Fintech 2024 Comparisons

In 2023, Costa Rica’s fintech sector continued to demonstrate its dynamism and resilience. With an estimated growth in the number of fintech companies of more than 20% over the last year, the outlook for 2024 is even more promising. There are at least three relevant private organisations currently working to foster fintech innovation:

• the Central American Fintech Association (AsoFintech);
• the Chamber of Information and Communication Technologies (CAMTIC) – particularly its fintech section; and
• the Costa Rica Blockchain Association (AsoBlockchain).

Since 2023, these entities have signed collaboration agreements between them, looking to generate closer, more collaborative and productive work. This is certainly promising for the evolution of the local fintech sector and the interaction with other stakeholders, such as regulators, financial entities and other government authorities.

In addition, banks and other financial institutions are increasingly willing to work together with the fintech sector, as part of the remarkable progress they have made in their digital transformation processes. 

From a regulatory perspective, it is important to highlight the approval in February 2023 of the Regulations on Centralised Registries of Electronic Bills of Exchange and Promissory Notes, which complement Law 10.069 on Electronic Bills of Exchange and Promissory Notes, effective since December 2021. These Regulations will allow the creation of entities (Centralised Registries) that will be authorised to register the issuance, custody, transfer and other acts related to electronic promissory notes and bills of exchange.

This is considered a significant step towards the goal of completing a totally digitised experience for the creation of valid promissory notes and bills of exchange, which are critical for the credit sector, since such documents are the most used for documenting loans in Costa Rica and in collection processes, both by incumbent and fintech lenders. As of February 2024, no Centralised Registries have yet been authorised. 

Regarding the legislative landscape, it is worth noting two bills of law proposed for discussion in the Legislative Assembly.

The Crypto-Assets Market Law

This bill of law, named the “Crypto-Assets Market Law”, seeks to establish a legal definition of crypto-assets and their categories – based on international examples such as the MiCA Regulation in Europe – as well as to regulate their ownership, use, liabilities and tax regime. It also proposes to delimit the way in which crypto-assets service providers can register, for purposes of preventing money laundering, and the possibility of being admitted into the real-time payment system (SINPE) administered by the Central Bank.

The Law on Collaborative Financing Platforms

A bill of law that intends to establish crowdfunding as a supervised activity, known as the “Law on Collaborative Financing Platforms”, would appoint the Superintendence of Securities (SUGEVAL) as the regulatory entity in charge of supervising the activity of connecting investors and recipients of resources to finance productive projects through the issuance of securities – either debt or equity – traded exclusively through the authorised platforms. This bill intends to help start-ups and small businesses in their moving from the emerging phase to the expansion phase, by facilitating access to funding in early stages.

Lastly, and although not yet officially presented as a bill of law, it is very likely that the Superintendence of Financial Entities (SUGEF) will work with members of the Legislative Assembly to obtain support for a project intending to regulate fintech companies receiving money from the public through digital wallets (to be referred to as “non-banking payment account entities”), and will probably look to distinguish this activity from the traditional checking and savings accounts offered by incumbent entities.

The main fintech business models or “verticals” in Costa Rica are the payments and alternative financing sectors, which account for nearly two thirds of the existing initiatives. This reflects a similar result seen in other emergent markets. 

On the payments side, it is worth noting that in Costa Rica the SINPE Móvil instant (and free) payments service, offered by the Costa Rica Central Bank (BCCR) and consequently by all local banks, is very popular and has grown significantly in the last few years, particularly since the COVID-19 pandemic. Any person can easily link an account in local currency to a smartphone number, to be able to seamlessly send and receive transfers and payments at no cost (up to a certain amount). 

Regarding platforms for alternative financing, a growing number of fintech companies in Costa Rica have been offering such services; typically centered around personal loans and microloans.

Other important activities include:

• remittances;
• technology service providers, such as for software and applications for financial institutions; and
• digital asset exchanges.

Notwithstanding that there is no specific fintech regulation in Costa Rica, the regulatory regime applicable to industry participants in the main fintech verticals includes several laws and regulations concerning certain activities – for example, as follows.

