Comparative Regulatory Framework 2025: Fintech Data Protection (SIC) vs. Open Finance (MinHacienda) in Colombia

Guidelines on Financial Data in the Colombian Fintech Ecosystem (2025)
By Daniel Peña Valenzuela, Partner at Peña Mancero Abogados
Introduction
In the context of the digital transformation of the Colombian financial system, the regulation of personal data processing acquires strategic relevance. On May 6, 2025, the Superintendence of Industry and Commerce (SIC) published a draft external circular aimed at establishing specific guidelines for the handling of personal data by actors in the fintech ecosystem. Although this initiative is presented as a measure to strengthen the protection of data subjects’ rights, its content has sparked significant debate regarding its compatibility with the open finance model promoted by the Ministry of Finance.
Open finance, as an emerging paradigm, seeks to promote interoperability, technological innovation, and financial inclusion through the standardized and secure exchange of data between financial entities and authorized third parties. Within this framework, the Ministry of Finance’s draft decree proposes a regulatory architecture based on digital consent, process automation, and multisectoral governance led by the Financial Superintendence of Colombia (SFC).
The coexistence of these two regulatory frameworks raises normative tensions that could hinder the harmonious development of the digital financial ecosystem. The following comparative table analyzes the main divergences between both projects, aiming to highlight points of friction and propose a critical reflection on the need for coherent, modern regulation aligned with the principles of open finance.
| SIC Draft Circular | Ministry of Finance Draft Decree (Open Finance) |
| --- | --- |
| Requires human review when decisions significantly affect the data subject, limiting the use of algorithms and AI. | Promotes the use of algorithms and artificial intelligence to expand access to financial services. |
| Requires prior, explicit, and written authorizations, especially for sensitive data or automated processing. | Establishes digital consent managed through APIs and interactive dashboards, with auditable electronic records. |
| Reinforces a restrictive interpretation of the minimization principle, limiting access to data not strictly necessary. | Allows the data subject to voluntarily share their full financial history for personalized services and benchmarking. |
| Based on the traditional controller/processor model without considering a multisectoral structure. | Establishes a governance scheme led by the Financial Superintendence of Colombia (SFC) with technical committees, integration standards, and reciprocity rules. |
| Assumes a paternalistic approach, viewing the consumer as passive and vulnerable. | Views the consumer as an active agent, owner of their data, with the ability to decide with whom to share their information. |
| Aims to protect the rights of personal data holders in the fintech ecosystem. | Aims to increase competition, efficiency, and financial inclusion through standardized data exchange. |
| Does not establish a generalized obligation for ecosystem actors. | Requires entities supervised by the SFC to participate as data providers in the open finance system. |
| Does not contemplate a multisectoral coordination body. | Creates a public-private coordination body with decision-making authority (SFC), a technical secretariat, and working groups. |

