Banking Regulation 2025 Comparisons

Last Updated December 10, 2024

Law and Practice

Authors



Zurcher, Odio & Raven acts for a large number of banking and financial institutions and has substantial experience in all forms of financial contracts, banking and brokerage, leasing, commodity and financial derivatives for hedging, speculation and arbitrage. The team benefits from a wealth of knowledge in contractual and regulatory matters, and their impact on exchange, tax and financial law. The lawyers are able to adapt their experience with complex structured financing techniques that have evolved in the bank lending and capital markets, to provide innovative legal solutions for both domestic and international clients. The firm’s long-standing experience in government procurement, administrative regulations and constitutional law enables it to provide expert legal advice on public work concessions, private and public sector partnership and joint ventures, public project finance and infrastructure development.

The supervisory and regulatory structure of the Costa Rican banking system is composed of two different bodies:

  • the National Council for Supervision of the Financial System (Consejo Nacional de Supervisión del Sistema Financiero – CONASSIF); and
  • the General Superintendency of Financial Institutions (Superintendencia General de Entidades Financieras – SUGEF).

CONASSIF constitutes the senior steering body of the supervisory and regulatory system of Costa Rica. It leads and co-ordinates SUGEF, which is an autonomous body of the Central Bank of Costa Rica (BCCR) that is operationally independent while being under the direction of CONASSIF.

SUGEF is the supervising and regulating agency of all financial intermediaries operating in Costa Rica, including state-owned and private banks, non-banking financial companies, mutual savings and credit entities, as well as any other entity that is legally authorised to carry out financial intermediation activities.

CONASSIF has the authority to issue regulations regarding the authorisation, supervision, oversight and operations of SUGEF and the entities supervised by it. Such regulations are proposed and drafted by SUGEF, which also issues resolutions and guidelines for the financial sector (circulars, letters, resolutions, legal criteria and opinions).

Principal Laws and Regulations

The principal laws and regulations governing the banking sector and the regulators responsible for supervising banks in Costa Rica are as follows.

  • The Organic Law of the Central Bank of Costa Rica, No 7558 sets the Central Bank’s structure, governance and responsibility for:
    1. the monetary and exchange rate policy;
    2. overseeing the management of international monetary reserves;
    3. operating the internal and external payment system;
    4. setting forth the regulations for the creation, functioning and control of financial intermediaries;
    5. overseeing legal reserve requirements of financial intermediaries;
    6. acting as a lender of last resort;
    7. providing liquidity assistance to markets and solvent institutions;
    8. promoting the strengthening of the national financial system;
    9. safeguarding financial stability; and
    10. co-ordinating the macroprudential policy. The Law also outlines SUGEF’s role, tasks and responsibilities, and the non-compliance fines and penalties for supervised financial entities.
  • The Organic Law of the National Banking System, No 1644 sets up the general rules applicable to the banking system for state-owned and private banks, including the constitution of branch offices of foreign banks.
  • The Regulatory Law of Securities Market, No 7732 creates the regulators responsible for supervising banks and certain financial entities (CONASSIF and SUGEF), and their regulatory powers.
  • The Law of the Deposit Guarantee Fund and Liquidation of Financial Entities, No 9816 and its Regulation, rules the resolution of deposit insurance and banking entities.
  • The Law of Narcotics, Psychotropics, Non-authorised Drugs, Related Activities, Money Laundering and Financing of Terrorism, No 8204 (the “AML Act”) defines the activities that are subject to obligations regarding anti-money laundering, countering the financing of terrorism and financing the proliferation of weapons of mass destruction (AML/CFT/FPWMD).
  • The Law for the Promotion of Competition and Effective Consumer Defence, No 7472 protects the rights and legitimate interests of the consumer; the protection and promotion of the process of competition and free competition, through the prevention, prohibition of monopolies, monopolistic practices and other restrictions on the efficient functioning of the market; and the elimination of unnecessary regulations for economic activities. The Law Against Credit Usury, No 9859 includes a chapter to this consumer law that rules usury by setting up limits on the interest rates that can be charged by credit and financial operations, imposing duties of publicity of information related to credits and a series of obligations towards lenders.

