On April 14, the Central Bank of Brazil advanced the process of regulatory definition aimed at guiding the implementation procedures of the Open Financial System in Brazil (the Brazilian Open Banking system), by issuing five Normative Instructions (“INs”) dedicated to specific topics.
Following the provisions of article 3 of Resolution BCB 32/20, the Central Bank established, through the referred INs, the details of operational requirements for the implementation of Open Banking, which shall be included in the following manuals: (i) manual of scope of data and services; (ii) API manual; (iii) manual of services provide by the Structure Responsible for the Governance of Open Banking; (iv) security manual; and (v) manual of client experience in Open Banking.
MANUAL OF APIs. In this step, Normative Instruction No. 95 (“IN 95”) issues version 2.0 of the manual of APIs, incorporating, modifying and improving the requirements of the Phase 2 of Open Banking and other sections of the manual of APIs of Open Banking.
Thereby, new accessory definitions were introduced, which shall be published by the Structure Responsible for the Governance of Open Banking, on the Open Banking Portal, in the form of an API specifications style guide, containing definitions and recommendations for:
- Structure of Uniform Resource Identifiers (URIs);
- HTTP headers;
- HTTP status codes;
- Conventions on body of requests and responses;
- Nomenclature conventions;
- Types of common data;
- Pagination; and
- Stability of change management.
Moreover, considering the intense use of terminology specific to the technology area in the interaction environment among the participants, IN 95 provides definitions for commonly used expressions, namely:
- API (Application Programming Interface): consisting of a set of definitions about how a system can access data or features provided by another system;
- REST (Representational State Transfer): designates the architectural style of software;
- RESTful API: an API that adheres to the restrictions of the REST architectural style;
- OpenAPI: the specification language of RESTful APIs;
- Endpoint: element of an OpenAPI specification on which operations can be executed to access data or features;
- HTTP (Hypertext Transfer Protocol): consisting of the protocol for distributed and collaborative hypermedia systems; and
- Operation: which is the element of an OpenAPI specification that declares a valid path to access an Endpoint, informing, for example, which HTTP method (GET, POST, etc.) to use, names and types of parameters, etc.
In addition to providing a more in-depth treatment of the aspects inherent to the elements of of API specification, IN 95 adds specific functionalities to the API table of Open Banking, referring to “Consent”, “registration data”, “credit card”, “accounts” and “credit operations”. The Consent API is described as that which shall allow the creation, consultation and revocation of consents by clients and users; the Registration Data API shall serve to allow access to data of clients and their representatives; the Credit Card API shall provide access to postpaid payment account data; the Accounts API shall enable the access to upfront deposit, savings and prepaid account data; and, finally, the Credit Operations API shall allow access to operations such as loans, financing, advances to depositors and prepayment of receivables (discounted credit rights).
An equally important aspect pertains to the maintenance of a list of modifications to the APIs, which must have their published versions duly listed on the Open Banking Portal (and the respective periods in which they were in production). Therefore, the Structure Responsible for the Governance of Open Banking shall establish and publish on the Open Banking Portal the process it will adopt to manage these changes in the APIs specifications.
Lastly, it is important to highlight the insertion in the Manual of the obligation that all information for the development, testing and entry into production of applications or APIs shall be available in tutorials on the Open Banking Portal. Each of these tutorials shall contain the steps for the full development of the activity in question.
OPEN BANKING DATA SCOPE AND SERVICE MANUAL. In accordance with Normative Instruction No. 96 (“IN 96”), the Central Bank released version 2.0 of this manual, which, in particular, introduces changes related to rules and requirements for the sharing of registration and transactional client data related to upfront deposit, savings or payment accounts – prepaid or postpaid -, and credit operations.
The innovations brought in this version 2.0 of the Manual are related to explanations contained throughout all points of mandatory observance, such as that which refers to the requirement that the prior consent of the client, for determined purposes and deadlines, is also a requirement for sharing of registration and transactional client data provided in the Manual.
Likewise, the updated Manual now stipulates that, through prior consent and provided that purposes and deadline are observed, participants must observe the obligation to share data on client registrations. Thus, the Manual determines that basic requirements regarding the data on the registration of clients and their representatives, individuals or companies, are observed.
In relation to individuals, the following data must therefore be included:
- Identification, through full name, CPF, home address, means of contact, marital status and affiliation;
- Qualification, by indicating the frequency of income and its value and occupation; and
- Relationship, by indicating the starting date of the relationship with the institution, types of products and services maintained, nature of account and identification of the representative, when applicable.
