A Joint Resolution No. 6 of May 2023 brings the requirements that financial institutions, payment institutions and other institutions authorized to operate by the Central Bank of Brazil, must observe for sharing data and information, among themselves, in cases where there are indications of fraud, as of November 1, 2023.
The purpose of this sharing is precisely to enable these institutions to have subsidies in their procedures and controls to prevent fraud, bringing important implications regarding the need to comply, not only with the regulations of the Central Bank, but also with the provisions of Law No. 13,709/2018, the General Law of Personal Data Protection - LGPD, and may involve adjustments in processes related to information security.
Data sharing must meet some requirements, as detailed in the Resolution. In short, it is necessary that the registration and consultation of data and information of the evidence of occurrence or attempted fraud be done in a secure electronic system and that allows the modification and exclusion of data by the institutions. The register must contain information such as identification of the person who would have carried out or tried to carry out the fraud, description of the evidence of occurrence or attempted fraud, identification of the recipient account data and its holder, in cases of transfer or payment of funds, and identification of the institution responsible for the register. The massive adoption of interoperable systems between companies raises concerns about system security and reliability, which cannot be underestimated.
It is important to point out that the resolution presupposes that these institutions previously collect the consent of their clients, observing the strict purpose of sharing for fraud evidence purposes and requiring the provision in a prominent clause in the contract with the clients. This provision dialogues with the LGPD, which regulates differently the situations in which consent is required, and needs to be implemented with caution.
The institutions must also leave at the disposal of the Central Bank, for ten years, the shared information and documentation with the criteria and procedures for the identification of evidence of fraud, as well as, for five years, the data, records and information relating to the application of monitoring and control mechanisms.
Our specialized teams are available to assist institutions in complying with this Resolution.