By Resolution No. JPRF-S-2025-0152 dated April 30, 2025, the Financial Policy and Regulation Board (the “Financial Board”) issued the “Regulation Governing Insurance Technology Service Providers” (the “Regulation”). This Regulation is based on the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech Law).

I. Purpose

The Regulation aims to establish the regulatory framework for the activities carried out by Insurance Technology Service Providers (“ESTS”), such as alternative transaction systems, insurance market infrastructure, blockchain platforms, among others, that involve “financial risk.”

ESTS that pose financial risk are those directly involved in sensitive (i.e., critical to the operation of an insurance company, where failure could compromise financial sustainability and operational capacity) and fundamental (i.e., essential for the company to fulfill its business purpose) processes of an insurance company.

II. Qualification, Authorization, and Operation

The incorporation of ESTS is governed by the Fintech Law. Their qualification will be granted by the Superintendency of Companies, Securities and Insurance (SCVS), provided the following requirements are met:

1. A corporate purpose that aligns with one of the ESTS activities defined in the Fintech Law.
2. Sufficient capital and infrastructure.
3. A corporate governance code.
4. Inclusion of roles for product responsibility and risk management within their organizational structure.
5. Compliance with technical and financial standards to be issued by the SCVS.

ESTS operations must adhere to the guidelines set forth in the Regulation. Key operations include:

• Insurance sales
• Rate optimization
• Risk profile assessment and selection
• Product design and development
• Loss prevention related to the line of business
• Claims management

III. Risk Management

ESTS must implement a risk management system aligned with international best practices, covering the stages of:

1. Identification
2. Measurement
3. Control
4. Monitoring

They must manage operational risks (i.e., losses arising from failures in internal processes, systems, personnel, or external events) and legal risks (i.e., losses resulting from errors, negligence, recklessness, or willful misconduct leading to non-compliance or misapplication of legal or regulatory provisions).

In addition, ESTS must implement information security protocols and comply with regulations on anti-money laundering and personal data protection.

IV. Timeline

The SCVS will have one (1) month to prepare the schedule for issuing the relevant technical regulations. The maximum period for full compliance is twelve (12) months.

The Regulation is effective as of its issuance, regardless of its publication in the Official Register.

For additional information, please contact us at the following email addresses:

Jesús M. Beltrán: jbeltran@bustamantefabara.com

Belén Jaramillo: bjaramillo@bustamantefabara.com