KYC beyond credit scores: why court data is the next bureau for Brazilian counterparties
By TrackJud
Credit scores don't capture lawsuits. Court data reveals risks that traditional bureaus miss — BACEN Circular 3,978, LGPD art. 7, and practical implementation for fintechs. Updated April 2026.
TL;DR: Credit scores (Serasa, Boa Vista, Quod) don’t capture court cases — labor, civil, criminal, tax executions. A CPF with an 800 score can have R$ 500k in judicial liability the bureau doesn’t show. Court data is the complementary bureau that closes this gap. BACEN Circular 3,978/2020 requires risk-proportional KYC; LGPD (art. 7 §4 + IX) provides clear legal basis for querying without consent. Cost: R$ 0.10-1.20 per client, ROI of 10,000x for relevant credit operations. This guide covers: what the score shows vs doesn’t, 5 real risks, 5 regulations requiring diligence, 3-tier implementation, and how to integrate into the approval engine.
Most fintechs and financial institutions in Brazil use the credit score as the primary — and often only — risk indicator in KYC (Know Your Customer). Serasa, Boa Vista, Quod, and SPC are queried in 100% of onboardings. This is necessary, but deeply insufficient.
The score has a structural blind spot: it doesn’t show court cases. A client with an 800 score can have 15 labor claims, a R$ 500k tax execution, and an ongoing criminal proceeding. The bureau won’t show any of it — the score remains “good payer.”
In Brazil, where more than 83 million active cases are in court according to the CNJ Justice in Numbers 2024, ignoring the judicial dimension of a client means ignoring the country’s largest source of hidden liability.
For a complete risk analysis, this gap needs to be paired with a judicial due diligence — and, for higher-risk profiles, with habitual litigation verification.
What credit scores show — and what they don’t
This table is the core argument. Memorize it if you work in credit risk:
| What the bureau SHOWS | What the bureau DOESN’T show |
|---|---|
| Registered debts (SPC/Serasa) | Active civil cases (as defendant) |
| Payment history | Labor claims |
| CPF queries | Criminal proceedings |
| Bounced checks | Tax executions (ICMS, ISS, IR) |
| Protests | Bankruptcy/recovery proceedings |
| Predictive numeric score | Volume of judicial contingencies |
| Credit blacklisting | Cases as plaintiff (habitual litigant) |
The score is a financial photograph. Court cases are a judicial photograph. They’re complementary, not substitutes.
The 5 real risks of incomplete KYC
Risk 1 — Credit to a judicial debtor
An entrepreneur requests R$ 200k in revolving credit from a fintech. Serasa score: 780, “low risk.” No judicial verification. The entrepreneur has 3 active ICMS tax executions totaling R$ 800k (São Paulo State Revenue, with scheduled BacenJud freeze) and 5 active labor claims from former employees summing R$ 320k.
Real payment capacity: much lower than the score suggests. Result in 4 months: default, generalized judicial freeze catches the fintech’s account too.
Risk 2 — Onboarding a client with criminal proceedings
A payments fintech approves account opening for a CPF with an ongoing criminal proceeding for fraud (art. 171 of the Penal Code). Bureau shows normal score — criminal cases don’t affect credit score. Three months later, the account is used for money laundering. The fintech is notified by COAF and enters mandatory reporting.
Risk 3 — Partnership with a company in judicial recovery
A company contracts a strategic logistics supplier (exclusive contract, 12 months) based on a commercial proposal and references. No judicial check. The supplier has a judicial recovery petition filed 8 months prior — public case, searchable in the state court. Four months later, the supplier stops delivering due to cash shortage.
Risk 4 — Direct regulatory exposure
BACEN Circular 3,978/2020 requires financial institutions to conduct verifications proportional to client risk. Resolution 4,557/2017 requires integrated risk management with “robust methodology.” A KYC that doesn’t include court data may be deemed insufficient in a BACEN audit.
