2026-07-09 | Instrução Normativa BCB 760Added · Updated
The Central Bank of Brazil issued Instruction Normative No. 760, which mandates the mandatory adoption of Version 9.0 of the Customer Experience Manual for Open Finance by all participating institutions. This update introduces specific requirements for informing clients about management environments during data sharing and payment initiation journeys, including optimizations for Pix Automatic and credit portability services. The regulation reinforces core principles of security, agility, convenience, and transparency while revoking the previous Instruction Normative No. 637.
The Heads of the Department of Financial System Regulation (Denor) and the Department of Information Technology (Deinf), in the exercise of the powers conferred upon them by Art. 23, item I, letter "a", of the Internal Regulations of the Central Bank of Brazil, annexed to Resolution BCB No. 340, of September 21, 2023, based on Art. 3, item V, of Resolution BCB No. 32, of October 29, 2020,
R E S O L V E:
Art. 1º This Instruction Normative discloses Version 9.0 of the Customer Experience Manual for Open Finance, of mandatory observance by participating institutions, as per the Annex.
Sole Paragraph. The manual referred to in the caput, in its most recent version, will be accessible on the Open Finance page on the Central Bank of Brazil's internet website and on the Open Finance Portal in Brazil, maintained by financial institutions and payment institutions that are part of the Structure Responsible for the Governance of Open Finance referred to in Art. 44, § 1º, of Joint Resolution No. 1, of May 4, 2020.
Art. 2º Instruction Normative BCB No. 637, of June 13, 2025, published in the Official Gazette of the Union on June 16, 2025, is hereby revoked.
Art. 3º This Instruction Normative enters into force on the date of its publication.
MARDILSON FERNANDES QUEIROZ
Head of Denor
ANDRE BOKEL DA COSTA
Head of Deinf, substitute
ANNEX TO INSTRUCTION NORMATIVE BCB NO. 760, OF JULY 9, 2026
Customer Experience Manual for Open Finance Version 9.0
Summary of Changes
Date | Version | Description of Changes 9/7/2026 | 9.0 | Subsection 4.1.1, X: Addition regarding the obligation to inform the client about the management environment during the stage of finalizing the data sharing journey. Subsection 4.1.2, VIII: Addition regarding the obligation to inform the client about the management environment during the stage of finalizing the sharing of the payment transaction initiation service with redirection in cases of successive payment configuration. Subsection 4.1.3: Addition regarding the types of successive payment configuration journeys allowed for cases of sharing the payment transaction initiation service without redirection. Subsection 4.1.3.1, V, "c": Wording change to increase clarity regarding the standard five-year term and the possibility of this term being altered, including to an indefinite term, in journeys of sharing the payment transaction initiation service without redirection. Subsection 4.1.3.1, V, "d": Adjustment of wording regarding limits per transaction, considering adjustments made to the limit rules of the Pix Arrangement and addition of guidance on the limit per transaction in cases of Pix Automatic and recurring schedules in journeys of sharing the payment transaction initiation service without redirection. Subsection 4.1.3.2, IV and VI: Addition of guidelines related to information to the client in the request and finalization stages in cases of Pix Automatic configuration and recurring schedules in journeys of sharing the payment transaction initiation service without redirection. Subsection 4.1.5: Inclusion of the optimized payment transaction initiation service journey with data sharing (optimized journey), and consequent renumbering of subsequent subsections. Subsection 4.1.6: Inclusion of the credit portability service sharing journey. Subsection 4.1.8: Inclusion of provisions regarding the optimized journey and the sharing of the credit portability service.
Terms of Use
This manual defines the basic principles of the customer experience in Open Finance, complementing the current regulation on the subject.
This manual will be reviewed and updated periodically to preserve compatibility with the regulation, as well as to incorporate improvements resulting from the evolution of Open Finance.
More detailed information and examples of the application of this manual can be found on the Open Finance Portal in Brazil (https://openfinancebrasil.org.br/), maintained by financial institutions and payment institutions that are part of the Open Finance Governance Structure referred to in Art. 44, § 1º, of Joint Resolution No. 1, of 2020.
Suggestions, criticisms, or requests for clarification of doubts regarding the content of this document can be sent to the Central Bank of Brazil through the institutional channels of this autarchy.
