
SUGEF 10-07. The Banking Fraud Law. 38 Victims Per Day. The Regulatory and Threat Landscape Has Changed — Has Your Security?

Costa Rica's financial sector faces converging pressures: new mandates requiring biometric authentication and real-time fraud detection, a law that shifts fraud liability to institutions, and a cybercrime crisis that doubled year-over-year. Compliance is no longer aspirational — it's existential.

668%

Increase in banking fraud from 2020 to 2024

38

Costa Ricans victimized by cyber fraud every day in 2025

June 2025

SUGEF 10-07 and SINPE Cybersecurity Norm compliance deadline

March 2026

Banking Fraud Law approved — liability shifts to institutions

Industry Overview

Costa Rica's financial ecosystem — 15 banks, 21 cooperatives, 12+ insurers, 55+ fintechs, and the entire SINPE infrastructure, which processed 648 million SINPE Movil transactions in 2024 — is under sustained attack. The OIJ reported over 10,000 cybercrime cases in 2024, a 90% increase over the prior year. In 2025 the number kept climbing, with complaints projected to reach 30,000 for the year, and 98% of reported cases are linked to organized crime.

The regulatory response is sweeping. SUGEF 10-07, effective June 1, 2025, mandates biometric authentication with liveness detection, real-time fraud monitoring, and comprehensive audit trails for all digital channels. The SINPE Cybersecurity Technical Norm requires annual cybersecurity audits across 16 control areas. And the Banking Fraud Law, approved March 5, 2026, shifts the burden of proof in fraud cases to financial institutions — banks must now reimburse stolen funds unless they can demonstrate the client acted with intent or negligence.

For institutions of every size — from state banks processing millions of transactions to small cooperatives serving rural communities — these changes mean cybersecurity investment is no longer a discretionary budget line. It's a legal requirement with direct financial consequences.

We work with banks, cooperatives, insurers, and fintechs to navigate this landscape: achieving regulatory compliance, implementing the technical controls mandated by SUGEF and the BCCR, securing digital channels, and building the client-facing platforms and AI systems that modern financial services require.

The Three Mandates Every Financial Institution Must Address

SUGEF 10-07 (Effective June 1, 2025)

The most comprehensive cybersecurity regulation in Costa Rica's financial history. Key requirements include:

  • Biometric authentication with liveness detection for secure channel access
  • Digital identity verification during client onboarding
  • Fraud detection through transactional pattern analysis
  • Multi-factor authentication for all digital banking channels
  • Device blocking after failed login attempts
  • Prohibition of recoverable credential storage (passwords may not be held in plaintext or in any reversibly encrypted form; only salted one-way hashes)
  • Full audit trails of all authentication events
  • Protection of digital channels throughout the entire customer lifecycle
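Three of the controls above (non-recoverable credential storage, blocking a device after repeated failed logins, and an audit trail of every authentication event) fit in one small authentication service. The following is an added illustration and is not code from SUGEF, the page's authors, or any product; the threshold values, the in-memory stores and the `AuthService` API are assumptions chosen for the example, and a real deployment would back them with a database and tuned KDF cost parameters.

```python
"""Added example (not from the original page): minimal authentication service
showing non-recoverable credential storage, per-device lockout after repeated
failures, and an append-only audit trail of authentication events.
All names, thresholds and stores are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5      # assumed policy value
LOCKOUT_SECONDS = 15 * 60    # assumed policy value


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes   # scrypt output; the password cannot be recovered from it


@dataclass
class AuthService:
    users: dict = field(default_factory=dict)      # username -> CredentialRecord
    failures: dict = field(default_factory=dict)   # (username, device_id) -> (count, locked_until)
    audit_log: list = field(default_factory=list)  # append-only list of event dicts

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF with a per-user salt: satisfies "no recoverable storage".
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = CredentialRecord(salt, self._hash(password, salt))

    def _audit(self, event: str, username: str, device_id: str, now: float, **extra) -> None:
        # Every outcome is recorded, including rejections while locked.
        self.audit_log.append({"ts": now, "event": event, "user": username,
                               "device": device_id, **extra})

    def login(self, username: str, password: str, device_id: str, now: float) -> str:
        """Returns "ok", "denied" or "locked". `now` is a Unix timestamp."""
        key = (username, device_id)
        count, locked_until = self.failures.get(key, (0, 0.0))
        if now < locked_until:
            # Device is blocked: reject without even checking the password.
            self._audit("login_rejected_locked", username, device_id, now, locked_until=locked_until)
            return "locked"
        if locked_until:
            count = 0   # lock has expired; start a fresh count

        rec = self.users.get(username)
        # Run the KDF even for unknown users so timing does not leak account existence.
        salt = rec.salt if rec else b"\x00" * 16
        candidate = self._hash(password, salt)
        ok = rec is not None and hmac.compare_digest(candidate, rec.digest)

        if ok:
            self.failures.pop(key, None)
            self._audit("login_success", username, device_id, now)
            return "ok"

        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            self.failures[key] = (count, now + LOCKOUT_SECONDS)
            self._audit("device_locked", username, device_id, now, failures=count)
            return "locked"
        self.failures[key] = (count, 0.0)
        self._audit("login_failure", username, device_id, now, failures=count)
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong", "phone-1", now=1000.0)
    print(svc.login("alice", "correct horse battery", "phone-1", now=1001.0))  # locked
    for e in svc.audit_log:
        print(e)
```

Keying the lockout on (account, device) blocks the device the failures came from without locking the legitimate client out of their other enrolled devices; an attacker can rotate device identifiers, so a production system pairs this with a per-account rate limit and alerting on lockout events.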

SINPE Cybersecurity Technical Norm (Compliance Deadline June 30, 2025)

Applies to all SINPE affiliates across 16 control areas including:

  • Cybersecurity awareness and training
  • Service provider risk management
  • Application security
  • Incident response
  • Secure software development
  • Network security

Mandates formal annual cybersecurity audits with documented compliance reports to the BCCR.

Banking Fraud Law (Approved March 5, 2026)

This law fundamentally changes the cost-benefit calculation for cybersecurity investment. Key provisions:

  • Banks must reimburse money stolen through electronic fraud
  • Burden of proof shifts to the financial institution to demonstrate client intent or negligence
  • 4-month investigation window per claim
  • 6-month implementation period to create victim assistance protocols

Active Threats Targeting Costa Rican Financial Institutions

Phishing & Fake Banking Portals

The dominant attack vector. Criminals create pixel-perfect replicas of banking websites and distribute links via SMS, email, and social media. The OIJ identified fake bank websites as the #1 fraud modality in 2025.

SIM Swapping

Attackers port a victim's phone number to a new SIM card, intercepting SMS two-factor authentication codes to authorize fraudulent transactions. This directly exploits SINPE Movil's phone-number-based architecture. The BCCR now requires users to report device changes to their financial institution. SMS one-time codes are a weak second factor for exactly this reason; device-bound or app-based authenticators are not defeated by a number port-out.

The "Accidental SINPE" Scam

Fraudsters claim to have sent money by mistake via SINPE Movil and demand immediate return. Variations include sending a small real transfer then claiming a larger amount, or using social engineering to extract transfer confirmation details.

Business Email Compromise

Targeting corporate accounts, treasury operations, and vendor payment processes. Check Point data shows Costa Rican organizations face 1,468 attacks per week — 55% above the Americas average.

The BCR Maze Precedent

In 2019-2020, the Maze ransomware group breached Banco de Costa Rica, accessing the network in August 2019, re-entering in February 2020 after the bank failed to fully remediate, and ultimately claiming to have exfiltrated 11 million credit card records. BCR confirmed the breach and reissued affected cards. The incident demonstrated that Costa Rican financial institutions are not immune to sophisticated, persistent threat actors.

Four Services Mapped to Financial Services

Cybersecurity for Financial Services

Regulatory compliance is the floor, not the ceiling. SUGEF 10-07, the SINPE Cybersecurity Norm, and the Banking Fraud Law establish minimum requirements — but compliance alone doesn't stop a motivated attacker. We help financial institutions meet every regulatory obligation while building security programs that address the actual threats targeting Costa Rican financial systems.

  • SUGEF 10-07 gap analysis and compliance roadmap — mapped to every article and requirement
  • SINPE Cybersecurity Technical Norm audit preparation across all 16 control areas
  • Banking Fraud Law protocol development: victim assistance workflows, evidence preservation, investigation frameworks
  • Vulnerability assessments and penetration testing of digital banking channels
  • Phishing simulation and security awareness training for all staff
  • Incident response planning and tabletop exercises
  • vCISO services for institutions that need strategic cybersecurity leadership without a full-time hire
  • MDR (Managed Detection & Response) through our US-based monitoring partner — 24/7 SOC coverage
  • Fraud detection architecture advisory: transactional pattern analysis systems (SUGEF 10-07 Art. 17)

Web Development for Financial Services

Your clients interact with your institution through digital channels — websites, portals, mobile interfaces. Those channels must be fast, accessible, secure, and compliant with SUGEF requirements for protecting digital interactions throughout the customer lifecycle.

  • Secure client portal development with MFA, session management, and encryption
  • Corporate website design meeting accessibility and security best practices
  • SINPE Movil integration for digital payment flows
  • Firma digital integration for authenticated transactions
  • Bilingual (ES/EN) institutional sites for international operations
  • WCAG 2.1 accessibility compliance
  • Core Web Vitals optimization and mobile-first responsive design

IT Solutions for Financial Services

Financial infrastructure demands higher availability, tighter security, and more rigorous monitoring than general business IT. Whether you're a cooperative managing 50 endpoints or a bank with multiple branches, your infrastructure must support always-on operations with zero tolerance for unplanned downtime.

  • Network architecture design with financial-grade segmentation and access controls
  • Cloud strategy and migration with Ley 8968 and SUGEF compliance for data residency
  • Business continuity and disaster recovery planning — tested, documented, and auditable
  • Endpoint management across branches, remote staff, and ATM/kiosk environments
  • 24/7 infrastructure monitoring with severity-based alerting and escalation
  • Annual cybersecurity audits as mandated by the SINPE Cybersecurity Technical Norm
  • Vendor management and ISP redundancy planning

AI & Digital Solutions for Financial Services

AI-powered fraud detection, automated compliance monitoring, and intelligent customer service aren't futuristic aspirations — they're the tools SUGEF 10-07 implicitly requires. Transactional pattern analysis, real-time anomaly detection, and automated alert systems are the practical implementations of Article 17's fraud detection mandate.
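As an added illustration of the transactional pattern analysis this passage and the threat section above describe (it is not code from the page's authors, SUGEF, or any product), the following rule-based analyser runs over a constructed batch of SINPE Movil-style transfer records and raises alerts for three patterns drawn from this page: a high-value transfer from a device enrolled only hours earlier (the SIM swap / device change case), a burst of outgoing transfers, and the "accidental SINPE" reversal (an inbound credit followed by a larger outbound transfer to the same counterparty). The `Transfer` fields, all thresholds, and the sample records are assumptions for the example.

```python
"""Added example (not from the original page): rule-based transactional
pattern analysis over constructed SINPE Movil-style transfer records.
Field names, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    account: str               # the institution's client account
    direction: str             # "in" or "out"
    counterparty: str          # phone number on the other side (SINPE Movil is phone-keyed)
    amount: float              # colones
    ts: datetime
    device_id: str
    device_registered: datetime  # when this device was enrolled for the account


# Assumed policy thresholds.
NEW_DEVICE_WINDOW = timedelta(hours=24)
NEW_DEVICE_AMOUNT = 100_000.0
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)
REVERSAL_WINDOW = timedelta(hours=2)


def analyse(transfers):
    """Return a list of (rule_name, tx_id) alerts for the given transfers."""
    alerts = []
    by_account = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_account[t.account].append(t)

    for txs in by_account.values():
        outs = [t for t in txs if t.direction == "out"]
        for i, t in enumerate(outs):
            # Rule 1: large transfer from a device enrolled less than 24h ago.
            if t.ts - t.device_registered < NEW_DEVICE_WINDOW and t.amount >= NEW_DEVICE_AMOUNT:
                alerts.append(("new_device_high_value", t.tx_id))

            # Rule 2: velocity. Flag every transfer that completes a burst of
            # BURST_COUNT or more outgoing transfers inside BURST_WINDOW.
            recent = [u for u in outs[:i + 1] if t.ts - u.ts <= BURST_WINDOW]
            if len(recent) >= BURST_COUNT:
                alerts.append(("velocity_burst", t.tx_id))

            # Rule 3: "accidental SINPE" reversal. An inbound credit from X
            # followed within REVERSAL_WINDOW by a larger outbound transfer to X.
            for u in txs:
                if (u.direction == "in" and u.counterparty == t.counterparty
                        and timedelta(0) <= t.ts - u.ts <= REVERSAL_WINDOW
                        and t.amount > u.amount):
                    alerts.append(("accidental_sinpe_reversal", t.tx_id))
                    break
    return alerts


# Constructed sample batch (not real data).
OLD_DEVICE = datetime(2025, 6, 10, 9, 0)
NEW_DEVICE = datetime(2025, 6, 15, 8, 0)
D = datetime(2025, 6, 15)
SAMPLE = [
    Transfer("tx1", "CR-001", "in",  "8888-1111",   5_000.0, D.replace(hour=10, minute=0),  "dev-A", OLD_DEVICE),
    Transfer("tx2", "CR-001", "out", "8888-1111",  50_000.0, D.replace(hour=10, minute=20), "dev-A", OLD_DEVICE),
    Transfer("tx3", "CR-001", "out", "7777-0001", 150_000.0, D.replace(hour=11, minute=0),  "dev-B", NEW_DEVICE),
    Transfer("tx4", "CR-001", "out", "7777-0002",  20_000.0, D.replace(hour=11, minute=2),  "dev-B", NEW_DEVICE),
    Transfer("tx5", "CR-001", "out", "7777-0003",  20_000.0, D.replace(hour=11, minute=4),  "dev-B", NEW_DEVICE),
    Transfer("tx6", "CR-001", "out", "7777-0004",  20_000.0, D.replace(hour=11, minute=6),  "dev-B", NEW_DEVICE),
    Transfer("tx7", "CR-002", "out", "6666-0000",  30_000.0, D.replace(hour=12, minute=0),  "dev-C", OLD_DEVICE),
]

if __name__ == "__main__":
    for rule, tx_id in analyse(SAMPLE):
        print(f"ALERT {rule}: {tx_id}")
```

In practice these alerts feed a hold-and-verify step rather than an automatic block, and the thresholds should be set per segment from the institution's own transaction history; a fixed rule set is the baseline that a learned model has to beat, and it remains the explainable fallback regulators and investigators can audit.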

  • Fraud detection system evaluation and implementation advisory
  • AI-powered transactional pattern analysis for SUGEF 10-07 Art. 17 compliance
  • Customer service chatbot for basic inquiries: branch hours, product information, and balance queries (the latter only behind the same authentication as the client portal)
  • Automated compliance monitoring and regulatory reporting workflows
  • Digital onboarding workflow design with biometric verification integration
  • Factura electronica 4.4 automation for institutional billing

Frequently Asked Questions

We're a small cooperative, not a bank. Do SUGEF 10-07 requirements apply to us?

Yes. SUGEF 10-07 applies to all supervised entities — including cooperatives. While proportional regulation means smaller institutions may implement certain requirements at a reduced scale, the core obligations around authentication, fraud detection, and audit trails are mandatory. Given that 14 of 21 supervised cooperatives have assets below ₡80 billion and limited IT resources, this is precisely where external advisory delivers the most value.

What does the Banking Fraud Law mean for our institution practically?

It means that when a client reports electronic fraud, your institution must reimburse the stolen amount unless you can prove the client acted with intent or negligence. You have 4 months to investigate each claim. This shifts the economics of cybersecurity dramatically — it's now cheaper to prevent fraud than to absorb liability for it. We help institutions build the technical controls, evidence collection systems, and investigation protocols needed to both prevent fraud and demonstrate due diligence.

Can you conduct the annual cybersecurity audit required by the SINPE Norm?

Yes. The SINPE Cybersecurity Technical Norm requires all affiliates to conduct annual cybersecurity audits across 16 control areas and submit formal compliance reports. We conduct these audits, provide detailed findings and remediation recommendations, and help you prepare the documentation required for BCCR reporting.

How quickly can we achieve SUGEF 10-07 compliance?

The timeline depends on your current security posture. A gap analysis typically takes 2-3 weeks. Remediation can range from 2-6 months depending on the scope of changes required. We prioritize by risk, addressing the highest-impact requirements first while building toward full compliance.

The Regulatory Deadline Is Here. The Liability Has Shifted. The Time to Act Is Now.

Whether you need a SUGEF 10-07 gap analysis, a SINPE Cybersecurity Norm audit, or a comprehensive security program — we start by understanding where you stand today and building a clear path to compliance.