‘Bank as a Service’ (BaaS) in Brazil has just been redefined by the Brazilian Central Bank (Bacen).
Joint Resolution No. 16, of November 28, 2025, re-establishes the BaaS model in Brazil, making it heavily regulated.
See below 7 critical points for regulated institutions providing and receiving BaaS:
1. Scope of ‘Bank as a Service’ (BaaS) in Brazil: The Joint Resolution 16 restricts BaaS to a range of financial services, which includes: (i) opening, maintaining and closing accounts (checking accounts, savings accounts, prepaid and postpaid payment accounts), (ii) payment services linked to these accounts, (iii) accreditation for accepting payment instruments, (iv) credit operations (from offer to collection) and other services that may be included in the future by the Central Bank.
The new regulation separates what is BaaS from what are other types of services, such as technological or commercial arrangements, such as cloud, correspondents and sub-accreditation.
Institutions providing and receiving BaaS should review products, flows and communication to the market so as not to define as BaaS operations that do not fall within this scope.
2. Which institutions can offer BaaS services: According to the Resolution, Brazilian financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil can offer BaaS services.
Credit cooperatives and leasing companies are excluded from providing BaaS. Service confederations constituted by central credit cooperatives and consortium administrators cannot act as BaaS providers or users of BaaS services.
3. Exclusivity regime and restriction on multiple providers: The Resolution prohibits the same BaaS contractor from simultaneously maintaining BaaS contracts with different service providers for opening, maintaining, and closing accounts of the same type (demand deposits, savings, prepaid and postpaid payment accounts, including payment services for these accounts), except when dealing with institutions from the same prudential conglomerate.
4. Governance, risk management, and due diligence on the BaaS service recipient: BaaS providers must explicitly incorporate specific criteria for BaaS provision into their policies, strategies, and risk management structures, including KYC, KYS, ALM, among others.
Before contracting and continuously, the provider must verify that the recipient entity has governance, controls, certifications, data security, technical and financial capacity compatible with the risks of the arrangement, in addition to guaranteeing access to independent reports, when available, and operational data for monitoring service quality.
BaaS providers should begin to conduct regulatory onboarding of the contracting party.
5. Drafting a well-structured Brazilian law BaaS Contract will be key for both the BaaS provider and the contracting party: The BaaS contract becomes an essential legal instrument in the BaaS relationship.
It must clearly and objectively contain: the object, responsibilities, form of remuneration, data security measures, access of the service provider to information, certifications and reports, limits on the contracting of third parties, customer service mechanisms, prohibition of subcontracting the core services of Article 4, rules of transparency to the customer, hypotheses and consequences of service termination, as well as termination clauses.
6. Centralization of responsibilities (liabilities) in the BaaS service provider: The Resolution assigns to the BaaS service provider full responsibility for the reliability, integrity, availability, security, confidentiality of services and for compliance with applicable legislation and regulations.
This scope includes KYC, risk profile analysis, fraud prevention, prevention of money laundering and terrorist financing, and compliance with credit regulations.
The onboarding of new contractors and the ongoing relationship will require strict compliance by BaaS service providers.
7. Transparency of the BaaS relationship with the end customer: In its relationship with the end customer, the BaaS provider must ensure that its identification as a provider of financial services is clear, visible, and accessible in channels, contracts, documents, and payment instruments, without preventing the borrower from also identifying itself as an offerer of other unregulated services.
At the same time, the BaaS contracting institution is obliged to explicitly inform that it is not an institution authorized by the Central Bank, when applicable.
8. Transition period for BaaS services currently underway: Institutions that already had BaaS contracts covered by the Resolution on the date it came into effect have until December 31, 2026 to fully comply, which includes contract review, policy adaptation, monitoring and control mechanisms, among others.
Joint Resolution 16 inaugurates a new phase of BaaS in Brazil, with well-defined regulatory, compliance and responsibility parameters for BaaS provider institutions, which should have a significant impact on the market.
