Cybersecurity for Startups · Compliance & Regulation

BACEN and Open Finance cybersecurity requirements for fintechs

In short

Fintechs regulated by the Central Bank of Brazil must comply with Resolution BCB No. 85/2021, which requires a formalized cybersecurity policy, an incident response plan, reporting of relevant incidents to BACEN, a designated responsible director, and compliant cloud contracts. Open Finance participants must also implement APIs with ICP-Brasil certificates, the FAPI 1.0 Advanced security profile, granular consent, and registration in the official directory of the governing body.

Decripte is a cybersecurity company serving businesses from 1 to 100,000+ employees — from MVPs to scale-ups. A full platform and services, starting with the free Threat Management plan.

Key takeaways

  • Resolution BCB No. 85/2021 requires every authorized institution to maintain a documented cybersecurity policy that is updated periodically.
  • The incident response plan must cover detection, containment, eradication, and recovery, with regular testing and reporting to BACEN within 72 hours for relevant incidents.
  • A statutory director or equivalent must be formally designated as responsible for the institution's cybersecurity policy.
  • Contracts with cloud providers (IaaS, PaaS, and SaaS) must include mandatory clauses on auditability, data location, service continuity, and BACEN access.
  • Open Finance Brasil requires FAPI 1.0 Advanced, ICP-Brasil certificates, Mutual TLS (mTLS), and registration in the participant directory maintained by the governance body.
  • BACEN's cybersecurity compliance program integrates with the LGPD (Law No. 13.709/2018) and may be complemented by PCI DSS for fintechs that process card data.

Resolution BCB No. 85/2021 and the cybersecurity policy

Resolution BCB No. 85/2021, which repealed Resolution CMN No. 4.658/2018, establishes the cybersecurity guidelines applicable to institutions authorized to operate by the Central Bank of Brazil. The regulation covers banks, payment fintechs, direct credit companies, credit unions, and other entities in the national financial system, regardless of size.

The cybersecurity policy is the central document required by the rule. It must be approved by the board of directors or by executive management, published on a channel easily accessible to employees, and reviewed at least annually. The document must cover objectives, responsibilities, classification of information assets, vulnerability-management and access-control procedures, as well as guidelines for the secure use of cloud computing.

Incident response plan and reporting to BACEN

Beyond the policy, Resolution BCB No. 85/2021 requires the institution to maintain a response and recovery plan for relevant incidents. This plan must cover the phases of preparation, identification and analysis, containment, eradication, recovery, and lessons learned, with clearly assigned roles and responsibilities. Periodic testing of the plan is mandatory, with records kept available to BACEN.

When an incident is deemed relevant — a criterion defined internally based on impact to the confidentiality, integrity, or availability of data and services — the institution has up to 72 hours to report it to the Central Bank through official channels. The report must describe the nature of the incident, the systems affected, the measures taken, and the recovery status. Failure to report in a timely manner is considered an offense punishable by administrative sanctions.

Start with visibility

See for free what has already leaked and where your startup is exposed.

Decripte's free Threat Management plan maps vulnerabilities, monitors threats and shows leaked credentials — no credit card and no security team required.

Start free now

Responsible director and contracting cloud services

The rule requires the formal designation of a director responsible for the cybersecurity policy. In smaller institutions, the same director may hold additional roles, but the assignment must be recorded in the minutes and reported to BACEN through the system for registering responsible officers. This professional answers to the regulator for compliance with the obligations set out in the resolution.

For contracting cloud processing and storage services, Resolution BCB No. 85/2021 imposes mandatory contractual requirements: the provider must allow auditing by the institution and by BACEN, disclose the geographic location of the data and backups, guarantee service continuity in the event of contract termination, and ensure that data will be returned or destroyed at the end of the relationship. Foreign providers must meet the same requirements, and the institution remains fully responsible for compliance.

Security in Open Finance Brasil: FAPI, mTLS, and the participant directory

Open Finance Brasil is regulated by the Central Bank through specific rules and technical documentation maintained by the governing body. The APIs of participating institutions must follow the FAPI 1.0 Advanced (Financial-grade API) security profile, an extension of OAuth 2.0 designed for high-risk environments. FAPI requires the use of Pushed Authorization Requests (PAR), signed JWTs for all authorization objects, and binding between the access token and the client certificate (mTLS Token Binding).

Each participant must hold certificates issued by a Certificate Authority accredited by ICP-Brasil for mutual authentication (mTLS) in calls between institutions. In addition to transport certificates, signing certificates are mandatory for sensitive operations. Registration in the participant directory — maintained by the governance body of Open Finance Brasil — is a prerequisite for any operation in the ecosystem. The directory stores authentication metadata, authorized scopes, and Software Statements, which are cryptographically verifiable artifacts that identify each registered application.

Consent in Open Finance is granular, revocable at any time, and time-limited. The data-receiving institution must collect explicit consent for each set of data accessed, store the record of it, and ensure that the data is deleted or anonymized after the consent ends. These requirements overlap with LGPD obligations (Law No. 13.709/2018), which requires a legal basis for all processing of personal data, the implementation of technical and administrative security measures, and notification to the National Data Protection Authority (ANPD) in the event of an incident posing relevant risk to data subjects.

Fintechs that process, store, or transmit payment card data are also subject to PCI DSS (Payment Card Industry Data Security Standard). The standard defines 12 technical and operational requirements, including segmented network controls, encryption of data at rest and in transit, vulnerability management, and annual penetration testing. PCI DSS compliance is complementary to BACEN's program and can be verified by an accredited Qualified Security Assessor (QSA).

