The Association of Banks and the FinteChile union have reported that a Framework Agreement for data capture has been signed, marking the first concrete advance for Open Banking in Chile.
This Master Agreement (“MA”), which has also been signed by Banco Estado, establishes:
- Accountability standards, and
- Mechanisms for capturing customer data from the MA signing entities in a controlled manner via web scraping.
The MA is intended to serve as an action framework while other capture mechanisms are established, without prejudice to any regulatory changes approved in the future.
Under the terms of this MA, banks and entities that make inquiries through the mechanisms and conditions agreed upon therein may adhere to it. The MA will also be complemented by bilateral contracts (BC) to be agreed upon by the participating entities. Whatever is not expressly regulated in the BC will be governed by the MA.
Likewise, it is established that it will be the responsibility of the institutions that are signatories of the MA to have the explicit authorization of their clients for the access, use, storage and treatment of the information obtained through data capture via web scraping.
The capture of personal data will be governed by seven principles:
- Responsibility, and
The security standards must be aligned with Chapter 20-10 of the Updated Compilation of Regulations of the Commission for the Financial Market (“CMF”).
Thus, the participating entities will have to:
- Consider a security and cybersecurity incident management model.
- Establish mechanisms and protocols for information exchange with the institutions that provide data on cybersecurity incidents or situations that may affect operational continuity.
- Implement a timely information model for the entities that provide information about any anomalous event, critical category technical vulnerabilities or fraud events identified in the infrastructure of the institution that consults the data, and that affects the security of customer information or the company that provides it.
Regarding the responsibility of the participating entities, it was resolved that “the verification of compliance with the standards defined in terms of security, as well as the notification of any event or vulnerability in no case will mean the adoption of any type of responsibility on the part of the institution that provides against anomalous events or vulnerabilities”.
The MA also addresses fraud prevention. For these purposes, the participating entities will have to implement mechanisms in case of alerts or incidents, as well as critical category technical vulnerabilities or fraud events identified in the infrastructure of the consulting institution that may affect the security of customer information or the entity that provides it.
Likewise, the companies that provide information “will be able to block the accesses of the institutions that they consult, in the event that they present critical vulnerabilities or are under a cyberattack or threat thereof, there is a leak of information, the security protocols previously established, or another event that could affect the security of the information or the operational continuity”.
To prevent these situations, a simplified procedure was defined to determine the responsibility of the parties for unknown operations carried out by clients of the institutions.
If a fraud occurs, the entities that consult data (authorized by their clients to carry out data capture activities) will be responsible and will be obliged to reimburse the institution that provided the information for the amounts that the latter has borne or must incur in favor of its clients in accordance with the law on the event of fraud, when there is a cause attributable to the company that makes the query.
Likewise, they must assume their responsibility in case of errors in their platforms or vulnerabilities in their systems, which allow unauthorized access by third parties or produce the disclosure of credentials or customer information.
Prior to initiating any legal action, “the entities participating in the agreement must analyze in good faith and make their best efforts to determine the origin of a fraud suffered by clients of the institutions they provide”. The term for these purposes will be twelve (12) calendar days from the notification between the parties. If an agreement is not reached within that period, any difference, difficulty, or controversy that arises between participating entities regarding an event of fraud suffered by a client will be submitted to the knowledge and resolution of an arbitration commission.
The commission will be composed of three members, who will resolve in a single instance and as a mixed arbitral court. All members of this court must be lawyers.
Each entity shall have the right to freely designate a member from among those listed in the Arbitration and Mediation Center of the Santiago Chamber of Commerce. The third member, who will chair the arbitration court, will be appointed by the same Center at the written request of either party.