SUGEF Regulations

The most relevant regulations issued by SUGEF are as follows:

  • SUGEF 4-04: Regulation about a Group Linked to an Entity;
  • SUGEF 5-04: Regulation on Credit Limits to Individuals and Economic Interest Groups;
  • SUGEF 1-05: Regulation for Debtor Risk Assessment (credit score);
  • SUGEF 3-06: Regulation on the Capital Adequacy of Financial Entities;
  • SUGEF 10-07: Regulation on Disclosure of Information and Advertising of Financial Products and Services;
  • SUGEF 2-10: Regulation of Comprehensive Risk Management;
  • CONASSIF 4-16: Regulation of Corporate Governance;
  • CONASSIF 5-17: Regulation of Information Technology Management;
  • CONASSIF 6-18: Regulation of Financial Information;
  • SUGEF 13-19: Regulation for the Prevention of Money Laundering;
  • SUGEF 9-20: Regulation for the Authorisation and Execution of Operations with Exchange Derivatives;
  • SUGEF 29-20: Regulation on the Responsibilities and Minimum Obligations of Foreign Banks’ Branches Domiciled in Costa Rica; and SUGEF 12-21: Regulation for Compliance with Law No 7786 (AML/CFT/FPWMD compliance);
  • SUGEF 40-21: Regulation of Resolution Mechanisms for Financial Intermediaries Supervised by SUGEF;
  • CONASSIF 15-22: Regulation on Suitability of the Members of the Management Body and Senior Management;
  • CONASSIF 16-22: Regulation of Consolidated Supervision;
  • SUGEF 24-22: Regulation for Economic-Financial Assessment of the Supervised Entities;
  • SUGEF 23-23: Regulation to Implement Recovery Plans and Resolution Plans in Supervised Entities;
  • SUGEF 8-24: Regulation on Authorisations of Entities Supervised by SUGEF.

Banking Licence

Offering banking services is a regulated activity, and a licence must be obtained from the regulator before starting operations.

The activities and services authorised under the banking licence are restricted to “banking activities”, which are defined as including the following:

  • financial intermediation (attracting financial resources from the public, on a regular basis, in order to allocate them, at the intermediary’s risk and expense, to any form of credit or investment in securities);
  • granting loans;
  • receiving deposits in savings accounts;
  • acting as a trustee;
  • opening trust accounts;
  • issuing letters of credit;
  • accepting and issuing commercial papers (such as promissory notes and bills of exchange);
  • guaranteeing such commercial papers; and constituting a general deposit warehouse.

Finally, according to the law, commercial banks are prohibited from participating directly or indirectly in agricultural, commercial, industrial or other companies, and from purchasing products, goods and real estate that are not essential for their normal banking business operation.

Applying for a Licence

A company can apply for a licence as a private bank, a non-banking financial entity or a mutual savings and credit entity, which will enable it to carry out financial activities in Costa Rica. Regarding banking authorisations, CONASSIF grants a general banking licence to a local entity organised as a Sociedad Anónima (equivalent to a corporation) or to a branch of a licensed foreign bank domiciled in a recognised jurisdiction, if such comply with all the requirements provided in Regulation SUGEF 8-24.

SUGEF Guidelines

Regulation SUGEF 8-24 establishes a series of guidelines to determine the following:

  • the proceedings to obtain a banking license and other relevant modifications to the local operation, such as ownership transfers, M&A and voluntary cessation;
  • the requirements for the acceptance of foreign banking centres;
  • the proceedings for changing the residence or the licence type for banks of Costa Rican-supervised financial groups located abroad;
  • the requirements for the incorporation of foreign organisations that are not subject to supervision at their legal residence (home jurisdiction).

Required Documentation

The application for a banking licence must include the following documents:

  • the application letter;
  • a draft of the constitution deed;
  • a detailed list of and information about the shareholders and final beneficiaries, together with a copy of their identification document, curriculum vitae, recommendation letters, criminal record certificate, financial statements audited and certified by a public accountant, prepared under NIIF or US GAAP and an affidavit;
  • authorisation from the applicant, its board members and its shareholders to conduct local and international research into their personal and financial backgrounds;
  • an affidavit about the source of the funds; and
  • a detailed business plan.

