2020-05-04 | Resolução Conjunta 1

Joint Resolution No. 1 - Implementation of Open Finance

The Central Bank of Brazil and the National Monetary Council issued Joint Resolution No. 1 to regulate the implementation of Open Finance, mandating standardized data and service sharing among financial institutions. The resolution establishes strict definitions, scope, and principles including transparency and security, while requiring mandatory participation from major segments and voluntary participation from others. It outlines detailed procedures for customer consent, authentication, and interface standards to ensure data privacy and interoperability within the national financial system.

Brazil

Banco Central do Brasil

The Central Bank of Brazil, in accordance with Article 9 of Law No. 4.595 of December 31, 1964, makes public that its Collegiate Board, in a session held on April 22, 2020, and the National Monetary Council, in a session held on April 30, 2020, based on Article 4, item VIII, of the aforementioned Law, and on Article 9, caput and item II, of Law No. 12.865 of October 9, 2013,

R E S O L V E D:

CHAPTER I ON THE OBJECT AND SCOPE OF APPLICATION

Art. 1. This Joint Resolution provides for the implementation of the Open Financial System (Open Banking) by financial institutions, payment institutions, and other institutions authorized to operate by the Central Bank of Brazil.

CHAPTER II PRELIMINARY PROVISIONS

Section I Definitions

Art. 2. For the purposes of this Joint Resolution, the following are considered:

I - Open Banking: standardized sharing of data and services through the opening and integration of systems;

II - client: any natural or legal person, except for the institutions referred to in Article 1, who maintains a relationship aimed at providing financial services or carrying out financial operations with the institutions referred to in this Joint Resolution, including for the purpose of carrying out payment transactions;

III - data transmitting institution: participating institution that shares with the data receiving institution the data within the scope of this Joint Resolution;

IV - data receiving institution: participating institution that presents a sharing request to the data transmitting institution to receive the data within the scope of this Joint Resolution;

V - account-holding institution: participating institution that maintains a checking account, savings account, or prepaid payment account for a client;

VI - payment transaction initiating institution: participating institution that provides payment transaction initiation services without holding the funds transferred at any time during the provision of the service;

VII - payment transaction initiation service: service that enables the initiation of a payment transaction instruction, ordered by the client, regarding a deposit or prepaid payment account;

VIII - consent: free, informed, prior, and unequivocal manifestation of will, made electronically, by which the client agrees to the sharing of data or services for determined purposes;

IX - interface call: request for data and services presented by the data receiving institution or payment transaction initiating institution to the data transmitting institution or account-holding institution;

X - method signature: the unique identification of each method, consisting of the definition of the method name, as well as the input and output parameters in a programming function;

XI - successive payment transactions: payment transactions carried out between the same payers and payees according to a periodicity, resulting from the same legal business or legal relationship; and

XII - data aggregation: consolidation of shared data in accordance with the provisions of this Joint Resolution for the purpose of providing services to its clients.

Section II Objectives and Principles

Art. 3. The objectives of Open Banking are:

I - to encourage innovation; II - to promote competition; III - to increase the efficiency of the National Financial System and the Brazilian Payments System; and IV - to promote financial citizenship.

Art. 4. The institutions referred to in Article 1, for the purpose of fulfilling the objectives referred to in Article 3, must conduct their activities with ethics and responsibility, observing the legislation and regulations in force, as well as the following principles:

I - transparency; II - security and privacy of data and information on services shared within the scope of this Joint Resolution; III - data quality; IV - non-discriminatory treatment; V - reciprocity; and VI - interoperability.

CHAPTER III ON THE SCOPE OF OPEN BANKING

Section I Scope of Data and Services

Art. 5. Open Banking covers the sharing of, at minimum:

I - data on:

a) service channels related to:

  1. own branches;
  2. correspondents in the country;
  3. electronic channels; and
  4. other channels available to clients;

b) products and services related to:

  1. checking deposit accounts;
  2. savings deposit accounts;
  3. prepaid payment accounts;
  4. postpaid payment accounts;
  5. credit operations;
  6. foreign exchange operations;
  7. accreditation services in payment arrangements;
  8. time deposit accounts and other products with an investment nature;
  9. insurance; and
  10. open supplementary pension;

c) registration of clients and their representatives; and

d) client transactions related to:

  1. checking deposit accounts;
  2. savings deposit accounts;
  3. prepaid payment accounts;
  4. postpaid payment accounts;
  5. credit operations;
  6. registration and control account referred to in Resolution No. 3.402 of September 6, 2006;
  7. foreign exchange operations;
  8. accreditation services in payment arrangements;
  9. time deposit accounts and other products with an investment nature;
  10. insurance;
  11. open supplementary pension; and

II - services of:

a) payment transaction initiation; and b) forwarding of credit operation proposals.

