Colombia has taken a major regulatory leap with Decree 0368 of 2026, moving from a voluntary Open Finance model to a mandatory framework for supervised financial institutions. Under the new rules, banks, insurers, brokers, trust companies and other regulated players must enable secure access to key financial data, including transaction history, onboarding records and product information, through standardized APIs and common interoperability protocols. That access is subject to the customer’s prior express consent, and it does not imply any waiver of banking secrecy, which remains in place for any information not authorized by the data holder.
The decree is especially significant because it not only seeks to foster competition, financial inclusion and innovation, but also creates a detailed governance architecture: mandatory participant registration, strong authentication requirements, cybersecurity safeguards, cost-recovery rules for infrastructure use, and a phased implementation timeline tied to standards to be issued by the Superintendencia Financiera de Colombia. For financial institutions, fintechs and digital platforms, this marks a structural shift that will require substantial operational, legal and technological readiness in the coming months.

