Brazil's VASP 2026: What Stablecoin Payment and Remittance Operators Need to Prepare for Custody
Phoebe Duong
Author
Brazil's central bank rolled out new rules for its $318.8 billion crypto market in February 2026, with a final deadline on October 30, 2026. This is the largest crypto market in Latin America, where stablecoins already make up around 90% of total volume, according to Chainalysis.
After that deadline, any BCB-licensed institution will no longer be allowed to work with unlicensed VASPs.
Quick takeaways (TL;DR)
- Stablecoins make up 90% of Brazil's crypto volume.
- After October 30, 2026, no authorization means no transactions with licensed banks or payment firms.
- Custody architecture is a key area where many operators are underprepared , fix it in the next 60 days, not six months.
You have six months to ensure your custody, data infrastructure, and corporate structure are ready for authorization.
Who This Actually Affects
Before going further, here is a precise breakdown of which operators are in scope and why the regulation matters for each profile.
| Company Profile | Why This Is Urgent |
|---|---|
| Cross-border payment platform serving Brazilian users | Stablecoin transfers treated as FX operations under Resolution 521; requires authorization or a licensed local partner |
| LATAM remittance operator (e.g. Philippines-Brazil, Mexico-Brazil corridors) | $100K cap on transfers with unauthorized counterparties; PIX connectivity at risk after October 30 |
| Stablecoin issuer or distributor with Brazilian user base | Must disclose stablecoin selection methodology; subject to custody and segregation requirements |
| Foreign crypto platform currently serving Brazilian users | Must transfer activities to a locally authorized entity by October 30 or cease operations |
| Fintech building on crypto rails for B2B settlement | Your licensed Brazilian partners cannot continue working with you after the deadline if you are not in the authorization process |
At scale, this is really about institutional flows.
Brazil’s crypto market is already driven by stablecoins (USDT, USDC), powering large-value payments, remittances, and B2B settlement across LATAM and beyond.
If you are incorporated outside Brazil but processing flows that touch Brazilian users or counterparties, you are still in scope. Both the BCB framework and Brazil's data protection law (LGPD) apply based on who your users are, not where you are headquartered.
The Regulatory Foundation in Plain Terms
Three BCB resolutions, published November 10, 2025 and effective February 2, 2026, created Brazil's first formal authorization regime for virtual asset service providers, called SPSAVs (Sociedades Prestadoras de Serviços de Ativos Virtuais).
To put it simply, VASP is the general term for crypto businesses (like exchanges or wallets), while SPSAV is the license required to legally operate in Brazil. In other words, every SPSAV is a VASP, but not every VASP is allowed to operate unless it passes the BCB’s authorization process.
- Resolution 519 sets out the authorization process, documentation requirements, suitability criteria for directors, and minimum capital thresholds.
- Resolution 520 establishes operational standards covering governance, risk management, cybersecurity, and segregation of client assets, as well as AML and counter-terrorism financing obligations.
- Resolution 521 integrates virtual asset transactions into Brazil's foreign exchange framework, defining conditions for cross-border transfers.
For stablecoin operators, Resolution 521 changes your operational reality most directly. If your product moves USDT, USDC, or any fiat-pegged stablecoin across Brazil's border, you are now inside the FX regulatory perimeter, not outside it.
Cross-border transaction limits apply: virtual asset services may be offered in the foreign exchange market up to the equivalent of USD 500,000 for banks and authorized financial institutions, and USD 100,000 for standard VASPs.
Beginning October 30, 2026, financial institutions and payment institutions supervised by the BCB are prohibited from conducting or facilitating any virtual asset operations with counterparties that provide VASP services without BCB authorization. This ban covers intermediation, custody, FX involving virtual assets, payment accounts, and payment transactions.
What the BCB Requires for Custody
Custody is where most operators are underprepared. The BCB does not treat it as an operational preference. It is a first-class regulatory obligation with structural requirements that touch your key management, audit posture, and vendor relationships simultaneously.
The First Decision: Custodian or Intermediary?
The framework creates two tiers. Your choice between them determines your capital requirement, your technical build, and your timeline.
The comparison in detail:
If you hold private keys on behalf of users, even temporarily during settlement, the BCB will treat you as a custodian VASP regardless of how your product is described.
Asset Segregation: Technical, Not Just Accounting
Resolution 520 requires segregation of client assets from firm assets, robust cybersecurity standards, and policies to mitigate conflicts of interest. This is not a balance sheet entry. Firms must validate full separation between client and firm assets at both the technical and operational levels.
For a stablecoin payments operator, the on-chain wallets holding end-user funds cannot co-mingle with your operational treasury. This separation must be demonstrable in your authorization filing, not just described in a policy document.
Key Management Architecture
The BCB does not prescribe specific cryptographic standards, but cybersecurity controls, continuity plans, identity management, and incident response procedures are explicit regulatory requirements, reflecting the scale of recent global crypto hacks and targeted attacks on the PIX ecosystem.