• AML-KYC: industry participants in several fintech verticals are included within the non-financial entities that are supervised by SUGEF, solely in relation to know-your-customer requirements, and the prevention of money laundering and the financing of terrorism (KYC-AML).
• Payment system (SINPE): these rules issued by the BCCR allow certain fintech companies to participate in the SINPE, subject to their being supervised by SUGEF for KYC-AML purposes, as mentioned above.
• Digital signatures and electronic documents: the purpose is to regulate the principle of “functional equivalence” of electronic documents in relation to physical documents, as well as the functional equivalence of digital signature with respect to handwritten signatures.
• Consumer protection: besides general regulations on consumer protection, there are also specific rules applicable to electronic commerce activities.
• Personal data protection: this regulation aims to guarantee the protection of automated or manual processing of personal data.
• Payment cards system: applicable to payment gateways, aggregators, and credit and debit card issuers, including registration with the Central Bank.

In general, industry participants can determine their own compensation model to be proposed to their customers, given there are no specific regulations for the fintech sector. For credit and debit card issuers, the regulations now establish caps on the interest rates that can be charged to customers, as well as caps for the acquiring and interchange fees that can be charged to merchants.

As for any other businesses, industry participants must comply with general consumer protection regulations, which require that all information provided to customers, including price, must be disclosed in a clear, true, precise and timely fashion.

There is no specific regulation for the fintech sector in Costa Rica, which presents both opportunities and risks for fintech entrepreneurs. Fintech companies are still subject to general business regulations such as regarding data protection, KYC-AML supervision (in most cases) and consumer protection; but the absence of industry-specific regulations in the fintech sector allows for both greater flexibility and innovation, as well as leads to uncertainty.

Conversely, incumbent institutions in the financial industry operate in an increasingly highly regulated environment; while the regulatory landscape for fintech participants is still evolving.

Costa Rica does not have a regulatory sandbox. The creation of such a project would probably require a new law or the amendment of existing laws. Because of this, and with the purpose of following similar experiences in other Latin American countries, the financial authorities opened a Financial Innovation Hub (CIF) in April 2022 with support and advice from the Inter-American Development Bank. This hub is still in a development phase, and there is growing discussion in the fintech entrepreneurship community as to whether it will indeed develop further. 

Costa Rica has several governmental entities that exercise supervision and have regulatory competence over activities that include or may include different fintech verticals.

For example, the Central Bank of Costa Rica (BCCR) is legally responsible for the administration and regulation of the payment system (SINPE), which includes real-time money transfers, and in this capacity determines which entities can access this system – in addition to financial intermediaries and certain government entities that were included in SINPE a long time ago.

The BCCR also has regulatory competence over the payment cards system, which includes the possibility of issuing regulations regarding credit, debit and prepaid cards and establishing maximum acquiring and interchange fees, transactional limits, etc.

The BCCR is also responsible for calculating, on a semi-annual basis, the maximum interest rates that can be established in the country for credit operations, both in local currency and in US dollars.

The General Superintendency of Financial Entities (SUGEF) has the legal responsibility to supervise financial intermediaries, but is also in charge of supervising AML-related matters, a wide variety of non-banking and non-financial companies (such as those dedicated to payment services, remittances, trust and escrow services) and others.

The BCCR requires that fintech companies applying for admission to SINPE be previously registered with SUGEF for such AML supervision. Therefore, fintech companies that are dedicated to payment and credit verticals may end up being supervised by both these entities. Furthermore, such activity may also imply the supervision of the Consumer Commission of the Ministry of Economy, Industry and Commerce (MEIC), for general consumer protection matters.

Other government entities that could have competence to carry out supervision of fintech companies, depending on the vertical, include:

• the General Superintendency of Securities (SUGEVAL), which is responsible for supervision in matters of securities, and public and private offers;
• the General Superintendency of Insurance (SUGESE), which is responsible for the supervision of the insurance market; and
• the data protection agency, PRODHAB.

Some of the functions that financial entities and fintech companies need to provide their services can be outsourced, but there is no specific regulation for the latter. For incumbents under supervision, there are rules that demand them to have operational risk policies, procedures and controls in place to guide the process of choosing and hiring service providers. They also have to keep track of the processes or services they outsource. These agreements usually cover:

• service levels;
• duties related to information security;
• contingency plans, especially for essential services; and
• service continuity, provider availability and cybersecurity.

Fintech industry participants are not directly regulated by these rules, but they are impacted by these operational risk policies when they offer their services to financial entities, and also when they seek authorisation to join SINPE, since the BCCR does ask applicants to reveal any outsourcing contracts for IT operations.

Fintech providers must act as gatekeepers for KYC-AML purposes. They have the duty to identify and report suspicious or unlawful behaviours of their customers. 

