2026 will be the year in which financial and payment institutions, and other institutions authorized by the Brazilian Central Bank (Bacen) must update their contracts and governance structure related to services characterized as ‘Banking as a Service’ – BaaS.
The Brazilian Joint Resolution No. 16 set December 31, 2026 as the deadline for authorized institutions that provide or contract BaaS services to comply with the new regulation.
See below 7 critical points for regulated institutions providing and receiving BaaS:
1. Scope of ‘Banking as a Service’ (BaaS) in Brazil: The Joint Resolution No. 16 established a definitive list of financial and payment services classified as BaaS, which includes: (i) opening, maintaining, and closing accounts (checking deposits, savings accounts, prepaid and postpaid payment accounts), (ii) payment services linked to these accounts, (iii) accreditation for accepting payment instruments, (iv) credit operations (from offer to collection), and other services that may be included in the future by the Central Bank.
The new regulation separates BaaS from other types of services, such as technological or commercial arrangements, such as cloud, correspondents and sub-accreditation.
2. Which institutions can offer BaaS services: According to the Resolution, Brazilian financial institutions, payment institutions, and other institutions authorized to operate by the Brazilian Central Bank can offer BaaS services.
Credit cooperatives and leasing companies are excluded from providing BaaS services. Service confederations constituted by central credit cooperatives and consortium administrators cannot act as BaaS providers or users of BaaS services.
3. Exclusivity regime and other prohibitions: The formalization of a BaaS contract is prohibited in the following cases (i) in which the contracting entity acts on behalf of the authorized provider institution in making BaaS services available, just as banking correspondents do; (ii) with a user entity that has a BaaS contract in force with another provider institution for the provision of account opening, maintenance and closing services (checking deposits, savings accounts, prepaid and postpaid payment accounts, including payment services for these accounts) – except if such entity is an authorized institution; (iii) with a contracting entity that uses, in its corporate name or trade name, terms characteristic of the nomenclature of institutions auhtorized by the Brazilian Central Bank, without being one.
4. Governance, risk management and liabilities: The Resolution assigns to the BaaS provider the responsibility for the reliability, integrity, availability, security, confidentiality of services and for compliance with applicable legislation and regulations. This scope includes KYC, risk profile analysis, fraud prevention, prevention of money laundering and terrorist financing.
The effectiveness of regulatory compliance must be evaluated through processes, tests and audit trails, appropriate metrics and indicators, and correction of any deficiencies. Such mechanisms must be tested at least annually by the internal audit of the authorized institution.
Furthermore, the authorized institution acting as both a provider and a user of BaaS services must designate a director responsible for compliance with the provisions of Joint Resolution No. 16.
5. BaaS Contract Requirements: The BaaS contract becomes an essential legal instrument in the BaaS relationship.
It must clearly and objectively contain: the object, responsibilities, form of remuneration, data security measures, access of the service provider to information, certifications and reports, limits on contracting third parties, customer service mechanisms, prohibition of subcontracting the core services of Article 4, rules of transparency to the customer, hypotheses and consequences of service termination, as well as termination clauses.
6. Consequences of non-compliance with the Resolution: In case of non-compliance with the new regulation, the Central Bank may (i) veto or impose restrictions on the contracting of BaaS services, as well as limit operations, establishing a deadline for the adaptation of said services and corresponding contracts; and (ii) determine the suspension or termination of the BaaS contract, in cases that affect the security and soundness of the National Financial System and the Brazilian Payment System.
7. Transition period for BaaS services currently underway: Institutions that already had BaaS contracts covered by the Resolution on the date it came into effect (November 28, 2025) have until December 31, 2026 to fully comply, which includes mapping existing contracts, contract review, policy adaptation, monitoring and control mechanisms, among others.
The development of a well-structured BaaS contract will be key for both the provider and the contracting institution, and is a relevant to-do list for 2026.
