Colombia just crossed a threshold that few Latin American markets have reached.
On April 7, 2026, the Colombian government issued Decree No. 0368, formally transitioning the country’s Open Finance framework from voluntary participation to a legal obligation. Banks, fiduciaries, insurers, crowdfunding platforms, pension funds, and all other supervised financial entities are now required to act as Data Providers. No opt-outs. No waiting for the competitive landscape to shift. The mandate is live.
This is a significant moment, not just for Colombia, but for the broader LATAM region. Here is what the decree actually says, why some of its design choices stand out globally, and what banks should be thinking about right now.
From Voluntary to Mandatory: The Shift That Changes Everything
Colombia had been discussing a voluntary Open Finance framework. The problem with voluntary frameworks is that they tend to produce uneven ecosystems: a handful of progressive institutions build APIs while the rest wait for a business case to become undeniable. Progress is slow, adoption is fragmented, and the use cases that would actually drive consumer value rarely reach critical mass.
Decree 0368 ends that dynamic. Supervised entities, including banks, insurers, crowdfunding platforms, and pension funds, are now legally obligated to open access to their data via APIs for authorized Third-Party Providers (TPPs). The SFC (Superintendencia Financiera de Colombia) is the primary regulator responsible for implementation, alongside the Ministry of Finance.
The commercial implications are significant. When every institution must participate, the network effects multiply. TPPs can build products knowing that coverage is universal. Consumers get consistent experiences. And the institutions that build strong, well-designed API infrastructure early will hold a clear advantage over those who treat this as a box-ticking exercise.
Three Categories of Data: What Must Be Shared
The decree defines the scope of Open Finance data across three distinct categories:
1. Customer Product and Service Data: This covers transactional data, account balances, and product details. Critically, Data Providers must supply at least 12 months of transaction history for deposit accounts. This is not a summary; it is enough data to power meaningful credit risk assessment, financial management tools, and SME lending products.
2. KYC and Onboarding Data: Banks hold some of the most verified identity data in any economy. The decree brings this into the Open Finance scope, enabling TPPs to build compliant onboarding journeys on top of a bank’s existing identity infrastructure. For institutions willing to think commercially, this is a legitimate revenue opportunity.
3. General Product Characteristics: This information must be available to support consumer comparison, which drives transparency and competition. That is the intended outcome, but it also raises the bar on how institutions present and package their products in a market where third-party comparison tools will proliferate.
The Double Verification Model: A Unique Consent Design
Colombia has introduced something that does not exist in most other Open Finance frameworks: a mandatory confirmation step on the Data Provider side.
Here is how it works. A TPP must obtain clear, prior, and express user authorization before accessing any data, specifying exactly what data will be accessed, for what purpose, and for how long. That part is standard. What is different is that, before any data is actually released, the Data Provider must independently execute a double verification step with the user to confirm the TPP’s authorization is legitimate.
This is a deliberate consumer protection measure. It adds friction to the consent flow, but it also adds trust. In markets where open banking adoption has stalled due to consumer anxiety about data misuse, this kind of design could actually accelerate uptake by making users feel genuinely in control.
For compliance teams, it is worth noting now: this requirement adds a step to your API architecture and your user-facing consent journey. Building this into your design from the start is far easier than retrofitting it.
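One way a Data Provider could enforce the double verification step at its API gateway, as an added example that is not taken from the decree, the SFC, or Ozone API. The SFC has not yet published technical standards, so the field names, scope strings, and reason codes below are all assumptions; the point shown is that the provider-side confirmation is bound to the exact terms (data, purpose, duration) the user saw, so a consent altered afterwards no longer releases data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib, hmac, json

@dataclass(frozen=True)
class Consent:  # authorization the TPP collected (field names are assumptions)
    consent_id: str
    tpp_id: str
    user_id: str
    scopes: frozenset      # exactly what data
    purpose: str           # for what purpose
    expires_at: datetime   # for how long

def consent_digest(c: Consent) -> str:
    """Hash of exactly the terms shown to the user at confirmation time."""
    terms = {"id": c.consent_id, "tpp": c.tpp_id, "user": c.user_id,
             "scopes": sorted(c.scopes), "purpose": c.purpose,
             "exp": c.expires_at.isoformat()}
    return hashlib.sha256(json.dumps(terms, sort_keys=True).encode()).hexdigest()

class DataProvider:
    def __init__(self):
        self._confirmed = {}  # consent_id -> digest the user confirmed with us

    def confirm_with_user(self, authenticated_user_id: str, consent: Consent) -> bool:
        """Second verification, on the provider's own authenticated channel."""
        if authenticated_user_id != consent.user_id:
            return False  # only the data subject can confirm
        self._confirmed[consent.consent_id] = consent_digest(consent)
        return True

    def authorize(self, consent: Consent, tpp_id: str, scope: str, now: datetime):
        """Decide one data request; returns (allowed, reason)."""
        if tpp_id != consent.tpp_id:
            return False, "tpp_mismatch"
        if now >= consent.expires_at:
            return False, "consent_expired"
        if scope not in consent.scopes:
            return False, "scope_not_granted"
        confirmed = self._confirmed.get(consent.consent_id)
        if confirmed is None:
            return False, "provider_confirmation_missing"
        if not hmac.compare_digest(confirmed, consent_digest(consent)):
            return False, "consent_changed_after_confirmation"
        return True, "ok"

# Constructed sample consent (all values are made up for illustration).
SAMPLE = Consent("c-1", "tpp-001", "user-42", frozenset({"accounts:transactions"}),
                 "credit assessment", datetime(2026, 12, 31, tzinfo=timezone.utc))
```

Every denial reason is worth logging per TPP: a run of `provider_confirmation_missing` or `consent_changed_after_confirmation` from one participant is the signal this control exists to surface.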
The Cost Recovery Model: An Opportunity With Clear Boundaries
The decree takes a clear position on charging: selling data is prohibited.
However, it explicitly permits Data Providers to recover the direct costs of building and maintaining API infrastructure by charging TPPs for usage. Crucially, these charges must be based on objective, non-discriminatory usage volumes and applied consistently to all third parties.
This is a nuanced but commercially important distinction. Institutions that invest in high-quality, scalable API infrastructure now have a path to recover those costs as the ecosystem grows. The model rewards investment. But the non-discrimination requirement means pricing cannot be used as a competitive weapon to disadvantage specific TPPs or protect proprietary channels.
Banks that have been following the JP Morgan debate in the United States will recognize this conversation. Colombia has drawn a cleaner line than most: no data monetization, but fair infrastructure cost recovery is on the table. Getting the pricing model right from day one, before the SFC publishes detailed standards, is the kind of strategic work that pays dividends later.
Payment Initiation Is Coming
The decree does not immediately mandate Payment Initiation Services (PIS), but it does explicitly empower the SFC to issue standards for payment initiation covering both immediate and recurring payments.
This matters for how banks should think about their infrastructure investment today.
The API infrastructure required to support the three data categories listed above is largely the same infrastructure that will support payment initiation when those standards arrive. Banks that build a robust, FAPI-aligned data API layer now are not just preparing for the data mandate — they are building the foundation for payments. That is a considerably stronger business case for the investment.
Leading institutions should treat the absence of a PIS mandate as a window, not a reason to wait.
The Ecosystem Directory
The SFC will administer a centralized Directory of Participants to govern the ecosystem. The directory will consist of modules to register all approved Data Providers, Data Receivers, and voluntary linkages between them.
This is a well-established governance model. The UK’s directory infrastructure was central to building trust in the open banking ecosystem there. For Colombia, this centralized approach will be key to managing participant authentication, reducing fraud risk, and giving consumers confidence that the TPPs accessing their data are properly authorized.
The Implementation Roadmap
The timelines are set. Here is what institutions should expect:
| Milestone | Who | Timeline |
| --- | --- | --- |
| Publish detailed standardization schedule | SFC | Within 6 months of Decree 0368 (by ~Oct 2026) |
| Launch the Directory of Participants | SFC | Within 12 months of Decree 0368 (by ~Apr 2027) |
| Enable API access | Financial entities | Within 12 months of SFC publishing technical standards |
| Possible extension | Financial entities | SFC may grant a single 6-month extension |
The practical implication: institutions that begin their technology scoping and vendor evaluation now will be well-positioned when the SFC publishes its standards. Waiting for the standards before starting internal conversations almost guarantees a compressed timeline and higher implementation costs.
How Colombia Compares to Brazil and Chile
Colombia does not exist in isolation. It is the latest major LATAM market to go mandatory, joining a regional wave that includes Brazil’s mature Open Finance ecosystem and Chile’s ongoing rollout. The table below puts the three in context.
| Feature | Brazil | Chile | Colombia |
| --- | --- | --- | --- |
| Current Status | Mature/Live. Phases 1-4 operational. | In Implementation. Mandatory deadlines from July 2027. | Transitioning. Decree 0368 (Apr 2026) made it mandatory. |
| Main Regulator | Central Bank (BCB) | CMF | SFC and Ministry of Finance |
| Mandatory Nature | Mandatory for S1/S2 banks (>5M active accounts); voluntary for others. | Mandatory for all banks, brokers, and major insurers. | Mandatory for all credit institutions, fiduciaries, brokers, and insurers. |
| Scope | Banking, Credit, Payments, and Insurance. | Banking, Investments, Wealth Management, and Insurance. | Banking, Investments, Insurance, and Pension Funds. |
| Payment Initiation | Fully operational. Pix as the main rail. | High-priority. Includes VRP and variable modalities. | Decree 0368 empowers the SFC to issue payment initiation standards. Initial focus on data interchange. |
| Technical Standard | FAPI 1.0/2.0 | FAPI-based (NCG 514 / Anexo 3) | To be defined by SFC, aligned with FAPI. |
| Unique Feature | Speed. World leader in PIS adoption via Pix. | Portability. Focus on reducing switching costs. | Digital Economy. Heavy focus on SME inclusion and Finance-as-a-Service. |
| Historical Data Requirement | 12 months minimum | 24 months minimum | 12 months minimum |
| Performance Mandate | General availability and SLA requirements. | Strict 800ms SLA for Payment Initiation APIs. | Indicators to be defined by SFC within 12 months. |
A few things stand out in this comparison.
Colombia’s double verification consent model is unique in the region. Brazil’s Pix infrastructure gave it a head start on payments that Colombia will need to replicate through deliberate standardization, but the Bre-B infrastructure is there to support it. Chile’s stricter 24-month data history requirement and 800ms SLA for payment APIs set a high bar on data depth and performance that Colombia may eventually move toward.
What unites all three markets is the direction of travel: mandatory, FAPI-aligned, consumer-centric, and increasingly commercial in scope.
What This Means for Colombian Financial Institutions
The decree gives institutions roughly 12 months after the SFC publishes technical standards to have compliant API access live. That sounds like a long time. It is not.
Realistically, institutions need to:
- Assess their current API infrastructure against likely FAPI requirements
- Evaluate build vs. buy options for their Open Finance platform
- Define their consent journey, including the double verification step
- Map a commercialization strategy that complies with the cost recovery model
- Begin vendor conversations now, before the standards are published
The institutions that will benefit most from Decree 0368 are not the ones that comply on time. They are the ones that treat the mandatory baseline as a starting point and build toward the commercial opportunity beyond it: premium data services, payment initiation readiness, and API-powered embedded finance use cases that the new ecosystem will enable.
We Have Been Here Before
Ozone API was built by the original architects of the UK Open Banking standard. Since then, we have helped institutions across the UK, Europe, the Middle East, Africa, and Latin America navigate exactly this kind of regulatory transition, at speed, and with a platform that supports all major global standards out of the box.
We know what good looks like when a market goes mandatory. And we know that the institutions that win are the ones that start the conversation early.
If you are a Colombian financial institution trying to figure out your strategy for Decree 0368, or a regional institution thinking about LATAM market entry, we would like to talk.