COAF (Conselho de Controle de Atividades Financeiras), or the Financial Activities Control Council, was established with the enactment of Law No. 9,613/98 as a Financial Intelligence Unit (“FIU”) endowed with a certain degree of independence in relation to investigative and judicial bodies. Its purpose was to regulate, investigate, and sanction conduct that indicated the practice of money laundering.
Currently, COAF (Council for Financial Activities Control) operates as an autonomous entity, although it has been linked to the Central Bank of Brazil since January 2020. This institutional alignment enabled the revision of the policy for reporting financial transactions to the intelligence unit in the financial sector as part of anti-money laundering efforts, formalized through Circular No. 3,978 DC/BACEN, dated January 23, 2020.
The implemented change in the regulatory paradigm updates the then-current prescriptive prevention model (“rule-based”) to a risk-based model (“risk-based”). This means establishing a system for identifying and reporting suspicious transactions to COAF guided by the risk of transactions and the profiles of clients and third parties with whom the financial institution contracts. This contrasts with the previous system, which imposed the duty to report based mainly on the amount transacted.
In other words, it will be up to the regulated institutions themselves to identify and analyze, within a margin of discretion, suspicious situations now defined as “any operation or situation that presents evidence of the use of the institution for the practice of money laundering and terrorist financing crimes” (art. 38, §1º), for subsequent reporting to COAF.
This margin of discretion is mentioned because, while the Circular is based on the idea of self-regulation, with institutions guiding their activities based on internal guidelines, it also imposes obligations to collect essential information from the client and the transaction.
The impacts of adopting policies for the prevention of money laundering based on a risk-based approach have already been discussed internationally, especially after the publication of the 4th EU Money Laundering Prevention Directive – Directive [EU] 2015/849, whose full transposition into the national law of Member States became mandatory as of January 2020.
This experience reveals that, while this paradigm shift requires regulated institutions to readjust their institutional structures, make improvements in IT, train personnel, and strengthen compliance teams, it will also demand a lenient approach from COAF itself in the application of future sanctions. This is because the imposition of sanctions arising from any breaches of risk-based prevention duties, based on this greater discretion given to the private sector, will generate a phenomenon of “over-reporting” by regulated institutions. That is, fearing liability, they will lower their internal standards of suspicion and increase the volume of reports sent to COAF.
The 2023 COAF Integrated Management Report revealed that the agency has accumulated over 50 million suspicious transaction reports from obligated entities. Of these, 7.6 million were received in the last year alone. The autonomy of the private sector, coupled with the fear of sanctions for failure to report suspicious conduct, contributes to the high number of reports without necessarily ensuring the quality of the information submitted. This scenario makes it difficult for the agency to conclude on the existence of well-founded evidence of the commission of an offense and to prepare a Financial Intelligence Report for submission to the authorities, thus compromising the effectiveness of the system.
In Europe, this phenomenon of “over-reporting,” in addition to increasing operating costs for the banking sector and public administration, is already associated with a decrease in the level of attention given by agencies, usually explained with recourse to the fable of “the boy who cried wolf,” wherein, analogously, the increase in the volume of reports will lead to a natural discredit of the material received by the financial intelligence unit.
Therefore, the regulatory change to a risk-based prevention system requires significant adaptations from both regulated institutions and COAF. The challenge lies in finding a balance for private sector collaboration with the submission of effectively relevant information, ensuring that COAF focuses its efforts on identifying truly suspicious activities and protecting the financial system.
