Contributed By Zurcher, Odio & Raven
The supervisory and regulatory structure of the Costa Rican banking system is composed of two different bodies:
CONASSIF constitutes the senior steering body of the supervisory and regulatory system of Costa Rica. It leads and co-ordinates SUGEF, which is an autonomous body of the Central Bank of Costa Rica (BCCR) that is operationally independent while being under the direction of CONASSIF.
SUGEF is the supervising and regulating agency of all financial intermediaries operating in Costa Rica, including state-owned and private banks, non-banking financial companies, mutual savings and credit entities, as well as any other entity that is legally authorised to carry out financial intermediation activities.
CONASSIF has the authority to issue regulations regarding the authorisation, supervision, oversight and operations of SUGEF and the entities supervised by it. Such regulations are proposed and drafted by SUGEF, which also issues resolutions and guidelines for the financial sector (circulars, letters, resolutions, legal criteria and opinions).
Principal Laws and Regulations
The principal laws and regulations governing the banking sector and the regulators responsible for supervising banks in Costa Rica are as follows.
SUGEF Regulations
The most relevant regulations issued by SUGEF are as follows:
Banking Licence
Offering banking services is a regulated activity, and a licence must be obtained from the regulator before starting operations.
The activities and services authorised under the banking licence are restricted to “banking activities”, which are defined as including the following:
Finally, according to the law, commercial banks are prohibited from participating directly or indirectly in agricultural, commercial, industrial or other companies, and from purchasing products, goods and real estate that are not essential for their normal banking business operation.
Applying for a Licence
A company can apply for a licence as a private bank, a non-banking financial entity or a mutual savings and credit entity, which will enable it to carry out financial activities in Costa Rica. Regarding banking authorisations, CONASSIF grants a general banking licence to a local entity organised as a Sociedad Anónima (equivalent to a corporation) or to a branch of a licensed foreign bank domiciled in a recognised jurisdiction, provided that the applicant complies with all the requirements set out in Regulation SUGEF 8-24.
SUGEF Guidelines
Regulation SUGEF 8-24 establishes a series of guidelines to determine the following:
Required Documentation
The application for a banking licence must include the following documents:
The banking licence application must be filed at SUGEF for its review. If completed to its satisfaction, SUGEF will transfer the application together with an opinion to CONASSIF for its approval or disapproval. If approved, CONASSIF issues a conditional licence to start the constitution of the entity/branch and other remaining operational requirements; once completed, SUGEF will release the final licence for the start of business operations in the Costa Rican market. As part of the process, to start the operation, the applicant must deposit approximately USD31.91 million in advance into the BCCR. This deposit can be partially drawn by the applicant to fund the lending operations, investments, installation and operational costs. The licensing process may take around 12 months.
The Competition Act
The Promotion of Competition and Consumer Protection Act (the “Competition Act”) promotes and seeks to maintain market competition by regulating anti-competitive conduct by companies, including concentrations where two or more companies combine by means of a merger or acquisition. This means that a merger or acquisition must be notified in advance to the Competition Commission so that it can be examined before the closing of a binding agreement.
If the transaction can be classified as a concentration under the definition provided by the law, and if the thresholds established by the law are triggered, the parties are obliged to notify before closing.
The definition of economic concentration contained in the Competition Act is broad and covers a whole series of transactions, such as mergers, the transfer of shares, the purchase of assets, and the purchase and sale of a business establishment, among others, if the following elements are met:
Competition Commission
The Competition Commission is the authority that enforces the competition law, even though there are some special regulations or guidelines issued by SUGEF that cover regulated entities and must be complied with. Thus, regardless of whether or not the transaction is classified as a concentration under the Competition Act, SUGEF requires, pursuant to Regulation SUGEF 08-08, that regulated entities notify and update the information in respect of any relevant ownership modification when it occurs. Relevant ownership is defined as direct ownership of 10% or more of an entity, or indirect ownership of 25% or more of the entity. However, the supervised entity must always conduct a due diligence exercise to comply with the know-your-shareholder policy, and ensure that all documents related to it are updated.
