

The Brazilian payment system moves trillions of reais per year. Pix, by itself, has surpassed traditional instruments and become the backbone of transactions in the country. Behind this infrastructure, operating in the background and often invisible to the end user, are the PSTIs: the Information Technology Service Providers that connect banks, fintechs, and cooperatives to the National Financial System Network (Rede do Sistema Financeiro Nacional).
For years, this critical role was exercised with moderate regulatory oversight. The second half of 2025 changed that. A series of cyber incidents with great financial impact, all with common points, revealed a truth the sector already knew in theory: anyone operating in the critical infrastructure of the financial system is, by definition, a target. And targets need active defense, not just good contractual practices.
BCB Resolution No. 498, published on September 5, 2025, was the regulatory response to this realization.
Resolution 498 is extensive. It covers corporate governance, minimum capital, continuity management, internal controls policies, annual external audit, and a series of essential technical security requirements. For those who have not yet read the full text, Art. 17 is the heart of the regulation from a cybersecurity perspective.
It is there that the Central Bank details what a PSTI’s information and cybersecurity policy must contemplate, at a minimum. There are fourteen items. Item XIV is what most distinguishes this regulation from everything the regulator had published before:
“cyber intelligence actions, including the monitoring of information of interest (clients, keys, credentials, vulnerabilities, etc.) on the Internet, Deep and Dark Web, in addition to private communication groups.”
It is the first time the Central Bank has used the term “cyber intelligence” literally and positively in a resolution. And not by chance: it was exactly the absence of this type of monitoring that allowed company credentials to circulate freely in environments no one was observing, until someone successfully used them.
IN 664/2025, which complemented Resolution 498 with implementation deadlines, placed cyber intelligence actions in the group of priority requirements, with an adaptation period of only 15 days for PSTIs already in operation. The BC left no doubt about the urgency it attributes to the topic.
Resolution 498 says what must be done. It does not say how.
This is absolutely normal: regulations define requirements, not methodology. But it creates a real challenge for PSTIs, especially smaller ones. An item in Art. 17 that mentions “monitoring of credentials on the Deep and Dark Web and private communication groups” immediately raises a practical question: how does a technology company in the financial system, which is not a security company, structure this capability?
There are three paths. The first is to hire an off-the-shelf threat intelligence platform and believe that solves it. The second is to try to assemble an internal team capable of operating in depth on the surface, deep, and dark web, which can be expensive. The third is to hire a platform that includes a specialized service and analysts dedicated to your context.
Experience shows that apparent compliance does not translate into real protection. An off-the-shelf platform delivers data, which can be genuinely useful, but it is not the same as having people fighting for you: real analysts, interested in the context of your operation.
Intelligence is data analyzed by specialists who understand what that data means for your organization, for your sector, at that moment.
Resonant was created as an analyst-driven, not dashboard-driven, threat intelligence service. The model starts from a simple premise: Item XIV of Art. 17 of Resolution 498 cannot be fulfilled only with a data feed subscription. It requires active, contextualized monitoring capable of generating action.
Monitoring of credentials and client data in external environments
The vector of recent attacks has been credential compromise and the co-option of employees (insiders). Resolution 498 explicitly requires the monitoring of credentials on the Internet, Deep and Dark Web. Resonant maintains active coverage in these environments, with the capacity to identify when credentials of a PSTI or its client institutions appear in leaks, clandestine marketplaces, or specialized forums, before they are used.
Monitoring of private communication groups
The regulation explicitly mentions “private communication groups,” which includes channels on Telegram, groups on Discord, and closed communities where attacks are planned, tools are commercialized, and targets are discussed. This type of coverage requires specific presence and methodology, in addition to an ability to navigate the cybercrime ecosystem, mastering its own language and nuances, something that cannot be automated.
Coverage of Pix keys and assets in the payment ecosystem
Resolution 498 includes “keys” among the items of interest to be monitored. Pix Keys, digital certificates, domains, and other assets critical to a PSTI’s operation are elements that can be exploited as attack vectors. Resonant structures monitoring around the specific asset profile of each client.
Actionable alerts, not compliance reports
The difference between an intelligence service and an off-the-shelf product for compliance purposes is what happens after detection. A generic alert about a credential leak does not help a PSTI decide what to do in the next thirty minutes. An analyst who knows your infrastructure, your risk profile, and the active threats in your sector can help translate the finding into a decision.
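The three capabilities described above (credential monitoring, asset-profile coverage including Pix keys, and alerts that carry a decision) share one mechanical core: matching what collectors bring back from external sources against the organisation's own watchlist and attaching context before anyone sees it. The following Python sketch is an added illustration of that core, not Resonant's code and not anything the Resolution prescribes. The asset profile, the collector records, the account names, the password strings and the Pix key (a random EVP-style UUID) are all constructed for the example; the playbook actions are assumptions about what a first response step might look like.

```python
import re
from dataclasses import dataclass

# Constructed asset profile for a hypothetical PSTI; every value here is made up.
ASSET_PROFILE = {
    "domains": {"exemplopsti.com.br", "coopcliente.coop.br"},
    # Random (EVP) Pix key, a constructed UUID, not a real key.
    "pix_keys": {"123e4567-e89b-12d3-a456-426614174000"},
}

# Severity and the first response step attached to each finding kind (assumed playbook).
PLAYBOOK = {
    "credential": ("critical", "force password reset and revoke active sessions for the account"),
    "pix_key": ("high", "verify key ownership and review recent transactions on the key"),
    "domain": ("medium", "confirm whether the mention is a phishing or targeting indicator"),
}
RANK = {"critical": 0, "high": 1, "medium": 2}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# email followed by ':' or '|' and a secret: the usual shape of a leaked credential pair
CRED_RE = re.compile(r"([\w.+-]+@[\w-]+(?:\.[\w-]+)+)[:|]\S+")
UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)


@dataclass
class Finding:
    kind: str          # credential | pix_key | domain
    value: str         # the watched asset that was matched
    severity: str
    first_seen: str    # earliest sighting of this asset across all records
    sources: list      # every source that mentioned it, in time order
    action: str        # what the analyst hands to the client with the alert


def extract(record: dict, profile: dict) -> list:
    """Return the findings a single collector record produces against the watchlist."""
    text = record["text"]
    found = []
    cred_emails = {m.group(1).lower() for m in CRED_RE.finditer(text)}
    for email in {m.group(0).lower() for m in EMAIL_RE.finditer(text)}:
        domain = email.split("@", 1)[1]
        if domain not in profile["domains"]:
            continue  # someone else's asset: noise for this client
        kind = "credential" if email in cred_emails else "domain"
        sev, action = PLAYBOOK[kind]
        found.append(Finding(kind, email, sev, record["ts"], [record["source"]], action))
    for key in {m.group(0).lower() for m in UUID_RE.finditer(text)}:
        if key in profile["pix_keys"]:
            sev, action = PLAYBOOK["pix_key"]
            found.append(Finding("pix_key", key, sev, record["ts"], [record["source"]], action))
    return found


def triage(records: list, profile: dict = ASSET_PROFILE) -> list:
    """Match every record, merge sightings of the same asset (keeping the earliest
    timestamp and escalating severity when a later record is worse), sort by severity."""
    seen = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        for f in extract(rec, profile):
            prev = seen.get(f.value)
            if prev is None:
                seen[f.value] = f
                continue
            prev.sources.append(f.sources[0])
            if RANK[f.severity] < RANK[prev.severity]:
                # same asset, now with a worse finding: keep history, raise the alert
                f.first_seen, f.sources = prev.first_seen, prev.sources
                seen[f.value] = f
    return sorted(seen.values(), key=lambda f: (RANK[f.severity], f.first_seen))


# Constructed sample records imitating what collectors hand to an analyst; secrets are fake.
SAMPLE_RECORDS = [
    {"ts": "2025-09-10T02:14:00Z", "source": "paste-site",
     "text": "combo: ana.silva@exemplopsti.com.br:Senha!2025"},
    {"ts": "2025-09-09T22:05:00Z", "source": "private-group",
     "text": "alguem tem acesso? ana.silva@exemplopsti.com.br ta na lista"},
    {"ts": "2025-09-11T08:00:00Z", "source": "forum",
     "text": "chave 123e4567-e89b-12d3-a456-426614174000 vendendo acesso"},
    {"ts": "2025-09-11T09:30:00Z", "source": "paste-site",
     "text": "user@outra-empresa.com.br:abc123"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity.upper()}] {f.kind} {f.value} first seen {f.first_seen} "
              f"via {', '.join(f.sources)} -> {f.action}")
```

Two design points matter more than the regexes. First, the merge step is what turns "the account was discussed in a private group" plus "the account's password appeared on a paste site" into one critical alert with the full timeline, which is the kind of context the text says a generic feed does not provide. Second, the record from the unrelated domain produces nothing: filtering on the client's own asset profile is how a service avoids flooding a PSTI's team with noise.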
Sectoral context: Brazilian financial system
The threat ecosystem affecting PSTIs in Brazil has specific characteristics: groups operating against the national financial system, techniques prevalent in the regional context, and campaign patterns that repeat in the sector. This contextual intelligence is not available in global feeds. It is built by those who monitor the scenario closely, in the right language, with the right sources.
It is tempting to view Item XIV of Art. 17 of Resolution 498 as just another box to check in the accreditation process. Hire a decontextualized platform that will flood your team with noise, generate evidence that some monitoring is underway, and move on.
The risk of this approach is not just regulatory. It is operational.
The Central Bank made it clear in Art. 31 of Resolution 498 that it can adopt precautionary measures in case of security incidents, including the total or partial suspension of connection to the RSFN. In a successful attack scenario, not having active and contextualized monitoring of external environments is not just a compliance failure. It is the absence of the capability that can prevent an incident.
And, in context, after the attacks reported in the press, no one in the Brazilian financial system should need another example to understand what that means.
Resonant was built so that the next target is not you.
Talk to our team.