Q COSTARICA — Online scams in Costa Rica have seen a significant surge since 2022, when 3,136 complaints were filed with the Organismo de Investigación Judicial (OIJ)—Judicial Investigation Agency.
Since then, the problem has continued to grow exponentially, and by 2025, the OIJ had recorded 10,027 cases, representing a 41% increase compared to the previous year.
The worst part is that, if the current growth rate continues, by the end of this year, online scams will become the country’s leading crime, surpassing robberies, thefts, and fraud, which until the end of last year held the top three positions in the crime ranking.
Thus, cell phones are one step closer to being more dangerous than walking at night in a dangerous neighborhood.
Complaints about this issue jumped from 19 to 27 per day between 2024 and 2025.
These stark statistics reveal a shift in consumption patterns and crime in the country, according to experts, who point out that behind each case is a person with an empty bank account or even debts they didn’t incur.
Last week, legislators approved a bill that essentially exonerates citizens from being held responsible for illegal transactions and requires banks and other financial institutions to refund money lost in electronic fraud if they cannot prove it was a mistake or intentional act by the customer.
In other words, the affected person will no longer have to explain to the bank what happened; instead, the financial institution will be obligated to conduct an investigation and respond within four months.
The legislation was approved in its first vote and requires a second vote, which is progressing unopposed through the legislative process and is expected to be approved as early as this week.
Claims Against Online Fraud
After a series of modifications, the law clarifies the procedure to follow with banking institutions in cases of account fraud.
Here’s how:
- When a user denies having authorized a transaction and claims to be the victim of theft (fraud, electronic fraud, or unauthorized debit) or reports the misuse of their account, they may file a claim with the financial institution within 30 calendar days of the incident.
- The claim must be submitted using a form provided by the institution and must include a copy of the report filed with the Organismo de Investigación Judicial (OIJ) — Judicial Investigation Agency.
- The financial institution will have 30 calendar days to investigate and resolve the claim, which may be extended once for up to 10 additional business days, provided at least 3 days’ prior notice is given.
During the investigation, the institution must demonstrate:
- It complies with the security regulations established by the General Superintendency of Financial Institutions (SUGEF).
- That its systems were not compromised, considering controls such as: analysis of transaction patterns, verification of devices and authentication methods, detection of atypical activity, and application of prior confirmation mechanisms when appropriate.
- If compliance with these requirements is demonstrated, the customer’s conduct will be analyzed.
- The entity may reject the claim if it demonstrates that there was self-fraud, fraud, or transfers between accounts belonging to the same person.
Claim Rejection?
According to the initiative, if the financial institution rejects the claim, it must notify the user, indicating the evidence and the forensic analysis or log prepared in accordance with the parameters of the General Superintendency of Financial Entities (SUGEF). A copy of this report must be sent to the OIJ and the Superintendencia General de Entidades Financieras (SUGEF)—literally translated as ‘Financial Institution Superintendency’.
Furthermore, SUGEF will, within 10 business days, validate through a reasoned decision whether the claim is duly justified.
If SUGEF does not ratify the decision, the institution must return the funds and/or reopen the account within a maximum of 10 business days, without prejudice to the institution’s right to pursue legal action to challenge the payment’s validity.
If SUGEF confirms the rejection, the client may resort to the corresponding legal channels.
Refund of Money
When the financial institution determines that the claim is valid, it must credit the funds within a maximum of 10 calendar days, reopen the account if applicable, eliminate any interest or fees applied due to the fraud, and refund the amounts charged with their respective interest.
Furthermore, if new unauthorized transactions occur after the claim is filed, the financial institution will be responsible for these transactions and their financial consequences.
Penalties
The initiative also establishes that users who impersonate victims of bank fraud to obtain a financial benefit for themselves or a third party could be punished with imprisonment:
- Imprisonment from two months to three years, if the amount defrauded does not exceed ten times the base salary.
- Imprisonment from six months to ten years, if the amount defrauded exceeds ten times the base salary.
Banks resign from ABC
Following the initiative’s approval in the first debate, Costa Rica’s public banks—Banco de Costa Rica (BCR), Banco Nacional de Costa Rica (BNCR), and Banco Popular y de Desarrollo Comunal (BPDC)—announced their formal, immediate, and irrevocable resignation from the Costa Rican Banking Association (ABC).
In a joint statement, they asserted that the decision stems from a breakdown in trust caused by public statements made by ABC spokespeople regarding the bill on online fraud.