The regulatory landscape and privacy as a priority

The booming financial technology industry has transformed the market for financial products and services. It includes a wide range of technology that allows users to make payments, obtain financing, invest and more. Fintech is attractive to both users and businesses because of the efficiency it offers by significantly reducing past challenges with time and distance. Inclusion is also a key aspect of fintech: It makes financial tool management accessible to multiple communities. However, the use of fintech raises privacy concerns due to a developing market and the lack of specific regulations in most jurisdictions.

In Costa Rica, legal compliance includes the regulatory framework for data protection, consumer protection and the financial system. Although Costa Rica does not have fintech-specific regulations, these companies must comply with existing overarching regulations.

Fintech companies manage sensitive customer data, and therefore data protection is particularly relevant. A fundamental goal of the privacy policy is that data subjects receive precise and transparent information about the processing of their data. Therefore, fintech organizations acting as data controllers must obtain individualized, specific, informed and freely given written consent from each user. The consent must reveal details of the database, such as the purpose, who is to have access to the information, whether and how the data is to be transferred, the data subject’s rights and how they can be exercised. In addition, the data controller must facilitate the exercise of the data subjects’ rights to access the data, change the data and revoke consent. The scope of these obligations is regulated by the Data Protection Act and its regulations, and compliance is monitored by the Data Protection Agency, Agencia de Protección de Datos de los Habitantes (PRODHAB). Failure to comply may result in administrative fines imposed by PRODHAB.

Another reason why compliance with privacy regulations is crucial is that the information fintech platforms process makes them an attractive target for cyber attacks. Statistics show cyber attacks have been on the rise since 2019. Therefore, fintech companies must have robust security protocols and security measures in place. Should a data breach occur, Costa Rican law gives the data controller a maximum of five business days to respond. Given this short time window, companies should have a mitigation plan ready in advance. It is also important for employees in the financial industry to be aware of how their behavior can make the company vulnerable to cyber threats. For this reason, privacy rules must be part of daily operations. A final aspect to consider is that fintech companies must transfer data safely and legitimately in accordance with the privacy rules.

When it comes to consumer protection rules, everyone who offers fintech products and services in Costa Rica must comply with consumer obligations and respect consumer rights. This includes providing clear and truthful information about the products and services to consumers. Non-compliance with this requirement has been identified as one of the concerns of the fintech industry. Fintech organizations should not be obscure about the terms of the contract or the full cost of the services and products they offer. Recently, Executive Decree No. 43270 was adopted to regulate consumer protection in the sphere of financial, commercial and microcredit operations offered to the consumer. This decree carefully regulates these operations and applies to fintech organizations that fall within its scope.

In terms of the financial system, the International Monetary Fund has described Costa Rica’s financial sector as very fragmented. The applicability of the financial system’s laws will depend on the fintech organization’s business model. When a fintech develops technology for a financial entity, it is the financial entity that is responsible for complying with the rules of the financial sector. Meanwhile, for organizations that use technology to provide services comparable to those offered by financial entities, a case-by-case analysis should be performed to determine which regulations apply. Consequently, not all fintech companies are subject to the same rules.

Mexico and Brazil have already developed fintech-specific rules. Most notably, Mexico’s 2018 law focuses on regulating financial technology institutions, virtual assets such as cryptocurrencies, application programming interfaces, and temporary authorizations for innovation testing (sandboxes). Regarding privacy, the Mexican Personal Data Act is in force, and the Fintech General Dispositions contain a chapter on cybersecurity. As one of the largest fintech markets in Latin America, Brazil has accommodated fintech development with specific legislation within the existing regulatory framework instead of producing a separate framework. The regulations in Brazil follow the principles of segmentation and proportionality. This approach has resulted in rules tailored to reflect the size, activities and risk profile of each entity. Brazil’s data protection law from 2018 regulates data protection, data processing and cybersecurity. The government has also issued cybersecurity guidelines specific to fintech organizations.

Given the popularity of the fintech sector, users and businesses need to prioritize privacy. With cyber attacks as serious threats, companies must do everything in their power to protect their business. In addition, all players in the fintech ecosystem can benefit from clear communication and compliance with existing regulations. Although Costa Rica has a lot to develop on the regulatory front, there are great opportunities for fintech organizations. Costa Rica can maintain prosperous fintech companies, and this will inevitably push the industry and legislation forward.