SUGEF and SUGEVAL often alert the public about unauthorised and possibly risky companies or individuals that have been reported or identified as carrying out activities without proper licence. 

Also, in 2023 there was no agreement between SUGEF and the BCCR on how to regulate the activities of certain fintech companies in the payments vertical, especially regarding digital wallets admitted to operate in SINPE. After discussions and preventative enforcement actions from SUGEF on several of the fintech companies involved, both entities decided to ask for a formal interpretation of the regulations by the government attorney general, which is still yet to be resolved. Moreover, SUGEF prepared a draft law aiming to regulate these fintech verticals.

Data privacy laws and regulations are of general application in Costa Rica, with incumbent banks also being subject to specific banking secrecy laws.

Regulators impose strict rules on risk management for legacy players, which require them to set up strategies, policies and procedures to avoid and reduce risks in areas such as (among others):

• information technology;
• cybersecurity
• outsourcing; and
• business continuity.

Fintech companies do not face these requirements for their activities unless they offer services to financial institutions or seek to join SINPE.

Some companies, such as fintech verticals, that are not financial entities can be considered as high risk by SUGEF for KYC-AML regulation purposes. This means they must perform external audits for their KYC-AML procedures and send them to the regulator. Companies that provide technology services to financial institutions also need to be evaluated by those incumbents as part of the risk-mitigation policies they must follow, as mentioned previously.

Regulated activities such as financial intermediation, public offerings of securities and financial instruments, and securities intermediation services – including advisory services – can only be provided by licensed entities. 

Other activities such as remittances, payments, management of funds, granting credit facilities, etc, do not need a licence per se; however, the companies providing the services must register with SUGEF to be supervised for KYC-AML purposes. Some of these services can be offered by the same legal entity but others may need to be offered separately.

AML and sanctions rules affect fintech companies that offer any of the activities requiring registration with SUGEF for KYC-AML purposes.

First, they have to meet all the requirements for such registration, including strong policies and procedures and a suitable internal structure based on their risk category as determined by SUGEF.

Second, registration with SUGEF is a condition for local banks to open and keep savings or checking accounts for fintech companies. Relevant sanctions can be imposed on companies operating without registration.

Costa Rica does not yet have any rules concerning robo-advisers. The existing legal framework for traditional players only allows individuals to provide investment advice.

Over the years, legacy players have increasingly used automated assistants for customer service and onboarding processes. However, this trend has not yet reached investment advisory services or wealth management.

The local exchange has set regulations on best execution, so brokers and dealers need to have internal rules and policies for executing transactions (for themselves or for their customers). These rules have to cover:

• timely execution;
• access to best prices (Costa Rica does not allow dark pools);
• transparency;
• market integrity;
• avoidance of insider trading;
• duty of care;
• controls; and
• auditability.

The BCCR sets the maximum interest rates that borrowers must pay lenders in credit transactions every six months. The regulation defines what factors are used to determine this rate, which is different for two categories: microcredits (for amounts below a certain threshold) and other operations. All credit providers in the country have to follow these regulations and limits. 

Additionally, the “development banking system” is a legal framework designed to fund and support feasible and viable projects of micro, small and medium-sized enterprises (SMEs). This system allows SMEs to access loans with better conditions. Fintech companies are not currently authorised as operators in this system.

Underwriting on the public offering market can take different shapes, involving banks and stock exchange booths. The private offering market can have more flexible contracts. There are two types of underwriting in local primary markets: firm commitment underwritings and guaranteed underwritings. Banks or broker-dealers can perform these in the regulated markets. Private offer markets are not regulated, but they often follow the practices of the regulated market.

Some common sources of funding for loans are:

• deposits;
• capital raised by lenders;
• subordinated debt; and
• public or private issuances.

The fintech market in Costa Rica has not yet developed a peer-to-peer segment, although some initiatives have started recently. Fintech companies that offer loans in Costa Rica cannot take money from the public, so they must obtain the funds from investors or from mezzanine loans.  Non-regulated companies can perform securitisations, and they must comply with the legal requirements to avoid performing financial intermediation, which requires a licence.

There are no legal limitations for the syndication of these loans, although this is not a common practice for industry participants.

SINPE is the payment rail provided by the BCCR. This system allows for payment processing, dedicated to this activity, for legacy players and industry participants who have been previously authorised. It is the most popular payment system in the country by far. However, there are no legal limitations for using other types of payment rails.

