On April 7, 2026, Colombia reached a pivotal milestone in the modernization of its financial sector with the issuance of Decree 0368, which mandates the incorporation of the Open Finance system into the country’s regulatory framework. This decree, issued by the Ministry of Finance and Public Credit, represents much more than a normative provision: it is the gateway to a new era of financial inclusion and digital transformation that will impact millions of Colombian citizens.

At Q-Vision Technologies, with over 21 years of experience transforming the financial industry through innovative technological solutions, we view this decree as an unprecedented opportunity to reconfigure how banks, fintechs, and consumers interact within the national financial ecosystem.

The Government’s Vision

Decree 0368 materializes the strategic objectives established in Law 2294 of 2023, which categorizes the access, use, and leveraging of data as a catalyst for human security and social justice. Its central purpose is ambitious: to promote financial and credit inclusion for traditionally excluded populations, particularly those within the "popular economy" and small to medium-sized enterprises (SMEs).

As noted in the decree’s considerations, the Open Finance System represents the first step in building an Open Data framework. This framework aims to:

• Bridge the Credit Gap: Provide access to new information sources for those without traditional credit histories.

• Foster Competition: Facilitate the entry of new competitors into the financial system.

• Innovate Business Models: Encourage the development of solutions tailored to the specific needs of financial consumers.

It is important to highlight that Colombia already possessed a voluntary open finance framework (Decree 1297 of 2022). However, the new decree marks a fundamental shift: mandatory participation. This change is critical because it ensures that all players in the system operate under the same rules, accelerating adoption and reducing the information asymmetries that have historically perpetuated financial exclusion.

Decree 0368 is structured around six fundamental principles that, from a technical perspective, represent complex challenges and opportunities:

1. Access to Personal Data Under the Owner's Control

The decree establishes that the owner has the exclusive right to authorize third-party data recipients to access their personal information. This principle of prior, express, and informed consent is critical in the era of digital privacy.

• Technological Implication: This requires two-level authorization and confirmation platforms, robust authentication mechanisms, and instantaneous revocation systems. At Q-Vision, we have worked extensively in these scenarios with financial institutions, ensuring that security and user experience remain complementary rather than antagonistic.

2. Interoperable Infrastructure Based on APIs

Article 2.35.8.3.6 mandates that participants implement automatic information exchange protocols operating via Application Programming Interfaces (APIs). These must be interoperable and comply with the architecture, security, and technology standards defined by the Financial Superintendency of Colombia.

• Technological Implication: This is the heart of the decree. It is not just about sharing data; it is about doing so in a secure, scalable, audited, and standardized manner. Interoperability requires institutions with legacy infrastructures to coexist seamlessly with modern, cloud-native platforms.

3. Security and Restricted Circulation

The decree explicitly states that personal data circulating within the open finance system must be protected by robust information security and cybersecurity mechanisms to prevent unauthorized access or use.

• Technological Implication: Encryption of data in transit and at rest, tokenization, real-time anomaly detection, cybersecurity monitoring, and continuous auditing are indispensable. Q-Vision assists in identifying vulnerabilities and strengthening the security perimeter of these architectures.

4. Information Quality

Data must be accurate, complete, updated, and relevant. While this sounds simple, it presents a significant technical challenge: ensuring data consistency across multiple heterogeneous systems in real-time.

• Technological Implication: This requires strict data governance, automated validation processes, versioning, data lineage, and quality monitoring capabilities within the APIs.

The decree defines specific categories and products that must be made available through the Open Finance ecosystem, ensuring that the most relevant financial information is accessible to the consumer and authorized third parties.

Information Categories

• Product and Service Information: Comprehensive data regarding products held by the owner, including a transactional history of the last 12 months.

• Onboarding Information: Data associated with the owner's initial linkage and verification process as a client.

• General Product Characteristics: Publicly available information regarding the features and terms of products and services offered by institutions.

Included Products

The scope covers the core pillars of the financial sector:

• Deposits: Savings accounts, checking accounts, and other deposit instruments.

• Insurance: Policies and coverage details.

• Credit: Loans, mortgages, and credit card data.

• Investment: Portfolio details and investment products.

Strategic Note: The decree explicitly leaves the door open for future expansions. The Financial Superintendency will be responsible for defining and standardizing specific data points through relevant use cases as the market evolves.