The banking licence application must be filed at SUGEF for its review. If completed to its satisfaction, SUGEF will transfer the application together with an opinion to CONASSIF for its approval or disapproval. If approved, CONASSIF issues a conditional licence to start the constitution of the entity/branch and other remaining operational requirements; once completed, SUGEF will release the final licence for the start of business operations in the Costa Rican market. As part of the process, to start the operation, the applicant must deposit approximately USD31.91 million in advance into the BCCR. This deposit can be partially drawn by the applicant to fund the lending operations, investments, installation and operational costs. The licensing process may take around 12 months.

The Competition Act

The Promotion of Competition and Consumer Protection Act (the “Competition Act”) promotes and seeks to maintain market competition by regulating anti-competitive conduct by companies, including concentrations where two or more companies combine by means of a merger or acquisition. It means that a merger or acquisition must be notified in advance to the Competition Commission so that it can be examined before the closing of a binding agreement.

If the transaction can be classified as a concentration under the definition provided by the law, and if the thresholds established by the law are triggered, the parties are obliged to notify before closing.

The definition of economic concentration contained in the Competition Act is broad and covers a whole series of transactions, such as mergers, the transfer of shares, the purchase of assets, and the purchase and sale of a business establishment, among others, if the following elements are met:

  • it is carried out between two or more independent economic agents, whether or not they are competitors;
  • at least two of the participating economic agents have operations with an impact in Costa Rica;
  • it involves a transfer of control of one or more of them, either through the acquisition of control over one another, or in the formation of a new economic agent, wherein “control” is defined as the de facto or legal possibility of executing a decisive influence over an economic agent or its assets, or the power to adopt or block decisions that determine its strategic commercial decisions;
  • it is carried out permanently or with the intention of permanence; and
  • the following thresholds are met:
    1. joint threshold: the combined assets of the parties in Costa Rica, or the combined revenue generated during the last fiscal period, has to be more than 30,000 base salaries (approximately USD25.856 million); and
    2. individual threshold: the individual sales or assets in Costa Rica of each party have to be more than 1,500 base salaries (approximately USD1.29 million).

Competition Commission

The Competition Commission is the authority that enforces the competition law, even though there are some special regulations or guidelines issued by SUGEF that cover regulated entities and must be complied with. Thus, regardless of whether or not the transaction is classified as a concentration under the Competition Act, SUGEF requires, pursuant to Regulation SUGEF 08-08, that regulated entities notify and update the information in respect of any relevant ownership modification when it occurs. Relevant ownership is defined as direct ownership of 10% or more of an entity, or indirect ownership of 25% or more of the entity. However, the supervised entity must always conduct a due diligence exercise to comply with the know-your-shareholder policy, and ensure that all documents related to it are updated.

Exemptions

This information is required from all the shareholders down to the final beneficiary level, regardless of whether or not the shares are held through agents, custodians or other legal entities through which the capital may be owned, including trusts, except when the shareholder is:

  • a company that is a public institution;
  • a company that is an international or multilateral development organisation;
  • a company whose shares are traded on the domestic or an international stock market;
  • a financial entity that is subject to consolidated supervision by the supervisory authorities in the shareholder's legal domicile; or
  • a co-operative association, a mutual association or a solidarity association.

There are no restrictions or different treatments for foreign shareholders.

The corporate governance regime applicable to banks is defined by the Regulation of Corporate Governance, CONASSIF 4-16. This regulation is mandatory and covers a comprehensive set of governance rules, including:

  • board member duties;
  • board responsibilities;
  • board composition;
  • board member profiles;
  • nomination processes;
  • documentation;
  • board evaluations;
  • conflicts of interest;
  • committees;
  • risk management;
  • audits;
  • remuneration;
  • transparency;
  • subsidiary governance; and
  • shareholder rights.

As a consequence of this regulation, the bank is required to approve an internal corporate governance code.