There is no specific regulation for the activity of cross-border payments or for remittances. Cross-border payments are usually linked to the traditional services offered by incumbent entities, and remittances are connected to a wider industry that includes some fintech companies. Regulations on KYC-AML require that companies offering remittance services register with SUGEF.

In general, those who manage third-party resources, including through trusts, must register with SUGEF for KYC-AML purposes.

If a public offering is made, fund administrators are subject to regulation – ie, investment fund management companies and pension funds.

How fund administrators guarantee their performance and accuracy can differ based on whether they are regulated or not. In the regulated sector, the legal rules provide most of the guidance on performance and accuracy standards. For non-regulated entities, this depends on the agreements between the parties.

The national stock exchange exists for publicly traded securities, and over-the-counter transactions are not allowed. For other financial instruments, such as financial derivatives, the regulator can approve alternative markets based on public/private offer criteria. There is also a commercial merchandise exchange that intends to allow the negotiation of commodities, real estate and other goods. 

The regulation of asset classes in Costa Rica varies depending on the type of asset. The main source of regulation for these is the Civil Code. There is no legal framework yet for digital assets.

As stated in 1.1 Evolution of the Fintech Market, a bill of law named the “Crypto-Asset Market Law” seeks to establish a legal definition of crypto-assets and their categories – based on international examples such as the MiCA Regulation in Europe – as well as to regulate their ownership, use, liabilities and tax regime. It also proposes to delimit the way in which crypto-asset service providers can register, for purposes of preventing money laundering, and the possibility of being admitted into the real-time payment system (SINPE) administered by the BCCR. 

In 2021, another bill of law was proposed to include digital-assets service providers as regulated entities exclusively for KYC-AML purposes; however, it did not receive support in the Legislative Assembly.

Some cryptocurrency exchanges are operating in Costa Rica, since there are no legal limitations for a person buying or selling crypto-assets at their own risk. However, owing to the lack of regulations, financial entities are still reluctant to allow their customers to use their accounts for these trades.

The regulator sets the listing standards for securities exchanges that are registered. In order to be listed, securities have to meet certain requirements depending on whether they are debt instruments, capital instruments, mutual funds shares or structured finance products.

Securities have to be standardised, registered in electronic form, and have at least 200 securities per issuance for the issuer to have an external audit and a prospectus be registered. Since registered securities are not allowed to trade on OTC markets, every issuance has to be listed on the local stock exchange market.

The stock exchange sets the handling rules in Costa Rica. For each market that it organises, the stock exchange makes its own rules. The rules are designed to promote transparency and follow the Market Conduct Rules set by the exchange.

There are no regulations on peer-to-peer platforms in Costa Rica. As previously mentioned, a bill of law intending to establish crowdfunding as a supervised activity was recently presented to the Legislative Assembly.

In publicly traded markets, the usual standards of best execution for customer trades are applicable. For activities that are not regulated, there are no standards for best execution. Any misbehaviour would have to be resolved voluntarily by the participants or in local courts.

Broker-dealers are allowed to carry out trades in the local exchange. They can receive order flow from banks or unregulated financial advisers. Also, they can receive payments for directing order flow to international markets in which they cannot operate directly. The securities intermediation regulations establish certain requirements for regulated entities – they must:

• obtain clients’ acceptance;
• disclose whether they get any payment; and
• follow their policies in choosing the service provider.

For non-regulated entities, there are no such rules.

SUGEVAL is the entity in charge of regulating the securities market in Costa Rica. Its main functions include:

• ensuring transparency;
• correcting price formation;
• investor protection; and
• the dissemination of information necessary to ensure these objectives.

SUGEVAL establishes regulations and standards that entities must comply with to guarantee integrity in the securities market, and to ensure transparency, investor protection and the prevention of abuse in negotiations.

In addition, supervised entities, such as brokerage firms and investment fund managers, should establish their own internal policies and procedures to help maintain market integrity (consistent with SUGEVAL’s regulations), and should design mechanisms to prevent abusive practices and ensure investor confidence.

There are no regulations on this subject.

Market makers are securities intermediaries authorised like brokerage firms and local banks to act as such. Their main function is to promote liquidity and co-operate in the distribution of the Ministry of Finance’s debt in the securities market.

There are no regulations on this subject.

There are no regulations on this subject.

There are no regulations on this subject.

The activity of providing up-to-date and accurate data on the prices of securities traded on the stock market is regulated, and requires prior authorisation from SUGEVAL. Other financial research platforms do not have specific requirements for registration, so anyone who wishes to engage in this activity can do so without the need for prior authorisation; however, they must comply with generally applicable legislation, such as data privacy regulations.

