Costa Rica -- Custody Regulations Regulatory Overview

Costa Rica's regulatory framework for cryptocurrency and digital assets, particularly regarding custody, is still in an evolving stage. The primary focus to date has been on Anti-Money Laundering (AML) and Counter-Terrorism Financing (CFT) compliance rather than comprehensive prudential regulation for digital asset custodians.

Here's a breakdown:

Overall Regulatory Stance

The Banco Central de Costa Rica (BCR) has consistently stated that cryptocurrencies are not legal tender in Costa Rica and are not regulated by the BCR as currency. They have issued warnings to the public about the risks associated with investing in and using cryptocurrencies.

The Superintendencia General de Entidades Financieras (SUGEF), the general superintendence of financial entities, is the main financial regulator. While initially hesitant to classify virtual asset service providers (VASPs) under its direct supervision for prudential purposes, SUGEF has expanded its AML/CFT oversight to include them.

Specific Custody Regulations

1. Custodial License Requirements

There is no specific, standalone "digital asset custody license" required in Costa Rica akin to those in jurisdictions with dedicated crypto legislation.

However, performing digital asset custody activities means you are likely classified as a Virtual Asset Service Provider (VASP). As of January 2022, SUGEF Resolution SUGEF 15-22 officially designates VASPs as obligated subjects under Costa Rica's anti-money laundering and counter-terrorism financing framework.

This means that any entity providing custody and/or administration of virtual assets or instruments enabling control over virtual assets must:

• Register with SUGEF as an obligated subject for AML/CFT purposes.
• Implement an AML/CFT compliance program in line with Law N° 7786 (Ley sobre estupefacientes, sustancias psicotrópicas, drogas de uso no autorizado, actividades conexas, legitimación de capitales y financiamiento al terrorismo).
• Conduct Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.
• Monitor transactions for suspicious activity.
• Report suspicious transactions (STRs) to SUGEF's Financial Intelligence Unit (FIU).
• Maintain adequate records for the required periods.

Regulatory References:

• Ley N° 7786: (Law on Narcotics, Psychotropic Substances, Unauthorized Drugs, Related Activities, Money Laundering, and Terrorism Financing). This is the foundational AML/CFT law.
  • URL: http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NXT&nValor1=1&nValor2=43467&nValor3=82071&nValor4=9909&nValor5=17292&strTipM=T
• SUGEF Resolution SUGEF 15-22 (January 2022): This resolution, while not directly linkable as a public document through a simple URL on SUGEF's site, is widely acknowledged in legal analyses for designating VASPs as obligated subjects. It aligns Costa Rica with FATF Recommendation 15 regarding virtual assets.
  • General SUGEF Normative Section (where such resolutions are published): https://www.sugef.fi.cr/normativa/

2. Segregation of Client Assets Rules

Currently, there are no explicit regulatory mandates from SUGEF or the BCR regarding the segregation of client digital assets from the custodian's own assets. These types of rules are typically part of prudential regulation aimed at protecting consumers in case of insolvency or fraud, which is not yet fully developed for crypto custodians in Costa Rica.

However, as a best practice in the industry, and to mitigate legal and operational risks, reputable custodians voluntarily implement asset segregation.

3. Insurance/Bonding Requirements

There are no specific regulatory requirements for insurance or bonding for digital asset custodians in Costa Rica. Similar to asset segregation, these are prudential measures often seen in more mature regulatory frameworks for financial services.

Again, leading industry players may choose to obtain insurance coverage to protect against various risks (e.g., cyber theft, employee misconduct), but this is not a regulatory mandate.

4. Cold Storage Mandates

There are no specific regulatory mandates for cold storage (offline storage of private keys) from Costa Rican authorities. Regulators have not yet delved into the specific technical security requirements for digital asset custody.

Custodians are expected to implement robust security measures as part of their general operational risk management, but the specific methods (cold storage, multi-signature, hardware security modules) are left to the custodian's discretion and industry best practices.

5. Qualified Custodian Definitions

Costa Rica does not have a specific legal or regulatory definition of a "qualified custodian" for digital assets in the prudential sense (e.g., requiring specific capital, expertise, or operational standards beyond AML).

However, by classifying VASPs (which includes custodians) as "obligated subjects" under AML/CFT law, SUGEF effectively defines a set of entities that must meet certain compliance standards. In this context, an entity fulfilling these AML/CFT obligations could be considered "qualified" to operate as a VASP from an anti-money laundering perspective.

6. Any Pending Custody Legislation

As of late 2023/early 2024, there has been no specific comprehensive digital asset custody legislation or a dedicated regulatory framework for digital asset services (beyond AML) that has been passed or is in advanced stages of parliamentary debate.

• There are ongoing discussions within the Central Bank and SUGEF regarding the broader financial innovation landscape.
• Like many jurisdictions, Costa Rica is monitoring international developments, particularly the recommendations from the Financial Action Task Force (FATF) and regulatory approaches in more advanced markets (e.g., MiCA in the EU, or frameworks in the US).

It is plausible that future legislation could emerge to address prudential aspects, consumer protection, and specific licensing for crypto service providers, including custodians. However, this would likely be part of a broader digital asset law rather than a standalone custody bill.

Summary and Recommendation

Currently, the primary regulatory burden for digital asset custodians in Costa Rica is compliance with AML/CFT requirements as an "obligated subject" under the supervision of SUGEF. Specific prudential rules regarding asset segregation, insurance, security mandates (like cold storage), or a dedicated "qualified custodian" definition are absent.

Entities operating or planning to operate as digital asset custodians in Costa Rica should:

1. Ensure full compliance with Law N° 7786 and SUGEF Resolution SUGEF 15-22 regarding AML/CFT obligations.
2. Implement robust internal controls and best practices for security, asset segregation, and risk management, even if not explicitly mandated by current regulation.
3. Monitor legislative developments closely, as the regulatory landscape for digital assets is dynamic.
4. Seek legal counsel specializing in Costa Rican financial and cryptocurrency law.