BACEN Resolution No. 664/2025 establishing a deadline for the adaptation measures of the PSTIs has been published

The Central Bank of Brazil (Bacen) has published Normative Instruction BCB No. 664, which regulates and sets deadlines for Information Technology Service Providers (PSTIs) to comply with the rules established in BCB Resolution No. 498, of September 5, 2025.

Based on this instrument, PSTIs must:

  • Within 15 days, adapt their information security policy to include the adoption of transaction traceability mechanisms, access control, network protection, among other measures;
  • Within 30 days, implement a fraud management policy; and
  • Within 15 days, send BACEN a reasonable assurance report, prepared by an audit firm registered with the CVM, certifying full compliance with the procedures of the Normative Instruction.

The instruction also emphasizes that failure to meet these deadlines may subject the PSTI to cautionary measures, which include, among other penalties, suspension of connection to the RSFN (National Financial System Network), suspension of specific services provided by the PSTI, and restriction on contracting new clients or expanding services.

Furthermore, according to BCB Resolutions No. 498/2025 and No. 495/2025, for unauthorized payment institutions and those connecting to the National Financial System Network via Information Technology Service Providers (PSTIs), the limit for TED and Pix transfers is set at R$15,000. This limitation may be removed when the participant and its respective PSTI comply with the new security control processes. Provisionally, participants who certify the adoption of information security controls may be exempted from the limitation for up to 90 days.

By Dr. Patricia Peck (CEO and Founding Partner), Dr. Graziella Rosa (Digital Consulting Manager), and Dr. Giovanna Pieralli (Lawyer Specializing in Digital Law and Banking Regulation).