The Regulation on Suitability of Members of the Management Body and Senior Management, CONASSIF 15-22, complements the Regulation of Corporate Governance, with more specific assessment duties for the regulated entity upon appointing a director and/or senior manager, including the subsequent performance assessment. Pursuant to this regulation, regulated entities must approve a suitability policy and apply an assessment test for such positions.

The current corporate governance regulation draws upon leading international benchmarks for corporate governance, including the instruments of the Bank for International Settlements, the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors, the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO) and the OECD/G20 Principles of Corporate Governance. It deals with the different characteristics and capacities of regulated institutions by allowing proportionality in its application, as its rules can be adapted to the size and nature of the institution.

Most public and private banks and financial institutions have their own corporate governance code, which must be in accordance with the conditions and terms defined by the Regulation of Corporate Governance issued by SUGEF.

Banks are authorised to define their applicable rules for the members of the management body and senior management, and their roles and responsibilities, all according to the best interest of the entity. The law also requires the board of directors of an entity to have a minimum of five members.

The Regulation of Corporate Governance, CONASSIF 4-16, has a more comprehensive set of governance rules covering the following:

  • board member duties;
  • board responsibilities;
  • board composition;
  • board member profiles;
  • nomination processes;
  • documentation;
  • board evaluations;
  • conflicts of interest;
  • committees;
  • risk management;
  • audits;
  • remuneration;
  • transparency;
  • subsidiary governance; and
  • shareholder rights.

The Regulation on Suitability of Members of the Management Body and Senior Management, CONASSIF 15-22, complements the Regulation of Corporate Governance with more specific assessment duties for the regulated entity before appointing a director and/or senior manager, including the subsequent performance assessment. Pursuant to this regulation, the regulated entities must approve a suitability policy and apply an assessment test for such positions, as follows.

  • The suitability policy must include a valuation of the following items:
    1. honesty, integrity and reputation – this analysis should include at least the following factors –
      1. if the person has been convicted of a crime – special attention will be given to crimes of fraud, financial crimes or a crime under the legislation relating to financial and non-financial institutions, money laundering and the financing of terrorism, market manipulation and the use of inside information for profit;
      2. if the person has held a key position in an organisation that has been sanctioned or has entered into insolvency, bankruptcy, liquidation or intervention while said person was in office; and
      3. if the person or entity in which they have held a key position has a pending petition for a declaration of insolvency or bankruptcy, respectively, or has already been declared insolvent or bankrupt, even when said processes have been terminated by conciliation or judicial or extrajudicial arrangement. It should also be indicated if the natural person or entity in which the person has held a key position is in a process of administration and reorganisation by judicial intervention or if the person has lawsuits for pending debts, in the country or abroad, or if the entity is a delinquent debtor in the local financial system or abroad; and
    2. experience – this assessment must cover at least the following factors –
      1. experience in relevant areas of financial activity;
      2. specific experience in financial entities, particularly performing positions in management or senior management bodies;
      3. academic training in relevant areas for the activity carried out by the entity;
      4. specific complementary training in relevant areas for the activity developed by the financial institution, such as certifications from local or foreign institutions; and
      5. the number of years of experience, as well as academic and professional training, in congruence with the relevant activities of the financial entity.
  • Assessment test – the regulated entities must include an assessment test within the hiring and interview process to determine whether a candidate has the skills, work style, knowledge and personality to succeed in the required position according to the market, goals, team integration and experience of the entity.

The compliance with this pre-employment process must be supported and evidenced in an individual file for further regulatory review if needed. On a case-by-case basis, affidavits and official certifications shall support the compliance with the aforementioned requirements.

The regulated entity must inform SUGEF once a director or senior manager has been appointed. This designation is not subject to regulatory approval, as the supervisory regime follows a risk-based model whereby the regulator has the authority to execute a later review if needed, according to the circumstances and based on compliance with the aforementioned guidelines on the suitability policy, assessment tests and performance test.

According to the Regulation of Corporate Governance, the board of directors must supervise the performance of the senior management team, and must take any necessary actions when actions and consequences are not aligned with the expectations of the board. These include complying with company values, risk appetite and risk culture. Consequently, the regulated entities must approve a performance evaluation policy, applicable on a regular basis, for each member of the management body and senior management, once hired, to identify and valuate weakness points and to execute a mitigation plan to correct such discrepancies.

