
Open Finance in Colombia Is Now Mandatory

April 28, 2026 | 6 min read


How this regulation is laying the groundwork for the future of finance in Latin America

On April 7, 2026, Colombia turned what had long been voluntary into law. Banks now have twelve months to comply—but the real deadline isn’t regulatory. It’s competitive.

For decades, banks were the sole custodians of their customers’ financial data. They knew their salaries, spending habits, debts, and more. That information never left their systems. It wasn’t portable, it wasn’t shareable, and it certainly didn’t belong to the customer.

This asymmetry wasn’t accidental. It was the foundation of traditional banking power: whoever controls the data controls the relationship.

Decree 0368 of 2026 begins to dismantle that paradigm.

This is not a minor regulatory tweak or a technical update. It represents a fundamental shift: financial data belongs to the individual who generates it—not the institution that stores it. And if the data belongs to the user, then the user decides who can access it, under what conditions, and for what purpose.

Colombia has now made that principle mandatory.

Four Years in the Making—Now a Binding Obligation

This didn’t happen overnight. Colombia’s journey toward Open Finance has been deliberate, with key milestones that help explain the true scope of what has changed.

In 2022, Decree 1297 introduced the country’s first Open Finance framework on a voluntary basis. It established the overall architecture and allowed financial institutions to process and monetize customer data with consent.

In February 2024, External Circular 004 from the Financial Superintendence (SFC) defined the technical standards for architecture, security, and technology.

Then, in February 2026, External Circular 001 extended the transition timeline from 18 to 30 months, acknowledging the operational complexity involved.

Decree 0368 closes this four-year cycle and takes the decisive step: it replaces the voluntary framework with a mandatory one for all institutions supervised by the Financial Superintendence of Colombia—banks, trust companies, insurers, pension fund managers, and card issuers.

To fully understand this evolution and its regional implications, it’s essential to look at how Open Banking has expanded into Open Finance.


A Regional Shift, Not an Isolated Case

Colombia is not acting in isolation. It is part of a broader regional shift that is reshaping the financial landscape across Latin America.

Brazil remains the clearest benchmark, with Open Finance already live for several years, tens of millions of active consents, and a fully operational ecosystem.

Chile has defined its legal framework and is set to begin phased implementation in July 2027.

Meanwhile, Mexico, Peru, and Argentina are developing their own regulatory models—at different levels of maturity, but all guided by the same principle: enabling access to financial data with user consent.

Across the region, the pattern is clear: Open Finance is no longer a promise. It is becoming core infrastructure.

Decree 0368 is more than a local regulation. It is a signal of where the entire region is heading.

For leaders in Latin American banking, the question is no longer whether regulation is coming—it’s whether they’ll be ready to turn it into a competitive advantage before it becomes a liability.

Dual Consent: The Architecture Behind Real-Time Events

Decree 0368 doesn’t just mandate data sharing—it defines exactly how it must happen. And in that detail lies an operational implication many institutions have yet to fully grasp.

The regulation establishes a dual-layer consent model:

  • First, the user authorizes the third party, specifying what data can be shared, for what purpose, and for how long.
  • Then, the financial institution must actively verify that authorization before releasing any data. It’s not enough for the third party to claim consent—the bank must confirm it using strong authentication mechanisms, as required by the SFC.

This dual, binding consent model—set out in Articles 2.35.8.3.2 and 2.35.8.3.3 of the amended Decree 2555 of 2010—is not a formality. It is the backbone of the system.

In practice, every authorization, modification, and revocation of consent becomes a real-time event requiring immediate action from the bank.

User authorizes: notification.
Bank confirms: notification.
User revokes: notification.

From a legal standpoint, this strengthens user autonomy, traceability, and certainty. From an operational standpoint, it introduces something else: friction.

And in this context, friction is not just a UX issue—it’s a compliance risk.

Each interaction is both a regulatory obligation and a moment to build trust. Institutions that handle it well don’t just comply—they differentiate.

The Blind Spot: Communication

When Open Finance is discussed in technical circles, the focus is usually on APIs, OAuth, microservices, and interoperability standards.

But there’s a critical dimension that rarely gets the attention it deserves:

How does a bank notify its customers every time their data is accessed?

In Colombia’s Open Finance model, consent isn’t a one-time action. It’s dynamic and continuous. Customers can grant, modify, or revoke permissions at any time—and at each step, the bank is required (and expected) to communicate in real time.

A delayed notification is an operational failure.
An unlogged notification is a regulatory issue.
A generic notification is a missed opportunity to build trust.

Decree 0368 leaves no room for ambiguity. The principle of demonstrable accountability—borrowed from frameworks like the GDPR—means banks must be able to prove that every communication was properly executed.

That the message was delivered. Through which channel. At what time. And with what content.

This goes beyond CRM systems or core banking platforms. It requires a purpose-built communications infrastructure—one that ensures full traceability and remains resilient under failure scenarios or peak demand.

Consent as a Strategic Asset

There are two ways to interpret Open Finance. A reactive view sees it as a loss: data that was once exclusive to the bank can now flow to third parties. A more strategic perspective leads to a different conclusion.

Each time a customer explicitly authorizes the sharing of their data, they are engaging in a deliberate act of trust. That moment—often reduced to a procedural step—is, in reality, a critical interaction. The institution that manages it well does not lose relevance; it strengthens it.

In an open data environment, the most valuable banking relationship is no longer defined by the number of products held, but by the level of trust established. The winning institution is the one the customer perceives as a partner in managing their information, not as its owner.

This is where many institutions underestimate the challenge.

According to Boston Consulting Group, seven out of ten digital transformation initiatives fail to meet their objectives—not due to technological limitations, but because of underestimated complexity and execution gaps.

Open Finance must be understood in this light. What appears to be a data-sharing framework is, in practice, a transformation in how trust is built, maintained, and demonstrated at scale.

Delivering on that promise requires more than compliance. It demands the ability to accompany the customer throughout the lifecycle of their consent—providing clarity, responding in real time, and consistently respecting user preferences.

This, in turn, requires a robust preference management capability, allowing customers to define which notifications they receive, through which channels, and under what conditions, and ensuring those preferences are honored in every interaction.

It also requires a communications infrastructure built on security, resilience, and regulatory compliance—capable of performing reliably even under the most demanding conditions.

This is not simply a customer experience challenge. It is an infrastructure challenge.

Three Questions Every Colombian Bank Should Be Asking Today

Can your communications infrastructure respond in real time to consent-related events?

Do you have full traceability of every notification sent?

Is your communications layer decoupled from the core banking system?

Open Finance introduces new types of events, with frequencies and levels of criticality that traditional core systems are not designed to handle. The governance of banking communications must operate as an independent, auditable, and scalable layer.

At Latinia, we have spent more than 25 years helping banks across Europe and Latin America manage critical communications with traceability, resilience, and regulatory compliance. If you want to understand how to prepare your notification infrastructure for Open Finance in Colombia, let’s talk.
