On July 3, 2024, the Financial Market Commission (the "CMF"), exercising its legal powers, published General Rule No. 514 (hereinafter "NCG 514" or the "Regulation") which regulates the Open Finance System (hereinafter the "System" or the "SFA"), in accordance with the provisions of Title III of Law 21,521, also known as the "Fintech Law".

The SFA aims to allow the exchange of financial customer information and other types of data between different service providers, who have given their express consent, through remote and automated access interfaces that enable direct interconnection and communication between Participants (as defined below), under appropriate security standards and subject to compliance with the requirements and conditions established in the Fintech Law.

The Regulation is divided into the following sections:

• Scope of the open finance system

Identifica a todas las instituciones participantes en el SFA (colectivamente, los “Participantes”), para lo cual se dictan los requerimientos que les permiten participar en el SFA de acuerdo con los roles específicos que posean según lo establecido en el Directorio de Participantes, que será implementado por la CMF para facilitar una adecuada interacción de los diversos participantes en el contexto del SFA y que permitirá la “búsqueda, consulta y actualización de los participantes habilitados en el SFA, incluyendo sus datos de registro o autorización, roles y perfiles, recursos de API y certificados digitales, entre otros”.

El Directorio de Participantes estará compuesto por dos registros y dos nóminas asociadas a entidades que deben participar obligatoriamente en el Sistema, o bien que, ya encontrándose incorporadas al perímetro de la CMF, pueden participar del SFA sin necesidad de un nuevo proceso de registro conforme al nivel de requisitos que les aplique. Estos son:

• Register of service providers based on information. It is a voluntary register for service providers enabled by financial information who intend to participate in the SFA to consult, access, and receive data to provide services to customers, reserved for legal entities constituted under Chilean laws and domiciled within Chilean territory. Exceptionally, foreign entities may participate provided they have established an agency in Chile prior to the application.
• Register of payment initiation service providers. This register will include entities intending to provide services consisting of instructing on behalf of a customer to an Account Provider Institution, the execution of payment orders or electronic transfers, including predefined recurring payments in favor of third-party beneficiaries indicated by the customers, debiting their respective accounts and payment methods (hereinafter, "PSIP").
• List of information provider institutions and account providers. All entities considered as Information Provider Institutions ("IPI") and Account Provider Institutions ("IPC") under the Fintech Law must submit the necessary documents to be incorporated and enabled in the lists of entities called "IPI List" for information provision and "IPC List" for payment orders or electronic transfers.
• List of Information-Based Service Providers ("PSBI List"). Entities qualifying as IPI and those registered in the Financial Service Providers Register can voluntarily participate in the System as Information-Based Service Providers ("PSBI"). For this, these entities must request their voluntary inclusion in the PSBI List. The Fintech Law considers PSBI as entities enabled to participate in the SFA to consult, access, and receive data to provide services to their customers.

1. Operation of the SFA

De conformidad a lo establecido en la Ley Fintech, la NCG 514 establece que el mecanismo de intercambio de información de datos dentro del SFA son las Application Programming Interfaces (“APIs”), y las define como aquel “mecanismo tecnológico por medio del cual dos o más programas o sistemas computacionales pueden comunicarse entre sí” y que, en conformidad a lo señalado en la Ley Fintech, permiten una interconexión y comunicación directa entre instituciones participantes del SFA. Luego, se definen los estándares básicos que les serán aplicables a las APIs, junto a los niveles de disponibilidad y rendimiento que estas interfaces deberán cumplir.

Asimismo, se señalan las condiciones que deben considerarse para el uso de un mecanismo alternativo para el intercambio de datos, el cual debe estar disponible para asegurar la continuidad operacional del SFA, cumpliendo los requisitos que se definan en las especificaciones técnicas de la NCG 514.

Finally, the requirements related to the quality of information exchanged within the SFA are addressed, and communication mechanisms in case of contingencies, and the notification procedure to the involved Participants and the CMF, as applicable, are established.

• System security and safeguards

The Regulation sets requirements concerning risk management and internal control of participants; cybersecurity and incident reporting; the mechanism for reporting operational incidents; and elements participants must consider regarding business continuity. In particular, standards for information security within the system are established; client authentication and confirmation; and verification of validity and roles of PSBI and PSIP within the Participant Directory. This section also indicates cases where access to information will be interrupted and new payment orders will be denied.

Additionally, it outlines the requirements and manner in which client consent must be granted as an essential condition for entities to access their financial information, as well as the management of these consents while they remain valid. Finally, other standards regarding interoperability and distribution of reimbursable costs are specified.

• • System information

It establishes the types of data permitted to be exchanged within the SFA, classified by type and their respective details, indicating conditions of availability, validity, updates, and applicable means of exchange.

Additionally, the obligations and responsibilities of Participants concerning the integrity, availability, security, and confidentiality of data involved in each transaction and the proper protection of clients' personal data are stated.

Requirements for disclosing information related to the implementation of the SFA on the supervised entities' websites are also established.

• • Other provisions

The Regulation includes provisions related to the application of temporary suspension measures and sanctions associated with non-compliance with NCG 514.

Regarding implementation and validity periods of the Regulation, it contemplates an implementation period divided into two stages:

The first stage will last 24 months from the publication of the rule and is aimed at technological preparation and development of tasks assigned to participants and the CMF. After this period, the Regulation will come into effect. Finally, the second stage establishes gradual compliance periods for availability according to participant type and APIs, ranging from 6 to 36 months from the Regulation's effective date.

If additional information on this matter is required, you may contact Christian Schiessler (cshiesslerq@jdf.cl) and Diego Miranda (dmiranda@jdf.cl).