Brazil May Cut Off Pix Access for Cyber-Weak Banks
Fintech
Key Facts
—The plan. Brazil’s central bank is studying rules to restrict Pix access for institutions with weak cyber defences.
—The trigger. Cyberattacks drained more than 1.5 billion reais from the financial system in a year.
—The sanctions. Firms could face limits on Pix transaction times and values, or a ban on new keys.
—The audit. The bank sent a 400-question survey to 1,745 regulated institutions on their cyber controls.
—The worst case. A June 2025 breach at tech provider C&M Software siphoned about 813 million reais.
—The timing. The new framework is still in draft and could take months to finalise.
Pix access is a lifeline for any bank operating in Brazil, and the central bank is now ready to use it as a weapon. The message to weak links is blunt: fix your defences or lose the button.

Pix is the payment system almost every Brazilian uses, and criminals have noticed. A run of cyberattacks has drained huge sums from the financial system.
Now the regulator is preparing a tougher response. It wants the power to cut off the weakest institutions before they become the next entry point.
What the Pix access rules would do
The core idea is preventive. The central bank is studying rules that let it restrict Pix access for banks and fintechs that fail to meet cyber-security standards.
The penalties would have teeth. Offending firms could face limits on the times, days or values of Pix transactions, or a ban on registering new Pix keys.
There is a gap in the current rules. Today the regulator can act mainly on breaches of Pix rules, not on firms that simply failed to build required cyber defences.
The new framework aims to close that gap. It would let the supervision team apply preventive measures, nudging firms to invest more in digital security before an attack lands.
Why Pix access is under review now
The numbers explain the urgency. Cyberattacks siphoned more than one and a half billion reais, over two hundred and eighty million dollars, from the system in the past year.
The attacks are getting sharper. Of forty-three incidents reported to the regulator by May, thirty-four were tied directly to cyber fraud.
One case towers over the rest. In June last year a breach at C&M Software, a tech firm linking smaller institutions to the system, drained about eight hundred and thirteen million reais.
That attack set a grim record. It was the largest event of its kind ever recorded in Brazil, and it exposed how a single weak supplier can endanger the whole network.
It was not the only big breach. Weeks later, an attack on another technology provider hit systems used by a foreign bank and a cooperative lender, adding hundreds of millions in losses.
The regulator has already responded once. After the 2025 attacks it capped certain transfers routed through third-party tech providers at fifteen thousand reais per operation.
The audit already under way
The bank is not waiting to act. It has launched a system-wide review, sending a detailed questionnaire to every regulated institution to map their risks.
The scope is huge. The survey went to one thousand seven hundred and forty-five firms, with more than four hundred questions on staffing, artificial intelligence and data protection.
There is important context here. Experts stress the attacks usually exploit weaknesses inside individual firms, not flaws in the Pix system itself.
Why it matters
For anyone living in Brazil, Pix is simply how money moves. Making it safer protects the everyday payments of nearly the entire adult population.
For investors, this is another squeeze on smaller players. Rising security demands, on top of new capital rules, raise the cost of staying in the game and could push consolidation.
The honest caveat is that nothing is final yet. The framework is still in draft and months from taking effect, so the exact thresholds and penalties could still change.
Frequently Asked Questions
What is the central bank proposing?
Brazil’s central bank is studying rules to restrict Pix access for banks and fintechs with weak cyber defences. Penalties could include limits on Pix transaction times and values, or a ban on registering new Pix keys.
Why is this happening?
Cyberattacks drained more than one and a half billion reais from Brazil’s financial system in a year, and the largest was a June 2025 breach at tech provider C&M Software that siphoned about eight hundred and thirteen million reais, exposing how one weak supplier can threaten the whole network.
Is Pix itself unsafe?
Experts stress the attacks usually exploit weaknesses inside individual institutions, not flaws in the Pix system itself. The proposed rules aim to stop firms with poor controls from putting the wider network at risk.
LatAm Markets: Live Signals → — real-time movers, turnover leaders and FX across Latin America.
Read More from The Rio Times