Risk 5 — Habitual litigant infiltration
A CPF opens accounts at 5 different fintechs in the same month. Normal score everywhere. The CPF has 47 cases as plaintiff in JEC (Small Claims Court) — classic predatory litigation pattern. The goal: provoke incidents, sue the company, accumulate small indemnities at scale. Without judicial verification, the fintech only discovers when it already has 3 active cases.
What regulation requires — 5 norms that provide foundation
| Norm | What it says | KYC implication |
|---|---|---|
| BACEN Circular 3,978/2020 | Risk-proportional KYC | Judicial verification is “proportional” for relevant credit |
| BACEN Resolution 4,557/2017 | Integrated risk management with robust methodology | Institution must identify credit risks — lawsuits are risk |
| Anti-Corruption Law 12,846/2013 | Third-party due diligence | Fine of 0.1-20% of revenue if no DD |
| LGPD 13,709/2018 | Legal basis for public data (art. 7 §4) | Public court lookup doesn’t require consent |
| CPC 25 / IAS 37 | Provision for judicial contingencies | Court cases MUST be provisioned on the balance sheet |
KYC in 3 tiers — proportional implementation
Tier 1 — Basic verification (every client)
Runs on 100% of clients at onboarding, automatically:
- Credit score (bureau)
- CPF/CNPJ validation
- Document verification
- Court case lookup in the client’s home state courts (1-5 courts)
Cost: R$ 0.10-0.50 per client. Time: <60 seconds via API.
Tier 2 — Expanded verification (medium credit, R$ 10-100k)
Runs for clients that pass Tier 1 AND request credit above threshold:
- Everything from Tier 1
- Court lookup across all relevant states (5-12 courts)
- Shareholder verification (for companies)
- Previous company history for the CPF
Cost: R$ 0.50-1.20 per client. Time: ~60 seconds via API.
Tier 3 — Full due diligence (high credit, M&A, strategic supplier)
Runs for high-value or high-risk operations:
- Everything from Tiers 1 and 2
- Lookup across all available courts (12+ courts)
- Qualitative analysis of found cases (human)
- Related party verification
- Continuous monitoring until closing
Cost: R$ 1.20-5.00 per entity + human analysis. Details at judicial due diligence.
Real case — payroll-deducted credit fintech with 15,000 approvals/month
A private payroll-deducted credit fintech (FGTS-backed operations) integrated Tier 1 judicial verification into the onboarding pipeline. Results after 90 days:
- Volume: 15,000 approvals/month
- Additional Tier 1 cost: R$ 1,500/month (15,000 × R$ 0.10 per query in 1 court)
- Clients flagged with judicial risk: 4.2% (~630/month)
- Of those 630, escalated to Tier 2: ~180
- Of those 180, denied or adjusted: ~45
- Estimated default avoided (based on avg ticket R$ 8,000 × flagged default rate): ~R$ 360,000/month
- ROI: R$ 360,000 / R$ 1,500 = 240x per month
Integration took 2 weeks (1 backend dev) and payback came in the first month.
The cost of checking vs not checking
| Operation | Typical value | Judicial KYC cost (Tier 1) | Cost of not checking |
|---|---|---|---|
| Personal loan | R$ 10,000 | R$ 0.10-0.50 | Up to R$ 10,000 (default) |
| Business credit | R$ 100,000 | R$ 1.00-1.20 | Up to R$ 100,000 + legal costs |
| Mortgage | R$ 500,000 | R$ 1.20-2.00 | Up to R$ 500,000 + foreclosure |
| M&A / corporate credit | R$ 5,000,000+ | R$ 5.00-50.00 | Millions in hidden liability |
Court data costs pennies per client and prevents losses of thousands to millions. Full pricing at /en/pricing/.