References
The specifications contained in this manual are based on, reference, and complement, when applicable, the following documents:
I - Joint Resolution No. 1, of May 4, 2020, which provides for the implementation of Open Finance, in which concepts, objectives, principles, and other obligations for participating institutions are established;
II - Circular No. 4.015, of May 4, 2020, which provides for the scope of data and services of Open Finance;
III - Resolution BCB No. 1, of August 12, 2020, which institutes the Pix payment arrangement and approves its Regulation.
IV - Resolution BCB No. 32, of October 29, 2020, which establishes the technical requirements and operational procedures for the implementation of Open Finance;
V - Resolution BCB No. 406, of August 2, 2024, which provides for the sharing of the payment transaction initiation service without redirection to other environments; and
VI - Law No. 13.709, of August 14, 2018 (General Law for the Protection of Personal Data - LGPD).
Normative acts within the competence of the National Monetary Council or the Central Bank of Brazil can be accessed on the Central Bank of Brazil's internet website (www.bcb.gov.br), through the "Search for norms" option.
This manual aims to ensure that the customer experience when sharing data and services among participating institutions in Open Finance is safe, agile, precise, and convenient. Consumers of financial products and services will only have confidence to authorize the sharing of data and services if their experience is consistent with their expectations and if information regarding the process is presented to them in a clear and intuitive manner, allowing their consent for data and service sharing to be unequivocal and well-informed. For this to happen, it is essential that the sharing journey occurs in a secure environment with the minimum possible friction.
Throughout this manual, some expressions will be frequently used, among which:
I - simple data and service sharing journey: sequence of steps of data or service sharing carried out by a single client, natural or legal person;
II - multiple data and service sharing journey: sequence of steps of data or service sharing when the authorization of more than one client is necessary, such as corporate accounts, where the requesting client initiates the sharing of data or services and approving clients (representatives or attorneys-in-fact of the legal entity) need to authorize it; and
III - consent management environment: environment made available by participating institutions in their electronic channels for the client to consult and manage consentments already finalized or pending, including for the purpose of their revocation.
The expressions mentioned are used with the objective of facilitating the understanding of this manual and do not necessarily need to be employed during the steps of the sharing request.
Participating institutions are prohibited from creating obstacles or adopting mechanisms that, in any way, hinder the fluidity of the customer's journey or encourage them, voluntarily or involuntarily, to abandon the sharing of data or services within the scope of Open Finance. Such obstacles or mechanisms include, for example, the offer of products and services to the client during any Open Finance journeys, the insertion of unnecessary, duplicated, or redundant screens, steps, or information, or the use of language that may generate uncertainty or negatively affect, directly or indirectly, the client's perception regarding the credibility and security of Open Finance or other participating institutions.
The prohibition applies to all stages of the customer's journey in Open Finance regarding data and services already typified or that may be so within the ecosystem, as well as to information regarding the sharing journey disclosed in the different communication channels of participating institutions with their clients.
Participating institutions must ensure that their clients experience the best journey in Open Finance. With a view to achieving this objective, participating institutions that offer access to their products and services also through an application must offer Open Finance journeys in this channel as well.
The provisions established herein must be expressly stated in the Customer Experience Guide, the subject of section 4 of this manual.
Based on the provisions of Joint Resolution No. 1, of 2020, the principles of customer experience in Open Finance are considered to be:
I - security and privacy;
II - agility;
III - convenience and control; and
IV - transparency and clarity.
3.1 Security and Privacy
The sharing of data and services in Open Finance must be carried out in a secure environment, which guarantees the privacy of the client's personal data, in observance of current legislation and regulation, especially normative acts dealing with the security and privacy of personal data.
During the sharing journeys, the client must be adequately informed about the security of the process, aiming for consent for the sharing of their registration and transactional data, as well as the payment transaction initiation service.
3.2 Agility
The process of sharing data and services in Open Finance must have a duration compatible with its objectives and the level of complexity, ensuring the necessary conditions for free choice and decision-making by the client. An unnecessarily long process may cause the client to abandon it, while any inadequacy in the provision of information does not allow for adequate decision-making.
The process of sharing data and services must occur in a successive and uninterrupted manner. Therefore, the steps of the sharing request should not be interrupted until its conclusion nor should they require unnecessary actions by the client.
