New Fintech Law: CMF to issue more than seventy regulations

January 11, 2023

With the publication of Law 21,521 (Fintech Law), the Financial Market Commission will have to issue about seventy General Applicability Rules. Among them is one on liability in open banking.


Maria Ignacia Ormeño Sarralde and Vicente Guíñez Reyes
Associate Attorneys
Alessandri Abogados

With the publication in the Official Gazette of Law 21,521 (Fintech Law), the Financial Market Commission (CMF) must issue about seventy General Applicability Rules (NCG).

One of these rules, established in Article 24 of the Fintech Law, refers to the responsibility of the institutions participating in the Open Banking System regarding the integrity, availability, security and confidentiality of the data involved in each transaction and the adequate privacy of their clients’ information. The foregoing shall be incorporated without prejudice to compliance with other legal and regulatory requirements that may be applicable in relation to the data processing that each participant performs, in addition to the provisions of Law No. 19,628, on privacy protection.

In the case of information-based service providers, the new regulation shall indicate how the measures necessary to guarantee the security of data processing are to be implemented when financial information is accessed. In the case of payment initiation service providers, data protection must be ensured when payments are initiated.

Providers must take special care with respect to the purposes for which the System was authorized by their clients, and may not use, store or access data not covered by that authorization or consent. The same applies where such consent has been revoked or its validity period has expired. This has practical consequences for providers, who must have an adequate technical and organizational structure for data governance, one that facilitates managing data according to the purposes and consents granted by data holders. Providers shall adopt the necessary measures and shall be liable to their clients in case of alteration, destruction, loss, processing or unauthorized communication or access to their clients’ data.

This and the other NCGs to be issued by the CMF related to personal data protection shall be coordinated with the Personal Data Bill, Bill No. 11,144-07, which is being processed by the Constitution, Legislation, Justice and Regulation Committee of the Chamber of Deputies. This bill contains provisions that regulate matters contemplated in the Fintech Law, such as the purpose in the processing of personal data and the security measures to be adopted by those who process data of this type belonging to third parties.