Brazilian Financial Intelligence Unit sets strict rules for Generative AI use

Key restrictions and responsibilities

The Financial Activities Control Council (COAF)*, Brazil’s financial intelligence unit, has imposed strict rules for the use of Generative Artificial Intelligence (GAI) within the institution through Ordinance No. 4/2025, published on March 2 in the Federal Official Gazette. The guidelines aim to ensure the security of confidential data and compliance with regulatory standards.

Among the main determinations is the prohibition of using external GAI platforms, including Microsoft Copilot (Windows, 365, and Bing), for processing confidential information, such as information related to financial intelligence, supervision of regulated entities, and sensitive personal data. Additionally, the use of these technologies will be monitored and must follow protocols approved by COAF’s General Information Technology Coordination (COTIN) and Governance and Management Committee (CGG).

The Ordinance also requires employees using GAI to handle internal data to assume full responsibility for reviewing generated content, ensuring the absence of incorrect, discriminatory, or harmful information. Thus, failures resulting from inappropriate use of the technology do not exempt the user/employee from responsibility.

Another point addressed is the prohibition of using COAF corporate credentials, such as institutional email and business phone, for creating accounts on external GAI platforms. Any application of this technology within the institution must undergo prior analysis, considering risks and digital security best practices.

Regulatory impacts and trends

The measure reflects not only COAF’s concern with protecting strategic information but also an important market movement regarding security measures for Generative AI use, especially those with broad public access, in line with measures proposed in Bill No. 2338/23, which aims to regulate AI use in Brazil. This demonstrates that, even before the bill’s approval, its measures are already being considered due to the need for regulation and practical applicability.

The COAF Ordinance establishes a significant regulatory framework for Generative AI use within the institution, reflecting growing concerns about data security and regulatory compliance, serving as an example for other institutions and companies seeking to adopt AI technologies responsibly and safely.

In this context, developing an AI Governance Program for artificial intelligence tools becomes increasingly essential for the security of companies and their clients/users, especially considering confidentiality, protection, and data privacy obligations.

[Notes:

  • COAF (Conselho de Controle de Atividades Financeiras) is Brazil’s Financial Intelligence Unit, equivalent to FinCEN in the United States or NCA in the UK.]

Publication Date

17 April 2025