The recent initiative by the Central Bank for Brazil crypto regulation is, in principle, a welcome development. The pursuit of greater legal certainty and investor protection is a noble and necessary goal for the maturation of the sector. However, a deeper analysis of the new resolutions reveals an approach that, under the pretext of protection, creates an environment of surveillance, control, and risk that threatens the fundamental principles of blockchain technology and the security of citizens.
Although regulation is essential, the way Brazil crypto regulation is being implemented by the current government raises serious concerns. The centralization of data, the restriction of economic freedom, and the government’s problematic history of protecting sensitive information create a scenario that could be more harmful than beneficial for Brazilians.
The End of Self-Custody and the Centralization of Risks
One of the pillars of Bitcoin and cryptocurrencies is self-custody: the ability of an individual to be the sole owner and guardian of their own assets, without depending on third parties. The new regulation, by forcing all operations to go through licensed Virtual Asset Service Providers (VASPs), directly attacks this principle. In practice, the government is encouraging users to hand over their keys and, consequently, the ownership of their assets, to companies that become central targets for hacker attacks and government pressure.
This approach ignores the mantra “Not your keys, not your coins,” which is the foundation of security in the crypto world. Instead of educating users about best security practices, the government opts for a third-party custody model that, ironically, recreates the same points of failure of the traditional financial system that cryptocurrencies sought to overcome.
Mass Surveillance: Your Crypto Data in the Government’s Hands
The biggest and most alarming criticism of the new Brazil crypto regulation lies in the massive collection of user data. The resolutions, especially the one dealing with reporting information to the Central Bank, create an unprecedented financial Big Brother. VASPs will be required to send a gigantic volume of information about their clients and their operations, including:
• Personal Data: Full name, CPF (Brazilian individual taxpayer registry), address.
• Transaction Data: Amounts, dates, counterparties.
• Wallet Addresses: Possibly even the addresses of self-custody wallets where funds are sent.
Handing this mountain of data to a government with a recent and disastrous cybersecurity track record is, to say the least, reckless. Brazil has been the scene of industrial-scale data leaks, many of them originating from government agencies. In 2024, records of data leaks in the federal government skyrocketed, doubling the total of the previous three years combined. Emblematic cases, such as the exposure of data of more than 243 million Brazilians by the Ministry of Health, show the state’s inability to protect the information it already possesses.
Now, imagine this same data, plus your entire financial history in crypto assets, available to be exploited by hackers, criminals, and, potentially, by malicious actors within the government itself. It is an invitation to disaster.
The History that Fuels Distrust: The INSS Case
To understand the danger, one need not look far. The recent INSS (National Social Security Institute) fraud scandal, which diverted billions of reais from retirees and pensioners, is a clear example of how the centralization of data in a politically compromised environment can be devastating. The Federal Police investigation revealed a scheme of improper deductions from benefits, operated by associations and unions, some with direct political connections.
The case becomes even more worrying when entities linked to figures close to the President of the Republic, such as his brother, are investigated, and the government apparatus seems to act to shield them from deeper investigations. If the government cannot protect the data and money of retirees, what confidence can we have that it will protect our data in the context of Brazil crypto regulation?
The message is clear: the centralization of sensitive data in the hands of a government with a history of security incompetence and suspicions of corruption is a recipe for disaster. Hackers and criminals will be grateful.
The Regulatory Wall: Article 91 and the Connection to International Sanctions
As if internal surveillance were not enough, BCB Resolution No. 520, in its Article 91, creates a true regulatory wall, a “fenced-in area” that isolates Brazil from the global crypto market. The article expressly prohibits Brazilian institutions from operating with foreign counterparts that are not authorized by the Central Bank.
“Art. 91. It is forbidden for financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil to carry out or facilitate operations in the virtual asset market that have as counterparts entities that provide virtual asset services and are not authorized or in the process of authorization to operate in the country by this Autarchy…”
This measure is a direct blow to the financial freedom of Brazilians, preventing access to global exchanges, decentralized finance (DeFi) platforms, and a much more liquid and competitive market. The justification of “security” is fragile; in practice, the measure serves to ensure that the entire flow of capital in crypto passes under the watchful eye and control of the Central Bank.
The question that remains is: why this isolation? An analysis of the recent geopolitical context raises a worrying hypothesis. In 2025, the United States applied Magnitsky Act sanctions to Brazilian authorities, including the blocking of assets and the restriction of access to the American financial system, which includes cryptocurrency exchanges that operate with US correspondents .
ISO 20022: The Shocking Truth Behind the New Order!
Article 91, implemented months after these sanctions, can be interpreted as a protectionist maneuver by the Brazilian government. By creating this “wall,” the government ensures that citizens and, especially, politically exposed figures, cannot use the global crypto market to circumvent international sanctions or move resources out of Brazilian jurisdiction without the knowledge of the authorities. It is a measure that, under the guise of regulation, may serve to protect political allies and limit the freedom of ordinary citizens.
Conclusion: A Regulation in the Service of Control, Not Protection
Brazil crypto regulation is inevitable and, if well done, positive. However, the approach adopted by the Central Bank of Brazil, under the current administration, is deeply flawed and dangerous. It trades the freedom and security of self-custody for the convenience of centralization, exposes the financial data of millions of Brazilians to a government with a terrible security record, and creates an environment of control that seems more motivated by political interests than by investor protection.
We are in favor of regulation, but not this regulation. Smart regulation should focus on educating the user, punishing fraud in an exemplary manner, ensuring the transparency of companies, and, above all, respecting the principles of privacy and freedom that gave rise to this technology. The current path leads us to a future of surveillance and control, where the greatest risk to your crypto assets may not be market volatility, but the government itself.
