On July 3 of this year, the Financial Market Commission (hereinafter the “CMF”) issued General Regulation No. 514 (hereinafter the “NCG” or the “Regulation”), which regulates the Open Finance System (hereinafter the “SFA”) referred to in Title III of Law No. 21,521 (hereinafter the “Fintec Law”).
The standard is structured in different sections, among which we highlight:
1. SFA perimeter.
In accordance with Articles 18, 19 and 20 of the Fintec Law, the NCG establishes as participants of the SFA those entities that qualify as: i)Information Provider Institutions (IPI); ii) Account Provider Institutions (IPC); iii) Payment Initiation Service Providers (PSIP); and, iv) Payment Initiation Service Providers (PSIP).
The Regulation stipulates that each entity must adopt measures to allow consultation, access, delivery and secure and expeditious exchange of financial information related to its clients and the financial products or services they have contracted. Accordingly, and in order to have clarity with whom to request such information, the CMF will create different lists and registries in which such entities must register and/or register according to the type of role they fulfill in the SFA, among which are the List of Information Provider Institutions and Account Providers (IPI List and IPC List), the List of Information-Based Service Providers (PSBI List), and the List of Payment Initiation Service Providers (PSIP List).
2. Operation of the SFA.
For the operation of the SFA, the NCG establishes that the exchange of information will be through Application Programming Interfaces (APIs), which must comply with the standards and technical specifications established in the Regulation and, in turn, will be required to allow the sending of the SFA data requested by the PSBI and PSIP to the IPI and IPC.
In this context, the audited entities will be obliged to use exclusively such APIs, unless the CMF provides otherwise, allowing the use of an alternative regulated mechanism. Likewise, although the development and maintenance of the APIs may be delegated to third parties, the entity participating in the SFA will be solely responsible to the CMF for their operation. However, the exchange of information between SFA participants will always be done bilaterally, regardless of whether services are outsourced.
3. SFA security and safeguards.
In the area of security and safeguards, the NCG establishes principles of risk management and internal control that the SFA’s participating entities must comply with, establishing as main axes: i) The responsibility of the Board of Directors; ii) The risk management function as the body responsible for monitoring the controls defined in the applicable policies and procedures; iii) The risk management plan; iv) Operational risk; and, v) Outsourcing of services.
Through this set of guidelines, the CMF seeks to ensure that the SFA’s participating entities implement effective risk management and internal control practices, with direct supervision by the Board of Directors and adapted to the specific needs of each entity according to its role in the system.
4. SFA information.
The Regulation organizes the information to be shared in the SFA into different categories, which are: i) Terms, conditions and service channels; ii) Identification and registration; iii) Contracted commercial conditions and use or transaction history; and, iv) Initiation of payments.
Likewise, Annex 1 of the NGC details the data that must be provided and shared, specifying the entities required to provide such information in the SFA and who can access it.
5. Implementation of the NCG.
Finally, regarding its implementation, the NCG establishes a gradual process whose terms will depend on the type of entity to which the regulation applies and the type or category of data to be shared. Notwithstanding the above, the initial term established for the entry into force of the regulation will be 24 months from its enactment, i.e., July 4, 2026, a term granted for the technological preparation and development of the necessary tasks by the participating entities and the CMF.
For any question related to this topic, please contact Javier Edwards and Raúl Aranda Smith.
Ontier LLP is authorised and regulated by the Solicitors Regulation Authority, registration number OC327289.
