Q COSTARICA — A lot of people in Costa Rica have had their online banking accounts hacked and money stolen, with banks often refusing or delaying to return the stolen funds to the user, even when the evidence is clear. That is no longer the case.
The law passed by the Legislative Assembly came into effect on Wednesday with its publication in the official newspaper La Gaceta. The law boosts protections for financial system users and holds banks accountable for fraud, even if the financial institution itself isn’t directly at fault.
The legislation (Ley 10.889) amends the Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor (Law for the Promotion of Competition and Effective Consumer Protection) to incorporate a specific regime applicable to supervised public and private financial institutions.
The law stipulates that financial institutions must be held liable for damages caused to users when money or assets are stolen from their accounts by unauthorized third parties, regardless of fault.
The provision covers any mechanism used to commit fraud, including electronic scams, unauthorized transfers, or security breaches.
Complaint Procedure
The law establishes a detailed procedure for affected individuals to file their complaints. Users must file their complaint with the financial institution within 30 calendar days of the incident and submit a report to the Judicial Investigation Agency (OIJ).
The institutions must provide simple and accessible forms for receiving these complaints and guarantee permanent customer service channels, both in person and digitally.
Once a complaint is filed, the bank will have 30 calendar days to investigate the case and issue a resolution. This period may be extended once for up to ten additional business days, provided the user is notified beforehand.
During the investigation, the institution must demonstrate that it complies with the security standards required by the Superintendencia General de Entidades Financieras (SUGEF), the General Superintendency of Financial Entities, and that its systems have not been compromised.
Among the elements that must be analyzed are customer behavior patterns, devices used, connection networks, authentication methods, and any indication of atypical or suspicious activity.
Conditions for Rejecting Complaints
The law allows financial institutions to reject a complaint only when they can prove specific situations, such as the existence of self-fraud, intent to defraud by the user, or transfers made between accounts belonging to the same person.
In these cases, the bank must submit a report with technical evidence to both the OIJ and SUGEF. This latter institution will have ten business days to validate whether the bank’s decision complies with regulations and is supported by sufficient evidence.
If SUGEF does not uphold the denial, the bank must return the funds to the user within a maximum of ten business days. If SUGEF confirms the denial, the affected person may pursue legal action.
Restitution of Funds and Immediate Measures
When the claim is deemed valid, the bank must reimburse the stolen money within a maximum of ten calendar days. Furthermore, it must eliminate any interest charges or fees associated with the fraud and return the amounts already collected along with the corresponding interest.
The regulations also require banks to immediately block the financial products or services involved upon receiving the claim, as well as issue a receipt with the date and time of the action.
Likewise, the banks must offer alternatives so that the user can continue operating while the case is being resolved.
In cases where new unauthorized transactions occur after the claim is filed, the financial institution will be held directly responsible.
Penalties for Non-Compliance
The text establishes consequences for entities that fail to comply with deadlines or procedures. If the bank resolves the claim outside the established timeframe, it must pay the user compensation equivalent to one base salary.
Furthermore, if 120 calendar days pass without the entity issuing a resolution, it will lose the right to reject the claim and will be obligated to return the funds.
Changes in the Burden of Proof
One of the most significant changes introduced by the law is the reversal of the burden of proof in favor of consumers. This means that, in cases of electronic fraud and financial disputes, the entity will be responsible for demonstrating that it acted correctly and that the damage is not attributable to it.
This rule will apply in both administrative and judicial proceedings.
The regulations also impose new responsibilities on SUGEF and the Central Bank of Costa Rica (BCCR).
SUGEF must issue and update, at least annually, regulations aimed at preventing and reducing cyber fraud, incorporating international security standards. For its part, the Central Bank must strengthen security mechanisms on its payment platforms and collaborate in the prevention and investigation of these crimes.
Financial institutions must also implement protocols for immediate assistance to fraud victims, train their staff, and provide users with regular information on security measures.
The law also criminalizes self-fraud, defined as the simulation of a scam to obtain financial gain. Those who engage in this conduct will face penalties ranging from two months to ten years in prison, depending on the amount defrauded.
The regulations took effect on Wednesday, April 22, 2026, and establish transitional periods for financial institutions and the SUGEF to adapt their procedures and regulations. These include a maximum of six months to implement victim assistance protocols and update the corresponding technical regulations.

