Brazil's central bank has issued a rule that will force companies dealing in virtual assets to pass independent audits before they can get the green light to operate. Normative Instruction No. 739, published by the Banco Central do Brasil, applies to all Virtual Asset Service Providers — VASPs for short — that want to run legally in the country.
What the audit requirement means
The instruction says VASPs must undergo audits carried out by third-party entities that the central bank itself approves. The move effectively gives the regulator a gatekeeping role: no approved audit, no operational authorization. The central bank didn't specify how often audits would be needed or what exactly auditors must check, but the baseline is clear — every firm seeking authorization has to bring in an outside reviewer.
Why the central bank stepped in
Brazil has been tightening its grip on the crypto sector for years. The country's Securities and Exchange Commission (CVM) already regulates certain digital assets, and a 2022 law gave the central bank authority over VASPs. Normative Instruction No. 739 is the first concrete step toward enforcing that law. By requiring independent audits, the central bank aims to ensure that firms have proper controls, accurate records, and enough capital — all without relying on the companies' own word.
Who has to comply
The rule covers any entity that offers services involving virtual assets — exchanges, custody providers, brokers, and similar businesses. The central bank's definition of a virtual asset is broad and includes cryptocurrencies, tokens, and other digital representations of value that can be traded or transferred. Firms that already operate without authorization will need to pass an audit as part of their licensing application. The instruction doesn't give a grace period; it takes effect immediately.
The biggest question now is which audit firms the central bank will approve. The instruction says the regulator will maintain a list of authorized auditors, but that list hasn't been published yet. Companies that want to apply for authorization must first line up an auditor from that future list — a Catch-22 until the central bank releases the names. VASPs are waiting for that list and for any additional guidance on audit scope, timelines, and reporting formats. Without those details, firms can only prepare their books and hope the approved auditors are ready to work quickly.
