CMF Regulation: Cybersecurity and Fintech Services
Comparative overview of the regulatory framework issued by the Chilean Financial Market Commission applicable to cyber risk management and to the provision of technological financial services in Chile.
The CMF's body of rules on cybersecurity and fintech has consolidated over recent years through different instructions for banks, supervised entities and providers of financial services under Law 21.521. This table summarizes the scope, addressees and key obligations of each rule, with links to the specific analysis.
| Regulation | Scope of application | Key obligations | Detail |
|---|---|---|---|
| RAN 20-10 CMF, 2018 | Banks and banking entities supervised by the CMF. | Information security management, IT corporate governance, incident management and operational continuity. | View analysis → |
| NCG 454 CMF, 2021 | Entities supervised by the CMF beyond banks: insurance companies, securities intermediaries and other market operators. | Comprehensive management of cyber risks, incident reporting, periodic self-assessment and IT corporate governance obligations. | View analysis → |
| NCG 502 CMF, 2023 | Technological financial service providers registered under Law 21.521 (Fintech Law). | Registration with the CMF registry, capital and solvency requirements, corporate governance, risk management and information obligations. | View analysis → |
| NCG 524 CMF, 2024 | Amendment to NCG 502 issued by the CMF in 2024. | Adjustments to registration requirements, deadlines and operational obligations of regulated fintech providers. | View analysis → |
The individual analysis of each regulation is complemented by reading the general framework of Law 21.663 on Cybersecurity, particularly for services under dual CMF-ANCI supervision.
