Philippine Central Bank Adopts Open Finance Framework; Permits Consent-Driven Data Portability among Financial Institutions and Third Parties
The Bangko Sentral ng Pilipinas (“BSP”), in BSP Circular No. 1122 series of 2021, approved the adoption of an Open Finance Framework (the “Framework”) that would allow sharing of customer data among financial institutions, third party providers, and even to fourth parties. While the Framework has yet to be operationalised, BSP has laid down the minimum standards to ensure consumer data protection while fostering innovation and inclusion in the financial ecosystem.
What is the Open Finance Framework?
“Open Finance” refers to leveraging on and sharing of customer-permissioned data among its participants (i.e., banks, other financial institutions and third party providers) to develop innovative financial solutions. Through the Framework, participants could provide marketing and cross-selling opportunities and develop bespoke financial products and services for customers. The Open Finance ecosystem advocates consent-driven data portability, interoperability, and collaborative partnerships among financial institutions and third party providers while at the same time, enabling customers to securely share their financial data with qualified parties.
Open Finance Oversight Committee as the Governing Body
To implement the Framework, BSP will create an Open Finance Oversight Committee (“OFOC”) that will be initially comprised of representatives from industry stakeholders such as banks, non-bank financial institutions, third party providers, and other relevant sectors as may be determined by BSP. The OFOC is mandated to formulate membership and participation rules and adopt standards and policies governing the Framework.
Registration and Technical Standards
Participation in the Open Finance ecosystem is open to BSP-supervised financial institutions (“BSFI”) and non-BSFIs. BSFIs with a composite rating of at least “3” under the Supervisory Assessment Framework or its equivalent, are automatically eligible to become participants, while those that do not meet the minimum rating must secure prior BSP approval. Participants which are not under the regulation or supervision of the BSP must comply with the registration requirements set by the OFOC. Participants are responsible for ensuring fourth party compliance with the applicable laws, rules, and regulations.
In addition, the application programming interfaces (“API”) must pass certain standards, which, at the minimum, must include architecture standards, data standards, security standards, and outsourcing standards. The API must be designed in such a way that the end-user access shall be limited to data that the end-user has permission to see or process. The implementation of the standards will follow a tier-based approach, based on data sensitivity, data type, and data holder type.
The Framework also permits “Open Access” or allowing authorised third parties to access consented data without needing to establish a business relationship with the open API publisher. Participants that intend to provide Open Access are required to comply with the relevant laws and BSP regulations particularly on outsourcing, IT risk management, AML/CFT, financial consumer protection, and corporate governance, among others.
All existing API arrangements prior to this BSP issuance must comply with the applicable requirements prescribed in the issuance within one year from effectivity thereof.
Implications for Businesses
The establishment of a secure ecosystem that allows sharing of customer information is a major step that would further ignite financial innovation and seamlessly facilitate financial transactions in this era of technological advancement. For example, in the case, of Virtual Asset Service Providers (“VASP”) (please see our previous article on Virtual Asset Service Providers), participating in the Open Finance ecosystem could prove valuable, if not critical, in complying with the Travel Rule.
Note however that participating in the Framework would trigger serious data privacy implications. Participants must be fully aware of the requirements of data privacy laws particularly with respect to processing of customer personal information as well as the concomitant obligations of data controllers and processors.
This alert is for general information only and is not a substitute for legal advice.
 “Customer-permissioned data” refers to “data held by [p]articipants [of the Framework] (e.g., customer transactions, personal identification data, and customer financial history) that are permissioned by the [p]articipant’s customer to be accessed by a third party (and possibly shared onwards with fourth parties if covered by the customer’s consent).”
 Under BSP’s guidelines for VASPs, for virtual asset transfers amounting to PHP50,000 (approximately USD1,000) or more, the originating institution must obtain and hold the required originator information as well as the required beneficiary information, and transmit said information to the beneficiary institution.