Brazil's Central Bank has introduced new Pix security rules limiting transfers on unrecognised devices and enabling precautionary holds.
Under the new rules, users accessing their accounts from a device not yet registered with their financial institution will face a temporary transfer limit of approximately USD 40 (BRL 200) per transaction, with a daily ceiling of USD 201 (BRL 1.000). These restrictions remain in place until the device is formally validated by the relevant bank.
Precautionary holds and fraud detection
Alongside the device-based limits, the updated framework introduces a precautionary lock mechanism. Financial institutions, including Nubank, Itaú Unibanco, and Caixa Econômica Federal, are now authorised to hold incoming transfers for up to 72 hours when transactions are flagged as potentially suspicious. During this period, the funds remain in the recipient's account but are unavailable for use while the institution conducts an internal review. If the transaction is cleared, the funds are released in full. If fraud is confirmed, the amount is returned to the sender's account.
The Central Bank stated that the device validation requirement is designed to confirm that account access is being carried out by the legitimate account holder, rather than a third party. The restriction is triggered automatically whenever the system detects access that falls outside a user's established usage pattern.
Existing night-time limits retained
The previously established overnight transfer limit (USD 20/BRL 1.000 for individual users between 20:00 and 06:00) has been retained. This measure was originally introduced to mitigate crimes such as express kidnappings and extortion, which have historically been more prevalent during those hours. Users may request an increase to this limit, though financial institutions conduct a risk assessment prior to any approval, and the process is not instantaneous.
Context and implications
Launched in November 2020, Pix has grown into one of the most widely adopted instant payment systems globally, processing billions of transactions annually across Brazil. Its rapid uptake has been accompanied by a corresponding rise in fraud, including social engineering attacks and unauthorised account access. The new measures represent a continuation of the Central Bank's incremental approach to tightening the system's security architecture without significantly disrupting the user experience for standard transactions conducted on recognised devices.
The precautionary hold mechanism, in particular, reflects a broader shift towards real-time fraud intervention at the institutional level, placing greater responsibility on banks to monitor transaction patterns and act accordingly. For the payments ecosystem, these updates signal that regulatory expectations around fraud liability and detection capabilities are likely to continue rising as instant payment volumes grow.
