In a busy month for fintech regulations, payments companies in Brazil are being told to update their security frameworks and make a plan to deal with breaches.
The new rules came at the same time as Brazil’s Central Bank proposed welcoming fintechs into microfinance, and Mexico published a first draft of new rules for payments companies.
Brazilian payments companies must set out a cybersecurity policy and an action plan for responding to incidents, under new rules announced last week.
The cybersecurity direction by Brazil’s Central Bank followed a debilitating cyber attack on Mexico’s central payments network, the SPEI, earlier this year.
“Companies in general use electronic payments services extensively, and mainly through remote access channels,” the Central Bank said. “Adopting controls and systems designed specifically to be resilient to cyberattacks is important.”
Payment companies’ plans must include protocols for sharing information with other financial institutions in the case of a security breach. And companies will be required to report annually on how they have complied.
The regulator also stipulated how payments companies should use third party services, including cloud storage. Companies must report to the Central Bank on third party providers they work with. And the bank stressed that the payments gateways themselves are responsible for ensuring that any third party services are secure and trustworthy.
But companies have been given a long lead time to comply: The rules come into effect in September 2019.
Microfinance rules under review
Brazil’s financial regulator is also updating rules for microfinance, and encouraging fintech startups into the market. The bank wants to simplify the rules around the types of institutions that can offer microloans, as well as to increase the lending limits for microfinance.
It hopes that by encouraging the use of tech in microfinance, the new rules will make micro-lending cheaper and easier to access, Otávio Damaso, the bank’s regulatory director, said in a statement.
The Brazilian Central Bank is taking public comments on the proposals until September 14.
Mexico consults on secondary regs for payments
Mexico’s central bank is also consulting on new rules for payments companies. The proposal is the first public look into the secondary regulations that will determine the policy details of Mexico’s fintech law.
Among other measures, the rules open the door to companies processing cryptocurrencies.
Interested parties have just 10 days – until August 29 – to submit their comments. The short timeline is a result of the September 10 deadline for the Central Bank to publish the secondary regulations.