New Pix Rules for 2026: Mandatory CPF and CNPJ Validation Against Receita Federal Records

TL;DR: Resolução BCB nº 457/2025 (Brazilian Central Bank Resolution 457) has been in force since July 1, 2025. Every institution participating in Pix (Brazil's instant payment system) must validate CPF/CNPJ against Receita Federal records before registering, changing, or porting keys. This article explains what changed, who is affected, and how to automate compliance via API.

With Resolução BCB nº 457, of March 6, 2025, the Central Bank of Brazil began requiring every institution participating in Pix — banks, fintechs, and payment institutions (PIs) — to verify the registration status of CPFs (Brazilian individual taxpayer IDs) and CNPJs (Brazilian company registration numbers) with the Receita Federal (Brazil's federal tax authority) before any operation involving Pix keys. In practice, that means three things:

  1. Keys linked to CPFs and CNPJs with an irregular registration status are automatically deleted.
  2. New registrations, changes, portability requests, and claims all go through mandatory validation.
  3. Institutions that fail to comply face daily fines of R$ 10,000 (adjusted by institution size), under Resolução BCB nº 506/2025.

What changed with Resolução BCB nº 457/2025

Resolução BCB nº 457/2025 amended the Pix Rulebook to add a mandatory registration check to every operation involving Pix keys. Before this rule, a participating institution would register a key without querying the Receita Federal database — which allowed fraudsters to link keys to names that didn't match the CPF or CNPJ on record.

Under the new rule, before registering, changing, or porting a Pix key, banks, fintechs, and PIs must:

  1. Check the registration status of the CPF or CNPJ with the Receita Federal.
  2. Validate that the end user's name matches the name on the Receita Federal record.
  3. Reject the operation if the CPF/CNPJ is in an irregular status or if the names diverge.

This check applies to every key type — CPF, CNPJ, email, phone, and random key — because the link to the holder always runs through document validation.

What prompted the change

Pix moved more than R$ 26 trillion in 2025 and became Brazil's leading payment method. With that volume, fraud grew too: social engineering scams, money-mule accounts, and keys tied to irregular documents. Resolution 457 is part of a broader anti-fraud framework from the BCB that includes MED 2.0 (the Special Return Mechanism), mandatory queries to BC Protege+, and a penalty regime for non-compliance.

Which CPFs and CNPJs get blocked

The rule spells out exactly which registration statuses prevent Pix key registration:

Registration statuses that block Pix key registration

Important: the restriction refers exclusively to registration status at the Receita Federal. Tax debts, negative credit bureau records at Serasa/SPC, or unpaid taxes do not block Pix usage. A CPF with "Regular" status can carry outstanding debt with the PGFN (Brazil's attorney general's office for the national treasury) and keep using Pix keys normally.

Implementation timeline

Resolução BCB nº 457/2025 timeline — regulatory milestones

Date Milestone
03/06/2025 Publication of Resolução BCB nº 457/2025
07/01/2025 Rule takes effect — mandatory validation for new key registrations
12/01/2025 Mandatory BC Protege+ query for all Pix transactions
12/2025 Deadline for anti-fraud service providers to register in Unicad
01/01–05/01/2026 Window for PIs to request formal authorization from the BCB (Resolução BCB nº 506/2025)
April 2026 Email addresses can no longer change holders as Pix keys
Ongoing Periodic BCB monitoring + fines for non-compliance

Estimated impact: who is affected

According to Central Bank estimates, roughly 1% of all registered Pix keys are affected by the measure. That includes keys tied to CPFs of deceased individuals, documents with spelling errors in the Receita Federal database, and CNPJs of closed or inapt companies that still had active keys.

For the vast majority of Brazilians and companies with a regular registration status, nothing changes in everyday Pix usage. The measure specifically targets accounts that were being used irregularly — often as instruments of fraud.

What changes for fintechs and payment institutions

If your company operates as a payment institution, digital bank, or fintech that processes Pix, the obligations are direct and immediate. Resolution 457 affects the entire chain of participants — from large banks to smaller PIs.

By institution type

E-money issuers: Must validate CPF/CNPJ at digital account opening and before registering any Pix key. Since many run fully digital onboarding at high account volumes, automating the registration check via API is essential to protect account-opening SLAs.

Acquirers and sub-acquirers: Beyond their own merchants' (business) keys, they must ensure that keys tied to payment-split arrangements have a regular registration status. Inapt or closed CNPJs among marketplace sellers are a recurring pain point.

