action Task Force (FATF) and adopted by Coaf and other regulators, requiring enhanced measures for higher-risk situations.
Client identification must include the collection, verification, and validation of data, including for remote transactions – which can be especially challenging. Qualification involves assessing the client’s financial capacity, determining whether they are a politically exposed person (“PEP”), and ensuring sufficient information to establish a reliable risk profile. Risk classification, in turn, must reflect categories defined in the company’s internal assessment. The recurrence of these analyses needs to be proportionate to the client’s risk classification, ensuring that higher-risk clients are subject to more frequent revalidation.
For fintechs, implementing robust KYC can be particularly challenging. Their highly digital and fast-paced operations, with restricted human and financial resources, increase exposure to clients who may attempt to conceal their identities through complex structures. For this reason, it is not uncommon for companies to outsource KYC procedures to specialized firms or outside counsel, particularly in cases involving more complex analyses where independent expertise adds value to the compliance process.
A central component is the identification of the Ultimate Beneficial Owner (“UBO”), defined as the individual who ultimately controls, influences, or benefits from a legal entity, directly or indirectly. Obligated persons must extend risk classification to administrators, partners, representatives, and proxies, and are prohibited from initiating relationships without completing the required identification and qualification procedures. This requirement is especially sensitive given the use of shell companies, front men or front companies, and other mechanisms designed to obscure the UBO and disguise unlawful activities, which significantly heightens the complexity of AML/CFT compliance for financial institutions.
Case study and conclusions
In 2025, a massive scandal was discovered involving one of Brazil’s biggest criminal organizations, which disguised billions of reais through fintechs and other financial institutions for money laundering. At the time these unlawful acts were perpetrated, certain payment institutions, including fintech companies and participants in payment arrangements, were not subject to AML/CFT regulation. Hence, the scheme remained invisible to authorities.
This criminal organization employed several strategies to conceal and disguise the UBO. This case shed light on the deficiencies in KYC procedures, which stemmed from the regulatory gaps created by IN No. 2,278. As of this regulation, one of the obligations is the submission of the e-Financeira, a digital report of high-value financial transactions that enables authorities to monitor suspicious activities more effectively.
This obligation, alongside properly designed and effectively enforced KYC policies, could have mitigated or even prevented the unlawful acts. While no compliance framework ensures absolute prevention, robust AML/CFT mechanisms significantly reduce exposure to unlawful acts and serve as a defensive mechanism against regulatory sanctions and a strategic tool for safeguarding corporate integrity and reputation.
Ultimately, the growing role of KYC in Brazil’s regulatory framework reflects a broader global trend toward heightened accountability for AML/CFT. For companies operating in this environment, compliance is no longer confined to meeting minimum legal requirements; it demands a culture of vigilance, ethical responsibility, and continuous improvement.
In this regard, entities that prioritize KYC not only mitigate legal and reputational risks but also position themselves as trusted players in a market where integrity has become a decisive competitive advantage.
Authors: Leonardo Kozloswki, Isabelly Nunes, Salim Saud.