Why is ISO 27001 Certification Essential for Open Finance Operators?
Open Finance has revolutionized the financial industry, especially in the delivery of financial products. Unlike traditional methods such as credit bureaus, Open Finance draws information directly from government or banking sources, always with the explicit consent of the data owner. In Chile, to transfer this data from the source to wherever the user wants to send it, the user must authenticate with a private credential (such as a banking or tax password). With that authorization, companies can access the financial and personal data of the person being evaluated or identified.
In this environment of sensitive information exchange, data security and protection become fundamental. And here’s something that still surprises many companies: in order to exchange sensitive information, it is essential to have high-standard cybersecurity certifications, such as ISO 27001. This isn’t just our opinion—various decrees and resolutions outline the specific requirements that State Bodies must meet in this regard.
If you're considering taking advantage of the benefits of Open Finance and evaluating providers, here’s what you need to know.
First, what is ISO 27001 certification?
ISO 27001 is an international standard for information security management that defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within an organization. This standard is part of the ISO/IEC 27000 series, which offers guidelines and best practices for information security.
ISO 27001 is based on a risk management approach, meaning organizations must identify and assess risks related to information security and then implement appropriate controls to mitigate them. The ultimate goal is to ensure the confidentiality, integrity, and availability of information within the organization.
This certification is obtained through an audit conducted by an independent, accredited certification body. During the audit, the organization is evaluated to determine whether it meets all the requirements established in the standard. Once compliance is verified, the organization receives an ISO 27001 certificate, which is valid for a set period (normally a three-year cycle) and requires regular surveillance audits to remain valid. When evaluating a provider, ask for the certificate itself and check three things: the scope statement (which services, systems and sites the ISMS actually covers), the accreditation of the issuing body, and the validity dates together with the most recent surveillance audit. A certificate whose scope excludes the service you plan to consume says little about that service.
ISO 27001 not only demonstrates that an organization has implemented adequate information security measures—it also builds trust with clients, business partners, and other stakeholders. It helps organizations comply with legal and regulatory requirements related to information security and provides a solid framework for continuous improvement.
But this goes beyond cybersecurity recommendations. At least for public institutions, holding ISO 27001 certification has become a minimum legal requirement, setting the benchmark for the private sector.
Let’s talk about the law in Chile
On January 12, 2005, Chile published Decree 83, a technical regulation establishing the minimum mandatory security and confidentiality standards that electronic documents of State Administration bodies must meet for their use, storage, access (including access by private entities), and distribution.
To ensure that shared information is used securely and reliably, the regulation calls for advanced security levels for electronic documents and references compliance with ISO 27002. ISO 27002 is a code of practice: it gives implementation guidance for the information security controls listed in Annex A of ISO 27001. It is not itself a certifiable standard; an organization is certified against ISO 27001 and uses ISO 27002 to implement the controls it has selected. Together, the two standards help organizations establish and maintain an effective ISMS that protects their information comprehensively.
Additionally, Exempt Resolution 301 allows State bodies to enter into agreements with private entities to provide information contained in the public records of the Unique Key Service (Clave Única), provided that the same security and confidentiality limitations applied to electronic documents are observed. In other words, a private entity that receives this data inherits the State's own security obligations: if ISO 27001 is the minimum cybersecurity standard for the government, private companies handling the same data should adhere to at least the same level of security and meet the same regulatory requirements.
What about the rest of Latin America?
Various countries have been advancing cybersecurity policies and regulations for the processing of personal data. Recently, in Colombia, the Financial Superintendence published two new instructions, on "Instructions related to open finance" and on the "commercialization of digital technology and infrastructure," outlining requirements and obligations for the fintech ecosystem. One of the most important technological and security aspects mentioned is that Open Finance fintechs must comply with secure data processing standards, with ISO 27001 certification required as evidence that the information they process is handled under controlled, auditable security practices. One caveat worth keeping in mind: certification attests to the existence of a functioning ISMS, not to any single control. Encryption of stored or transmitted data is one of the Annex A controls, but it applies only where the organization's risk assessment and Statement of Applicability select it, so a counterparty that needs encryption should verify that control directly rather than infer it from the certificate.
Thus, in the context of Open Finance, ISO 27001 plays a crucial role in protecting end-user data, ensuring regulatory compliance, managing risks, and strengthening customer trust. Organizations that want to operate in this new financial landscape must obtain this certification to guarantee information security and confidentiality. Only then can they participate in the market and build solid business relationships based on data security and trust.
How we do it at Floid
Floid implemented this standard and became ISO 27001 certified in 2022, with annual surveillance audits to keep the certificate valid. By implementing the controls selected in its risk assessment, such as access management, data encryption, and incident response, Floid reduces the exposure of client data to internal and external threats. The ISMS drives proactive risk management: potential threats are identified and evaluated, mitigating measures are implemented, and regular security assessments are carried out to address emerging risks. As a result, our clients can rely on their data being protected under a recognized, independently audited security standard.
As we’ve mentioned before, Open Finance involves the exchange of financial and personal data between multiple entities such as banks, government sources, fintechs, and service providers. This includes confidential information like account numbers, transaction histories, and personal details. ISO 27001 provides a robust framework of information security controls that ensures the protection of this sensitive data.