AML/CFT and KYC
Law No. 14,286/2021 (New Foreign Exchange Framework), while simplifying foreign exchange operations, maintained and reinforced the obligations of financial institutions regarding the prevention of illicit activities. Compliance with Anti-Money Laundering (AML/CFT) and Know Your Customer (KYC) procedures is a requirement for operating in the sector.
Definitions of KYC and AML/CFT
- KYC (Know Your Customer): Refers to procedures for identifying, qualifying, and verifying the identity of clients. Activities include collecting documents, analyzing risk profiles and financial capacity, and maintaining updated records (ongoing due diligence).
- AML/CFT (Anti-Money Laundering and Combating the Financing of Terrorism): Refers to the set of policies, controls, and procedures implemented by financial institutions to detect, analyze, and report suspicious activities, in compliance with current regulations. An effective AML/CFT program depends on an effective KYC process.
Compliance Cycle
In practice, these concepts materialize in a continuous cycle of analysis and monitoring, from the first contact with the client.
Onboarding
This is the entry point—no client can operate without first undergoing a rigorous registration and analysis process, which varies in complexity according to the profile. This process includes two critical checks: Screening and identification of PEPs.
- Screening (List Checks): During onboarding, the client's name (and partners/ultimate beneficiaries in the case of companies) is automatically checked against various national and international restrictive lists. The goal is to identify if the individual is associated with:
  - Sanctions Lists: Such as those from the UN, OFAC (USA), or the European Union, which prohibit transactions with certain people, groups, or countries.
  - Adverse Media: Negative news that may associate the client with criminal investigations, corruption, etc.
  - Internal Watchlists and Regulatory Agency Lists.
- Identification of PEPs (Politically Exposed Persons): Regulations require the identification of clients who are (or have been in the last 5 years) Politically Exposed Persons. This includes politicians, senior members of the judiciary, executive, and legislative branches, and managers of state-owned companies, as well as their family members and close associates.
  - Why is it important? Clients classified as PEPs represent a higher risk of involvement in corruption and bribery. Therefore, they are subject to more in-depth due diligence (EDD - Enhanced Due Diligence) and more rigorous ongoing monitoring of their operations.
Transaction Analysis
After the client's initial registration (Onboarding and KYC), each foreign exchange operation undergoes a second layer of analysis before execution. This step no longer focuses on "who the client is," but rather on "does this specific operation make sense for this client?"
The goal is to assess the legitimacy, legality, and economic compatibility of the transaction against the client's previously established risk profile and financial capacity. This analysis is based on three main pillars, addressed next.
Economic-Financial Compatibility
Checks if the transaction amount is consistent with the client's declared financial capacity.
- Example (Individual): A student requests a remittance of US$ 50,000 for "maintenance of a resident." The amount is incompatible with the profile of a student without declared income. The institution will request documents proving the source of funds, such as the parents' income tax return (donors) or the sale of an asset.
- Example (Company): A consulting company with annual revenue of R$ 500,000 requests a payment of US$ 200,000 to a supplier. The amount is disproportionate to the revenue. The bank will question and request proof of the source of funds, which could be a capital contribution or a bank loan.
Economic Basis and Legality
Checks if the operation has a lawful purpose and is supported by documentation.
- Example (Company): An import company pays for "marketing consulting" to a company in a high-risk jurisdiction. The nature of the service is subjective and the destination is a risk factor. The bank will require the service contract to validate the legitimacy of the transaction.
- Example (Individual): A client requests to send US$ 30,000 abroad for "payment of services." The description is generic—the institution will request the invoice or service contract specifying what is being paid for, to whom, and for what reason, ensuring it is not a simulated operation.
Ongoing Transaction Monitoring
The analysis is not only static but also dynamic. The institution's systems monitor client behavior over time to identify deviations from the expected pattern. Examples of common alerts ("Red Flags"):
- Structuring (Smurfing): A client carries out several operations of US$ 9,500 on consecutive days. This is a strong indication that they are intentionally splitting a larger operation to try to avoid automatic reporting limits.
- Sudden Profile Change: An exporter who always received payments from Germany and the USA starts receiving multiple smaller transfers from various Eastern European countries, without a clear commercial justification.
- Triangulation of Operations: A company imports a product from China, but the payment order is to an intermediary entity in Panama, which has no apparent relationship with the original exporter.
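A monitoring rule for the structuring red flag described above, as an added example (not code from the original page or from any institution's system). The US$ 10,000 reporting limit, the 10% "near-limit" band, the 5-day window and the 3-operation minimum are assumed values; the page gives only the US$ 9,500 example amount.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Assumed parameters (the page does not state the actual reporting limit).
REPORT_LIMIT = Decimal("10000")   # hypothetical automatic reporting limit, USD
NEAR_RATIO = Decimal("0.90")      # "just under" = within 10% below the limit
WINDOW_DAYS = 5                   # rolling look-back window
MIN_OPS = 3                       # operations needed to raise an alert

# Constructed sample operations: (client_id, date, amount_usd)
SAMPLE_OPS = [
    ("C-001", date(2024, 3, 4), Decimal("9500")),
    ("C-001", date(2024, 3, 5), Decimal("9500")),
    ("C-001", date(2024, 3, 6), Decimal("9500")),
    ("C-002", date(2024, 3, 4), Decimal("9500")),   # single op: no pattern
    ("C-003", date(2024, 3, 4), Decimal("1200")),   # small, not near limit
    ("C-003", date(2024, 3, 5), Decimal("800")),
    ("C-004", date(2024, 1, 10), Decimal("9800")),  # near limit but spread
    ("C-004", date(2024, 2, 10), Decimal("9700")),  # over several months
    ("C-004", date(2024, 3, 10), Decimal("9900")),
]

def structuring_alerts(ops):
    """Return one alert per client whose near-limit operations cluster
    inside the rolling window and together exceed the reporting limit."""
    floor = REPORT_LIMIT * NEAR_RATIO
    by_client = defaultdict(list)
    for client, day, amount in ops:
        # Only operations just under the limit are candidates; anything at or
        # above it is assumed to be caught by the automatic report itself.
        if floor <= amount < REPORT_LIMIT:
            by_client[client].append((day, amount))

    alerts = []
    for client, items in sorted(by_client.items()):
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window until it spans fewer than WINDOW_DAYS days.
            while items[end][0] - items[start][0] >= timedelta(days=WINDOW_DAYS):
                start += 1
            window = items[start:end + 1]
            total = sum(a for _, a in window)
            if len(window) >= MIN_OPS and total > REPORT_LIMIT:
                alerts.append({"client": client, "ops": len(window), "total": total,
                               "from": window[0][0], "to": window[-1][0]})
                break  # one alert per client is enough for analyst review
    return alerts
```

An alert from a rule like this is an input to analyst review, not a conclusion: the decision to report still follows the analysis described in the next section.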
Reporting to COAF
If, after analysis, a transaction or behavior pattern is considered suspicious, the financial institution is legally required to report it to COAF (Financial Activities Control Council). COAF analyzes this data and, if it identifies evidence of a crime, forwards the information to the competent authorities.
Impact of the New Foreign Exchange Framework on Compliance
Law No. 14,286/2021 replaced prior procedural control with a model focused on the responsibility of the financial institution. The greater freedom in formalizing transactions was accompanied by greater demands on the robustness of compliance systems. The focus of regulatory supervision has therefore shifted from the form of the process to the assessment of the effectiveness of the AML/CFT programs implemented by the institution, where screening processes and the identification and treatment of PEPs are fundamental.