The governance question in LATAM banking has a specific and concrete form that does not exist in other markets. When a customer files a fraud dispute under MED 2.0, the bank has 11 days to trace the funds across the chain of intermediate accounts, apply preventive blocks at each node, and either recover the funds or explain why they could not be recovered. That process requires an AI system that can map real-time transaction chains, identify fraudulent flows, and trigger automated responses faster than the fraudster can move the money. A bank that meets this obligation with a rule-based system or a batch-scored model is not meeting it at all — the system cannot do what the obligation requires.
This is governance in its most practical form: building AI infrastructure that actually does what the regulatory requirement needs it to do, rather than infrastructure that appears to satisfy the requirement on paper while failing in practice. The banks that learned this at their own expense are the ones that built Pix fraud models which scored off the critical path, achieved strong offline performance metrics, and discovered at the point of a regulatory enquiry or a high-value fraud event that their model was detecting fraud rather than preventing it. The distinction, as established in the earlier pieces in this series, is not refinement. It is the entire value of the programme.
Brazil’s regulatory stack creates specific architecture requirements
The Banco Central do Brasil’s requirements for Pix fraud governance are unusually precise by global standards, because the specific failure mode is well understood: the MED mechanism was designed to address fraud that rules-based systems allowed through, and MED 2.0 was designed to address the limitation of the original MED that fraudsters learned to exploit by moving funds quickly through chains of mule accounts. Each iteration of the regulatory requirement reflects a specific technical failure in the previous architecture. Institutions that understand this pattern — that the BCB is responding to demonstrated technical failures, not imposing generic governance standards — build their AI systems against the actual failure mode rather than the apparent requirement.
BCB Resolution 6 mandates information sharing on suspected fraud cases among financial institutions — a requirement that creates both a data access opportunity and a governance obligation. Institutions contributing to and consuming from shared fraud intelligence need AI systems that can incorporate external signals, apply them in real-time scoring, and maintain the audit trail that documents how each signal was used. The LGPD data localisation constraint means this must happen on domestically resident infrastructure: models trained on data that includes customer transaction information cannot be run on external servers outside Brazil’s regulatory jurisdiction. This is not primarily a compliance overhead — it is a design constraint that shapes the entire AI architecture. Institutions that discover it late face expensive re-engineering of deployed systems.
CNBV guidance in Mexico, SBS requirements in Peru, and Superfinanciera guidance in Colombia are at earlier stages of development than Brazil’s framework but are converging on similar requirements: explainable AI models for credit decisions, audit trails for fraud determinations, and governance documentation proportionate to the risk of the decision system. The BCB’s framework is the preview of where these national regulators are heading. Institutions building governance-grade AI infrastructure for Brazil today are building the template for the rest of the region.
The compliance view and the advantage view produce different institutions
The framing that produces poor outcomes is the same everywhere, with a LATAM-specific manifestation. Under the compliance view: governance is a box to check, documentation is a cost to minimise, explainability constrains model development, and audit trails are legal liabilities. In the Pix context, this framing produces banks that build fraud models with strong offline performance metrics that score off the critical path, satisfy the letter of BCB reporting requirements while failing the substance of MED 2.0’s multi-hop tracing obligation, and cannot demonstrate to examiners that their model was actually positioned to prevent the losses it claims to have addressed.
The advantage view produces materially different outcomes. Banks that build Pix fraud models with inline scoring architecture — positioned before payment initiation — prevent losses rather than detecting them. Banks that build audit trail infrastructure into their fraud systems accumulate labelled outcome data on every Pix transaction scored, creating a continuously improving model that rule-based competitors and models without logging cannot match. Banks that build thin-file credit models with governance documentation from the outset can deploy to the informal-sector customer base that represents the most significant credit market expansion available in Latin America, because they can demonstrate to BCB examiners and internal credit committees that the model’s decisions are explainable and its performance is measurable. And banks that build LGPD-compliant locally-trained models on domestic infrastructure are building the architecture that serves the Brazilian market correctly, rather than discovering compliance gaps in production.
The financial difference between these postures is quantifiable. Retrofitting inline scoring architecture, MED 2.0-compliant tracing infrastructure, and LGPD-compliant data localisation onto models that were not designed to accommodate them typically costs three to five times more than building them correctly from the start — because the work touches payment processing pipelines, real-time scoring infrastructure, model serving architecture, and regulatory documentation across the entire deployment. The recovery rate data makes the case precisely: Brazil’s Pix-specific fraud losses reached R$6.5 billion in 2025, with an estimated 7% fund recovery rate under the original MED mechanism. The marginal cost of building inline scoring from the start is a fraction of R$6.5 billion annually. The cost of building it retrospectively, under MED 2.0 enforcement conditions, is substantially higher than building it correctly the first time.
The regional opportunity compounds for those who move first
The strategic argument in LATAM has a dimension absent from every other region in this series: Colombia, Chile, and Peru are deploying instant payment platforms directly modelled on Pix. The fraud challenges Brazil faces today — irrevocable settlement, social engineering at scale, thin-file exclusion — will reach these markets as their real-time payment volumes grow. Brazil is not an isolated case. It is the leading indicator of the regional trajectory.
An institution that builds governance-grade AI fraud infrastructure for the Brazilian Pix context builds something that scales. The model architecture, the inline scoring infrastructure, the MED 2.0-compliant tracing capability — none of these are Brazil-only investments. They are the foundation for regional AI infrastructure that extends across LATAM as each market reaches the same inflection point Brazil has already passed. The outcome data accumulated on Brazilian Pix transactions provides a training base that models deployed in Colombia, Chile, or Peru will benefit from, because the fraud typologies, the social engineering patterns, and the mule account structures share substantial commonality across the region.
The three paths available to institutions are the same as in every other market in this series. Lead, by building governance-grade AI for the highest-priority decision — real-time Pix fraud scoring — with inline architecture, MED 2.0-compliant tracing, and the governance infrastructure that turns each decision into a labelled training example. Follow, by waiting for internal consensus at the cost of first-mover advantage in model quality and a shortening window before MED 2.0 enforcement consequences accumulate. Or defer, which in the Brazilian Pix context ends in the same place deferred programmes always end — a crisis-driven reactive programme, built under enforcement pressure, in the worst possible conditions.
Brazil processed 63.4 billion transactions in 2024 on an irrevocable rail. The number grows every month. The fraud surface expands with it. The institutions that build prevention capability before the fraud rate compounds are building on their own terms. The ones that wait are building under conditions they do not control.
Part 3 of 3.
Sources
Banco Central do Brasil. Pix Transaction Statistics. 2024 Annual Data. Banco Central do Brasil. MED 2.0 — Special Refund Mechanism enhanced version. Mandatory compliance from February 2, 2026; enforcement penalties from May 2026. Banco Central do Brasil. Resolution No. 6 — Mandatory fraud intelligence sharing among financial institutions. 2023. Banco Central do Brasil. BCB Resolution 589 — Self-service MED functionality requirement. Effective October 2025. Brazil. Lei Geral de Proteção de Dados (LGPD) — data localisation and processing requirements. Silverguard. X-Ray of Pix Scams 2024. MED refund denial rate analysis. ClearingPost. Brazil Enforces Pix MED 2.0 After R$6.5 Billion in 2025 Losses. March 2026. CNBV (Mexico). AI Model Governance and Explainability Guidance. SBS (Peru). Digital Credit Risk Management Requirements. Superfinanciera (Colombia). AI in Financial Services Guidance.
