Continuing its regulatory activities for the Open Financial System in the country, the Brazilian Central Bank (“BCB”) published, on April 14, 2021, six new normative instruments related to the implementation process of Open Banking.
The new rules are set out in Resolution BCB No. 86 (“Res. 86”) and in five Normative Instructions numbered sequentially from 95 to 99 (“INs”). While Res. 86 revisited the implementation process, amending technical requirements and operational procedures provided for by Resolution No. 32 of October 29, 2020 (“Res. 32”), all of the INs publish versions of the Open Banking operational guides.
Res. 86 modifies provisions associated with the scope of data and services, making it mandatory that institutions that transmit client registration data and their transactions inform both the date and the hour of the last data update and of the data sharing itself. Recognizing that a lag may occur in the response time of each interface request among the participants, the new rule also establishes a maximum difference, relative to availability through electronic channels, of up to five minutes for balance and transaction data in deposit or payment accounts, and of up to one hour for other cases.
With regard to the registry rules for participants, Res. 86 clarifies the importance that aspects of privacy, data use and conflict resolution take on in the list of rights and obligations of institutions. As is known, this list of rights and obligations is designed and issued by the Structure Responsible for the Governance of Open Banking (in accordance with RC No. 1/20).
Res. 86 also makes explicit that the Guide of Services Provided by the Structure Responsible for the Governance of Open Banking must detail parameters on unavailability and on the performance of the participants in the execution of activities to implement the directory of participants, support channels for access to the directory, and forwarding of demands, in addition to those related to the Open Banking portal. This detailing shall be based on criteria related to availability frequency and to the response time in meeting demands.
Res. 86 adds to the list of attributions of the participants directory, which is covered by the Structure Responsible for the Governance of Open Banking, the monitoring and sharing of information about the unavailability and the performance of request processes for the sharing of data and services within the scope of Open Banking, as well as the conducting of compliance tests and tests of the registry of the participants' APIs. It is worth noting that article 13 of Res. 32 provides for, as original attributions of the directory, the management of: (i) the registry of and access to the directory by the institutions; (ii) the identity and authorization of the participating institutions, including identification, authorization and revocation of certificates used for the sharing of data and services; and (iii) directory information of interest to participants and developers on technical standards, regulatory requirements and other information necessary for the implementation of the APIs.
In an innovative way, Res. 86 also creates the concept of testing environments for APIs, establishing that the Structure Responsible for the Governance of Open Banking must maintain the environment in such a way as to allow the participants to submit their API implementations, still in the development stage, to automated functional and non-functional tests, as well as to access sample implementations of the APIs.
The guidelines that will drive the provisions contained in the Open Banking Client Experience Guide were also defined. Through the insertion of Chapter VIII-A into the original text of Res. 32, the Central Bank established that the Open Banking Experience Guide shall contain the governing principles of client experience in the request process for the sharing of data and services, and the requirements of the experience guide, taking into consideration its content and the structure of topics, in order to harmonize the stages of consent, authentication and confirmation among the participants.
In this step, the guide shall also include different possible use cases, including for joint accounts of individuals, and must be drafted, revised and updated from time to time by the Structure Responsible for the Governance of Open Banking and made available to participants and to the public, in its most updated version, through the Open Banking portal.
Lastly, in the same chapter about Client Experience, Res. 86 provides that the sharing of data related to the registration of clients and their transactions referring to upfront deposit and savings accounts, prepaid and postpaid, among others, jointly held by individuals, must be accompanied by the guarantee that the receiving institution accesses only the registration data of the account holder responsible for the consent, without allowing the sharing of data of the other holders. Concerning the sharing of transaction data of the same joint account, the transmitting institution must do so with the consent of the holders who may have access to account transaction information, in such a way as to protect both the privacy and the confidentiality of the information, in accordance with the interests of its many holders.