CMF Regulation: Cybersecurity and Fintech Services
Comparative overview of the regulatory framework issued by the Chilean Financial Market Commission applicable to cyber risk management and to the provision of technological financial services in Chile.
The CMF's body of rules on cybersecurity and fintech has consolidated over recent years through different instructions for banks, supervised entities and providers of financial services under Law 21.521. This table summarizes the scope, addressees and key obligations of each rule, with links to the specific analysis.
| Regulation | Scope of application | Key obligations | Detail |
|---|---|---|---|
| RAN 20-10 CMF, 2018 | Banks and banking entities supervised by the CMF. | Information security management, IT corporate governance, incident management and operational continuity. | View analysis → |
| NCG 454 CMF, 2021 | Entities supervised by the CMF beyond banks: insurance companies, securities intermediaries and other market operators. | Comprehensive management of cyber risks, incident reporting, periodic self-assessment and IT corporate governance obligations. | View analysis → |
| NCG 502 CMF, 2023 | Technological financial service providers registered under Law 21.521 (Fintech Law). | Registration with the CMF registry, capital and solvency requirements, corporate governance, risk management and information obligations. | View analysis → |
| NCG 524 CMF, 2024 | Amendment to NCG 502 issued by the CMF in 2024. | Adjustments to registration requirements, deadlines and operational obligations of regulated fintech providers. | View analysis → |
The individual analysis of each regulation is complemented by reading the general framework of Law 21.663 on Cybersecurity, particularly for services under dual CMF-ANCI supervision.
Related general framework
Frequently asked questions
What does CMF regulation cover on cybersecurity and technology risk?
It covers four instruments in force: RAN 20-10 (banking sector, 2018), NCG 454 (cross-sector operational and technology risk framework, 2021), NCG 502 (Fintec providers under Law 21.521, 2023) and NCG 524 (amendments to NCG 502, 2024). Together they define the information security, cybersecurity and operational resilience regime applicable to CMF-supervised entities.
How does RAN 20-10 differ from NCG 454?
RAN 20-10 is bank-specific and sets detailed requirements for banks. NCG 454 is transversal across the full CMF universe (banks, cooperatives, securities intermediaries, fund managers, insurance companies, Fintec providers) and operates under a principles-based approach with proportional application. Banks comply with both: NCG 454 as the general framework and RAN 20-10 as the detailed sectoral layer.
How are Fintec providers registered with the CMF?
Registration and authorisation are governed by NCG 502 (2023), as amended by NCG 524 (2024). NCG 502 details requirements per business line (crowdfunding, alternative transaction systems, credit advisory, investment advisory, custody, order routing and open finance). NCG 524 introduces adjustments — including an authorisation carve-out for providers serving exclusively qualified investors — that should be reviewed before filing.
How does CMF regulation relate to Cybersecurity Law 21.663?
CMF rules (RAN 20-10, NCG 454, NCG 502, NCG 524) and Law 21.663 operate in parallel. The CMF retains supervisory authority over regulated entities; ANCI adds a cross-sector regime with its own incident notification (short timelines) and information-security requirements. Entities designated as Operators of Vital Importance (OIV) must coordinate reporting to both regulators and consolidate the requirements into an integrated programme.
What does NCG 524 (2024) change?
NCG 524, issued in December 2024, amends NCG 502 section by section: it refines the concept of "prior intent of intermediation", rewrites the exclusive-purpose and domicile exceptions, creates an authorisation carve-out for providers serving only qualified investors and adjusts the registration request. It applies with immediate effect and providers should review their status against the amended text.
