Chile

Regulations

• Can financial institutions use AWS?

  Yes. Financial institutions in Chile are permitted to use cloud services, provided that they comply with applicable legal and regulatory requirements, such as those described below. 

• Who are the financial regulators?

  The Comisión para el Mercado Financiero or “CMF” (Financial Market Commission) is the public body that oversees and enforces compliance with laws and regulations by banks and other financial institutions (for example, credit card issuers and processors, credit unions) and the insurance industry in Chile.

  Refer to entities audited by the CMF including Financial Institutions, Markets (stock and insurance), and other entities.

  The Superintendencia de Pensiones or “SP” (Superintendence of Pensions) oversees and enforces compliance with laws and regulations by pension fund administrators.
  

• What regulations apply to financial institutions using AWS?

  Financial institutions in Chile may be subject to a number of different legal and regulatory considerations when they use cloud services. Relevant regulations include, but are not limited to:

  Regulations issued by the CMF to oversee banks, and financial institutions:

  • RAN 20-7 Externalización de Servicios (Outsourcing), establishes requirements for financial institutions to outsource services, including requirements for the outsourcing of cloud services.
    
  • RAN 1-13 Clasificación de Gestión y Solvencia (Classification of Management and Solvency).
    
  • RAN 20-8 Información de Incidentes Operacionales (Operational Incident Information), contains guidelines and good practices applicable to cybersecurity management.
    
  • RAN 20-9 Gestión de la Continuidad de Negocio (Business Continuity Management), sets forth certain requirements for data processing sites and technological infrastructure, including cloud services.
    
  • RAN 20-10 Gestión de Seguridad de la Información y Ciberseguridad (Information Security and Cybersecurity Management), contains guidelines for the management of information security and cybersecurity.
    
  • Circular No 2 Contains rules and standards on operational and security safeguards for the issuance and operation of payment cards.
    

  Refer to the CMF website for additional information.

  Capital and insurance markets:
  

  • General Rule NCG 454 /2021 Operational Risk and Cybersecurity Management (Insurance Sector). Instructions on implementing operational risk management systems, cybersecurity measures, and reporting requirements for information security and cybersecurity events by insurance and reinsurance entities.
  • Circular N° 2020/2011 (SVS) Management and Resolution of Incidents (Capital Markets). Establish instructions referring to communication, management, and resolution of critical operational incidents that affect the normal development of services.
    
  • General Rule NCG 309/2011 Corporate Governance Principles, Risk Management, and Internal Control Systems. Contains instructions regarding principles of corporate governance and risk management systems and internal control in insurance and reinsurance companies.
    
  • General Rule NCG 325/2011 Rules regarding the risk management system of insurance companies and their solvency assessment.
    
  • General Rule NCG 171/2004 Electronic Commercialization and Intermediation of Insurance (Insurance companies). Establishes minimum security requirements and necessary conditions for the trade and intermediation of insurance by electronic means.
    

  Pension funds:
  

  • Book V Administrative and Operational Aspects of the Pension Fund Administrators and the Social Security Institute.

  Fintech Law and Open Finance System:

  • Fintech Law (Ley 21.521): Establishes a regulatory framework for financial technology companies and crowdfunding platforms, defining operational guidelines, consumer protection measures, and supervisory mechanisms to promote innovation while ensuring financial stability and market integrity.
    
  • NCG 514 (July 2024): Governs the Open Finance System under the Fintech Law (Ley 21.521). Outlines how financial data can be exchanged securely between financial institutions, establishes API standards, and mandates customer consent procedures.
  • NCG 502 (January 2024): Establishes the framework for registration and authorization of financial service providers under the Fintech Law. It was subsequently updated by NCG 514, which refined the registration processes, enhanced security standards for data exchange (particularly through APIs), and ensured interoperability across financial institutions.

  Cybersecurity:

  • Law No. 21,663 - Framework Law on Cybersecurity establishes the general norms, principles and definitions regarding cybersecurity for Chile. It creates the National Cybersecurity System and defines the institutions in charge of its coordination.

  Customers that have questions about the applicable regulations, and how these may apply to their use of AWS services, can reach out to their account representative.
  

• Key considerations for financial institutions using AWS

  AWS is committed to offering customers a strong compliance framework and advanced tools and security measures that customers can use to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements.

  Financial institutions who are using or planning to use AWS services can take the following steps to better understand their compliance needs:

  1. Consider the purpose of the workload(s) under consideration and the relevant categories of data in order to anticipate which legal and regulatory requirements may apply.

  2. Assess the materiality or criticality of the relevant workload(s) in light of local requirements. For example, RAN 20-7 contains materiality assessment considerations for financial institutions. RAN 20-7 is focused on Outsourcing and is part of an updated compilation of rules for banks, and other regulations issued by the regulatory body.

  3. Review the AWS Shared Responsibility Model and map AWS responsibilities and customer responsibilities according to each AWS service that will be used. Customers can also use AWS Artifact to access AWS’s audit reports and conduct their assessment of the control responsibilities.

  Customers that have further questions about how AWS services can enable their security and compliance needs, or that would like more information, can contact their account representative.
  

• Key data privacy and protection considerations for financial institutions using AWS

  Financial institutions in Chile using AWS services should also consider applicable privacy requirements, including: Chile’s Personal Data Protection Act, No. 19,628 and the significant updates in Law 21.719 enacted in 2024. These updates include: new principles for data processing, new rights for data subjects (including access, rectification, deletion, opposition, and portability), stricter requirements for consent, special protections for sensitive and children's data, new obligations for data controllers, an administrative sanctions regime, regulation of international data transfers, and data breach notification requirements.
  

  The AWS whitepaper, Using AWS in the Context of Common Privacy and Data Protection Considerations provides useful information to customers using AWS cloud services to store or process personal data.
  

Resources