Exemptions
This information is required from all the shareholders down to the final beneficiary level, regardless of whether or not the shares are held through agents, custodians or other legal entities through which the capital may be owned, including trusts, except when the shareholder is:
There are no restrictions or different treatments for foreign shareholders.
The corporate governance regime applicable to banks is defined by the Regulation of Corporate Governance, CONASSIF 4-16. This regulation is mandatory and covers a comprehensive set of governance rules, including:
As a consequence of this regulation, the bank is required to approve an internal corporate governance code.
The Regulation on Suitability of Members of the Management Body and Senior Management, CONASSIF 15-22, complements the Regulation of Corporate Governance, with more specific assessment duties for the regulated entity upon appointing a director and/or senior manager, including the subsequent performance assessment. Pursuant to this regulation, regulated entities must approve a suitability policy and apply an assessment test for such positions.
The current corporate governance regulation draws upon leading international benchmarks for corporate governance, including the instruments of the Bank for International Settlements, the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors, the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO) and the OECD/G20 Principles of Corporate Governance. It deals with the different characteristics and capacities of regulated institutions by allowing proportionality in its application, as its rules can be adapted to the size and nature of the institution.
Most public and private banks and financial institutions have their own corporate governance code, which must be in accordance with the conditions and terms defined by the Regulation of Corporate Governance issued by SUGEF.
Banks are authorised to define their applicable rules for the members of the management body and senior management, and their roles and responsibilities, all according to the best interest of the entity. The law also requires the board of directors of an entity to have a minimum of five members.
The Regulation of Corporate Governance, CONASSIF 4-16, has a more comprehensive set of governance rules covering the following:
The Regulation on Suitability of Members of the Management Body and Senior Management, CONASSIF 15-22, complements the Regulation of Corporate Governance with more specific assessment duties for the regulated entity before appointing a director and/or senior manager, including the subsequent performance assessment. Pursuant to this regulation, the regulated entities must approve a suitability policy and apply an assessment test for such positions, as follows.
The compliance with this pre-employment process must be supported and evidenced in an individual file for further regulatory review if needed. On a case-by-case basis, affidavits and official certifications shall support the compliance with the aforementioned requirements.
The regulated entity must inform SUGEF once a director or senior manager has been appointed. This designation is not subject to regulatory approval, as the supervisory regime follows a risk-based model whereby the regulator has the authority to execute a later review if needed, according to the circumstances and based on compliance with the aforementioned guidelines on the suitability policy, assessment tests and performance test.
According to the Regulation of Corporate Governance, the board of directors must supervise the performance of the senior management team, and must take any necessary measures when actions and consequences are not aligned with the expectations of the board. These include complying with company values, risk appetite and risk culture. Consequently, the regulated entities must approve a performance evaluation policy, applicable on a regular basis, for each member of the management body and senior management, once hired, to identify and evaluate weaknesses and to execute a mitigation plan to correct such discrepancies.
The remuneration requirements are regulated in the Regulation of Corporate Governance, CONASSIF 4-16, according to which the board of directors, the senior management team and members of the control bodies are subject to the relevant remuneration and incentive requirements.
The board of directors is responsible for approving the applicable remuneration conditions, and for defining and verifying that the scheme of remuneration and incentives encourages good performance and promotes acceptable risk management criteria. In addition, the regulated entity must have a Remunerations Technical Committee in place, which is responsible for monitoring the design and function of an adequate remunerations system. This Committee must be able to deliver a competent and independent set of recommendations about the policies and practices of remuneration and incentives to manage risk, capital and liquidity.
The approved remuneration policy must be revised periodically and monitored to ensure its correct application.
