Law No. 12,414/11, as amended and regulated by Decree No. 9,936/19, regulated the formation and consultation of databases with information on performance, mandating, in its article 12, paragraph 3, that the National Monetary Council (CMN) adopt complementary measures and standards on the provision of information by institutions authorized to operate by the Central Bank of Brazil (BC).
In this sense, CMN Resolution No. 4,737, issued on July 29, addresses the following topics:
- the provision of information to database managers registered by the BC;
- the obtainment of and the scenarios for cancellation of the registration as database managers in the BC; and
- the designation and qualifications required for the positions of officer responsible for database management and officer responsible for information security policy.
Provision of information. With respect to item “a” above, the resolution requires financial institutions and other institutions authorized to operate by the BC to provide registered database managers with the information that makes up the history of transactions conducted with their customers, including: (i) credit transactions; (ii) leasing transactions; (iii) self-financing transactions through consortium groups; and (iv) other transactions with characteristics of credit extension.
For the purposes of the new standard, information on the history of a particular transaction, as well as on amounts involved, form of payment, and installments paid by the customer is considered.
The provision of data on the transactions performed does not imply breach of the bank secrecy provided for in Complementary Law No. 105/01, provided that the (registered) customer has expressly requested its inclusion to the database manager. It is important to highlight that both financial institutions and other institutions authorized to operate by the BC and database managers must comply with the provisions of Law No. 13,709/18, as amended (General Personal Data Protection Law), concerning the parameters applicable to the use of personal data.
The standard also establishes that, upon transfer or sale of a transaction, the institution responsible for providing the data is the one that keeps the accounting record of the transaction among its assets, as provided for in current regulations.
Registration of managers and qualifications required. Resolution No. 4,737/19 defines the requirements for database managers to obtain a registration with the BC, including the designation of the officer responsible for database management and the officer responsible for information security policy. They will hold their positions for a maximum term of four years, renewable for equal periods.
Officers must meet a number of requirements under the new resolution for them to be able to perform their duties, including, but not limited to: (i) having an unblemished reputation; (ii) not being prevented by special law, or convicted of a bankruptcy crime, tax evasion, malfeasance, active and passive corruption, graft, embezzlement, crimes against the popular economy, the public faith, property, or the National Financial System, or sentenced to criminal punishment that prohibits, even temporarily, access to public office; (iii) not being declared unqualified for or suspended from the exercise of the positions of audit committee member, member of the board of directors, executive officer, or managing partner in financial institutions and other institutions authorized to operate by the BC; and (iv) not being declared bankrupt or insolvent.
Both officers must also have technical qualifications commensurate with the duties of their positions, proven on the basis of academic background, professional experience, or technical knowledge specific to their occupations.
The conditions listed above shall also be observed by members of controlling groups, in the case of a database manager organized as a corporation or limited liability company, except for managers controlled exclusively by institutions authorized to operate by the BC. For the purposes of the CMN's resolution, a controlling group is a group that holds partner rights corresponding to the majority of the voting capital of a corporation or 75% of the capital stock of a limited liability company.
Registration of database managers may be rejected by the BC if circumstances that affect the reputation of the members of the controlling group and/or the officers appointed are found. Another scenario for rejection is omission or provision of documents, data, or information that is incorrect or in disagreement with the applicable standards, considering the circumstances of each specific case and the public interest.
Resolution No. 4,737/19 also provides for situations for cancellation of the registration of database managers, which may occur in the event of: (i) non-compliance with the conditions set forth in the standard in question; (ii) omission or provision of documents, data, or information that is incorrect or in violation of legal or regulatory standards; or (iii) absence of appointment of a substitute for the duties of officer responsible for database management or a officer responsible for information security policy, 45 days after the discharge of an officer responsible for these functions. In all cases, database managers will be given a deadline to respond to the cancellation of their registration.
