SBS strengthens security regulations on credit and debit cards: these are the new changes

At the end of June, the Superintendency of Banking, Insurance and AFP (SBS) approved various modifications to the credit and debit card regulations. SBS Resolution No. 02286-2024, published in the official newspaper El Peruano, made the new provisions official. Among other things, they specify the responsibility of companies in the processes of user authentication and consent to operations.

One of the most significant changes is that banks will now have to assume losses for unrecognized operations on clients’ cards, whether payments, transfers or other operations that were not carried out by the holders. To learn about the scope of these modifications to the cybersecurity rules applicable to credit and debit cards, La República spoke with Juan Ñahue, a consumer protection specialist.

SBS modifies credit and debit card regulations: what are the changes?

By means of Resolution No. 02286-2024, the SBS modified last Friday, July 28, the Regulations on Credit and Debit Cards, in matters related to the management of information security and cybersecurity, as well as the Regulations on Market Conduct Management of the Financial System and the Regulations on Claims and Requirements.

According to Juan Ñahue, a lawyer specializing in Administrative Law, Consumer Protection and Intellectual Property, one of the reasons that justify the changes proposed by the SBS is “the growing number of fraud and cyberattack methods, as well as the need to improve the security system and increase public confidence in the financial sector.”

Below we list the main modifications:

  • New security measures are put in place with two-factor authentication that requires the user to provide two forms of identification before completing a transaction, increasing the security of transactions.
  • For card-present transactions, two security factors are required. The first is the chip or digital representation of the card, and the second can be a PIN or another method approved by the SBS.
  • Transactions made with third-party mobile wallets based on card tokenization must be verified using card tokenization and a second, distinct factor.
  • Companies will be liable for losses in unrecognized transactions without enhanced authentication, unless proof of user responsibility is provided.

Banks will be responsible for unrecognized card transactions

According to the amendment to paragraph 20.3 of Article 20 of the Regulation on Information Security and Cybersecurity Management, companies must assume losses unless the user’s liability is proven. This applies to transactions not authorized by customers that are carried out through digital channels without reinforced authentication, or after the user has reported the theft or loss of their credentials.

For attorney Juan Ñahue, this change encourages financial institutions to improve their security systems and implement more advanced technologies to prevent fraud. It also provides greater peace of mind to users, who can feel more secure when using their cards knowing that they are protected against possible fraud.

“A reinforced security system will prevent easy access to users’ bank accounts, preventing fraud, cyber theft and financial losses,” he said.

The regulatory body has set different deadlines for financial institutions to adapt to these changes. In general, they have until December 31 of this year to do so. However, the provision on liability for losses in unrecognized transactions will not apply until July 1, 2025.

“Each financial institution is different, therefore, the established deadlines will allow all financial institutions to optimally implement the required security systems and remain effective. In this sense, the deadlines set are reasonable, since the objective is for financial institutions to be able to fully and smoothly implement the security measures,” Ñahue said.

Source: Larepublica
