BACEN Regulations

Brazil's Central Bank mandates comprehensive employee training across anti-money laundering, cybersecurity, and suitability requirements. Roleplays transforms these obligations into practical, measurable skill development.

Overview

What are BACEN regulations?

The Banco Central do Brasil (BACEN) issues a comprehensive regulatory framework governing financial institutions operating in Brazil. For training and compliance purposes, three regulatory pillars are most relevant: anti-money laundering and counter-terrorism financing (PLD/FT), cybersecurity and information security, and investment suitability requirements.

These regulations apply to all institutions authorized by BACEN: commercial banks, investment banks, fintechs with payment institution licenses (IPs), credit cooperatives, brokerages (CTVMs and DTVMs), and payment initiators. With Brazil's rapidly growing fintech ecosystem, the scope of BACEN oversight continues to expand.

BACEN enforcement has intensified significantly in recent years. Administrative sanctions for non-compliance can include fines of up to R$250,000 per infraction per individual, temporary or permanent bans from the financial sector, and revocation of operating licenses. The Central Bank conducts both scheduled inspections and surprise audits, with training documentation being a standard review item.

Circular 3.978

PLD/FT

Anti-money laundering and counter-terrorism financing. Requires KYC procedures, suspicious transaction reporting, and mandatory employee training programs.

Resolution 85

Cybersecurity

Cybersecurity policy and incident response requirements. Mandates security awareness training for all employees with access to financial systems and customer data.

CVM 539

Suitability

Investment suitability requirements. Ensures financial advisors recommend products aligned with client risk profile, investment objectives, and financial capacity.

Regulation Detail

Training requirements

Each BACEN regulation contains specific training mandates that financial institutions must fulfill and document.

Circular 3.978 — PLD/FT Training

Article 6 of Circular 3.978 requires financial institutions to implement a continuous training program for prevention of money laundering and terrorism financing. Training must be specific to each employee's role and must cover: identification of suspicious transactions, KYC (Know Your Customer) procedures, reporting obligations to COAF (Conselho de Controle de Atividades Financeiras), and documentation requirements.

Training frequency must be at least annual, with additional sessions required when there are significant regulatory changes, new product launches, or identified deficiencies. New employees must receive PLD/FT training within 30 days of hiring.

What BACEN inspectors verify: Training records per employee showing content covered, date, and assessment results. Inspectors cross-reference training dates with suspicious transaction reports (STRs) to verify that employees who flagged transactions had received adequate training.

Resolution 85 — Cybersecurity Training

Resolution 85 (which consolidates and replaces Resolution 4.658) requires financial institutions to maintain a cybersecurity policy that includes employee awareness and training programs. All employees, contractors, and third-party service providers with access to the institution's systems must receive cybersecurity training.

Training must cover: identification of phishing and social engineering attacks, secure handling of credentials and authentication, incident reporting procedures, data classification and handling, and acceptable use of technology resources. The institution must also conduct periodic incident response drills.

What BACEN inspectors verify: Evidence that cybersecurity training is continuous (not one-time), covers all in-scope personnel, and is updated to reflect current threats. Incident response drill documentation is also reviewed.

CVM 539 — Suitability Training

CVM Instruction 539 (enforced in conjunction with BACEN oversight for bank-affiliated brokerages) mandates that financial institutions verify the suitability of investment recommendations. Employees who recommend or distribute investment products must be trained to assess client risk profiles, match products to investor profiles, and document the suitability analysis process.

Training must address: risk profile categorization (conservative, moderate, aggressive), product risk classification, conflict of interest management, and the obligation to refuse transactions that clearly violate a client's declared investment profile.

What CVM/BACEN inspectors verify: That advisors can demonstrate understanding of suitability requirements, that training records are current, and that there are no patterns of mismatched product recommendations in client portfolios.

Solution

How Roleplays helps

Simulations that train banking teams on real regulatory scenarios — and generate the evidence BACEN expects.

KYC/PLD scenario simulations

Train employees to identify red flags during customer onboarding: inconsistent documentation, structuring behavior (smurfing), politically exposed persons (PEPs), and unusual transaction patterns. AI-powered personas simulate real-world customers attempting suspicious activities, testing whether employees follow proper KYC procedures per Circular 3.978.

Suspicious transaction identification

Simulations present employees with realistic transaction scenarios that may or may not contain suspicious patterns. Employees must identify red flags, decide whether to escalate, and articulate their reasoning. The multi-AI evaluation system scores accuracy of identification, quality of analysis, and proper escalation procedures.

Suitability matching training

Simulate client consultations where advisors must assess risk profiles, recommend appropriate products, and properly document the suitability analysis. AI clients present complex financial situations, test boundary cases (e.g., conservative investor asking for high-risk products), and evaluate whether advisors follow CVM 539 protocols.

Social engineering defense

Resolution 85 requires cybersecurity awareness training. Roleplays simulates vishing calls, phishing attempts, pretexting attacks, and insider threat scenarios specific to banking environments. Employees practice recognizing manipulation tactics, following credential security protocols, and properly escalating suspicious contacts.

Audit-ready documentation

Every simulation generates a complete training record: employee ID, date, time, scenario content, full interaction transcript, evaluation criteria, and competency scores. Export reports by regulation (PLD/FT, cybersecurity, suitability), department, or individual — ready for BACEN inspection at any time.

Continuous training cycles

Configure training frequencies per regulation and role. PLD/FT annual retraining, quarterly cybersecurity updates, and suitability refreshers whenever new products launch — all tracked automatically. The platform flags overdue training and sends reminders before deadlines are missed.

FAQ

Frequently asked questions

Does Roleplays cover all three BACEN training requirements?

Yes. Roleplays provides scenario templates for PLD/FT training (Circular 3.978), cybersecurity awareness (Resolution 85), and investment suitability (CVM 539). Each regulation has its own set of scenarios, evaluation criteria, and reporting formats. You can track compliance across all three requirements from a single dashboard.

How realistic are the PLD/FT training scenarios?

Highly realistic. AI personas simulate customers with complex financial backgrounds, inconsistent documentation, structuring behavior, and other red flags that employees encounter in daily operations. Scenarios are designed by compliance specialists and include edge cases that generic training platforms miss — such as PEP identification challenges, shell company structures, and cross-border transaction patterns.

Can we differentiate training by role (teller, advisor, compliance officer)?

Absolutely. Roleplays supports role-based training paths. A bank teller receives scenarios focused on cash transaction red flags and basic KYC, while a relationship manager gets complex suitability scenarios with high-net-worth clients. Compliance officers receive advanced scenarios covering regulatory edge cases and STR filing procedures. Each role has distinct evaluation criteria calibrated to their responsibilities.

How does Roleplays handle the 30-day new hire training requirement?

New employees can be immediately assigned onboarding training paths that include all required PLD/FT, cybersecurity, and suitability scenarios. The platform tracks their start date and training completion progress, ensuring they complete all required modules within the 30-day window mandated by Circular 3.978. Managers receive alerts if onboarding training is at risk of missing the deadline.

Is the platform suitable for fintechs with payment institution (IP) licenses?

Yes. Fintechs with IP licenses face the same BACEN training requirements as traditional banks. Roleplays is particularly well-suited for fintechs because it scales instantly — no classroom logistics, no scheduling constraints. As your team grows rapidly, training keeps pace. The platform also supports the Portuguese language natively, critical for Brazilian regulatory compliance.

Get compliant faster.

Train your banking team on PLD/FT, cybersecurity, and suitability requirements with simulations that generate the documentation BACEN expects.