Brazil 2026 KYC Playbook to Improve First Pass Rate

Overview

The first-pass gap is real and recoverable

Brazil clears fewer first-attempt verifications than its reputation as Latin America's digital-finance leader suggests. Across early 2026, fewer than four in five checks passed on the first try, and close to one in seven documents carried a fraud signal. The same data shows that gap is recoverable.

75.40% Brazil's average first-pass rate

98.62% First-pass rate with Shufti

13.70% Document fraud rate

The first-pass gap Shufti closes: Brazil average 75.40% versus 98.62% with Shufti, a gain of 23.22 points

Regulatory Context

Why Brazil's KYC bar sits higher than its reputation suggests?

Brazil asks more of onboarding than most emerging markets because its digital finance scaled faster than almost anywhere. Pix, the central bank's instant-payment system, live since November 2020, reached more than 150 million users over 70% of the population by mid-2024. Account creation that easy invites the exact abuse regulators now watch for: dummy accounts, money mules, and synthetic identities opened at scale.

Three supervisors set the bar, and most regulated firms answer to at least one of them.

Three Brazilian supervisors — COAF, Banco Central (BCB) and CVM — routing obligations down to obliged entities, defined as every business onboarding Brazil's customers. — Three supervisors route obligations down to obliged entities

Data protection sits on top of all three: the ANPD enforces the LGPD (Law 13.709/2018) over the personal data every KYC flow collects, so checks have to be thorough and minimal at once. The pressure does not ease in 2026, it concentrates.

Timeline of Brazil's KYC milestones: Nov 2020 Pix goes live; 2022 CIN rollout begins with the CPF as the single ID number; 1 Jan 2025 regulated betting live with mandatory facial recognition; 2030 CIN replaces the legacy RG entirely.

A fourth pressure point arrived with regulated betting. Law 14.790/2023 opened a licensed online betting and iGaming market that went live on 1 January 2025, supervised by the Secretariat of Prizes and Bets (SPA). It makes facial recognition mandatory at registration and first deposit, and the CPF mandatory to register turning biometric onboarding into a legal requirement overnight.

Scope

What a Brazil verification actually has to cover?

A Brazil verification answers to several regulators and has to read the documents a continent-sized, document-diverse country puts in front of it. Knowing both is what separates a configured flow from a generic one.

Three regulated buyer groups

SPA-Licensed

Regulated Betting

Facial recognition at registration and first deposit, AML screening, every account tied to a CPF.

Fintech / Pix

Fintech & Payments

Central-bank KYC duties; each Pix customer verified against the tax registry.

CVM-Supervised

Crypto & Investment

CVM-supervised exchanges and tokenised-asset platforms meet the same due-diligence bar.

The documents in play

The new Carteira de Identidade Nacional (CIN) uses the CPF as a single national identity number, replacing the old state-by-state RG. Rollout began in 2022; around 30 million had been issued by mid-2025, and the CIN will replace the RG entirely by 2030. The legacy RG still circulates in five card variations, driving licences (CNH) appear in three including an official digital version with the same legal validity and passports are also used.

Failure Modes

Why first-pass rates drop in Brazil?

Most Brazil verification failures are capture and document-structure problems before they are fraud, though fraud is high: the document fraud rate sits at 13.70%, close to one in seven. Around one in four first attempts fails. The most common rejection reasons are submitted screenshots, scanned copies, and screen-in-screen captures, and Brazilian documents add structural traps that generic OCR walks straight into.

The cost lands fast. A betting or fintech operator that rejects a genuine applicant either pushes that customer toward a competitor or into a manual-review queue, where every case costs analyst time and slows onboarding.

Paper cards and faded print merge the data

Many states still issue the RG on laminated paper rather than polycarbonate, and years in a wallet add creases, smudging, and ink loss. When the print degrades, adjacent values name, CPF, date of birth, and the two filiação lines bleed together, so OCR returns one merged string and a genuine card fails.

Faded state-issued RG from Minas Gerais where print loss merges adjacent fields into one string. — Faded state-issued RG (Minas Gerais): print loss merges adjacent fields into one

One CPF, many positions

The CPF never sits in a fixed place on a Brazilian ID, which breaks any engine that reads by coordinates. The same number can replace the document-number field, sit top-left, or drop to the bottom-left and five RG variations and three CNH variations circulate at the same time. A template tuned to one layout reads the wrong zone and returns a number that is not the CPF.

CPF in the bottom-left corner of an RG — CPF bottom-left corner

CPF in the top-left field of a card — CPF top-left field

CPF in the bottom-left of a different RG layout — CPF bottom-left, alt layout

Unlabelled fields and stamps over the data

Older Brazilian cards give OCR nothing to anchor to. Labels are inconsistent or missing, and the two parental names print together under a single filiação heading with no split between father and mother. Issuing offices also stamp across the CPF, parental names, and address and that ink sits on top of the very data an extraction and authenticity check needs to read.

A São Paulo RG with an official stamp printed directly over the CPF and address. — An official stamp printed directly over the CPF and address (São Paulo RG)

Screenshots, scans and screen-in-screen

Most Common

Brazil's three most common rejection reasons are all capture problems. A screenshot or a photo of one screen taken on a second phone hands the engine a screen instead of a document, and the moiré patterns, glare, and missing depth fail liveness and authenticity at once. A flat scan or colour copy strips the security features the check depends on, so a real card submitted the wrong way is correctly refused.