§ 1. It is optional for the participating institutions referred to in Article 6, through the convention referred to in Article 44, to include other data and services in the scope of Open Banking, provided that the principles, sharing requirements, and other provisions of this Joint Resolution are observed.

§ 2. For the purposes of sharing data on products and services referred to in item I, letter "b", of the caput, only products and services available for contracting through the service channels of the data transmitting institution, including correspondents in the country, shall be considered.

§ 3. It is necessary to obtain the client's consent, in accordance with Article 10, for the purposes of sharing registration and transaction data and services referred to in items I, letters "c" and "d", and II, of the caput, as well as those referred to in § 1, in the case of data and services related to them.

§ 4. The sharing of registration data referred to in item I, letter "c", of the caput, must cover:

I - the data provided directly by the client or obtained through consultation with public or private databases, except:

a) data classified as sensitive personal data by legislation; b) credit notes or scores; and c) credentials and other information used for the purpose of authenticating the client; and

II - the most recent data available, specifying the date on which they were obtained.

§ 5. The sharing of transaction data referred to in item I, letter "d", of the caput:

I - concerns data related to the client:

a) on products and services contracted or distributed through the data transmitting institution; and b) accessible through their electronic service channels, including regarding credit limits eventually contracted; and

II - covers, at minimum, the data and history of transactions carried out in the last twelve months regarding products and services with contracts in force during this period.

Section II Participation in Open Banking

Art. 6. The participants in Open Banking are:

I - in the case of sharing data referred to in Article 5, item I:

a) mandatorily, the institutions classified in Segments 1 (S1) and 2 (S2), referred to in Resolution No. 4.553 of January 30, 2017; and b) voluntarily, the other institutions referred to in Article 1;

II - in the case of sharing the payment transaction initiation service referred to in Article 5, item II, letter "a", mandatorily:

a) the account-holding institutions; and b) the payment transaction initiating institutions; and

III - in the case of sharing the credit proposal forwarding service referred to in Article 5, item II, letter "b", mandatorily, the institutions referred to in Article 1 that have signed a correspondent contract in the country, whose object contemplates the service activity provided for in Article 8, item V, of Resolution No. 3.954 of February 24, 2011, through electronic means, observing the implementation period mentioned in Article 55, item III.

§ 1. The sharing of data and services is mandatory, observing the implementation periods mentioned in Article 55:

I - in a format for public access, as provided in Article 23, § 2, for the data of Article 5, item I, letters "a" and "b"; and

II - between the participating institutions of each case mentioned in items I and II of the caput for the data of Article 5, items I, letters "c" and "d", and II, letter "a".

§ 2. The requirement of mandatory participation referred to in item I, letter "a", of the caput is exempted for institutions that are part of prudential conglomerates that do not provide the services referred to in the client transaction data provided for in Article 5, item I, letter "d".

§ 3. The voluntary participation referred to in item I, letter "b", of the caput presupposes the availability of the dedicated interface referred to in Article 23 in the capacity of a data transmitting institution.

Art. 7. Participating institutions must register their participation in the repository of participants maintained through an electronic system, mentioned in Article 44, item VI.

CHAPTER IV REQUIREMENTS FOR SHARING

Section I Sharing Request

Art. 8. The request for sharing of registration and transaction data and services referred to in Article 5, items I, letters "c" and "d", and item II, letter "a", comprises the stages of consent, authentication, and confirmation.

Sole paragraph. The stages referred to in the caput must:

I - be carried out securely, quickly, accurately, and conveniently, through the dedicated interface referred to in Article 23; II - be carried out exclusively through electronic channels; III - occur successively and uninterruptedly; and IV - have a duration compatible with their objectives and level of complexity.

Art. 9. Participating institutions must ensure the provision of information to clients in a clear, objective, and adequate manner regarding:

I - the stages referred to in Article 8, caput; II - the procedures associated with the stages referred to in item I; and III - redirection to other environments or electronic systems, including those of other institutions, when applicable.

Section II Consent

Art. 10. The data receiving institution or payment transaction initiating institution, prior to the sharing referred to in this Joint Resolution, must identify the client and obtain their consent.

§ 1. The consent mentioned in the caput must:

I - be requested through clear, objective, and adequate language; II - refer to determined purposes; III - have a validity period compatible with the purposes referred to in item II, limited to twelve months; IV - specify the data transmitting institution or account-holding institution, as the case may be; V - specify the data or services that will be the object of sharing, observing the option of grouping referred to in Article 11; VI - include the identification of the client; and VII - be obtained after the entry into force of this Joint Resolution, observing the deadlines established in Article 55.

