On April 14, 2025, the Financial Market Commission ("CMF") published for public consultation a draft general rule (the "Proposed Regulation") that will set minimum standards for security, recordkeeping, and authentication in payment and electronic transaction processes. The rule applies to issuers of payment instruments and financial service providers (the "Issuers").
The Proposed Regulation aligns with Law No. 20,009, which establishes a liability limitation regime for holders or users of payment cards and electronic transactions in cases of loss, theft, robbery, or fraud.
Key elements of the proposal:
- Security measures: Issuers must implement appropriate mechanisms to detect potential fraud, protect authentication codes, and ensure the independence and differentiation of authentication factors.
- Technical standards: The regulation defines criteria for robustness and differentiation in authentication factors, devices, and procedures.
- Mandatory use of strong customer authentication in cases such as:
  - Access to online banking platforms or mobile applications.
  - Requests to modify personal data or user credentials.
  - Enrollment of merchants or frequent recipients.
  - Transactions involving present or future fund transfers.
  - Atypical transactions posing potential fraud risks.
- Exceptions: The regulation also provides for specific exceptions to the mandatory use of strong customer authentication.
- Issuer liability: The regulation reiterates that Issuers are liable under Law No. 20,009 for damages to users caused by noncompliance and may be sanctioned by the CMF accordingly.
Once enacted, Issuers will have one year to implement the regulation and must submit an adjustment plan to the CMF.
The consultation will remain open until May 5, 2025.