How Brazil regulates Open Banking
Thursday 25 November 2021
Fabio de Almeida Braga
Demarest Advogados, São Paulo
fbraga@demarest.com.br
Daniel Oliveira Andreoli
Demarest Advogados, São Paulo
dandreoli@demarest.com.br
Open Banking, its purpose and function
Online communication within our ‘information society’ has become ever faster and more multifaceted over the past few decades. Once upon a time, some would have argued that the advent of the internet was its apex. However, digital technology has continued to advance in leaps and bounds, with today’s economic power coming from the analysis and processing of personal data – the so-called ‘data analytics industry’.
This impact of the analysis and processing of personal data has gained even greater weight with the advent of laws to establish descriptive and prescriptive norms of rights, prerogatives and ownership. These try to place natural persons at the centre of the control and command of their personal information – be it identity or financial information, news about themselves, records of interactions with third parties (public or private entities) or when carrying out the most basic acts of civil life.
Most modern data and personal information protection laws have followed the example of European regulation – principally 2016’s European Parliament Resolution 679, which revoked and updated the provisions on the processing of personal data contained in Directive 46 (which dated back to the 1990s).
While there is no federal legislation on the subject in the United States, the 2018 California Consumer Privacy Act came into force in California in 2020. Meanwhile, the Personal Information Protection and Electronic Documents Act has been in force in Canada since the turn of the century.
Argentina, China, Japan and New Zealand – which have much more stringent rules than other jurisdictions – have implemented laws designed to govern the relationship between consumers and holders of personal information and data, as well as providers of goods and services. The reach of these laws is significantly wider than just the channels offered by the internet.
In Brazil, the first legal provisions on the subject arrived on 14 August 2018, with the enactment of Law No 13.709. This law regulated the processing of personal data, including in digital media, by a natural person or by a public or private legal entity. It aims to protect the fundamental rights to freedom and privacy and the free development of the natural person's personality.
It is in this context that the phenomenon of Open Banking takes place in Brazil today.
‘Open Banking’ refers to an open, interoperable and permeable platform for the sharing of information about financial assets, goods and rights held by account holders and investors who use the services of the capital and financial markets, including payment services. It is a concrete digital concept and structure that establishes the contact and exchange of data between institutions, with the permission of the person holding the information, with a view to providing more convenient services to the end user. This idea of sharing data, products and services, through the opening and integration of platforms and infrastructures, is part of Open Banking's operating basis, with the purpose of providing the consumer market with:
- better financial services and products;
- greater efficiency;
- increasing competition among market agents; and
- materialisation of the objective of financial citizenship (considered as the exercise of rights and the fulfilment of duties that allow citizens to manage their financial resources well, within the context of relationships established in a structured and regulated environment).
It is a seismic shift in the axis of the relationship between the financial system and its users, giving users and businesses opportunities predominantly governed by their own financial interests and designs.
The legislative background
The rules laid down by Joint Resolution No 1, issued by the National Monetary Council and the Central Bank of Brazil, and Circular BC No 4.015 paved the way for Open Banking. These rules provide for Open Banking to consist of the practice of sharing of information, data and services related to individuals and legal entities that use the National Financial System and the Brazilian Payment System in a standardised way among institutions, through the opening up and integration of the operating systems of these entities.[1]
Pursuant to the structuring rules of Open Banking issued by the Brazilian monetary authorities, financial institutions and other institutions authorised to operate under the supervision of the Central Bank must put in place integrated information mechanisms, amongst themselves and among agents that may join the structure, that enable the information holder to authorise their personal data to be shared between institutions. This provides data subjects with access to financial and banking services and products in a safe and efficient manner.
One can compare Open Banking, to some extent, with the principle of portability of services, as introduced in the communications segment in 2008. With the implementation of Open Banking, a wide range of options for contracting financial services should be opened up, with greater speed, objectivity and clarity from the reduction of paper-based, bureaucratic processes.
Banking institutions that, until now, guarded all information related to their customers – and so accumulated opportunities to examine and process those customers’ historical data and financial information – are now subject to the elective autonomy of those same customers and users, who have gained the independence to move between the options on offer in the financial market. Under the auspices of the Banking Secrecy Law, all this information had always remained lodged securely in the computers of banking institutions. No more. The provisions of Law No 13.709 protected this information, which has always been of natural interest to its holders, and put it beyond doubt that its ownership belongs exclusively to the individual to whom it refers. It is, therefore, ‘customer’ information.
The legislation also ensures full freedom of the use of such data and information by its holders, who can exercise this right in the Open Banking environment through the transfer and sharing of consent between financial institutions and entities. Each of these will gravitate to the main axis of operation of Open Banking in the way that best suits them. It will be up to each owner, user and customer of financial services and products to seek the best business opportunities, transactions and investments at rates that seem more advantageous and attractive to them.
Under Open Banking, users will be able to view all the information on their financial transactions jointly and in real time. They will also be able to analyse the offers and services that may better suit their needs, both present and future. This could generate greater predictability and financial programming opportunities for millions of system users, as the financial integration of the national population advances.
Open Banking will allow, on the basis of transparency, agility and informational security, the transfer of information and financial history to institutions that offer a range of services and products that better serve the demands that are created as consumer markets evolve.
It will be possible to contract different products at different institutions, with the practice of exchanging options and compositions at the sole discretion of the user who owns the shared information. Open Banking will allow users to search with greater assertiveness and efficiency, looking for the best offers: this is expected to increase competition among participating institutions.
Open Banking is a profound paradigm shift, which, based on the sharing of information by institutions, will result in the inclusion of products, services and service channels in an environment that will allow the sharing of user information.
The implementation of Open Banking
Data sharing will be carried out through application programming interfaces (APIs). These interconnections enable the integration of different systems, software packages or applications. They will be responsible for:
- standardising data transmission forms;
- enabling each institution’s systems to establish communication and integration channels;
- avoiding errors during the information exchange process; and
- ensuring a minimum security standard that must be observed by the participating institutions.
Each participating institution will need to operate multiple, constant and instantaneous interconnections to give effect to the sharing of data and services.
The Central Bank has determined the market standards and the technical specifications for the implementation of APIs by the participating institutions. More recently, the authority issued Normative Instruction No 130, of 22 July 2021, publishing version 3.0 of the Open Banking API manual. With this, the Central Bank seeks to ensure that data sharing between institutions takes place in an efficient and secure manner.
The Open Banking implementation project in Brazil is based on four phases, scheduled to take place between November 2020 and October 2021.
- In the first phase, the Central Bank established the objective of interconnecting information on data on products and services, consisting of public access to data from the institutions themselves, such as service channels, products and services, prices and costs;
- The second phase has as its scope the sharing of registration data and transactions carried out by customers, through the process of identifying and qualifying institutions’ customers and their financial operations and businesses;
- In the third phase, transactional information must be shared with the initiation of payments (through the functioning of the payment transaction initiators) and the submission of credit proposals; and
- Finally, the fourth phase contemplates the expansion of the scope of shared data to include foreign exchange operations, investments, insurance, supplementary pensions and accreditation in payment arrangements.
The flow of data and information sharing within the scope of Open Banking could be determined as follows:
- The first step consists of identifying the customer and obtaining consent to share their information;
- Second, the institution receiving the data and information makes an interface call with the transmitting institution;
- The third step sees the transmitting institution authenticate the customer and the institution receiving or initiating the payment;
- Fourth, the transmitting institution requests confirmation from the client; and
- Fifth, the transmitting institution then shares the customer’s data and information with the receiving institution.
All of these actions should presumably take place almost instantaneously while the customer uses the system.
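The five-step flow above can be read as an access-control protocol: nothing leaves the transmitting institution unless a registered counterparty, an authenticated customer and a confirmed, in-scope, unexpired consent all line up at the moment of sharing. The following Python model is added here as an illustration; it is not drawn from the Central Bank’s API manual or from any participant’s code. It walks a constructed customer record through the five steps and then shows three refusals a transmitting institution should produce: a request outside the consented scope, a request after the customer has revoked the consent, and a call from an institution absent from the participant directory. All identifiers (PARTICIPANT_DIRECTORY, tx-bank-001, recv-bank-001, cust-42 and the resource names) are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed directory of registered participants (hypothetical identifiers).
PARTICIPANT_DIRECTORY = {"tx-bank-001", "recv-bank-001"}

class SharingRefused(Exception):
    """A step of the flow failed; no customer data leaves the transmitter."""

@dataclass
class Consent:
    consent_id: str
    customer_id: str
    receiver_id: str
    permissions: frozenset    # resources the customer agreed to share
    expires_at: datetime      # consent term
    status: str = "AWAITING_AUTHORISATION"   # then AUTHORISED / REJECTED / REVOKED

class TransmittingInstitution:
    """Holds customer data (constructed) and the consents granted over it."""

    def __init__(self, customers):
        # {customer_id: {"credential": ..., "resources": {name: data}}}
        self.customers = customers
        self.consents = {}

    def create_consent(self, receiver_id, customer_id, permissions, ttl_hours=24):
        """Step 1: record a consent with an explicit scope and term."""
        if receiver_id not in PARTICIPANT_DIRECTORY:
            raise SharingRefused("receiver is not in the participant directory")
        if customer_id not in self.customers:
            raise SharingRefused("unknown customer")
        consent = Consent("urn:consent:" + secrets.token_hex(8), customer_id, receiver_id,
                          frozenset(permissions),
                          datetime.now(timezone.utc) + timedelta(hours=ttl_hours))
        self.consents[consent.consent_id] = consent
        return consent.consent_id

    def authenticate(self, receiver_id, consent_id, customer_id, credential):
        """Step 3: authenticate both the calling institution and the customer."""
        consent = self.consents.get(consent_id)
        if consent is None or consent.receiver_id != receiver_id:
            raise SharingRefused("consent does not belong to the calling institution")
        if consent.customer_id != customer_id or \
                self.customers[customer_id]["credential"] != credential:
            raise SharingRefused("customer authentication failed")

    def set_status(self, consent_id, customer_id, status):
        """Step 4 (AUTHORISED / REJECTED) and later revocation (REVOKED): only the customer decides."""
        consent = self.consents[consent_id]
        if consent.customer_id != customer_id:
            raise SharingRefused("only the consenting customer may change the consent")
        consent.status = status

    def share(self, receiver_id, consent_id, resource):
        """Step 5: release only what an authorised, unexpired consent covers."""
        consent = self.consents.get(consent_id)
        if consent is None or consent.receiver_id != receiver_id:
            raise SharingRefused("no consent for this receiver")
        if consent.status != "AUTHORISED":
            raise SharingRefused("consent status is " + consent.status)
        if datetime.now(timezone.utc) >= consent.expires_at:
            raise SharingRefused("consent term has elapsed")
        if resource not in consent.permissions:
            raise SharingRefused("consent does not cover " + resource)
        return dict(self.customers[consent.customer_id]["resources"][resource])

def obtain(receiver_id, tx, customer_id, credential, resource, approved=True):
    """Receiving institution's side of steps 1-5; the customer's credential and
    confirmation are simulated inline."""
    cid = tx.create_consent(receiver_id, customer_id, {resource})               # 1
    tx.authenticate(receiver_id, cid, customer_id, credential)                 # 2-3
    tx.set_status(cid, customer_id, "AUTHORISED" if approved else "REJECTED")  # 4
    return cid, tx.share(receiver_id, cid, resource)                           # 5

def demo():
    """Happy path plus three refusals; returns the outcomes for inspection."""
    tx = TransmittingInstitution({"cust-42": {
        "credential": "correct-horse",
        "resources": {"accounts.balances": {"available": "1500.00", "currency": "BRL"},
                      "credit-cards.limits": {"total_limit": "8000.00"}}}})
    cid, balances = obtain("recv-bank-001", tx, "cust-42", "correct-horse", "accounts.balances")
    out = {"balances": balances}
    attempts = {
        "scope": lambda: tx.share("recv-bank-001", cid, "credit-cards.limits"),
        "revoked": lambda: (tx.set_status(cid, "cust-42", "REVOKED"),
                            tx.share("recv-bank-001", cid, "accounts.balances")),
        "directory": lambda: obtain("unknown-fintech", tx, "cust-42", "correct-horse",
                                    "accounts.balances"),
    }
    for label, call in attempts.items():
        try:
            call()
        except SharingRefused as err:
            out[label] = str(err)
    return out
```

Running demo() returns the balances released on the happy path together with the three refusal reasons. The point worth keeping from the model is that consent, scope and term are re-checked at the moment of sharing (step 5), not only when the consent is created: revocation and expiry take effect on the very next call, and a consent granted to one receiving institution is not usable by another.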
This increase in information sharing is expected to spark a commensurate increase in the consumption of financial services and products. This is expected to bring increasing numbers of people closer to the formal financial market, as well as giving them a considerable boost in bargaining power. Several other desired results are expected:
- greater competitiveness among the supplying agents operating in the markets concerned;
- competition for the development of new services and products fuelled by information technology innovations; and
- the development of a wide range of new services and products in the financial sector designed to meet market demands.
The consumer experience of such services and products, whether of a credit nature or offered in the payment market, should improve and expand, especially with regard to business and transaction costs, with a potential downward revision of bank spreads.
Since Notice No 33.455, of April 2019, the Central Bank has established its list of Open Banking participants, indicating the financial institutions, payment institutions and other institutions authorised by the Central Bank to operate. This participation is mandatory for institutions that are part of prudential conglomerates from the ‘S1’ and ‘S2’ segments, and voluntary for others.
Governance
To organise the implementation of Open Banking, the Central Bank published Notice No 33.455, in 2019, which sets out the initial structure that will be responsible for the governance of such implementation.
The Notice made clear the Central Bank’s intention to provide only the main operating structure of Open Banking, leaving the task of defining operational and practical aspects of its interconnection to the institutions participating in the new system, through self-regulatory provisions.
It underlined the objective of setting guidelines for the establishment of an Open Banking governance structure for the entire process of its implementation in the national financial environment. It highlighted:
- the representativeness and plurality of institutions and segments of entities participating in the system under development;
- non-discrimination in access;
- mitigation of conflicts of interest; and
- the necessary sustainability of the entire system.
BC Ordinance No 107.101, of 2 March 2020, constituted the working group in charge of proposing the Structure Responsible for the Governance of Open Banking. Proposals were defined on technical, administrative and strategic governance bodies, composition, attributions and responsibilities, budgets for implementing the structure and decision-making processes.
The initial governance structure encompasses associations of institutions participating in Open Banking. This will be replaced by a definitive structure when the last stage of implementation begins.
The Central Bank appointed a representative to act as coordinator of the working group. The Brazilian Federation of Banks, the Brazilian Association of Digital Credit, the Brazilian Association of Banks and the Organization of Brazilian Cooperatives are to designate three further representatives within the scope of the working group.
Three other members were appointed to represent payment service providers, as nominated by the Brazilian Association of Credit Card and Services Companies, the Brazilian Association of Fintechs, the Association of Payment Institutions, the Brazilian Chamber of Electronic Commerce and the Brazilian Internet Association.
The initial structure contemplated three specific levels:
- strategic, integrated by a deliberative council;
- administrative, composed of a secretariat; and
- technical, composed of technical groups.
The deliberative council
The deliberative council is responsible for:
- defining the internal regulations of the structure;
- the schedule of activities;
- deliberating on the convention to be celebrated among the Open Banking participants;
- approving the structure's budget;
- deciding on the structure of the technical groups;
- defining guidelines for administrative and technical levels;
- deciding on contracting services;
- dialoguing with regulatory bodies;
- deliberating on changes to the organisational structure; and
- other issues related to the implementation of Open Banking.
The board comprises seven directors with the right to vote in deliberative processes. Three of the members are appointed by associations of institutions that provide services related to deposit accounts or retail credit operations, which fall into segments S1 to S5. Another three are nominated by associations of payment institutions and of entirely digitalised financial institutions, namely sociedades de crédito direto (SCDs) and sociedades de empréstimo entre pessoas (SEPs). The last member, who is independent and unrelated, is nominated by the Open Banking participants.
The associations responsible for appointing directors were chosen by market players, including institutions authorised to operate by the Central Bank. Their terms of office last for 12 months, counting from the first meeting that follows their appointment. Decisions are taken by simple majority, with only matters related to the approval of the structure's budget, the hiring of services or the alteration of the structure being decided by qualified majority.
The secretariat
The secretariat is responsible for:
- organising work plans and proposals for the technical groups;
- organising the council's agenda;
- proposing, executing and managing the structure's budget;
- considering the demands of the technical groups;
- monitoring the execution of the work of the technical groups and informing the council;
- organising the structure's communication;
- monitoring and managing risks; and
- performing operational and administrative activities.
The technical groups
The technical groups are responsible for:
- developing studies, proposals and work plans to implement Open Banking;
- reporting to the secretariat on the development of proposals;
- standardising technical decisions; and
- facilitating the board's decisions.
The following technical groups are currently working to implement Open Banking:
- Architecture: responsible for guiding the technical groups in the construction and development of the Open Banking platform;
- Communication: responsible for the Open Banking Brazil portal and for the production of informative content;
- Developer/user experience: responsible for proposing aspects related to the customer experience to harmonise concepts, information and the form of interaction with system participants;
- Definitive structure: responsible for the discussions proposed to define the legal nature and function of the definitive structure;
- Policy, risk and compliance: responsible for analysing the regulatory, legal and compliance aspects of the Open Banking project and suggesting the rules that will govern the system;
- Specifications: responsible for taking care of the technical structuring of Open Banking products and defining their objectives, detailing APIs, payment initiation and other functionalities to be defined by the regulator;
- Infrastructure: responsible for defining, implementing and supporting the platforms that permeate all operating scopes of Open Banking in Brazil;
- Fraud prevention: responsible for providing mechanisms that mitigate fraud and money laundering risks in the Open Banking system; and
- Security: responsible for defining the properties, standards and protocols for authentication and authorisation, as well as the minimum security requirements that must be followed by all participants in the ecosystem.
The costs of maintaining the initial governance structure were borne by the participating institutions and divided proportionately, in accordance with a system defined by the deliberative board.
Through this structure, the Central Bank offered the market the necessary conditions to ensure the success of the innovations to come, especially regarding:
- technological standards;
- operational procedures;
- representation;
- plurality; and
- non-discriminatory access for all participants.
It effectively lays the foundations for the sustainability of Open Banking in Brazil.
Recent requirements and procedures
Between 14 April 2021 and 12 November 2021, the Central Bank published new normative instruments relating to the process of implementing the Open Financial System in the country.
The rules were published as Resolution BCB No 86 (Resolution 86) and Normative Instructions (NIs) 130, 178, 184, 133 and 134. Resolution 86 revisited the implementation process, including the technical requirements and operational procedures provided for by Resolution No 32 of 29 October 2020, while the NIs published updated versions of the Open Banking operational manuals.
Resolution 86 changed the provisions on the scope of data and services, requiring the institution transmitting customer registration data and transaction data to inform the date and time both of the last update of the data and of the sharing itself.
Recognising that the response time to each interconnection request between participants may lag, the rule admits a maximum difference, relative to the data available in the institution’s electronic channels, of up to five minutes for data on balances and transactions in a deposit or payment account, and of up to one hour in other cases.
Regarding the rules for registering participants, Resolution 86 made clear that privacy, data use and dispute resolution are included in the list of rights and obligations of institutions. This list of rights and obligations is designated and disclosed by the Structure Responsible for the Governance of Open Banking (as provided for in AR no 1/20).
Resolution 86 also made it clear that the Manual of Services provided by the Structure Responsible for the Governance of Open Banking should detail parameters on the unavailability and performance of participants in activities to implement the directory of participants, as well as support channels to access the directory for forwarding demands, in addition to those related to the Open Banking portal.
The establishment of such details must be based on criteria related to the frequency of availability and the response time to meeting demands.
The monitoring and dissemination of information on the unavailability and performance of request processes for sharing data and services was also added to the list of attributions of the directory of participants, as was conducting compliance testing and registering participant APIs.
Article 13 of Resolution 32 provided the original attributions for the directory to manage:
- the registry and access to the directory by institutions;
- the identity and authorisation of the participating institutions, including identification, authorisation and revocation of certificates used for data sharing and services; and
- the information in the directory that is of interest to participants and developers, on technical standards, regulatory requirements and other matters necessary for implementing the APIs.
The Central Bank also created an API testing environment, providing that the Structure Responsible for the Governance of Open Banking should maintain such an environment to allow participants to submit their in-development APIs to automated testing and access example implementations of the APIs.
The guidelines for the provisions contained in the Customer Experience Manual in Open Banking were also defined. By inserting Chapter VIII-A into the original text of Resolution 32, the Central Bank provided that the Open Banking Experience Manual contain the governing principles of customer experience in the process of requesting data and service sharing, as well as the requirements of the experience guide, including its content and outline, with a view to harmonising the steps of consent, authentication and confirmation among the participants.
The guide also includes the different possible use cases, including joint accounts of natural persons. The guide should be prepared, revised and updated from time to time by the Structure Responsible for the Governance of Open Banking and made available to participants and to the public, in its most up-to-date version, through the Open Banking portal.
In the same chapter on customer experience, Resolution 86 provided that the sharing of customer registration data, as well as of transactions related to prepaid and postpaid cash deposit and savings accounts (among others) jointly held by natural persons, must be accompanied by the guarantee that the recipient institution accesses only the registration data of the account holder responsible for the consent, and not the data of the other holders.
Finally, regarding the sharing of transactional data from the same joint account, the transmitting institution must do so with the consent of the holders who have access to the transactional information of the account. This preserves the privacy and secrecy of the information, depending on the interests of its many holders.
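Two of the Resolution 86 requirements described above lend themselves to mechanical checks: the transmitting institution must stamp shared data with the time of its last update and the time of sharing, with the admissible lag capped at five minutes for balances and transactions of deposit or payment accounts and one hour otherwise; and a joint account must not leak the other holders’ data. The Python below is an added illustration, not the Central Bank’s specification or any participant’s implementation. The account, its holders, the transactions and the timestamps are constructed, and the rule that transactional data of a joint account is released only once every holder with transactional access has consented is one reading of the text, marked as an assumption in the code.

```python
from datetime import datetime, timedelta, timezone

# Maximum admissible lag between the data available in the transmitter's own
# electronic channels and the data it shares, as stated in the text: five
# minutes for balances and transactions of deposit/payment accounts, one hour
# for other data.
MAX_LAG = {
    "balances": timedelta(minutes=5),
    "transactions": timedelta(minutes=5),
    "other": timedelta(hours=1),
}

def stamp(payload, last_updated_at, shared_at):
    """Transmitter side: attach the two timestamps the text says Resolution 86
    requires on shared registration and transaction data."""
    return {"data": payload,
            "meta": {"last_updated_at": last_updated_at.isoformat(),
                     "shared_at": shared_at.isoformat()}}

def within_lag(envelope, category):
    """Receiver side: is the shared data fresh enough for its category?"""
    meta = envelope["meta"]
    lag = (datetime.fromisoformat(meta["shared_at"])
           - datetime.fromisoformat(meta["last_updated_at"]))
    return timedelta(0) <= lag <= MAX_LAG.get(category, MAX_LAG["other"])

# Constructed joint account held by two natural persons. 'transactional_access'
# is an assumed field recording which holders can see the account's movements
# in the institution's own channels (hypothetical identifiers throughout).
JOINT_ACCOUNT = {
    "account_id": "acct-joint-7",
    "holders": {
        "cust-1": {"name": "Holder One (constructed)", "cpf": "000.000.000-01",
                   "transactional_access": True},
        "cust-2": {"name": "Holder Two (constructed)", "cpf": "000.000.000-02",
                   "transactional_access": True},
    },
    "transactions": [
        {"date": "2021-11-10", "amount": "-120.00", "counterparty": "Merchant A (constructed)"},
        {"date": "2021-11-11", "amount": "2500.00", "counterparty": "Employer B (constructed)"},
    ],
}

def registration_data_for(account, consenting_holder):
    """Only the consenting holder's registration data is released; the other
    holders' data never enters the response."""
    holder = account["holders"][consenting_holder]
    return {"account_id": account["account_id"],
            "holder": {"name": holder["name"], "cpf": holder["cpf"]}}

def transactional_data_for(account, consents):
    """Assumed reading of the joint-account rule: movements are released only
    when every holder with transactional access has consented. Returns None
    (shares nothing) while any such consent is missing."""
    required = {h for h, v in account["holders"].items() if v["transactional_access"]}
    if not required <= set(consents):
        return None
    return list(account["transactions"])

def demo():
    """Runs the checks on the constructed account; returns results for inspection."""
    now = datetime(2021, 11, 12, 10, 0, tzinfo=timezone.utc)
    fresh = stamp({"available": "1500.00"}, now - timedelta(minutes=3), now)
    stale = stamp({"available": "1500.00"}, now - timedelta(minutes=12), now)
    return {
        "fresh_balance_ok": within_lag(fresh, "balances"),
        "stale_balance_ok": within_lag(stale, "balances"),
        "stale_other_ok": within_lag(stale, "other"),
        "registration": registration_data_for(JOINT_ACCOUNT, "cust-1"),
        "tx_one_consent": transactional_data_for(JOINT_ACCOUNT, {"cust-1"}),
        "tx_both_consents": transactional_data_for(JOINT_ACCOUNT, {"cust-1", "cust-2"}),
    }
```

A receiving institution can apply within_lag to every response and treat a failure as a data-quality incident rather than silently acting on stale balances; the same twelve-minute-old record is acceptable under the one-hour limit for other data but not under the five-minute limit for balances. On the transmitter side, the joint-account restriction is a filter applied before the response is built, so the second holder’s registration data is never placed in the payload and the account’s movements are withheld until the required consents are all present.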
New versions of the Open Banking operating manuals
The publication of the NIs mentioned in the previous section made the regulatory definitions aimed at guiding the procedures for the Phase 3 of the Open Banking implementation process even more detailed. The NIs were dedicated to specific topics.
Following the provisions of Article 3 of Resolution BCB 32/20, the Central Bank established the details of operational requirements for the implementation of Open Banking, which should be included in the following manuals:
- the manual of scope of data and services;
- the API manual;
- the manual of services provided by the Structure Responsible for the Governance of Open Banking;
- the security manual; and
- the Open Banking customer experience manual.
API manual
NI 130 released version 3.0 of the API manual, incorporating, amending and enhancing the requirements of Phase 3 of Open Banking and other sections of the Open Banking API manual.
New ancillary definitions were introduced to be published by the Structure Responsible for the Governance of Open Banking on the Open Banking Portal, in the form of an API specification style guide, including definitions and recommendations for:
- the structure of uniform resource identifiers (URIs);
- hypertext transfer protocol (HTTP) headers;
- HTTP status codes;
- request and response body conventions;
- nomenclature conventions;
- common data types;
- paging; and
- change management stability.
Considering the intense use of terminology specific to the technology area in the environment of interaction between participants, NI 130 also provides definitions for commonly used expressions, namely:
- application programming interface (API): a set of definitions on how a system can access data or functionalities provided by another system;
- representational state transfer (REST): an architectural style for software;
- RESTful API: the API that adheres to the restrictions of the REST architectural style;
- OpenAPI: the RESTful API specification language;
- endpoint: element of an OpenAPI specification on which operations can be performed to access data or functionality;
- hypertext transfer protocol (HTTP): consisting of the protocol for hypermedia, distributed and collaborative systems; and
- operation: the element of an OpenAPI specification that declares a valid way to access an endpoint, informing, for example, which HTTP method (GET, POST, etc.) to use, parameter names and types, etc.
In addition to deepening aspects inherent to API specification elements, NI 130 retained the aspects of NI 95 relating to the specific functionalities of the Open Banking APIs, namely ‘consent’, ‘registration data’, ‘credit card’, ‘accounts’ and ‘credit operations’:
- the consent API should allow the creation, consultation and revocation of consents by clients and users;
- the registration data API will serve to allow access to data from customers and their representatives;
- the credit card API will provide access to post-paid payment account data;
- the accounts API will allow access to data on deposit, savings and prepaid accounts; and
- the credit operations API will allow access to operations such as loans, financing, advances to depositors and prepayment of receivables (discounted credit rights).
NI 130 also incorporated the functionality of the payment API, which will permit the creation of a payment consent mode, thus making an online initiation payment process possible within any digital purchase platform and the related follow-up by the consumer.
An equally relevant aspect concerns the maintenance of a list of changes to the APIs, the published versions of which must be listed on the Open Banking Portal (and the respective periods in which they were in production). Accordingly, the Open Banking governance structure should establish and publish the process it will adopt to manage changes to API specifications.
Finally, it is worth highlighting the inclusion of the obligation that all information for development, testing and entry into production of applications or APIs must be available in tutorials on the Open Banking Portal. Each of these tutorials should contemplate the steps for the complete development of the activity in question.
Open Banking: data scope and services manual
The Central Bank released version 4.0 of this manual in NI 184. Earlier, with version 2.0, the authorities had introduced changes to rules and requirements related to:
- sharing customer registration data; and
- transactional data related to demand deposit or savings accounts, prepaid or postpaid payment accounts and credit operations.
Version 3.0 of this manual was announced by NI 131 and introduced new rules concerning data for new alternative banking services and products, including Rural Financing and Real Estate Financing under the topic ‘Contracted Financing Type’. As for data related to payment services, it introduced the option for customers to use the Central Bank’s payment platform, PIX.
Version 4.0 of this manual included rules and requirements aimed at sharing data related to payment initiation services, foreign exchange operations, payment network acquirers’ accreditation process, term deposit accounts and other products related to investments, insurance, complementary pension fund products and retail capitalisation plans.
The new material adds detail to every point of mandatory compliance. In particular, the manual requires that the basic requirements regarding the registration data of customers and their representatives, whether individuals or legal entities, be observed. It highlights that the customer’s prior consent is required for the sharing of customer registration and transactional data, and that the sharing is bound to specified purposes and deadlines. Participants are also obliged to share customer registration data, provided there is prior consent and the specified purposes and term are observed. In relation to individuals, therefore, the following data are to be considered:
- identification through full name, Cadastro de Pessoas Físicas (CPF) number, residential address, means of contact, marital status and affiliation;
- qualification, upon indication of income frequency, its value and occupation; and
- relationship, by indicating the date of beginning of the relationship with the institution, types of products and services maintained, nature of the account and identification of the representative when applicable.
The following data must be included in relation to legal entities:
- identification through corporate name, its trading name, date of incorporation, Cadastro Nacional de Pessoas Jurídicas (CNPJ) number, address, means of contact, identification of the representative and their qualification (partner or manager);
- qualification through the main and secondary field of activity, frequency of billing and its value (with indication of its reference year); and
- relationship, by indicating the date of beginning of the relationship with the institution, types of products and services maintained, nature of the account and identification of the representative, when applicable.
For transactional data, the manual provides for the sharing of data from demand deposit or savings and prepaid payment accounts, namely:
- identification;
- available balance;
- types of transactions carried out on the account;
- amounts;
- dates;
- identification of payers and recipients; and
- their institutions.
Information regarding contracted limits in relation to overdraft and depositor advance operations should also be considered. For postpaid payment accounts, the new version of the manual requires sharing of:
- account types;
- total credit limits associated with credit cards;
- limits by type of transaction associated with credit cards;
- transactions carried out; and
- payment of invoices.
Finally, regarding credit operations, information identifying the contract must be considered, by indicating:
- the types of credit contracted (if financing, loans, discounted credit rights or advances);
- dates and amounts contracted;
- total effective cost (Custo Efetivo Total, ‘CET’);
- amortisation system used;
- the CNPJ of the consigning entity, when applicable; and
- information on fees, charges, remunerative interest rates and guarantees.
The customer experience manual
The Central Bank introduced this manual of mandatory compliance in NI 97, which was subsequently altered by NI 132 and NI 178. It aims to ensure that customers’ experience of data sharing with and among Open Banking participants is safe, agile, accurate and convenient. It defines basic principles on the subject, in addition to the regulations in force, to ensure the reliability of the entire sharing system.
Security, privacy, agility, convenience, control and transparency are established as the core principles of the sharing experience.
In its version 2.0, this manual considered adjustments to topics related to (1) mandatory inclusion of reference to the purposes for the sharing of customers’ optional data; (2) enhancement of the rules regarding the redirection of customers among participating institutions; and (3) inclusion of a specific phase in the enrolment process to allow customers to request their participation in the data sharing process, including for the payment initiation process.
Security and privacy
The sharing environment must use security measures that guarantee the privacy of customers’ personal data and comply with personal data protection legislation.
Agility
Sharing must be completed within a period compatible with the level of complexity and its objectives, ensuring the necessary means for the customer’s free choice and informed decision.
Convenience and control
Sharing must be carried out to meet specific purposes, and in a convenient and accessible manner to the customer. This includes access channels to participating institutions, with the customer being guaranteed control of their own personal data when shared in the Open Banking environment.
The convenience aspect becomes even clearer when considering the manual’s determination that the centre of the sharing journey is the client, not any participating institution. The client must be assured of the adequacy of the entire process for:
- their profile;
- their needs and expectations regarding products and services;
- the availability of information; and
- conditions for exercising their prerogative of granting or revoking consent.
Transparency
Customers must have clear and precise information at their disposal, with objectivity and suitability for certain purposes when sharing data. Customers must be informed, through simple and understandable language, about the data that will be shared and the reasons that justify the fulfillment of the intended purposes. This must be done in a clear and timely way, and in enough volume for their decision making.
The new manual also provides for the preparation and availability of the Customer Experience Guide to participating institutions and the general public, through publication on the Open Banking Portal. This will bring together procedures and requirements to be observed by all institutions when interacting with customers.
The structuring of the Customer Experience Guide should be cohesive and clear, containing illustrative examples of the stages of the journey. Its provisions should be expressed in the form of requirements (with mandatory compliance provisions) and recommendations that, while not mandatory, are in line with best practices for the customer experience.
The Customer Experience Guide must present a minimum level of content that provides for the flow of the steps of the simple journey and the multiple sharing journey, including:
- the identification of the customer;
- indication of the purposes related to consent;
- the selection of data to be shared;
- the selection of the term of sharing;
- the selection of the transmitting institution; and
- the redirection to the environment of the transmitting institution.
In addition, the Guide must include:
- the authentication of the client at the transmitting institution;
- the confirmation of sharing by the client at the same institution;
- information on the consent management environment; and
- the terminology used by the institutions throughout both types of journey.
Manual of services provided by the Structure Responsible for the Governance of Open Banking
This manual was published in NI 98 and updated by NI 133, which launched version 2.1. Its importance lies in the establishment of the technical requirements for the infrastructure that allows Open Banking to operate. Version 2.1 introduced the Dispute Resolution Platform, whose service level agreement must provide for, at a minimum, 24/7 operation, 95 per cent availability in every 24-hour period and 99.5 per cent availability in every three-month period.
First up is the participant directory, in which the system's critical functionalities are gathered, such as the management of participant credentials and the monitoring of APIs.
The maintenance access and support channels to the directory, forwarding demands to the participants, and the availability of information through the Open Banking Portal, are also highlighted, to aid communication between participants and the general public.
Another important function among the services to be provided by the Structure Responsible for the Governance of Open Banking is the provision of a testing environment for APIs under a temporary regulatory flexibility regime (a sandbox) to support innovations promoted by the participating institutions.
Nevertheless, the natural evolution of services provided will inevitably reflect the evolution of Open Banking. Therefore, this manual will be regularly revised and updated.
The participant directory
This is the environment and repository for formalising the participation of an institution in Open Banking, allowing it to share data and information, initiate payment transactions and submit credit operation proposals through the APIs.
In the directory environment, participants will be able to perform activities such as identity and access management, application identity and authorisation management, and directory information management.
The API conformance and registration tests were introduced to the manual by NI 98. They verify the compliance of each participant's APIs, covering functional and non-functional aspects, such as assessing the adherence of the implementation to the specifications and its compliance with the security requirements.
The Governance Structure will certify the results of the compliance tests; such certification will be considered a precedent condition for registering the API implementation in the directory's production environment.
The manual also establishes the minimum content of the directory's service level agreements, as well as performance and availability monitoring standards for storing and making available statistical data on Open Banking performance.
Two other topics are also dealt with in the manual: the Service Desk environment and the Open Banking Portal. The former will centralise the requests and maintenance of technical support tickets related to the directory, the APIs, data and services shared among the participants.
Regarding the Portal, the Manual provides guidelines covering accessibility, language and timeliness, security, confidentiality and data protection, in addition to contemplating three areas of interaction:
- the developer area, containing technical specifications related to various topics connected to the Open Banking operation infrastructure;
- the citizen area, containing information aimed at improving the customer experience; and
- the participant area, with information focused on topics of interest to the participating institutions.
The Open Banking security manual
Finally, the Central Bank published version 2.0 of the Security Manual in NI 99; it was subsequently updated to version 3.0 by NI 134.
NI 99 introduced elements and technical measures to guarantee the operation of Open Banking, through:
- ensuring the sharing of data on service channels and on products and services related to:
– demand deposit and savings accounts;
– prepaid and postpaid accounts; and
– credit operations; and
- ensuring the sharing of customer registration and transactional data relating to the same products and services.
This version of the manual updates provisions about the governance structures that participants must maintain regarding the compliance of their practices and procedures with the legislation and normative acts that underpin Open Banking operation infrastructure.
The provisions on protection were also revised and expanded in relation to several relevant technical aspects, such as:
- logical segregation of systems and APIs within the operating environment of each participating institution;
- implementation of encryption in communication with publicly exposed APIs; and
- deactivation of the TLS session resumption and TLS renegotiation functionalities.
Communication with APIs and the signing of messages must use a valid digital certificate issued by a certificate authority that is part of the ICP-Brasil public key infrastructure, including mechanisms for the protection of communication channels and for the signing or encryption of messages exchanged between APIs.
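As an added illustration for this article, not code from the Central Bank manuals or from any participating institution, the Python script below expresses the controls listed above with the standard `ssl` module: TLS on the exposed API, session resumption and renegotiation switched off, and a client certificate required from every caller (mutual TLS). A default server context is built beside the hardened one and both are audited against the same checklist. The file paths and the idea of an ICP-Brasil CA bundle on disk are placeholders (assumptions); message signing between APIs is outside this block.

```python
"""Hardened TLS server context for a publicly exposed Open Banking API.

Added example for this article; it is not code from the Central Bank manuals
or from any participant. It expresses, with Python's standard `ssl` module,
the controls listed in the security manual (TLS on exposed APIs, session
resumption and renegotiation disabled, client certificates required) and
audits a context for them. File paths are placeholders (assumptions).
"""
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Placeholder paths (assumptions, not from the manual): the participant's own
# certificate chain and key, and a CA bundle for the ICP-Brasil chain that
# issued the other participants' client certificates.
SERVER_CHAIN = "/etc/openbanking/server-chain.pem"
SERVER_KEY = "/etc/openbanking/server.key"
ICP_BRASIL_CA_BUNDLE = "/etc/openbanking/icp-brasil-ca-bundle.pem"

# OP_NO_RENEGOTIATION exists on Python 3.7+ built against OpenSSL 1.1.0h+;
# on older builds it is absent and renegotiation cannot be switched off here.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def weak_server_context() -> ssl.SSLContext:
    """Library defaults: TLS is on, but session tickets stay enabled,
    TLS 1.2 renegotiation stays enabled and no client certificate is requested."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(
    ca_bundle: Optional[str] = None,
    certfile: Optional[str] = None,
    keyfile: Optional[str] = None,
) -> ssl.SSLContext:
    """Server context matching the manual's controls. Files are loaded only
    when paths are given, so the function can be exercised without them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1
    # Session resumption off: no stateless tickets (TLS 1.2) and zero TLS 1.3
    # tickets. The TLS 1.2 server-side session-ID cache is not exposed by the
    # ssl module and has to be disabled in the proxy or OpenSSL configuration.
    ctx.options |= ssl.OP_NO_TICKET
    ctx.num_tickets = 0
    # Renegotiation off (TLS 1.3 has no renegotiation at all).
    ctx.options |= OP_NO_RENEGOTIATION
    # Mutual TLS: every caller must present a certificate chaining to the bundle.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


@dataclass(frozen=True)
class TlsFindings:
    """Result of auditing a server context against the listed controls."""
    min_tls12: bool
    tickets_disabled: bool
    renegotiation_disabled: bool
    client_cert_required: bool

    def compliant(self) -> bool:
        return all((self.min_tls12, self.tickets_disabled,
                    self.renegotiation_disabled, self.client_cert_required))

    def gaps(self) -> List[str]:
        """Names of the controls that are not in place."""
        return [name for name, ok in vars(self).items() if not ok]


def audit_context(ctx: ssl.SSLContext) -> TlsFindings:
    """Read the effective settings back from the context object itself."""
    return TlsFindings(
        min_tls12=ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        tickets_disabled=bool(ctx.options & ssl.OP_NO_TICKET) and ctx.num_tickets == 0,
        renegotiation_disabled=bool(OP_NO_RENEGOTIATION)
        and bool(ctx.options & OP_NO_RENEGOTIATION),
        client_cert_required=ctx.verify_mode == ssl.CERT_REQUIRED,
    )


if __name__ == "__main__":
    for label, ctx in (("default", weak_server_context()),
                       ("hardened", hardened_server_context())):
        findings = audit_context(ctx)
        print(f"{label}: compliant={findings.compliant()} gaps={findings.gaps()}")
```

The audit reads the settings back from the context rather than trusting the builder, which is the check a reviewer would run against a participant's actual server code. With real paths passed to `hardened_server_context`, the context is ready for `ssl.SSLSocket` or any framework that accepts an `SSLContext`; the signing of messages with the same ICP-Brasil certificate is a separate layer not shown here.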
New wording has been introduced regarding the criteria for:
- detecting interactions in the Open Banking environment so that audit trails can be deepened;
- the reaction of participating institutions to cyber risks; and
- dealing with incidents in progress by blocking access to the APIs, in line with each institution's cybersecurity policy.
Finally, NI 99 promoted the addition of a topic specifically focused on security issues pertaining to the Structure Responsible for Governance of Open Banking. The Governance Structure must observe basic requirements on this topic, such as:
- requiring multiple factor authentication before granting access to restricted areas of the participant directory; and
- implementing and maintaining a cybersecurity policy, whose principles and guidelines should be conducive to the confidentiality, integrity and availability of data and information systems.
The continuous update of all these operational manuals, establishing specific technical requirements and operational procedures for each function, constitutes another key step in the process of implementing the Open Banking experience in the Brazilian market.
The Central Bank continues to establish the regulatory assumptions under which the market is being adjusted, little by little, according to the growing performance of agents. This will shape the scenarios of deep and extensive changes to the financial sector that will come to pass with the advent of Open Banking in the country.
[1] Before the issuance of Joint Resolution No 1 and Circular BC No 4.015, the Central Bank issued, on 24 April 2019, Notice No 33.455 contemplating an initial and structural view of what was then called the Open Financial System, in these terms: ‘Open Banking, in the view of the Central Bank of Brazil, is considered the sharing of data, products and services by financial institutions and other authorized institutions, through the opening and integration of information system platforms and infrastructures, in a secure, agile and convenient manner.’