The remuneration requirements are regulated in the Regulation of Corporate Governance, CONASSIF 4-16, according to which the board of directors, the senior management team and members of the control bodies are subject to the relevant remuneration and incentive requirements.

The board of directors is responsible for approving the applicable remuneration conditions, and for defining and verifying that the scheme of remuneration and incentives encourages good performance and promotes acceptable risk management criteria. In addition, the regulated entity must have a Remunerations Technical Committee in place, which is responsible for monitoring the design and function of an adequate remunerations system. This Committee must be able to deliver a competent and independent set of recommendations about the policies and practices of remuneration and incentives to manage risk, capital and liquidity.

The approved remuneration policy must be revised periodically and monitored to ensure its correct application.

The remuneration and incentives policy must be aligned with the entity’s strategies and business horizon or with the activity and level of risks, objectives, values and long-term interests, taking into consideration measures to avoid conflicts of interest.

The board of directors must ensure that remuneration covers current and potential risks taken by an employee, such as internal procedure violations and regulatory and legal requirements.

For staff members from units involving risk, compliance and other control units, incentives must be defined independent of any business line or substantial activity, and performance must be evaluated according to their own objectives.

SUGEF supervises the application of remuneration policies as part of the Corporate Governance Code that all supervised entities must implement internally. SUGEF periodically supervises the execution and results of the Corporate Governance Code, and issues mandatory changes or adjustments that must be implemented by the supervised entity.

Breaching the requirements could trigger internal disciplinary actions by the company, and could eventually result in economic penalisation or fines being imposed by the regulator.

Article 15 of the AML Act states that the following activities are subject to compliance with and supervision by SUGEF:

  • systematic or substantial money exchange and transfer operations, through instruments such as cheques, bank drafts, bills of exchange or similar;
  • systematic or substantial operations of the issuance, sale, redemption or transfer of travellers’ cheques or money orders;
  • substantial systematic transfers of funds, carried out by any means;
  • the administration of trusts or any type of administration of resources carried out by individuals or legal entities who are not financial intermediaries; and
  • money remittances from one country to another.

If any business falls under any of the activities described in Article 15 of the AML Act, the individual or entity must comply with the AML regulation, which includes the appointment of a compliance officer, implementing know-your-client (KYC) and know-your-employee (KYE) procedures, and regular reporting obligations for suspect transactions.

Thus, all banking institutions must:

  • obtain and keep information about the identity of anyone who is a beneficiary of an open account or a financial transaction when there are doubts about clients who are not acting on their own benefit, especially in the case of institutional clients without any commercial industrial or financial activity in the country of origin or address;
  • keep only identified holder accounts – anonymous or numbered accounts are forbidden, as are encrypted accounts or accounts under fictitious or inexact names;
  • register and verify by feasible means the identity, representation, address, activity or social object of the client, and other information about its identity; this information must be filed on a form signed by the client; if considered a high-risk client according to the qualification issued by SUGEF, financial entities must require a notary certification about the judicial and extrajudicial representation of the entity; this verification will be implemented particularly when commercial relations are established, such as the opening of new accounts, trust transactions, security box leasing or transactions to or from foreign countries involving amounts equivalent to or higher than USD10,000; any documentation and files and records about these operations must be kept in custody for at least five years after the completion of such transaction;
  • ensure that bearer shares and numbered accounts are forbidden; regulated entities cannot open accounts or have an institutional client with bearer shares; foreign entities that request the opening of an account or any other transaction must be legally registered in their country of origin, so that all of their shareholders can be identified; and
  • report to the authorities suspicious transactions or activities that do not fit into the client/employee profile defined according to the policies approved for these purposes.

The Law of the Deposit Guarantee Fund and Liquidation of Financial Entities, No 9816, and its Regulation for the management of the Deposit Guarantee Fund (FGD) and other guarantee funds (OGF), regulates deposit insurance through a special fund and banking resolution.

The Deposit Guarantee Fund (the “Fund”) created by this law establishes three different compartments:

  • one for public banks;
  • one for private banks and non-bank financial entities; and
  • a third for savings and credit co-operatives supervised by SUGEF, as well as other financial entities.

