AML/KYC diligence on a Brazilian VASP target requires Brazil-specific knowledge that international acquirers often lack: the COAF reporting regime, the IN 1888 monthly transaction report, the LGPD privacy framework, and the operational practices that distinguish a real compliance program from a paper one. This article is a focused checklist.

Key insight: AML/KYC diligence is the single most important regulatory workstream in a Brazilian crypto acquisition. Targets that fail this workstream are not fixable — they are uninsurable, unbankable, and will not survive BCB transition. Identify them in week one.

The Brazilian AML Regulatory Stack

Brazilian VASPs operate under a four-layer AML stack: Federal Law 9.613/1998 (the AML Law), COAF resolutions on suspicious activity reporting, BCB regulations under Law 14.478/2022, and Receita Federal IN 1888/2019 reporting. A serious operator has policies, technology, and personnel addressing each layer. A weak operator has gaps in two or more.

What to Inspect in the AML Manual

  • Risk-based customer classification with at least three tiers
  • Enhanced Due Diligence (EDD) procedures for high-risk customers
  • Politically Exposed Persons (PEP) screening processes
  • Sanctions screening (UN, OFAC, EU, BCB lists)
  • Transaction monitoring rules and thresholds
  • SAR (Suspicious Activity Report) escalation procedures
  • Compliance officer reporting lines and BCB qualifications
  • Employee training records

| Compliance Element | Source | Pass / Fail Criterion |
|---|---|---|
| IN 1888 monthly filings | Receita Federal | Continuous, error-free history |
| COAF SAR reporting | COAF (FIU) | Calibrated rate aligned with volume |
| BCB engagement | Banco Central | Active transition, no formal warnings |
| Compliance officer | Internal | Qualified, separate reporting line |
| LGPD program | ANPD | DPO designated, RIPD on file |
| KYC pipeline | Internal + vendors | Multi-vendor, biometric, address-validated |

What to Inspect in the KYC Pipeline

Brazilian KYC has specific elements that differ from US/EU norms: CPF (individual tax ID) verification, CNPJ (corporate tax ID) verification, source-of-wealth declarations, address validation against utility bills, biometric face-match, document forensic analysis, and Receita Federal status validation. Targets relying on a single vendor or manual processes are operationally fragile.

COAF Reporting Hygiene

The Conselho de Controle de Atividades Financeiras (COAF) is Brazil’s Financial Intelligence Unit. VASPs must report suspicious activities promptly. During DD, review the SAR submission log: count, category, and trend. Operators with very low or very high SAR rates relative to volume warrant additional scrutiny — both ends suggest a poorly calibrated monitoring system.

IN 1888 Reporting Quality

IN 1888 is Brazil’s crypto transaction reporting requirement. Operators file monthly aggregates of customer transactions above thresholds. DD elements: timeliness of filings, completeness, error rates, amendment history, Receita Federal queries received and responses provided. A clean IN 1888 record is the most defensible regulatory artifact a Brazilian VASP can produce.

AML/KYC Failure Modes

  • 30%: targets fail AML DD
  • Top 1 failure: IN 1888 gaps
  • Unfixable: failure modes

LGPD and Customer Data

Brazilian privacy law (Lei Geral de Proteção de Dados — LGPD) imposes data protection obligations comparable to GDPR. VASPs handle high volumes of sensitive data (CPF, biometrics, transaction history). DD elements: DPO designation, RIPD privacy impact assessments, data processing agreements with vendors, breach notification procedures, ANPD (privacy authority) communications.

“AML failure is not a discount. It is a deal-killer. We have walked away from valuations that would otherwise have been bargains because the SAR log told us the operator was either lying or asleep.”

— Crypto M&A Compliance Partner

Red Flags That Should Kill a Deal

  • Material gap or absence of IN 1888 filings during the operator’s claimed history
  • No COAF SAR ever filed by an operator with material volume
  • No designated compliance officer or compliance officer lacking BCB-relevant credentials
  • Sanctions screening absent or vendor-only without internal review
  • KYC outsourced to a single foreign vendor with no Brazilian context
  • Material undisclosed enforcement actions or formal warnings from any Brazilian authority

Frequently Asked Questions

What is COAF and why does it matter for Brazilian VASP M&A?

COAF is Brazil’s Financial Intelligence Unit. VASPs must report suspicious activities to COAF. The SAR log is a direct proxy for the quality of the operator’s transaction monitoring.

What is IN 1888 and how is it different from regular tax reporting?

IN 1888 is Receita Federal’s crypto transaction reporting requirement, in force since 2019. It applies in addition to regular corporate tax reporting and creates a verifiable compliance fingerprint.

Do Brazilian VASPs need to comply with LGPD?

Yes. LGPD applies fully to VASPs, which process large volumes of sensitive personal data. DPO designation and data protection impact assessments are mandatory.

What is the most important AML element to inspect?

IN 1888 monthly filing history is the single most defensible regulatory artifact. Continuous, error-free filings going back to 2019 are an irreplaceable compliance asset.