A screenshot of an RG submitted from a phone gallery — A screenshot submitted from the gallery

A genuine RG photographed off a second phone screen — Screen-in-screen: a photo of a screen

A clean, directly captured RG, for contrast — A clean direct capture, for contrast

Digital IDs declined by config, and altered documents

Two more reasons sit in Brazil's top five, and they pull in opposite directions. Genuine digital credentials the digital CIN and the digital CNH issued through gov.br get declined automatically when a flow is not configured to accept e-documents. At the other end, altered documents are the visible edge of Brazil's 13.70% fraud rate, where the check has to catch a forgery rather than a configuration gap.

There is a quieter cost behind the CPF. Because businesses use the CPF to pull extra data from national databases, a wrong CPF extraction triggers an unnecessary database request, which raises cost for the operator and still ends in a failed check.

The Fix

How Shufti moves Brazil's first-pass rate from 75% to 99%

Shufti raises Brazil's first-pass rate to 98.62% by reading the documents Brazil actually issues and rejecting the captures that should never count. The gain is not a discount on standards it is the same checks, passing more genuine users on the first try.

Capture

Liveness-guided, blocks screen-in-screen.

Read

Zero-shot read locates the CPF wherever it sits.

Validate

CPF checksum before any database call.

Match

3D face liveness confirms a live person.

Screen

AML screening for COAF obligations.

Reading the documents Brazil actually issues

Document Verification uses zero-shot AI to read the five ID-card and three licence variations, find the CPF wherever it sits, separate unlabelled parental names, and recover fields hidden under stamps or merged print with no per-document templates to maintain.
CPF integrity is handled before any lookup. Shufti delivers 98.85% CPF extraction accuracy and runs default checksum validation, so a malformed number is caught before it triggers a costly, pointless database request.
The flow accepts Brazil's official digital credentials the digital CIN and digital CNH so genuine e-documents stop being declined by configuration.
The same engine reads the foreign passports and IDs Brazil's platforms also onboard, across 240+ actively processed countries and territories.

Rejecting the captures that should never count

Face Verification with 3D liveness at iBeta Level 3 conformance confirms a live person rather than a screenshot, a screen-in-screen capture, or a deepfake which also satisfies the facial-recognition step Brazil's betting law now requires.
Authenticity checks flag scans, colour copies, and altered documents before they reach a reviewer. NFC Verification reads the e-passport chip for the highest assurance when the printed card fights the camera.
eIDV cross-checks government registries, and AML Screening covers sanctions, PEP, and adverse-media screening for COAF obligations.

What Higher Pass Rates Are Worth

Moving from 75.40% to 98.62% means roughly 23 in every 100 genuine applicants who used to drop out are now cleared automatically. That is fewer manual reviews, faster onboarding for high-value betting and fintech customers, fewer pointless CPF database lookups, and far less revenue lost at the front door. Teams that prefer to build and price a stack without a sales conversation can configure one directly at any tier.

Summary

The Brazil pass-rate playbook at a glance

Brazil's first-pass losses come from five fixable causes: faded paper print, the floating CPF, unlabelled and stamped fields, screen and scan captures, and declined digital IDs. Each maps to a specific control, summarised below, that recovers genuine users without lowering the bar.

What Fails	Why the Check Drops It	How It Is Solved
Paper cards & faded print	Fields merge and blend into one another	Zero-shot Document Verification separates merged fields and recovers faded print.
The floating CPF	The number sits in a different place on each card	The engine locates the CPF wherever it appears, then checksum-validates it.
Unlabelled fields & stamps	Labels are missing and stamps cover the data	Context-aware reading maps fields without labels and recovers data under stamps.
Screenshots, scans & screen-in-screen	A screen or flat copy is captured, not a document	Liveness-guided capture and authenticity checks reject them at the source.
Declined digital IDs & altered docs	Config blocks genuine e-documents; forgeries slip through	The flow accepts the digital CIN and CNH and flags altered documents.

Frequently Asked Questions

Brazil's average first-pass rate is 75.40%, meaning around one in four identity checks fails on the first attempt, based on Shufti verification data for January to May 2026. With Shufti, the first-pass rate for the same market reaches 98.62%.

Was This Content Helpful ?

The most common reasons are submitted screenshots, scanned copies, and screen-in-screen captures, which strip out or fake the features an authenticity check needs. Brazilian documents add structural traps: low-quality paper that merges fields, a CPF that sits in different positions on different cards, unlabelled parental names, and official stamps printed over the data.

Was This Content Helpful ?

The new Carteira de Identidade Nacional (CIN) uses the CPF as a single national number and is replacing the old state-issued RG, which still circulates in five variations. Driving licences (CNH) appear in three variations, including an official digital version, and passports are also used. The CPF is the central identifier across all of them.

Was This Content Helpful ?

COAF is the financial intelligence unit and AML/CFT supervisor, the Banco Central do Brasil supervises banks, payment institutions, and fintechs, and the CVM oversees securities and crypto-asset issuers. The ANPD enforces the LGPD data-protection law, and the SPA supervises the regulated betting market.

Was This Content Helpful ?

Law 14.790/2023 opened a licensed online betting and iGaming market that went live on 1 January 2025. It makes facial recognition mandatory at account registration and first deposit, and requires a CPF to register, so biometric onboarding is now a legal condition of operating.

Was This Content Helpful ?

Take the next steps to better security.