A few weeks before the end of the mandate, on Monday, November 6, the president Guillermo Lasso issued two executive decrees, 903 and 904, s regulations which will operationalize the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech) and the Organic Law on Personal Data Protection.

In case of Fintech lawwhich has been in force since December 2022, the regulation contains ten articles.

The standard provides that activities fintech will be regulated by the Committee for Monetary Policy and Regulation and by the Committee for Financial Policy and Regulation. While the Central Bank of Ecuador (BCE) and supervisory bodies of companies and banks, within their powers, will be responsible for qualification, supervision and control companies.

Likewise, it was established that companies dedicated to activities fintech They will not be able to implement otherwise. Be able provide one or more services, as long as they have the appropriate authorization; with the exception of specialized companies for electronic deposit and payment, whose sole purpose is to receive funds exclusively for the purpose of enabling payment and transfer of funds through authorized electronic means of payment, the regulations state.

will be implemented standardized computer systems for reports from companies involved in the field.

With a purpose prevent money laundering and financing of crime, as well as to regulate aspects of cyber and information security, competent entities must pass appropriate regulations.

In Decree 903, Lasso argued that it is necessary to issue regulatory provisions for the application of the Fintech Law, “enabling the development market fintech localand protection of the rights of users of the said market.”

Referring to Data Protection Act, Effective from May 2021. The regulation is more extensive as it contains 90 articles, one general provision and two transitional provisions. It refers to all natural and legal persons, domestic and foreign, from the public and private sector, who process personal data inside or outside the country.

It establishes, among other topics, the rules that must be followed by those responsible and in charge of processing personal data that are not based in Ecuador.

In all cases where express consent of the owner To process your personal data, the person responsible for handling the data must inform in advance and in detail about the treatment that the data will have, the purpose, the storage time, protection measures, the consequences of delivery and other aspects.

It was found to be personal data storage periods They should not exceed those strictly necessary to fulfill the purpose justifying the treatment. These deadlines will be regulated by the Data Protection Authority.

The Regulation dedicates one chapter to rights, which determines the ways of exercising rights, content of requests, requests for additional information, registration of requests and complaints to the Personal Data Protection Authority.

Treatment information about the deceased personinformation on creditworthiness, information on minors and the best interest of the child.

Other chapters of the regulation refer to the transfer or communication of data to third parties, breach of personal data security, impact assessment, data controller, proactive responsibility and self-regulation, codes of conductamong others.

The standard provides that Authority for the protection of personal data It enjoys administrative, technical, operational and financial autonomy. It will be headed by a personal data protection supervisor and will be based in Quito.

Among the powers that the Authority will have is the registration of databases containing personal data in the National Register for the Protection of Personal Data; directs and administers the Unified Register of Non-Compliant Responsible Persons and Managers; issue regulations and technical reports.

It also establishes a sanctioning regime for cases in which the commission of any of the offenses contained in the law is assumed.

The transitional provisions of the regulations stipulate that the implementation of i operation of the Main Supervisory Authority protection of personal data will depend on the availability of the budget, the previous positive opinion of the Ministry of Finance.

He also imposed himself maximum term of one yearfrom the work of the Supervisory Board, so that the entity develops technical training and training courses intended for the general public.

In Decree 904, the president emphasized in the text that it is necessary to “clearly establish the regulations and procedures for the execution of the law”.