In response to the digitalization of the economy and the growing use of emerging technologies, the SFC seeks, through the External Circular Project, to consolidate an architecture for the development of open finance in Colombia, under conditions of security, interoperability, and transparency.

The Bill of Circular would also authorize supervised entities to commercialize the technology and digital infrastructure they use to provide their services, such as equipment, facilities, and digital technologies (e.g., hardware and software system).

In this regard, the SFC aims to set rules to:

• Define technological and security standards to be adopted by supervised entities within the ecosystems of open finance, such as implementing application programming interface (APIs) to handle data access requests submitted by third-party data receivers.
  
  These APIs must comply with minimum standards in terms of architecture and data management, such as: execute data exchange in JSON format and comply with the REST framework.


• Establish the obligations that supervised entities must comply for the processing of financial consumer data, complying with all the rules related to data protection and habeas data set forth in Laws 1266 of 2008 and 1581 of 2012 or other rules that may modify, substitute or add to such laws.


• Disclosure of minimum information to financial consumers within the ecosystems of open finance.


• Define rules for the linking of third parties' recipients of financial consumer data (TTPs). Considering that supervised entities will be linked with third parties not supervised by the SFC in order to share information, minimum requirements will be set for this linkage, such as:

1. To be incorporated as a legal entity in Colombia.
2. Have policies and procedures for data processing.
3. Mechanisms to mitigate cybersecurity risks and failures in infrastructure, technology and systems.

• Define the guidelines that supervised entities must comply to commercialize their technology and digital infrastructure, such as prior assessment of the risks associated with such commercialization and define safeguards to cover the risk of default on obligations under such agreements.

Bearing in mind that these rules may promote and/or affect the development of new products and/or services, we invite our colleagues and customers to review the bill of External Circular and submit comments to the SFC. 

Deadline for comments: May 31st, 2023.