Costa Rica -- AML/CFT Compliance Regulatory Overview

**Law No. 7786, "Law on Narcotics, Psychotropic Substances, Drugs of Unauthorized Use, Related Activities, Money Laundering and Financing of Terrorism" (Ley sobre Estupefacientes, Sustancias Psicotrópicas, Drogas de Uso No Autorizado, Actividades Conexas, Legitimación de Capitales y Financiamiento al Terrorismo)**, as amended. This is Costa Rica's foundational AML/CFT law.

**Law No. 10.363, "Law on the Regulation of Virtual Asset Service Providers" (Ley de Regulación de Proveedores de Servicios de Activos Virtuales)**. This law established the legal framework for VASPs, bringing them under Law 7786's AML/CFT scope. However, the operational AML/CFT obligations and registration mandate became enforceable only after SUGEF's implementing regulation (SUGEF 2-2024) came into effect on November 16, 2024.

**Regulations issued by SUGEF:** While Law 10.363 sets the legal framework, the Superintendent General of Financial Entities (SUGEF) is responsible for developing specific regulations. The key implementing regulation, **SUGEF 2-2024 ("Reglamento para la Inscripción y Supervisión de los Proveedores de Servicios de Activos Virtuales")**, was issued and became effective on November 16, 2024. It details registration, CDD, transaction monitoring, STR, and record-keeping requirements for VASPs.

**Identification and Verification of Customer Identity:**

Identification number (e.g., national ID card, passport number)

Contact information (e.g., phone number, email address)

Source of funds/wealth (as part of Enhanced Due Diligence (EDD) for high-risk clients, which may include scrutiny of large transactions as a contributing factor to the risk assessment).

Verification through reliable, independent source documents, data, or information (e.g., government-issued ID, utility bills).

Legal name, legal nature or type of entity (naturaleza jurídica), and proof of incorporation/registration (copia certificada de la personería jurídica).

Registered office address (domicilio o dirección física de la sede social).

Corporate identification number (número de identificación), which in Costa Rica commonly serves as the tax identification number (cédula jurídica / Número de Identificación Tributaria).

Names of directors, partners, and senior management.

Identification of **Beneficial Owners (BOs)**: VASPs must identify and verify the identity of all natural persons who ultimately own or control the legal entity (typically those holding 25% or more of shares or voting rights, or otherwise exercising control).

Nature of business and purpose of the business relationship.

**Purpose and Intended Nature of the Business Relationship:** Understanding why the customer wants to use the VASP's services.

Regularly monitoring transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Keeping customer information, documents, and data up-to-date.

Periodically reviewing the risk categorization of customers.

**Risk-Based Approach (RBA):** VASPs must apply CDD measures on a risk-sensitive basis. This means applying enhanced due diligence (EDD) for higher-risk customers, transactions, or business relationships (e.g., Politically Exposed Persons (PEPs), cross-border correspondent relationships, complex/unusual transactions). Simplified due diligence (SDD) may be applied in specific lower-risk scenarios.

**Trigger:** Any transaction, attempted transaction, or activity where the VASP suspects or has reasonable grounds to suspect that the funds or assets are proceeds of criminal activity (including money laundering) or are related to terrorist financing.

**Reporting Body:** The report must be submitted to the **Unidad de Inteligencia Financiera del Instituto Costarricense sobre Drogas (UIAD)**, which is Costa Rica's FIU.

**No Tipping Off:** VASPs and their employees are prohibited from disclosing to the customer or any third party that an STR has been, or will be, filed.

**Timing:** Reports must be made without delay, typically within a few days of forming the suspicion.

Customer identification data (collected during CDD).

Costa Rica has proposed but not yet enacted a law requiring virtual asset service providers to maintain transaction records; as of early 2026, no specific regulatory obligation for such record-keeping is in force.

Records of suspicious transaction reports filed.

Records of risk assessments, internal policies, and training materials.

**Retention Period:** Records must generally be kept for a minimum of **five (5) years** after the business relationship is terminated or after a transaction is conducted.

**Accessibility:** Records must be readily available and easily retrievable by the supervisory authority and law enforcement upon request.

**Superintendencia General de Entidades Financieras (SUGEF)**

**Register** with SUGEF as an obligated subject for AML/CFT purposes.

**Implement an AML/CFT compliance program** in line with Law N° 7786 (Ley sobre estupefacientes, sustancias psicotrópicas, drogas de uso no autorizado, actividades conexas, legitimación de capitales y financiamiento al terrorismo).

**Conduct Know Your Customer (KYC)** and Customer Due Diligence (CDD) procedures.

**Monitor transactions** for suspicious activity.

**Report suspicious transactions (STRs)** to SUGEF's Financial Intelligence Unit (FIU).

**Maintain adequate records** for the required periods.

**Ley N° 7786:** (Law on Narcotics, Psychotropic Substances, Unauthorized Drugs, Related Activities, Money Laundering, and Terrorism Financing). This is the foundational AML/CFT law.

