Background 

This document is a reply to the proposed modification of the decree 2555 (2010) published by the URF as part of their consultation. 

In writing this document, we have used the Open Banking Exchange methodology which is designed to compare open finance implementations across the globe. The comments below reflect our findings against this methodology and are not necessarily criticisms of the position taken within the draft decree. 

Key Findings 

The proposed decree allows financial institutions to develop new services within a legal framework. This is very positive from the perspective of allowing innovation. The draft decree does not require financial institutions to develop these services, nor to grant access to fintechs. 

This position is a good first step to unlocking an open data economy, but it does not go as far as other markets to catalyse the transition, for example it does not mandate APIs as a secure, scalable mechanism for exchanging data in a structured and secure way.  

The decree provides a progressive approach, giving time for individual institutions to evaluate the new technologies and business models – which is appreciated by the financial institutions, while fintechs find that it does not go far enough. 

• The lack of a scheme or any standards (including any mention of APIs or API standards) is a gap that we feel will need to be addressed in the future.  
• It would be useful if the decree signalled that this is first step in a longer evolution. 

Recommendations 

• Recognise that future iterations will need an increased focus on schemes or standards (including any mention of APIs or API standards).  
• A future decree could increase the scope of services offered (e.g. opening accounts, subscribing to loans). 
• Clarify the position on screen scraping within the decree (it is not forbidden for data). 
• Make a clearer link to the technical document. 

Specific Comments 

Clarity: The draft decree is clear; our working groups suggest that different market players understand the decree in the same way.  

Consumer protection and data privacy: The decree gives a very clear framework that puts the consumer in control of their data. 

Scope of services: As the decree applies to all financial institutions regulated by the decree 2555 (2010), which includes insurance companies and pension funds, it offers a broad definition of open finance compared with some other countries. Concerning the types of service, the decree talks about payment initiation and data sharing. It does not mention opening accounts, subscribing to services, or changing data as we see in some other countries.  

Clarity around existing screen scraping: We held a number of discussions with market participants about whether the decree prevents (unrestricted) screen scraping that exists today. In the case of data services, in our opinion it does not, as it allows financial institutions to commercialise data but does not appear to forbid other practices. For payments however, it does appear to be banned, although this would not have a significant effect on the market at the moment. If this is the position of the URF, it would be beneficial to clarify it. 

Voluntary & chargeable nature of access: The decree makes it clear that financial institutions are free to “commercialise” data (i.e. offer access to data), and that they can charge for doing so. This may disappoint fintechs, who could hope for mandatory and free access as seen in some other countries. 

The decree also appears to allow the continuation of screen scraping (which de facto happens with no payment to the financial institution). This may disappoint financial institutions, who could hope for a ban on screen scraping. 

Taken together, while this does not provide a final outcome, it does provide both fintechs and financial institutions with an incentive to collaborate, discuss and work together. 

Lack of infrastructure: The decree does not give any guidance as to how these new services should be delivered. While this helps innovation of individual market participants, it will restrict growth of services in the medium term. It is striking that the term API is not used. Most countries that are implementing open finance have put in place some or all of the following: 

• A scheme governance body, to oversee development. 
• Scheme standards, to avoid fragmentation and provide consumers with harmonised services. 
• Scheme infrastructure, to facilitate the consistent and secure rollout of open banking. 

This is not necessarily a criticism of the draft decree, but it is something to be aware of. 

No link to technical document: We were initially surprised that there was no link to the technical document (i.e. the decree does not mandate the methodology in the technical document), but subsequently understood that the draft decree is consciously not telling the market how to innovate or what standards to use. We imagine that in a second step, the technical document will be refined and brought into future regulation.