Brazilian Fintech Compliance Skill

About This Skill

This skill provides comprehensive guidance for Brazilian financial regulatory compliance, covering LGPD data protection, BCB regulations, PIX/Boleto standards, and security patterns required for fintech applications in Brazil.

When to Use This Skill

Use this skill when:

• Implementing LGPD (Lei Geral de Proteção de Dados) compliance
• Designing PIX instant payment systems following BCB standards
• Creating Boleto payment workflows with proper regulations
• Setting up data protection and privacy controls
• Implementing Brazilian financial security patterns
• Validating compliance with BCB (Banco Central do Brasil) requirements
• Creating audit trails for financial operations
• Designing user consent management systems

Key Compliance Areas

🛡️ LGPD (Lei Geral de Proteção de Dados)

Core Principles

• Lawfulness, Fairness, and Transparency: Process data lawfully and transparently
• Purpose Limitation: Collect data for specified, explicit, and legitimate purposes
• Data Minimization: Collect only necessary data for intended purposes
• Accuracy: Maintain accurate and up-to-date personal data
• Storage Limitation: Retain data only as long as necessary
• Integrity and Confidentiality: Ensure appropriate security of personal data
• Accountability: Demonstrate compliance with LGPD principles

Implementation Requirements

interface LGPDCompliance {
  // Data subject rights implementation
  userRights: {
    access: boolean;        // Right to access personal data
    correction: boolean;    // Right to correct inaccurate data
    deletion: boolean;      // Right to erasure ("right to be forgotten")
    portability: boolean;   // Right to data portability
    information: boolean;   // Right to information about data processing
    objection: boolean;     // Right to object to processing
  };
  
  // Legal bases for processing
  legalBases: [
    'consent',              // Explicit consent
    'contract',             // Contract necessity
    'legal_obligation',     // Legal requirement
    'vital_interests',      // Protection of vital interests
    'public_interest',      // Public interest tasks
    'legitimate_interests'  // Legitimate interests
  ];
  
  // Data protection measures
  protectionMeasures: {
    encryption: 'AES-256',
    anonymization: 'automatic_after_retention',
    access_control: 'role_based_with_audit',
    breach_notification: '72_hours'
  };
}

🏦 BCB (Banco Central do Brasil) Regulations

PIX System Requirements

• Follow BCB Circular No 4.015 for PIX implementation
• Implement end-to-end encryption for all transactions
• Maintain transaction logging for 5 years minimum
• Ensure 24/7 availability with 99.9% uptime
• Implement fraud detection and prevention mechanisms
• Provide user support for dispute resolution

Open Banking Compliance

• Follow BCB Circular No 4.842 for Open Banking
• Implement API security with OAuth 2.0 and TLS 1.3
• Provide data sharing with user consent
• Maintain API documentation and version control
• Implement rate limiting and abuse protection
• Ensure service level agreements (SLAs) compliance

💳 PIX Payment Standards

Technical Requirements

interface PIXStandards {
  transactionLimits: {
    instant: {
      maximum: 1000,        // R$ 1.000 per transaction
      daily: 10000,        // R$ 10.000 per day
      monthly: 100000      // R$ 100.000 per month
    };
    scheduled: {
      maximum: 50000,      // R$ 50.000 per scheduled transaction
      advanceScheduling: 60  // Maximum 60 days in advance
    };
  };
  
  responseTimes: {
    processing: '2_seconds_maximum',
    confirmation: 'real_time',
    settlement: 'end_of_day'
  };
  
  securityMeasures: {
    multiFactorAuth: 'required_for_high_value',
    transactionLimits: 'user_configurable',
    fraudDetection: 'real_time_monitoring',
    encryption: 'end_to_end'
  };
}

Key Validation Requirements

• PIX Key Format Validation: CPF, CNPJ, email, phone, or random key
• Recipient Verification: Validate recipient identity before transfer
• Transaction Limits: Enforce individual and daily limits
• Fraud Prevention: Implement behavioral analysis and anomaly detection
• Reversal Handling: Support for limited transaction reversals within 24 hours

🧾 Boleto Payment Standards

Boleto Registration Requirements

interface BoletoStandards {
  registration: {
    bankCode: '3_digit_febraban_code',
    currency: '980_for_real',
    dueDateCalculation: 'business_days_only',
    barcodeGeneration: 'modulo11_validation'
  };
  
  validation: {
    barcode: '44_digits_with_verification',
    lineCode: '47_digits_with_verification',
    amountValidation: 'decimal_precision_2',
    dueDate: 'minimum_2_business_days'
  };
  
  processing: {
    registration: 'same_day_cutoff',
    payment: 'real_time_confirmation',
    settlement: 'd_1_business_day'
  };
}

