Crypto KYC in Brazil: Navigating the Virtual Asset Framework in Latin America's Largest Market

The Regulatory Framework

Marco Legal das Criptomoedas

Law 14.478/2022, commonly known as the Marco Legal, established the legal basis for regulating virtual assets in Brazil. The law defines virtual assets, creates a licensing framework for VASPs, establishes consumer protection requirements, and designates the BCB as the primary regulatory authority.

The Marco Legal takes a risk-based approach. VASPs are categorized by their service type and transaction volume, with regulatory obligations scaled accordingly. All VASPs must register with the BCB and maintain compliance with AML/CFT obligations, but the specific requirements vary based on the risk profile of the services offered.

Banco Central Supervision

The BCB assumed supervisory responsibility for VASPs in June 2023 and has been progressively implementing regulatory requirements. The BCB's approach mirrors its supervision of traditional financial institutions: licensing requirements, capital adequacy rules, operational standards, and ongoing reporting obligations.

For KYC specifically, the BCB requires VASPs to comply with the same customer due diligence standards that apply to banks and payment institutions under the Brazilian AML framework (Law 9.613/1998 and BCB Circular 3.978/2020). This means full identity verification at onboarding, ongoing monitoring, and suspicious transaction reporting.

CVM (Securities Commission) Overlap

For digital assets that qualify as securities under Brazilian law, the Comissão de Valores Mobiliários (CVM) maintains concurrent jurisdiction. Token offerings, investment fund tokens, and security tokens must comply with CVM registration requirements in addition to BCB VASP regulations. Platforms handling these assets face dual compliance obligations.

Identity Documents in Brazil

CPF (Cadastro de Pessoas Físicas)

The CPF is Brazil's individual taxpayer registration number, administered by the Receita Federal (Federal Revenue Service). It is the single most important identity artifact for financial services in Brazil — equivalent in importance to the SSN in the United States, but more widely used in daily life.

Every Brazilian citizen and resident must have a CPF, and it is required for virtually all financial transactions including opening bank accounts, making investments, and purchasing property. For crypto platforms, CPF verification is the foundational identity check. The Receita Federal provides API access for CPF validation, confirming that the number is valid, active, and matches the provided name.

However, CPF verification alone is not sufficient for KYC compliance. A CPF confirms that a tax registration exists — it does not verify the identity of the person presenting it. CPF numbers are widely available through data breaches, and fraudsters routinely use stolen CPFs to create accounts. Full identity verification requires CPF validation combined with document authentication and biometric matching.

RG (Registro Geral)

The RG is Brazil's general identity card, issued by state-level public security secretariats (Secretarias de Segurança Pública). Unlike the CPF (which is federal and standardized), the RG varies by issuing state — different states use different formats, different security features, and different numbering systems.

This creates a significant verification challenge. A platform must recognize and authenticate RG documents from all 26 states plus the Federal District, each with their own design, security features, and format variations. Additionally, RGs have been issued across multiple design generations, meaning that older cards from the same state may look substantially different from current versions.

Brazil is in the process of transitioning to a new unified national identity document (Carteira de Identidade Nacional — CIN), which uses the CPF as the unique identifier. The CIN standardizes the format nationally and includes modern security features. However, the transition is gradual, and platforms must continue accepting legacy RG documents during the migration period.

CNH (Carteira Nacional de Habilitação)

The CNH is Brazil's national driver's license and is widely accepted as identity documentation. It includes the holder's CPF, photo, and signature, making it a convenient single document for identity verification. The CNH format is nationally standardized (unlike the RG), which simplifies verification.

Passport

Brazilian passports follow ICAO standards and include NFC chips with biometric data. For platforms serving Brazilian users abroad or processing international transactions, passport verification provides the highest-assurance identity check available.

KYC Requirements for Brazilian VASPs

Onboarding Requirements

Under the BCB framework, VASPs must verify the identity of all customers before enabling account functionality. The minimum onboarding requirements include full legal name (matching CPF registration), CPF number (validated against Receita Federal), date of birth, residential address, and government-issued photo identification (RG, CIN, CNH, or passport).

For individual customers, a risk-based approach determines the depth of verification. Low-risk customers (low transaction volumes, domestic transactions only) may be onboarded with basic CPF validation and document capture. Higher-risk customers (high transaction volumes, international transfers, institutional accounts) require enhanced due diligence including source of funds documentation and additional identity cross-checks.

Enhanced Due Diligence

Enhanced due diligence applies to customers classified as higher risk: politically exposed persons (PEPs), customers with transactions above defined thresholds, customers from higher-risk jurisdictions, and customers whose activity patterns suggest elevated risk.

Enhanced measures include source of funds and source of wealth documentation, additional identity verification steps (such as in-person or video verification), more frequent ongoing monitoring, and senior management approval for the customer relationship.

Ongoing Monitoring

VASPs must maintain continuous monitoring of customer transactions and update customer information on a risk-based schedule. Transaction monitoring must detect unusual patterns, structuring (breaking large transactions into smaller ones to avoid reporting thresholds), and activity inconsistent with the customer's stated profile.

Suspicious Transaction Reports (Comunicações de Operações Suspeitas — COS) must be filed with COAF (Conselho de Controle de Atividades Financeiras), Brazil's financial intelligence unit, within 24 hours of detection.

The Digital ECA and Age Verification

Brazil's Estatuto Digital da Criança e do Adolescente (Digital ECA), which took effect on March 17, 2026, introduced mandatory age verification for digital platforms interacting with children and adolescents. While primarily targeting social media and content platforms, the Digital ECA has implications for crypto platforms that must ensure users meet minimum age requirements.

The Digital ECA mandates biometric age verification — one of the most prescriptive approaches globally. Platforms must implement technology capable of confirming a user's age through biometric analysis rather than relying on self-declaration. For crypto platforms, this means the onboarding verification flow must include age confirmation as a mandatory step.

Expanding Across Latin America

Colombia

Colombia's Superintendencia Financiera regulates crypto exchanges through a regulatory sandbox framework. VASPs must register and comply with AML/CFT requirements under Law 1762 of 2015. The cédula de ciudadanía (national identity card) is the primary verification document. Colombia's approach is more permissive than Brazil's but is tightening as transaction volumes grow.

Argentina

Argentina's Comisión Nacional de Valores (CNV) oversees crypto exchanges under the Fintech Law. The DNI (Documento Nacional de Identidad) is the primary identity document. Argentina's volatile economic environment drives high crypto adoption, but the regulatory framework is still maturing relative to Brazil.

Mexico

Mexico's Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) establishes a licensing framework for crypto platforms through the CNBV (Comisión Nacional Bancaria y de Valores). The CURP (Clave Única de Registro de Población) and INE voter ID are the primary verification documents. Mexico has one of the more developed regulatory frameworks in the region, with clear KYC and AML obligations.

The Cross-Border Challenge

Platforms operating across multiple Latin American markets face a fragmented compliance environment. Each country has its own regulatory authority, its own document types, its own reporting obligations, and its own enforcement posture. A platform that is compliant in Brazil may not be compliant in Colombia, and the documents accepted in Mexico differ from those accepted in Argentina.

This fragmentation creates demand for verification infrastructure that handles the full range of Latin American identity documents — CPF, RG, CIN, CNH in Brazil; cédula in Colombia; DNI in Argentina; CURP and INE in Mexico — through a single integration. Platforms that build separate verification integrations for each country accumulate technical debt and operational complexity that compounds as they expand.