Brazil's Open Banking Framework: A Developer's Overview
Brazil's Open Banking initiative — now expanded and rebranded as Open Finance — is one of the most ambitious financial data-sharing programs in the world. Regulated by the Banco Central do Brasil (BCB) and the Conselho Monetário Nacional (CMN), Open Finance mandates that banks share customer data (with customer consent) through standardized APIs.
For developers, this creates extraordinary opportunities: build products that aggregate accounts, enable payment initiation, and provide personalized financial services — all through a regulated, interoperable framework.
The Four Phases of Open Banking in Brazil
Brazil rolled out Open Banking in structured phases:
| Phase | Focus | Key Data/Services |
|---|---|---|
| Phase 1 | Open Data | Product and service information (public, no consent needed) |
| Phase 2 | Customer Data | Account, credit, and transaction data (with consent) |
| Phase 3 | Payment Initiation | PIX payments initiated by third-party apps |
| Phase 4 | Open Finance | Insurance, investments, pensions, foreign exchange |
How the Consent Flow Works
The cornerstone of Open Banking is customer consent. Before your application can access a user's financial data, the user must explicitly authorize it. This process involves:
- Consent Request — Your app (as a TPP, or Third Party Provider) requests specific data permissions with a defined scope and expiry.
- Redirect to Bank — The user is redirected to their bank (e.g., Bradesco) to authenticate and approve the consent.
- Authorization Code — Upon approval, your app receives an authorization code.
- Token Exchange — The code is exchanged for access and refresh tokens.
- API Access — Your app uses the access token to retrieve permitted data.
What is a TPP?
A Third Party Provider (TPP) is any company or developer that accesses bank APIs on behalf of a customer. TPPs in Brazil must be registered with the BCB and are categorized as:
- AISP (Account Information Service Provider) — reads account data
- PISP (Payment Initiation Service Provider) — initiates payments
- CBPII (Card-Based Payment Instrument Issuer) — issues payment instruments
How Bradesco Implements Open Banking
As a Phase 1 mandatory participant, Bradesco exposes all required Open Banking endpoints through its developer portal. This includes product catalogs (publicly available), as well as consented data endpoints for accounts, transactions, and payment initiation.
Bradesco follows the FAPI (Financial-grade API) security profile, which means:
- All API calls require mTLS
- JWT-signed requests are enforced for sensitive operations
- PKCE is used in authorization flows
Key Takeaways for Developers
Building on Brazil's Open Finance ecosystem requires understanding both the technical standards and the regulatory framework. Start with Phase 1 public APIs to familiarize yourself with the response structures, then work toward consented data flows. Always stay updated with the Open Finance Brasil GitHub repository, which publishes the official API specifications.