Circular Externa 001 of 2026 from the Superintendencia Financiera launches the open finance framework in Colombia. The sector has spent months talking about APIs, interoperability and data portability. One conversation is not happening: who will be able to demonstrate, in an audit, that user consent was obtained, documented and traceable.
What Decree 0368 actually requires
The open finance framework requires that access, use and processing of consumer financial data operate under prior, express and informed consent. The SFC is to define the technical standards within six months. Institutions have a gradual implementation schedule.
The industry's focus is on the technology layer: the APIs, connectors and authentication protocols. That is the visible conversation. The conversation not happening is about the evidence of that consent when it is obtained through a process that includes physical or semi-structured documentation.
The implicit assumption the framework does not resolve
The open finance framework implicitly assumes a digital user: someone who consents on a screen, whose record is stored in a system log. But the Colombian financial system does not operate only with digital users. Fiduciaries, employee funds, supervised credit cooperatives, mass-market insurance: all have client portfolios that interact through physical forms, mixed forms or field onboarding processes.
For those clients, consent is a document. And that document, in most cases, does not have a structured digitization process, field validation or auditable record issuance.
Colombian open finance is building data highways. The paper consent form in the field is the pothole at the start of the route. Whoever does not resolve it will arrive at the audit with an incomplete highway.
Why this matters beyond compliance
The thesis the sector is applying to open finance is efficiency through interoperability: if data flows between institutions with user consent, acquisition cost drops, product offering improves, financial inclusion advances. It is a correct thesis.
What that thesis assumes is that consent is verifiable. If an institution cannot demonstrate that consent was documented correctly, that user's data portability is a regulatory liability, not a business asset.
The question compliance teams must ask today
Can they demonstrate, file by file, that each client consent was obtained, that the form is complete, that mandatory fields were filled and that the record is traceable? For clients who consented digitally, the answer is probably yes. For those who consented on paper or through a mixed process, the answer is more complex.
What DocIntel does with the consent document
DocIntel converts the consent document, in any format, into a record validated field by field, with a completeness verdict and full traceability. The result is not a digitized file. It is a consent that can be audited, field by field, with a timestamp for every validation decision.
The time window is short
The SFC will publish the standardization schedule in the next six months. Institutions whose consent documentation process is still non-traceable at that point will arrive at the open finance implementation with an active compliance debt.
The question is not whether consent will be enforceable. It already is. The question is whether your institution's process can demonstrate it when the auditor arrives.