Joint Resolution No. 16/2025 – Banking as a Service Regulation Enters into Force
Joint Resolution No. 16, dated November 28, 2025 and published in the Federal Official Gazette on December 1, 2025 (“RC 16”), issued jointly by the Central Bank of Brazil (“BCB”) and the National Monetary Council (“CMN”), constitutes a comprehensive regulatory milestone for the provision of Banking as a Service (“BaaS”) by financial institutions, payment institutions and other entities authorized to operate by the BCB (referred to in RC 16 as BaaS service providers). The regulation is introduced at a time of significant expansion of business models based on technological integration between regulated institutions and companies seeking to offer financial and payment services to their users, strengthening legal certainty and standardizing market practices.
RC 16 reflects the enhancements discussed during the Public Consultation Notice (“ECP”) No. 108/2024, whose comment period was subsequently extended by ECP No. 115/2025. The draft text initially submitted for discussion presented a more principles-based regulatory framework than its final version, which is more objective and operational.
The new regulation consolidates definitions and establishes the scope of services that may be provided under the BaaS model, including the opening, maintenance and closing of transactional accounts, payment services, merchant acquiring for acceptance of payment instruments and credit operations. The regulation also defines what does not qualify as BaaS, such as, for example, correspondent services in Brazil, cloud computing, integrations within the scope of Open Finance and the activities carried out by sub-acquirers and network service providers, as set forth in the regulations governing payment schemes within the Brazilian Payment System. In doing so, it curtails broad interpretations that had been adopted by the market.
In the contractual sphere, RC 16 introduces detailed rules governing the relationship between the BaaS service provider and the entity contracting BaaS services. The agreement must set out the roles and responsibilities of each party, information security mechanisms, remuneration conditions, rules for data sharing, customer service procedures and specific obligations related to transparency. The regulation reinforces that the contracting entity may not act on behalf of the regulated institution and must always clearly indicate to customers the nature of its role.
RC 16 also substantially strengthens governance and risk management requirements. Service provider institutions must incorporate BaaS into their internal policies, ensuring that the onboarding of BaaS clients is subject to an assessment of their technical, financial and operational capacity, as well as an analysis of security controls, fraud prevention and compliance with anti–money laundering and counter–terrorist financing rules. The contracting entity, in turn, must demonstrate its capacity to provide adequate information for monitoring, maintain security standards and make reports and certifications available whenever required.
The resolution further prohibits entering into BaaS service contracts with contracting entities that use, in their name, terms that characterize institutions belonging to the National Financial System or the Brazilian Payment System or similar expressions, in any language (e.g., “bank”), except where the BaaS contracting entity is itself an institution authorized to operate by the BCB.
The responsibility of the BaaS service provider remains fundamental: it is responsible for ensuring regulatory compliance, confidentiality, integrity, reliability and security of the services provided, as well as for maintaining timely customer service to end clients, even if it may use the contracting entity as operational support for ancillary tasks related to procedures and controls that fall within the remit of the BaaS service provider, such as customer service.
From a practical standpoint, the new regulation will require significant adjustments by financial institutions, payment institutions, fintechs and digital platforms. Any existing contractual relationships whose subject matter encompasses the services identified in RC 16 must be reviewed to ensure compliance with the new requirements by December 31, 2026.
It is also worth noting the requirement to appoint an officer responsible for ensuring compliance with RC 16. This officer may accumulate such role with other existing functions, provided there is no conflict of interest.
Given that the regulation takes effect as from its official publication date, i.e., December 1, 2025, institutions and companies involved in BaaS arrangements are advised to review their contracts, map affected processes, assess governance and security requirements and update customer service and communication procedures, in order to minimize operational and regulatory risks and preserve service continuity and compliance before the BCB.
