Brazil: New open banking rules
In line with global trends, the Central Bank of Brazil (‘the Central Bank’) and the National Monetary Council (‘the Monetary Council’) issued, on 4 May 2020, Resolution 1 of 4 May 2020 and Circular No. 4.015 of 4 May 2020 (‘the Resolutions’), which set forth the schedule and the relevant rules for the implementation of open banking in Brazil.
Generally speaking, open banking can be defined as the sharing of products, services, and data by financial and other licensed institutions through the integration of their platforms and information-system infrastructure by means of standardised application programming interfaces (‘APIs’), in order to promote a safer, more efficient, and decentralised environment.
Today, the banking industry faces many obstacles in delivering innovative and straight-to-the-point solutions, since a financial institution has no secure way to access a customer’s financial data held by another financial institution.
However, with the implementation of open banking, at the customer’s discretion, financial institutions will be allowed to process personal and transactional data held by another financial institution, which benefits the market by promoting competition and providing more comfort and convenience to individuals. With a phased implementation approach, it is expected that by October 2021 the Brazilian financial market will have concluded the steps towards an interoperable and customer-centric ecosystem.
Since one of the main aspects of open banking is the sharing of personal data between financial institutions, it is inevitable to draw a parallel with Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’), which is not yet fully in force (the date of its coming into force is still under debate in Congress, although an Executive Order from the President, which may not be definitive, postponed the effectiveness of the LGPD until 3 May 2021).
In this sense, the recent regulation issued by the Central Bank and the Monetary Council establishes consent as the sole lawful basis for data transfers within the scope of open banking. Information that may be transferred upon a customer’s request or consent includes:
- the most updated data directly collected from customers plus those collected from public or private databases, except for sensitive data, credit scores and ratings, and login and access credentials; and
- data related to services used by the customer, with transactional and related registered information.
The consent that enables such data transfers is regulated in detail by these new rules and cannot be obtained:
- through a subscription contract;
- by any sort of forms with pre-checked consent boxes; or
- in a presumed way (without an active expression of will by the customer).
In other words, the Resolutions set out a highly regulated and detailed data portability right for the benefit of customers of the main banking institutions in Brazil. Considering large-scale services, the establishment of open banking in Brazil is the second example of data portability applied widely in order to facilitate migration between service providers, the first being the implementation of phone number portability between telecom companies in 2007 by the National Telecommunications Agency.
There is no doubt regarding the benefits of implementing open banking in terms of promoting competition and empowering customer choice. On the other hand, considering the severe damage a data breach may cause when customers’ financial information is involved, data security is a point of serious concern. Taking the European experience as an example, studies show that less than a month before the deadline, none of the APIs were compliant with the requirements and obligations of the Payment Services Directive ((EU) 2015/2366) (‘PSD2’). Therefore, although information security in the banking context is highly regulated by the Central Bank and is usually a strong point of the Brazilian banking system, the European experience shows that ensuring high security standards for the essential APIs may be a complex duty, and the tension this exposes between security and portability is not new.
Last but not least, the implementation of open banking should be celebrated by privacy professionals in Brazil. The right of data portability is in fact provided for by the LGPD (Article 18(V)), but it cannot be fully effective without proper regulation, as it tends to become merely a ‘right of access 2.0’ if no regulated standards are defined. Considering that the Brazilian data protection authority (‘ANPD’) has not yet been established (despite the fact that the part of the LGPD providing for its creation is already in force, and that its guidelines and complementary regulation should have been issued during the readiness period), the initiative of the Central Bank and the Monetary Council is remarkable and should guide other government-regulated and self-regulated sectors in Brazil.
The right of data portability is key for an open society, although making it effective is complex, since it depends on sector-specific arrangements that should not be limited to telecom and banking services. In the absence of the ANPD, companies and regulators should follow the example of the Central Bank and the Monetary Council and move forward in making data portability feasible in a modern and secure way, as the information society demands.
Article published on OneTrust DataGuidance.