Under new “open banking” rules approved by Brazil’s central bank, Brazilian financial institutions can share, at their customers’ discretion, account holders’ personal and transactional data with other financial institutions. The central bank says the data sharing will promote competition among financial institutions and ease customers’ access to better products and services at lower costs. To what extent will the new rules benefit customers? How much does open banking increase concerns about privacy and the security of customers’ information, and are consumers adequately protected? How will the change affect Brazilian financial institutions and their business models?
Candido Botelho Bracher, president and chief executive officer of Itaú Unibanco Holding: “The new open banking rules have the potential to bring better products with lower costs for customers, as they facilitate the comparison among competing offers and conditions. In addition, customers will be able to use information aggregators, which will bring consolidated data about their relationship with different financial institutions, allowing for better planning and control of their finances. Customers will be protected both by the General Data Protection Law and by robust information security systems in the financial system. That said, in Brazil most of the financial fraud to clients is done by social engineering, that is, by groups that manage to persuade clients to deliver information or carry out transactions that enable or characterize fraud. Open banking will bring greater ease and speed to transactions, in addition to a large flow of data between different participants in the system. Therefore, this type of fraud can be enhanced. Institutions will have to compete in a more open market, in which competing business proposals can be easily compared. The big question is the speed of customers’ adherence to open banking systems. In countries where open banking has already been implemented, membership has generally been lower than expected.”
Ione Amorim, economist at the Brazilian Institute of Consumer Defense (IDEC): “IDEC believes that the movement toward opening the financial market to new entrants is highly positive and should be considered fundamental to deconcentrating this market to the benefit of the consumer. However, the rules that will be implemented between November 2020 and October 2021 should better explain the rights and guarantees of the consumer, precisely determining the duties of the institutions when dealing with the consumer. For IDEC, it is worrying that the open banking rules come into force before the approval of the General Data Protection Law, which was postponed to May 2021. This mismatch is worrying because many of the fundamentals in the open banking rules must be guided by the data protection law. The complexity of the system, which involves technical issues, social issues and various institutions, for the benefit of consumers and to foster financial inclusion, would require a greater debate among these different actors to understand the effects and the importance of these new mechanisms. A broader debate on the proposed regulation contributes to reducing the asymmetry of existing information on a topic that will influence the Brazilian consumer. Although the open banking system aims to increase the well-being of Brazilian consumers among the objectives of its implementation, it does not present a focus on the rights of individuals directly affected by the change. It is also necessary to focus on consumer data control, explaining principles of consumer protection and the protection of their personal data and ensuring that the inclusion proposed by open banking does not promote the increase in banking service costs.”
Peter Baumgaertner and Paul Bond, partners at Holland & Knight: “Brazil’s central bank has issued a ‘Regulation on Open Banking,’ supplemented by a circular on guidance. This regulation encourages, and in some cases requires, the implementation of open banking, defined as ‘a standardized sharing of data and services through the opening and integration of systems’ pursuant to customer authorization. The central bank describes a phased implementation. This will eventually include consumer information relating to demand deposit or savings accounts, payment accounts or credit operations; registry and transactional information; loan proposals; and foreign exchange operations, investments, insurance and open pension funds, among other financial products. Financial institutions and fintech companies operating in Brazil and around the world will be watching closely to see how this process plays out, balancing consumer choice and competition against privacy and data security risks. For example, it is not yet clear how the larger banks will be compensated for the sharing of this information (as the regulation only provides a limited number of free accesses). Also, while Brazil’s plan may considerably increase the volume and instances of consumer-authorized sharing, it does not explain how the central bank will assign responsibility and liability in the event of a data security breach. While in many ways Brazil’s new initiative mirrors the U.S. Consumer Financial Protection Bureau’s 2017 Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation, those U.S. guidelines did not constitute new law. Brazil may therefore shape the global debate over data portability as a workable model, or as a cautionary tale.”
Leandro Vilain, director of business policies and operations at the Brazilian Federation of Banks (Febraban): “Febraban believes that open banking is a positive initiative that encourages innovation and will bring customers greater convenience and a better experience with financial services. It will also give customers greater autonomy in the use of their bank information, facilitating sharing with other institutions participating in the system and authorized to operate by Brazil’s central bank. The Brazilian banking industry is engaged and active in this process and will make positive contributions to the entire program, maintaining the necessary security for its customers and long-term sustainability for the project.”
Pedro Carvalho, associate director at Fitch Ratings: “Brazil has a highly concentrated banking industry. Fintechs and other smaller entities usually struggle to reach a reasonable scale of client base, mainly due to lack of knowledge of their credit behavior. Open banking will allow clients to share account information (mainly historical lending data) with third-party entities. These entities are expected to offer a suitable (and low-cost) service to the client (lending, investment products and other services). In parallel to open banking discussions and implementation, the Brazilian government has established a regulatory framework. This includes Law 13.709, which protects client information, to be implemented in August. This encompasses the responsibilities and requirements of agents involved in clients’ data sharing, which may reduce the risk of leaks of client information. Accordingly, both banks and fintechs will face the challenge of ensuring adequate treatment of clients’ data. Larger banks won’t need additional cybersecurity infrastructure investments to operate open banking APIs. However, it may be a concern for smaller participants given limitations of their resources vis-à-vis the data volume that they might deal with (which could also translate into an image risk) and also a vulnerability for hackers. Fitch understands that open banking and other initiatives from regulators (for example, instant payments) are paving the way for the banking industry’s transformation. Larger players are reducing the number and size of branches, increasing the digital transformation and user experience.”