CDC, LGPD and BACEN: what each regulation requires for automated collections

A practical guide to the three regulatory pillars every AI-powered collections operation in Brazil must follow, and how Dyvit implements each one by design.

Legal & Product Team · Dyvit
12 Feb 2026

Automated collections in Brazil does not operate in a regulatory vacuum. Quite the opposite: it is one of the most heavily regulated segments of the financial market, with overlapping rules covering consumer relations (CDC), personal data processing (LGPD), and payment infrastructure (BACEN).

Companies that treat compliance as an afterthought, something to be dealt with when regulators come knocking, are building on sand. Companies that embed compliance into their architecture are building with a competitive advantage.

This guide is not legal advice. It is a practical mapping of the key obligations and how each one is implemented in an AI-powered collections system.

CDC: Consumer Defense Code

The CDC (Código de Defesa do Consumidor) is the foundation. Article 42 establishes the core principle: a delinquent consumer cannot be publicly shamed, threatened, or subjected to harassment. Simple in theory, complicated in practice when you have hundreds of human agents with autonomy over tone.

What the CDC prohibits in collections

Prohibited hours: contact for collection purposes before 8 AM and after 8 PM on weekdays, and on Sundays and holidays. Many automated systems ignore this. The risk is not just a fine: it is the nullification of the entire collection procedure and moral damages owed to the consumer.

Disclosure to third parties: it is forbidden to reveal the debtor's delinquency status to third parties, including neighbors, coworkers, and relatives. Collection at a workplace is only permitted when there is no other means of contact.

Threats and harassment: any language that implies disproportionate consequences, references nonexistent criminal charges, or applies abusive psychological pressure constitutes a violation. "Your information will be forwarded to the Public Prosecutor's Office": a lie and a violation.

How Dyvit implements this

The agent operates within windows configured by the creditor, with a hard limit on CDC-mandated hours. Every message passes through a language filter that identifies and blocks harassment patterns before sending. Tone is configurable, but legal boundaries are not.

The "automated agent" question in consumer relations

The CDC does not explicitly address AI agents. It was written in 1990. But SENACON (the National Consumer Secretariat) has already published technical notes indicating that consumer relations mediated by AI are governed by the same principles: transparency, identification, and respect for the consumer.

In practice: the agent must identify itself as automated when asked. It does not need to introduce itself as a "robot" in every message, as that would be counterproductive, but it cannot claim to be human. Dyvit configures the agent to identify itself as "Dyvit assistant" and, if directly questioned about its nature, confirm that it is an automated system.

LGPD: General Data Protection Law

The LGPD (Lei Geral de Proteção de Dados, Brazil's equivalent of the GDPR) came into force in 2020 and established a comprehensive framework for processing personal data in Brazil. For collections operations, the critical points are: legal basis for processing, purpose limitation, data minimization, retention periods, and data subject rights.

Legal basis for collections

Debt collection falls under two LGPD legal bases: fulfillment of a legal obligation (when there is a contract with the debtor) and legitimate interest (for credit recovery). This means you do not need the debtor's consent to collect, but you do need proportionality and transparency.

What does require explicit consent: using the debtor's data for purposes beyond collection (profile enrichment for marketing, for example), using data for a debt unrelated to the original relationship, and sharing with third parties for purposes not originally specified.

Data subject rights that impact operations

| LGPD Right | Impact on Collections | How to implement |
| --- | --- | --- |
| Access to data | Debtor can request which data you hold about them | Privacy portal with export within 15 days |
| Correction | Debtor can correct inaccurate data (phone, email) | Direct channel for updates with confirmation |
| Objection to processing | Can object to the use of data for automated collection | Immediate and permanent opt-out recorded in the system |
| Portability | Can request their data in a structured format | Export in JSON/CSV within 15 days |
| Deletion | Can request erasure after debt settlement | Deletion within 30 days after settlement, subject to mandatory minimum retention |

Data retention: the deadline everyone forgets

The LGPD does not set a single retention period. It requires that retention be proportional to the purpose. For credit operations, Brazil's Civil Code prescribes a 5-year statute of limitations for collections. BACEN requires financial transaction records to be maintained for 5 years. In practice: collections data must be retained for 5 years after settlement or prescription, then deleted or anonymized.

How Dyvit implements this

100% storage in Brazilian data centers. Automatic 5-year retention policy with scheduled deletion. Data subject rights portal integrated into the creditor dashboard. Immutable consent and opt-out logs.

BACEN: Central Bank of Brazil

BACEN (Banco Central do Brasil) regulates collections both indirectly (through regulation of financial institutions that originate credit) and directly (through regulation of Pix and the payment system). For an AI-powered collections company, three points are relevant.

Incident recording and auditability

All collection communications mediated by a digital platform must be auditable. BACEN requires financial institutions to maintain records of all interactions with delinquent customers for a minimum of 5 years, with the ability to provide quick access in the event of a complaint filed with the Central Bank or PROCON (Consumer Protection Agency).

In practice, this is a requirement for complete conversation logs. Every message sent, every response received, every Pix link generated: everything must be recorded and linked to the specific contract.
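
One way to make the conversation log described above (and the "immutable" consent and opt-out logs mentioned earlier) tamper-evident is a hash chain, sketched here as an added example that is not Dyvit's code. The field names, event kinds, contract ids and the idea of keeping the head hash outside the log's own storage are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class ConversationLog:
    """Append-only log in which every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, contract_id, kind, payload, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "contract_id": contract_id,
                "kind": kind, "payload": payload, "ts": ts, "prev": prev}
        self.entries.append(dict(body, hash=_digest(body)))
        return self.entries[-1]["hash"]  # head hash, to be stored outside the log

    def for_contract(self, contract_id):
        # Everything recorded for one contract, e.g. to answer a complaint.
        return [e for e in self.entries if e["contract_id"] == contract_id]


def verify(entries, expected_head=None):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # entries were dropped from the end
    return None


def sample_log():
    # Constructed events: contract ids, timestamps and texts are made up.
    log = ConversationLog()
    log.append("CTR-001", "message_sent", "Dyvit assistant: your invoice is overdue.", "2026-02-12T10:00:00-03:00")
    log.append("CTR-001", "response_received", "Can I get a discount?", "2026-02-12T10:04:10-03:00")
    log.append("CTR-002", "message_sent", "Dyvit assistant: payment reminder.", "2026-02-12T10:05:00-03:00")
    head = log.append("CTR-001", "pix_link_generated", {"link_id": "PIX-EXAMPLE-1", "amount": "150.00"}, "2026-02-12T10:06:30-03:00")
    return log, head
```

Without an independently stored head hash, an attacker who can rewrite the whole store can also recompute every hash, and dropping entries from the end goes unnoticed; the chain only proves integrity relative to that external anchor.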

Pix regulation in the collections context

BCB Resolution No. 1 governs Pix collection links. The main requirements: clear identification of the beneficiary (the creditor), explicit amount and due date, a valid Pix key registered in the DICT (Directory of Transaction Identifiers), and cancellation of the original collection link when a discount agreement is reached. You cannot generate a new link and leave the original one active.

White-label and subcontracting

Collection companies operating on behalf of BACEN-regulated financial institutions are subject to the Central Bank's indirect scrutiny. This means the creditor is responsible for the acts of its collection service provider. Due diligence must be documented.

Compliance is not a cost. It is a filter that eliminates competitors who cut corners. CDC, LGPD, and BACEN regulations create a barrier to entry for those who build correctly from the start, and a barrier to exit for those who ignore the rules until they are penalized. For those who operate within the rules, regulation is an asset.
