This week, Brazil’s Central Bank published BCB Resolution No. 342 of September 26, 2023, which created a new obligation for financial institutions to report security incidents related to Pix – the Brazilian instant payment method, created by the Central Bank to transfer funds between accounts in seconds.
The obligation to report security incidents to account owners (if that owner is a natural person) arises from any incident involving personal data in databases related to Pix's infrastructure or its components.
Therefore, reporting is mandatory when the Pix database is involved, even if the financial or payment institution that is established as the participant providing the account is not responsible for the incident.
It is particularly interesting that the resolution states that reporting is mandatory "even if it does not entail a relevant risk or damage to the data subjects," which expressly bypasses the triggers contained in the Brazilian General Data Protection Law (LGPD).
The Central Bank of Brazil will also establish the operating procedures for the report in a future document.
It should be noted that penalties under BCB Resolution No. 177 of December 22, 2021 (Pix Penalties Manual) may be applied if these incidents are not reported.