JPRF-F-2023-076 — Regulation of Financial Technology Service Entities: Definitions, AML/CFT Risk Management, and Digital Credit Lending Entities

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador Resolution No. JPRF-F-2023-076

THE FINANCIAL POLICY AND REGULATION BOARD

CONSIDERING:

That Article 132, number 6 of the Constitution of the Republic of Ecuador determines that a law will be required to "6. Grant public control and regulation bodies the authority to issue general norms in matters within their competence, without being able to alter or innovate legal provisions.";

That Article 226 of the Magna Carta mandates that State institutions, their bodies, dependencies, public servants, and persons acting by virtue of a State power will exercise only the competencies and faculties attributed to them in the Constitution and the law;

That Article 227 ibid establishes that the Public Administration constitutes a service to the community that is governed by the principles of effectiveness, efficiency, quality, hierarchy, coordination, participation, and others;

That Article 308 of the Fundamental Law prescribes that financial activities are a matter of public order. Furthermore, it states that the State will promote access to financial services and the democratization of credit;

That Article 309 of the Supreme Norm indicates that "the National Financial System is composed of the public, private, and popular and solidary sectors (...)" Each of these sectors will have specific and differentiated control norms and entities, which will be responsible for preserving their safety, stability, transparency, and solidity;

That Article 13 of the Organic Monetary and Financial Code, Book I, created the Financial Policy and Regulation Board, part of the Executive Function and as a legal entity of public law, responsible for the formulation of credit, financial, securities, insurance, and prepaid comprehensive health care services policy and regulation;

That Article 14, number 2 ibid, stipulates that it corresponds to the Financial Policy and Regulation Board "2. Issue the regulations that allow maintaining the integrity, solidity, sustainability, and stability of the national financial, securities, insurance, and prepaid comprehensive health care services systems in accordance with what is provided in article 309 of the Constitution of the Republic of Ecuador (...)";

That Article 14.1 of the aforementioned Organic Code orders the Financial Policy and Regulation Board to fulfill the following faculties, among which are: "1. Regulate the creation, constitution, organization, activities, operation, and liquidation of financial entities (...); 7. Issue the prudential regulatory framework to which financial entities must be subject (...), framework that must be coherent, not give rise to regulatory arbitrage (...); 15. Establish, within the framework of its competencies, any measure that contributes to: a. Prevent and seek to eradicate fraudulent and prohibited practices, including money laundering and the financing of crimes such as terrorism, considering current and applicable international standards; b. Protect the privacy of individuals in relation to the dissemination of their personal information, as well as national security information (...); d. Promote financial inclusion, promoting the participation of financial entities (...); 27. Exercise the other functions, duties, and faculties assigned to it by this Code and the law.";

That Article 5 of the Organic Law for the Development, Regulation, and Control of Financial Technology Services (Fintech Law), published on December 22, 2022, in the Second Supplement No. 215 of the Official Register, enumerates Fintech Activities, among which are Financial Technology Services;

Resolution No. JPRF-F-2023-076 Page 2 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador

That Article 6 ibid establishes the following principles by which the aforementioned Law is governed: autonomy of will, risk-based regulation, transparency, specialty, loyalty, confidentiality and data protection, security, and incidents/vulnerabilities;

That Article 8 of the aforementioned Organic Law prescribes that "fintech companies will be regulated by the Monetary Policy and Regulation Board and the Financial Policy and Regulation Board, as applicable (...)";

That Article 11 of the Fintech Law reformed article 162 of the Organic Monetary and Financial Code, Book I, Chapter 2 "Integration of the National Financial System", of Title II "National Financial System", incorporating in numbers 4 and 5, as entities of the private financial sector, those of Financial Technology Services and Specialized Societies for Electronic Deposits and Payments;

That Article 12 of the aforementioned Organic Law reformed the Organic Monetary and Financial Code, Book I, incorporating articles 439.1, 439.2, 439.3, 439.4, 439.5, and 439.6 into Section 12 "On financial technology services", Chapter 5 "Private Financial Sector", of Title II "National Financial System";