In cases of multiple data and service sharing journeys, the confirmation of sharing will only occur after the completion of the process by all clients involved in the sharing, who do not need to do so simultaneously or immediately, observing the guarantee of the security and transparency of the process, including with regard to the timeframes necessary for its conclusion.
3.3 Convenience and Control
The sharing of data and services in Open Finance must be carried out for specific purposes and in a convenient and accessible manner to the client, including with regard to the access channels of participating institutions. The necessary conditions for the exercise of control over their personal data shared in Open Finance must be ensured to the client. In this sense, the sharing journey must be client-centered, taking into account their profile, needs, objectives, and expectations, with the provision of information and consent management environments, including for the revocation of consent when deemed appropriate and proper, respecting the timeframes defined in current regulation.
Participating institutions in Open Finance cannot create additional steps or use more rigorous authentication and confirmation methods for the confirmation of data and service sharing within the scope of Open Finance.
In multiple-level journeys for legal entities, the powers and scopes already constituted and defined for account movement in their internal policies, such as bylaws, articles of association, or other related documents, must be used for the purpose of sharing data and services, so that it is prohibited for data transmitting institutions and account holders to require the constitution of specific powers and scopes for the purpose of data and service sharing within the scope of Open Finance.
Additionally, data transmitting institutions and account holders that make available, in their channels, mechanisms for duly constituted legal representatives to authorize or delegate powers to other persons, must include, in these mechanisms, the possibility of authorization or delegation of powers for sharing data and services within the scope of Open Finance.
3.4 Transparency and Clarity
The client must receive clear, objective, and adequate information in their interactions related to Open Finance, from the moment of consent until the provision of information subsequently and in the consent management environment.
The data receiving institution must inform the client clearly and in a timely manner about which data will be shared, including regarding products or services that may be contracted by the client or marketed by the data transmitting institution in the future, and the reasons why this data will be necessary for the purposes in question, as well as other mandatory information provided for in current regulation. In the case of service sharing, it must always be transparent to the client during the journey which participating institution is responsible for providing this service, as well as the conditions of the service being provided.
Unnecessary or excessively complex information can generate doubts and insecurities for the client, who may abandon the sharing due to a lack of understanding of the process. Thus, the information provided to the client must be sufficient and precise so that their decision-making is unequivocal and well-informed.
The language used must be simple, inclusive, and understandable, regardless of the client's level of prior knowledge about financial products and services. The use of technical terms should be avoided. The terms and expressions used in this manual and in other normative acts issued by the Central Bank of Brazil related to Open Finance may be replaced by others considered more adequate for the understanding of all Open Finance clients, provided that their meanings are maintained.
The interface must be intuitive, have organization and elements that facilitate the readability and understanding of information, and must maintain communication standards consistent with other services of the institution. Participating institutions must observe the principles of accessibility, in the form of current legislation.
The institution must provide feedback to the client regarding their actions throughout the journeys to increase their confidence, facilitate the understanding of the steps, and prevent errors. In the case of errors, the client must be informed, in a clear and specific manner, about the problem that occurred and guidance on how to proceed.
According to Resolution BCB No. 32, of 2020, the Structure Responsible for the Governance of Open Finance must make the Customer Experience Guide available to participating institutions and the general public, which will aggregate operational procedures and mandatory requirements for all participating institutions in their interaction with their clients during the sharing journey, observing the principles and other provisions of this manual and the current regulation on Open Finance. The provision of this document, in its most current version, must be carried out through the Open Finance Portal in Brazil.
The Guide must be reviewed and updated periodically by the Structure Responsible for the Governance of Open Finance, which must maintain transparent control of the published versions. The publication of new versions of the document must be accompanied by usability tests with clients representative of the target audience of Open Finance, as well as communicated in a timely manner to participating institutions and the Central Bank of Brazil, which may determine adjustments and corrections.
It is admitted that the Guide may establish additional principles and requirements to those contained in this manual. However, its content must be in compliance with the provisions of current legislation and regulation.
4.1 Content of the Customer Experience Guide
The Customer Experience Guide must provide for, at minimum:
4.1.1 Simple Data Sharing Journey
The content of this journey must cover, at minimum:
I - client identification
In this step, the data receiving institution must identify the client, as required by current regulation.
