TL;DR: Resolução BCB nº 457/2025 (Brazilian Central Bank Resolution 457) has been in force since July 1, 2025. Every institution participating in Pix (Brazil's instant payment system) must validate CPF/CNPJ against Receita Federal records before registering, changing, or porting keys. This article explains what changed, who is affected, and how to automate compliance via API.
With Resolução BCB nº 457, of March 6, 2025, the Central Bank of Brazil began requiring every institution participating in Pix — banks, fintechs, and payment institutions (PIs) — to verify the registration status of CPFs (Brazilian individual taxpayer IDs) and CNPJs (Brazilian company registration numbers) with the Receita Federal (Brazil's federal tax authority) before any operation involving Pix keys. In practice, that means three things:
- Keys linked to CPFs and CNPJs with an irregular registration status are automatically deleted.
- New registrations, changes, portability requests, and claims all go through mandatory validation.
- Institutions that fail to comply face daily fines of R$ 10,000 (adjusted by institution size), under Resolução BCB nº 506/2025.
What changed with Resolução BCB nº 457/2025
Resolução BCB nº 457/2025 amended the Pix Rulebook to add a mandatory registration check to every operation involving Pix keys. Before this rule, a participating institution would register a key without querying the Receita Federal database — which allowed fraudsters to link keys to names that didn't match the CPF or CNPJ on record.
Under the new rule, before registering, changing, or porting a Pix key, banks, fintechs, and PIs must:
- Check the registration status of the CPF or CNPJ with the Receita Federal.
- Validate that the end user's name matches the name on the Receita Federal record.
- Reject the operation if the CPF/CNPJ is in an irregular status or if the names diverge.
This check applies to every key type — CPF, CNPJ, email, phone, and random key — because the link to the holder always runs through document validation.
What prompted the change
Pix moved more than R$ 26 trillion in 2025 and became Brazil's leading payment method. With that volume, fraud grew too: social engineering scams, money-mule accounts, and keys tied to irregular documents. Resolution 457 is part of a broader anti-fraud framework from the BCB that includes MED 2.0 (the Special Return Mechanism), mandatory queries to BC Protege+, and a penalty regime for non-compliance.
Which CPFs and CNPJs get blocked
The rule spells out exactly which registration statuses prevent Pix key registration:
Important: the restriction refers exclusively to registration status at the Receita Federal. Tax debts, negative credit bureau records at Serasa/SPC, or unpaid taxes do not block Pix usage. A CPF with "Regular" status can carry outstanding debt with the PGFN (Brazil's attorney general's office for the national treasury) and keep using Pix keys normally.
Implementation timeline
| Date | Milestone |
|---|---|
| 03/06/2025 | Publication of Resolução BCB nº 457/2025 |
| 07/01/2025 | Rule takes effect — mandatory validation for new key registrations |
| 12/01/2025 | Mandatory BC Protege+ query for all Pix transactions |
| 12/2025 | Deadline for anti-fraud service providers to register in Unicad |
| 01/01–05/01/2026 | Window for PIs to request formal authorization from the BCB (Resolução BCB nº 506/2025) |
| April 2026 | Email addresses can no longer change holders as Pix keys |
| Ongoing | Periodic BCB monitoring + fines for non-compliance |
Estimated impact: who is affected
According to Central Bank estimates, roughly 1% of all registered Pix keys are affected by the measure. That includes keys tied to CPFs of deceased individuals, documents with spelling errors in the Receita Federal database, and CNPJs of closed or inapt companies that still had active keys.
For the vast majority of Brazilians and companies with a regular registration status, nothing changes in everyday Pix usage. The measure specifically targets accounts that were being used irregularly — often as instruments of fraud.
What changes for fintechs and payment institutions
If your company operates as a payment institution, digital bank, or fintech that processes Pix, the obligations are direct and immediate. Resolution 457 affects the entire chain of participants — from large banks to smaller PIs.
By institution type
E-money issuers: Must validate CPF/CNPJ at digital account opening and before registering any Pix key. Since many run fully digital onboarding at high account volumes, automating the registration check via API is essential to protect account-opening SLAs.