LGPD and court data — detailed legal basis
Court queries for KYC fall under 3 simultaneous legal bases of Law 13,709/2018:
- Art. 7, §4 — data “made manifestly public by the subject.” Court cases published in public lookup by the courts fit this
- Art. 7, IX — “legitimate interests of the controller or a third party.” KYC for credit decisions is legitimate interest by definition
- Art. 7, VI — “regular exercise of rights in judicial, administrative, or arbitration proceedings.” Covers regulatory compliance (BACEN, CVM)
Implementation requirements:
- Purpose: use data only for KYC/compliance (not for marketing, prospecting, or data resale)
- Necessity: collect only what’s needed
- Transparency: inform the subject that public data was queried (when required)
- Retention: keep data only for the necessary period + regulatory retention
- Audit trail: maintain a log of who queried, when, which CPF, what result. Vigilant generates this automatically.
Practical implementation — by segment
For credit fintechs
Integrate judicial verification into the onboarding pipeline via REST API. Automate decisions based on rules:
| Judicial result | Action in decision engine |
|---|---|
| 0 cases | Normal approval (score decides) |
| 1-3 civil cases as defendant | Approval with flag → periodic review |
| Active criminal proceedings | Mandatory human review |
| Tax executions | Review + additional guarantees |
| Habitual litigant (10+ cases as plaintiff) | Behavioral risk flag |
| Judicial recovery/bankruptcy | Automatic denial |
Integration via Vigilant’s API is REST + JSON, documented in OpenAPI 3.1 with bearer token auth. See developer resources with examples in 4 languages.
For banks
Complement bureau scores with court data across all credit tiers. For credit above R$ 50,000, make Tier 2 judicial verification mandatory. For credit above R$ 500,000, activate Tier 3 (full DD). BACEN regulation (Circular 3,978 + Resolution 4,557) provides the foundation.
For insurers
Verify judicial history before issuing high-value policies. Identify fraudulent claim patterns via prior litigation — an insured party with 8 indemnity claims across 3 different insurers in the last 5 years is a systemic fraud signal.
Glossary
| Term | Definition |
|---|---|
| KYC | Know Your Customer — client identity and risk verification process |
| Credit score | Numeric score estimating default risk, calculated by bureaus |
| Bureau | Company that aggregates financial data to calculate scores (Serasa, Boa Vista, Quod, SPC) |
| BACEN | Central Bank of Brazil — financial system regulator |
| Circular 3,978 | BACEN norm requiring risk-proportional KYC |
| BacenJud | Judicial bank account freeze system operated by BACEN |
| CPC 25 | Accounting pronouncement requiring provision for judicial contingencies |
| Habitual litigant | Person who files an abnormal volume of lawsuits as plaintiff |
| COAF | Council for Financial Activities Control |
Conclusion
Credit scores were an advancement when created. But in 2026, with 83 million active cases in the country and regulation requiring risk-proportional KYC, treating the score as the sole source is regulatory negligence. Court data is the complementary bureau that closes the gap — costs pennies, prevents thousands, and the legal basis (LGPD, BACEN, Anti-Corruption Law) is clear.
If your fintech still approves credit based solely on Serasa/Boa Vista, you’re operating with half the picture. The other half is in the courts.
To see how court data fits into your credit or compliance pipeline, check our fintech and bureau solutions and compliance and KYC solutions. To integrate directly into your decision engine, the technical docs have the path.
Complement your KYC with court data. 5 free credits on signup, no credit card. Start now.
Frequently asked questions
No. The score (Serasa, Boa Vista, Quod, SPC) measures payment history, registered debts, CPF queries, and protests — strictly financial data. Court cases (labor claims, civil suits, criminal proceedings, tax executions, bankruptcy) are NOT factored into the score. An entrepreneur with an 800 score can have 15 active labor claims and a R$ 500k tax execution — the bureau shows 'good payer.' The court shows real risk. They're complementary sources, not substitutes.
Circular 3,978/2020 doesn't literally say 'judicial search' but requires financial institutions to adopt KYC procedures 'proportional to the client's risk.' This means for credit operations of relevant value, a KYC limited to bureau scores may be deemed insufficient in a BACEN audit. The regulator expects the institution to demonstrate it conducted verifications consistent with the risk level — and court data is exactly that complement. Resolution 4,557/2017 (integrated risk management) reinforces this: institutions must identify, measure, and monitor credit risks with robust methodology.
