
Brazil’s Travel Rule: What VASPs Need to Know

13 Mar, 2026

Brazil introduced its Travel Rule framework through the Central Bank’s Resolutions No. 520 and No. 521. The resolutions establish rules for virtual asset service providers (Sociedades Prestadoras de Serviços de Ativos Virtuais, SPSAVs) and other authorised institutions, aligning Brazil’s regulatory framework with the FATF’s Recommendation 16.


TL;DR

  • Brazil introduced its Travel Rule through the Central Bank’s Resolutions No. 520 and No. 521, aligning its framework with FATF Recommendation 16.
  • The rules apply broadly to virtual asset service providers (SPSAVs/PSAVs) and other authorised institutions, including banks and brokerage firms. 
  • Originator VASPs must transmit specific originator and beneficiary data to counterparties for each qualifying virtual asset transfer.
  • VASPs must implement robust risk management, internal controls, AML/CFT monitoring, and report suspicious transactions to the Central Bank of Brazil.
  • Travel Rule data must be stored electronically for at least 5 years.
  • Transactions involving self-hosted wallets trigger additional reporting obligations and require verification of wallet ownership.
  • Compliance requires not only data exchange but also secure IT systems, due diligence procedures, and effective governance frameworks.


Understanding the Regulatory Obligations for Virtual Asset Service Providers (PSAVs)

Scope of the Travel Rule in Brazil

The Brazilian Travel Rule applies to all virtual asset service providers (PSAVs) and authorised entities, defined under Article 4 of Central Bank Resolution No. 520, that offer virtual asset services. 

This includes: 

  • Virtual asset service provider companies (SPSAVs*) acting as custodians, intermediaries, or brokers. 
  • Commercial banks, foreign exchange banks, investment banks, multiple banks, and the state-owned Caixa Econômica Federal. 
  • Securities brokerage firms, securities distribution firms, and foreign exchange brokerage firms. 

*According to Law No. 14,478/2022, SPSAVs are legal entities that, on behalf of third parties, perform at least one of the following activities: 

(i) Exchange between virtual assets and fiat currency;
(ii) Exchange between one or more virtual assets;
(iii) Transfer of virtual assets;
(iv) Custody or administration of virtual assets or instruments that allow control over them; or
(v) Participation in financial services and the provision of services related to the offering or sale of virtual assets by an issuer.


Obligations of VASPs

Under Section VI of No. 520 (Seção VI: Do controle e monitoramento das operações), originator and beneficiary VASPs have an array of obligations.

Firstly, originator VASPs must provide their counterparty with the required Travel Rule information set out in Article 44 of No. 520 (specified below: Required Travel Rule Data).

Moreover, the originator VASP’s risk management policies and internal controls must meet the requirements set forth in Articles 43 and 44.

The originator VASP is also responsible for identifying, in accordance with applicable legislation, suspicious or irregular transactions under the laws and regulations governing the prevention of criminal use of the National Financial System, such as those related to money laundering, the financing of terrorism, and the proliferation of weapons of mass destruction.

When such transactions are identified, records must be kept and made available to the responsible authorities and other competent bodies, such as the Central Bank of Brazil.

Additionally, if an originator VASP is unable to control and monitor virtual asset transactions, or experiences difficulties in doing so, arising from practices adopted by other authorised institutions, the Central Bank of Brazil is to be notified immediately.

In procedures intended for the control and monitoring of transactions involving virtual assets, VASPs must implement measures for the identification and due diligence of customers and users, business partners, and outsourced service providers, in accordance with the other requirements outlined in the specific regulation.

Finally, VASPs are required to maintain Travel Rule data in an electronic format for a minimum period of 5 years.


Required Travel Rule Data

At a minimum, the originating VASP must provide the receiving institution with:

  • Originator’s name (individual or legal entity);
  • Originator’s fiat account at the originating institution (payment or deposit account if domestic, or equivalent account if international);
  • Originator’s residential address;
  • Originator’s CPF, CNPJ, or international identification number;
  • Originator’s virtual asset wallet address;
  • Beneficiary’s name (individual or legal entity);
  • Beneficiary’s fiat account at the beneficiary institution (payment or deposit account if domestic, or equivalent account if international);
  • Beneficiary’s virtual asset wallet address.


Self-Hosted Wallets

For transactions to or from self-hosted wallets* involving a VASP, VASPs must report the following information to the Central Bank of Brazil:

  • Customer name (originator or beneficiary);
  • CPF, CNPJ, or international identification number;
  • Verification of wallet ownership or control;
  • Transaction date;
  • Virtual asset involved;
  • Value of the virtual assets transferred;
  • Transaction value in Brazilian reais;
  • Indication of whether the wallet is the origin or destination of the transaction.

VASPs are also expected to implement technological mechanisms to verify wallet control, such as AOPP, micro-transfer ownership tests (e.g. “Satoshi Tests”) or message-signing requests.

* Under No. 521, Art. 76-A, § 1º, II, self-hosted wallets are defined as wallets where “The owner holds control of the respective private key, being able to transfer it without the need for the involvement of a virtual asset service provider.”
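
The micro-transfer ownership test ("Satoshi Test") named above can be sketched as a challenge and a verification step. This is an added example, not code from the resolutions or from 21 Analytics; the amount range, the time window and the shape of the `tx` record are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

# Assumed policy values for illustration; not taken from Resolutions 520/521.
MIN_SATS, MAX_SATS = 1_000, 9_999
WINDOW_SECONDS = 30 * 60


@dataclass
class Challenge:
    claimed_address: str   # self-hosted wallet the customer says they control
    amount_sats: int       # unpredictable micro-amount the customer must send
    issued_at: int         # Unix time the challenge was created
    used: bool = False     # a challenge may prove control only once


def issue_challenge(claimed_address, now):
    """Create a single-use challenge with a CSPRNG-chosen amount."""
    amount = MIN_SATS + secrets.randbelow(MAX_SATS - MIN_SATS + 1)
    return Challenge(claimed_address, amount, now)


def verify_transfer(ch, tx, deposit_address):
    """Check one observed transfer against the challenge; return (ok, reason).

    `tx` is a dict produced by the VASP's own chain monitoring (hypothetical
    shape). On UTXO chains `from_address` must mean that every input belongs
    to the claimed address.
    """
    if ch.used:
        return False, "challenge already consumed"
    if tx["to_address"] != deposit_address:
        return False, "not sent to the VASP deposit address"
    if tx["from_address"] != ch.claimed_address:
        return False, "sender is not the claimed wallet"
    if tx["amount_sats"] != ch.amount_sats:
        return False, "amount does not match the challenge"
    if not ch.issued_at <= tx["seen_at"] <= ch.issued_at + WINDOW_SECONDS:
        return False, "outside the challenge window"
    if tx["confirmations"] < 1:
        return False, "transfer not yet confirmed"
    ch.used = True
    return True, "wallet control verified"
```

The boolean result and the reason string are what a VASP would retain as evidence for the "verification of wallet ownership or control" item in the self-hosted wallet report.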


21 Travel Rule and the Brazilian Travel Rule

21 Analytics’ on-premises solution is designed to support strict compliance with Resolutions 520 and 521 by enabling direct, peer-to-peer transmission of Travel Rule data. 

By operating within the VASP’s own infrastructure, the solution strengthens institutional control over identity and access management, continuous monitoring, incident response, and broader cybersecurity safeguards. This supports the regulatory expectation that VASPs implement robust measures to ensure the security, resilience, and proper functioning of their IT environments.

Because Travel Rule data is exchanged in a true peer-to-peer manner, no central hub or external processor is involved in the transmission. This reduces exposure to third-party data leakage, limits the overall attack surface, and mitigates risks associated with multi-tenant or shared compliance networks. Sensitive personal data remains under the VASP’s direct control at all times.

For transfers involving self-hosted wallets, 21 Analytics provides VASPs with tools to verify wallet ownership in a quick and user-friendly manner. The solution supports multiple verification methods, including the Satoshi Test and AOPP. 

AOPP has been widely adopted by European VASPs and their customers. Through a one-click verification flow compatible with over 500 wallets, institutions can meet regulatory expectations while preserving operational efficiency and user experience.


Further Reading

Central Bank Resolution No. 520 of 10/11/2025

Central Bank Resolution No. 521 of 10/11/2025

FATF Recommendation 16

Brazil Travel Rule Summary

Disclaimer

This material is provided for educational and informational purposes only and is not intended to be a substitute for professional advice or detailed research.

Written by:
About Hannah
Head of Regulatory Affairs
Hannah has extensive international crypto experience. She has worked at a Nordic crypto exchange, is part of the DLT Talents program at Frankfurt School Blockchain Center, and currently leads the marketing and regulatory engagement efforts at 21 Analytics. Her crypto regulation research powers 21 Analytics' growth strategy. She writes digestible explainers based on her deep Travel Rule knowledge and engages with policymakers and industry groups.