§ 2. The alteration of the conditions referred to in items II to V of § 1 requires the obtaining of new consent from the client.

§ 3. It is prohibited to obtain the client's consent:

I - through an adhesion contract; II - through a form with a previously filled acceptance option; or III - in a presumed manner, without active manifestation by the client.

§ 4. It is prohibited to provide information to the data transmitting institution regarding the purposes referred to in § 1, item II.

§ 5. The prohibition referred to in § 4 does not apply to partnership contracts referred to in Article 36 or other cases provided for in the legislation or regulations in force.

§ 6. In the case of successive payment transactions, the client, at their discretion, may define a period longer than that established in § 1, item III, and may condition the validity period of the consent to the closure of the referred transactions.

Art. 11. The data object of sharing may be presented to the client in a grouped manner, based on criteria to be established in the convention referred to in Article 44.

Sole paragraph. For the purposes of the provision in the caput, the grouping of data must:

I - be identified in a clear, objective, and adequate manner; II - enable the client to specify the data at a granular level; and III - bear a relationship with the data represented at a granular level.

Art. 12. The data receiving institution must ensure that the data object of sharing are pertinent to the determined purposes referred to in Article 10, § 1, item II.

Art. 13. For the sharing of the payment transaction initiation service referred to in Article 5, item II, letter "a", in addition to the requirements provided in § 1 of Article 10, the consent must contemplate, at minimum, the following information:

I - the payment method; II - the value of the payment transaction; III - information regarding the payee of the payment transaction; and IV - the payment date.

§ 1. In the case of successive payment transactions, the consent must also provide for the periodicity of the transactions and the period, observing the provision of Article 10, § 6.

§ 2. The provision in item II of the caput is optional in the case of successive payment transactions whose agreed value is variable.

§ 3. The information required in the caput must be those strictly necessary for the execution of the payment transaction and compatible with the regulation or instrument that disciplines the functioning of the payment arrangement regarding the respective payment transaction.

§ 4. The payment transaction initiating institution must request the client's consent for each new payment transaction, except in the case of successive payment transactions, when the validity period of the consent will observe the provision of Article 10, § 6.

Art. 14. Participating institutions must provide the client, at minimum, the following information regarding consents, with valid periods, related to the sharing in which they are involved:

I - the identification of the participating institutions; II - the data and services object of sharing; III - the validity period of the consent; IV - the date of the consent request; and V - the purpose of the consent, in the case of the data receiving institution or payment transaction initiating institution.

Art. 15. Participating institutions involved in the sharing of data or services must ensure the possibility of revocation of the respective consent, at any time, upon request by the client, through a secure, agile, precise, and convenient procedure, observing the provision in the legislation and regulations in force.

§ 1. For the purposes of the provision in the caput, institutions must make available to the client the option of revoking consent at least through the same service channel in which it was granted, if it still exists.

§ 2. It is prohibited for the data transmitting institution or account-holding institution to propose to the client the revocation of consent, except in the case of justified suspicion of fraud.

§ 3. The revocation referred to in the caput must be carried out observing the following deadlines:

I - within one day, counted from the client's request, in the case of sharing the payment transaction initiation service referred to in Article 5, item II, letter "a"; and II - immediately, for the other cases.

§ 4. The revocation, in the form of § 3, must be immediately informed to the other participating institutions involved in the sharing.

Section III Authentication

Art. 16. The data transmitting institution or account-holding institution must adopt procedures and controls for authentication:

I - of the client; and II - of the data receiving institution or payment transaction initiating institution.

Sole paragraph. The procedures and controls referred to in the caput must:

I - in the case of client authentication, be carried out only once for each consent; and II - in the case of authentication of the data receiving institution or payment transaction initiating institution, be carried out only once for each interface call.

Art. 17. The procedures and controls for client authentication must be compatible with those applicable to access, by clients, to electronic service channels made available by the institution, taking into consideration:

I - the risk level; II - the type of data or service object of sharing; and III - the service channel.

§ 1. The compatibility referred to in the caput covers, among other aspects:

I - the authentication factors; II - the number of stages; and III - the duration of the procedure.

§ 2. The convention referred to in Article 44 may propose recommendations regarding standards related to the procedures and controls referred to in the caput, with a view to observance by participating institutions of the provision of Article 8, sole paragraph.

Art. 18. The procedures and controls for authentication referred to in Articles 16 and 17 must be compatible with the institution's cybersecurity policy, provided for in the regulations in force.