Payment transaction initiators (PISPs): While they don't register keys directly, initiators are required to query BC Protege+ before initiating a transaction. Cross-checking against registration status strengthens the anti-fraud layer.

Digital and traditional banks: Must implement validation for both individual and business customers, including continuous monitoring of already-registered keys. Size is no exemption — the fine scales, but the obligation is the same.

Operational obligations

Onboarding and KYC: Account opening and key registration flows must include real-time validation of the CPF/CNPJ registration status. Validating the document format is not enough — you must confirm its standing with the Receita Federal.

Continuous monitoring: This is not just a one-time check at registration. Institutions must run 24×7 anti-fraud monitoring with behavioral pattern analysis, with the ability to block suspicious operations.

Unicad registration: IT service providers (PSTIs) working on Pix anti-fraud must be registered in the BCB's Unicad system.

Audit reports: PSTIs must present a reasonable assurance report issued by an independent auditor.

Formal authorization (PIs): Resolução BCB nº 506/2025 sets a window between January 1 and May 1, 2026 for payment institutions to request formal authorization from the BCB. PIs that miss this deadline lose their status as Pix participants.

If your company is not a PI but uses Pix to receive payments, the impact is indirect: just keep your CNPJ in active status with the Receita Federal. If the CNPJ is suspended, inapt, or closed, the Pix keys linked to it will be deleted automatically.

MED 2.0: returns and anti-fraud blocking

Resolution 457 is part of a regulatory package that includes the evolution of the Special Return Mechanism (MED), now informally called MED 2.0. The main changes hit the operational flows of fintechs and PIs directly:

MED 2.0 flow — detection, blocking, and return

Immediate blocking with partial returns: Returns used to be a single-shot process. Now, funds can be returned in installments under strict deadlines, enabling recovery even when the money has been dispersed across multiple accounts.

Broader definition of fraud: MED now covers social engineering scams — where the victim is induced to make the transfer voluntarily, but under manipulation.

Transaction flagging: Once an account receives a fraud infraction notice, all Pix transactions involving that user are blocked (except returns). Key portability and claims are also barred.

BC Protege+ queries: Since December 1, 2025, institutions must query the BC Protege+ system before processing transactions, identifying fraud-flagged accounts in real time.

How to validate CPF and CNPJ via API

For fintechs and PIs that need to automate registration status checks, FonteData offers dedicated CPF and CNPJ lookup endpoints via REST API. Instead of integrating directly with the Receita Federal (a bureaucratic process, with no SLA and prone to instability), the FonteData API returns up-to-date Receita Federal data with sub-200ms latency.

Validation architecture: PI/Fintech → FonteData API → Receita Federal

Validation example in Python

import requests

FONTEDATA_API = "https://app.fontedata.com/api/v1/consulta"
API_KEY = "sua_chave_aqui"

SITUACOES_BLOQUEADAS_PF = {"SUSPENSA", "CANCELADA", "TITULAR FALECIDO", "NULA"}
SITUACOES_BLOQUEADAS_PJ = {"SUSPENSA", "INAPTA", "BAIXADA", "NULA"}

def validar_documento(documento: str) -> dict:
    """
    Validates a CPF or CNPJ for compliance with Resolução BCB 457/2025.
    Returns a dict with 'aprovado' (bool), 'situacao' and 'nome'.
    """
    doc_limpo = documento.replace(".", "").replace("-", "").replace("/", "")

    if len(doc_limpo) == 11:
        tipo = "cpf"
        bloqueadas = SITUACOES_BLOQUEADAS_PF
    elif len(doc_limpo) == 14:
        tipo = "cnpj"
        bloqueadas = SITUACOES_BLOQUEADAS_PJ
    else:
        return {"aprovado": False, "erro": "Documento inválido"}

    resp = requests.get(
        f"{FONTEDATA_API}/{tipo}/{doc_limpo}",
        headers={"X-API-Key": API_KEY},
        timeout=10
    )
    resp.raise_for_status()
    dados = resp.json()

    situacao = dados.get("situacao_cadastral", "").upper()

    return {
        "aprovado": situacao not in bloqueadas,
        "situacao": situacao,
        "nome": dados.get("nome") or dados.get("razao_social"),
        "tipo": tipo,
    }


# Usage
resultado = validar_documento("11.222.333/0001-81")
if resultado["aprovado"]:
    print(f"✓ {resultado['nome']} — situação: {resultado['situacao']}")
else:
    print(f"✗ Bloqueado — situação: {resultado['situacao']}")

The situacao_cadastral field returns the exact status from the Receita Federal. Just check whether the value is in the blocked-status list to decide if the Pix key operation can proceed.