The remuneration and incentives policy must be aligned with the entity’s strategies and business horizon or with the activity and level of risks, objectives, values and long-term interests, taking into consideration measures to avoid conflicts of interest.
The board of directors must ensure that remuneration covers current and potential risks taken by an employee, such as internal procedure violations and regulatory and legal requirements.
For staff members from units involving risk, compliance and other control units, incentives must be defined independent of any business line or substantial activity, and performance must be evaluated according to their own objectives.
SUGEF supervises the application of remuneration policies as part of the Corporate Governance Code that all supervised entities must implement internally. SUGEF periodically supervises the execution and results of the Corporate Governance Code, and issues mandatory changes or adjustments that must be implemented by the supervised entity.
Breaching the requirements could trigger internal disciplinary actions by the company, and could eventually result in economic penalisation or fines being imposed by the regulator.
Article 15 of the AML Act states that the following activities are subject to compliance with and supervision by SUGEF:
If any business falls under any of the activities described in Article 15 of the AML Act, the individual or entity must comply with the AML regulation, which includes the appointment of a compliance officer, implementing know-your-client (KYC) and know-your-employee (KYE) procedures, and regular reporting obligations for suspect transactions.
Thus, all banking institutions must:
The Law of the Deposit Guarantee Fund and Liquidation of Financial Entities, No 9816, and its Regulation for the management of the Deposit Guarantee Fund (FGD) and other guarantee funds (OGF), regulates deposit insurance through a special fund and banking resolution.
The Deposit Guarantee Fund (the “Fund”) created by this law establishes three different compartments:
The Fund is administered by the Central Bank but is a separate estate and will have a manager subordinated to the board of directors of the Central Bank.
Deposits such as savings, accounts and investments opened in public banks, private banks and non-bank financial entities are covered by the Fund.
The maximum coverage amount is approximately USD10,000 per person/entity, in local or foreign currency.
The Fund receives contributions from the regulated entities. The maximum contribution to the Fund is 0.15% of the total financial intermediation liabilities covered. Within this maximum, a risk-based premium, established by regulation, will be applied based on the risk profile of the financial entity. In addition, the Fund will be guaranteed by the assets constituting the minimum reserve requirement (RR) and the liquidity reserve (LR), up to 2% of the total liabilities subject to those requirements.
According to Law No 9816, the Fund will pay out on the order of CONASSIF, upon a recommendation of the intervention manager of the entity in default. If a default event occurs that triggers the pay-out, where CONASSIF determines that it is necessary to use the Fund, resources will be used from the compartment of the Fund to which the financial institution contributes. If the Fund is insufficient, the amounts will be met by the RR and LR guarantee.
The Regulation indicates that OGF corresponds to any guarantee fund, existing or created in the future, different from the Fund, which must offer equal or greater coverage than provided by the Fund, and it must be regulated by CONASSIF and supervised by SUGEF. Savings and credit unions are the only entities authorised to contribute to OGF.
According to Articles 62, 63 and 65 of Law No 7558, all supervised financial institutions must maintain a reserve requirement for deposits and funds received, with a maximum limit of 15%, in an unremunerated BCCR account. This minimum reserve requirement has been set by the BCCR at its maximum level since August 2005. Short-term external debt operations and new operations of medium and long-term external debt were included as part of the reserve requirement in September 2011 and July 2015, respectively. There is no differentiation between instruments or institutions. Although this requirement does not apply to co-operatives, a minimum liquidity reserve of 15% is applied to a group of co-operatives based on their size. These reserves must be invested in financial instruments issued by the BCCR.
The capital adequacy of financial institutions operating in Costa Rica is prescribed by Regulation SUGEF 3-06 (Regulation on the Capital Adequacy of Financial Entities) and Regulation SUGEF 24-22 (Regulation to Assess the Economic and Financial Situation of the Supervised Entities).
