On May 4, after some months of public consultation, the National Monetary Council (CMN) and the Central Bank (BC) published a regulation[1] that governs the open banking in Brazil, one of the priority topics on what has been presented as the BC# Agenda.

At a press conference held on the same date, representatives of the Central Bank stated that the objective of open banking in Brazil is to empower financial consumers. In this sense, and in line with the General Data Protection Law (LGPD) and other rules on the subject, the new regulation is based on the principle that registration data and information on products and services provided belong to the customer and it is up to them to decide whether or not to share with third parties participating in the ecosystem. The bill also aims to increase efficiency and competitiveness within the National Financial System and encourage financial innovation.

Open banking is a concept of standardized sharing of data and services provided by financial institutions through the opening and integration, via Application Programming Interface (API), of their online platforms with other information system infrastructures. As an example, let us imagine that a customer of financial institution X already uses internet banking (through an application developed internally by institution X) to look up balances, make transfers etc. This same customer has another account at financial institution Y, also using the application developed internally by this institution to manage investments, check balances, payments made, etc. After implementing open banking it will be possible to look up the financial activities of both accounts through the use of a single application integrated via API to the financial institution's platform (since the participating institutions would have a standardized and integrated data sharing format).

Open banking enables financial institutions to dedicate themselves to their core activities, i.e., to the creation of new financial products and activities inherent to this segment, by encouraging other participants to enter the market to offer technological solutions focused on the customer's experience. It is assumed, in a way, that the data is the property of the customer and that, in fact, institutions should focus their energies on the purely financial market activities. This concept is attractive because it represents a great leap forward in the availability and provision of banking services. It has been discussed and/or implemented in various countries, such as Canada, Mexico, United States, Hong Kong, Japan, Singapore, Australia, New Zealand, Russia, and the United Kingdom.[2]

In Brazil, according to the new regulations issued, institutions authorized to operate by BC may participate in open banking. Large banks within Segments 1 (S1) and 2 (S2)[3] must participate. The other authorized institutions may participate if they wish and non-authorized institutions may participate through partnerships with authorized participating institutions. Any participation must follow the principle of reciprocity, i.e. the recipient must also share information.

In addition to sharing data and information, open banking in Brazil also involves sharing services and for those the obligation to participate is different. In the case of sharing of a payment transaction initiation service, participation is mandatory for (i) institutions holding an account;[4] and (ii) institutions initiating payment transactions.[5] In the case of sharing of a credit proposal forwarding service, participation is mandatory for institutions that have signed a correspondent contract in Brazil, the purpose of which contemplates receipt and forwarding of proposals for credit and leasing operations granted by the contracting institution, as well as other services provided for the monitoring of the operation, by electronic means.

The regulator divided the implementation of the project into four phases. First, participants should disclose less sensitive data about the institution itself that is easily available, such as data about customer service channels (divided into own facilities, banking correspondents, and electronic channels) and, for each channel, the form of access by customers and the services provided in each of them. In the first phase, data on products and services offered by the institution should also be shared, including cash and savings accounts, prepaid and postpaid payment accounts (such as credit card data made available) and credit transactions.[6] Such information should be disclosed in an organized and standardized manner, so that it can be looked up in a simple way by third parties, which can make comparisons between the various products and services offered. This phase should be implemented by November 30, 2020.

The second phase, the implementation of which must be completed by May 31, 2021, provides for the sharing of data and transactions involving the customers themselves, in a manner previously authorized by them. The objective of the second phase is to share both customer registration data and information on transactions carried out through a checking account or savings accounts, prepaid and postpaid payment accounts (including credit card transactions), and credit operations entered into by them. This is expected to encourage healthy competition, as a third-party bank will be able to offer customers the same product in a more advantageous, cheaper, and customized way.

The third phase, the implementation of which must be completed by August 30, 2021, involves the sharing of services of (i) initiation of payment transactions[7] and (ii) forwarding of credit proposals. Under the terms of Joint Resolution No. 1/2020, in relation to this sharing, institutions that do not fall under segments S1 and S2, but which hold accounts (deposit or prepaid) or provide payment transaction initiation services, in the case of the service mentioned in item "i", or which have signed a correspondent agreement in Brazil to receive and forward proposals for credit or leasing transactions, in the case of the service mentioned in item "ii", must also join open banking.

