The thriving financial technology industry has transformed the financial products and services market. It encompasses a wide range of technology that allows users to make payments, obtain financing, invest and beyond. Fintech is attractive to users and companies alike due to the efficiency it offers by significantly reducing former challenges of time and distance. Also, inclusion is a key aspect of fintech: It makes managing financial tools accessible to more communities. However, the use of fintech raises privacy concerns due to an evolving market and the lack of specific regulations in most jurisdictions.

In Costa Rica, legal compliance includes the regulatory framework of data protection, consumer protection and the financial system. Although Costa Rica does not have fintech-specific regulations, these businesses must abide by the existing overarching regulations.

Fintech companies manage delicate customer data, which is why data protection is particularly relevant. A fundamental objective of privacy rules is that data subjects receive precise and transparent information about the processing of their data. Accordingly, fintech organizations as controllers must obtain individualized, specific, informed and freely given written consent from every user. The consent must disclose details of the database such as its purpose, who will have access to the information, if and how the data will be transferred, the data subject’s rights and how they can be exercised. Additionally, the controller must facilitate the exercising of the data subjects’ rights to access the data, modify the data and revoke consent. The extent of these obligations is regulated by the Data Protection Law, its regulations, and overseen by the data protection agency, Agencia de Protección de datos de los Habitantes. Failure to comply could lead to administrative fines imposed by PRODHAB.

Another reason compliance with privacy regulations is crucial is that the information fintech platforms process makes them an attractive target for cyberattacks. Statistics show cyberattacks have been on the rise since 2019. Therefore, fintech companies must have robust safety protocols and security measures in place. If a data breach were to occur, Costa Rican legislation provides the controller has a maximum of five working days to respond. Considering this short window of time, companies should be prepared with a developed mitigation plan. It is also imperative for finance industry employees to be aware of how their behavior could make the company vulnerable to cyber threats. For that reason, privacy policies need to be part of the day-to-day operations. A final aspect to consider is that fintech companies must transfer data safely and legitimately in accordance with privacy rules.

When it comes to consumer protection rules, anyone who offers fintech products and services in Costa Rica must comply with consumer obligations and observe consumer rights. This includes providing clear and truthful information about the products and services to the consumers. Failure to comply with this requirement has been identified as one of the fintech industry’s concerns. Fintech organizations should not be obscure about contracting conditions or the complete costs of the services and products they are offering. Recently, Executive Decree No. 43270 was enacted to regulate consumer protection in the sphere of financial, commercial and microcredit operations offered to the consumer. This decree regulates these operations closely and is applicable to fintech organizations that fall into its scope.  

Regarding the financial system, the International Monetary Fund has described Costa Rica’s financial sector as highly fragmented. The applicability of the financial system’s laws will depend on the fintech organization’s business model. When a fintech develops technology for a financial entity, it is the financial entity that is responsible for complying with the financial sector’s rules. Meanwhile, for organizations that use technology to provide services comparable to those provided by financial entities, a case-by-case analysis should be conducted to determine what regulations are applicable. Consequently, not all fintech companies are governed by the same rules.

Mexico and Brazil have already developed fintech-specific regulations. Most notably, Mexico’s 2018 Law to Regulate Financial Technology Institutions focuses on fintech and virtual assets such as cryptocurrency, application programming interfaces and temporary authorizations for innovation tests (sandboxes). Regarding privacy, the Mexican Personal Data Law is applicable, and the Fintech General Dispositions contain a chapter on cybersecurity. As one of the largest fintech markets in Latin America, Brazil has accommodated fintech development with specific legislation within the existing regulatory framework rather than producing a separate framework. Regulations in Brazil follow the principles of segmentation and proportionality. This approach has resulted in rules tailored to reflect the size, activities and risk profile of each entity. Brazil’s 2018 Data Protection Law regulates data protection, data processing and cybersecurity. The government has also issued policies for cybersecurity specific to fintech organizations.

Given the popularity of the fintech sector, users and businesses must make privacy a priority. With cyberattacks as serious threats, companies must do everything in their power to protect their business. Additionally, every player in the fintech ecosystem can benefit from clear communication and compliance with existing regulations. Although Costa Rica has much to develop on the regulation front, there is great opportunity for fintech organizations. Costa Rica can sustain prosperous fintech companies and this will inevitably push the industry and legislation forward.

Photo by Carlos Muza on Unsplash