Regulation SUGEF 3-06 defines a minimum capital requirement of 10% for all financial institutions (banks, savings and credit co-operatives) operating in Costa Rica, and describes the methodology to estimate the solvency of supervised entities. Reserves created with specific purposes, other than loss absorption, are not accepted for the calculation of solvency. Capital is required for credit risk, operational risk, exchange rate risk, counterparty risk and market risk in transactions with exchange rate derivatives and risk of changes in interest rates on operations with exchange rate derivatives.
Financial institutions are rated and categorised by risk level based on their capital adequacy levels, according to Regulation SUGEF 3-06 and SUGEF 24-22. The same regulations prescribe the remedial action and measures required at each of the different risk levels.
A special administrative procedure is established for financial entities such as banks, called the “Administrative Procedure in Case of Financial Instability Situations”, which is handled by SUGEF and is a pre-emptive procedure imposed when a supervised financial institution exhibits instability as determined by SUGEF. In such cases, SUGEF appoints a comptroller to take control of the financial institution, according to the rules of the Organic Law of the Central Bank of Costa Rica. This is a temporary intervention and cannot exceed a term of one year.
Financial Institution Ratings
To evaluate the financial stability of supervised entities, SUGEF issues a rating for each financial institution, composed of a quantitative and a qualitative rating. The quantitative classification consists of six elements subject to analysis:
The qualitative rating results from an on-site evaluation carried out by SUGEF. The evaluation follows the risk-based supervision approach, with the qualitative part of the assessment being allocated a higher weighting in the overall rating of the bank and the supervisor assigning the final qualitative assessment of the financial entity.
Levels of Financial Instability or Irregularity
There are three levels of financial instability or irregularity for supervised entities, corresponding to the rating assigned to them based on the analysis and the evaluation model:
Level 2 situations of instability that have not complied with the recovery plan;
Irregular Situations
If an irregular situation is declared, SUGEF must inform the board of directors or management (manager and internal auditor) of the institution about such situation, and will require the submission of an action or recovery plan within a certain period. Once approved, such plan becomes mandatory for the institution.
Progress reports on compliance might be requested by SUGEF, and can be accompanied by on-site verifications carried out by SUGEF. If SUGEF considers that the action or recovery plan is not adequate to remedy the financial situation, it shall order the financial intermediary to make the relevant adjustments within a reasonable and non-extendable period. In accordance with the level of risk shown by the financial intermediary, SUGEF may require the institution to provide additional capital or any other corrective measures to remedy the deficiencies, including the possibility of requesting changes of staff members.
For institutions on Level 3 of financial irregularity, CONASSIF shall order the intervention of the supervised institution and designate the intervenors/administrators to assume the administration of the institution. The administrators must present a plan for the financial regularisation of the institution within the term established by CONASSIF, or recommend its resolution. The Superintendent monitors the intervention process and ensures compliance with the conditions of intervention agreed upon by CONASSIF.
Resolution
Resolution is applicable to an entity under a Level 3 irregularity or instability. CONASSIF is the resolution authority and, based on the recommendation of the controller, will apply the resolution mechanism that best suits the situation, if the entity is considered non-viable.
Resolution may combine one or more of the following options:
According to the legislation, the resolution regime will provide the resolution authority with the flexibility to apply different tools and mechanisms for resolving an insolvent financial entity, in order to maximise the value of the entity and protect its creditors, particularly depositors, at the lowest cost.
The current resolution regime is the result of a legal update made by Costa Rica as part of the process to become a member of the OECD. Thus, both Financial Stability Board Key Attributes of Effective Resolution Regimes and OECD recommendations were considered in updating the resolution legal framework.
As part of this update, SUGEF was granted discretionary intervention powers by extending the scope of its current intervention and sanctioning powers towards a cross-border and consolidated supervision covering local, foreign and other group companies relating to information provision, financial and capital requirements, and the authority to execute on-site inspections abroad.
