2026-04-02 | Instrução Normativa BCB 720

Central Bank of Brazil Normative Instruction No. 720 of April 2, 2026: Publication of Version 5.0 of the Open Finance Security Manual

The Central Bank of Brazil issued Normative Instruction No. 720 to mandate the adoption of Version 5.0 of the Open Finance Security Manual by all participating institutions. This regulation establishes mandatory compliance dates, requiring immediate adherence to most sections while setting a November 3, 2026 deadline for specific new certificate validation requirements. The instruction also revokes the previous Normative Instruction No. 305 and updates the technical security standards for data sharing, governance, and incident response within the Open Finance ecosystem.


CENTRAL BANK OF BRAZIL NORMATIVE INSTRUCTION NO. 720, OF APRIL 2, 2026

Publishes version 5.0 of the Open Finance Security Manual.

The Heads of the Department of Financial System Regulation (Denor) and the Department of Information Technology (Deinf), in the exercise of the powers conferred upon them by Art. 23, item I, letter "a", of the Internal Regulations of the Central Bank of Brazil, annexed to BCB Resolution No. 340, of September 21, 2023,

based on Art. 3, item IV, of BCB Resolution No. 32, of October 29, 2020,

RESOLVE:

Art. 1 This Normative Instruction publishes version 5.0 of the Open Finance Security Manual, of mandatory observance by participating institutions, as per the Annex.

§ 1 The manual referred to in the caput, in its most recent version, will be accessible on the Open Finance page on the Central Bank of Brazil's website and on the Open Finance Portal of Brazil, maintained by the Open Finance Governance Structure referred to in Art. 44, § 1, of Joint Resolution No. 1, of May 4, 2020.

§ 2 Mandatory observance of the manual referred to in the caput must occur:

I - from November 3, 2026, for items 3.28 to 3.30 and 6.18 of the cited manual; and

II - on the effective date of this Normative Instruction, for the remaining items of the manual.

Art. 2 BCB Normative Instruction No. 305, of September 15, 2022, published in the Official Gazette of the Union on September 19, 2022, is hereby revoked.

Art. 3 This Normative Instruction enters into force on the date of its publication.

MARDILSON FERNANDES QUEIROZ Head of Denor

CAIO MOREIRA FERNANDES Head of Deinf

ANNEX TO BCB NORMATIVE INSTRUCTION NO. 720, OF APRIL 2, 2026

Open Finance Security Manual Version 5.0

Summary of changes

Date: 2/4/2026 (April 2, 2026)
Version: 5.0
Description of changes:
- Improvements in the wording of the text, without alteration of merit.
- Update of references.
- Update of the wording regarding the scope of application of minimum security requirements, based on Joint Resolution No. 1, of 2020.
- Alteration of items 3.1 and 3.9, to align with the updated scope of application of minimum security requirements.
- Inclusion of item 3.10, providing for the exceptionality of the use of digital certificates for sharing data on service channels and for the sharing of products and services referred to in Art. 5, item I, letters "a" and "b", of Joint Resolution No. 1, of 2020, with renumbering of the remaining items.
- Alteration of item 3.15, providing for the certificates used for communication of Front-End systems.
- Inclusion of items 3.28 to 3.30, providing for the mechanisms adopted for validation of digital certificates.
- Inclusion of item 6.18 regarding the availability of parameters for selection of mechanisms referred to in item 3.28.

Terms of Use

This manual details the technical requirements for the implementation of the elements necessary for the operationalization of Open Finance, complementing the current regulation on the subject.

The manual will be reviewed and updated periodically to preserve compatibility with the regulation, as well as to incorporate improvements resulting from the evolution of Open Finance and technology.

More detailed information and examples of the application of this manual can be found in the guides and tutorials available on the Open Finance Portal of Brazil, in the Developer Area.

Suggestions, criticisms, or requests for clarification of doubts regarding the content of this document may be sent to the Central Bank of Brazil through the institutional channels of this autarchy.

References

These specifications are based on, reference, and complement, when applicable, the following documents:

Reference | Origin
Joint Resolution No. 1, of 2020 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20Conjunta&numero=1
BCB Resolution No. 85, of 2021 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20BCB&numero=85
BCB Resolution No. 109, of 2021 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20BCB&numero=109
BCB Normative Instruction No. 136, of 2021 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Instru%C3%A7%C3%A3o%20Normativa%20BCB&numero=136
CMN Resolution No. 4.893, of 2021 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20CMN&numero=4893
BCB Resolution No. 400, of 2024 | https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20BCB&numero=400
General Law for the Protection of Personal Data (LGPD – Law No. 13.709, of 2018) | http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm
OWASP API Security Project | https://owasp.org/www-project-api-security/
CWE TOP 25 Most Dangerous Software Errors | https://www.sans.org/top25-software-errors
CWE Top 25 Most Dangerous Software Weaknesses | https://cwe.mitre.org/top25/
NIST Cybersecurity Framework | https://www.nist.gov/cyberframework
ICP Brasil - Technical Conduct Manual 7 – Volume I | https://www.gov.br/iti/pt-br/centrais-de-conteudo/mct-7-vol-1-v-2-2-pdf
Provisional Measure No. 2.200-2, of August 24, 2001 | http://www.planalto.gov.br/ccivil_03/mpv/antigas_2001/2200-2.htm
Chartered Professional Accountants – Canada: Principles and Criteria and Practitioner Guidance | https://www.cpacanada.ca/business-and-accounting-resources/audit-and-assurance/Overview-of-WebTrust-services/Principles-and-criteria
RFC 2818 - HTTP Over TLS | https://datatracker.ietf.org/doc/html/rfc2818
RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | https://datatracker.ietf.org/doc/html/rfc5280
BCP 195/RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) | https://tools.ietf.org/html/rfc7525

1. Introduction

This manual details in operational terms the security guidelines established by Joint Resolution No. 1, of May 4, 2020, and BCB Resolution No. 32, of October 29, 2020. It contains the minimum security requirements that are mandatory both for participating institutions and for the other elements that make up the Governance Structure Responsible for Open Finance.

To ensure the security of Open Finance in the country, current regulation establishes the obligation to comply with a series of measures, including those described in this manual.

Regarding the mandatory requirements for participating institutions, this manual presents the following sections: 2. governance, 3. protection, 4. detection, and 5. reaction. The mandatory requirements for the Open Finance Governance Structure are contained in Section 6.

This manual prescribes the minimum security requirements necessary for the sharing of data and services in Open Finance, as per Joint Resolution No. 1, of 2020.

As Open Finance covers the sharing of other data and services, new security requirements may be added to this manual, complementing the applicable regulation.

Throughout this document, acronyms commonly used by information security professionals are employed to designate recurring expressions. The most frequently used, with their corresponding definitions, are as follows:

I - ACL: Access Control List;
II - API: Application Programming Interface;
III - ETIR: Incident Response Team;
IV - HTTP: HyperText Transfer Protocol;
V - ICP-Brasil: Brazilian Public Key Infrastructure;
VI - IP: Internet Protocol;
VII - NTP: Network Time Protocol;
VIII - PFS: Perfect Forward Secrecy;
IX - PGP: Pretty Good Privacy;
X - TCP: Transmission Control Protocol;
XI - TLS: Transport Layer Security;
XII - URI: Uniform Resource Identifier; and
XIII - UTC: Universal Time Coordinated.

2. Governance

2.1 Participating institutions in Open Finance must adopt processes to monitor the publication and entry into force of normative acts with impact on the subject, in order to remain permanently updated with regulatory determinations.

2.2 The list of normative acts whose observance is essential for participating institutions in Open Finance includes, non-exhaustively:

I - Joint Resolution No. 1, of 2020;
II - Resolutions issued by the National Monetary Council (CMN) and the Central Bank of Brazil applicable to participating institutions, especially those dealing with cybersecurity policy and requirements for contracting data processing and storage services and cloud computing; and
III - The General Law for the Protection of Personal Data (LGPD – Law No. 13.709, of 2018).

2.3 The incident response and action plan of participating institutions must cover the procedures and controls to be used in the prevention and response to incidents affecting systems, APIs, and other resources related to the implementation and operation of Open Finance, in a manner compatible with the institution's cybersecurity policy and current regulation.

2.4 Participating institutions must define procedures and controls aimed at the prevention and handling of incidents to be adopted by third-party service providers that handle data or information required for the conduct of activities related to Open Finance, in compatibility with the policy referred to in item 2.3 and current regulation.

2.5 The procedures and controls referred to in item 2.4 must be disclosed to service provider companies in clear, accessible language and at a level of detail compatible with the functions performed and the sensitivity of the information.

2.6 Participating institutions, prior to contracting services required for the conduct of activities related to Open Finance, must adopt procedures that include verification of the potential service provider's capacity to ensure compliance with legislation and current regulation.

2.7 Institutions must store and process the data specified in the consent stage according to the purpose for which they were shared securely, observing current legislation and regulation.

2.8 Participating institutions must keep their registration information permanently updated in the Open Finance Participants Directory, observing current regulation.

3. Protection

3.1 Access to data and services within the scope of Open Finance must be carried out exclusively through APIs.

3.2 Systems and APIs related to Open Finance must be maintained on an internal network logically segregated from networks ordinarily used by workstations or wireless networks.

3.3 Data-transmitting institutions and account-holding institutions must implement inbound and outbound traffic controls, in order to allow only what is necessary for communication with Open Finance APIs.

3.4 Institutions must implement encryption in communication with publicly exposed Open Finance APIs, using the TLS protocol in version 1.2 or higher, using cipher suites that meet the perfect forward secrecy (PFS) requirement.

3.5 The "TLS Session Resumption" and "TLS Renegotiation" functionalities must be disabled.

3.6 Institutions must apply security controls at the application layer that allow threat inspection and blocking of code injection attacks, among others, adequate to the technologies used in the APIs.

3.7 Institutions must not expose the data repositories used in Open Finance directly to the internet.

3.8 Participating institutions must verify and ensure that the quantity, order, format, size, and content of the fields of access requests to APIs, as well as their responses, are in accordance with the definitions established by Open Finance.
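The check item 3.8 describes (quantity, order, format, size and content of request fields) is easiest to get right when the on-the-wire key order is preserved during parsing and every field is compared against an explicit specification. The following is an added example, not code from the normative instruction or from the Open Finance specifications; the field names, patterns and limits in CONSENT_REQUEST_SPEC are constructed for illustration, and a real implementation would take them from the published API definitions.

```python
"""Strict validation of an Open Finance-style API request body (item 3.8).

Added example; the field specification below is constructed, not the
official one. It checks the five properties item 3.8 names: quantity of
fields, their order, format, size and content.
"""
import json
import re
from collections import OrderedDict


class Pairs(list):
    """Marker type so a JSON object (kept as ordered key/value pairs) is
    distinguishable from a JSON array after parsing."""


# Constructed specification: field name -> (regex for the value, max length).
# The insertion order of the entries is the mandated field order.
CONSENT_REQUEST_SPEC = OrderedDict([
    ("consentId", (re.compile(r"^urn:[A-Za-z0-9:-]{1,64}$"), 72)),
    ("status", (re.compile(r"^(AWAITING_AUTHORISATION|AUTHORISED|REJECTED)$"), 24)),
    ("creationDateTime", (re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"), 20)),
])

MAX_BODY_BYTES = 4096  # assumed size limit for the whole body


def validate_request(raw_body: bytes, spec=CONSENT_REQUEST_SPEC) -> list:
    """Return the list of violations; an empty list means the body conforms."""
    errors = []
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        # object_pairs_hook keeps key order and lets duplicate keys be seen.
        parsed = json.loads(raw_body, object_pairs_hook=Pairs)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"malformed JSON: {exc.__class__.__name__}"]
    if not isinstance(parsed, Pairs):
        return ["top-level value is not a JSON object"]

    keys = [k for k, _ in parsed]
    expected = list(spec)
    if len(keys) != len(set(keys)):
        errors.append("duplicate keys")
    if len(keys) != len(expected):                      # quantity
        errors.append(f"expected {len(expected)} fields, got {len(keys)}")
    if keys != expected:                                # order (and field set)
        errors.append(f"field set/order mismatch: {keys} != {expected}")

    for key, value in parsed:
        if key not in spec:
            continue                                    # already reported above
        pattern, max_len = spec[key]
        if not isinstance(value, str):
            errors.append(f"{key}: not a string")
            continue
        if len(value) > max_len:                        # size
            errors.append(f"{key}: longer than {max_len}")
        if not pattern.match(value):                    # format / content
            errors.append(f"{key}: does not match required format")
    return errors
```

Rejecting on any violation, rather than silently dropping or reordering unexpected fields, is what keeps the gateway's view of a request identical to what the back-end sees.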

3.9 For signing messages and secure communication with APIs used for data and service sharing, valid digital certificates issued by a certification authority participating in ICP-Brasil must be used, in accordance with the standards for digital certification established by the Open Finance Governance Structure.

3.10 The provision of item 3.9 does not apply to the sharing of data on service channels nor to the sharing of data on products and services referred to in Art. 5, item I, letters "a" and "b", of Joint Resolution No. 1, of 2020.

3.11 The digital certificates referred to in item 3.9 must include mechanisms for protecting communication channels and for signing or encrypting messages exchanged with APIs.

3.12 The use of digital certificates issued by the Directory service of the Open Finance Governance Structure is admitted for use in the API testing environment referred to in Art. 12, item IV of BCB Resolution No. 32, of 2020.

3.13 Certificates required for partnership contracts must observe current legislation and regulation and, where applicable, follow the digital certificate standards defined by the Open Finance Governance Structure. The standards referred to in this item must include the certificate formatting, cryptographic algorithms, and attributes established.

3.14 For establishing TLS connections for calls to confidential endpoints, the following algorithms must be used:

I - ‘TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256’; and
II - ‘TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384’.

3.15 Certificates used for communication of Front-End systems, accessed directly by customers of participating institutions, especially for authentication, must:

I - be of the Extended Validation (EV) type; and
II - be issued by a certification authority in operation, in conformity with WebTrust principles and criteria.

3.16 Procedures and controls related to encryption must include secure means for storage, transfer, use, and destruction of secrets or keys employed within the scope of Open Finance, observing current regulation.

3.17 It is recommended to use the following cryptographic algorithms for protection and storage of secrets within the scope of Open Finance:

I - ‘AES-256bits’ or higher;
II - ‘SHA-256bits’ or higher; and
III - ‘RSA-2048bits’ or higher.

3.18 It is advisable that secrets and keys used to authenticate, protect, and ensure data integrity be generated in a manner that respects dual control processes and secret handling (split-knowledge), storing log records that include generation date, participants, and custodians, when applicable and in a manner compatible with current regulation.

3.19 Participating institutions must implement security procedures and controls for vulnerability analysis in the development and production usage stages of API versions used in Open Finance, observing current regulation.

3.20 The vulnerabilities referred to in item 3.19 must be categorized and prioritized according to risk classification.

3.21 Participants must implement processes for periodic review of system and API configurations used in Open Finance, to ensure that only authorized ports and services are enabled, observing current regulation.

3.22 Participating institutions must ensure that portals and applications related to the implementation and operation of Open Finance have adequate authentication means and authorization control in observance of current regulation.

3.23 The authentication process must always be carried out through a secure communication channel, using TLS 1.2 or higher encryption, in a manner compatible with current regulation.

3.24 Remote accesses for administration of systems or infrastructure related to Open Finance must be carried out using multiple authentication factors, observing, where applicable, compatibility with current regulation.

3.25 Institutions must implement a formal patch application process that includes systems related to the implementation of Open Finance, in a manner compatible with the institution's cybersecurity policy, observing current regulation.

3.26 Systems and APIs related to Open Finance must have a clock synchronized with a reliable time source, for example, through the use of the NTP protocol.

3.27 APIs and systems related to Open Finance must be implemented using secure configuration standards (hardening), observing current regulation.

3.28 Participating institutions must use mechanisms to verify the validity of the digital certificates referred to in item 3.9.

3.29 The selection of the mechanisms referred to in item 3.28 must be in accordance with the parameters defined by the Open Finance Governance Structure.

3.30 Participating institutions must be able to verify the validity of digital certificates even in the event of temporary unavailability of the mechanisms referred to in item 3.28.
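Items 3.28 to 3.30 require a primary validity mechanism, chosen according to parameters set by the Governance Structure, and a way to still reach a verdict when that mechanism is temporarily unavailable. The block below is an added example of that control flow and is not code from the normative instruction. To stay runnable with the standard library alone, certificates are modelled as small constructed records rather than parsed X.509 objects, the primary mechanism is a callable standing in for an OCSP responder, and the Policy values are assumptions in place of the real selection parameters; a production check would parse the certificate and fetch OCSP or CRL data over the network.

```python
"""Certificate validity check with a fallback path (items 3.28 to 3.30).

Added example, not from the normative instruction. CertRecord, CachedCrl
and Policy are constructed stand-ins for real X.509 data and for the
Governance Structure's selection parameters.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class CertRecord:              # constructed stand-in for a parsed certificate
    serial: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CachedCrl:               # constructed stand-in for a locally cached CRL
    issuer: str
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime


@dataclass
class Policy:                  # assumed parameters (item 3.29 defers these to the Governance Structure)
    max_crl_staleness: timedelta = timedelta(hours=24)  # how far past next_update a cached CRL may be used
    fail_closed: bool = True                            # refuse the certificate when nothing can answer


class SourceUnavailable(Exception):
    """Raised by the primary mechanism (e.g. an OCSP responder) on timeout or network error."""


class CertificateValidator:
    def __init__(self, primary: Callable[[CertRecord], bool], crl_cache: dict, policy: Policy):
        self.primary = primary        # returns True if revoked; raises SourceUnavailable if it cannot answer
        self.crl_cache = crl_cache    # issuer -> CachedCrl
        self.policy = policy

    def check(self, cert: CertRecord, now: Optional[datetime] = None) -> tuple:
        """Return (accepted, reason)."""
        now = now or datetime.now(timezone.utc)
        # 1. The validity period needs no external source, so it is checked first.
        if now < cert.not_before:
            return False, "not yet valid"
        if now > cert.not_after:
            return False, "expired"
        # 2. Primary mechanism (item 3.28).
        try:
            revoked = self.primary(cert)
            return (not revoked), ("revoked (primary)" if revoked else "valid (primary)")
        except SourceUnavailable:
            pass
        # 3. Fallback (item 3.30): a cached CRL for the issuer, if not too stale.
        crl = self.crl_cache.get(cert.issuer)
        if crl is not None and now <= crl.next_update + self.policy.max_crl_staleness:
            revoked = cert.serial in crl.revoked_serials
            return (not revoked), ("revoked (cached CRL)" if revoked else "valid (cached CRL)")
        # 4. No mechanism could answer: the policy decides.
        if self.policy.fail_closed:
            return False, "undetermined: all mechanisms unavailable"
        return True, "accepted without revocation check (fail-open policy)"


# Constructed sample data for the demonstration below.
NOW = datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc)
CA = "CN=Example AC (constructed)"
GOOD = CertRecord("01", CA, NOW - timedelta(days=30), NOW + timedelta(days=335))
REVOKED = CertRecord("02", CA, NOW - timedelta(days=30), NOW + timedelta(days=335))
EXPIRED = CertRecord("03", CA, NOW - timedelta(days=400), NOW - timedelta(days=1))
CRL = {CA: CachedCrl(CA, frozenset({"02"}), NOW - timedelta(hours=6), NOW + timedelta(hours=6))}


def ocsp_online(cert: CertRecord) -> bool:      # simulated responder that answers
    return cert.serial in {"02"}


def ocsp_down(cert: CertRecord) -> bool:        # simulated responder that times out
    raise SourceUnavailable("timeout")


def run_demo() -> dict:
    """Exercise the three paths: primary available, fallback, nothing available."""
    online = CertificateValidator(ocsp_online, CRL, Policy())
    offline = CertificateValidator(ocsp_down, CRL, Policy())
    no_cache = CertificateValidator(ocsp_down, {}, Policy())
    return {
        "good_online": online.check(GOOD, NOW),
        "revoked_online": online.check(REVOKED, NOW),
        "expired": online.check(EXPIRED, NOW),
        "good_offline": offline.check(GOOD, NOW),
        "revoked_offline": offline.check(REVOKED, NOW),
        "good_no_cache": no_cache.check(GOOD, NOW),
        "stale_crl": offline.check(GOOD, NOW + timedelta(days=2)),  # beyond next_update + 24h
    }
```

The order of the steps matters: the expiry check costs nothing and never depends on an external service, the cached CRL is only trusted within a bounded staleness window, and the fail-closed default means an outage of the validity mechanism degrades to refused connections rather than to unverified ones.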

4. Detection

4.1 Participating institutions must maintain audit trails containing, at minimum, the source IP address of the call, the source communication port of the call, date, time, system, user (when applicable), object, failure or success of the action of configurations performed on systems and APIs related to Open Finance, observing current legislation and regulation.

4.2 Participating institutions must monitor records related to API accesses related to Open Finance, especially records indicating internal errors (e.g., HTTP status 500) or invalid requests (e.g., HTTP status 400), observing current regulation.

4.3 Participating institutions must monitor the volume and pattern of requests to APIs related to Open Finance, for the detection of incidents related to items I to IV of item 5.5.
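Items 4.1 to 4.3 describe what an access record must carry and what to watch for in it: internal errors (HTTP 500), invalid requests (HTTP 400), and the volume and pattern of calls. The following is an added example, not code from the normative instruction, of a small monitor that runs over such records. The record layout and the sample lines are constructed, and the two thresholds are assumptions; a real deployment would set them from its own traffic baseline.

```python
"""Monitoring of Open Finance API access records (items 4.1 to 4.3).

Added example; the log format, sample lines and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed record format carrying the item 4.1 fields:
# time(UTC) src_ip src_port system user object method uri status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<port>\d+) (?P<system>\S+) (?P<user>\S+) "
    r"(?P<object>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)

MAX_5XX_PER_WINDOW = 3      # assumed: 5xx responses per one-minute window
MAX_400_PER_IP_WINDOW = 3   # assumed: HTTP 400 from one source per window

# Constructed sample records (one malformed line included on purpose).
SAMPLE_LOG = """\
2026-04-02T10:00:01Z 203.0.113.7 51234 api-gw tpp-001 consents POST /open-banking/consents/v3/consents 201
2026-04-02T10:00:02Z 203.0.113.7 51235 api-gw tpp-001 accounts GET /open-banking/accounts/v2/accounts 200
2026-04-02T10:00:03Z 198.51.100.9 40001 api-gw - accounts GET /open-banking/accounts/v2/accounts 400
2026-04-02T10:00:04Z 198.51.100.9 40002 api-gw - accounts GET /open-banking/accounts/v2/accounts 400
2026-04-02T10:00:05Z 198.51.100.9 40003 api-gw - accounts GET /open-banking/accounts/v2/accounts 400
2026-04-02T10:00:06Z 198.51.100.9 40004 api-gw - accounts GET /open-banking/accounts/v2/accounts 400
2026-04-02T10:00:07Z 203.0.113.7 51236 api-gw tpp-001 accounts GET /open-banking/accounts/v2/accounts 500
2026-04-02T10:00:08Z 203.0.113.8 51300 api-gw tpp-002 accounts GET /open-banking/accounts/v2/accounts 500
2026-04-02T10:00:09Z 203.0.113.9 51400 api-gw tpp-003 accounts GET /open-banking/accounts/v2/accounts 500
this line is not an audit record
2026-04-02T10:01:10Z 203.0.113.7 51237 api-gw tpp-001 accounts GET /open-banking/accounts/v2/accounts 200
"""


def parse_record(line: str):
    """Parse one record; return None when the line does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def analyze(text: str) -> dict:
    """Group records into one-minute windows and raise the item 4.2/4.3 alerts."""
    unparsed = 0
    by_window = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            unparsed += 1            # unparseable lines are themselves worth counting
            continue
        by_window[rec["ts"].replace(second=0, microsecond=0)].append(rec)

    alerts = []
    for window in sorted(by_window):
        recs = by_window[window]
        server_errors = sum(1 for r in recs if 500 <= r["status"] <= 599)
        if server_errors >= MAX_5XX_PER_WINDOW:
            alerts.append((window.isoformat(), "internal-errors",
                           f"{server_errors} responses with status 5xx"))
        bad_requests = Counter(r["ip"] for r in recs if r["status"] == 400)
        for ip, n in bad_requests.items():
            if n >= MAX_400_PER_IP_WINDOW:
                alerts.append((window.isoformat(), "invalid-requests",
                               f"{n} HTTP 400 responses to {ip}"))
    return {"alerts": alerts, "unparsed": unparsed, "windows": len(by_window)}
```

Counting unparseable lines separately is deliberate: a sudden rise in records that do not match the expected layout usually means a logging change, which silently blinds the other two detections.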

5. Reaction

5.1 Participating institutions are permitted to implement blocking of access to their APIs, with a view to treating cyber risks or handling ongoing cyber incidents. The implementation of these blocks must be compatible with the institution's cybersecurity policy.

5.2 In the event of compromise of any credential related to Open Finance, the participating institution must revoke it promptly before the Participants Directory and share this information with other participating institutions, observing current regulation.

5.3 In the event of compromise of security certificates, the participating institution in Open Finance must promptly request the revocation of the compromised certificate from the certification authority and share this information with the Open Finance Governance Structure and other participating institutions, observing current regulation.

5.4 Without prejudice to the duty of confidentiality and free competition, participating institutions must share with other participating institutions and with the Open Finance Governance Structure information about cyber incidents that affect Open Finance services, observing current regulation.

5.5 Within the scope of Open Finance, observing current regulation, the incident response and action plan must include, at minimum, procedures to prevent and respond to incidents that may imply:

I - unauthorized access;
II - data leakage;
III - denial of service; and
IV - failure in data integrity.

6. Open Finance Governance Structure

6.1 Each institution must register in the Participants Directory the contact data of its representatives for incident handling, with at least email, PGP cryptographic keys (if any), and a field for additional data. Such data must be made available by the Directory for access by other participants.

6.2 Each institution must make available the email contacts of security teams as per RFC 2142 (abuse and security).

6.3 Access to restricted areas of the Participants Directory must be:

I - allowed only to users authorized by participating institutions or by the Open Finance Governance Structure; and
II - conditioned to multi-factor authentication.

6.4 Accesses to the Directory must be recorded in audit trails, which must contain, at minimum, the date and time of access in UTC timezone, source IP address of the call, source communication port of the call, URI accessed, HTTP method used, and return status, observing current legislation and regulation.

6.5 The Open Finance Governance Structure must implement and maintain a cybersecurity policy formulated based on principles and guidelines that seek to ensure the confidentiality, integrity, and availability of data and information systems used, with a view to covering the activities referred to in Art. 12 of BCB Resolution No. 32, of 2020.

6.6 The policy referred to in item 6.5 must include:

I - procedures and controls to reduce vulnerability to incidents;
II - the execution, at least annually, of intrusion tests;
III - mechanisms for disseminating cybersecurity culture; and
IV - the diffusion of cybersecurity best practices to participants and other stakeholders in the implementation and operation of Open Finance in Brazil.

6.7 The Open Finance Governance Structure must implement and maintain an incident response and action plan aimed at implementing the cybersecurity policy referred to in item 6.5.

6.8 The incident response and action plan mentioned in item 6.7 must include the routines, procedures, controls, and technologies to be used in the prevention, monitoring, and response to incidents affecting the services defined in Art. 12 of BCB Resolution No. 32, of 2020.

6.9 Monitoring of the services referred to in item 6.8 must be carried out permanently and be available 24 hours a day, 7 days a week.

6.10 The policy referred to in item 6.5 and the incident response and action plan mentioned in item 6.7 must be approved by the Senior Management Body of the Open Finance Governance Structure, after prior technical evaluation.

6.11 The intrusion tests mentioned in item II of item 6.6 must be carried out independently and impartially by a natural person or specialized company contracted for this purpose.

6.12 Vulnerabilities identified in intrusion tests must be documented and promptly handled by the Open Finance Governance Structure.

6.13 The Open Finance Governance Structure must establish an Incident Response Team responsible for:

I - preventing and handling cyber incidents affecting the activities referred to in Art. 12 of BCB Resolution No. 32, of 2020;
II - monitoring the use of participant access credentials for the activities referenced in Item I; and
III - being responsible for any access violations if the credentials referred to in Item II are used.

6.14 It is the responsibility of the Incident Response Team referred to in item 6.13, within the scope of its attributions, to support the handling of incidents that may imply risk to the functioning of systems related to the implementation of Open Finance, especially to promote:

I - the diffusion and sharing of indicators of compromise and cyber intelligence information; and II - the monitoring