In relation to legal entities, the following data must therefore be included:
- Identification, by indicating the corporate name, the trade name, date of incorporation, CNPJ, address, means of contact, identification of the representative and his qualification (partner or administrator);
- Qualification, by indicating the area of primary and secondary activity, frequency of billing and its value (with indication of its reference year);
- Relationship, by indicating the starting date of the relationship with the institution, types of products and services maintained, nature of account and identification of representative.
Regarding transactional data, the Manual provides for the sharing of information concerning data from upfront or savings deposit accounts and prepaid payment accounts, through indication of their identification, their available balance, types of transactions carried out in the account, amounts, dates, identification of payers and recipients and their institutions. In addition to these data, information regarding limits taken out in relation to overdraft and depositor advance payment operations should also be considered.
As for postpaid payment accounts, the new version of the Manual includes the indication of account types, total credit limits associated with credit cards, limits per type of operation associated with credit cards, transactions carried out and payment of invoices.
Finally, regarding credit operations, information concerning the identification of consigned service must be considered, indicating the types of credit taken out (whether financing, loans, discounted credit rights or advances), dates and amounts taken out, CET, amortization system and CNPJ of the contracting entity, when applicable. Even more important is the information that must be made available on fees, obligations, remunerative interest rates and guarantees.
CLIENT EXPERIENCE MANUAL. Through Normative Instruction No. 97 (“IN 97”), the Central Bank introduced this Manual of mandatory observance by the participating institutions, with the purpose of defining basic principles on the topic, in addition to the regulations in force, in order to guarantee that the experience of sharing information data consented to by clients with and between Open Banking participants is safe, fast, accurate and convenient, ensuring reliability in the use of the entire sharing system.
Thus, security and privacy, speed, convenience and control and transparency are established as principles of the sharing experience. As for security and privacy, it is certain that the sharing environment must be surrounded by technological security that ensures the privacy of the clients’ personal data and is in compliance with the legislation of personal data protection in force.
As for speed, the Manual establishes that the sharing must be completed within a deadline compatible with the level of complexity and its objectives, ensuring the necessary means for the client’s free choice and reasoned decision, whether it is a simple data sharing journey, or multiple journeys.
In relation to convenience and control, the Manual prescribes that sharing must be carried out to serve specific purposes and in a convenient and accessible way to the client, including regarding the access channels to the participating institutions, ensuring the conditions for the client to control his own personal data when shared in the Open Banking environment.
The convenience aspect becomes even more clear when considering the Manual’s determination that the center of the data sharing journey is the client himself – not any participating institutions – so that the client is assured alignment of the whole process to his own profile, his needs and expectations regarding the products and services, the availability of information and the conditions for exercising his prerogative to grant or revoke consent, as he deems necessary and appropriate.
In matters of transparency, the Manual provides for the principle that clients must have clear and accurate information at their disposal that is objective and appropriate to specific purposes during data sharing. The clients must be informed, using simple and understandable language, about the data that will be subject to sharing and about the motives that justify the fulfillment of the intended purposes, always in a clear and timely manner and in sufficient volume for their unambiguous decision making.
This new Manual also provides for the drafting and availability to the participating institutions and to the general public, through publication on the Open Banking Portal by the Structure Responsible for Governance of Open Banking, a Client Experience Guide, which will bring together procedures and requirements to be observed by all institutions in interactions with clients, throughout the sharing journey.
The structuring of the Client Experience Guide should be presented in a clear and cohesive manner, containing sample screens that illustrate the journey stages, with its devices expressed in the form of requirements (with mandatory observance provisions) and recommendations that, although not mandatory, are in line with best practices for the client experience.
The Client Experience Guide must present content that, at minimum, provides for the flow of the stages of the simple and multiple data sharing journeys, for client identification, for indication of the purposes related to consent, for the selection of data to be shared and the selection of the sharing period, as well as for the selection of the transmitting institution and the redirection to the environment of the same institution.
In addition, the Guide must include the client’s authentication at the transmitting institution and confirmation of sharing by the client at the same institution, plus information about the consent management environment and the terminology used by the institutions throughout both journey modalities.
MANUAL OF SERVICES PROVIDED BY THE STRUCTURE RESPONSIBLE FOR THE GOVERNANCE OF OPEN BANKING. Through Normative Instruction No. 98 (“IN 98”), the Central Bank set out to disclose to the market the new version of this Manual, whose importance lies in the establishment of technical requirements for the implementation of the infrastructure elements that will allow the operationalization of the Open Banking, starting with the directory of participants, in which the critical functionalities of the system are gathered, such as the managing the credentials of the participants and monitoring the APIs.
