Brazil is moving ahead with open banking regulations, meaning that a critical focus for banks in the coming months will be obtaining data-use consent.
Financial institutions will need to take into account new rules stipulating that data belongs to individuals, says Maristela Martins, country manager for Brazil at Backbase. That means that client journeys will need to include explicit, simple, quick and secure consent agreements.
“Building the consent journey should be the main point to be addressed by companies,” Martins told iupana.
After lengthy discussions, the Brazilian Central Bank and the National Monetary Council set out open banking regulations earlier this month. The data-sharing framework aims to foster financial inclusion, drive competition in financial services and increase security.
“It’s a substantial and, above all, paradigmatic change,” says Marcelo Chiavassa, professor of digital law at Universidade Presbiteriana Mackenzie Campinas. “The premise is that the personal data held by banks and other financial institutions do not belong to them, but to the respective holders, customers.”
The rules will be phased in over the course of a year, starting from November.
Brazilian GDPR delayed as Open Banking advances
Brazilian open banking rules are aligned with the country’s General Data Protection Regulations (LGPD, in Portuguese), and based on the premise that financial consumers own their personal data. However, the open banking advance closely followed a major delay to implementation of LGPD – from August to May 2021 – due to the Covid-19 pandemic.
“For now, we can say that the LGPD has been temporarily extended,” said Chiavassa, adding that the postponement came through a provisional measure that could be reversed by congress.
“Obviously, it would be better if it came into force in August 2020, as this would bring more security to society and a qualitatively superior instruction with regard to privacy and personal data protection,” Chiavassa said.
However, the open banking regulations are seen as effective and complete when it comes to privacy and protection of personal data – and compatible with the spirit, principles and premise (self-determination) of the LGPD.
Companies regulated by the Brazilian Central Bank (BCB) must comply with both regulations: the LGPD as a general rule, and the Central Bank’s regulation specifically for data shared with other institutions with authorization from the holder.
“If there’s any incompatibility between the BCB and LGPD rules, the LGPD must be respected, in view of the hierarchy of rules,” Chiavassa noted.