Finally, in the fourth phase, the regulator intends to expand the scope of open banking to include data and transactions involving foreign exchange services and transactions, insurance, private supplementary pensions, and investments. Here coordination with other regulators, such as the Bureau of Private Insurance (Susep) and the Brazilian Securities and Exchange Commission (CVM), is expected. This last phase must be completed by October 25, 2021.

The regulation also presents essential issues for the development and consolidation of open banking in Brazil, such as: (i) the requirements for sharing customer data; (ii) the responsibilities of the parties involved in data sharing; and (iii) the obligation for participating institutions to enter into a convention regarding issues related to:

  • technological standards and operating procedures;
  • standardization of data and service layout;
  • channels for forwarding customer claims;
  • procedures and mechanisms for handling and resolving disputes between participating institutions;
  • reimbursement among the participants;
  • participant repository;
  • rights and obligations of participants; and
  • other issues deemed necessary for compliance with the regulations.

Regardless of the regulations and the approach of the regulator, the perception of insecurity behind the sharing of data and information is high, especially in the case of financial information that is also protected by banking secrecy. Therefore, BC established the obligation of institutions to conduct their activities with ethics and responsibility, in compliance with the laws and regulations in force, as well as the principles of transparency, data security and privacy, data quality, non-discriminatory treatment, and interoperability.

With respect to business continuity, the regulations require institutions to ensure that their risk management policies cover:

  • procedures to follow in the event of unavailability of the interfaces used for sharing;
  • deadline for restarting or normalizing the availability of the interface;
  • handling of incidents related to customer data breaches and the measures taken to prevent and remedy them; and
  • results of business continuity tests, considering the scenarios of unavailability of interfaces.

In addition to the regulations published by CMN and BC, open banking will also have a self-regulation structure. As mentioned above, the rules provide for the existence of a convention to be discussed and prepared by a governance structure representing the market itself.[8] The self-regulation structure will mainly deal with putting open banking into operation, including technology standardization and communication and security protocols, as well as dispute resolution and reimbursements among participants.

Since it enables the reduction of information asymmetry among the various financial service providers, open banking promises structural changes in the supply of financial products and services in Brazil, transforming the experience of customers and institutions and fostering competition, innovation, and financial inclusion in the local market.

[1] CMN/BC Joint Resolution No. 01/2020 and BC Circular 4,015/2020.

[2] The United Kingdom pioneered the development of this concept as public policy. That country's experience is widely regarded as a reference, having been publicly mentioned by interlocutors of BC as a source of inspiration. To learn more about how this initiative is developing in the UK and possible paths for the Brazilian experience, we recommend accessing: https://www.openbanking.org.uk/

[3] Institutions belonging to prudential conglomerates that do not provide the services referred to in customer transaction data shall be exempt from the compulsory participation requirement.

[4] These are defined as those that maintain a customer's checking account or savings account or prepaid payment account.

[5] They are the authorized institutions that, within the scope of open banking, will provide payment transaction initiation services, without holding at any time the funds transferred in the provision of the service. A payment transaction initiation service is a service that enables the initiation of a payment transaction instruction, ordered by the customer, regarding a deposit or prepaid payment account.

[6] The information should cover, for example, fees charged, packages of services made available and their amounts, minimum balance requirement in accounts, procedures for closing accounts, income rates, reward programs, interest charged (both on credit cards and other credit transactions), and types of collateral required for credit transactions, among others.

[7] The aforementioned institutions may be hired by other open banking participants to provide these services, which should include, at a minimum, account debit services, transfer of funds between accounts at the institution itself (book transfer), electronic transfer of available funds (TED), instant payment transaction (PIX), credit document (DOC), and bank invoice payment.

[8] In early March of this year, BC published an ordinance setting up a working group to propose a structure responsible for the governance of the process of implementing open banking in Brazil. This group completed its activities on April 30, 2020, and delivered a report on a number of governance topics to the BC’s Director of Regulations. It is expected that the governance structure to be determined by BC will follow the recommendations of this report and will be published in the coming days.