Colombia’s Open Finance Journey: A Voluntary Model

In 2019, TESOBE helped the Financial Regulation Unit (URF) at the Colombian Ministry of Finance by conducting extensive research and facilitating interviews with key stakeholders, including the Colombian government, banking institutions, FinTech startups, and foreign experts. The analysis resulted in a report that served as a crucial foundation for the Working Paper titled Open Banking and Portability in Colombia, published by the URF in 2020. This Working Paper was a cornerstone for the development of the Colombian Open Banking strategy.

Two years later, in July 2022, regulators published decree number 1297, which dictates the rules for implementing Open Finance on a voluntary basis.

The decree does not directly address APIs for data exchange, but rather the processing of personal data and how it can be shared with third parties with the express authorisation of the data subject. In addition to being voluntary, institutions will be able to monetise their data-sharing service.

The Superintendencia Financiera de Colombia (SFC) had one year from the issuance of the decree to establish technological and security standards to promote interoperability within the Open Finance ecosystem.

The SFC’s approach to standardisation is phased, starting in 2023 with the first phase relating to public data on products, services and channels, followed by phases 2 and 3 for transactional data in different sectors starting in 2024 and 2025 respectively.

A voluntary model for banks

In Colombia’s model, banks can choose to participate in Open Finance initiatives voluntarily. The key elements of this approach for banks are:

Flexibility: Banks have the flexibility to decide whether to participate in Open Finance. This allows them to assess the potential benefits and risks before committing to the implementation, which can be particularly useful for smaller or less technologically advanced banks.
Cost Control: Banks can manage the costs associated with the implementation. They can choose to invest in the necessary infrastructure and resources based on their business strategies and customer demands, rather than following a mandate that is irrelevant for their business.
Competitive Advantage: Banks that voluntarily adopt Open Finance can gain a competitive advantage by offering innovative services and leveraging partnerships with third-party providers. They have the opportunity to differentiate themselves in the market and attract new customers.

Where are we now?

In 2023, Superintendencia Financiera de Colombia issued a draft external circular containing the Instructions Regarding Open Finance and Commercialisation of Technology and Digital Infrastructure. As of the date of publication of this blog, the SFC has issued 4 draft versions. The draft external circular aims to:

Define the requisite technological and security benchmarks for the adoption of open finance systems.
Ensure financial consumer data is treated securely and transparently, in alignment with Data Protection Laws.
Outline the protocols supervised entities must adhere to when commercialising their digital technology and infrastructure.

Several important highlights extracted from the document:

Binding of third-party data recipients

Regulated entities participating in Open Finance ecosystems must adopt policies and procedures for the binding of third-party data recipients, i.e. legal entities that must be established and domiciled in Colombia. They must have policies and procedures for data treatment in compliance with data protection laws as well as security mechanisms to securely handle data and mitigate cybersecurity risks.

Technological and security aspects

Regulated entities must expose APIs that share data in JSON format and follow the RESTful architecture. Regarding data management, the APIs must comply with the ISO 20022 standard and use the same data field dictionary. Similarly to most Open Finance guidelines, the APIs must be able to perform authorisation using the OAuth 2.0 protocol, comply with FAPI 2.0, and secure information using TLS.

This step in the Colombian Open Finance initiative demonstrates the importance in following international best practices. Colombia is adopting a similar technical standard to Brazil, including ISO 20022, which should facilitate interoperability among the two financial systems.

Data Privacy

Regulated entities have to authenticate consumers using strong authentication methods when granting, modifying, or revoking their authorisation for data processing. Third-party data recipients must obtain explicit, informed consent from consumers, complying with data protection laws (Laws 1266 of 2008 and 1581 of 2012). In addition, consumers should have the ability to access, permanently delete, and revoke their authorisation for data processing.

Disclosure Obligations

Regulated entities are required to publish information on their websites, providing consumers with insights into Open Finance implementation. This includes details about the authorisation scope, procedures for access and revocation, contact information for third-party data recipients, channels for inquiries and complaints, and procedures for data deletion.

A strategic blueprint for banks

For a bank to compete effectively and benefit from this wave of innovation, it is vital to adopt a well-structured strategic approach to address the requirements and expectations set by the country’s regulations and to anticipate the changing needs of their clientele.

The following guide draws from the guidelines provided by the Financial Superintendency of Colombia (SFC) and offers a roadmap for supervised entities looking to implement Open Finance schemes.

Prior to delving into the technical and regulatory aspects, the bank must take a proactive stance towards Open Finance. This entails recognising the opportunities it presents and aligning corporate objectives to capitalise on them.
Training internal teams on the principles and benefits of Open Banking is paramount. This not only prepares the bank for operational shifts but also fosters a culture of innovation.
Establishing alliances with fintechs, technology providers, and other third-party data recipients can ease the transition towards Open Finance schemes. These partnerships can assist in technology adoption, share best practices, and co-create innovative solutions.
Maintain a Customer-centric approach, as Open Finance is implemented. It’s crucial to keep the customer at the heart of the strategy. This means ensuring customer data remains secure, interactions are intuitive, and opportunities are continuously generated to offer more personalised products and services.
The strategy should prioritise adherence to the security standards mentioned in the guidelines and ensure that all interactions and data treatments are completely transparent and comply with local regulations.
Adopting Open Finance is a journey. It’s vital to establish metrics and KPIs to regularly evaluate progress, pinpoint areas for improvement, and adapt to the shifting market needs.

Outcome

The SFC’s phased approach and the subsequent draft circulars show that Colombia is deeply committed to aligning with international best practices. The adoption of standards similar to global leaders, such as Brazil, not only facilitates smoother cross-border interoperability but also positions Colombia as a hub for financial technological innovation.

However, for banks to truly capitalise on this opportunity, they must view Open Finance not merely as a regulatory requirement, but as a transformative tool. It’s essential to foster an open innovation culture, ensure robust partnerships with fintechs, and place customer needs and data privacy at the forefront. By striking a balance between innovation and compliance, Colombian banks can redefine their role in the global financial ecosystem.

In essence, Colombia’s Open Finance journey underpins a broader vision – one where banks don’t just adapt, but thrive in a world of digital innovation and transparency.