President Lula signed Law 15.397 on April 30, 2026. The law amends Article 171 of Brazil's Criminal Code to criminalize, for the first time, the lending or renting of bank accounts for fraudulent transactions. Account cession carries a penalty of one to five years' imprisonment plus a fine. Electronic fraud committed through PIX or similar digital payment systems carries four to eight years under a new qualified subsection of Article 171.
The legislation targets the conta laranja networks that launder PIX fraud proceeds through chains of mule accounts. PIX fraud losses reached R$6.5 billion in 2025. The legacy MED mechanism recovered approximately 7% of disputed funds that year. The ABBC confirmed 12 cyberattacks targeting PIX-connected infrastructure in the first four months of 2026. Brasscom projects Brazil requires R$105 billion in fraud prevention and cybersecurity investment through 2028.
Law 15.397 adds a criminal enforcement layer to the BCB's existing administrative anti-fraud stack, which includes MED 2.0 multi-hop fund tracing and Resolution 554 automatic settlement account blocking. MED 2.0 entered full supervisory enforcement on May 11 after a 97-day grace period. The law requires proven intent for conviction. Passive or inadvertent account sharing does not constitute a crime. Social engineering scams, estimated at 80 to 90 percent of current PIX fraud losses by value, remain harder to prosecute under the new statute since victims initiate the payments themselves.