The Fund is administered by the Central Bank but is a separate estate and will have a manager subordinated to the board of directors of the Central Bank.

Deposits such as savings, accounts and investments opened in public banks, private banks and non-bank financial entities are covered by the Fund.

The maximum coverage amount is approximately USD10,000 per person/entity, in local or foreign currency.

The Fund receives contributions from the regulated entities. The maximum contribution to the Fund is 0.15% of the total financial intermediation liabilities covered. Within this maximum, a risk-based premium, established by regulation, will be applied based on the risk profile of the financial entity. In addition, the Fund will be guaranteed by the assets constituting the minimum reserve requirement (RR) and the liquidity reserve (LR), up to 2% of the total liabilities subject to those requirements.

According to Law No 9816 the Fund will pay by an order of CONASSIF, upon a recommendation of the intervention manager of the entity in default. If a default event occurs that triggers the pay-out, where CONASSIF determines that it is necessary to use the Fund, resources will be used from the compartment of the Fund to which the financial institution contributes. If the Fund is insufficient, the amounts will be met by the RR and LR guarantee.

The Regulation indicates that OGF corresponds to any guarantee fund, existing or created in the future, different from the Fund, which must offer equal or greater coverage than provided by the Fund, and it must be regulated by CONASSIF and supervised by SUGEF. Savings and credit unions are the only entities authorised to contribute to OGF.

According to Articles 62, 63 and 65 of Law No 7558, all supervised financial institutions must maintain a reserve requirement for deposits and funds received, with a maximum limit of 15%, in an unremunerated BCCR account. This minimum reserve requirement has been set by the BCCR at its maximum level since August 2005. Short-term external debt operations and new operations of medium and long-term external debt were included as part of the reserve requirement in September 2011 and July 2015, respectively. There is no differentiation between instruments or institutions. Although this requirement does not apply to co-operatives, a minimum liquidity reserve of 15% is applied to a group of co-operatives based on their size. These reserves must be invested in financial instruments issued by the BCCR.

The capital adequacy of financial institutions operating in Costa Rica is prescribed by Regulation SUGEF 3-06 (Regulation on the Capital Adequacy of Financial Entities) and Regulation SUGEF 24-22 (Regulation to Assess the Economic and Financial Situation of the Supervised Entities).

Regulation SUGEF 3-06 defines a minimum capital requirement of 10% for all financial institutions (banks, savings and credit co-operatives) operating in Costa Rica, and describes the methodology to estimate the solvency of supervised entities. Reserves created with specific purposes, other than loss absorption, are not accepted for the calculation of solvency. Capital is required for credit risk, operational risk, exchange rate risk, counterparty risk and market risk in transactions with exchange rate derivatives and risk of changes in interest rates on operations with exchange rate derivatives.

Financial institutions are rated and categorised by risk level based on their capital adequacy levels, according to Regulation SUGEF 3-06 and SUGEF 24-22. The same regulations prescribe the remedial action and measures required at each of the different risk levels.

A special administrative procedure is established for financial entities such as banks, called the “Administrative Procedure in Case of Financial Instability Situations”, which is handled by SUGEF and is a pre-emptive procedure imposed when a supervised financial institution exhibits instability as determined by SUGEF. In such cases, SUGEF appoints a comptroller to take control of the financial institution, according to the rules of the Organic Law of the Central Bank of Costa Rica. This is a temporary intervention and cannot exceed a term of one year.

Financial Institution Ratings

To evaluate the financial stability of supervised entities, SUGEF issues a rating for each financial institution, composed of a quantitative and a qualitative rating. The quantitative classification consists of six elements subject to analysis:

  • capital;
  • assets;
  • management;
  • performance evaluation;
  • liquidity; and
  • sensitivity to market risks.

The qualitative qualification results from an on-site evaluation carried out by SUGEF. The evaluation approach is according to the risk-based supervision approach, with the qualitative part of the assessment being allocated a higher weighting in the overall rating of the bank and the supervisor assigning the final qualitative assessment of the financial entity.