Added to this is the objective of maintaining access and support channels to the directory and forwarding demands to the participants, as well as providing availability of information through the Open Banking Portal, for the purposes of promoting communication among participants and between them and the general public.
Another extremely important function to be made available among the services to be provided by the Structure Responsible for the Governance of Open Banking includes the provision of a testing environment for APIs under a temporary regulation flexibility regime (“Sandbox”), in order to enable support for innovations undertaken by participating institutions. However, it is provided for that there will naturally be the development of an evolution process of the services provided that reflects the evolution of Open Banking itself in the country, which is why this Manual must remain in a constant state of review and updating.
Starting with the directory of participants, it should be noted that this is the environment and the repository for formalizing the participation of an institution in Open Banking, so that it can participate in the process of sharing data and information, of initiating payment transactions and of forwarding credit operation proposals through the APIs.
In the directory environment, participants will be able to perform activities such as identity and access management, identity management and application authorization and information management of the directory itself.
The API compliance and registration tests constitute an innovation introduced in the Manual by IN 98 and consist of verifying, through tests, the API compliance of each participant, taking into account functional and non-functional aspects, such as, respectively, assessments of adherence of implementations to API specifications and the assessment of compliance on the part of APIs with security requirements. It will be the responsibility of the Structure of Governance to certify the results of the compliance tests, making such certification to be considered a precedent condition for registering the implementation of the API in the production environment of the directory.
The Manual also establishes the minimum required content of directory service level agreements, as well as their performance and availability monitoring standards for storing and making available Open Banking performance statistics.
Two other topics are also covered by the Manual: the Service Desk environment and the Open Banking Portal. The first will be responsible for centralizing the requests and maintenance of technical support tickets related to the directory, APIs and data and services shared among the participants. Regarding the Portal, the Manual provides its guidelines regarding accessibility, language and timeliness, security, confidentiality and data protection, in addition to providing for three areas of interaction: (i) the developer area, containing technical specifications referring to various themes of Open Banking operating infrastructure; (ii) the citizen’s area, containing information aimed at improving the client experience; (iii) the participant area, with information on topics of interest to the participating institutions.
OPEN BANKING SAFETY MANUAL. Finally, the Central Bank published version 2.0 of the Security Manual, by editing Normative Instruction No. 99 (“IN 99”), through which technical elements and measures are introduced to ensure the operationalization of Open Banking through the secure sharing of data on support channels and services and products related to upfront deposit and savings accounts, prepaid and postpaid accounts and credit operations, in addition to sharing client registration data and transactions related to the same products and services mentioned above.
The version of the Manual released by IN 99 changes provisions regarding the Governance structure that must be maintained by the participating institutions concerning the strict compliance of their practices and procedures with the legislation and normative acts that impact on the management of all functionalities and aspects of infrastructure for the operation of Open Banking.
The protection provisions that appear in this version of the Manual are also revised and expanded upon with several important technical aspects, such as logical segregation of systems and APIs within the operational environment of each participating institution, implementation of cryptography in the communication with publicly exposed APIs and deactivation of the “TLS Session Resumption” and “TL Renegotiation” functionalities.
Communication with APIs and the signature of messages must be carried out by means of a valid digital certification issued by a certifier that is part of the ICP-Brasil system, containing mechanisms for the protection of communication channels and for the signing or encryption of messages among APIs.
A new wording was introduced regarding the criteria for detecting interactions in the Open Banking environment that are capable of allowing the deepening of audit trails as well as regarding the reaction by the participating institutions in the face of cyber risks or the need to deal with incidents already underway, by implementing access blocks to the APIs, in compliance with the cybersecurity policy of each institution.
Lastly, IN 99 added a topic specifically focused on security issues related to the Structure Responsible for the Governance of the Open Banking itself. Thus, the Structure of Governance will have to observe basic requirements on this topic, such as, among others, the obligation to make access to restricted areas of the directory of participants dependent on multiple factor authentication, in addition to implementing and to maintain a cybersecurity policy, which must take into account principles and guidelines conducive to confidentiality, completeness and availability of data and information systems.
Demarest’s Banking and Finance team is constantly monitoring developments related to the Open Banking system in Brazil, and is available for any further clarification on this and other topics.