**SUGEF Resolution SUGEF 15-22 (January 2022):** This resolution, while not directly linkable as a public document through a simple URL on SUGEF's site, is widely acknowledged in legal analyses for designating VASPs as obligated subjects. It aligns Costa Rica with FATF Recommendation 15 regarding virtual assets.

General SUGEF Normative Section (where such resolutions are published): https://www.sugef.fi.cr/normativa/

There are ongoing discussions within the Central Bank and SUGEF regarding the broader financial innovation landscape.

Like many jurisdictions, Costa Rica is monitoring international developments, particularly the recommendations from the Financial Action Task Force (FATF) and regulatory approaches in more advanced markets (e.g., MiCA in the EU, or frameworks in the US).

Ensure full compliance with **Law N° 7786** and **SUGEF Resolution SUGEF 15-22** regarding AML/CFT obligations.

Implement robust internal controls and best practices for security, asset segregation, and risk management, even if not explicitly mandated by current regulation.

Monitor legislative developments closely, as the regulatory landscape for digital assets is dynamic.

Seek legal counsel specializing in Costa Rican financial and cryptocurrency law.

**Law No. 7786: "Ley sobre Estupefacientes, Sustancias Psicotrópicas, Drogas de Uso no Autorizado, Actividades Conexas, Legitimación de Capitales y Financiamiento al Terrorismo" (Law on Narcotics, Psychotropic Substances, Unauthorized Drugs, Related Activities, Money Laundering, and Financing of Terrorism).** This law, and its subsequent reforms, establishes the general AML/CFT obligations for supervised entities.

**Legal Reference:** **Ley No. 7786** (available through the official legislative information system, e.g., Procuraduría General de la República - Sistema Costarricense de Información Jurídica): http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NXT&nValor1=1&nValor2=39485&nValor3=44622&nValor4=59762&strTipM=TC

**SUGEF (Superintendencia General de Entidades Financieras):** The General Superintendency of Financial Entities (SUGEF) is the primary regulator for financial institutions and is responsible for overseeing AML/CFT compliance. While Costa Rica has been cautious in fully regulating crypto as traditional financial assets, SUGEF has clarified that entities involved in certain crypto-related activities (especially those meeting the FATF definition of a VASP) fall under its purview concerning AML/CFT obligations. SUGEF issues regulations and circulars, such as:

**Circular SUGEF 15-2019 (Reglamento sobre la gestión de riesgo de legitimación de capitales, financiamiento al terrorismo y financiamiento de la proliferación de armas de destrucción masiva):** This regulation outlines the risk management framework for money laundering, terrorism financing, and proliferation financing. It applies to all supervised entities and implicitly requires adherence to international sanctions lists as part of a robust risk assessment and due diligence process.

**Legal Reference:** Check SUGEF's official website for current regulations: https://www.sugef.fi.cr/ (Look for "Normativa" or "Reglamentos").

**Customer Due Diligence (CDD):** Identifying and verifying the identity of all customers, including beneficial owners.

**Sanctions Screening:** Screening all new and existing customers (individuals and entities), beneficial owners, and, where appropriate, transaction counterparties against relevant international sanctions lists (UN, OFAC, EU). This should be an ongoing process.

**Risk-Based Approach:** Implementing a risk-based approach to identify and mitigate the risks associated with sanctions evasion, particularly given the anonymity potential of some virtual assets.

**Reporting:** Reporting suspicious transactions, including those potentially related to sanctions violations or attempts to evade sanctions, to the Financial Intelligence Unit (UIF) of Costa Rica, which operates under the Costa Rican Institute on Drugs (ICD).

**Sanctioned Jurisdictions:** Countries or regions subject to comprehensive sanctions (e.g., Cuba, Iran, North Korea, Syria under certain regimes).

**Designated Individuals/Entities:** Individuals or entities located anywhere in the world who are on international sanctions lists (UN, OFAC, EU).

**Administrative Penalties:** SUGEF can impose fines on supervised entities for non-compliance with AML/CFT regulations. These fines can be substantial and are calculated based on the severity and recurrence of the violation.

Individuals involved in money laundering or terrorism financing activities, or those who knowingly facilitate such activities by failing to comply with their obligations, can face imprisonment under Law 7786, and Bill 22.837 has extended this penalties framework to specifically include VASP-related violations.

**Law 7786** specifies penalties for money laundering (legitimación de capitales) and financing of terrorism, which can range from **10 to 20 years of imprisonment**.

Consult Law No. 7786 as extended by Bill 22.837 for specific penalty clauses, particularly for Virtual Asset Service Provider (VASP)-related violations.

**e-money/Payment Tokens:** Stablecoins are **not automatically classified as e-money or payment tokens** under Costa Rican law. For something to be considered e-money, it typically needs to be issued by a regulated financial entity (like a bank or licensed e-money issuer) under the framework of the **Ley de Sistemas de Pagos (Law No. 8454)**. Most stablecoins, particularly those issued by non-financial entities, would not meet these criteria. If a stablecoin were issued by a financial institution and widely accepted for payment with appropriate guarantees, it *might* be deemed e-money, but this would be an exceptional case.

