Brazil does not just need to regulate AI. It needs to create it.

Brasília, November 4–6, 2026. The gathering that begins to change that.

Brazil does not just need to regulate AI. It needs to create it.

three women posing

Why AML in Brazil Is Still Reaction, Not Prevention

Why AML in Brazil Is Still Reaction, Not Prevention

Ricardo V. C. Fernandes, Sydnei M. Gomes, Marcos V. Mantovani, Stephannie L. A. P. Chiang Ozawa, Daniel E. Gomes, Guilherme Sardinha

AML in Brazil is still reaction, not prevention. Systems monitor transactions but fail to see the structures behind the risk.

Every time a major anti-money laundering operation comes to light, one question always arises: how did this go unnoticed for so long?

The Federal Police release the numbers. The press echoes them. Regulators issue statements. And the financial sector engages in a collective retrospective exercise: what could have been done before?

The honest answer, in most cases, is: very little, given how the system was built.

Not because there is a lack of regulation, normative acts, or legal obligations. Brazil's AML regulatory framework is robust. Law No. 9.613/1998, BACEN Circular No. 3.978/2020, and COAF's typologies establish a broad set of requirements that institutions must comply with. The problem is not in the rules. It lies in the logic upon which the systems were built to comply with them.

An architecture built for the past

The AML systems that dominate the market today were designed around a central principle: monitor clients' transactional behavior and identify deviations from known patterns.

This approach has value. It works reasonably well for detecting behaviors documented in COAF's typologies, such as fractional movements to avoid reporting thresholds, cash deposits incompatible with the client's profile, circular transfers between related accounts. These are patterns the regulator has mapped, that systems have learned to recognize, and that still represent a significant share of reports submitted to COAF.

But this architecture carries a structural limitation that becomes more evident as money laundering schemes grow more sophisticated: it looks at what happens, not at who is behind it.

What traditional systems fail to see

High-complexity money laundering does not begin with a transaction. It begins with a structure.

Before any financial movement, the organizers of a sophisticated scheme have already built the environment that will allow the money to circulate without raising suspicion. Companies incorporated with low-risk CNAE codes. Partners with no criminal history. Contracts that justify the financial flows. An appearance of normality meticulously constructed, layer by layer.

When the money begins to move, it does so within a structure that has already been prepared to look legitimate. The transactions, in isolation, may not trigger any alerts. The profile of each company, analyzed individually, may appear compatible with its declared activity.

What reveals the scheme is not the behavior of any single entity. It is the pattern of the entire network — the connections between people, companies, and histories that only make sense when observed together.

And here lies the fundamental blind spot of conventional systems: they were built to analyze entities, not networks. To monitor transactions, not structures. To detect the symptom, not to diagnose the cause.



Two recent cases that illustrate the problem

Brazil and the world offer concrete evidence of the cost of the absence of intelligence capable of connecting data in an explainable and auditable manner before the damage occurs.

In May 2026, the Federal Police and GAECO-SP dismantled a structure that moved R$26 billion in funds from criminal factions through the Brazilian financial system. The amounts were distributed across six fintechs that, in the eyes of existing controls, were operating within normal parameters. No institution issued alerts before the police operation. The Central Bank only acted after the scheme had already been exposed. The episode left a question without an easy answer for regulators such as COAF, BACEN, and SUSEP: if the structure was set up and in operation, why didn't the prevention system see it?

Shortly afterward, on July 1, 2026, the United States Department of the Treasury announced sanctions against two Brazilians and four companies for alleged involvement in the PCC's financial structure. The group allegedly moved more than US$190 million in seven months, operating between São Paulo and Florida. Among the targets: a financial services company, a payment solutions company, a construction firm, and a transportation company based in Portugal.

None of them, analyzed in isolation, would have shown obvious signs of risk. What connected them all was the network — that is, the relationships between partners, companies, and financial flows that, when mapped together, revealed the laundering structure behind the apparently legitimate operations. The investigation involved a task force with the FBI, Homeland Security, and the U.S. Department of Justice. It took months of work to reach a conclusion that, with the right intelligence architecture, could have emerged much earlier.

The public data that no one processes

There is a significant irony in this scenario: part of the information needed to identify risk structures is publicly available.

The Official Gazette of the Union (DOU) records daily corporate changes, publication of sanctions, disqualifications of legal entities, and regulatory links of hundreds of entities. DataJud, from the CNJ, aggregates judicial case data across the entire national territory. The Transparency Portal consolidates public contracts and government transfers. The TSE's electoral databases contain information on donors and candidates that allows mapping political exposure.

This data exists. It is open. And it is, to a large extent, inaccessible to the financial sector's compliance systems. Not because it is protected, but because its disordered structure makes automated processing at scale a technical challenge that very few organizations have been able to solve.

The result is that financial institutions make onboarding and monitoring decisions without access to a layer of intelligence that already exists, that is public, and that could significantly change the quality of risk analysis.

Reaction versus prevention: a distinction that matters

The distinction between reaction and prevention is not semantic. It defines the moment at which the financial system intervenes in the laundering chain and, consequently, the damage that can still be avoided.

A reactive system intervenes after. After the structure has been set up, after the transactions have been carried out, after the money has completed its path and been reintegrated into the formal economy. The financial sector's contribution, in this model, is to provide evidence for an investigation that is already underway.

A preventive system intervenes before. Before the account is opened for an entity whose relationship network already presents risk indicators. Before a movement is authorized for a beneficiary whose corporate structure hides links to non-cooperative jurisdictions. Before the damage occurs.

The difference between the two models is not in the quality of the analysts or the rigor of internal procedures. It lies in the architecture of the intelligence that feeds decisions and in what data that architecture is able to process.

What changes with structural intelligence

The evolution needed in the sector is not incremental. It is not about adding more rules to an existing rules engine, or training a statistical model with more transactional data. It is about a paradigm shift in how risk is understood and assessed.

Structural intelligence means analyzing the client not as an isolated entity, but as a node in a network of relationships and assessing the risk of that network as a whole. It means automatically cross-referencing transactional data with corporate, judicial, regulatory, and public transparency data. It means producing, for every compliance decision, a rationale that not only identifies the risk, but explains why it exists, based on what evidence, and with reference to the applicable regulations.

This level of intelligence does not eliminate human judgment — it enhances it. The analyst no longer spends hours manually assembling a risk narrative to focus on what truly requires discernment: evaluating ambiguous contexts, making decisions in borderline cases, and ensuring the institution is complying not only with the letter, but the spirit of regulation.

As long as the financial sector continues to treat AML as a transactional detection problem, the cycle will repeat. The structure will be set up. The money will circulate. And the question "where did we fail?" will continue to be asked afterward.

How NeoLabsAI approaches this problem

Most AML solutions point out a risk. We were built to explain that risk. We use specialized Artificial Intelligence to analyze relationships between people, companies, and risk factors, transforming complex data into traceable and auditable evidence. The result is a deeper, explainable, and defensible analysis to support AML decisions.

Want to understand how NeoLabsAI can transform your institution's AML intelligence?

//

Últimas postagens

//

Last posts

//

Contact

EVIDENCEYOURREGULATORSACCEPT

Generic scores are not defensible under BACEN Circular 3,978. We built what is.


Each alert comes with a legal citation, statistical proof, and recommended action. If you are evaluating an AML stack and care about defensibility, let’s talk.