On April 7, 2026, the Ministry of Finance signed Decree 368, establishing Colombia’s mandatory Open Finance System (SFA) framework and amending Decree 2555 of 2010. The country thereby makes the definitive transition from a voluntary scheme (in force since Decree 1297 of 2022) to a mandatory one, pursuant to Article 89 of Law 2294 of 2023 (National Development Plan).

The decree requires credit institutions, SEDPEs, trust companies, securities brokers, pension fund managers, investment management companies, insurers, collaborative financing entities, and other EOSF-regulated entities to share three categories of data with authorized third-party recipients: (i) information on products and services held by the data subject; (ii) information related to the client onboarding process; and (iii) general information on products and services offered by participating entities.

Access to the first two categories requires prior, express, and informed consent from the data subject. Data providers must confirm such consent before sharing any information. Data subjects may at any time view, revoke, or update their authorizations and request an explanation of how their data is being used. The SFC will set technical and operational standards, maintain the participant directory, and publish quarterly monitoring indicators. Obligated entities will have 12 months from the issuance of each standard to enable data access, extendable by up to 6 months by the SFC.

Entities participating in the SFA are encouraged to incorporate mechanisms for obtaining customer consent to share personal data within their comprehensive personal data protection programs. Additionally, they should implement security measures and data-sharing agreements to ensure compliance with the obligations they will undertake.

The final decree is more conservative than the draft circulated for public comment in June 2025. Key changes include: (i) elimination of “trusted third parties” that would have verified compliance of non-supervised participants; (ii) elimination of the “access service provider” figure for technologically limited recipients; (iii) elimination of the reciprocity principle, which would have required data recipients to also act as data providers; (iv) a shift from fully free access to allowing infrastructure cost recovery (though charging for the data itself remains prohibited); (v) structural decoupling of payment initiation from the SFA; (vi) simplification of the participant directory; and (vii) softening of the deadlines imposed on the SFC.