Acquirers and sub-acquirers: Beyond their own merchants' (business) keys, they must ensure that keys tied to payment-split arrangements have a regular registration status. Inapt or closed CNPJs among marketplace sellers are a recurring pain point.
Payment transaction initiators (PISPs): While they don't register keys directly, initiators are required to query BC Protege+ before initiating a transaction. Cross-checking against registration status strengthens the anti-fraud layer.
Digital and traditional banks: Must implement validation for both individual and business customers, including continuous monitoring of already-registered keys. Size is no exemption — the fine scales, but the obligation is the same.
Operational obligations
Onboarding and KYC: Account opening and key registration flows must include real-time validation of the CPF/CNPJ registration status. Validating the document format is not enough — you must confirm its standing with the Receita Federal.
Continuous monitoring: This is not just a one-time check at registration. Institutions must run 24×7 anti-fraud monitoring with behavioral pattern analysis, with the ability to block suspicious operations.
Unicad registration: IT service providers (PSTIs) working on Pix anti-fraud must be registered in the BCB's Unicad system.
Audit reports: PSTIs must present a reasonable assurance report issued by an independent auditor.
Formal authorization (PIs): Resolução BCB nº 506/2025 sets a window between January 1 and May 1, 2026 for payment institutions to request formal authorization from the BCB. PIs that miss this deadline lose their status as Pix participants.
If your company is not a PI but uses Pix to receive payments, the impact is indirect: just keep your CNPJ in active status with the Receita Federal. If the CNPJ is suspended, inapt, or closed, the Pix keys linked to it will be deleted automatically.
MED 2.0: returns and anti-fraud blocking
Resolution 457 is part of a regulatory package that includes the evolution of the Special Return Mechanism (MED), now informally called MED 2.0. The main changes hit the operational flows of fintechs and PIs directly:
Immediate blocking with partial returns: Returns used to be a single-shot process. Now, funds can be returned in installments under strict deadlines, enabling recovery even when the money has been dispersed across multiple accounts.
Broader definition of fraud: MED now covers social engineering scams — where the victim is induced to make the transfer voluntarily, but under manipulation.
Transaction flagging: Once an account receives a fraud infraction notice, all Pix transactions involving that user are blocked (except returns). Key portability and claims are also barred.
BC Protege+ queries: Since December 1, 2025, institutions must query the BC Protege+ system before processing transactions, identifying fraud-flagged accounts in real time.
How to validate CPF and CNPJ via API
For fintechs and PIs that need to automate registration status checks, FonteData offers dedicated CPF and CNPJ lookup endpoints via REST API. Instead of integrating directly with the Receita Federal (a bureaucratic process, with no SLA and prone to instability), the FonteData API returns up-to-date Receita Federal data with sub-200ms latency.
Validation example in Python
import requests
FONTEDATA_API = "https://app.fontedata.com/api/v1/consulta"
API_KEY = "sua_chave_aqui"
SITUACOES_BLOQUEADAS_PF = {"SUSPENSA", "CANCELADA", "TITULAR FALECIDO", "NULA"}
SITUACOES_BLOQUEADAS_PJ = {"SUSPENSA", "INAPTA", "BAIXADA", "NULA"}
def validar_documento(documento: str) -> dict:
"""
Validates a CPF or CNPJ for compliance with Resolução BCB 457/2025.
Returns a dict with 'aprovado' (bool), 'situacao' and 'nome'.
"""
doc_limpo = documento.replace(".", "").replace("-", "").replace("/", "")
if len(doc_limpo) == 11:
tipo = "cpf"
bloqueadas = SITUACOES_BLOQUEADAS_PF
elif len(doc_limpo) == 14:
tipo = "cnpj"
bloqueadas = SITUACOES_BLOQUEADAS_PJ
else:
return {"aprovado": False, "erro": "Documento inválido"}
resp = requests.get(
f"{FONTEDATA_API}/{tipo}/{doc_limpo}",
headers={"X-API-Key": API_KEY},
timeout=10
)
resp.raise_for_status()
dados = resp.json()
situacao = dados.get("situacao_cadastral", "").upper()
return {
"aprovado": situacao not in bloqueadas,
"situacao": situacao,
"nome": dados.get("nome") or dados.get("razao_social"),
"tipo": tipo,
}
# Usage
resultado = validar_documento("11.222.333/0001-81")
if resultado["aprovado"]:
print(f"✓ {resultado['nome']} — situação: {resultado['situacao']}")
else:
print(f"✗ Bloqueado — situação: {resultado['situacao']}")
The situacao_cadastral field returns the exact status from the Receita Federal. Just check whether the value is in the blocked-status list to decide if the Pix key operation can proceed.
