Konsentus Powering Trust in Open Ecosystems

Unlocking the Fintech Law: Open Finance in Chile

In September 2021, former Minister of Finance, Rodrigo Cerda, presented a draft of the ‘Fintech Law’ to Congress. Earlier this month the CMF issued the regulation that would govern the Open Finance System (OFS) in Chile. We take a look at what it's taken to get to this point and how to make a success of open finance in Chile.


On 3 July 2024, the Chilean financial regulator and supervisor, the Comisión para el Mercado Financiero (CMF), published a standard to regulate open finance within Fintech Law 21.521.

This announcement was the culmination of more than three years of collaborative effort, by both the private and the public sector, to implement an open finance ecosystem in Chile based upon best practice and learnings from across the globe.

It started with a study by Rosario Celedon and Ana Maria Montoya, highly recognised competition and financial regulation experts, who were commissioned by the Ministry of Finance to set the basis for what would later be called the ‘Fintech Law’. Their work (“Lineamientos para el Desarrollo del Marco de Finanzas Abiertas en Chile, con foco en Competencia e Inclusion Financiera”), published in August 2021, highlighted a requirement for new actors to enhance the provision of digital products and services enabling consumers to better access their financial information within a safe and secure environment.

As early as September 2021, former Minister of Finance, Rodrigo Cerda, presented a draft of the ‘Fintech Law’ to Congress with the vision of regulating the financial sector with a focus on competition and financial inclusion.

The Chilean Senate voted to pass the country’s Fintech Law in early October 2022 and it was approved by the Chilean Congress on 12 October 2022, ready for enactment by President Gabriel Boric.

Ratified by the Ministry of Finance on 4 January 2023, the Fintech Law set out to regulate open finance and further the country’s vision of promoting competition and financial inclusion through innovation and technology.

Fintech Law 21.521 – an overview

The Fintech Law established the legal framework for exchanging customer data between different financial service providers.

The regulation identified 4 regulated open finance roles:

  • Data Providers
  • Data Service Providers
  • Account Service Providers
  • Payment Initiation Service (PIS) Providers

It also mandated obligatory data-sharing, set the tone for future interoperability, and called for bilateral open banking agreements to come to an end, while highlighting the importance of linking identity and authentication capabilities to state-of-the-art technology.

Most importantly though, the Fintech Law laid the foundations for the CMF to define the rules and standards that would govern open finance implementation in Chile.

Consulting on the best operational framework for Fintech Law 21.521

The publication of the Fintech Law set the clock ticking, giving the CMF eighteen months to issue the necessary legal framework to ensure the ecosystem could be successfully implemented.

Within this time, the CMF would need to review the different regulatory models, define API and consent standards and draw up registration services regulation to enable fintechs and other entities to enrol within the ecosystem.

To help with the comprehensive delivery of these rules and standards, the CMF consulted with the public and private sector. This culminated in the creation of the Open Finance System Forum on 6 December 2023. Its role was to collaborate with the CMF on how to achieve a successfully functioning open finance system.

The development of this Forum is one of the key characteristics of the Chilean ecosystem where the foundations for clear governance and rule setting were laid out. The forum drew upon the work of many, including international organisations, both public and private, with expertise on the topic. Konsentus was proud to be included in the highly organised and detailed work that took place, supported by the CMF Innovation Centre that set clear goals and timelines.

Through our work across the globe, we have validated the importance of a robust governance framework to lay down foundations for an interoperable and future-proofed framework. Seeing Chile develop these solid building blocks is encouraging; it allows for transparent discussion around rules and standards, setting the stage for an implementation that is fit-for-purpose.

Ultimately it is the governance model that prescribes the rules and standards that will define the interaction between players. Much has been said about centralised infrastructure, and whilst we agree with this approach, it can reside with, or be run by, regulated actors with the support of qualified providers.

Following the external input, the CMF put the proposed regulation governing the Open Finance System (SFA) – Title III of the Fintech Law – up for public consultation between April and May 2024.

Consultees provided feedback and input on:

  • Section I: Scope of the Open Finance System
  • Section II: Operation of the System
  • Section III: System Security and Safeguards
  • Section IV: System Information
  • Section V: Other Provisions


On 3 July 2024, after having reviewed consultee input, the CMF issued the regulation that would govern the Open Finance System (OFS) in Title III of Law No. 21,521 (also known as the Fintech Act). Known as ‘General Standard N°514’, this regulation addressed the same five topics put up for consultation.

What is clear from the outset is that the CMF put strong foundations in place to guide them through the process, resulting in the delivery of an extremely thorough and extensive set of implementation rules and standards.

1) Scope of the Open Finance System

The regulation states that all entities within Chile’s open finance ecosystem must be governed by the same rules and standards – not just banks but fintechs too.

This is different from other Latin American open finance ecosystems, such as Colombia and Mexico, where only entities providing payment initiation services are regulated.

Those that qualify comprise:

  • Information Provider Institutions (IPI)
  • Account Provider Institutions (IPC)
  • Information Based Service Providers (PSBI)
  • Payment Initiation Service Providers (PSIP)

The regulation also sets out the licensing requirements for the different entities, calling for a certificate authority to issue digital certificates to the participants. These certificates are to comply with the X.509 standard and must be based on TLS specifications for the signing and encryption of messages.

In terms of the operating model, this is set to mirror Europe with fintechs connecting directly to banks rather than via a central hub and requires all participants to first be registered in a central directory as stipulated in article 19 of the Fintech Law.

