Central Bank of Brazil adds data protection to Open Banking rules

The Central Bank of Brazil has modified the country's Open Banking framework to add information relating to rights and procedures around consumer data protection.

Through use of open application programming interfaces (APIs), the Open Baking model enables third-party developers to build applications and services around the participating financial institutions, with consumer data shared with their consent.

With the new resolution released by the Central Bank of Brazil last Wednesday (14), five articles of the Open Banking rules in the country have been changed and relate to aspects such as account holder data sharing consent and greater control around updates to data that has been shared.

Among the amendments, institutions participating in the Open Banking model will have to, for the purposes of sharing data on the registration of customers and transactions, the data transmitting institution must inform the date and time of the last update of the shared data, as well as the date and time when data sharing took place.

New sections have also been added, in relation to areas such as customer experience (CX). A manual on the subject of CX has been published, outlining requisites around the harmonization of the stages around consent, authentication and confirmation between the Open Banking participants. Another addition includes the creation of an API testing environment.

The Open Banking model in Brazil has been introduced in February 2021 under a phased approach. The first phase was introduced that month, with companies opening data on their service channels and the characteristics of banking products and services through open APIs, with no sharing of data on customer registration or transactional activity.

Under the next phase, which starts in July, participants will start sharing customer data, with their consent. This will be followed by the third phase, which kicks off in August, where consumers will be able to pay bills and make money transfers outside their bank's environment. The final phase is forecast for December, and will see the scope widening to areas such as foreign exchange services, investments, insurance and salary accounts.

Brazil's data protection regulations were introduced in September 2020, after nearly a month of uncertainty over the actual go-live date of the rules. The board members of the National Data Protection Authority (ANPD), the body responsible for enforcing the regulations, the, were appointed in late October. ANPD released its initial strategy in February 2021.