Banking Regulation 2025

COSTA RICA Law and Practice Contributed by: Douglas Soto, Miguel Elizondo-Soto and Osvaldo Madrigal Méndez, Zurcher, Odio & Raven

cies to issue and register “thematic bonds” for public offer. These securities can be issued to finance specific investment themes such as climate change, health, food, education and access to financial services, and target specific sustainable development goals (SDGs) through investing. According to Article 5 of this Law, all financial regulatory agencies, including SUGEF, must rec - ommend regulatory changes to CONASSIF. This requires regulated entities to include sustainable or responsible investment strategies in their poli - cies. In this way, not only do funds managed by these entities create revenue, but part of this investment can be directed into activities, works and projects that contribute to the fulfilment of SDGs and the National Climate Change Strat - egy. Therefore, it is expected that a regulation could be implemented to allow all financial entities to include SDGs in their investment policies, along with financial returns and revenue. Although there is no direct reference to DORA (the Digital Operational Resilience Act), in July 2024, CONASSIF approved a comprehensive reform to the Information Risk Management General Regulation (“the Regulation”). The Reg - ulation is a new version of that initially approved in 2017. Its aim is to establish the minimum requirements to be officially met by all super - vised entities and companies within the Costa Rican financial system in respect of the govern - ance and management of information technol - ogy and associated risks. 10. DORA 10.1 DORA Requirements

Pursuant to the Regulation, supervised entities and companies must design, implement, moni - tor and maintain a governance and IT manage - ment framework in accordance with: i) organi - sational strategy; ii) risk appetite, tolerance, and capacity; and iii) the size, complexity, business models, and policies approved by the govern - ing body. The supervised entities and companies must apply international standards, best practices, and reference frameworks developed by the technology industry to implement the govern - ance and IT management framework without compromising compliance with the provisions established in the Regulation. They will also be required to design, implement, maintain and monitor any information security management system that includes provisions on information security and cybersecurity set down in the Regu - lation. The Regulation establishes a series of obliga - tions and responsibilities that must be fulfilled by senior management, the Information Technology Committee, Internal Audit, and the Risk Man - agement department of each entity. As part of the obligations set out, supervised entities and companies must develop a technology profile and update it annually. An external IT audit of the governance and IT management framework must also be carried out each year. The information security management system must permit controls that enable risk-based measures to protect information assets and the assets supporting these from information secu - rity and cybersecurity risks. These controls must be included in a statement of applicability, and their attributes laid out in Regulation’s general guidelines.

127 CHAMBERS.COM

Powered by