Challenges for data protection in Open Finance

Colombia formally began its journey towards an Open Finance ecosystem, following the issuance of External Circular 004 of 2024 by the Superintendency of Finance, which, while aiming to offer more inclusive and personalized financial services, raises the question of data security in the new landscape of Open Finance.

For an Open Finance ecosystem to become a reality in our country, the same circular established the technological, security and interoperability standards for the authorized opening of bank customer data to third parties, specifying also minimum data security requirements, which, as a first step, must always be stored and shared in encrypted form.

Likewise, supervised entities must make sure that the new Third Party Data Receivers have policies and procedures for the secure treatment of user data and the management of security risks, complying with security frameworks such as ISO 27001, the NIST Cybersecurity Framework or OWASP ASVS. If they process, transmit or store credit or debit card data, they must also comply with PCI DSS for the protection of bank card data.

These requirements pose new challenges for organizations that must begin to review them in time to achieve compliance by all stakeholders involved in the new open finance ecosystem.

What data security challenges does Open Finance bring?

Undoubtedly, opening up data in the Colombian financial system means greater access and inclusion for people and more personalized services, but it also brings increased information security risks, with potential breaches or leaks that could directly impact the success of the open finance ecosystem and affect user confidence in the financial system in general.

The first step to preventing these risks is to clearly identify where sensitive data resides and what movements or queries it will undergo in the new Open Finance model; only with that understanding does it become clear which measures need to be implemented. As data moves between multiple entities and platforms, the potential for data leakage increases, and users’ personal and financial information can be left exposed if it is not protected with robust security measures such as encryption and tokenization.

The greater accessibility to data made possible by Open Finance also brings the risk of more unauthorized access and cyber-attack attempts against the entities’ systems, using techniques such as ransomware or phishing, which already have a high impact on the Colombian financial sector: it recorded 43 cyber-attack attempts per second in 2023, according to figures from Asobancaria.

Although the regulations outline the minimum requirements for ensuring data security at supervised entities and third party data recipients, with measures such as data encryption, compliance with global security frameworks and the PCI DSS standard for the protection of bank card data, this is only one aspect of a comprehensive security approach that truly covers every point of vulnerability in the ecosystem.


Data protection in Open Finance requires a holistic approach

A comprehensive protection strategy involves ensuring the security of API, network, application and data infrastructure, guaranteeing complete protection against a variety of attack vectors. This means including measures such as encryption of data in transit and at rest, tokenization of sensitive data, strong identity management with multi-factor authentication, role-based access control, and continuous risk monitoring and analysis, with incident monitoring and response systems that can detect suspicious activity and respond quickly to potential security breaches.

Alongside these system and data security measures, continuous training in data security and risk management for the people involved is also indispensable, building data protection awareness among the workforce and users to prevent common information theft practices such as phishing, ransomware and other types of fraud.

The security challenge involves all players in the ecosystem.

Although securing the open finance ecosystem is a considerable challenge, the good news is that it can be met through joint efforts by all players in the system, focusing on the implementation of advanced security measures and regulatory compliance. Additionally, it is critical to promote a culture of cybersecurity in organizations and maintain active collaboration between regulators, robust cybersecurity solution providers and third-party data recipients to adapt to the changing dynamics of security threats.

By integrating these practices and achieving greater awareness of the importance of data protection in digital environments, financial institutions and third parties can effectively protect sensitive data and strengthen user confidence in the open finance system, thus favoring innovation and the expansion of open financial services in Colombia and the region.
