CPF and CNPJ API for Crypto & Blockchain: KYC and AML Compliance
At CPF.CNPJ, we simplify and streamline access to essential information about individuals and companies.
The Challenge: KYC and AML Compliance in Crypto Exchanges under CVM Instruction 617
Brazilian crypto exchanges face one of the most rigorous regulatory frameworks in Latin America: CVM Instruction 617/2020 sets mandatory KYC (Know Your Customer), AML/CFT (Anti-Money Laundering/Counter-Terrorism Financing) and AML requirements equivalent to the banking sector. CVM requires identity validation of 100% of customers against official Receita Federal databases before allowing any operation with crypto assets. Non-compliance results in fines from R$ 50,000 to R$ 5 million per audit, suspension of operations, or even revocation of the virtual asset service provider registration.
The crypto market attracts fraudsters on a global scale: studies show that 3-5% of transactions on unregulated exchanges involve money laundering, terrorism financing or fraud. For Brazilian exchanges under CVM regulation, implementing rigorous KYC is an essential competitive barrier but also an operational bottleneck: customers expect instant onboarding (2-5 minutes) as in international exchanges, but manual validations take 24-72 hours. This conflict results in abandonment of 70-85% of started registrations.
Crypto exchanges operate 24/7/365 with volume peaks during extreme volatility: when Bitcoin rises/falls 20% in 24 hours, the volume of new registrations increases 10-30x. Manual KYC processes are unfeasible at this scale: an exchange processing 100,000 registrations in 48 hours during a bull market would require a team of 800-1,200 analysts if done manually (cost of R$ 6-9 million in 2 days), operationally unfeasible. Intelligent automation that validates identity in real time without compromising compliance is a critical requirement for survival in the regulated crypto market.
How the CPF.CNPJ API Solves It
1. Instant KYC for Crypto Onboarding
The API allows the documentary validation layer of crypto KYC to be fully automated. During registration on the exchange, the customer fills in CPF, name, date of birth and submits a selfie + document. Simultaneously, the system captures data and calls the API in parallel to validate the CPF against Receita Federal, returning in 0.4-2 seconds whether the CPF exists, is regular, and confirming the full official name. The system automatically cross-checks declared data with official data using a decision engine.
An automated decision engine applies rules: (1) the CPF must be Regular at Receita Federal; (2) the declared name must have at least 85% similarity to the official name (Levenshtein + phonetic algorithm allows variations); (3) the date of birth must match when available; (4) the customer must be 18+ years old (legal crypto requirement); (5) the CPF cannot be on sanctions lists (OFAC, UN, UIF). If all criteria are met, validation is approved instantly and the process moves to biometric verification (liveness + face match). In case of divergences, the case proceeds to manual review without fully blocking.
2. AML Screening and Sanctions Lists
CVM 617 regulation art. 8 requires "verification of customers against national and international sanctions lists" and "identification of PEPs (Politically Exposed Persons)". The API allows this screening layer to be integrated into the KYC flow: after validating CPF/CNPJ, the system automatically cross-checks data with restrictive lists (OFAC, UN, TCU, CGU, PEP lists) and AML risk databases.
If a customer is identified as a PEP (politician, relative of a politician, strategic public office), the system applies enhanced due diligence: requests additional documents (proof of income, source of funds), limits the value of initial transactions (e.g., R$ 10,000/month in the first 90 days), and requires manual compliance approval before releasing operations. For CNPJs, validation cross-checks the ownership structure with PEP lists: if the ultimate beneficial owner is a PEP, the empresa receives a higher risk classification. This automated screening meets CVM compliance and protects the exchange from reputational risk.
3. Continuous Monitoring and Periodic Re-KYC
Crypto compliance does not end at onboarding: CVM 617 art. 9 requires "periodic updating of registration data and re-KYC of customers according to risk profile". The API allows automated monitoring to be implemented through batch jobs that re-validate the base of active CPFs/CNPJs. The system sends a list of documents via bulk API (optimizes costs) and receives updated status.
If a CPF changed from Regular to Canceled, Suspended, Null, or Canceled by Multiplicity, the system generates an automatic alert and suspends transactions until regularization. For high-risk customers (PEPs, high transactional volume, risk countries), re-KYC is done quarterly. For low-risk customers, annually. The system integrates with a transaction monitoring platform (Chainalysis, Elliptic) to correlate registration changes with suspicious on-chain transaction patterns. This creates an additional AML protection layer that international exchanges do not have.
Real Cases: Coinext and BrasilBitcoin
Coinext, one of the largest crypto exchanges in Brazil with hundreds of thousands of active users, faced a critical compliance bottleneck under CVM 617 regulation: a team of 45 KYC analysts could not scale to meet demand peaks during bull markets without compromising quality. During the Bitcoin rally in Q4/2023, registration volume rose to 80,000/week, creating a 12-15 day queue for approval. The abandonment rate reached 87%, resulting in the loss of millions in potential trading fee revenue.
Implementing automatic validation via API integrated with a decision engine (4-layer decision: CPF API + facial biometrics + AML screening + device fingerprinting) allowed automating 91% of approvals. Only cases with an irregular CPF, high AML score, or data divergences proceed to human review. The average KYC time dropped from 8 days to 4 minutes. The approval rate increased to 84% (reduction of false positives from 42% to 16%). During the next bull market, the exchange processed 120,000 registrations/week with the same compliance team. ROI: R$ 18.5M annually in operational savings + R$ 67M in additional trading fee revenue from improved conversion.
BrasilBitcoin, an exchange focused on the Brazilian market with a strong presence in Northeastern states, faced regulatory risk: a CVM audit identified 3,200 irregular CPFs (Canceled, Suspended) with active accounts trading crypto assets, a direct violation of Instruction 617. The potential fine reached R$ 12 million. CVM issued an adjustment term requiring remediation within 60 days under penalty of operational suspension and market ban.
Massive validation via API of the complete base of 180,000 active CPFs identified more than 4,800 irregular CPFs. The system implemented automatic account suspension with customer notification for regularization within 30 days. Re-KYC was required of all affected. Automated biweekly validation began re-checking all active customers, generating proactive alerts. Complete remediation in 52 days avoided a millionaire fine and suspension. Implementation cost: R$ 850k. Savings: R$ 12M in fines + the incalculable value of keeping operations active. The exchange became a compliance benchmark in the Brazilian crypto market.
Expected Metrics and ROI
- 91-94% KYC automationReduction of manual review from 100% to 6-9% of cases
- 4 minutes vs 8 daysInstant approval increases conversion from 13% to 84%
- R$ 185-320 savings per KYCAutomation reduces cost from R$ 350 to R$ 30-165 on average
- 84% onboarding conversionvs 13-18% with a slow manual process (8+ days)
- 100% CVM 617 complianceReceita Federal validation + AML screening + audit logs
- CVM fines preventionR$ 50k-5M per audit with non-compliance avoided
- Bull market capacityProcess 100k-150k KYCs/week with the same compliance team
- 7,800% ROIExchange 50k KYCs/month: investment R$ 1.8M/year vs savings R$ 140M/year + additional revenue