**Ley de Sistemas de Pagos (Law No. 8454):** https://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NXT&nValor1=1&nValor2=54378&nValor3=58849&strTipM=TC (Spanish)

**Securities:** A stablecoin *could potentially* be classified as a security if its structure and offering meet the definition of a security under the **Ley Reguladora del Mercado de Valores (Securities Market Law, Law No. 7732)**. This would depend on factors such as whether it represents an investment contract, grants rights to profits, or is marketed as an investment opportunity. The **Superintendencia General de Valores (SUGEVAL)**, the securities regulator, would be responsible for this determination on a case-by-case basis.

**Ley Reguladora del Mercado de Valores (Law No. 7732):** https://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NXT&nValor1=1&nValor2=28340&nValor3=33621&strTipM=TC (Spanish)

**Virtual Assets for AML/CFT Purposes:** The most consistent classification applied to stablecoins (and other cryptocurrencies) is as "virtual assets" for the purposes of Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) regulations.

**No specific reserve requirements exist for stablecoins themselves.** Since there is no dedicated stablecoin regulation, there are no legal mandates for issuers to hold specific reserves.

If a stablecoin were to be somehow classified as e-money issued by a regulated financial institution, then that institution would be subject to the existing capital, liquidity, and operational requirements for e-money issuers, which implicitly require sufficient backing and responsible management of funds.

Similarly, if classified as a security, general financial disclosure and capital requirements for securities issuers might apply, but not specific "reserve" mandates in the stablecoin sense.

**No specific stablecoin issuer license exists.**

However, entities providing services related to stablecoins (e.g., exchange, transfer, custody, or conversion between stablecoins and fiat currency) are likely to be classified as **Virtual Asset Service Providers (VASPs)**. As VASPs, they fall under the **Ley sobre estupefacientes, sustancias psicotrópicas, drogas de uso no autorizado, actividades conexas, legitimación de capitales y financiamiento al terrorismo (Law No. 7786)**.

Under Law No. 7786 and its implementing regulations (**Reglamento SUGEF 1-20**), VASPs are considered "obligated subjects" (sujetos obligados) and must:

Register with the **Superintendencia General de Entidades Financieras (SUGEF)**.

Implement robust AML/CFT policies and procedures (e.g., Know Your Customer - KYC, transaction monitoring, suspicious activity reporting).

Comply with international AML/CFT standards set by the Financial Action Task Force (FATF).

**Ley No. 7786 (AML/CFT Law):** https://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NXT&nValor1=1&nValor2=24346&nValor3=33190&strTipM=TC (Spanish)

**Reglamento SUGEF 1-20 (Normativa para la Gestión de Riesgo de Legitimación de Capitales y Financiamiento al Terrorismo para los sujetos obligados por la Ley 7786):** This regulation is accessible via the SUGEF website under "Normativa" -> "Disposiciones Generales." https://www.sugef.fi.cr/normativa/disposiciones_generales/Paginas/default.aspx (Spanish)

**No specific legal guarantee for redemption rights for stablecoin holders** in Costa Rica's current legal framework.

Redemption rights would primarily be governed by the terms and conditions (private contract) established by the stablecoin issuer. Any failure to honor redemption would fall under general contract law.

If a stablecoin were ever to be formally regulated as e-money, then specific redemption rights for e-money holders (e.g., redemption at par value at any time) would likely apply as per existing e-money regulations.

**There are no specific rules or regulations for algorithmic stablecoins** in Costa Rica.

The general lack of specific stablecoin regulation means that algorithmic stablecoins face the same ambiguous legal status as other stablecoins, with the primary regulatory concern being AML/CFT compliance for related VASP activities. The BCCR would likely view these with even greater caution due to their inherent volatility and complexity.

The **Banco Central de Costa Rica (BCCR) has been actively studying the feasibility and implications of issuing its own Central Bank Digital Currency (CBDC)**.

In various reports and public statements, the BCCR has acknowledged the potential benefits (e.g., financial inclusion, payment efficiency, monetary policy effectiveness) and challenges (e.g., financial stability, cybersecurity) of a CBDC.

Currently, there is **no direct regulatory interaction between a potential CBDC and private stablecoins**, as a CBDC is still in the exploration phase and private stablecoins lack a specific regulatory framework.

The BCCR's exploration of a CBDC is driven by its mandate to ensure financial stability and efficient payment systems. A CBDC could potentially offer a safer and more stable digital alternative to private stablecoins, which the BCCR views as carrying significant risks for users. Therefore, a CBDC might be seen as a long-term strategy to address some of the issues that private stablecoins currently present.

**Reference:** The BCCR regularly publishes economic reports and studies that may touch upon digital currencies and CBDCs. It's recommended to check their official publications section: https://www.bccr.fi.cr/ (Spanish)