Brazil's Central Bank is evaluating limits on financial institutions with cybersecurity weaknesses in the Pix system. Preventive measures could include restrictions on hours, values or bans on new keys. The move follows attacks that caused resource diversions in 2025.
The monetary authority seeks to adjust rules to allow preventive sanctions by the supervision area. Current penalty processes are viewed as bureaucratic and slow, according to consulted technicians.
The Central Bank sent a questionnaire with over 400 questions to regulated institutions to assess risks and information technology controls. Responses will help identify who may receive precautionary measures.
In 2025, diversions via Pix and TED totaled about R$ 1.5 billion. The largest case involved C&M Software in June that year, with R$ 813 million diverted. After the incident, the BC imposed a R$ 15,000 limit on operations of institutions connected through PSTIs.