There are no specific banking regulatory requirements that involve ESG matters. However, in October 2021 the Congress passed a law that entitles financial entities and government agencies to issue and register “thematic bonds” for public offer. These securities can be issued to finance specific investment themes such as climate change, health, food, education and access to financial services, and target specific sustainable development goals (SDGs) through investing.
According to Article 5 of this Law, all financial regulatory agencies, including SUGEF, must recommend regulatory changes to CONASSIF. This requires regulated entities to include sustainable or responsible investment strategies in their policies. In this way, not only do funds managed by these entities create revenue, but part of this investment can be directed into activities, works and projects that contribute to the fulfilment of SDGs and the National Climate Change Strategy.
Therefore, it is expected that a regulation could be implemented to allow all financial entities to include SDGs in their investment policies, along with financial returns and revenue.
Although there is no direct reference to DORA (the Digital Operational Resilience Act), in July 2024, CONASSIF approved a comprehensive reform to the Information Risk Management General Regulation (“the Regulation”). The Regulation is a new version of that initially approved in 2017. Its aim is to establish the minimum requirements to be officially met by all supervised entities and companies within the Costa Rican financial system in respect of the governance and management of information technology and associated risks.
Pursuant to the Regulation, supervised entities and companies must design, implement, monitor and maintain a governance and IT management framework in accordance with: i) organisational strategy; ii) risk appetite, tolerance, and capacity; and iii) the size, complexity, business models, and policies approved by the governing body.
The supervised entities and companies must apply international standards, best practices, and reference frameworks developed by the technology industry to implement the governance and IT management framework without compromising compliance with the provisions established in the Regulation. They will also be required to design, implement, maintain and monitor any information security management system that includes provisions on information security and cybersecurity set down in the Regulation.
The Regulation establishes a series of obligations and responsibilities that must be fulfilled by senior management, the Information Technology Committee, Internal Audit, and the Risk Management department of each entity. As part of the obligations set out, supervised entities and companies must develop a technology profile and update it annually. An external IT audit of the governance and IT management framework must also be carried out each year.
The information security management system must permit controls that enable risk-based measures to protect information assets and the assets supporting these from information security and cybersecurity risks. These controls must be included in a statement of applicability, and their attributes laid out in the Regulation’s general guidelines.
International standards, best practices or reference frameworks related to information security and cybersecurity developed by the technology industry may be used to implement the information security management system.
Based on risks identified, the superintendencies may require the inclusion in the information security management system of information security and cybersecurity practices and controls.
Supervised entities and companies must manage cybersecurity to meet business requirements and ensure operational resilience of all digital functions, establishing indicators to regularly measure the effectiveness and efficiency of cybersecurity. They must also design and implement a process for managing information security and cybersecurity incidents that incorporates the phases of incident management as established in the general guidelines of the Regulation.
When an information security or cybersecurity breach is identified, supervised entities and companies must determine its potential impact in accordance with the classification model presented in the Regulation’s general guidelines.
The incident-management process must include a response plan for information security and cybersecurity incidents, as well as controls to allow the collection of evidence for forensic analysis.
An information security and cybersecurity incident response function must be set up in accordance with the structure, size, service channels, transaction volume, number of clients, risk assessment and services provided by each supervised entity and company. If the confidentiality or integrity of client information is compromised due to an information security or cybersecurity breach, the entities and companies must notify the clients affected. It will be the responsibility of the supervised entities and companies to define the type, scope, and minimum content of the communication, which must be timely, clear, and appropriately tailored to the nature of the incident.
SUGEF and CONASSIF requested a legal opinion from the General Attorney of the Republic regarding the legality and operation of the fintech industry where it has obtained financial resources from the public. According to the legal opinion recently issued by this entity, fintech platforms must keep functioning as an aggregated service to the banking and financial supervised industry.
Fintech operators are not permitted to accept deposits from the public or open individual accounts, as they are not authorised to engage in financial intermediation under the current legal framework.