Banking Regulation 2025

CHILE Trends and Developments Contributed by: Alvaro Moraga Fritz and Sebastián Moraga Nazar, Moraga & Cía.

Deep Dive Into NCG 514 The NCG 514 regulation comprises five key sec - tions, outlined as follows. Section I: SFA Perimeter This section establishes the foundational struc - ture of the SFA. • Key definitions and terminology – provides standardised definitions and nomenclature for all participants and processes within the system. • Participants – identifies the main actors in the SFA, categorised as: (a) information provider institutions (IPIs), entities that hold clients’ financial data; (b) account provider institutions (IPCs), enti - ties offering transactional accounts; (c) information-based service providers (PSBIs), entities utilising financial data to deliver services to clients; and (d) payment initiation service providers (PSIPs), entities facilitating payments on behalf of clients. • Registration and listings – outlines the pro - cedures for PSBIs and PSIPs to register with the CMF, and specifies the creation of public participant listings for IPIs and IPCs. Section II: System Operations The SFA operates through an information exchange model utilising APIs as the primary interface. • Information exchange – APIs enable data transfer between participants, adhering to strict standards for interoperability, data

(b) they must handle high transaction vol - umes and meet minimum response times to ensure a seamless user experience. • Alternative mechanisms – in the event of API unavailability, secure repository services act as fallback mechanisms to maintain opera - tions. • Participant directory – the CMF will man - age an online public directory with real-time updates on participant statuses (IPI, IPC, PSBI, PSIP), ensuring transparency and reli - ability. Section III: Security and Safeguards Security is at the core of NCG 514, ensuring the protection of client data and operational conti - nuity. • Risk management and internal controls – par - ticipants are required to: (a) implement robust risk management poli - cies; (b) conduct regular internal audits; and (c) maintain effective mitigation strategies. • Cybersecurity standards: (a) compliance with international standards, such as ISO/IEC 27001, is mandatory; and (b) multi-factor authentication, continuous threat monitoring, firewalls and intrusion- detection systems are required for API security. • Incident reporting – security incidents affect - ing client data or operations must be reported to the CMF within 24 hours, alongside the implementation of incident response and recovery plans. • Business continuity – participants must develop and regularly test continuity plans to mitigate the impact of technological or infra - structure failures.

integrity and availability. • API technical standards:

(a) APIs must incorporate advanced security features, such as end-to-end encryption; and

109 CHAMBERS.COM

Powered by