Open Banking and Banking Secrecy in Brazil
Having experienced decades of high inflation, Brazilian financial institutions learned to be fast, creative and sophisticated. Whilst in some countries credits and debits can take days to be booked in a bank’s account, a client withdrawing money from an ATM in a remote corner of Brazil should not be surprised to receive an SMS warning that his or her account has been debited even before the machine finishes counting the banknotes.
Not surprisingly, however, integration among different institutions has been slow and tends to be more reactive than proactive. That may now change, as the Central Bank of Brazil recently announced its intention to implement an Open Banking model in the country, an important step towards integration. In the Central Bank’s view, Open Banking is the sharing of data, products and services among financial institutions, payment institutions and other licensed institutions, such as securities brokers and dealers and leasing companies.
Initially, only larger financial institutions and conglomerates are expected to be obliged to adhere to Open Banking. Smaller institutions and payment services providers may be obliged to adhere at a later stage, when they would be forced to disclose data with respect to their own products and clients. However, the smaller institutions and payment services providers shall have the option to adhere to Open Banking on a non-mandatory basis already in the first phase of implementation, thus having access to client and product data from larger institutions and conglomerates. Institutions that adhere voluntarily to Open Banking will also be required to give access to their own clients’ data.
At least four classes of data, products and services shall be included in the Brazilian Open Banking concept: (a) data relating to products and services offered by the participating institutions; (b) clients’ personal data, such as name, address and ID; (c) clients’ transactional data, such as account balance, investments and credit transactions; and (d) payment services, such as transfer of funds and payment initiation services.
Except for general information on products and services, the disclosure of client and transaction information raises concerns with respect to banking secrecy. Financial institutions, payment services providers and other institutions authorized to operate by the Central Bank of Brazil are subject to the Banking Secrecy Law of 2001, pursuant to which those institutions must keep confidential their operations and services rendered. Disclosure of information protected by banking secrecy is a crime, except in certain limited cases provided in the Banking Secrecy Law.
One of these cases is the disclosure of protected information upon the express consent of the interested party – that is to say, the consent of the client to whom the information relates. A similar concept is found in the recently enacted Brazilian General Data Protection Law (GDPL) of 2018, which has not yet entered into force. Under the GDPL, the delivery of personal data by the data holder to third parties generally requires the specific consent of the data’s owner.
That means a client’s express consent is required for financial or payment services institutions, as well as any institution authorized to operate by the Central Bank of Brazil, to deliver client and transactional data to third parties. This is true even if Central Bank regulation obliges the disclosing institution to adhere to Open Banking and the receiving institution is also bound by banking secrecy.
At the same time, the concept of express consent means no legislative change is necessary for Open Banking to be implemented in Brazil. Provided that the client’s consent is granted, the exchange of information among licensed entities can be regulated by Central Bank initiatives without the need to amend the Banking Secrecy Law, the GDPL or other laws.
In fact, no regulation would be necessary at all for regulated institutions to set up Open Banking on a voluntary basis, and a few limited precedents already exist. Nonetheless, regulation is expected to establish a general framework that shall not be limited to the mandatory adhesion of certain classes of institutions to Open Banking.
For example, regulation should outline the basis for non-discriminatory access to the data, as a means to increase competition and reduce entry barriers. Regulation should also define the minimum content of agreements providing for the transfer of data from regulated to non-regulated entities, such as fintechs that render services outside the supervision of the Central Bank or other authorities.
According to a communication issued on April 24, 2019, the Central Bank is planning to conduct a public hearing in the second half of this year to discuss the draft Open Banking regulation, and the Open Banking model shall start to be implemented in the second half of 2020.
On this issue | May 2019