December 20, 2023

Facilitating Data Sharing in Open Finance
- New Central Bank Resolution -

In October of this year, the Central Bank of Brazil announced an important measure to simplify the consent renewal process within the field of Open Finance. Joint Resolution No. 7/2023—which will amend certain articles of Joint Resolution No. 1/2020—aims to make data sharing more accessible and convenient for individuals and companies participating in this open financial system.

Previously, renewing data sharing required going through all the steps for a new consent agreement. However, the resolution introduced significant changes, streamlining the renewal process. It is now enough for individuals to access the environment of the institution that received their data and confirm their intention to renew the agreement.

Another significant change introduced by Joint Resolution No. 7/2023 is the extension of the validity period of data sharing consent.

Participating institutions can now offer longer validity periods than the previous limit of 12 months, while ensuring that customers retain their rights to revoke their consent at any time. This flexibility aims to provide greater convenience for both individuals and businesses.

Autonomy for renewal of consent remains unchanged. The data-receiving institution also has the option to notify the customer when the consent is about to expire and suggest its renewal. However, the consent renewal will only take effect if the customer agrees. This way, customers have full control over their consent, allowing them to manage or revoke it at any time.

This simplified renewal process will initially be available only for individual customers, but it is expected that its scope will be expanded to include corporate customers starting next year. The governance framework responsible for implementing Open Finance in Brazil—composed of key market associations—is developing the technical specifications for this measure, and the features have been available to the public since November 2023.

It is worth noting that the Central Bank has disclosed that there are already more than 41.3 million active consents for data sharing, involving a total of 27.2 million customers. However, another survey conducted by the Consultative Group to Assist the Poor (CGAP) reveals that adoption of Open Finance is still relatively low.

The Central Bank emphasizes that the changes introduced by the resolution do not compromise the security of the system. The adopted security standard follows international models used in other jurisdictions and applies exclusively to renewals, i.e., cases where there is already an active consent after the traditional steps of request, authentication, and confirmation.

Open Finance in Brazil is supervised by the Central Bank, and participating institutions are required to follow specific regulatory acts and cybersecurity and risk management rules, as well as relevant legislation, such as the Brazilian General Data Protection Law (LGPD) and the Banking Secrecy Law. Institutions must also have mechanisms for monitoring and controlling the sharing process—including a consent management area—and specific accountability rules for the institution and its executives.

Security is a priority in Open Finance, with authorized data for sharing flowing directly from the originating institution to the receiving institution, without centralized storage.

Open Finance is evolving to make data sharing simpler and more secure, benefiting both consumers and businesses. The recent measure from the Central Bank of Brazil addressing data security and privacy is an important step towards a more open and efficient financial system.

Joint Resolution No. 7/2023 and LGPD

Joint Resolution No. 7/2023 introduced a definition of “agreement” from individuals, which differs from the consent required to join Open Finance. This agreement represents a specific and active authorization from customers.

In the context of the LGPD, this authorization can be understood as a formal consent from data owners, if the financial institutions request such “agreement” in light of the requirements of the LGPD.

Even though this resolution states that this “agreement” would not be a new consent, from the LGPD perspective, compliance will depend on the approach adopted by the institutions requesting this “agreement.”

Therefore, the difference between a formal “consent” under the LGPD and the new “agreement” lies in how the financial institutions will request such agreement or formally modify the previously given consent, based on the specific systemic approach adopted.

Tauil & Chequer, in association with Mayer Brown—with their deep expertise in financial and regulatory law and data protection—keep up to date and are prepared to provide strategic guidance to financial institutions operating in the Open Finance environment.
