With the issuance of Circular 004-2024, Colombia's financial authority, the “Superintendencia Financiera”, established three different timeframes for compliance with several provisions of the authority's main regulatory piece, “La Circular Básica Jurídica”.

The shortest of these timeframes expires on August 1st, 2024. By this date, the entities supervised by the “Superintendencia Financiera de Colombia” must have submitted their compliance plan to the authority for Title I, Chapter IX, Numeral 3.2 of the “Circular Básica Jurídica”. This numeral pertains to architecture, security, and data administration standards that will become enforceable by August 2025. These standards include ISO 20022 compliance, information transfers executed using JSON, and adherence to the REST framework and RESTful implementation.

The second timeframe expires on the 7th of August and relates to compliance with Chapter IX, Title I of the “Circular Básica Jurídica”. This chapter addresses the obligations, standards, and duties that supervised entities and third-party recipients must comply with. Examples include:

Regulated Entities 
  1. Supervised entities must establish controls to periodically verify that the third-party data recipient complies with the requirements specified in the Third-Party Data Recipients table mentioned above throughout the contractual relationship. This periodicity must be reasonable and defined by the supervised entity, considering the risk profile of the third-party data recipient and the nature of the relationship with them. 
Third-Party Recipients 
  1. That they have mechanisms in place to securely handle data and mitigate the risks associated with information processing, such as cybersecurity risks or failures of the infrastructure, technology, or systems where the information is stored. To this end, they must comply with ISO 27001, the NIST Cybersecurity Framework, or the latest version of OWASP ASVS, or with any standard that modifies, replaces, or adds to these.

The final timeframe expires on the 7th of February 2025, by which date all supervised entities that commercialize their infrastructure or technology must comply with the instructions in Chapter X, Title I of the “Circular Básica Jurídica”. Among the requirements for supervised entities are the following:

– Assess, before entering into the contract, the risks associated with the commercialization of technology and infrastructure to third parties. 

– Establish safeguards, such as insurance or guarantees, to cover the risk of non-compliance with contractual obligations. 

– Manage the reputational risk associated with using the name or image of the supervised entity by those who acquire or use the technology or infrastructure. 

– Manage the systemic risk associated with the failure of the technology or infrastructure subject to commercialization, if other supervised entities have acquired such technology or infrastructure. 

– Implement quality controls on the technology and infrastructure subject to commercialization. 

These timeframes reflect a proactive approach by the authority, aiming to advance open finance in Colombia, while accommodating the market's need for adaptation to the new environment.