The Central Bank of Brazil ("Bacen") and the National Monetary Council ("CMN") published, on November 28, 2025, Joint Resolution No. 16 ("Joint Resolution No. 16"), establishing the regulatory framework for the provision of services under Banking as a Service ("BaaS") arrangements by financial institutions, payment institutions, and other institutions authorized to operate by Bacen. The new rule is the result of Public Consultation Notice No. 108/2024, published in October 2024, which submitted to market participants the proposal to regulate partnership models in the BaaS modality.
Under these arrangements, non-financial entities, through agreements with institutions authorized to operate by Bacen, may offer financial and payment services to their clients.
These partnerships gained relevance in recent years with the development of Direct Credit Companies (Sociedades de Crédito Direto), Peer-to-Peer Lending Companies (Sociedades de Empréstimo Entre Pessoas), and payment institutions that, although subject to Bacen's regulation and supervision, were subject to more flexible operating requirements compared to those applicable to traditional financial institutions. Nevertheless, beyond fintechs and payment institutions, this new industry also includes the participation of banks, credit, financing, and investment companies, and other traditional financial institutions, many of which have BaaS as their primary business model.
BaaS arrangements developed from the regulatory framework for payment agent services (correspondente no país), which underwent a minor reform in 2021 to contemplate the offering of financial services through fully digital channels, resulting in CMN Resolution No. 4,935, dated July 29, 2021 (in force since February 2022) ("Resolution No. 4,935").
As the market matured, Bacen deemed it necessary to establish specific rules for BaaS, shifting part of what had been structured under the payment agent framework to a dedicated regime, guided by security principles, with a more explicit separation of the roles and responsibilities of the parties.
Prior to publishing Joint Resolution No. 16, dated November 28, 2025, Bacen issued Public Consultation Notice No. 108/2024, which was the subject of a specific advisory published by FreitasLeite and is accessible via this link, aimed at gathering contributions on the definition of BaaS, the scope of the services involved, the minimum content of agreements, risk management and governance mechanisms, and client relationship duties.
Among the main points established by Joint Resolution No. 16, we highlight the following:
DEFINITION OF THE SCOPE OF BAAS SERVICES
The Resolution established a specific list of transactions that may form the scope of a BaaS service agreement, exhaustively[1] defining which services may be offered under this model. In this context, the rule provides that a BaaS agreement must cover, exclusively, one or more of the following services: opening, maintenance, and closure of demand deposit accounts, savings accounts, and prepaid or postpaid payment accounts; the provision of payment services carried out through such accounts; the provision of credentialing services for the acceptance of payment instruments within payment arrangements; and the provision of credit transaction services (in market parlance, bankarization), including origination, contracting, administration, and collection.
The rule expressly excluded the following services from BaaS: (a) payment agent services (correspondente no país), (b) data processing and storage and cloud computing, and partnerships within the scope of Open Finance; and (c) activities performed by sub-acquirers (subadquirentes) and payment network service providers.
Furthermore, services related to the foreign exchange market, for example, are not covered by the modalities currently permitted under Joint Resolution No. 16, it being noted that Bacen may include new services eligible for BaaS through the publication of specific acts (subject to the excluded services indicated in the paragraph above).
INDEPENDENT OPERATION OF THE PARTIES, WITHOUT AN AGENCY RELATIONSHIP
Unlike the framework of Resolution No. 4,935, which establishes that the payment agent acts on behalf of and under the guidelines of the contracting institution, under the framework of Joint Resolution No. 16, each party acts in its own name in the context of the provision of BaaS services, with no agency relationship. This does not, however, eliminate the duty of the BaaS service provider to monitor compliance with the obligations assumed by the service taker.
Under this model, the legal relationship for the provision of the financial and payment services set forth in the Resolution is established between the client and the BaaS service provider, with the service taker acting as intermediary in making such services available to the client, as well as providing the client with any other services not covered by the rule as BaaS services. Accordingly, the client maintains a contractual relationship with the provider for financial and payment services, and with the service taker for the other services offered by the latter.
PROVISION OF BAAS SERVICES EXCLUSIVELY THROUGH ELECTRONIC CHANNELS
The services covered by the BaaS agreement must be provided solely through electronic channels, by means of systems integration, platforms, APIs, and other tools established between the BaaS service provider and the service taker.