Art. 19. The contracting of services for the execution of the procedures and controls for authentication referred to in Articles 16 and 17 is permitted, observing the provisions of:

I - Chapter III of Circular No. 3.909 of August 16, 2018, and, insofar as applicable, in Chapters IV and V of the said Circular, in the case of payment institutions; and II - Chapter III of Resolution No. 4.658 of April 26, 2018, and, insofar as applicable, in Chapters IV and V of the said Resolution, in the case of financial institutions and other institutions authorized to operate by the Central Bank of Brazil.

§ 1. In the case of contracting referred to in the caput, the responsibility for the purposes of this Joint Resolution remains with the data transmitting institution or account-holding institution.

§ 2. It is prohibited to contract the authentication of the institution referred to in Article 16, item II, from the data receiving institution or payment transaction initiating institution itself.

Section IV Confirmation of Sharing

Art. 20. The data transmitting institution or account-holding institution must request confirmation of sharing from the client.

Sole paragraph. The confirmation procedure must:

I - occur simultaneously with the procedures for authentication referred to in Article 16; and II - ensure that the client can specify the content of the sharing, observing the scope of data and services and the option of grouping referred to in Articles 5 and 11, as well as the data or services specified in the consent stage referred to in Article 10, § 1, item V.

Art. 21. In the case of sharing of registration and transaction data referred to in Article 5, item I, letters "c" and "d", the following information must be specified in the confirmation, at minimum:

I - identification of the data receiving institution; II - validity period of the consent; and III - data that will be the object of sharing, observing the scope of data and services and the option of grouping referred to in Articles 5 and 11, as well as the data or services specified in the consent stage referred to in Article 10, § 1, item V.

Art. 22. In the case of sharing of the payment transaction initiation service referred to in Article 5, item II, letter "a", the following information must be specified in the confirmation, at minimum:

I - value of the payment transaction; II - information regarding the payee of the payment transaction; and III - payment date.

§ 1. In the case of successive payment transactions, the confirmation must also provide for the periodicity of the transactions and the period, observing the provision of Article 10, § 1, item III, and § 6.

§ 2. The provision in item I of the caput is optional in the case of successive payment transactions whose agreed value is variable.

§ 3. The information required in the caput must be compatible with the regulation or instrument that disciplines the functioning of the payment arrangement regarding the respective payment transaction.

Section V Dedicated Interfaces for Sharing

Art. 23. Participating institutions must make available dedicated interfaces for the sharing of data and services referred to in this Joint Resolution, standardized according to the standards established by the convention referred to in Article 44.

§ 1. The data and services mentioned in the caput must be represented in digital media and machine-processable, in a format free of restrictions regarding their use.

§ 2. In the case of interfaces for sharing the data referred to in Article 5, item I, letters "a" and "b", participating institutions must ensure their free access to the public, with the possibility of defining, based on justified and equitable parameters, through the convention referred to in Article 44, limits on interface calls.

§ 3. The confederation constituted by central credit cooperatives in a three-level system and the central credit cooperative in a two-level system may entrust, with respect to their affiliates, the provision of the interface referred to in the caput.

Art. 24. Institutions must provide other participants with information regarding the dedicated interfaces in a clear manner, adequate to the nature of the sharing and accessible, including regarding version control and connection support.

Art. 25. The data transmitting institution or account-holding institution must make available an alternative for sharing to other participating institutions in the case of unavailability of the dedicated interfaces.

§ 1. Cases of unavailability that generate a crisis situation in the institution must be communicated promptly to the Central Bank of Brazil.

§ 2. For cases of unavailability of interfaces and use of alternatives for sharing, the data transmitting institution or account-holding institution must:

I - ensure that the data receiving institution or payment transaction initiating institution does not have access to data or services different from those consented by the client; and II - maintain a record of access and the data and services accessed through the alternative referred to in the caput.

Section VI General Provisions

Art. 26. The data transmitting institution or account-holding institution must provide timely information to the data receiving institution or payment transaction initiating institution regarding the effective implementation of the sharing request or, if applicable, the reasons that prevent sharing.

§ 1. The convention referred to in Article 44 shall standardize the reasons for impossibility of sharing referred to in the caput.

§ 2. In the case of sharing the payment transaction initiation service, the standardization of the reasons referred to in § 1 must be compatible with the regulation or instrument that disciplines the functioning of the payment arrangement regarding the respective payment transaction.

§ 3. The impossibility of sharing referred to in the caput must be duly documented, accompanied by the reasons and evidence that substantiated it.

Art. 27. The data receiving institution or payment transaction initiating institution must communicate to the client the effective implementation of the sharing request.

§ 1. The communication referred to in the caput must, at minimum:

I - di