That Article 439.1 of the aforementioned normative body establishes that among the financial technology service entities is digital credit lending, which is defined as "companies that offer credit products through electronic platforms, without this implying the capture of public resources for intermediation purposes (...)";

That Article 439.4 ibid mandates the Financial Policy and Regulation Board to regulate on experts in economics and information security who will determine differentiated criteria according to the financial and technological risks of financial technology service entities;

That Article 439.5 of the aforementioned Code orders the Financial Policy and Regulation Board and the Monetary Policy and Regulation Board, as applicable, to regulate the definition and actions comprising the operations carried out by financial technology service entities;

That Article 439.6 of the Organic Monetary and Financial Code, Book I, establishes that financial activities based on technology that represent high risks will be determined by the Financial Policy and Regulation Board;

That the First Transitory Provision of the aforementioned Law grants the Financial Policy and Regulation Board and the Monetary Policy and Regulation Board a period of one hundred eighty (180) days counted from its publication in the Official Register, to develop secondary legislation that allows the application of what is established therein;

That the Technical Secretary of the Financial Policy and Regulation Board, through Memorandum No. JPRF-ST-2023-0069-M of September 9, 2023, submits to the President of the Board the following reports:

i. Technical Report No. JPRF-CTSF-2023-014 of September 9, 2023 concludes that, based on the review of comparative norms, workshops held with public and private actors, specialized consultants in fintech regulation from countries in the region, international organizations, and the review of bibliographic sources related to the matter, it is estimated that the proposal for the norm applicable to digital credit lending entities should include, within the framework of aspects established by the Fintech Law to this Board, elements referring to operations, minimum capital for operation, management of risks that would affect clients, such as operational risk, technological risk, and information security, as well as money laundering and financing of crimes such as terrorism risk, and provisions regarding the protection of the rights of financial users, recognizing in said provisions the nature and characteristics proper to this type of entity, in accordance with the definitions contained in the Organic Law for the Development, Regulation, and Control of Financial Technology Services (FINTECH LAW).

ii. Legal Report No. JPRF-CJF-2023-040 of September 9, 2023 concludes that:

• The Financial Policy and Regulation Board, in accordance with articles 13, 14, 14.1, 439.2, 439.4, 439.5, and 439.6 of the Organic Monetary and Financial Code, Book I, and article 8 of the Organic Law for the Development, Regulation, and Control of Financial Technology Services (Fintech Law), is competent to issue secondary legislation for the application of the Fintech Law.

• Articles 11 and 12 of the aforementioned Law reformed the Organic Monetary and Financial Code, Book I, incorporating in number 4 of article 162 of Chapter 2 "Integration of the National Financial System", of Title II "National Financial System", the financial technology service entities as part of the Private Financial Sector and including articles 439.1, 439.2, 439.3, 439.4, 439.5, and 439.6 in Section 12 "On financial technology services", Chapter 5 "Private Financial Sector", Title II "National Financial System", respectively.

• The Financial Policy and Regulation Board must observe the First Transitory Provision of the Fintech Law, which grants it a period of one hundred eighty (180) days counted from its publication in the Official Register, to develop secondary legislation that allows its application. Said time period must be computed as a term, in accordance with what is provided in articles 58 and 59 of the Organic Administrative Code;

That the Financial Policy and Regulation Board, in an ordinary session held by technological means, convened on September 9, 2023, and carried out via video conference on September 11, 2023, learned of Memorandum No. JPRF-ST-2023-0069-M of September 9, 2023, issued by the Technical Secretary of the Board; as well as Technical Report No. JPRF-CTSF-2023-014 and Legal Report No. JPRF-CJF-2023-040 of September 9, 2023, issued by the Technical Coordination of Policy and Regulation of the Financial System and by the Legal Coordination of Policy and Financial Norms, and the corresponding draft resolution;

That the Financial Policy and Regulation Board, in an ordinary session held by technological means, convened on September 9, 2023, and carried out via video conference on September 11, 2023, learned of and approved the following Resolution; and,

In exercise of its functions,

RESOLVES:

SINGLE ARTICLE.- Incorporate Chapter LXII "Norm that Regulates Financial Technology Service Entities", immediately after Chapter LXI "Extraordinary and Temporary Financial Relief Mechanism Applicable to the Popular and Solidarity Economy Financial Sector", of Title II "National Financial System", Book I "Monetary and Financial System", of the Codification of Monetary, Financial, Securities, and Insurance Resolutions, with the following text:

"CHAPTER LXII.- NORM THAT REGULATES FINANCIAL TECHNOLOGY SERVICE ENTITIES

SECTION I.- DEFINITIONS, QUALIFICATION, AND OPERATIONS OF FINANCIAL TECHNOLOGY SERVICE ENTITIES

Resolution No. JPRF-F-2023-076 Page 4 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador

SUBSECTION I.- DEFINITIONS

Art. 1..- Definitions.- For the purposes of this norm, the following definitions are considered:

a. Data analytics: The processing, cleaning, transformation, and modeling of data with the objective of discovering patterns, trends, correlations, and statistically significant information. Data analysis allows for informed decision-making, identifying business opportunities, improving efficiency, and gaining insights from large volumes of data.

b. Automated advisors: Digital platforms that offer automated financial advice on investments and portfolio management and contract intermediation.

c. Big data: Refers to large and complex sets of data that require specialized processing methods for tasks such as capture, storage, analysis, and visualization. It is characterized by its high volume, velocity, variety, and the requirement of innovative technology to collect and analyze data.

d. Blockchain: Information recording technology that collects and stores data in blocks, as well as transaction details, creating a unique record in a pre-existing chain, using advanced cryptography.

e. Cybersecurity: The set of protection measures for technological infrastructure and information, through the treatment of threats that put at risk the information processed by the different interconnected technological components.

f. Client: Natural or legal person, internal or external to the organization, with which a financial system entity establishes, directly or indirectly, occasionally or permanently, a contractual relationship of a financial, economic, or commercial nature.

g. Cloud Computing: A model of information technology services that provides access to computing resources, such as storage, servers, and software, through the internet.

h. Digital credit lending: The process related to the granting of credits that involves at least the promotion, evaluation of the client's risk profile, approval, and disbursement, largely automated by the use of digital technologies, through electronic platforms. Everything related to crowdfunding is excluded.

i. Confidentiality: The attribute that only authorized personnel of the entity has access to pre-established information.

j. Smart contract: An electronic algorithm configured on a blockchain to fulfill an agreement previously established between two or more parties. Once the conditions are met, a digital task or automatic transaction is executed. The transactions performed are traceable, transparent, and irreversible.

k. Open data: Those data that are not restricted and easily available to the public on websites and open public data sets.

l. Biometric data: Unique personal data, relating to the physical, physiological characteristics, or behaviors of a natural person that allows or confirms the unique identification of said person, such as facial images or fingerprint data, among others.

Resolution No. JPRF-F-2023-076 Page 5 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador

m. Confidential data: Data protected against disclosure and that are highly sensitive or legally, regulatory, or contractually restricted from disclosure.

n. Credit data: Data that integrate the economic behavior of persons, to analyze their financial capacity.

o. Digital credit lending entities: Financial technology service entities that offer credit products exclusively through electronic platforms, through automated processes, largely by the use of digital technologies, which involve at least the promotion, evaluation of the client's risk profile, approval, and disbursement, without being able to capture public resources for intermediation purposes.

p. Fintech (Financial Technology): Financial innovations facilitated by technology that could give rise to new business models, applications, processes, or products with a substantial effect on markets, financial institutions, and the provision of financial services.

q. Technological infrastructure: Set of technological elements grouped and organized whose function is to support the operations of an entity.

r. Business Intelligence (BI): The process of collecting, analyzing, and presenting data, which uses technological tools for the generation of information and optimization of analysis for decision-making.

s. Data protection: Technical, organizational, legal, and any other measures that are necessary, so that the processing of data is used exclusively for the purpose for which they were requested and/or authorized, in accordance with the current law for that effect.

t. Provider: Any natural or legal person of a public or private nature that develops activities of production, manufacturing, importation, construction, distribution, rental, or commercialization of goods, as well as the provision of services to consumers.