PROHIBITION ON POOLED ACCOUNTS, CONTRACTING OF MULTIPLE PROVIDERS, AND USE OF REGULATED INSTITUTION NOMENCLATURE
The rule (a) prohibits the use of "pooled account" (contas-bolsão) structures in the provision of payment services within the BaaS framework, requiring that transactions originate from or be directed to individualized accounts held in the name of end clients; (b) prohibits a single service taker from entering into BaaS agreements for the opening and maintenance of the same type of account with more than one service provider, except where the BaaS service provider and service taker belong to the same prudential conglomerate; and (c) generally prohibits the service taker from using the nomenclature of institutions of the Brazilian National Financial System (Sistema Financeiro Nacional), such as "bank," "banco," "payment institution," or "payment methods" (meios de pagamento).
The service taker is also prohibited from conducting payment transactions, receipts, and deposits in its own account of amounts related to services provided by the service provider to clients, reinforcing the requirement that financial flows pass exclusively through the clients' individualized accounts held with the provider.
MINIMUM CONTENT OF BAAS AGREEMENTS
The rule sets out the minimum conditions to be provided for in a BaaS service agreement, including the subject matter of the agreement (from among the eligible services listed above), the responsibilities of the parties, the form of remuneration, the stipulation of security measures for the receipt and storage of data and information (including client data), the possibility for the service provider to adopt measures pursuant to Bacen's determinations, the prohibition on the service taker charging, in its own name, any remuneration for the products and services offered by the service provider, and the prohibition on subcontracting of BaaS services by the service taker.
The prohibition on subcontracting represents an important departure from the payment agent (correspondente bancário) framework (which had hitherto been used in BaaS arrangements), which permits the sub-delegation of the agreement at a single level, subject to the provisions of the applicable Resolution.
Among the responsibilities of the parties to be included in the BaaS service agreement is the duty to inform clients about portability procedures, with the prohibition of impeding portability as a result of credit origination via BaaS, and the possibility of assignment of credit transactions by the BaaS provider, providing clarity on the terms of the assignment and access to the contact information of the new creditor and any relationship that may be maintained with the BaaS service provider following the assignment (e.g., collection and renegotiation).
RESPONSIBILITIES OF THE SERVICE PROVIDER
The service provider remains fully responsible for the reliability, integrity, availability, security, and confidentiality of the services provided, as well as for compliance with all applicable legislation and regulations. The service provider is also responsible for defining the policies, procedures, and controls related to client identification and qualification and risk profile analysis, fraud prevention mechanisms, and anti-money laundering rules, and may rely on operational support from the service taker to carry out ancillary tasks relating to the procedures described above, without, however, being relieved of its own regulatory responsibility.
Furthermore, the service provider must ensure that the client has access to the information necessary to identify the service provider, and must ensure the quality and timeliness of the data transmitted to the service taker, and must charge the same fees permitted under applicable regulations in respect of services offered under the BaaS framework.
RESTRICTIONS ON INSTITUTIONAL PARTICIPATION IN BAAS ARRANGEMENTS
Joint Resolution No. 16 prohibits credit cooperatives and leasing companies (sociedades de arrendamento mercantil) from acting as BaaS service providers. There is no prohibition, however, on such institutions acting as service takers.
Service confederations formed by central credit cooperatives and consortium administrators, in turn, may not act either as BaaS service providers or as service takers, which in practice prevents them from participating in BaaS arrangements.
ADAPTATION PERIOD FOR THE NEW RULES
The new rules are in force as of their publication date, it being noted that institutions authorized to operate by Bacen that have existing agreements for the provision of services covered by the new rules will have until December 31, 2026 to comply with the new standards.
Joint Resolution No. 16 may be accessed via this link.
For further information, please contact the Capital Markets team at FreitasLeite Advogados.
[1] In addition to defining this list of services, the Resolution expressly provides that the list may be expanded in the future, conferring upon the Central Bank the authority to detail the scope of BaaS transactions and to include new services within its regulatory purview, by means of a specific act, in accordance with technological and market developments.
