The operation of open finance is becoming a reality in Colombia. This scheme allows entities under the surveillance of the Superintendency of Finance to share their clients' financial information with other entities under said surveillance, or with third parties at the user's request, so that those third parties can provide innovative, personalized, secure, and efficient services to financial consumers.
Last February 7, in line with the Roadmap proposed by the Superintendency of Finance for the operation of open finance in Colombia, the authority issued External Circular 004 of 2024, which defines the technological, security, personal data protection, and other standards to be adopted by entities under surveillance, as well as by third parties receiving data from financial consumers who wish to participate in the architecture. Depending on the participant's role in the scheme, whether an entity under the surveillance of the Superintendency of Finance or a third-party receiver, certain requirements must be met to guarantee the system's security.
Specifically, for third parties receiving personal data to be linked to the system by entities under the surveillance of the Superintendency, they must:
- Be registered in the National Registry of Databases, or if they are not registered, they must have policies and procedures for the treatment of personal data.
- Have procedures for the handling of queries and claims related to the protection of personal data.
- Have mechanisms that allow them to:
  - Manage the risks associated with the processing of financial consumers' personal data, in particular information security and cybersecurity risks, as well as failures in the technological infrastructure and in the systems in which the information is stored.
  - Keep financial consumers' personal data encrypted, both in storage and in circulation.
  - Operate information monitoring systems for the development of open finance, among other controls.
  - Manage the vulnerabilities of the platforms that make use of the data provided within the framework of open finance schemes.
- Inform entities under surveillance, as soon as possible, of any event or situation that may compromise the security of financial consumers' data.
- Have procedures in place for the revocation and deletion of financial consumers' personal data, in accordance with the applicable regulations.
Additionally, the receiving third party must have the prior, express, and informed authorization of the financial consumer for the processing of personal data for these purposes. This authorization is crucial for the proper functioning of the scheme. Third-party receivers must also provide entities under surveillance with their contact information for the handling of queries and claims, and the entities under surveillance must pass this information on to the consumer.
If these requirements are met, entities under the surveillance of the Superintendency of Finance may not restrict the participation of these third-party receivers. In addition, entities under surveillance may not discriminate among third-party receivers with respect to compliance with the requirements outlined above, fees, commissions, applicable charges, or the controls used to monitor the third-party receiver's compliance with those requirements.
We applaud this regulatory development, as it fosters financial inclusion, leverages the benefits of technology, and promotes competition and the operation of new and better services for consumers. We look forward to the execution of the other phases established in the Roadmap of the Superintendency of Finance.
You might be interested: Natural or legal persons who decide on the processing of personal data and who have assets exceeding 100,000 UVT (COP 4,241,200,000, around USD 1,083,000) must register their databases in the National Database Registry. The registration must be updated annually, by March 31 at the latest. Failure to comply with this obligation may result in fines of up to 2,000 legal monthly minimum wages.