Yes. Art. 7, §4 of LGPD dispenses consent for data 'made manifestly public by the subject' — court cases published in public lookup by the courts themselves fit here. Additionally, art. 7 item IX (legitimate interest) covers KYC for commercial decisions, and item VI (regular exercise of rights) covers regulatory compliance. ANPD reinforced in a 2023 guidance that data published on official public portals can be processed without consent when the purpose is legitimate. Keep a per-query audit log (Vigilant generates this automatically) as an auditable trail.
Vigilant charges R$ 0.10 per query per court. In a Tier 1 KYC (1-5 courts in the client's home state), cost is R$ 0.10-0.50 per client. In a Tier 3 KYC (12 courts, full DD for high credit), R$ 1.20. Compared to the credit value at risk (R$ 10,000-500,000), the cost is negligible — ROI of 10,000x to 100,000x. Real integration cost depends on your stack: if you already have a decision engine with webhooks, integration takes hours; if manual, a spreadsheet or Make/Zapier workflow resolves it without a dev.
Scope and timing. Judicial KYC is a quick, standardized, automated check that runs on ALL clients as part of the normal approval flow. Judicial due diligence is a deep, customized investigation normally assisted by a lawyer, run in high-risk situations (M&A, corporate credit, strategic supplier). KYC takes seconds and costs pennies. DD takes days and costs thousands. We cover DD in depth in the post [Judicial due diligence: the practical guide](/en/blog/due-diligence-brazilian-entities/).
3 paths by increasing complexity: (1) Manual — paralegal searches high-risk CPFs in Vigilant's dashboard before approving, flags the system if something is found. Works for low volume (<50 approvals/day). (2) Semi-automated — Python/Node script calls Vigilant's API for each CPF in the queue, result is written to a database and the decision engine reads judicial features as additional inputs. (3) Full-pipeline — webhook integrated into the decision engine (e.g., Modela, QI Tech, Mambu) calling Vigilant in real time, returning a normalized judicial score, and the engine approves/denies without human intervention. The [technical docs](/en/developers/) have examples in cURL, Python, Node.js, and Go for each path.
Technically yes, but be careful. LGPD requires transparency in automated decisions (art. 20) and the Consumer Defense Code protects against refusal without justification (art. 43). The recommended practice is using court data as an ADDITIONAL FEATURE in the decision model (alongside score, income, history), not as the sole denial criterion. If the model uses court data to deny, the institution must be able to explain to the subject which data impacted the decision and the logic involved. Many fintechs use it as an 'alert signal' that routes to human review rather than automatic denial — more defensible from a regulatory standpoint.
In order of criticality for default risk: (1) Federal/state tax executions — indicate active tax debt, high risk of generalized judicial freeze via BacenJud; (2) Civil executions — there was already a conviction and the debtor didn't pay; (3) Labor claims as defendant — accumulated labor and social security liability; (4) Bankruptcy/recovery proceedings — systemic risk; (5) High volume as plaintiff — signal of habitual litigant (see [our habitual litigation guide](/en/blog/brazilian-vexatious-litigants/)). Criminal cases are relevant but less predictive of financial default.
Related articles
Jun 16, 2026
Brazilian lawsuit monitoring: how to get automated alerts for new cases against a CPF
Practical guide to automated lawsuit monitoring: how it works, 3 implementation tiers (spreadsheet, no-code, backend), real costs, best practices, and how to integrate alerts into your workflow. Updated April 2026.
May 26, 2026
Brazilian labor liability: auditing suppliers under Súmula 331 to avoid subsidiary responsibility
Practical guide to TST Súmula 331, subsidiary responsibility in outsourcing, how to audit suppliers for hidden labor liability, exposure formula, and actionable checklist. Updated April 2026.
May 12, 2026
Vexatious litigants in Brazil: how to identify and protect your company from predatory litigation
What vexatious litigants are, how they affect banks, telecoms and insurers in Brazil, what CNJ Resolution 529/2023 says, and how to identify patterns before the next lawsuit. Updated April 2026.