Practical implementation: the validation flow
The recommended flow for Resolution 457 compliance in the Pix key registration process:
Implementation watch-outs:
Latency: The API call must be fast enough not to degrade the user experience. APIs like FonteData respond in under 200ms — compatible with real-time onboarding flows.
Cache carefully: It's tempting to cache registration lookups, but statuses change (a CNPJ can be closed between one query and the next). We recommend caching registration status for no more than 24 hours, with mandatory revalidation on every new key operation.
Fallback: If the lookup API is unavailable, the key operation should be queued (not rejected), with automatic reprocessing when the service recovers. Rejecting on downtime creates unnecessary friction — especially for PIs with high onboarding volume.
Audit logs: Every query and decision (approval or rejection) should be logged with a timestamp, the document queried, the status returned, and the decision made. The BCB can request this evidence during inspections.
Penalties for non-compliance
Resolução BCB nº 506/2025 complements 457 with a structured penalty regime:
Daily fine: A base amount of R$ 10,000 per day of non-compliance, adjusted by institution size. For smaller fintechs and PIs, the amount can be lower; for large banks, significantly higher.
Precautionary suspension: The BCB can suspend an institution's participation in Pix if it finds violations of operational rules, technical manuals, or security standards.
Loss of participation (PIs): Payment institutions that fail to request formal authorization within the January–May 2026 window automatically lose their status as Pix participants.
Periodic monitoring: The BCB actively monitors participant conduct. Institutions with high rates of keys tied to irregular documents or with systematic validation failures will be notified and penalized.
Compliance checklist
To make sure your institution — bank, fintech, or PI — is compliant with Resolução BCB nº 457/2025:
- Implement real-time CPF/CNPJ registration status validation via API
- Validate the holder's name against the Receita Federal record
- Delete existing keys tied to documents with an irregular status
- Integrate BC Protege+ queries into the transaction flow
- Set up 24×7 anti-fraud monitoring with behavioral analysis
- Register anti-fraud service providers in Unicad (if applicable)
- Obtain an assurance report from an independent auditor (for PSTIs)
- Implement audit logs for every key registration decision
- Configure alerts for registration status changes of existing holders
- Request formal BCB authorization within the Jan–May 2026 window (for PIs)
- Document a compliance plan with an up-to-date timeline
Conclusion
Resolução BCB nº 457/2025 is not just another regulation — it is a structural change in Pix security. Mandatory CPF and CNPJ validation against Receita Federal records raises the level of trust in the instant payments ecosystem and makes money-mule accounts and fraudulent keys significantly harder to use.
For fintechs, PIs, and banks, compliance is mandatory and the deadlines are already in effect. The good news is that the technical implementation is relatively simple: one API call in the key registration flow handles most of the compliance work.
FonteData offers CPF and CNPJ lookup endpoints with up-to-date Receita Federal data, sub-200ms responses, and integration in a few lines of code. Ideal for anyone who needs to automate compliance without reinventing the wheel.
Try the FonteData API
Look up CPF, CNPJ, registration status, and 100+ Brazilian data endpoints. Create your account and get R$ 50 in credits to test — no credit card required.
Read next
- Alphanumeric CNPJ 2026: What Changes for Developers
- ECA Digital: Age Verification via CPF
- CPF Lookup via API: How to Automate Validations
This article is provided for informational and educational purposes only. It does not constitute legal advice, a legal opinion, or a regulatory recommendation. The information reflects the authors' understanding as of the publication date and may not account for subsequent regulatory changes. For specific guidance on regulatory compliance, consult a lawyer specializing in banking and regulatory law.
References
Try the FonteData API
Query Brazilian company and individual data via API — CNPJ, CPF, KYC, compliance and more. R$50 in free credits to test.
Create free account →