Article 2.35.8.2.3 explicitly lists the institutions required to provide data access under the new regulatory framework:

• Credit Institutions: (Banks, financing companies, etc.)

• Specialized Electronic Deposit and Payment Societies (SEDPEs)

• Trust Companies (Fiduciarias)

• Stockbrokers

• Pension Fund Administrators (AFPs)

• Insurance Companies

Implementation Timeline: The Race Against the Clock

This is where Q-Vision identifies the true challenge for the industry. The decree establishes a phased but aggressive schedule:

1. Standardization Phase (Max. 6 Months): The Financial Superintendency must publish the technical standards for data exchange.

2. Implementation Phase (12-18 Months): Entities have 12 months (extendable by an additional 6 months) from the publication of each standard to enable full access.

3. Extended Grace Period (+6 Months): An additional 6-month extension is contemplated specifically for data related to corporate clients that do not qualify as SMEs.

The Reality: This means the sector effectively has between 18 and 30 months to completely transform its technological architecture.

The Q-Vision Strategic Perspective

From our experience managing large-scale migrations and integrations, 24 months is a tight window for traditional institutions. The challenge isn't just "opening a port"—it's about:

• Legacy Modernization: Decoupling data from core systems that weren't designed for high-frequency external requests.

• Governance at Scale: Managing thousands of third-party consents in real-time.

• Security by Design: Implementing zero-trust architectures to protect data as it circulates outside the traditional bank perimeter.

At Q-Vision, we help institutions navigate this timeline not by replacing their systems, but by building the API-First integration layer necessary to meet these deadlines without disrupting daily operations.

Implementing Decree 0368 is not merely a legal checkbox; it is a profound engineering undertaking. At Q-Vision, we categorize the immediate technical hurdles into two critical fronts:

1. Integration of Legacy Systems

Despite significant technological strides, the majority of Colombian banks still operate on architectures built 20, 30, or even 40 years ago. These systems were never designed to expose data via modern APIs. Successful modernization requires:

• Strangler Fig Pattern: Gradually implementing new API layers to "wrap" old functionality without dismantling critical core systems.

• Data Governance: Establishing clear policies regarding what data exists, where it resides, and how it flows across the organization.

• Exhaustive Testing: Ensuring that no sensitive data is inadvertently exposed during the transition.

The Q-Vision Advantage: Our teams significantly accelerate these modernization processes by identifying recurring patterns and automating the creation of secure integration layers.

2. Technological and Security Standards

The Financial Superintendency will soon define the "rules of the road," which likely include:

• API Technical Specifications: Standardizing around RESTful or GraphQL architectures.

• Authentication & Authorization: Implementation of OAuth 2.0 and OpenID Connect for secure consent management.

• Security Protocols: Mandatory use of TLS 1.3+ and advanced data encryption at rest and in transit.

• Standardized Data Formats: Uniform JSON schemas to ensure all players speak the same language.

• SLAs and Availability: Strict uptime requirements to ensure the ecosystem remains reliable.

Our Role: With over 21 years of experience in Quality Assurance (QA), Q-Vision's capabilities are essential here. Before any institution launches its Open Finance infrastructure, it must undergo exhaustive testing for security, performance, and regulatory compliance.

Decree 0368 is, without a doubt, a technological milestone for Colombia. It positions the country as a regulatory leader in Latin America regarding open finance, drawing favorable comparisons to PSD2 in Europe and Open Banking in Brazil.

However, it is not a magic wand. Its success will depend on:

• Firm Regulatory Leadership: Consistent oversight from the Financial Superintendency.

• Significant Investment: A commitment from the financial sector toward deep digital transformation.

• Top-Tier Talent: A workforce of skilled developers, architects, and security specialists.

• Industry Cooperation: Competitors working together under a unified framework.

• Digital Education: Ensuring citizens understand and trust the new system.

Our Commitment to the Future

At Q-Vision Technologies, we have spent 21 years transforming the Colombian financial sector. We have partnered with the country's leading banks and dozens of financial innovation initiatives. We are ready to serve as the technological partner for this transition.

The future of the Colombian financial system is more open, more secure, and more inclusive. And we are committed to making it a reality.