Levels of Financial Instability or Irregularity

There are three levels of financial instability or irregularity for supervised entities, corresponding to the rating assigned to them based on the analysis and the evaluation model:

  • Level 1 – slight instability or irregularity that can be overcome by adopting short-term corrective actions;
  • Level 2 – more severe instability or irregularity that can only be overcome by adopting and executing a recovery plan; and
  • Level 3 – requires intervention in the entity. Level 3 covers the following cases:

Level 2 situations of instability that have not complied with the recovery plan;

    1. entities involved in fraudulent or illegal operations;
    2. entities with suspended or interrupted payments;
    3. a refusal to provide information about the financial and operational status of the entity to SUGEF;
    4. management of the business in a way that endangers its security and solvency;
    5. involvement in money laundering activities;
    6. entities that have suffered losses which reduce their equity to an amount that is less than half of their initial equity; and
    7. entities that are not complying with the capital adequacy rules.

Irregular Situations

If an irregular situation is declared, SUGEF must inform the board of directors or management (manager and internal auditor) of the institution about such situation, and will require the submission of an action or recovery plan within a certain period. Once approved, such plan becomes mandatory for the institution.

Progress reports on compliance might be requested by SUGEF, and can be accompanied by on-site verifications carried out by SUGEF. If SUGEF considers that the action or recovery plan is not adequate to remedy the financial situation, it shall order the financial intermediary to make the relevant adjustments within a reasonable and non-extendable period. In accordance with the level of risk shown by the financial intermediary, SUGEF may require the institution to provide additional capital or any other corrective measures to remedy the deficiencies, including the possibility of requesting changes of staff members.

For institutions on Level 3 of financial irregularity, CONASSIF shall order the intervention of the supervised institution and designate the intervenors/administrators to assume the administration of the institution. The administrators must present a plan for the financial regularisation of the institution within the term established by CONASSIF, or recommend its resolution. The Superintendent monitors the intervention process and ensures compliance with the conditions of intervention agreed upon by CONASSIF.

Resolution

Resolution is applicable to an entity under a Level 3 irregularity or instability. CONASSIF is the resolution authority and, based on the recommendation of the controller, will apply the resolution mechanism that best suits the situation, if the entity is considered non-viable.

Resolution may combine one or more of the following options:

  • the sale of the entity’s business;
  • the exclusion and total or partial transfer of assets and liabilities to another solvent financial entity or a bridge entity;
  • the exclusion and transfer of assets and liabilities to a trust or a special purpose vehicle;
  • internal recapitalisation – ie, the transformation of liabilities into capital; and
  • any other option approved by CONASSIF.

According to the legislation, the resolution regime will provide the resolution authority with the flexibility to apply different tools and mechanisms for resolving an insolvent financial entity, in order to maximise the value of the entity to protect its creditors, particularly depositors, as well as being at the lowest cost.

The current resolution regime is the result of a legal update made by Costa Rica as part of the process to become a member of the OECD. Thus, both Financial Stability Board Key Attributes of Effective Resolution Regimes and OECD recommendations were considered in updating the resolution legal framework.

As part of this update, SUGEF was granted discretionary intervention powers by extending the scope of its current intervention and sanctioning powers towards a cross-border and consolidated supervision covering local, foreign and other group companies relating to information provision, financial and capital requirements, and the authority to execute on-site inspections abroad.

There are no specific banking regulatory requirements that involve ESG matters. However, in October 2021 the Congress passed a law that entitles financial entities and government agencies to issue and register “thematic bonds” for public offer. These securities can be issued to finance specific investment themes such as climate change, health, food, education and access to financial services, and target specific sustainable development goals (SDGs) through investing.

According to Article 5 of this Law, all financial regulatory agencies, including SUGEF, must recommend regulatory changes to CONASSIF. This requires regulated entities to include sustainable or responsible investment strategies in their policies. In this way, not only do funds managed by these entities create revenue, but part of this investment can be directed into activities, works and projects that contribute to the fulfilment of SDGs and the National Climate Change Strategy.

Therefore, it is expected that a regulation could be implemented to allow all financial entities to include SDGs in their investment policies, along with financial returns and revenue.

