[Resolution No. 4,658] Financial institutions will have to implement cyber security policy

October 11, 2019

[Updated 11.10.2019] – RESOLUTION 4.658 - AMENDMENT OF COMMUNICATION TO BC

More recently, on 26 September 2019, the Central Bank (BC) published a new resolution, No. 4,752, which amends the deadline by which institutions (companies) must notify the BC regarding the contracting of suppliers of processing, data storage and cloud computing services.

Objectively the new resolution states that:

  • The communication must be made within ten days after hiring the services;
  • Contractual changes that imply modification of the information must be communicated to the Central Bank of Brazil within ten days after the contractual amendment.

Previously, the deadline was 60 (sixty) days prior to contracting the services.

It is noteworthy that in the case of services contracted where there is no agreement (cooperation agreements), the contracting institution must request authorization from the BC at least 60 (sixty) days before contracting the service. A similar deadline applies to contractual changes that imply modification of information (contractual amendment) when they involve services contracted in locations where there is no agreement.

Among the motivations for these changes, we can mention the high number of communications made to the BC by institutions about services that had not yet actually been contracted by them, owing to the earlier requirement of 60 (sixty) days' prior notice.

It is important to understand how Resolution No. 4,658 of April 26, 2018, which provides for the cyber security policy and the requirements for contracting data processing and storage and cloud computing services, influences financial institutions and other institutions authorized to operate by the Central Bank of Brazil.

Among the requirements, the organization should have a cyber policy plan, incident handling and a definition of how the institution should behave in the event of such incidents. The institution must also define a director responsible for this.

Regarding the hiring of third parties to operate these security services, institutions must inform the Central Bank at least 60 days in advance of the company and the services to be hired.



Also worth reading is the article below that analyzes Resolution No. 4,658 as an important infralegal framework with clear parameters for the implementation of the cybersecurity policy.

By @brunofeigelson

April 26, 2018 will surely enter the calendar of dates relevant to the history of exponential law. With the publication of 3 resolutions, the CMN regulated credit fintechs (Resolutions 4,656 and 4,657) and the cybersecurity policy (Resolution 4,658). Such measures demonstrate the central role that the Central Bank has been assuming in relation to the theme of innovation in Brazil.

Certainly the repercussions of the mentioned norms are many, and here we have a preliminary analysis of the facts that gave rise to such measures, their respective effects and indications of what is to come. Thus, I take the risk of commenting on the facts within a few hours of their publication in order to contribute to such a relevant moment for the innovation ecosystem.

Standards are always late!

It is nothing new to note that the function of legislating tends not to keep up with the speed of social and economic change. However, in the midst of the 4th industrial revolution - in which disruptive dynamics are advancing rapidly - the gap between such changes and the normative response ends up exposing the legal system and the law itself.

Just as long years separate the date on which a significant part of the population began to use private transportation applications and the enactment of Law No. 13.640/2018, which regulated the subject, in the context of financial market regulation what draws attention is the gap separating the period in which early borrowers took loans from what are already multi-million dollar companies - forged under legal uncertainty - and the issue of Resolutions 4,656 and 4,657.

Only now, after investment rounds involving hundreds of millions of reais, companies like Creditas and Guia Bolso, among many others, can breathe a sigh of relief. Legal certainty, or rather its lack, has strongly threatened the development of innovative companies that are revolutionizing lending in Brazil.

In addition, Resolution No. 4,656 has made great strides in regulating SEP, a peer-to-peer loan. Just as Napster made room for Spotify, the case of Brazilian Fairplace gave rise, almost a decade later, to its own legal framework for this type of operation.

What about the other models?

Despite the legitimate celebrations regarding the new regulatory framework for fintechs, doubts persist regarding the other models involving this category. According to ABFintechs, there are 10 main verticals of Brazilian fintechs. Thus, in addition to lending, there are companies in the national ecosystem that work with payments, financial management, investments, insurance, funding, debt negotiation, crypto, bank and multiservices.

That is, part of the regulatory issue involving the fintechs has been resolved with the issue of Resolutions 4,656 and 4,657. However, another substantial fraction of the issue remains unresolved. The fact is that the theme of fintechs is booming in Brazil and will continue this way for a long time. In three years, the number of companies has risen from 54 to 485, just as the number of verticals has expanded. In this way, new dynamics will always emerge, challenging the normative framework posed and implying the elaboration of new resolutions.

At the international level, the need to constantly adjust financial market regulation has been addressed through the use of the Sandbox figure. The theme has been gaining ground in Brazil and possibly will be used in the future by the Central Bank and the CVM. Although this is not the subject of this article, it should be mentioned that the Sandbox - first used in the United Kingdom in 2015 - has as its premises the desire to reduce the time and cost for a product to go to market, to provide more access to capital - through risk mitigation -, joint work between regulator and entrepreneurs to develop new business and regulatory models, the pursuit of genuine innovation and the greatest benefit to the fintechs' customers.

Data Driven Regulation 

If delays were perceived in relation to the establishment of a model for fintechs, in terms of data protection the CMN regulations will certainly enable the Central Bank to take a leading role in this area. Resolution 4,658 filled the normative vacuum in which the data issue found itself in Brazil.

Although the bills (PLs) involving the subject have recently returned to the debate, especially due to the scandals involving Facebook, the truth is that expectations are not high that a law dealing with the matter will finally leave the National Congress. Until the issue of Resolution No. 4,658, what was observed were many Brazilian companies concerned about the effects of GDPR as of May 25. The impacts of the European standard on national soil are justified by the fact that the scope of the GDPR encompasses all organizations offering products and services, or monitoring behavior, of personal data of European citizens.

Thus, with the issue of Resolution No. 4,658, which establishes the cybersecurity policy, Brazil has an important infralegal framework with clear parameters for the implementation of such policy. Although the scope of the standard is naturally directed to financial institutions and other institutions authorized to operate by the Central Bank, it is assumed that some parameters set forth therein, such as the incident response and action plan, may spread to other sectors. In addition, regulating the procurement of data processing and storage and cloud computing services will bring a new level of attention to financial institutions, and consequently also to technology companies related to this sector.

*Bruno Feigelson - Doctoral student and Master in Law from UERJ. Partner of Lima ≡ Feigelson Advogados. President of AB2L (Brazilian Association of Lawtechs and Legaltechs). Head of Futurism by Future Law. He is a university professor, lecturer and author of several books and articles specialized in Law, Innovation and Technology.

About [SAFEWAY]

SAFEWAY is an Information Security company, recognized by its clients for offering high value-added solutions through Information Security projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, which in large part are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!