II - determined purposes of consent
In this step, the data receiving institution must inform the client of the purpose(s) and service(s) associated with the sharing of data.
III - selection of data subject to sharing at the data receiving institution
The client must be able to select the data they wish to share, observing the data groupings defined based on Art. 11 of Joint Resolution No. 1, of 2020.
The client must be informed about which data are necessary for the purpose of the sharing and, as applicable, which would be optional. Optional data must correspond to a determined purpose, even if secondary to the main purpose. The client must also be informed about the reasons why this data is necessary for the purpose(s) in question.
The presentation of a "Terms and Conditions" feature, or similar, is optional, provided that no additional action by the client is required to accept the terms.
IV - selection of the data sharing term
The client must be able to select the term for which they wish to share the selected data, observing the purpose and other aspects established in the specific regulation of Open Finance.
V - selection of the data transmitting institution
The client must be able to select the institution transmitting the data. A search mechanism must be provided that enables an agile and clear selection of the desired institution. All participating institutions for data sharing in Open Finance duly registered in the Participants Directory maintained by the Structure Responsible for the Governance of Open Finance must be listed.
In cases where bilateral tickets refer to blocking errors during or after the journey, exceptionally, the data transmitting institution may be disabled for selection, and the client must be clearly informed about this temporary restriction. This exception is valid only during the period in which the ticket is ongoing in the Service Desk maintained by the Open Finance Governance Structure.
VI - redirection to the environment of the data transmitting institution
The client must be informed that they are being securely redirected to the environment of the selected data transmitting institution. It must be clear to the client that the sharing is not yet complete and that additional steps are necessary for its finalization.
The redirection cannot involve any action by the client, having an informative character only, and must contemplate the following:
a) journeys initiated at the data receiving institution on a desktop device: the redirection should occur, preferably, to the same device; and
b) journeys initiated at the data receiving institution on a mobile device:
in the case of data transmitting institutions belonging to conglomerates subject to customer journey monitoring, according to the Open Finance Monitoring Manual, the redirection must occur directly to the data transmitting institution's application without passing through browsers; and
other data transmitting institutions not covered by customer journey monitoring, according to the Open Finance Monitoring Manual, must observe, preferably, redirection to their applications.
Conglomerates classified in item 1 may submit reasoned requests to the Central Bank of Brazil for the dispensation of specific institutions or brands where mandatory redirection to the application may harm the journey of their clients.
Exceptionally, if the client does not have the data transmitting institution's application installed on the mobile device, the redirection must be made to the institution's environment in the browser or to the app store, always on the same device.
VII - client authentication at the data transmitting institution
The client must authenticate at the data transmitting institution. The client must be able to recognize that they are in the environment of the institution with which they already have a relationship and that the credentials used for authentication are not visible and will not be shared with the data receiving institution.
As established by Joint Resolution No. 1, of 2020, the procedures and controls for client authentication must be compatible with those applicable to access to electronic service channels already made available by the transmitting institution. This compatibility covers, among others, authentication factors, the number of steps, and the duration of the procedure.
VIII - sharing confirmation by the client at the data transmitting institution
The client must confirm the sharing at the data transmitting institution. The client must be presented for review, at minimum, the identification of the data receiving institution, the validity period of the consent, and the data that will be subject to sharing.
All origins or data groupings presented to the client must be pre-selected, so that client action is only required if they wish to exclude one or more items from the scope to be shared (opt-out).
The selection of data groupings for sharing cannot be altered in the environment of the data transmitting institution. Selections in the environment of the data transmitting institution must be limited to the origin of the data.
Exceptionally in the case of credit, investment, and foreign exchange operations, the data must be presented in unique groupings that encompass all different modalities of products or services existing, including modalities not contracted by the client or that are not yet marketed by the institution, and the possibility of selection by the client of the origin of the data (modalities, sub-modalities, or specific contracts) for sharing is prohibited.
The eventual detailing of the data subject to sharing must be hidden by default. A feature (button, link, among others) must be provided so that the client, if they wish, can access the detailing of the data that will be shared.
The data sharing journey in the environment of the data transmitting institution must not contain a "Terms and Conditions" feature, or similar. This feature may, at the institution's discretion, be included in the Consent Management Environment d