Practical implementation: the validation flow

The recommended flow for Resolution 457 compliance in the Pix key registration process:

Pix key validation flow — from request to decision

Implementation watch-outs:

Latency: The API call must be fast enough not to degrade the user experience. APIs like FonteData respond in under 200ms — compatible with real-time onboarding flows.

Cache carefully: It's tempting to cache registration lookups, but statuses change (a CNPJ can be closed between one query and the next). We recommend caching registration status for no more than 24 hours, with mandatory revalidation on every new key operation.

Fallback: If the lookup API is unavailable, the key operation should be queued (not rejected), with automatic reprocessing when the service recovers. Rejecting on downtime creates unnecessary friction — especially for PIs with high onboarding volume.

Audit logs: Every query and decision (approval or rejection) should be logged with a timestamp, the document queried, the status returned, and the decision made. The BCB can request this evidence during inspections.

Penalties for non-compliance

Resolução BCB nº 506/2025 complements 457 with a structured penalty regime:

Daily fine: A base amount of R$ 10,000 per day of non-compliance, adjusted by institution size. For smaller fintechs and PIs, the amount can be lower; for large banks, significantly higher.

Precautionary suspension: The BCB can suspend an institution's participation in Pix if it finds violations of operational rules, technical manuals, or security standards.

Loss of participation (PIs): Payment institutions that fail to request formal authorization within the January–May 2026 window automatically lose their status as Pix participants.

Periodic monitoring: The BCB actively monitors participant conduct. Institutions with high rates of keys tied to irregular documents or with systematic validation failures will be notified and penalized.

Compliance checklist

To make sure your institution — bank, fintech, or PI — is compliant with Resolução BCB nº 457/2025:

  • Implement real-time CPF/CNPJ registration status validation via API
  • Validate the holder's name against the Receita Federal record
  • Delete existing keys tied to documents with an irregular status
  • Integrate BC Protege+ queries into the transaction flow
  • Set up 24×7 anti-fraud monitoring with behavioral analysis
  • Register anti-fraud service providers in Unicad (if applicable)
  • Obtain an assurance report from an independent auditor (for PSTIs)
  • Implement audit logs for every key registration decision
  • Configure alerts for registration status changes of existing holders
  • Request formal BCB authorization within the Jan–May 2026 window (for PIs)
  • Document a compliance plan with an up-to-date timeline

Conclusion

Resolução BCB nº 457/2025 is not just another regulation — it is a structural change in Pix security. Mandatory CPF and CNPJ validation against Receita Federal records raises the level of trust in the instant payments ecosystem and makes money-mule accounts and fraudulent keys significantly harder to use.

For fintechs, PIs, and banks, compliance is mandatory and the deadlines are already in effect. The good news is that the technical implementation is relatively simple: one API call in the key registration flow handles most of the compliance work.

FonteData offers CPF and CNPJ lookup endpoints with up-to-date Receita Federal data, sub-200ms responses, and integration in a few lines of code. Ideal for anyone who needs to automate compliance without reinventing the wheel.


Try the FonteData API

Look up CPF, CNPJ, registration status, and 100+ Brazilian data endpoints. Create your account and get R$ 50 in credits to test — no credit card required.

Create a free account →



This article is provided for informational and educational purposes only. It does not constitute legal advice, a legal opinion, or a regulatory recommendation. The information reflects the authors' understanding as of the publication date and may not account for subsequent regulatory changes. For specific guidance on regulatory compliance, consult a lawyer specializing in banking and regulatory law.


References

  1. Resolução BCB nº 457, of March 6, 2025
  2. Central Bank of Brazil — Pix anti-fraud and governance framework
  3. Resolução BCB nº 506/2025 — Penalty regime and PI authorization
  4. FonteData — API Documentation

Try the FonteData API

Query Brazilian company and individual data via API — CNPJ, CPF, KYC, compliance and more. R$50 in free credits to test.

Create free account →
Share: LinkedIn Twitter / X
R$ 50 in free credits Create free account