
Navigating Costa Rica’s Evolving Fraud Protection Framework
With stricter fraud protection requirements and an evolving liability debate, Costa Rican banks are under growing pressure to strengthen fraud prevention as threats escalate.
In Costa Rica, a new cybercrime victim is reported every 38 minutes. This figure is a telling example of the country’s growing online fraud problem.
Historically, Costa Rica has struggled with an established financial crime market. Recent investigations by Costa Rican authorities suggest that many criminals are now migrating toward cybercrime. Compared with traditional crime models, online fraud is easier to operate, carries significantly lower risk, and is increasingly international.
Inside Costa Rica’s Fraud Landscape
Costa Rica is feeling the impact of the fraud surge, which is marked by ransomware attacks, malware threats, and a growing number of scams, including AI-generated impersonations that continue to exploit authority bias and unsuspecting individuals. Government institutions have not been spared. In 2022, the Russia-linked Conti group launched a devastating ransomware attack on nearly 30 public bodies, including the Ministry of Finance and the Costa Rican Social Security Fund (CCSS).
The background of these schemes is painfully similar to patterns seen elsewhere, with global criminal networks and complex structures sitting behind most of these operations. Some groups focus on stealing and selling data, while others carry out the attacks themselves. These networks continue to expand, recruiting new members and targeting countries with weaker defenses, often with domestic help.
The consequences are worrying. Between 2020 and 2024, reported banking cyber fraud cases increased by 668%, and experts warn that 2025 could set a new record. If current trends hold, Costa Rica could see nearly double the number of cases recorded in 2024.
Many scams are fueled by data breaches, with compromised databases of personal details often leaked from financial institutions. Phishing and impersonation scams rank among the most prevalent fraud types, alongside fake lottery schemes and counterfeit checks. AI-powered fraud is also gaining traction, with deepfakes impersonating public figures becoming increasingly widespread.
Regulatory Response
Regulators are seeking to improve outcomes for consumers, who have largely borne fraud losses, by pushing Costa Rican banks to strengthen their safeguards. In June 2025, a new regulation issued by the Superintendencia General de Entidades Financieras, Acuerdo SUGEF 10-07, came into effect, aimed at reinforcing digital banking defenses against the growing threat of cyber fraud.
In particular, SUGEF 10-07 seeks to:
- Mandate minimum controls to prevent and mitigate digital scams across banking channels.
- Require risk-based fraud strategies, approved at board level and regularly reviewed.
- Enforce behavioral and technical monitoring to detect atypical transactions before execution.
- Impose robust authentication, including multi-factor mechanisms, for access and high-risk actions.
- Require real-time user alerts and rapid blocking of suspicious activity.
- Mandate user education in digital cyber hygiene to reduce exposure to social engineering.
- Strengthen supervisory oversight through auditability, reporting to SUGEF, and documented incident handling.
Liability Changes Underway
While SUGEF 10-07 is a supervisory regulation approved by CONASSIF, a separate legal change is currently under debate. Lawmakers in Costa Rica’s Legislative Assembly are considering an amendment to Article 35 of Law 7472, known as Proyecto de ley 23.908. The proposed text would explicitly include banks and other financial entities holding customer funds, and introduce objective and joint liability in certain scenarios, meaning liability would apply regardless of fault.
This could impose automatic responsibility on banks for losses arising from online fraud.
The bill is supported by Costa Rica’s public ombudsman, the Defensoría de los Habitantes, citing reports from fraud victims who express dissatisfaction with how banks handle their cases. The ombudsman has argued that internal bank procedures following a victim’s complaint can, in some cases, exceed 120 business days.
The proposal has faced pushback from the Costa Rican Banking Association (ABC). The association warns that automatic liability could incentivize false claims and simulated fraud, increase system-wide costs, and create negative economic spillovers. Instead, ABC argues for a balanced liability framework with case-by-case assessment, distinguishing between intent or gross negligence and external deception.
Beyond shared responsibility, ABC is also calling for the legislation to establish clear and efficient procedures for investigating fraud claims, similar to frameworks used in Spain and the UK. This would include defined timelines for banks to conduct investigations and respond to affected customers.
Rising Expectations
While final liability rules are under debate, several implications are clear as Costa Rica looks toward 2026 and beyond.
- Under SUGEF 10-07, banks are expected to strengthen customer fraud protection through comprehensive measures, including robust multi-factor authentication, behavioral-based anomaly detection, and structured user education.
- Under Proyecto de ley 23.908 (still under discussion), banks are likely to bear a greater share of fraud losses, whether through an automatic liability regime or a shared liability model. In either case, consumer protection would be significantly strengthened.
With the fraud surge adding another layer of pressure, Costa Rican banks need to strengthen their defenses to meet compliance requirements, control costs, and preserve customer trust.
Practical Solutions for Banks in Costa Rica
To effectively counter fraud and future-proof their defenses, Costa Rican banks can no longer rely solely on reactive measures or litigation. Instead, they need proactive and vigilant prevention focused on the real adversary: organized fraud rings.
To make fraudsters’ lives harder and better protect customers, banks need to adjust their defenses to disrupt the entire fraud lifecycle, from phishing infrastructure to money mules. This requires detection that can assess not only whether a customer is legitimate, but also the context behind each transaction, which is increasingly critical as social engineering–based scams continue to rise.
ThreatMark helps Costa Rican banks do exactly that, supporting compliance with SUGEF 10-07 and strengthening detection across the full fraud lifecycle.