
Brazil's central bank now requires VASPs to submit an independent audit from a CVM-registered entity before licensing. The rule follows Operation Hidden Flow, which uncovered $5 billion in irregular crypto movements linked to a designated terrorist group.
The Central Bank of Brazil has added a new gatekeeping step for any virtual asset service provider (VASP) seeking an operating license. Under Normative Instruction No. 739, issued on Friday, applicants must now submit an independent audit from an entity registered with the Brazilian Securities and Exchange Commission (CVM) before the central bank will approve their authorization.
The requirement targets the audit itself, not just the applicant's internal controls. The bank wants a third-party “reasonable assurance report” that verifies compliance across several specific areas. This is not a one-time checkbox. The audit must assess the VASP's institutional policy, organizational structure, employee training, and internal risk assessment regarding the use of its products for money laundering and terrorism financing. It also must evaluate the company's procedures for customer due diligence, transaction monitoring, and reporting of suspicious activity.
The regulatory push follows Operation Hidden Flow, a high-stakes operation that targeted six fintech companies moving over $5 billion irregularly. Authorities detected the use of digital assets for money laundering in those cases. The Primeiro Comando da Capital, a drug trafficking organization recently designated by the Trump Administration as Specially Designated Global Terrorists (SDGT), is suspected to be behind these operations.
According to local media, the use of cryptocurrency for illicit purposes has skyrocketed in Brazil, with criminal groups leveraging digital assets to move funds. The central bank stated that the new audit measures aim to “increase the security of decisions in authorization processes, while reinforcing the country’s alignment with international practices and standards for combating these crimes.” It also reinforced that “verification by independent audit contributes to greater transparency and reliability in the controls adopted by companies in the sector.”
The independent audit must cover five distinct areas:
For any exchange or VASP targeting the Brazilian market, the new rule raises the cost and timeline of entry. The audit must come from an entity registered with the CVM, which limits the pool of approved auditors. The report itself must be a “reasonable assurance” engagement, a higher standard than a simple review. This means the auditor tests the controls, not just checks that a policy document exists.
Larger, already-regulated international exchanges with established compliance teams in Brazil have a head start. They likely already maintain the documentation and controls the audit will test. The burden falls hardest on smaller fintechs and startups that lack dedicated AML/CTF compliance staff. For them, the cost of hiring a CVM-registered auditor and building the required control framework could delay or block their license application entirely.
The central bank is using the independent audit as a pre-authorization filter, not a post-licensing check. This is a structural change. Previously, a VASP could submit its own compliance documentation and await approval. Now, the bank will not even begin the authorization process until a third-party auditor has signed off on the company's controls. This shifts the burden of proof from the regulator to the applicant and its auditor.
Confirmation: If the central bank begins rejecting applications based on audit findings, or if the number of new VASP licenses drops sharply in the next 12 months, the thesis that this is a meaningful barrier is confirmed.
Weakens: If the central bank grandfathers existing licensed VASPs from the audit requirement, or if a large number of CVM-registered auditors quickly enter the crypto audit space and drive down costs, the barrier becomes less significant.
Risk to watch: The requirement does not specify a recurring audit frequency. If the central bank mandates annual or biannual audits, the ongoing compliance cost becomes a permanent operating expense, not just a one-time licensing cost.
Brazil already had one of the stricter licensing regimes in Latin America. The new audit requirement adds to that framework. It aligns Brazil with jurisdictions like Singapore and Dubai, where independent audits are part of the licensing process. It also distances Brazil from more permissive regimes like El Salvador or certain European Union member states that rely on registration rather than licensing.
For traders and investors evaluating crypto exposure to Brazil, the key question is whether this regulation accelerates or slows institutional adoption. Stricter licensing tends to push retail activity toward unregulated peer-to-peer channels, which can increase the very illicit activity the regulation targets. At the same time, a clean license from the Central Bank of Brazil becomes a stronger signal of legitimacy, which could attract institutional capital.
The Central Bank of Brazil has made it harder to get a crypto license. The independent audit requirement is a concrete, enforceable gate that adds cost and time. For VASPs already operating in Brazil, the risk is that the central bank applies the rule retroactively. For those seeking entry, the path just got narrower. The next catalyst to watch is the central bank's first rejection based on an audit finding, which will set the precedent for how strictly the rule is enforced.
For related analysis on crypto regulation and enforcement trends, see Trump's Crypto Stance Threatens Industry's Landmark Bill and Lummis Warns: CLARITY Act Stalls Until 2030.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.