Trust underpins transactions in the financial system. When compromised by fraud, market stability is threatened.
In June 2025, the Financial Market Commission (CMF) issued Regulation No. 538 (NCG 538 Chile), establishing mandatory security and authentication standards for banks, card issuers, and cooperatives. This regulation compels financial institutions to implement robust pre-transaction controls and proactive fraud mitigation, shifting the duty from reimbursing losses to actively safeguarding users’ assets.
This regulation fortifies the Chilean financial system and aligns it with international standards, such as the European PSD2 and Strong Customer Authentication (SCA). For users, this mandates stricter authentication for financial products, delivering enhanced fraud protection and greater trust in digital services.
Purpose and scope of Regulation NCG 538 Chile
Regulation No. 538 of Chile applies to all payment issuers and providers regulated by the CMF. Its goal is to set minimum security for transactions covered by Law No. 20,009, which protects users from card fraud and unrecognised transactions.
Specifically, the standard requires:
- Ensure the integrity, confidentiality, and availability of payment systems.
- Deploy strong authentication protocols (ARC) in critical operations.
- Preserve traceable and auditable records of every authentication attempt, including unsuccessful ones. Analyse transaction patterns for anomalies and potential fraud.
The standard elevates financial security to the same importance as solvency and liquidity.
Key definitions: strong authentication and trusted devices
The standard introduces concepts that define the new paradigm:
- Authentication: the process for verifying a user’s identity or the validity of a payment method.
- Strong Customer Authentication (SCA) requires at least two independent factors, including knowledge (PIN), possession (token, OTP, smartphone), and inherence (facial biometrics, fingerprint, voice). This aims to shield critical operations from impersonation.
- Authentication code: a unique element generated after successful ARC, which enables the issuer to process a transaction.
- Trusted device: a device enrolled by the customer through ARC and equipped with anti-tampering mechanisms.
In summary, the standard unifies the definition and protection of users’ financial identities.
When is ARC mandatory?
Although issuers can apply ARC broadly according to their risk management framework or in cases where they deem it necessary, the standard establishes mandatory use cases from July 2026 onwards:
- Electronic funds transfers, including requests, recipient changes, and recurring payments.
- Digital onboarding, involves customer registrations on platforms, updates to personal data, and password changes.
- Management of trusted devices, onboarding, replacement, or removal.
This guarantees uniform protection for the most sensitive financial operations.
When does Regulation NCG 538 Chile come into effect?
CMF Standard 538 has two key milestones in its implementation schedule:
- 1 August 2025: The general standard comes into effect, incorporating all its minimum security and registration requirements.
- 1 July 2026: Strong Customer Authentication (SCA) becomes mandatory for critical operations, including electronic transfers, digital customer registrations, and trusted device management.
This transitional year grants banks, card issuers, and fintechs a year to upgrade their systems, streamline onboarding processes, and train their teams. Rather than mere compliance, this period represents an opportunity to bolster confidence in the Chilean financial system.
Penalties for non-compliance
Liability for damages caused and penalties for non-compliance are regulated in Title III of DL No. 3,538, of 1980.
Consult with one of our experts to implement a digital onboarding solution that complies with Regulation NCG 538 Chile.
I am a curious mind with knowledge of laws, marketing, and business. A words alchemist, deeply in love with neuromarketing and copywriting, who helps Mobbeel to keep growing.