Although there is no direct reference to DORA (the Digital Operational Resilience Act), in July 2024, CONASSIF approved a comprehensive reform to the Information Risk Management General Regulation (“the Regulation”). The Regulation is a new version of that initially approved in 2017. Its aim is to establish the minimum requirements to be officially met by all supervised entities and companies within the Costa Rican financial system in respect of the governance and management of information technology and associated risks.

Pursuant to the Regulation, supervised entities and companies must design, implement, monitor and maintain a governance and IT management framework in accordance with: i) organisational strategy; ii) risk appetite, tolerance, and capacity; and iii) the size, complexity, business models, and policies approved by the governing body.

The supervised entities and companies must apply international standards, best practices, and reference frameworks developed by the technology industry to implement the governance and IT management framework without compromising compliance with the provisions established in the Regulation. They will also be required to design, implement, maintain and monitor any information security management system that includes provisions on information security and cybersecurity set down in the Regulation.

The Regulation establishes a series of obligations and responsibilities that must be fulfilled by senior management, the Information Technology Committee, Internal Audit, and the Risk Management department of each entity. As part of the obligations set out, supervised entities and companies must develop a technology profile and update it annually. An external IT audit of the governance and IT management framework must also be carried out each year.

The information security management system must permit controls that enable risk-based measures to protect information assets and the assets supporting these from information security and cybersecurity risks. These controls must be included in a statement of applicability, and their attributes laid out in Regulation’s general guidelines. 

International standards, best practices or reference frameworks related to information security and cybersecurity developed by the technology industry may be used to implement the information security management system.

Based on risks identified, the superintendencies may require the inclusion in the information security management system of information security and cybersecurity practices and controls.

Supervised entities and companies must manage cybersecurity to meet business requirements and ensure operational resilience of all digital functions, establishing indicators to regularly measure the effectiveness and efficiency of cybersecurity. They must also design and implement a process for managing information security and cybersecurity incidents that incorporates the phases of incident management as established in the general guidelines of the Regulation.

When an information security or cybersecurity breach is identified, supervised entities and companies must determine its potential impact in accordance with the classification model presented in the Regulation’s general guidelines.

The incident-management process must include a response plan for information security and cybersecurity incidents, as well as controls to allow the collection of evidence for forensic analysis.

An information security and cybersecurity incident response function must be set up in accordance with the structure, size, service channels, transaction volume, number of clients, risk assessment and services provided by each supervised entity and company. If the confidentiality or integrity of client information is compromised due to an information security or cybersecurity breach, the entities and companies must notify the clients affected. It will be the responsibility of the supervised entities and companies to define the type, scope, and minimum content of the communication, which must be timely, clear, and appropriately tailored to the nature of the incident.

SUGEF and CONASSIF requested a legal opinion from the General Attorney of the Republic regarding the legality and operation of the fintech industry where it has obtained financial resources from the public. According to the legal opinion recently issued by this entity, fintech platforms must keep functioning as an aggregated service to the banking and financial supervised industry.

Fintech operators are not permitted to accept deposits from the public or open individual accounts, as they are not authorised to engage in financial intermediation under the current legal framework.

Zurcher, Odio & Raven

Plaza Roble Corporate Centre
Los Balcones Building
Escazú, San José
Costa Rica

+506 2201 3800

+506 2201 7150

dsoto@zurcherodioraven.com www.zurcherodioraven.com
Author Business Card

Law and Practice in Costa Rica

Authors



Zurcher, Odio & Raven acts for a large number of banking and financial institutions and has substantial experience in all forms of financial contracts, banking and brokerage, leasing, commodity and financial derivatives for hedging, speculation and arbitrage. The team benefits from a wealth of knowledge in contractual and regulatory matters, and their impact on exchange, tax and financial law. The lawyers are able to adapt their experience with complex structured financing techniques that have evolved in the bank lending and capital markets, to provide innovative legal solutions for both domestic and international clients. The firm’s long-standing experience in government procurement, administrative regulations and constitutional law enables it to provide expert legal advice on public work concessions, private and public sector partnership and joint ventures, public project finance and infrastructure development.