Open Finance System (Sistema de Finanzas Abiertas – SFA) Chile
A system that enables the exchange of financial customer information between different service providers (with the customer’s prior consent) and allows for payment initiation. This is achieved through remote and automated access interfaces (APIs) for direct communication between institutions under appropriate security standards.
Designed to foster the development of new financial products, improve rates and fees, allow the portability of financial conditions, and facilitate financial management. The framework expects greater innovation, the prevention of data monopolies, the inclusion of underserved sectors (such as MSMEs), and enhanced control and traceability over individuals’ privacy and consent.
The system explicitly avoids proprietary mechanisms. It imposes a common design based on RESTful architecture, standardized specifications in OAS 3.1, JSON data exchange, and taxonomies under ISO 20022. The regulation explicitly prohibits discriminatory treatment and dictates that APIs cannot prevent or deliberately slow down access for any PSBI/PSIP.
Financial Market Commission (Comisión para el Mercado Financiero – CMF) of Chile
Chile (Latam)
Designed to promote competition, innovation, and inclusion in the financial system. It is governed by the principles of interoperability, non-discrimination among participants, information security, personal data protection, and customer control over their data through express consent.
The regulatory framework was designed considering international reference models such as the UK, Brazil, Australia, India, Singapore, and Bahrain as baselines. Specific domestic case studies are pending as the ecosystem is currently in its implementation phase.
JSON
RESTful
JSON messaging format. Additionally, the ISO 20022 standard is utilized for designing messaging schemas and data dictionaries, particularly for payment operations and account information.
Active API
Specification and design are based on OpenAPI version 3.1.
Remote and automated access via RESTful architecture. Connections require mutual authentication using Mutual Transport Layer Security (mTLS) and cryptographic validation of digital certificates issued by a valid Certificate Authority.
Regulated
The implementation of the Open Finance System (SFA) follows a phased approach as established by General Rule No. 514 (NCG 514). While the rule was published on July 3, 2024, the mandatory data-sharing ecosystem will officially go live in July 2026 (24 months after publication). This will be followed by a gradual 36-month rollout for different types of institutions.
The system is deployed in phases ranging from 12 to 36 months after its entry into force (July 2026). It begins with public data and concludes with transactional data for all customers and payment initiation services, varying by the size and role of the entity.
Mandated
APIs for financial data exchange and payment initiation; a Centralised Participants Directory managed by the CMF; a mandatory Alternative Mechanism for operational contingencies; Dynamic Client Registration (DCR); and a Developer Web Portal equipped with a testing Sandbox.
Banking
Applies to Banks, Credit Card Issuers, Card Operators, Cooperatives, Insurance Companies, General Fund Administrators (AGF), Brokerages, and Compensation Funds. It covers information on terms and conditions, customer service channels, customer onboarding, historical financial positions, transaction history, active products, and payment initiation.
Account opening and onboarding
Credit Cards
Insurance
Investments
Accounts (current, sight, savings, funding provision), credit cards, credit operations (consumer, commercial, mortgage), insurance policies (life, general, pension), investment instruments (time deposits, mutual funds, APV), and card operation services.
FAPI 2
OAuth
Supported by the “Participants Directory” operated by the CMF, which centralizes identities, roles, endpoints, and statuses. It relies on a Public Key Infrastructure (PKI) and requires Digital Certificates under the X.509v3 standard with extended validation (EV). It leverages Software Statement Assertions (SSA) signed by the directory for Dynamic Client Registration.
Technical specifications are governed by Technical Annex 3 (Annex of NCG 514), which was further updated via public consultation in January 2026. Key standards include:
- Security: Authentication is set to ‘Redirected Mode’ for payment initiation.
- Dynamic Client Registration: Includes a mandatory Dynamic Client Registration (DCR) API for service providers.
- Consent: Standards for generating, managing, and revoking consent must be granular and verifiable, with a mandatory ‘Consent Dashboard’ for users.
Must be express, prior, freely given, informed, and specific regarding its purpose, duration, and the required data. It is generated and managed using Rich Authorization Requests (RAR) and Grant Management (GM) under RFC 9396. Entities must provide a free “Consent Control Panel” enabling customers to view, manage, and revoke their permissions.
Implements the advanced security profile of the OpenID Foundation: FAPI 2.0 Security Profile. It mandates the use of the OAuth 2.0 authorization framework, OpenID Connect, TLS 1.3 protocol, mutual validation via mTLS, Pushed Authorization Requests (PAR), PKCE, JWT tokens, and asymmetric message signing for non-repudiation (JWS).
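As an added illustration (not code from the CMF, the page, or the SFA specifications), the following Python sketch shows the client-side request shape the profile above describes: a PKCE S256 pair, a Pushed Authorization Request body carrying RFC 9396 `authorization_details` for a payment-initiation consent, and a check of the constraints the page names. The `authorization_details` type and fields, the client_id and the redirect URI are constructed placeholders, not the CMF's published data dictionary.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce():
    """Return a (code_verifier, code_challenge) pair using the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 URL-safe chars
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Authorization-server side: recompute S256 and compare in constant time."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def build_par_body(client_id, redirect_uri, authorization_details, challenge):
    """Form parameters a client would POST to the PAR endpoint (RFC 9126).
    authorization_details is JSON-encoded as RFC 9396 requires for form bodies."""
    return {
        "response_type": "code",            # authorization code flow only
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "authorization_details": json.dumps(authorization_details),
    }


def check_fapi2_request(body: dict) -> list:
    """Return the problems found against the requirements listed on the page:
    code flow, PKCE S256, TLS-protected redirect, RAR consent object."""
    problems = []
    if body.get("response_type") != "code":
        problems.append("response_type must be 'code' (no implicit or hybrid flow)")
    if body.get("code_challenge_method") != "S256" or not body.get("code_challenge"):
        problems.append("PKCE with the S256 method is required")
    if not str(body.get("redirect_uri", "")).startswith("https://"):
        problems.append("redirect_uri must use https")
    try:
        details = json.loads(body.get("authorization_details", "null"))
    except json.JSONDecodeError:
        details = None
    if not isinstance(details, list) or not all(isinstance(d, dict) and "type" in d for d in details):
        problems.append("authorization_details must be a list of objects carrying 'type' (RFC 9396)")
    return problems
```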
Includes data on historical financial positions and active products (end-of-month balances, available amounts, delinquency levels, rates, terms) and transaction history (credits, debits, counterparties, dates) with a mandatory historical depth of 12 months for both natural and legal persons.
Services where a Payment Initiation Service Provider (PSIP) instructs charges or credits on behalf of the customer to their Account Providing Institution (IPC). It supports immediate single payments, scheduled payments, and predefined or variable recurring payments. It requires redirected authentication flows for funds confirmation and payment authorization.
As of the January 2026 updates, the CMF has finalized dictionaries and sequence diagrams for five specific payment APIs:
- One-time payments.
- Scheduled one-time payments.
- Recurring fixed-amount payments.
- Recurring variable-amount payments.
- Funds confirmation (CAF).
Established across three levels: Level 1 (Guidelines and Policies via NCG 514), Level 2 (Technical definitions of standards), and Level 3 (Manuals and concrete technical specifications incorporated in Annex No. 3 – Technical Annex).
The CMF will provide a “Developer Web Portal” (openfinancechile.atlassian.net) featuring technical documentation, manuals, flows, data dictionaries, coding references, a community forum, and access to a Sandbox environment.
It is mandatory to issue a findings report regarding Functional Tests before moving to production. This certification must be provided by an external certifying entity with at least 3 years of experience in digital services, along with verifiable expertise in APIs and cybersecurity (possessing an ISO 27001 certification or SOC 2 standard).
Fintec Law No. 21,521 was published on January 4, 2023. NCG 514 was issued on July 3, 2024, to formally regulate the SFA. In January 2026, the CMF presented the “Normative Report updating Annex 3 and incorporating Payment Initiation,” detailing mature technical adjustments following public consultations. In December 2026, the CMF released the first version of the API specifications, set to be in production by July 2027.
Led by the Financial Market Commission (CMF), which is in charge of regulation, Directory administration, and the supervision of participants. It receives consultative support from the “Open Finance System Forum” (Foro SFA), consisting of an Advisory Group, a Technical Secretariat, and Technical Groups.
Centralized interoperability is managed through the Participant Directory (DP). All participants must undergo Mandatory Sandbox Testing within the CMF’s official environment and receive validation from an external certifier specialized in cybersecurity and APIs before joining the live registry.
Each entity must maintain a Risk Management Plan, a Business Continuity Plan, and a Disaster Recovery Plan, each of which must be tested annually. Institutions are required to operate an “Alternative Mechanism” as a contingency channel, with a required daily availability of 90%.
Participants are subject to the sanctioning powers of the CMF. Non-compliance may lead to temporary suspensions (partial or total), fines, or the definitive cancellation of registration or access. Entities are required to self-report on information quality and consistently use the Operational Incident Report (RIO) platform.
Law No. 21,521 (Fintec Law), DL No. 3,538 (CMF Organic Law), Law No. 19,628 (Personal Data Protection Law of Chile), Law No. 20,009 (Frauds in Means of Payment), and the Updated Compilation of Norms for Banks (RAN Chapters 1-7, 1-13, 20-7, 20-8, 20-9, and 20-10).