On April 15, the Financial Market Commission (CMF) began a public consultation process for the regulations that will regulate the Open Finance System (SFA) established by Law No. 21,521, Fintech Law, of 2023. This process will last until next May 15.
The proposed regulation aims to establish the regulatory framework to participate in the OSS, and establishes risk management obligations and operating standards for system participants, in order to safeguard the information of people who consent to share their data to access to new financial services or products. The entry into force and enforceability of the new regulations will begin 18 months after their issuance.
The text published by the CMF is organized in the following sections:
1. Section I. It identifies all the entities participating in the SFA and establishes the requirements that must be met to participate in the system:
-
Registry of Information-Based Service Providers. It is a voluntary registration for service providers that intend to participate in the SFA, reserved for legal entities incorporated under the laws of Chile and domiciled within Chilean territory. Exceptionally, foreign entities may participate as long as they have established an agency in Chile prior to the application.
-
Registration of Payment Initiation Service Providers. Entities that intend to provide services consisting of instructing on behalf of a client before an Account Provider Institution (IPC) the execution of payment orders or electronic transfers, including recurring payments, may register in this registry.
-
List of Information Providers and Account Providerss. All entities considered as Information Provider Institution (IPI) and IPC in accordance with the Fintech Law, must present the background information that allows them to be incorporated and enabled in the lists of entities called “IPI Payroll” for the provision of information and “Payroll IPC” on payment orders or electronic transfers.
-
List of Information Based Service Providers. Entities that qualify as IPI and those registered in the Registry of Financial Services Providers may voluntarily participate in the SFA as an Information-Based Service Provider (PSBI). To do this, these entities must request their voluntary incorporation into the “PSBI Payroll”. The Fintech Law considers PSBI to be entities authorized to participate in the SFA in order to consult, access and receive data for the purposes of providing services to their clients.
2. Section II. System Operation. It is established that the mechanism for data exchange within the OSS will be the APIs (Application Programming Interfaces). Likewise, the basic standards applicable to APIs and other technical requirements that they must meet are defined.
3. Section III. Security and System Safeguards. Regulates the requirements that participating entities must observe in relation to risk management and internal control, cybersecurity, incident reporting, operations and elements for business continuity.
4. Section IV. System information. Establishes the SFA data that may be exchanged according to defined categories of information, under conditions of availability, validity, updating and means of exchange. Likewise, the obligations of the participating entities are established in relation to the safeguarding of the data involved in each transaction, especially the protection of clients’ personal data.
5. Section V. Other provisions. Temporary suspension measures, sanctions and deadlines for implementation and validity of the standard are regulated.
According to the CMF proposal, the SFA will have an implementation period divided into two stages. The first will be 18 months, and its purpose will be the technological preparation and the development of the tasks that correspond to the participating entities and the CMF. This period will allow the development of the technical aspects of the OSS through the so-called Open Finance Consultative Forum, and begins with the publication of the final standard.
The second stage establishes implementation deadlines according to the different types of APIs that range from 6 to 36 months, depending on whether they are banks, credit card issuers, and payment card issuers; or payment card operators, savings and credit cooperatives, managing agents of endorsable mortgage mutual funds and insurance companies, general fund administrators, stockbrokers, entities registered in the Registry of Financial Services Providers, etc.
