Open Banking and Data Protection

Gabriela de Ávila Machado
Lawyer at Marcos Martins Advogados

Open banking, also known as “open bank data”, is the banking practice whereby financial institutions open up access to consumers’ banking, transaction and other financial data through application programming interfaces (APIs). Through open banking, financial institutions will give access to consumers’ personal and financial data, with their consent, to third-party service providers – usually fintechs.

The purpose of Open Banking is to decentralize financial information, which is currently held by the major operators. As a result, consumers will be able to choose the solution they want to use. Another advantage for consumers is the possibility of portability. With open banking, consumers who decide to change institutions will not lose their financial history.

According to experts, Open Banking will force big banks to be more competitive with smaller, newer banks, which will result in less abusive fees and lower costs for consumers, not to mention improved customer service and technology. In addition, credit providers would also have a more detailed idea of the applicant’s credit profile.

In Europe, the PSD2 (revised Payment Services Directive) is the regulation governing Open Banking and the deadline for implementing the Open Banking model was September 2019 – so European financial institutions should already be operating in compliance.

The Brazilian version went through a public hearing in November 2019 and Joint Resolution 01/2020, which provides for the scope of data and services of the Open Financial System (Open Banking), was published on May 4, 2020. Circular No. 4,015 was also published together with the Resolution.

The Resolution obliges large and medium-sized banks (classified as S1 and S2) to participate in the System, while fintechs, among other institutions, will be able to choose, and also determines that the System should be implemented in four phases with an end date of October 2021.

The first phase, starting on November 30, 2020, involves the disclosure by participants of the products and services offered. The Central Bank’s Director of Regulation explains that with information on the costs and prices of products and services, third parties will be able to use the information to offer advice to clients.

In the second phase, scheduled to end in May 2021, participants will have to open up their clients’ registration data and financial transactions. The aim of this phase is to expand the range of products and services offered to clients. The third-party agent, armed with this information, will be able to offer personalized financial products to each client.

The third phase, scheduled to end in August 2021, involves signing up to the services and starting transactions.

The fourth phase, finally, will see the expansion of data and services made available, such as investments, insurance, among others.

The promises of Open Banking are endless, but to what extent are they advantageous for consumers?

As we can imagine, open banking poses serious risks to consumers’ financial privacy and the security of their finances, and this also brings a risk of liability for financial institutions.

Even with the effective date of the General Data Protection Law (Law No. 13.709/2018 – “LGPD”) still open, pending approval of MP 959/2020 and Bill No. 1179/2020, we cannot leave the protection of personal data aside.

In this sense, the protection of privacy was provided for by the Central Bank when developing the standard. According to the agency, among the fundamental requirements for the implementation of Open Banking is the consent of the data subject, which is also one of the legal bases for the processing of personal data provided for in the LGPD.

It is important, however, to note that consent, according to article 5 of the LGPD, is the “free, informed and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose”. Thus, as the regulators have determined in the UK, consent by customers should only be valid if it is based on complete information about the processing of their data.

Even with consent, the question remains as to how the data made available on these unified platforms will be protected. There is concern about the technology that will be used to keep information safe from attackers.

The Central Bank itself has stated that open banking participants should propose “technological standards for interfaces and security certificates, standardization of data layout, channels for forwarding complaints and resolving disputes, and compensation amounts”[1].

In this sense, the LGPD determines that the technology used for protection must comply with certain security rules (such as ISO 27001). Banks and the providers of the APIs must have security measures in place to encrypt and protect confidential information.

Finally, we also have to think about the international transfer of data. We can’t talk about banking transactions without addressing this issue.

The LGPD only allows the transfer of personal data to countries that have an adequate level of data protection (art. 33, I). This is a very important issue that still depends on the National Data Protection Agency for further clarification.

Questions? Talk to our lawyers and get guidance.



[1] Director of the Central Bank explains how Open Banking regulation and self-regulation work. Fintechlab, 2020. Available at https://fintechlab.com.br/index.php/2020/05/25/diretor-do-bc-explica-funcionamento-da-regulacao-e-autorregulacao-do-open-banking/. Accessed on: May 27, 2020.
