On Friday 29 October 2021, Colombia’s Ministry of Finance and Public Credit published for consultation a decree defining the requirements for a voluntary open banking framework. This proposal is the first written decree around open banking and open finance in Colombia. 

As is customary, the Ministry of Finance has also published a technical document which provides context around the draft decree. The technical document outlines the objectives and changes needed to accommodate current regulation, which will allow for the development of a market-driven open banking model. 

Key Messages from the Draft Decree 

In line with international standards, open finance drives competition, inclusion, and efficiency in the provision of services. It enables financial institutions to better profile users and develop strategies and alliances with entities from other sectors. 

The decree aims to further the development of the Colombian financial system by implementing open finance architecture through a voluntary model. According to the regulator, a voluntary, market-led approach to open banking will encourage innovation and allow entities to implement open finance in a variety of ways. 

The decree has three broad aims:

1. Specify the rules around the exchange of consumer data
2. Establish the administration of digital platforms and services
3. Regulate payment initiation services (PIS) 

The treatment of personal data 

The first section of the decree deals with the treatment of personal data, the commercialisation of data, the security of data, and banking reserve obligations. 

It describes how entities supervised by the Financial Superintendence of Colombia (SFC) may commercialise the use, storage, and circulation of personal data; provided they have the express authorisation of the data owner and comply with regulation related to data protection and habeas data. 

Digital ecosystems and third parties 

Entities supervised by the SFC will be able to offer third party products and services in their virtual and face-to-face channels, provided the offer is related to their authorised operations and that consumers can identify the vendor.  Regulated entities may seek compensation from third parties which offer products and services through their electronic platforms. 

Furthermore, those entities supervised by the SFC (banks, insurance companies, brokerage houses and so on) will be able to commercialise the technology and infrastructure they normally use to provide their products and services to third parties.  This is known as Banking-as-a-Service (BaaS). 

Payment Initiation 

PIS is defined as an activity that can be developed by any participating entity which operates low-volume payments platforms according to a set of rules around security, transparency, and efficiency. The rules state that: 

• Payment initiators will not be able to initiate payment orders without having been previously authorised by the user. 
• Each initiated payment order must be authorised by the user. 
• Issuing entities must, in all cases, authenticate their users before payment orders are processed within the system of payments. This authentication must be done in accordance with the rules issued by the SFC. 
• Payment initiators will not be able to ask users for more information other than what is strictly necessary to initiate the payment order or electronic transfer. In no case may they have access to the keys, passwords or user authentication mechanisms held by their issuing entity. 

PIS is open to providers such as credit institutions, entities specialised in electronic deposits and payments (SEDPES), and any non-regulated entities, as long as they comply with the legal requirements as a participant of low-volume payment systems.  

Importantly, PIS will also apply to providers sending payment orders or electronic transfers to the issuing entity through connections or technologies arranged bilaterally between the two parties.  

Reflections on the Regulation 

Data flow architecture 

Each entity can decide whether to use a centralising operator to channel information to other actors, or do so bilaterally or in another way, depending on the business case identified. According to the regulator, this flexibility has allowed multiple models to originate in the market. Examples are the centralised plurilateral model developed by credit risk bureaus, or bilateral models within the framework of agreements or commercial alliances. 

In mandatory open banking models around the world, the legislator establishes the way in which information will be shared by financial entities. These generally use a system centraliser. Under a voluntary approach, the form in which entities share their information is not limited, as long as they comply with the rules of information protection.  

Open data 

The Ministry of Finance has also set the stage for the development of open data. In parallel to the creation of an open finance framework, open data regulation will promote the exchange of information by other sectors. It will also strengthen the ecosystem and enhance its benefits. 

Conclusion and next steps 

The draft decree is currently being discussed in Congress. The consultation finishes on 24 November and should take effect by the end of the year – when the current legislative period closes. 

The decree is a major step forward for Colombia and its market-led approach to open finance. It is forward-looking – incorporating open data as well as open finance – and provides certainty around standards, platforms, and consumer protection. However, what is less apparent is how newer financial service providers will engage in the space. 

This will be one of the many topics addressed at Open Banking Exchange’s (OBE) working groups and webinars. OBE connects participants of the Colombian open finance ecosystem in a collaborative environment turning regulatory requirements into an operational reality.