NCG 454: Operational Risk & Cybersecurity for Financial Entities
The CMF’s General Standard No. 454 sets the operational and technological risk management framework for regulated Chilean financial entities.
What is NCG 454?
NCG 454 (Norma de Carácter General N° 454) is the rule issued by the Comisión para el Mercado Financiero (CMF) that consolidates the operational and technological risk management framework applicable to the financial entities it supervises. The standard translates supervisory expectations around governance, continuity, outsourcing and cybersecurity into a set of concrete duties, with a tiered implementation that takes into account the size and complexity of each entity.
Where earlier CMF circulars addressed operational risk and information security separately, NCG 454 brings them under a single, principles-based framework and extends it to technology-driven incidents and cyber threats. It sits alongside sector-specific rules, such as RAN 20-10 for banks, and must be read together with the obligations introduced by Chile’s 2024 Cybersecurity Framework Law 21.663.
Scope and addressees
The standard reaches the full catalogue of entities supervised by the CMF: banks, cooperatives, securities intermediaries, general fund managers, insurance companies and other regulated financial intermediaries. Application is proportional: entities with greater size, complexity or systemic relevance face more demanding expectations, while smaller entities apply a simplified version of the same core duties.
Main obligations
- Governance. Board and senior management accountability for the operational and technological risk management framework, with a documented risk appetite and regular reporting.
- Risk management. Identification, measurement, control and monitoring of operational, technological and cyber risks, including risks arising from third parties and outsourcing.
- Business continuity. Continuity and recovery plans that cover critical processes, recovery time objectives and periodic testing.
- Cybersecurity. Cybersecurity programme with preventive, detective and responsive controls, a designated responsible function and incident management procedures.
- Incident reporting. Timely communication to the CMF of operational and cyber incidents that could affect the entity’s stability, customers or the integrity of the market.
Relation with the Cybersecurity Framework Law 21.663
NCG 454 and Law 21.663 operate in parallel; neither replaces the other. The CMF continues to exercise its supervisory powers over regulated financial entities, while the National Cybersecurity Agency (ANCI) adds a cross-sector regime of duties and incident notifications. Entities that qualify as operators of vital importance (OIV) need to coordinate reporting to both regulators and align their cybersecurity programmes with the requirements of both frameworks.
Further reading
- CMF cybersecurity & fintech regulation: comparative table
- NCG 461: corporate disclosure standard / Annual Report
- NCG 502: general fund managers (AGF) duties
- NCG 524: securities intermediaries
- RAN 20-10: bank operational risk management
- Cybersecurity in the Chilean financial sector
- Cybersecurity Framework Law 21.663
- Operators of Vital Importance (OIV)
- Cybersecurity overview
- CMF NCG 454 (official text, PDF)
Frequently asked questions
What is CMF NCG 454?
General Standard No. 454 (NCG 454) is the regulation issued by the Financial Market Commission (CMF) consolidating the operational and technological risk management framework, including cybersecurity, applicable to supervised financial entities. It replaces dispersed prior instruments and operates under a principles-based approach with proportional application according to entity size and complexity.
Which entities does NCG 454 apply to?
It applies to the universe of CMF-supervised entities: banks, cooperatives, securities intermediaries, general fund managers, insurance companies and other regulated financial intermediaries. The intensity of obligations scales with the size and systemic relevance of the entity.
What operational and cybersecurity obligations does it impose?
The main obligations are: board accountability for the framework; identification, measurement, control and monitoring of operational, technological and cyber risks (including third-party risks); continuity and recovery plans with periodic testing; a cybersecurity programme with preventive, detective and responsive controls; and timely reporting to the CMF of incidents that may affect stability, customers or market integrity.
How does it relate to Law 21.663 (Cybersecurity)?
NCG 454 and Law 21.663 operate in parallel. The CMF retains supervisory authority over regulated financial entities; ANCI adds a cross-sector regime with its own incident notification. Entities designated as Operators of Vital Importance (OIV) must coordinate reporting to both regulators and align their programmes with the requirements of each framework.
What is the difference between NCG 454 and RAN 20-10?
NCG 454 is cross-cutting across the full CMF universe and operates on principles; RAN 20-10 is bank-specific and sets more detailed standards for banking operational risk management. In practice, banks comply with both: RAN 20-10 acts as a sectoral layer inside the general NCG 454 framework.
When did NCG 454 enter into force and what implementation timelines apply?
NCG 454 was issued by the CMF in 2021 and is being implemented on a phased basis according to entity size and complexity. Entities with greater systemic relevance face more demanding milestones for framework governance, continuity testing and incident reporting; smaller entities follow proportional schedules. The CMF supplements the standard with sector-specific instructions, which should be read together with the original text to set each institution’s internal roadmap.