This approach means greater work for the Regulator as they will be required to supervise not just the banks, but also all fintechs who wish to participate in the open finance ecosystem. The increased regulatory supervision of fintechs will provide banks and consumers with confidence that these organisations have met the required regulatory thresholds and continue to be monitored for compliance.

As has been demonstrated in Europe, this removes the burden on banks to ensure that fintechs wishing to access their open finance APIs are compliant with the regulation, providing a common market approach to fintech regulatory authorisation.

The regulation specifies that the directory will contain the registration and authorisation data of participants, their role and profile data, alongside a search capability. To speed up identity and validation, endpoint data and associated digital certificates will also be available.

2) System operation 

APIs are the main mechanism that must be used for responding to access requests, with the upkeep of APIs the responsibility of participants.

Standards are set out for API specification and design, architecture, data management, authorisation and authentication, security profiles and exchange protocols.

API performance and availability are also addressed, with a minimum daily uptime of 95% and a transaction processing speed of under 4,000 milliseconds for data requests and under 800 milliseconds for payment initiation requests.

Entities must have mechanisms in place to report on the performance and availability of their APIs with weekly results submitted to the CMF each month.

This approach, like practices adopted in the United Kingdom and Brazil, will provide the CMF with up-to-date market information on the health and development of the open finance ecosystem. This approach is vital to understand and analyse overall ecosystem and individual bank performance, the number of active fintechs, the volume of transactions processed (successful vs failed), and the overall number of consumers and businesses engaging in open finance services.

These key performance indicators will be critical for understanding the growth and development of the ecosystem as it matures and will provide the regulator with insight into areas that may require intervention to support growth and competition. It is recommended that the CMF publish monthly key performance indicators so that all can see how the open finance ecosystem is developing.

This approach is distinctly different from that of the European market where there is no information available other than the number of banks and fintechs regulated to provide open banking services. This results in there being no understanding of ecosystem performance, growth, the number of transactions processed or the number of citizens using the services.

The regulation calls for participants to provide specific information on the operation of the Directory. It is also their responsibility to ensure their data is correct and up to date, including:

  • Functional and technical contact information
  • Certificate information including public keys
  • API endpoint information

Data quality of the system will be maintained through periodic and random testing, with results reported to the Commission who will deal with any defects appropriately.

3) Security and system safeguards

Each entity participating in the ecosystem is required to have a risk management function responsible for providing reports on defects in activities. They must also set up appropriate compliance policies and procedures and have an annual risk management plan.

Information security and cybersecurity management are addressed, stipulating that incident response and recovery procedures are in place and updated annually (in addition to when any incidents occur).

Authentication and verification rules stipulate that the OpenID Connect standard should, where possible, be the minimum authentication and confirmation standard for customers and that authentication of the financial client will be through strong customer authentication.

Information Based Service Providers (PSBI) and Payment Initiation Service Providers (PSIP) must hold certificates issued by accredited certificate issuers. When presented, the information in these certificates must be cross-referenced with the authorised profiles in the Directory to ensure validity.

Consent must only be granted if all the stipulated rules and standards have been followed, with a record of each consent communicated to the regulated entities and stored by them in a control panel that must be made available to data owners. This allows them to know, verify and revoke any consents they have granted.

To enable interoperability of the open finance system, the standards must meet technical specifications set out by the Commission. All third parties must be treated equally, and any additional technical standards must ensure a level playing field for all.

In terms of cost distribution, banks will have the opportunity to charge for API requests (excluding payment initiation services) once volumes exceed a minimum threshold, with any threshold review and modification the responsibility of the CMF.

4) System Information

Data that must be shared by regulated entities in the open finance system comprises:

  • Terms & conditions and channels
  • ID and enrolment data
  • Commercial, usage and transaction history data
  • Payment initiation data

5) Other provisions

There are clauses in the regulation allowing for entities to be suspended for either deficiencies in their systems or operational errors.

But perhaps one of the most important provisions is the timeline set out by the CMF for implementation. This will be in two stages:

  • Technological preparation and development for participants and the CMF: This will last 24 months (from 3 July 2024), after which the rules will come into effect
  • Gradual implementation (from July 2026)
    1. For Banks and Credit/Debit card issuers
      1. 6 months for terms & conditions and service channel APIs
      2. 15 months for enrolment
      3. 18 months for retail, corporate and payment initiation APIs
    2. For those defined in letter (a) through (h) of the Fintech Law:
      1. 24 months for terms & conditions and service channel APIs
      2. 36 months for the implementation of APIs on enrolment, historical financial positions, history of uses and transactions and current products

Making General Standard N°514 a success

The rules and standards published on 3 July 2024 are extensive in detail and have set Chile off in the right direction for success.

But several outstanding questions will need to be addressed for the Open Finance system to operate efficiently and effectively.

The Directory has rightly been identified as being central to the functioning of the ecosystem, but it must be robust and built for scale. As innovation drives adoption, transactions will scale. Will the directory be able to handle such usage and what provisions have been put in place to update the directory as the ecosystem evolves?

Funding is another matter which is absent from the regulation and has presented a challenge for many ecosystems across the globe. Who will fund the Directory and how will the CMF ensure that the ecosystem is architected cost-effectively without sacrificing security?

What is fundamental to what happens over the next 24 months is that innovation is prioritised to drive competition, enabling consumers and businesses to have better access to tailored financial products and services. When delivering the functionality of the ecosystem, this end goal of innovation to enable financial inclusion should be the primary focus. We believe that with a collaborative approach, the objectives and goals are achievable within the suggested timeline.
