The new version of the Pix return mechanism follows the money trail | finance

The Special Return Mechanism (MED) 2.0, which comes into optional use on the 23rd of this month and becomes mandatory on February 2nd, will attack precisely this point, but sector entities still see important security issues to be solved, such as the immediacy of the system in high-value transactions.

MED currently only works on the account that originally received the fraudulent Pix. The problem is that when a customer complains, that account is almost always empty. “The development of MED 2.0 is precisely aimed at avoiding and curbing this triangulation that is taking place,” says Fernanda Larranja, Vice President of Zeta.

According to the Central Bank (BC), MED 2.0 will map the paths taken by funds after fraud and share this path with the institutions involved, allowing returns within 11 days after the dispute.

In practice, the mechanism targets the “modus operandi” of criminals, who distribute money across several accounts quickly. “MED 2.0 will block money from the underlying layers,” says Leandro Vilan, president of the Brazilian Banking Association (ABBC), adding that in five minutes, money passes through up to five different accounts.

Ivo Mosca, Director of Innovation, Products, Services and Security at the Brazilian Federation of Banks (Febraban), recalls that there was a technical agreement between BC and Febraban to accelerate the development of MED 2.0. Mosca expects there will be significant demand for institutional participation, even with the initially voluntary commitment. “We should see mainly large institutions jumping in and connecting to MED 2.0 in the first few weeks.”

Reducing real-time transfers via high-value Pix is ​​one of the priority points for associations in this sector. The Technical Forum of Entities in the Payment Sector – which brings together ABBC, the Brazilian Association of Credit Cards and Service Companies (Abecs), the Brazilian Association of Payment Institutions (Abipag), the Brazilian Internet Association (Abranet), Febraban and Zetta – sent a proposal to the BC to keep large amounts in destination accounts.

Phelan says this measure does not attack the initial transfers, but rather the subsequent transfers. “You guarantee settlement, that the transaction has gone through and it’s irrevocable, but the funds are blocked there (in the destination account) to see if there will be any fraud alert. That’s for high value transactions. For the majority of the population, it won’t impact anything.”

If the money can indeed be traced, one bottleneck remains the use of orange accounts, which has not yet been addressed by specific regulation. According to Phelan, he notes that there is already a regulated market for renting accounts. “People earn between R$200 and R$250 a week.”

The thesis defended by the associations is to provide more legal certainty for the forced closure of accounts used in fraud, even when their owner claims ignorance. “He (the person renting the account) can no longer participate in the Pix system if he uses it incorrectly and promotes crime,” says the ABBC boss.

There are ongoing initiatives, such as BC’s Protege Mais, that allow customers to decide whether or not to accept accounts opened in their name. This functionality has yet to be expanded to include Pix keys.

In the hacker attacks that occurred this year, the market realizes that the vulnerability was in the human link, not in the Pix infrastructure.

In July and August, two major hacker attacks on the financial system were announced. The first and largest of these attacks hit C&M, a PSTI service provider that connects financial institutions to the Pix system. The transfer of values ​​from accounts held by C&M client institutions was estimated at more than R$1 billion. In August, a similar attack occurred with Sinqia, also PSTI, where R$710 million was embezzled, according to the company. Both incidents occurred using legitimate credentials to access the systems, but they were used incorrectly.

“Pix itself is a very secure system,” says Zeta’s Larranja. “Pix has a problem rate of 0.01%, which is lower than any other arrangement within the system.” “There is no problem with the BIX system, it is an encrypted system in which transactions on all sides are very secure. The issue is social.”

The president of the Brazilian Fintech Association (ABFintechs), Diego Pérez, agrees that Pix is ​​a secure infrastructure and highlights that the vulnerabilities found were in access to the system. “It’s a very strong structure,” he says.

Regarding the new minimum capital requirements announced by BC last week, Perez stated that there is a high possibility that companies will find it difficult to leverage capital and, as a result, there may be mergers and acquisitions activity. The president of ABFintechs recognizes that this measure is necessary, but states that there are concerns about its impact on competition.

“We do not support this excessive innovation, which does not guarantee the security of the system, but from the moment you increase capital requirements too much, you end up pushing more towards a slowdown in innovation and competition,” he says.

The measures announced this week represent a change in the logic of calculating the minimum capital required for institutions. Instead of considering the type of organization, the rule now takes into account the type of activity. As a result, requirements have been raised for different types of actors, such as banks, cooperatives and payment institutions.

In announcing the measures, BC Director of Inspection Ailton de Aquino said innovation and security must go hand in hand. “There is no attack from the central bank’s board when it comes to the innovation process. We will continue to work resolutely on the innovation agenda in the financial system. But we need to work on this innovation agenda that also depends on security,” he said.