🔒 Security Implementation Patterns

Data Protection Architecture

const securityImplementation = {
  encryption: {
    atRest: {
      algorithm: 'AES-256-GCM',
      keyManagement: 'hardware_security_module',
      rotationPolicy: '90_days'
    },
    inTransit: {
      protocol: 'TLS 1.3',
      certificateValidation: 'strict',
      perfectForwardSecrecy: true
    }
  },
  
  authentication: {
    methods: ['biometric', 'multi_factor', 'device_trust'],
    sessionManagement: 'short_lived_with_refresh',
    passwordPolicies: 'complex_with_regular_expiration'
  },
  
  authorization: {
    principle: 'least_privilege_access',
    rbac: 'role_based_with_context',
    auditLogging: 'comprehensive_with_tamper_protection'
  }
};

Compliance Validation Framework

Automated Compliance Checks

LGPD Compliance Checklist

• Consent Management: Explicit consent collection and recording
• Data Mapping: Complete inventory of personal data processing
• Rights Implementation: All 7 LGPD rights accessible to users
• Data Minimization: Only necessary data collected and processed
• Retention Policies: Data retention schedules defined and automated
• Security Measures: Appropriate technical and organizational measures
• Breach Response: Incident response plan with 72-hour notification
• DPO Appointment: Data Protection Officer designated and contactable

BCB Compliance Checklist

• PIX Implementation: Following BCB Circular No 4.015
• Transaction Limits: Appropriate limits configured and enforced
• Fraud Prevention: Detection systems implemented and monitored
• Availability Requirements: 99.9% uptime with proper monitoring
• Record Keeping: 5-year transaction history maintenance
• User Support: Dispute resolution mechanisms available
• API Documentation: Complete and up-to-date API specifications
• Security Audits: Regular security assessments and penetration testing

Testing Compliance Implementation

Unit Testing for Compliance

describe('LGPD Compliance Tests', () => {
  test('user consent is properly recorded', async () => {
    const consentData = {
      userId: 'user-123',
      purpose: 'payment_processing',
      granted: true,
      timestamp: new Date(),
      ipAddress: '192.168.1.1'
    };
    
    const result = await recordConsent(consentData);
    
    expect(result).toMatchObject({
      consentId: expect.any(String),
      recorded: true
    });
    
    // Verify audit log entry
    const auditLog = await getConsentAuditLog(result.consentId);
    expect(auditLog).toContain('Consent recorded for payment processing');
  });
  
  test('data anonymization after retention period', async () => {
    const expiredData = await getExpiredUserData();
    const anonymizedData = await anonymizeUserData(expiredData);
    
    expect(anonymizedData.name).toBe('Usuário Anonimizado');
    expect(anonymizedData.cpf).toBe('***.***.***-**');
    expect(anonymizedData.email).toMatch(/^[a-z]{2}\*\*\*@.*$/);
  });
});

Integration Testing for PIX

describe('PIX Compliance Tests', () => {
  test('PIX transaction within daily limits', async () => {
    const userData = await getUserDailyTotals('user-123');
    const newTransaction = { amount: 5000 }; // R$ 5.000
    
    const dailyLimit = 10000; // R$ 10.000
    const currentTotal = userData.dailyTotal;
    
    expect(currentTotal + newTransaction.amount).toBeLessThanOrEqual(dailyLimit);
  });
  
  test('fraud detection triggers on suspicious patterns', async () => {
    const suspiciousTransaction = {
      amount: 999.99,
      recipient: 'new_user',
      timeOfDay: '02:30',
      deviceLocation: 'unusual_location'
    };
    
    const fraudScore = await calculateFraudScore(suspiciousTransaction);
    expect(fraudScore).toBeGreaterThan(0.7); // High risk threshold
  });
});

Quick Reference

Essential LGPD Terms

• Dado Pessoal: Personal data (any information related to an identified or identifiable person)
• Dado Sensível: Sensitive personal data (health, religion, political opinions, biometrics)
• Titular: Data subject (person to whom the personal data refers)
• Controlador: Controller (person who makes decisions about personal data processing)
• Encarregado: DPO (Data Protection Officer)

PIX Key Formats

• CPF: 123.456.789-09
• CNPJ: 12.345.678/0001-90
• Email: user@domain.com
• Telefone: (11) 98765-4321
• Chave Aleatória: 123e4567-e89b-12d3-a456-426614174000

BCB Regulatory References

• Circular No 4.015: PIX system regulations
• Circular No 4.842: Open Banking regulations
• Resolution No 4.827: Security requirements for payment institutions
• Normative Instruction No 101: Financial data security standards

References

For detailed implementation patterns and examples, see:

• references/lgpd-implementation.md - Complete LGPD implementation guide
• references/pix-standards.md - PIX technical specifications
• references/boleto-processing.md - Boleto implementation patterns
• examples/compliance-tests.md - Compliance testing examples
• scripts/compliance-validator.py - Automated compliance validation

---

Built for Brazilian fintech compliance with enterprise-grade security and regulatory adherence. 🇧🇷🛡️