If the bill put forward by the São Paulo Legislative Assembly is signed into law, it will prevent financial services providers and payment institutions from processing payments through Pix until the Brazilian Central Bank introduces mechanisms to ensure consumer safety. The Assembly can vote to revoke the law if the Central Bank presents a technical security report that demonstrates what measures have been implemented. The objective is to prevent situations like the so-called lightning kidnappings, whereby consumers are forced to make instant transfers to criminals while being held ransom. Introduced in November 2020 as part of a broader modernisation of the Brazilian financial services environment – which also includes ongoing initiatives, such as Open Banking – Pix has more than 104 million registered users and has processed more than 1.6 billion transactions since it launched. Around 75% of the transfers carried out via Pix in its first year of operation took place between individuals. According to the Central Bank, the system enabled financial inclusion at a significant scale; around 40 million Brazilians who had never made a money transfer before did so through the instant payments system. Transfers are made through a Pix “key,” which acts as a sort of nickname associated with a user’s full account details, aimed to simplify the payment process. A Pix key could be a user’s mobile phone number, tax registration number, email address, a randomly generated alphanumeric string, or a QR code. The convenience introduced by the instant payments system created loopholes for criminal action, however, prompting the Central Bank to impose limits on the value of transactions made between 8pm and 6am and on weekends. Other measures included a precautionary block on the receipt of transfers for up to 72 hours in cases of suspected fraud, as well as a special return mechanism scam victims can use. The author of the bill that aims to suspend Pix in the state of São Paulo, congressman Campos Machado, notes that banks did not anticipate that “the enormous ease and convenience [Pix offers] to users would also bring dexterity to criminals, who have discovered the comfort and speed of using it to their advantage.” The debate over instant payments in the context of increasing crime follows the first major data protection incident involving Pix that occurred in October. More than 395,000 Pix keys under the custody and responsibility of the Bank of the State of Sergipe (Banese) – likely obtained through social engineering or phishing techniques – were leaked.