Superintendencies strengthen due diligence on critical vendors
Executive Summary
The Central Bank of Brazil and the Bank of Spain announced coordinated inspections of critical banking infrastructure vendors after incidents involving exposure of PIX and SEPA sender data. Supervisors require proof of environment segregation and immutable audit trails for partners that process KYC or instant payments. In the United States, FinCEN published preliminary guidance for beneficial owner records in virtual asset operations using third-party identity providers. At the same time, the Brazilian Federal Revenue applied fines to installment payment companies for failures in identifying crypto cash-outs. The expectation is that banks and fintechs will update contracts, continuity plans, and third-party portals before the 2026 renewal round.
Top Signals
1. Central Bank of Brazil targets PIX vendor governance
A joint circular with the Monetary Council requires an updated API inventory, confidentiality agreements, and role-based access controls for providers that process PIX messages.
Why it matters: banks that outsource infrastructure will need to review SLAs and ensure real-time alerts on authentication failures.
2. Bank of Spain audits SEPA Instant providers
Inspection letters were issued to verify compliance with the SEPA Instant scheme, with focus on immutable consent logs and incident response policies.
Why it matters: PSPs with presence in Latin America will need to harmonize controls to meet Spanish and European requirements simultaneously.
3. FinCEN guides beneficial owner registration for VASPs
The preliminary guidance states that VASPs must maintain beneficial owner records equivalent to the data required by the Corporate Transparency Act when they use third-party identity providers.
Why it matters: exchanges will need to validate whether KYC partners store evidence in US territory or under robust contractual safeguards.
4. Federal Revenue fines marketplaces for crypto cash-out
A joint inspection with COAF identified e-commerce companies that offered stablecoin cash-out without enhanced due diligence.
Why it matters: marketplaces and acquirers will need to declare continuous monitoring routines for alternative settlement methods.
Deep Dives
Regulation & Supervision
The Central Bank of Brazil added semi-annual control verification questionnaires for providers that receive PIX user data, including requirements for environment segregation and evidence of penetration tests. The Bank of Spain requires PSPs to demonstrate how they ensure the integrity of digital consents and a minimum log retention of five years. Both bodies align with the Basel Committee, which is preparing a guide on critical outsourcing.
Practical impact: Banks must update vendor catalogs and validate contracts before on-site exams. Fintechs need to prove independence of development environments. Vendors must offer recurring external audits. Regulators gain granular visibility to trigger administrative sanctions in 2026.
Tech & Typologies
FinCEN observes growth in structures that use VASPs as invisible settlement layers in e-commerce transactions. The model combines payment APIs with institutional wallets, which makes beneficiary identification difficult. Cases investigated in Brazil involved cash-out to stablecoins with settlement outside the country, triggering Federal Revenue fines and reports to COAF.
Practical impact: Banks need to map technical dependencies in instant payment flows. Fintechs must implement alerts for use of virtual asset wallets in cash-out. Vendors must offer immutable audit trails and dependency visualization tools. Regulators strengthen coordination with tax authorities.
Data Points
- 5 years minimum log retention requested by the Bank of Spain.
- 12 hours for incident notification by PIX providers under the new circular.
- 18% quarterly growth in crypto cash-outs monitored by COAF.
Watchlist
- Basel Committee public consultation on critical outsourcing scheduled for November 6.
- FinCEN workshop with VASPs and acquirers on October 28 to discuss beneficial owner standards.
Sources
- Banco Central do Brasil – Comunicado 21.567
- Banco de España – Supervisory Notice
- FinCEN – Beneficial Ownership Guidance
- Receita Federal do Brasil – Operação Cash Shield
- COAF – Relatório de Atividades Suspeitas 2025
- Basel Committee – Outsourcing Updates
- European Payments Council – SEPA Instant Compliance