Banking Regulation 2025

PERU Law and Practice Contributed by: Andrés Kuan-Veng and Luis Ernesto Marín, Rubio Leguía Normand

10. DORA 10.1 DORA Requirements

The provisions in the regulation are applicable when financial institutions provide: • advisory services for financing a project where the total estimated investment exceeds USD10 million; • financing for a project with an estimated investment exceeding USD10 million; • loans to non-retail clients related to a project phase, provided that: (a) the total amount of the client’s loans related to the project within the financial system is at least USD50 million; and (b) the total amount of the client’s loans related to the project within the institution is at least USD25 million; • bridge loans for financing a project that requires an estimated total investment exceeding USD10 million; and; • corporate loans above USD10 million to pri - mary suppliers of a project. The Regulation establishes that it is the respon - sibility of the board of directors to define the general policy for managing social and environ - mental risks, establishing the minimum aspects that the policy should include. This includes the approval of a manual for managing social and environmental risks that must cover at least the provisions set out in the Regulation for the Man - agement of Social and Environmental Risk. Simi - larly, the general management is responsible for implementing the policy for managing social and environmental risks in accordance with the board’s provisions. Lastly, the risk management unit is tasked with proposing policies for manag - ing social and environmental risks to the board and participating in the design and ongoing updates to the manual for managing social and environmental risks.

While Peru does not have a direct equivalent to DORA, the SBS has issued guidance on operational risk management and cybersecurity frameworks for financial institutions. Provisions on operational risk management are primarily contained in the Reglamento para la Gestión del Riesgo Operacional (Operational Risk Management Regulation), approved by SBS Resolution No 2116-2009, which applies to banks and other entities in the financial system. This Regulation defines operational risk as the possibility of losses resulting from inadequate processes, failures in personnel or information technology or external events. This definition includes legal risk but excludes strategic and reputational risk. Accordingly, financial system entities must appropriately manage risks associated with their internal processes, such as poorly designed pro - cesses or inadequate or non-existent policies and procedures, which could result in deficient operations and services or their suspension. This includes, among other things, the proper management of risks associated with the com - pany’s personnel, risks related to external events beyond the company’s control, and risks tied to information technology. These IT risks may involve security failures, operational continuity issues, errors in the development and imple - mentation of IT systems, compatibility and inte - gration problems, poor data quality, insufficient technology investment and other related factors. On the other hand, the provisions for manag - ing information security and cybersecurity are set forth in the Reglamento para la Gestión de la Seguridad de la Información y la Cibersegu-

454 CHAMBERS.COM

Powered by