Cybersecurity in the Financial Sector: Understanding the Before and After of the New Central Bank Regulations
CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025 changed the game. Find out why what was once 'best practice' is now a legal obligation with strict enforcement around Penetration Testing (Pentests) and financial risk management.
The Brazilian financial market has undergone one of its greatest structural transformations in terms of cybersecurity. With the enactment of CMN Resolution No. 5,274/2025 and BCB Resolution No. 538/2025 by the Central Bank of Brazil, what was previously treated by many companies as a best practice or an optional investment has become a strict legal obligation. The era of reactive security is over; institutions must now actively demonstrate their resilience against digital attacks and fraud.
How the Market Operated Before the New Rules
To understand the weight of this change, we need to look at how the market operated prior to these new regulations. Previously, the landscape was guided by more generic and flexible guidelines, where digital security depended heavily on each company's maturity level and available budget.
Penetration testing (Pentests) was seen by many fintechs and smaller institutions as an occasional procedure, often limited to automated scans carried out by in-house teams. There was no explicit requirement for annual testing cycles, nor any obligation to hire independent auditors. Furthermore, oversight of the technology supply chain and third-party partners was far more lax: a company could secure its internal systems while integrating third-party APIs without demanding the same technical rigor from those providers.

The End of Self-Regulation and the Focus on Pix and Open Finance
The new resolutions have definitively broken with that self-regulatory model and established an ecosystem of strict compliance. The regulator's primary goal is to shield the payments system — especially given the rapid expansion of Pix and Open Finance, environments where the attack surface for scams and intrusions has grown considerably.
By adopting the principle of technical symmetry, the Central Bank ensures that its regulatory scrutiny spares no one, not even smaller players. Credit cooperatives, finance companies, payment institutions, fintechs, and businesses that operate proprietary credit or intermediate technology-driven transactions all fall under the same scrutiny, regardless of their size.
Operational Costs vs. Survival Risks
This transition brings immediate practical challenges, but also significant benefits. On one hand, the forced maturation of the market makes it possible to identify critical misconfigurations, weaknesses in strong authentication (MFA), and fragile points in integrations before a criminal can exploit them. On the other hand, there are recurring financial costs associated with consulting services and an added burden on IT teams, who must race to remediate the vulnerabilities identified.
The greatest danger for those who ignore the rules goes far beyond heavy fines — it includes the suspension of operating licenses, termination of contracts by major commercial partners, and reputational damage in a market that runs almost entirely on trust.
Non-Negotiable Requirements for Regulatory Compliance
Within this new landscape, there are specific requirements that are absolutely non-negotiable. For an institution to remain compliant, the following are indispensable:
- Periodic Pentests: Annual penetration tests are mandatory and must be conducted by independent teams or certified professionals.
- Mitigation Plans: Formal documentation of all identified vulnerabilities and the corresponding action plans for timely remediation.
- Extended Accountability: Guaranteeing and demonstrating that technology vendors and third-party service providers adhere to the same security standards.
- Traceability and Audit Trails: Maintenance of records, logs, and testing evidence for a minimum period of 5 years for regulatory inspection purposes.
Pentesting as a Mandatory Strategic Investment
Penetration testing has ceased to be an occasional IT project and has become a mandatory line item in every institution's annual strategic budget. To mitigate the risk of penalties and ensure survival in today's market, the recommended path is to seek specialized offensive security services focused on Web/Mobile Application Pentests, API Security Testing, and Cloud Infrastructure Assessments.
Don't wait for a real attack to expose your gaps. Schedule a consultation with KATRINASEC.