Cybersecurity and personal data in the Fintech environment in Costa Rica

Mónica Arias

Michael Villalobos

Cybersecurity is currently of particular importance for companies operating in the Fintech ecosystem, which sit precisely at the intersection of finance, technology, and regulation, at a time of exponential growth in the use of technological and digital means to execute financial transactions.

Cybersecurity, or information security, of an entity or virtual space seeks to maintain the integrity, availability, privacy, control, and authenticity of the information held, guarded, and managed in electronic equipment and even in the cloud. Cyber-attacks are becoming more common every day, generating major impacts on companies and consequences in the private sphere of customers and their personal, financial, and transactional data; cybersecurity is therefore one of the strategies used to prevent such fraud.

Fintech companies are not exempt from these attacks, so it is important to know the obligations and duties that exist in our country in terms of data protection, without neglecting the rules that specific services, such as credit and debit card services, establish on this matter, or the rules that apply in consumer matters. The above applies both to Fintech companies that serve consumers directly (B2C) and to those that provide services to other companies, including regulated financial entities (B2B).

Currently, Costa Rica does not have specific regulations for the Fintech sector in this area. However, there is a general regulation for the protection of personal data, and even for the protection of data related to credit behavior, of interest to those companies in the industry that provide credit facilities or provide services to entities or companies that grant credit.

Thus, for example, the Law for the Protection of the Person against the Processing of Personal Data, Law 8968 and its regulations, guarantee to any person, national or foreign, the following:

    1. Respect for their right to informational self-determination in relation to their private life or activity.
    2. The right of personality.
    3. Defense of their freedom and equality with respect to the automated or manual processing of data corresponding to their person or property.

They also establish the minimum requirements applicable to automated and manual databases, and to the persons involved in the collection, safeguarding, and use of personal data.

Additionally, in terms of protection of consumer rights, the regulation to the Law on Promotion of Competition and Effective Defense of the Consumer, No. 7472, establishes the obligation of the merchant to adopt effective security measures to protect the integrity, veracity, and confidentiality of the personal data existing in its databases. The regulation on credit and debit cards, in turn, establishes the right of users of financial services to the protection of personal data obtained by financial entities in the provision of their services, specifically credit and debit card services. In the same sense, the regulation of the payment card system refers to the security of the information of the payment card device.

Now, for Fintech companies that carry out any of the activities listed in the Law on Narcotics, Psychotropic Substances, Drugs for Unauthorized Use, Related Activities, Money Laundering and Financing of Terrorism, Law No. 7786, the prudential regulations also apply. Specifically, agreement SUGEF 13-19 (regulation for the prevention of the risk of money laundering, financing of terrorism, and financing of the proliferation of weapons of mass destruction), applicable to the subjects bound by Articles 15 and 15 bis of Law 7786, establishes the obligation of these companies to keep their clients' information and the supporting documents under custody during the commercial relationship, guaranteeing the confidentiality of the information collected from their clients, together with the other aspects established in Law No. 8968 mentioned above. Finally, it should be noted that the Penal Code establishes the criminal offenses for illicit conduct related to non-compliance with the protection of personal data.

Undoubtedly, the notable growth of Fintech companies in recent years, in both the B2B and B2C areas, brings with it a series of obligations and responsibilities for the security of the data to which they have access, an interest shared by the authorities and regulators who seek to protect the data of users, suppliers, and others involved in the services and products provided by companies in this industry.

In this sense, it is of vital importance for these companies to know clearly the regulations they must comply with in this area, and even those that apply to their customers (in the case of B2B), for example in the financial sector, in order to offer a service that meets the applicable requirements and standards.