How Decripte implements the cybersecurity compliance program for fintechs

Decripte delivers the cybersecurity program required by the Central Bank and by Open Finance for fintechs of all sizes — from initial registration with BACEN to operations with more than 100,000 employees. The service includes drafting a cybersecurity policy aligned with Resolution BCB No. 85/2021, structuring the incident response plan with documented testing, supporting the designation and training of the responsible director, and reviewing cloud-provider contracts.

Within Open Finance, Decripte supports alignment with the FAPI 1.0 Advanced profile, the participant-directory registration process, and the implementation of mTLS and ICP-Brasil certificate management. Decripte's own 24x7 SOC monitors client fintechs' environments in real time, with incident detection and response (IR) integrated into the plan required by BACEN. To start at no cost, a fintech can activate the free threat-management plan and assess its current level of adherence before scaling up to the full regulatory-compliance plans.

Practical checklist

  1. 1

    1. Draft the cybersecurity policy

    Document the objectives, scope, responsibilities, asset classification, access controls, and cloud guidelines. Submit it for executive approval, record it in the minutes, and publish it internally. Schedule an annual review with auditable evidence.

  2. 2

    2. Designate the responsible director

    Formally appoint a statutory director or equivalent as responsible for the cybersecurity policy. Register the assignment in the Central Bank's system for responsible officers and train the professional on the requirements of Resolution BCB No. 85/2021.

  3. 3

    3. Structure the incident response plan

    Create the plan covering preparation, identification, containment, eradication, recovery, and lessons learned. Define the criteria for a relevant incident, the reporting flow to BACEN within 72 hours, and run at least one documented test per year.

  4. 4

    4. Review contracts with cloud providers

    Verify that contracts with IaaS, PaaS, and SaaS providers include clauses on auditability, data location, continuity, and the return or destruction of data at termination. Require compliance from providers that do not meet the rule's requirements.

  5. 5

    5. Implement FAPI 1.0 Advanced and ICP-Brasil certificates

    To participate in Open Finance Brasil, configure the APIs with the FAPI 1.0 Advanced profile — PAR, JAR, and mTLS Token Binding. Obtain transport and signing certificates issued by an accredited ICP-Brasil Certificate Authority.

  6. 6

    6. Register in the Open Finance participant directory

    Access the governing body's portal, create the organization, register the applications, and generate the required Software Statements. Keep the metadata up to date and monitor certificate revocations to avoid interruptions in calls between institutions.

  7. 7

    7. Integrate LGPD, PCI DSS, and continuous monitoring

    Map the legal bases for data processing under the LGPD, implement ANPD notification for relevant incidents, and, where applicable, carry out a PCI DSS compliance assessment. Connect all controls to a SOC with 24x7 monitoring for real-time detection and response.

Frequently asked questions

Which fintechs are subject to Resolution BCB No. 85/2021?

All institutions authorized by the Central Bank to operate in Brazil are subject to the rule, including credit fintechs (SCD and SEP), payment institutions (IP), digital banks, and credit unions. The regulator makes no distinction by size for the obligation to have a cybersecurity policy and an incident response plan, although it does allow proportionality in the complexity of the controls.

What defines a relevant incident that must be reported to BACEN?

The institution itself defines the relevance criteria in its cybersecurity policy, but BACEN advises considering the impact on the availability of essential services, the exposure of customer data, the compromise of critical systems, and the potential for contagion to other institutions. Once classified as relevant, the incident must be reported to the Central Bank within 72 hours through official channels.

What is FAPI and why is it mandatory in Open Finance Brasil?

FAPI (Financial-grade API) is an OAuth 2.0 security profile developed by the OpenID Foundation for high-risk financial APIs. Open Finance Brasil adopts FAPI 1.0 Advanced because it requires mutual authentication (mTLS), binding of the token to the client certificate, authorization with signed objects (JAR/PAR), and protection against replay attacks and PKCE bypass. This significantly raises the security of data exchanges between financial institutions.

Do BACEN's requirements replace the LGPD, or are they independent?

They are complementary and independent. The LGPD applies to any organization that processes personal data in Brazil, whereas Resolution BCB No. 85/2021 is sector-specific and deals specifically with cybersecurity in financial institutions. A fintech must comply with both rules simultaneously. In practice, technical controls such as encryption, access control, and incident management partially satisfy both, but the legal obligations — such as notification to the ANPD and to BACEN — are distinct and must be managed separately.

Does a fintech need to obtain an external certification, such as SOC 2 or ISO 27001, to meet BACEN requirements?

Resolution BCB No. 85/2021 does not require specific external certifications such as SOC 2 or ISO 27001. However, these certifications are widely recognized by the market and can serve as robust evidence of compliance during regulatory supervision and audits. Fintechs that process card data also need PCI DSS, which is a mandatory certification imposed by the card networks, not by BACEN.

How does Decripte support fintechs during the BACEN licensing phase?

Decripte engages from the licensing phase, supporting the drafting of the cybersecurity policy and the incident response plan required as mandatory documents in the Central Bank's authorization process. The team also supports the designation of the responsible director, the review of cloud contracts, and, for fintechs planning to join Open Finance, technical alignment with FAPI and the participant directory. Decripte's free plan lets you begin the adherence assessment at no cost.

Security for startups and fintechs

From the first round to enterprise: Decripte grows with you.

A full platform and services: threat management, 24x7 SOC, incident response, pentest and compliance (LGPD, ISO, BACEN). Start free and see what has already leaked from your business.