
Brazil’s central bank to tighten onboarding security as Pix frauds proliferate

Brazil’s low-cost instant payment Pix has been a success by almost every measure.

Launched by the central bank in late 2020, its adoption grew dramatically, reaching more than 122 million individuals and 10 million companies in the country as of last month.

Its swift growth has been key to further digitization of Brazil and inspired many as a fruitful case for disruption in emerging markets. Given its benefits — such as free access to individuals, convenience, and immediacy — it has been an essential driver for inclusion.

But despite its massive gains, it has also become a fertile ground for fraudsters, precisely for the same reasons. 

Scams related to Pix have surged since its launch, with criminals taking advantage of its simplicity and wide availability to conduct fraud. Also, the lack of digital banking experience among many of the newly banked makes that segment a target for social engineering.

Banks estimate that scams can cause losses on the order of 2.5 billion reais (or $500 million) to the Brazilian financial system this year, of which 70% would originate from Pix transactions.

Security still weak

Despite its positive contributions, the security of transactions continues to be weak. In that regard, the Central Bank of Brazil is looking for ways to reinforce onboarding security, an official said this month at an event hosted by the local banking association. 

“If I know who paid and I know who sent the money, it is easier to track (illicit) transactions,” Ricardo Mourão, head of Banking Operations at the central bank, was quoted as saying by local media. “We will make account opening more robust, with more identity data. This (issue) will be solved.”


Pix processes a staggering financial volume of almost a trillion reais in monthly payments, or $200 billion. Although scams and frauds, as well as kidnappings (in which criminals demand the user execute a Pix), have been a minority of cases, they have had significant repercussions due to the security concern they generate among Brazilians. 

“Fraud has always existed in Brazil,” Henrique Marise, head of Card Business at Will Bank, told Fintech Nexus. “With Pix, the ability to commit it extended from business hours to 24 hours a day, seven days a week. That is very attractive to scammers.” 

Transaction limits lowered

To discourage crime, the central bank last year lowered the transaction limits for Pix — especially during nighttime — and is looking to hold banks and fintechs accountable when it comes to so-called “orange accounts.” These are fake accounts signed up by fraudsters exploiting a third person’s identity data.

Amid the pandemic, digital banks in Latin America have benefitted from significant customer acquisition gains, signing up thousands of clients daily. In Brazil, fintechs and digital banks now offer simplified onboarding processes, making it possible to sign up a person in minutes.

This has been key to bringing more Brazilians to the financial system, but it has also generated more significant challenges for companies to spot imposters. 

“The rapid and unexpected adoption of Pix revealed new weaknesses,” said Carlos Augusto de Oliveira, a fintech board member at Bossa Nova Investimentos. “It consolidated the power of mobile as a financial tool, but it greatly increased the attractiveness of illicit, especially in the case of the (newly banked) who are not as aware of social engineering scams.”

Heading in the right direction

Fintech advisors argue that measures by the central bank go in the right direction. In a hearing in the Brazilian Congress, the president of the bank, Roberto Campos Neto, said earlier this year that Pix was “safer than already existing transfer methods, which are equally reachable through the smartphone.”


With the new regulation, which should be in effect as of January, entities are held responsible when fake accounts are opened to conduct fraud. Prominent fintechs in Brazil have pushed awareness campaigns to prevent losses, explaining clearly what “orange accounts” are and how best to treat financial and personal data. 

To be sure, tighter security could come at the expense of agility.

“Security is always seen as a loss factor in the financial services user experience,” Marise said. “This could limit adoption of new products, for which fintechs need to continue investing in tools that – through intensive use of data – add security to transactions without interfering with the experience.”

  • David Feliba

    David is a Latin American journalist. He reports regularly on the region for global news organizations such as The Washington Post, The New York Times, The Financial Times, and Americas Quarterly.

    He has worked for S&P Global Market Intelligence as a LatAm financial reporter and has built expertise on fintech and market trends in the region.

    He lives in Buenos Aires.