In practice, a software-only key management setup with no threshold controls is unlikely to pass BCB scrutiny. Hardware-backed custody, whether through hardware security modules (HSMs) or MPC-based key management where private keys never exist in full on any single device, satisfies both the security requirements and the auditability requirements at the same time.
Proof-of-Reserves and Audit Trails
Resolution 520 requires proof-of-reserves mechanisms and independent audits. For BCB purposes, proof-of-reserves is a regulatory obligation, not a voluntary marketing exercise. Your custody infrastructure must generate this data on-demand for supervisory purposes. Firms must prepare audit logs and reporting packages for monthly disclosures and the biannual independent audit cycle.
Travel Rule and Know-Your-Wallet (KYW)
Brazil's Travel Rule applies with zero threshold. The Travel Rule applies to all virtual asset transfers regardless of amount. The originator institution must transmit identifying information about both the originator and the beneficiary.
Beyond VASP-to-VASP transfers, the framework also covers self-custody wallets. Institutions must identify who controls any self-hosted wallet involved in a transaction, extending KYC practices into Know-Your-Wallet (KYW) and ensuring transparency even when assets move out of a custodial environment.
The LGPD Layer: Where Data Meets Custody
The BCB framework and Brazil's General Data Protection Law (LGPD) are separate compliance obligations, but they converge on the same infrastructure decisions. Many operators treat them as separate workstreams. That is a mistake that costs time and forces redesign.
The LGPD applies to any processing operation regardless of where the company is headquartered or where the data is stored, provided that the processing is carried out in Brazil, the purpose is to offer goods or services to individuals in Brazil, or the personal data was collected in Brazil.
The three intersection points in practice:
KYC and transaction records. Every KYC document, wallet address, and Travel Rule data packet associated with a Brazilian user is personal data under LGPD. The data you generate to comply with BCB requirements is simultaneously data you must manage under LGPD, with retention limits, access controls, and breach notification obligations applying at the same time.
Cross-border data flows. If your infrastructure stores data outside Brazil, you need a lawful transfer mechanism. Brazil entered 2026 with a mutual adequacy decision with the EU, bringing legal certainty for businesses operating across both jurisdictions. For operators on US or Singapore infrastructure, standard contractual clauses or equivalent mechanisms are required.
Know-Your-Wallet data. The wallet-address-to-identity mapping your KYW process generates is personal data. Where it is stored, how long it is retained, and who can access it are LGPD questions, not just compliance checkbox items.
The practical implication: where your keys live, where your transaction logs live, and where your KYC data lives must all be defensible under both frameworks at the same time. These cannot be separate design decisions.
What Minimum Viable Compliance Looks Like
This is the floor for a credible BCB authorization filing.
Corporate structure. Foreign platforms must transfer activities to a locally authorized VASP within the 270-day transition period. For most operators, this means incorporating a Brazilian subsidiary and running the authorization process for that entity. Management must reside in Brazil and meet fit-and-proper criteria. The BCB assesses appointed directors individually, so budget time for this process.
Capital. Minimum capital requirements reach up to R$37.2 million for full custodian authorization. If this makes the custodian VASP model uneconomical at your current stage, the intermediary model, where you partner with an already-authorized custodian, may be the faster and more practical path to market.
Custody infrastructure. At minimum: segregated on-chain wallets (technically demonstrable, not just documented), HSM or MPC-backed key management, proof-of-reserves capability, and tamper-evident audit logs for monthly disclosures and biannual audits.
Compliance program. An AML program equivalent to a Brazilian payment institution: transaction monitoring, suspicious activity reporting to COAF (Brazil's financial intelligence unit), sanctions screening, documented risk procedures, and a fully operational Travel Rule and KYW implementation.
The Broader Risk: It Is Not Just Your License
Operators often frame this as their own license problem. If they do not file, they simply do not operate in Brazil. The exposure is broader than that.
Beginning October 30, 2026, financial institutions and payment institutions supervised by the BCB are prohibited from facilitating virtual asset operations with counterparties providing VASP services without BCB authorization. This ban covers intermediation, custody, FX involving virtual assets, payment accounts, and payment transactions.
Your Brazilian banking and payment partners face legal liability for continuing to work with you after October 30 if you are not in the authorization process. Their compliance teams will ask about your status well before the deadline. Six months is not actually six months once you account for your partners' own review cycles.
How Fystack Solves the Custody Problem
The custody architecture requirements under BCB Resolutions 519-521, specifically asset segregation, MPC or HSM-backed key management, audit trails, and proof-of-reserves, describe a set of infrastructure problems with a clear solution profile. Fystack is built to address them directly.
The problem operators face. Stablecoin payment and remittance operators need custody infrastructure that satisfies BCB's technical requirements without handing control of their keys to a third-party custodian. Delegating key custody to an external party introduces its own regulatory and operational risk: you are accountable for that vendor's behavior under Resolution 520, but you have limited visibility into their operations.
