Ecuador

Yes. Financial institutions in Ecuador are permitted to use cloud services, provided that they comply with applicable legal and regulatory requirements, such as those described below. 

The Superintendence of Banks (Superintendencia de Bancos or “SB”) and the Financial and Monetary Policy and Regulation Board (Junta de Política y Regulación Financiera y Monetaria) are Ecuador’s primary regulatory authorities responsible for the formulation of public policies, and the regulation and supervision of monetary, credit, exchange, financial, insurance, pension, and securities institutions.

The Financial and Monetary Policy and Regulation Board is the body responsible for issuing public policies and regulatory standards applicable to the Financial, Insurance and Securities System, which complement the Organic Monetary and Financial Code (Código Orgánico Monetario y Financiero).

The SB, in turn, is responsible for supervising and controlling all financial institutions, except for loans and savings cooperatives, which are regulated by the Superintendency of Popular and Solidarity Economy (Superintendencia de Economía Popular y Solidaria).

Financial Institutions in Ecuador may be subject to a number of different legal and regulatory considerations when they use cloud services.

Monetary and Financial Organic Code: Regulates Ecuador’s monetary and financial systems, as well as the securities and insurance regimes.

SB Book I.- control standards for Entities in the Public and private financial sectors, Title IX.- Risk Management and Administration, Chapter V.- Control standard for operational risk management: Regulates the structure, functioning, operations, control and risk management applicable to financial institutions in Ecuador.

Resolution No. SB-2018-771: Reforms the Operational Risk Management Control Standard and sets requirements for contracts signed by financial institutions.

Resolution No. 382-2017-F: Regulates the definition, qualification and operations of auxiliary services companies that provide services to financial institutions

Codification of Monetary and Financial Policy and Regulation Board Resolutions: Compiles and codifies resolutions on monetary, financial, securities and insurance matters, including transaction recording, risk management and service continuity.

Public Procurement Law (Organic Law of the National Public Procurement System): Regulates the contracting processes of works, goods and services by public sector entities, including state-owned financial institutions. (does not apply to private banks)

Ecuadorian Quality System Law: Establishes principles, policies and entities related to quality and conformity assessment, including technical requirements such as encryption standards.

Resolution No. SEPS-IGT-IGS-INSESF-INR-INGINT-INSEPS-IGJ-0116 (Control Standard For The Management Of Operational Risk In Entities In The Popular And Solidarity Financial Sector)
In the case of contracting cloud infrastructure, platform, and/or software services, whether from domestic or foreign providers, controlled entities must have, in accordance with the contracted service, a technical report, an information security report, and a legal report issued by the controlled entity's personnel, based on their competencies, in which the operational risks associated with the service and the respective management have been identified.

Additional fintech regulations:

Fintech Law (Organic Law for the Development, Regulation and Control of Technological Financial Services, 2022): Establishes the legal framework for fintech activities, mandates exclusive corporate purpose and licensing requirements for entities providing financial technology services.

Electronic Commerce, Electronic Signatures and Data Messages Law: This Law regulates data messages, electronic signatures, certification services, electronic and telematic contracting, and the provision of electronic services through information networks, including electronic commerce.

Resolution No. JPRF-F-2023-076: establishes the amendment of the Codification of Monetary, Financial, Securities and Insurance Resolutions, incorporating Chapter LXII: “Regulation for Technological Financial Services Entities.”

Decree 903, 2023 (Implementing Regulations of the Fintech Law): Implements the Fintech Law by defining authorization procedures, supervisory powers, cybersecurity requirements, and sandbox provisions under the authority of the Monetary and Financial Policy and Regulation Board.

Resolution No. JPRF-2025-0155: regulates entities that grant digital loans. This regulation requires that entities using big data and cloud computing must have a scalable and adaptable technological architecture capable of managing significant volumes of data and responding to the entity's fluctuating operational needs. Said entities must comprehensively manage and monitor services provided by third parties; this management includes: supplier selection; contracting; risk management; cloud computing; financial regulations; and information integrity.

Resolution BCE-GG-007-2026: regulates real-time electronic transfers and sets deadlines for payment networks to implement technological infrastructure and standards (key management, payment credentials, among others) and achieve full interoperability throughout the country.

AWS encourages its Financial Institution customers to obtain appropriate advice on their compliance with all regulatory and legal requirements that are relevant to their business, and local regulations, guidelines and laws.  

AWS is committed to offering customers a strong compliance framework and advanced tools and security measures that customers can use to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements.

Financial institutions who are using or planning to use AWS services can take the following steps to better understand their compliance needs:

1. Consider the purpose of the workload(s) under consideration and the relevant categories of data in order to anticipate which legal and regulatory requirements may apply.

2. Assess the materiality or criticality of the relevant workload(s) considering local requirements. For example, the SB requires financial institutions provide details of services to be contracted, including the analysis of operational, legal, technological, security, and continuity risks.

3. Review the AWS Shared Responsibility Model and map AWS responsibilities and customer responsibilities according to each AWS service that will be used. Customers can also use AWS Artifact to access AWS’s audit reports and conduct their assessment of the control responsibilities.

Customers that have further questions about how AWS services can enable their security and compliance needs, or that would like more information, can contact their account representative.

Financial institutions in Ecuador using AWS services should also consider applicable privacy requirements, including the Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales, LOPDP), enacted in 2021, and its regulations issued in 2023. This framework establishes obligations for lawful processing of personal data, data subject rights, breach notifications, data transfers, and accountability measures, which are enforceable by the Superintendence of Personal Data Protection (SPDP).

In addition, the SPDP Resolution SPDP-SPD-2025-0006-R (April 2025) requires mandatory data protection clauses in all contracts that involve personal data processing, which is directly relevant when financial institutions contract with cloud service providers.

For cross-border data transfers to AWS Regions outside Ecuador, institutions must comply with the mechanisms established in Resolutions No. SPDP-SPD-2025-0024-R and SPDP-SPD-2026-0004-R.

Additionally, under the SPDP's Risk Management and Impact Assessment Guide (2nd edition, published March, 2026), large financial institutions are subject to the 'principle of scalability', requiring the implementation of robust frameworks such as ISO/IEC 42001 or DAMA-DMBOK, for example, to demonstrate compliance.

The SPDP has approved its 2026 Institutional Regulatory Plan (PIR), which serves as the official roadmap for issuing the secondary regulations necessary to fully implement the Organic Law on Data Protection. This plan was formalized through Resolution No. SPDP-SPD-2025-0050-R. The SPDP publishes the corresponding resolutions on its institutional website as they become official.

The AWS whitepaper, Using AWS in the Context of Common Privacy and Data Protection Considerations provides useful information to customers using AWS cloud services to store or process personal data.

Customers that have questions about the applicable regulations, and how these may apply to their use of AWS services, can reach out to their account representative.