CMF regulation

NCG 454: Operational Risk & Cybersecurity for Financial Entities

The CMF’s General Standard No. 454 sets the operational and technological risk management framework for regulated Chilean financial entities.

This page walks through NCG 454 in four steps: what the standard is and what it consolidates, which entities it reaches, the specific operational and cybersecurity obligations it imposes, and how it fits alongside the Cybersecurity Framework Law 21.663. It closes with the frequently asked questions and the official source.

What is NCG 454?

The starting point is what the standard consolidates and how it changed the CMF supervisory approach.

NCG 454 (Norma de Carácter General N° 454) is the rule issued by the Comisión para el Mercado Financiero (CMF) that consolidates the operational and technological risk management framework applicable to the financial entities it supervises. The standard translates supervisory expectations around governance, continuity, outsourcing and cybersecurity into a set of concrete duties, with a tiered implementation that takes into account the size and complexity of each entity.

Where earlier CMF circulars addressed operational risk and information security separately, NCG 454 brings them under a single, principles-based framework and extends it to technology-driven incidents and cyber threats. It sits alongside sector-specific rules, such as RAN 20-10 for banks, and must be read together with the obligations introduced by Chile’s 2024 Cybersecurity Framework Law 21.663.

Before the duties themselves, it helps to know who is inside the perimeter.

Scope and addressees

The standard reaches the full CMF universe, and its intensity scales with each entity.

The standard reaches the full catalogue of entities supervised by the CMF: banks, cooperatives, securities intermediaries, general fund managers, insurance companies and other regulated financial intermediaries. Application is proportional: entities with greater size, complexity or systemic relevance face more demanding expectations, while smaller entities apply a simplified version of the same core duties.

For those entities, the standard sets out five families of concrete obligations.

Main obligations

These are the duties that structure the framework, from governance to incident reporting.

  1. Governance

    Board and senior management accountability for the operational and technological risk management framework, with a documented risk appetite and regular reporting.

  2. Risk management

    Identification, measurement, control and monitoring of operational, technological and cyber risks, including risks arising from third parties and outsourcing.

  3. Business continuity

    Continuity and recovery plans that cover critical processes, recovery time objectives and periodic testing.

  4. Cybersecurity

    Cybersecurity programme with preventive, detective and responsive controls, a designated responsible function and incident management procedures.

  5. Incident reporting

    Timely communication to the CMF of operational and cyber incidents that could affect the entity’s stability, customers or the integrity of the market.

These duties do not operate in isolation: they intersect with the cross-sector regime introduced in 2024.

Relation with the Cybersecurity Framework Law 21.663

The two regimes coexist, and some entities must answer to both regulators at once.

NCG 454 and Law 21.663 operate in parallel rather than in substitution. The CMF continues to exercise its supervisory powers over regulated financial entities, while the National Cybersecurity Agency (ANCI) adds a cross-sector regime of duties and incident notifications. Entities that qualify as operators of vital importance (OIV) need to coordinate reporting to both regulators and align their cybersecurity programmes with the requirements of both frameworks.

The most common questions about the standard and its implementation are answered below.

Frequently asked questions

Scope, obligations, deadlines and the interaction with other regimes.

What is CMF NCG 454?

General Standard No. 454 (NCG 454) is the regulation issued by the Financial Market Commission (CMF) consolidating the operational and technological risk management framework, including cybersecurity, applicable to supervised financial entities. It replaces dispersed prior instruments and operates under a principles-based approach with proportional application according to entity size and complexity.

Which entities does NCG 454 apply to?

It applies to the universe of CMF-supervised entities: banks, cooperatives, securities intermediaries, general fund managers, insurance companies and other regulated financial intermediaries. The intensity of obligations scales with the size and systemic relevance of the entity.

What operational and cybersecurity obligations does it impose?

The main obligations are: board accountability for the framework; identification, measurement, control and monitoring of operational, technological and cyber risks (including third-party risks); continuity and recovery plans with periodic testing; a cybersecurity programme with preventive, detective and responsive controls; and timely reporting to the CMF of incidents that may affect stability, customers or market integrity.

How does it relate to Law 21.663 (Cybersecurity)?

NCG 454 and Law 21.663 operate in parallel. The CMF retains supervisory authority over regulated financial entities; ANCI adds a cross-sector regime with its own incident notification. Entities designated as Operators of Vital Importance (OIV) must coordinate reporting to both regulators and align their programmes with the requirements of each framework.

What is the difference between NCG 454 and RAN 20-10?

NCG 454 is transversal to the full CMF universe and operates on principles; RAN 20-10 is bank-specific and sets more detailed standards for banking operational risk management. In practice, banks comply with both: RAN 20-10 as a sectoral layer inside the general NCG 454 framework.

When did NCG 454 enter into force and what implementation timelines apply?

NCG 454 was issued by the CMF in 2021 and is being implemented on a phased basis according to entity size and complexity. Entities with greater systemic relevance face more demanding milestones for framework governance, continuity testing and incident reporting; smaller entities follow proportional schedules. The CMF supplements the standard with sector-specific instructions, which should be read together with the original text to set each institution’s internal roadmap.

Further reading

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.