Brazilian Fintech Compliance Skill
About This Skill
This skill provides comprehensive guidance for Brazilian financial regulatory compliance, covering LGPD data protection, BCB regulations, PIX/Boleto standards, and security patterns required for fintech applications in Brazil.
When to Use This Skill
Use this skill when:
- Implementing LGPD (Lei Geral de Proteção de Dados) compliance
- Designing PIX instant payment systems following BCB standards
- Creating Boleto payment workflows with proper regulations
- Setting up data protection and privacy controls
- Implementing Brazilian financial security patterns
- Validating compliance with BCB (Banco Central do Brasil) requirements
- Creating audit trails for financial operations
- Designing user consent management systems
Key Compliance Areas
🛡️ LGPD (Lei Geral de Proteção de Dados)
Core Principles
The LGPD (Article 6) states ten principles: finalidade, adequação, necessidade, livre acesso, qualidade dos dados, transparência, segurança, prevenção, não discriminação, and responsabilização e prestação de contas. Grouped the way most engineering teams work with them:
- Purpose Limitation (finalidade, adequação): process data for specified, explicit and legitimate purposes, and only in ways compatible with them
- Data Minimization (necessidade): collect and keep only what those purposes require
- Transparency and Free Access (transparência, livre acesso): tell data subjects clearly what is processed and give them easy, free access to it
- Accuracy (qualidade dos dados): keep personal data accurate, clear, relevant and up to date
- Storage Limitation: retain data only as long as the purpose or a legal obligation requires; Article 15 ties the end of processing to the end of the purpose
- Integrity and Confidentiality (segurança, prevenção): protect data against unauthorized access and against accidental or unlawful destruction, loss, alteration or disclosure, and adopt measures that prevent harm before it occurs
- Non-Discrimination (não discriminação): never process data for unlawful or abusive discriminatory purposes
- Accountability (responsabilização e prestação de contas): be able to demonstrate effective compliance with all of the above
Implementation Requirements
```typescript
interface LGPDCompliance {
  // Data subject rights (LGPD Article 18)
  userRights: {
    access: boolean;       // Right to confirm that processing occurs and to access the data
    correction: boolean;   // Right to correct incomplete, inaccurate or outdated data
    deletion: boolean;     // Right to anonymization, blocking or deletion of unnecessary data, and deletion of consent-based data
    portability: boolean;  // Right to data portability
    information: boolean;  // Right to information about the processing and about the entities the data is shared with
    objection: boolean;    // Right to revoke consent and to object to processing that breaches the law
  };
  // Legal bases for processing (a subset: LGPD Article 7 lists ten bases,
  // including credit protection and protection of health)
  legalBases: [
    'consent',               // Explicit consent
    'contract',              // Performance of a contract with the data subject
    'legal_obligation',      // Legal or regulatory obligation of the controller
    'vital_interests',       // Protection of life or physical safety
    'public_interest',       // Public-policy tasks of the public administration
    'legitimate_interests'   // Legitimate interests of the controller or a third party
  ];
  // Data protection measures
  protectionMeasures: {
    encryption: 'AES-256',
    anonymization: 'automatic_after_retention',
    access_control: 'role_based_with_audit',
    // LGPD Article 48 requires notice to the ANPD and to affected data subjects within a
    // "reasonable period" fixed by ANPD regulation; the 72-hour figure is the GDPR's, not the LGPD's
    breach_notification: 'anpd_defined_period'
  };
}
```
🏦 BCB (Banco Central do Brasil) Regulations
PIX System Requirements
- Follow BCB Circular No 4.015 for PIX implementation
- Protect every transaction end to end: mutually authenticated TLS on the SPI and DICT connections and signed messages, in addition to encryption at rest
- Maintain transaction logging for 5 years minimum
- Ensure 24/7 availability with 99.9% uptime
- Implement fraud detection and prevention mechanisms
- Provide user support for dispute resolution
Open Banking Compliance
- Follow BCB Circular No 4.842 for Open Banking
- Implement API security with OAuth 2.0 and TLS 1.3; Open Finance Brasil follows the FAPI security profile, so plan for mutual TLS and signed requests rather than plain bearer-token OAuth
- Share data only under explicit, scoped and revocable user consent
- Maintain API documentation and version control
- Implement rate limiting and abuse protection
- Ensure service level agreement (SLA) compliance
💳 PIX Payment Standards
Technical Requirements
```typescript
interface PIXStandards {
  // Illustrative values. The BCB does not fix universal caps: each participant sets
  // limits under BCB rules, must let the user adjust them, and applies a reduced
  // default limit to night-time transfers.
  transactionLimits: {
    instant: {
      maximum: 1000,    // R$ 1.000 per transaction
      daily: 10000,     // R$ 10.000 per day
      monthly: 100000   // R$ 100.000 per month
    };
    scheduled: {
      maximum: 50000,         // R$ 50.000 per scheduled transaction
      advanceScheduling: 60   // Maximum 60 days in advance
    };
  };
  responseTimes: {
    processing: '2_seconds_maximum',
    confirmation: 'real_time',
    // PIX settles between participants in real time in the SPI (Sistema de Pagamentos
    // Instantâneos); there is no end-of-day batch
    settlement: 'real_time_in_spi'
  };
  securityMeasures: {
    multiFactorAuth: 'required_for_high_value',
    transactionLimits: 'user_configurable',
    fraudDetection: 'real_time_monitoring',
    encryption: 'end_to_end'
  };
}
```
Key Validation Requirements
- PIX Key Format Validation: CPF, CNPJ, e-mail, phone (E.164 with +55) or random key (EVP, a UUID); check CPF/CNPJ check digits before registering or addressing a key
- Recipient Verification: resolve the key in the DICT and show the payer the recipient's name and masked CPF/CNPJ before confirmation
- Transaction Limits: enforce per-transaction and daily limits, honouring the user's own settings and the night-time reduction
- Fraud Prevention: implement behavioral analysis and anomaly detection
- Reversal Handling: a completed PIX is irrevocable; support the return (devolução) flow initiated by the recipient and the Mecanismo Especial de Devolução (MED) for fraud and operational-failure cases, rather than assuming a 24-hour reversal window
🧾 Boleto Payment Standards
Boleto Registration Requirements
```typescript
interface BoletoStandards {
  registration: {
    bankCode: '3_digit_compe_code',   // FEBRABAN/COMPE bank code, barcode positions 1-3
    // Barcode position 4 is a one-digit currency code and 9 means Real; 980 is not
    // Brazil's code (BRL's ISO 4217 numeric code is 986, and it is not used in the barcode)
    currency: '9_for_real',
    dueDateCalculation: 'business_days_only',
    barcodeGeneration: 'modulo11_validation'  // general check digit at position 5
  };
  validation: {
    barcode: '44_digits_with_verification',
    lineCode: '47_digits_with_verification',  // linha digitável: three mod-10 field DVs plus the barcode's mod-11 DV
    amountValidation: 'decimal_precision_2',
    dueDate: 'minimum_2_business_days'
  };
  processing: {
    registration: 'same_day_cutoff',
    payment: 'real_time_confirmation',
    settlement: 'd_1_business_day'
  };
}
```
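As an added worked example (not the project's own code), the following TypeScript builds the 44-digit barcode and the 47-digit linha digitável for a bank boleto and validates them, implementing the FEBRABAN mod-11 and mod-10 check digits and the fator de vencimento named above. The bank code, amount and 25-digit campo livre are constructed sample values; the campo livre layout is bank-specific and is treated here as opaque digits.

```typescript
// Added example: FEBRABAN boleto barcode (44 digits) and linha digitável (47 digits).
// Layout of the barcode: bank(3) currency(1) DV(1) dueFactor(4) amountCents(10) freeField(25).

function mod10(block: string): number {
  // Weights 2,1,2,1,... from the right; a product >= 10 has its digits summed (same as -9).
  let sum = 0;
  for (let i = block.length - 1, w = 2; i >= 0; i--, w = w === 2 ? 1 : 2) {
    let p = Number(block[i]) * w;
    if (p >= 10) p -= 9;
    sum += p;
  }
  return (10 - (sum % 10)) % 10;
}

function mod11(block: string): number {
  // Weights 2..9 cycling from the right; a result of 0, 10 or 11 is replaced by 1.
  let sum = 0;
  for (let i = block.length - 1, w = 2; i >= 0; i--, w = w === 9 ? 2 : w + 1) {
    sum += Number(block[i]) * w;
  }
  const dv = 11 - (sum % 11);
  return dv === 0 || dv === 10 || dv === 11 ? 1 : dv;
}

// Fator de vencimento: days since 1997-10-07. FEBRABAN restarted the count at 1000 on
// 2025-02-22 (the day after factor 9999), so values wrap inside the 1000..9999 range.
function dueFactor(dueDate: Date): number {
  const base = Date.UTC(1997, 9, 7);
  const day = Date.UTC(dueDate.getUTCFullYear(), dueDate.getUTCMonth(), dueDate.getUTCDate());
  const days = Math.round((day - base) / 86_400_000);
  return days < 10000 ? days : ((days - 1000) % 9000) + 1000;
}

interface BoletoFields {
  bankCode: string;     // 3-digit COMPE code (constructed sample: '341')
  dueDate: Date;
  amountCents: number;  // value in centavos, at most 10 digits
  freeField: string;    // 25-digit campo livre, bank-specific, treated as opaque here
}

function buildBarcode(f: BoletoFields): string {
  if (!/^\d{3}$/.test(f.bankCode) || !/^\d{25}$/.test(f.freeField)) throw new Error('bad field length');
  if (!Number.isInteger(f.amountCents) || f.amountCents < 0 || f.amountCents > 9_999_999_999) throw new Error('bad amount');
  // 43 digits without the general DV; currency code 9 = Real
  const body = f.bankCode + '9' + String(dueFactor(f.dueDate)).padStart(4, '0')
    + String(f.amountCents).padStart(10, '0') + f.freeField;
  return body.slice(0, 4) + mod11(body) + body.slice(4);
}

function validateBarcode(barcode: string): boolean {
  if (!/^\d{44}$/.test(barcode)) return false;
  return mod11(barcode.slice(0, 4) + barcode.slice(5)) === Number(barcode[4]);
}

// Field 1: bank+currency+freeField[0:5]+DV; field 2: freeField[5:15]+DV; field 3: freeField[15:25]+DV;
// field 4: the barcode's general DV; field 5: dueFactor+amount.
function barcodeToLinha(barcode: string): string {
  if (!validateBarcode(barcode)) throw new Error('invalid barcode');
  const f1 = barcode.slice(0, 4) + barcode.slice(19, 24);
  const f2 = barcode.slice(24, 34);
  const f3 = barcode.slice(34, 44);
  return `${f1}${mod10(f1)}${f2}${mod10(f2)}${f3}${mod10(f3)}${barcode[4]}${barcode.slice(5, 19)}`;
}

// Human-readable form: AAABC.CCCCX DDDDD.DDDDDY FFFFF.FFFFFZ K UUUUVVVVVVVVVV
function formatLinha(l: string): string {
  if (!/^\d{47}$/.test(l)) throw new Error('invalid linha');
  return `${l.slice(0, 5)}.${l.slice(5, 10)} ${l.slice(10, 15)}.${l.slice(15, 21)} `
    + `${l.slice(21, 26)}.${l.slice(26, 32)} ${l[32]} ${l.slice(33)}`;
}
```

The sample below (bank 341, R$ 150,00, due 2000-07-03, which is factor 1000) deliberately lands on the mod-11 special case: the weighted sum is divisible by 11, so the general DV is forced to 1. A payer-side validator must recompute both the mod-11 digit and the three mod-10 digits before trusting a scanned or typed linha; a single wrong digit in the amount or campo livre changes at least one of them.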
🔒 Security Implementation Patterns
Data Protection Architecture
typescript
```typescript
const securityImplementation = {
  encryption: {
    atRest: {
      algorithm: 'AES-256-GCM',
      keyManagement: 'hardware_security_module',
      rotationPolicy: '90_days'
    },
    inTransit: {
      protocol: 'TLS 1.3',
      certificateValidation: 'strict',   // full chain and hostname validation; pin first-party back-ends
      perfectForwardSecrecy: true
    }
  },
  authentication: {
    methods: ['biometric', 'multi_factor', 'device_trust'],
    sessionManagement: 'short_lived_with_refresh',
    // Forced periodic password expiration is no longer recommended (NIST SP 800-63B):
    // require length, screen against breached-password lists, rotate on compromise
    passwordPolicies: 'strong_with_breach_screening'
  },
  authorization: {
    principle: 'least_privilege_access',
    rbac: 'role_based_with_context',
    auditLogging: 'comprehensive_with_tamper_protection'
  }
};
```
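The `auditLogging: 'comprehensive_with_tamper_protection'` setting above names a property without showing how to obtain it. As an added example that is not the project's code, the following TypeScript keeps a hash-chained, append-only audit log: each entry's SHA-256 commits to the previous entry's hash, so altering, reordering or deleting a record is detected by re-walking the chain. The entry fields and the sample records are constructed for illustration.

```typescript
// Added example: tamper-evident audit log for financial operations (hash chain over SHA-256).
import { createHash } from 'node:crypto';

interface AuditEntry {
  seq: number;
  at: string;          // ISO-8601 UTC timestamp
  actor: string;       // who performed the action (service or operator id)
  action: string;      // e.g. 'pix.transfer', 'consent.record'
  subject: string;     // affected resource or data subject; use a pseudonymous id, never a raw CPF
  details: Record<string, string | number>;
  prevHash: string;    // hash of the previous entry, or the genesis value for the first one
  hash: string;        // SHA-256 over the canonical form of all fields above
}

function entryHash(e: Omit<AuditEntry, 'hash'>): string {
  // Canonical JSON with a fixed key order, so the hash does not depend on insertion order.
  const canonical = JSON.stringify({
    seq: e.seq, at: e.at, actor: e.actor, action: e.action, subject: e.subject,
    details: Object.fromEntries(Object.entries(e.details).sort()), prevHash: e.prevHash,
  });
  return createHash('sha256').update(canonical).digest('hex');
}

class AuditLog {
  private static readonly GENESIS = '0'.repeat(64);
  private readonly entries: AuditEntry[] = [];

  append(actor: string, action: string, subject: string,
         details: Record<string, string | number>, at: string = new Date().toISOString()): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const partial = { seq: this.entries.length, at, actor, action, subject, details,
                      prevHash: prev ? prev.hash : AuditLog.GENESIS };
    const entry: AuditEntry = { ...partial, hash: entryHash(partial) };
    this.entries.push(entry);
    return entry;
  }

  // Latest hash; publish or anchor it outside the writer's control to make truncation detectable.
  headHash(): string {
    return this.entries.length ? this.entries[this.entries.length - 1].hash : AuditLog.GENESIS;
  }

  // Deep copy, as an auditor would receive the records from storage.
  snapshot(): AuditEntry[] {
    return this.entries.map(e => ({ ...e, details: { ...e.details } }));
  }

  // Returns the index of the first entry that fails, -1 when the chain is intact.
  // With expectedHead, a chain that is valid but shorter than the anchored head fails at entries.length.
  static verify(entries: AuditEntry[], expectedHead?: string): number {
    let prevHash = AuditLog.GENESIS;
    for (let i = 0; i < entries.length; i++) {
      const { hash, ...rest } = entries[i];
      if (rest.seq !== i || rest.prevHash !== prevHash || entryHash(rest) !== hash) return i;
      prevHash = hash;
    }
    if (expectedHead !== undefined && prevHash !== expectedHead) return entries.length;
    return -1;
  }
}
```

A chain only proves that the records you hold are internally consistent: whoever can rewrite the whole file can rebuild every hash. Detecting that, and detecting silent truncation of the tail, requires anchoring the head hash where the log writer cannot change it (a WORM bucket, an HSM-signed checkpoint, or a separate logging service), which is what the `expectedHead` argument models.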
Compliance Validation Framework
Automated Compliance Checks
LGPD Compliance Checklist
- Consent Management: Explicit consent collection and recording, with revocation as easy as granting
- Data Mapping: Complete inventory of personal data processing
- Rights Implementation: All LGPD Article 18 rights accessible to users
- Data Minimization: Only necessary data collected and processed
- Retention Policies: Data retention schedules defined and automated
- Security Measures: Appropriate technical and organizational measures
- Breach Response: Incident response plan with notification to the ANPD and affected data subjects within the ANPD-defined period (LGPD Article 48)
- DPO Appointment: Data Protection Officer (encarregado) designated, with contact details published
BCB Compliance Checklist
- PIX Implementation: Following BCB Circular No 4.015
- Transaction Limits: Appropriate limits configured and enforced
- Fraud Prevention: Detection systems implemented and monitored
- Availability Requirements: 99.9% uptime with proper monitoring
- Record Keeping: 5-year transaction history maintenance
- User Support: Dispute resolution mechanisms available
- API Documentation: Complete and up-to-date API specifications
- Security Audits: Regular security assessments and penetration testing
Testing Compliance Implementation
Unit Testing for Compliance
```typescript
// recordConsent, getConsentAuditLog, getExpiredUserData and anonymizeUserData are the
// application functions under test; describe/test/expect are Jest globals.
describe('LGPD Compliance Tests', () => {
  test('user consent is properly recorded', async () => {
    const consentData = {
      userId: 'user-123',
      purpose: 'payment_processing',
      granted: true,
      timestamp: new Date(),
      ipAddress: '192.168.1.1'
    };
    const result = await recordConsent(consentData);
    expect(result).toMatchObject({
      consentId: expect.any(String),
      recorded: true
    });
    // Verify audit log entry
    const auditLog = await getConsentAuditLog(result.consentId);
    expect(auditLog).toContain('Consent recorded for payment processing');
  });

  test('data anonymization after retention period', async () => {
    const expiredData = await getExpiredUserData();
    const anonymizedData = await anonymizeUserData(expiredData);
    // Masked strings are what the UI may still display. The stored CPF and e-mail must be
    // deleted or irreversibly anonymized; a masked copy of still-present data is not anonymization
    expect(anonymizedData.name).toBe('Usuário Anonimizado');
    expect(anonymizedData.cpf).toBe('***.***.***-**');
    expect(anonymizedData.email).toMatch(/^[a-z]{2}\*\*\*@.*$/);
  });
});
```
Integration Testing for PIX
```typescript
// getUserDailyTotals and calculateFraudScore are the application functions under test.
describe('PIX Compliance Tests', () => {
  test('PIX transaction within daily limits', async () => {
    // Checks the arithmetic against the configured limit; the enforcement path
    // (rejecting the transfer that would exceed it) needs its own test.
    const userData = await getUserDailyTotals('user-123');
    const newTransaction = { amount: 5000 }; // R$ 5.000
    const dailyLimit = 10000;                // R$ 10.000
    const currentTotal = userData.dailyTotal;
    expect(currentTotal + newTransaction.amount).toBeLessThanOrEqual(dailyLimit);
  });

  test('fraud detection triggers on suspicious patterns', async () => {
    const suspiciousTransaction = {
      amount: 999.99,          // just under a round limit
      recipient: 'new_user',   // key never paid before
      timeOfDay: '02:30',      // night-time window
      deviceLocation: 'unusual_location'
    };
    const fraudScore = await calculateFraudScore(suspiciousTransaction);
    expect(fraudScore).toBeGreaterThan(0.7); // High risk threshold
  });
});
```
Quick Reference
Essential LGPD Terms
- Dado Pessoal: Personal data (any information related to an identified or identifiable person)
- Dado Sensível: Sensitive personal data (racial or ethnic origin, religion, political opinion, union membership, health, sex life, genetic or biometric data)
- Titular: Data subject (person to whom the personal data refers)
- Controlador: Controller (person or entity that makes decisions about personal data processing)
- Encarregado: DPO (Data Protection Officer)
PIX Key Formats
- CPF: 123.456.789-09 (valid check digits)
- CNPJ: 12.345.678/0001-95 (valid check digits; the often-quoted 12.345.678/0001-90 fails the mod-11 check)
- Email: user@domain.com
- Telefone: (11) 98765-4321, stored in the DICT as +5511987654321
- Chave Aleatória (EVP): 123e4567-e89b-12d3-a456-426614174000
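The Key Validation Requirements under PIX Payment Standards and the PIX Key Formats above describe the five key types without showing the validation. The following TypeScript is an added example, not the project's code: it classifies a raw key string, validates CPF and CNPJ check digits with the standard mod-11 algorithm, rejects repeated-digit CPFs that would otherwise pass, and normalizes each key to the form stored in the DICT (digits only, lowercase e-mail, E.164 phone with +55). Treating bare 11 digits as a CPF rather than a phone is an assumption made here; the DICT avoids the ambiguity by requiring phone keys in +55 form.

```typescript
// Added example: classify and validate a PIX key (CPF, CNPJ, e-mail, phone, EVP).

type PixKeyType = 'CPF' | 'CNPJ' | 'EMAIL' | 'PHONE' | 'EVP';

interface PixKey {
  type: PixKeyType;
  normalized: string; // canonical form: digits only, lowercase e-mail, +55 phone, lowercase UUID
}

const onlyDigits = (s: string): string => s.replace(/\D/g, '');

// Mod-11 check digit shared by CPF and CNPJ: remainder < 2 gives 0, otherwise 11 - remainder.
function mod11Digit(digits: number[], weights: number[]): number {
  const sum = digits.reduce((acc, d, i) => acc + d * weights[i], 0);
  const rem = sum % 11;
  return rem < 2 ? 0 : 11 - rem;
}

function isValidCpf(cpf: string): boolean {
  // Sequences such as 111.111.111-11 satisfy the arithmetic but are not issued CPFs.
  if (!/^\d{11}$/.test(cpf) || /^(\d)\1{10}$/.test(cpf)) return false;
  const d = cpf.split('').map(Number);
  const w1 = [10, 9, 8, 7, 6, 5, 4, 3, 2];  // weights for the first check digit
  const w2 = [11, ...w1];                   // weights for the second (includes the first DV)
  return mod11Digit(d.slice(0, 9), w1) === d[9] && mod11Digit(d.slice(0, 10), w2) === d[10];
}

function isValidCnpj(cnpj: string): boolean {
  if (!/^\d{14}$/.test(cnpj) || /^(\d)\1{13}$/.test(cnpj)) return false;
  const d = cnpj.split('').map(Number);
  const w1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2];
  const w2 = [6, ...w1];
  return mod11Digit(d.slice(0, 12), w1) === d[12] && mod11Digit(d.slice(0, 13), w2) === d[13];
}

function classifyPixKey(raw: string): PixKey | null {
  const input = raw.trim();
  if (input.includes('@')) {
    const email = input.toLowerCase();
    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) ? { type: 'EMAIL', normalized: email } : null;
  }
  // EVP (chave aleatória) is a UUID issued by the DICT.
  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(input)) {
    return { type: 'EVP', normalized: input.toLowerCase() };
  }
  // Phone: a leading '+' or national "(DD)" formatting marks it; bare 11 digits are taken as a CPF
  // (assumption of this example; the DICT itself only accepts phones in +55 form).
  if (input.startsWith('+') || input.startsWith('(')) {
    const digits = input.startsWith('+') ? onlyDigits(input) : '55' + onlyDigits(input);
    const phone = '+' + digits;                       // +55 DD [9] NNNNNNNN
    return /^\+55\d{2}9?\d{8}$/.test(phone) ? { type: 'PHONE', normalized: phone } : null;
  }
  const digits = onlyDigits(input);
  if (digits.length === 11 && isValidCpf(digits)) return { type: 'CPF', normalized: digits };
  if (digits.length === 14 && isValidCnpj(digits)) return { type: 'CNPJ', normalized: digits };
  return null;
}
```

Run the classifier on every key before it reaches the DICT or a payment initiation call: a key that fails here should be rejected with a user-facing error, never "repaired" by guessing a check digit, and the normalized form is what you log (pseudonymized) and compare against the DICT response during recipient verification.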
BCB Regulatory References
- Circular No 4.015: PIX system regulations
- Circular No 4.842: Open Banking regulations
- Resolution No 4.827: Security requirements for payment institutions
- Normative Instruction No 101: Financial data security standards
References
For detailed implementation patterns and examples, see:
- references/lgpd-implementation.md - Complete LGPD implementation guide
- references/pix-standards.md - PIX technical specifications
- references/boleto-processing.md - Boleto implementation patterns
- examples/compliance-tests.md - Compliance testing examples
- scripts/compliance-validator.py - Automated compliance validation
Built for Brazilian fintech compliance with enterprise-grade security and regulatory adherence. 🇧🇷🛡️