The Open Finance Model in Colombia, its Regulation and Main Challenges

With the issuance of Decree 1297 of 2022, hereinafter "the Decree", through which the voluntary model of open financial architecture was implemented, Colombia became the third country in the region, after Brazil and Mexico, to establish an open finance regulation.
 
Specifically, open finance, better known as Open Banking or Open Finance, consists of the exchange, transfer and circulation of personal data of financial consumers, subject to their authorization, between financial institutions or specialized third parties. In this model, the owner of the data acquires control of them and allows third parties access to his information so that they can provide him with new or better services; therefore, when the consumer authorizes, in a prior, express and informed manner, the financial entity to process his personal data, he allows them to be shared in a standardized manner with other financial entities or specialized third parties, promoting new collaborative models.

With the implementation of the open finance model in Colombia, the financial system seeks to open access to its data to achieve the free exchange and use of these in order to create products and services that meet the needs and preferences of consumers, allowing it to respond to new market demands and generate new growth opportunities (URF).

Regarding its operation, the decree mentions the framework of electronic transfers, exclusively, it adds the activity of payment initiation, consisting of sending payment orders or fund transfers through a third party that may or may not be supervised by the Financial Superintendency, in this way, the customer initiates a transfer of resources from his account through a third party (payment initiator) that is not his financial institution, which improves his experience since he does not have to go through the latter’s channels. It should be noted that the function of the payment initiator is limited to offering the user a service for transmitting payment orders to his financial institution and therefore does not manage and/or access the user’s resources or funds.

Within the international framework, a series of risks inherent to the payment initiation activity have been identified, such as information security and privacy risks, risks of impersonation and fraud, reputational and operational risks; in this regard, international experience shows that there are some rules that help mitigate such risks.
 
One of the main challenges of Open Finance is the protection of clients in relation to the use of their data and security, and also the responsibility of the actors who have access to the client’s data for the effects derived from the violation or misuse of such data. In the payment initiation activity, the risk of information security and privacy is mitigated when there is a regulation that obliges the initiator to have measures to ensure that unauthorized third parties do not have access to customer information and when payment initiators are restricted from requesting or storing more information than is necessary for the development of their activity.
 
This risk is contemplated in the Decree to the extent that it indicates that the payment initiator, in the development of its activity, may not manage or hold the originator’s funds (put). Likewise, this instrument explicitly states that payment initiators may not request more information from payers than is strictly necessary to initiate the payment order or transfer of funds; the provision adds that under no circumstances may they have access to the passwords or authentication mechanisms of the payer with the issuing entity.
 
There are other risks that the system must face, such as those mentioned above. The conditions of each of them are analyzed below:

 As for, the risk of impersonation and fraud, which may be consummated to the extent that when the transfer is initiated by a third party other than the financial entity, cases of impersonation or fraud may occur, it is important that the payment initiator has the user’s authorization for each of the payment orders to be initiated. Likewise, the international rule indicates that there must be reinforced authentication rules on the part of financial entities[14].

In particular, the Decree mitigates the risk to the extent that it establishes that the initiation of payments necessarily implies a prior authorization by the originator, so that the initiators cannot initiate payment orders without such authorization. In addition, the Decree states that in order for a payment order to be processed in the payment system, entities must authenticate and confirm the originator.

Regarding reputational risk, caused when there is a failure in the payment initiator’s service, ideally the initiator should be ordered to inform the customer about the scope and terms of provision of its services, being necessary to develop user service policies and procedures[15].  
 
In this respect, the Decree establishes the duty of information and scope of the offer, thus specifying that the entities supervised by the Financial Superintendency that offer for commercialization, in non-face-to-face channels, services of third parties not supervised by the same institution, must comply with their obligations and rules of the financial consumer protection regime and the consumer statute. Regarding consumer protection, the international rule indicates that under the understanding that the initiator serves the client, it must provide complete and timely information to its users regarding the services it provides and their conditions.

Finally, operational risks refer to the need for liability rules in case of defective payment orders or those that are improperly executed. Whether the liability corresponds to the payment initiator or to the issuing entity, it is necessary to opt for a regulation that contemplates a liability regime in such cases. Specifically, it can be observed that the Decree does not expressly contemplate it, however, it would be correct to regulate the matter.

In conclusion, it is clear that the Open Banking or Open Finance model promotes competition, innovation and efficiency in the provision of financial services, allowing financial entities to better profile users and develop strategies and alliances with entities from other sectors. In addition to the above, in relation to the payment initiation system, although it may suffer from risks, the regulation allows them to be mitigated.

DRAFTED BY: Laura Sofía Díaz
REVISED BY: Lucciana Fuscaldo & Claudia Delgado