Febraban SEC reached its third edition with a new name, a new venue, and an agenda that reflects the maturity of Brazil's financial sector in the face of a problem that keeps growing. On March 18–19, the Transamerica Expo Center brought together bank executives, regulators, law enforcement, and international specialists to discuss a central question: how to protect the financial system in an increasingly sophisticated and hostile digital environment.
The event — known in previous editions as the Congress for Fraud Prevention, Repression, and Cybersecurity — expanded in scope and ambition. This edition also featured a partnership with Felaban and the Latin American Banking Security Congress (CELAES), extending the conversation to a regional dimension.
The problem is no longer the password — it's the identity
For years, banking security was built around credentials: password, token, two-factor authentication. The logic was simple — protect access, protect the account.
What Febraban SEC 2026 made clear is that this model is no longer sufficient. The most sophisticated attacks today don't try to break the password. They take over the identity.
SIM swap, fraudulent number portability, straw accounts opened with valid documents, social engineering attacks that convince the legitimate account holder to hand over access — the attack vector has shifted. The boundary of the problem has moved from access to identity itself.
Cybersecurity as a systemic pillar, not a contractual obligation
One of the defining themes of the congress was the shift in perspective from Brazil's Central Bank. The message was unambiguous: cybersecurity has moved from a contractual obligation between institution and client to a matter of systemic stability.
With 16 regulatory initiatives in preparation and new Central Bank and CMN rules already in force since March, the sector enters a cycle of greater scrutiny and accountability. Institutions without the structure to detect, respond, and produce digital evidence will be exposed — both regulatorily and reputationally.
AI as a double-edged tool
Artificial intelligence was a recurring theme. On one side, a detection tool — models that identify anomalous patterns in real time, cross-reference behavioral and location signals, and reduce incident response time. On the other, an attack instrument — deepfakes, synthetic voice, AI-generated documents, hyperpersonalized phishing.
The balance between the two sides of this dynamic depends on the quality of data available for defense. Those with access to real-time behavioral and location signals have a layer of analysis that current attack models still can't reliably falsify.
What Zarv reads in this agenda
Zarv operates exactly at the intersection Febraban SEC placed at the center: identity, behavior, and location as complementary layers of risk intelligence.
Zarv ID was built to identify and correlate signals that traditional systems don't capture — suspicious number portability, SIM swap patterns, behavioral history tied to CPF and device. It's the layer that distinguishes the legitimate account holder from the fraudster who assumed their identity.
For banks, fintechs, and lenders facing a more demanding regulatory environment and more sophisticated attacks, behavioral and location data is no longer a differentiator. It's a requirement.