u. Financial technology services: Financial activities centered on digital and electronic technology provided by entities recognized in the law. Among the entities that provide financial technology services are the following:

a. Digital Credit Lending entities;

b. Neobanks;

c. Personal Finance and Financial Advisory entities; and,

d. Others determined by the Financial Policy and Regulation Board.

v. Information Management System (IMS): A set of processes, procedures, policies, technologies, and tools designed to efficiently manage information within an entity.

w. Digital technology: Refers to the use of information technologies, such as the Internet, electronic platforms, mobile technologies, as well as data analytics used to improve the generation, collection, exchange, aggregation, combination, analysis, access, search, and presentation of digital content, including the development of services and applications.

x. Electronic technology: Refers to the use of electronic devices and systems to carry out processes and activities. In the context of Fintech solutions, this implies the use of devices such as smartphones, computers, tablets, among others.

Resolution No. JPRF-F-2023-076 Page 6 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador

y. Electronic information transfer: The method of sending, receiving, or transferring data, information, files, messages, among others, electronically.

z. Identity verification: Process that allows objectively authenticating, through any system, that the identity of the applicant coincides with the person who will obtain the product or service.

SUBSECTION II.- ON THE MANAGEMENT OF MONEY LAUNDERING AND FINANCING OF CRIMES, SUCH AS TERRORISM (AML/CFT)

Art. 2..- Applicable norms.- Financial technology service entities must be subject to the AML/CFT regulations issued by the Financial Policy and Regulation Board, and those established by the Superintendency of Banks, insofar as they correspond to the corporate purpose and operations of the same.

Art. 3..- On the Compliance Officer.- Financial technology service entities must have a principal compliance officer and a substitute. In the event of temporary or permanent absence of the principal compliance officer, the substitute compliance officer will replace them. In the absence of the substitute, the compliance function will be temporarily exercised by the legal representative.

The principal and substitute compliance officers will exercise their functions for the prevention of money laundering and financing of crimes risks, at least part-time, meaning they may perform other activities as long as they are not related to other areas that could generate a conflict of interest.

SINGLE TRANSITORY PROVISION.- The entities described in this subsection will implement the norms for the Management of Money Laundering and Financing of Crimes, such as Terrorism, within a maximum period of six (6) months, from their qualification before the Superintendency of Banks.

SUBSECTION III.- DIGITAL CREDIT LENDING ENTITIES

PARAGRAPH I.- SCOPE

Art. 4..- Scope.- The provisions of this subsection will apply to digital credit lending entities, which will observe what is established in the Organic Monetary and Financial Code, Book I, the Organic Law for the Development, Regulation, and Control of Financial Technology Services (Fintech Law), and any other norm applicable to them.

PARAGRAPH II.- ON CAPITAL AND QUALIFICATION

Art. 5..- Minimum capital.- The capital of digital credit lending entities will be divided into registered shares. The minimum subscribed and paid-in capital for the constitution of these entities will be USD 200,000.00 (two hundred thousand United States dollars).

Art. 6..- Qualification.- The requirements for the qualification of these entities will be established by the Superintendency of Banks, among which must include policies, processes, procedures, and methodologies for corporate governance, risk management and administration, including aspects of cybersecurity and information security.

The qualification process carried out by the Superintendency of Banks for digital credit lending will allow qualified entities to operate in all credit segments contemplated in the current regulation, with the purpose of fostering innovation and development, adoption and use of new technologies in financial products and services to improve financial inclusion, national productivity, and contribute to the reduction of socioeconomic inequality gaps in a context of full competition and providing protection to users and consumers of the services.

Resolution No. JPRF-F-2023-076 Page 7 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas, Financial Management Governmental Platform. Yellow Block, 5th Floor | Postal Code: 170507 | Quito - Ecuador

PARAGRAPH III.- POLICIES, PROCEDURES, CONTROLS, SUPERVISION, AND ON THE EXPERT IN ECONOMY AND INFORMATION SECURITY

Art. 7..- Policies, procedures, and controls.- Entities must design, approve, and implement policies, procedures, and controls that reconcile their economic-financial viability with their capacity to have appropriate strategic responses to the risks inherent to their business lines, according to their size, vo