On August 2, the Central Bank of Brazil (BCB) published BCB Resolution 406/24 and BCB Resolution 407/24, with the objective of regulating the sharing of payment transaction initiation services without redirection in Open Finance. The service allows the offer of Pix by approximation and other possible payment solutions.

The new regulation was already expected since July, when the Central Bank held a press conference.

Among the rules released at the beginning of July, Joint Resolution 10/24 included the sole paragraph in article 9 of Joint Resolution 1/20, which establishes the normative principles to regulate the payment transaction initiation service without redirection.

Non-Redirect Journey (JSR)

Sharing payment transaction initiation services without redirection in Open Finance is divided into two steps:

  • account linking; and
  • payment transaction.

The first step consists of obtaining the user consent by a payment transaction initiator (ITP) for the purpose of linking an account of their own – or over which they have transactional powers – to a specific electronic device of their interest (such as their smartphone, smartwatch, etc.).

For security reasons, this initial process is carried out according to the traditional Open Finance consent journey. This consent journey includes also a redirection between institutions for the authentication and confirmation of the costumer’s consent to the ITP.

In general, after granting consent to the ITP, the customer must be redirected to the institution’s app or internet banking that holds the account to be linked to their electronic device. Within the institution’s environment, the customer must authenticate and confirm his consent.

After the authentication and confirmation of the customer's consent, the institution that initially requested consent must request:

  • customer action to generate security credentials on their electronic device, in accordance with the security mechanism defined by the Open Finance governance structure; and
  • authorization to capture and move a security credential component to the institution that holds the linked account owned by the customer (security credentials are nothing more than digital documents that link the user's identity to some form of proof of authenticity, such as a certificate, password, or a PIN).

After completing this process, the customer will be able to use a single consent (during its validity period) to carry out payment transactions through their ITP, without new redirects to the environment of the institution holding their account.

The second step of the journey without redirection consists of the authentication and confirmation process of the customer to initiate a certain payment transaction – or a set of payment transactions – based on the account linked to their electronic device.

To authenticate a payment transaction order issued in an ITP, the institution holding the account must use the security credentials created by the user. Both the ITP and the institution holding the account itself will carry out additional security checks.

Once the consent authentication is completed, the confirmation process takes place in the ITP environment itself, which will be responsible for finalizing the transaction without any redirection (JSR).

Special activity for payment institutions

A payment institution participating in Open Finance and authorized to operate as an ITP that wishes to offer to its customers the payment solutions based on JSR must comply with the following additional regulatory requirements:

  • be responsible for the records, technological environments and electronic systems provided by the ITP to carry out the stages of account linking and payment transactions;
  • comply with the risk management measures in the technical specifications and applicable regulations;
  • ensure that no failures occur in its procedures and internal controls aimed at ensuring the reliability, integrity, availability, security and confidentiality of its environments and electronic systems or any failures that compromise the ability of the institution holding the account to authenticate the customer; and
  • pay in additional capital stock in the amount of BRL2 million to carry out this new activity, as well as permanently maintain net equity in the amount of BRL2 million, without prejudice to the capital requirements arising from the applicable prudential regulations.

We further clarify that the implementation of ITP service sharing without redirection will be mandatory:

  • as of November 14, of this year, for institutions holding accounts that belongs to conglomerates and cooperative systems in which 99% of the total payment transactions successfully carried out within the scope of Open Finance;[1] and
  • as of January 2, 2026, for all account-holding institutions required to participate in the Pix payment arrangement.

 

[1] The identification of conglomerates and cooperative systems must be carried out by classifying, by institution and in descending order, the total number of payment initiation transactions carried out in Open Finance, considering the information reported by the conglomerates and cooperative systems to the Central Bank for the 24 weeks prior to the date of publication of BCB Resolution 406/24.