In general terms, consumer protection regulation requires merchants to give consumers clear and correct information, and sets fines for those who do not follow these rules. Moreover, the financial sector regulations give regulators the authority to stop any false or deceptive advertising by supervised entities.

The law specifies criminal sanctions for certain cases where false or misleading information or situations are presented, or where real information or situations are changed or hidden such that this changes the price of securities traded on the stock market, in order to make a profit or to harm another market participant.

Currently, platforms regulate themselves by deciding how to handle the discussions that users post, so they are responsible for moderating content. They may also respond to reports from other users or from a public agency or private entity.

Costa Rica does not have a legal framework for underwriting as an insurance activity. Only registered intermediaries or insurance companies can sell insurance products. There are three types of intermediaries that are allowed to register:

• insurance agencies;
• insurance brokerage firms; and
• self-issued insurance operators.

The law regulates how these entities can sell insurance products. 

Also, each insurance company must follow a manual of policies and procedures for direct insurance marketing and through insurance intermediaries. This manual must be consistent for all insurance intermediaries that the insurance company approves and for insurance brokerage companies, with different provisions depending on whether they are agents not associated with an insurance agency company, self-issued insurance operators or insurance brokers. Insurance brokerage firms must also follow a manual of policies and procedures for selling insurance products, as the local regulations require.

The insurance policies available in Costa Rica are regulated differently depending on category. There are two categories of insurance policies in Costa Rica – personal and general:

• personal covers risks to life, health and physical integrity of people; and
• general covers risks to property, animals, plants or heritage.

Each category has a line (eg, life, fire, medical, etc) and these can be sold individually or collectively. Collective insurance policies have specific rules that apply to them.

Costa Rican law does not regulate regtech providers. However, legacy players who work with regtech providers have to follow their risk-mitigation policies and procedures for choosing and hiring external service providers.

Financial companies typically follow the industry standards for the terms and conditions that they have in their contracts with technology providers. These agreements usually address topics such as:

• service levels;
• uptime;
• cybersecurity;
• data protection;
• contingency plans (especially for critical services); and
• service continuity.

Costa Rica’s financial system has not seen any concrete applications of blockchain technology. There are some private sector initiatives and projects that have the backing of institutions such as the Inter-American Development Bank (eg, the LACChain network).

In 2021, SUGEF proposed a bill of law to the Legislative Assembly that would regulate digital assets service providers only for KYC-AML purposes. This project was not endorsed by the deputies for further debate.

Regulators remain cautious about blockchain technology and especially about crypto-assets, and have not taken or suggested any other specific measures related to blockchain technology.

Costa Rica has not issued any rules on blockchain technology and digital assets.

See also 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Costa Rica has not issued any rules on blockchain technology and digital assets.

Costa Rica has not issued any rules on blockchain technology, digital assets and trading platforms. Some cryptocurrency exchanges and bitcoin ATMs are active in Costa Rica, since there are no legal limitations on a person buying or selling crypto-assets at their own risk.  There is also a growing community of people promoting the trading of crypto-assets and encouraging their adoption. 

There are no regulations in Costa Rica for blockchain technology and digital assets. Some private funds that are not regulated have made investments in blockchain assets.

There are no regulations in Costa Rica for blockchain technology and virtual currencies.

There are no regulations in Costa Rica for decentralised finance platforms.

There are no regulations in Costa Rica for non-fungible tokens.

Costa Rica has not yet established any open banking regulations. Conversations about open banking and open finance have taken place, but there are no specific plans for related regulatory changes. The authors are aware that regulators, traditional players and the fintech ecosystem are informed of the tendencies to adopt open finance rules in Latin America.

Addressing the data privacy and data security issues posed by open banking will be important when Costa Rica is ready to consider more extensive regulatory changes for allowing the open banking model. For now, such issues are already demanding a lot of attention and work from all industry players.

Some of the most frequent elements of fraud in Costa Rica include:

• engaging in financial intermediation without authorisation;
• making public offers without authorisation; and
• offering or creating deceptive or fraudulent plans and schemes.

Regulators have a duty to monitor, halt and penalise (or report) any kind of fraud that jeopardises the stability and trust of the financial system. Typically, they pay more attention to dishonest or fraudulent offers and schemes, including those related to cybersecurity issues or trickery aimed towards obtaining passwords and bank accounts.