What Fystack provides, mapped to the BCB requirements:
| BCB requirement | What Fystack delivers |
|---|---|
| Key management security (no single point of failure) | Self-hosted MPC: private keys never exist in full on any single device or server; signing requires distributed key shares within your own infrastructure |
| Asset segregation at the technical level | Client fund wallets and operational wallets are separated at the key-management layer, not just at the accounting layer |
| Audit-ready transaction logs | Tamper-evident logging designed to support BCB's monthly disclosure and biannual independent audit cycle |
| Multichain support for remittance corridors | LATAM remittance flows typically span multiple chains (USDT on Tron, USDC on Solana, ETH-based stablecoins). Fystack's multichain indexer handles custody and transaction tracking across chains without requiring separate infrastructure per chain |
| Supervisory access for BCB oversight | Architecture designed to grant regulators access to audit trails without exposing private keys |
Self-hosted means control stays with you. Unlike third-party custodians where your keys live on someone else's infrastructure, Fystack's MPC custody runs within your own environment. This matters for BCB authorization because the "essential service provider" oversight obligation under Resolution 520 is easier to satisfy when you control the infrastructure, not when you are dependent on a vendor's audit cooperation.
Who Fystack is the right fit for:
- If you are pursuing an intermediary VASP license and need a custody layer that satisfies BCB's supervisory access requirements without building it from scratch, Fystack's infrastructure is designed to be that layer.
- If you are going for full custodian VASP status and need custody infrastructure that can support a biennial independent audit, Fystack's audit trail architecture is built specifically for this requirement.
- If you are a LATAM remittance operator running multi-corridor flows and need a single custody layer that works across chains without fragmented key management, Fystack's multichain architecture covers this without requiring per-chain infrastructure.
Contact the Fystack team at here for a technical assessment of your current custody setup against BCB Resolution 520 requirements.
90-Day Action Priorities
The BCB is not known for fast authorization processing. Filing before October 30 puts you “in the authorization process,” which provides continued operating latitude. Filing an incomplete application in late October is not the same as demonstrable progress, and your banking partners will evaluate your actual status, not just your filing date.
If Brazil’s framework plays out as expected, it could become an important reference point for the region. That means operators building for Brazil today may have an advantage when expanding into other LATAM markets with similar regulatory direction.
With platforms like Fystack, that advantage comes from standardizing early. Custody architecture, asset segregation, access controls, and audit logging can be designed upfront to meet strict compliance expectations. As a result, expansion into new markets doesn’t require rebuilding from scratch, only adapting to local requirements.
In other words, this is less about “build once, scale forever,” and more about building it right the first time so you can scale faster and with less friction.
October 30, 2026 is a hard stop. The operators who navigate it without disruption are the ones who resolve their custody architecture question in the next 60 days, not the next six months.
Not ready yet?
Join our Telegram to follow architecture updates and product discussions: https://t.me/+9AtC0z8sS79iZjFl
FAQ
What is the Brazil crypto license deadline for 2026?
The hard deadline is October 30, 2026, which is 270 days from the February 2, 2026 effective date of BCB Resolutions 519, 520, and 521. After this date, every BCB-licensed bank and payment institution in Brazil is legally prohibited from transacting with unauthorized VASPs. Many press articles reference "November 2026" as shorthand, but the legal deadline is October 30.
Does Brazil's VASP regulation apply to foreign stablecoin and remittance operators?
Yes. The BCB framework applies based on who your users are, not where you are incorporated. If you serve Brazilian users, process stablecoin flows that touch Brazilian counterparties, or route remittances through Brazilian infrastructure, you are in scope. Foreign firms must transfer activities to a locally authorized VASP or incorporate a Brazilian entity by October 30, 2026.
What are the custody requirements for Brazil VASP authorization?
BCB Resolution 520 requires technical asset segregation between client and firm funds, MPC or HSM-backed key management, proof-of-reserves mechanisms, and biennial independent audits. Segregation must be demonstrable at the on-chain and key-management level, not just reflected in accounting records. Custody can be outsourced to a licensed custodian, but regulatory accountability cannot be transferred.
Are USDT and USDC transfers subject to FX rules under Brazil's new crypto framework?
Yes. Resolution 521 classifies fiat-pegged stablecoin transfers as foreign exchange operations. Stablecoin flows are now subject to FX reporting rules, AML obligations, and a $100,000 per-transaction cap when the counterparty is unauthorized. Reporting via the DeCripto form begins May 2026. Authorized banks can transact up to $500,000.
What is the difference between a Custodian VASP and an Intermediary VASP in Brazil?
A Custodian VASP holds private keys directly on behalf of clients and carries the highest regulatory burden: biennial independent audits, proof-of-reserves, and full cybersecurity scrutiny under Resolution 520. An Intermediary VASP delegates custody to a BCB-authorized custodian, which reduces its own compliance surface but does not eliminate accountability. Intermediaries remain responsible for vendor due diligence, contractual clarity, and ensuring the custodian can satisfy BCB supervisory access requirements.
