backOn September 28, 2023, the Central Bank of Brazil (Bacen) published in the official gazette two (2) important regulations regarding security incidents involving the PIX infrastructure. Resolution No. 342/2023 and Normative Instruction (IN) No. 412/2023. Both came into force on the date of their publication.
Resolution No. 342/2023
Resolution No. 342/2023 amends the text of the PIX Regulation (BCB Resolution No. 1, of August 12, 2020) to include the duty of banks and financial institutions to notify data subjects about any occurrence of a personal data breach involving the PIX infrastructure. This communication must take place regardless of the size of the risk and reason of failure, even if the incident has not generated damage or negative impacts for users.
The obligation to communicate to such data subjects differs from the rules provided by the Brazilian General Data Protection Law (LGPD), which does not oblige the communication of incidents that do not create a relevant risk to the personal data subject.
The said text also amends PIX Penalties’ regulation (BCB Resolution No. 177, of December 22, 2021) to include new infractions subject to sanction, such as failure to meet minimum technical security requirements, resulting in an information security incident.
IN No. 412/2023
IN No. 412/2023 establishes the procedures to be adopted by banks and financial institutions to notify data subjects in the event of security incidents involving personal data within the PIX infrastructure.
In addition, Bacen will define the deadline for the communication of such incidents, which must be made clearly, individually, and using the channel usually used by the PIX participant to communicate with the user, in order to guarantee an authenticated and secure environment.
***
Our office is available to assist our clients concerning banking and financial sector regulations, including those involving technology and data protection matters.
share
