JPRF-T-2025-0156 — Incorporates Title II "Norm on Requirements and Parameters for the Operation of Controlled Spaces for Regulatory Testing (Regulatory Sandboxes) for Innovative Developments"

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas Governmental Financial Management Platform. Red Block, 8th floor | Postal Code: 170507 | Quito - Ecuador | Resolution No. JPRF-T-2025-0156 THE FINANCIAL POLICY AND REGULATION BOARD CONSIDERING: That, Article 82 of the Constitution of the Republic of Ecuador prescribes that the right to legal certainty is based on respect for the Constitution and on the existence of prior, clear, public legal norms applied by competent authorities; That, Article 84 of the Fundamental Norm establishes that every body with normative power has the obligation to adapt, formally and materially, laws and other legal norms to the rights provided for in the Constitution; That, number 6 of Article 132 of the aforementioned Constitution grants public regulatory bodies the power to issue general norms in matters within their competence, without being able to alter or innovate legal provisions; That, Article 213 of the Magna Carta defines superintendencies as technical bodies for surveillance, auditing, intervention, and control of economic activities and services provided by public and private entities, with the purpose that these activities and services comply with the legal framework and serve the general interest. Superintendencies will act ex officio or upon citizen request. The specific powers of the superintendencies and the areas requiring control, auditing, and surveillance of each will be determined in accordance with the law; That, Article 226 of the Supreme Norm states that State institutions, their bodies, dependencies, public servants, and persons acting by virtue of a state power shall exercise only the competencies and powers attributed to them in the Constitution and the law; having the duty to coordinate necessary actions for the effective fulfillment of rights recognized in the Constitution; That, Article 227 of the Fundamental Norm determines that public administration constitutes a service to the community governed by the principles of effectiveness, efficiency, quality, hierarchy, decentralization, coordination, participation, planning, transparency, and evaluation; That, Article 308 ibid indicates that financial activities are a matter of public order and may be exercised, with prior State authorization, in accordance with the law; That, the article following number 6 of Article 6 of the Organic Code of Monetary and Financial Law, Book I, which incorporates international best practices, prescribes that bodies with regulatory, normative, or control capacity shall seek to adopt as a reference framework international technical standards related to the scope of their competence for the issuance of regulations and the exercise of their functions, strictly adhering to the normative hierarchy established in the Constitution of the Republic of Ecuador; That, Article 9 of the aforementioned norm indicates that regulatory and control bodies shall have the duty to coordinate actions to fulfill their purposes and make effective the enjoyment and exercise of rights recognized in the Constitution, for which effect they shall exchange data or reports related to entities subject to their regulation and control; That, Article 13 of the Organic Code of Monetary and Financial Law, Book I, created the Financial Policy and Regulation Board, part of the Executive Function, as a legal entity of public law, with administrative, financial, and operational autonomy, responsible for formulating credit, financial, securities, insurance, and prepaid comprehensive health care service policy and regulation; That, Article 14 ibid, in numbers 1 and 2, provides that it falls to the Financial Policy and Regulation Board within its scope of competence to formulate credit, financial, securities, and insurance policies; and to issue regulations that allow maintaining the integrity, solidity, sustainability, and stability of the national financial, securities, and insurance systems; That, Article 14.1, numbers 1, 7, 9, 15 letters a and b, 17, 25, and 27 of the aforementioned Organic Code of Monetary and Financial Law, Book I, establish that it falls to the Financial Policy and Regulation Board, among other powers, the following: i) regulate the creation, constitution, organization, activities, operation, and liquidation of financial, securities, and insurance entities; ii) issue the prudential regulatory framework to which financial, securities, and insurance entities must adhere, which must be coherent and not give rise to regulatory arbitrage; iii) issue the non-prudential regulatory framework for all financial, securities, and insurance entities, which will include, among others, norms on accounting, transparency and information disclosure, market integrity, and consumer protection; iv) authorize financial, securities, and insurance entities to carry out new activities or operations that, while not prohibited, are necessary to fulfill the objectives of financial, credit, securities, and insurance policy, in accordance with the regulations issued for this purpose; v) establish any measure that helps prevent and seek to eradicate fraudulent and prohibited practices, including money laundering and the financing of crimes such as terrorism, considering current and applicable international standards, protect the privacy of individuals regarding the dissemination of their personal information, promote financial inclusion, promoting the participation of financial, securities, and insurance entities; vi) issue the norms that regulate insurance and reinsurance; vii) apply the provisions of said organic code and resolve cases not foreseen in it, within its scope of competence; and, viii) exercise the other functions, duties, and powers assigned to it by the Organic Code of Monetary and Financial Law and the law; That, number 1 of Article 25.1 ibid prescribes, as one of the functions of the Technical Secretariat of the Financial Policy and Regulation Board, the elaboration of technical and legal reports that support the regulatory proposals to be issued by this institution; That, General Provision Twenty-Ninth of the Organic Code of Monetary and Financial Law, Book I, prescribes: "In the current legislation where mention is made of the 'Monetary and Financial Policy and Regulation Board', replace it with 'Financial Policy and Regulation Board.'"; That, Transitory Provision Fifty-Fourth of the aforementioned Code determines the transitional regime of resolutions of the Codification of the Monetary and Financial Policy and Regulation Board, establishing that: "(...) Resolutions contained in the Codification of Monetary, Financial, Securities, and Insurance Resolutions of the Monetary and Financial Policy and Regulation Board and norms issued by control bodies will remain in force until the Monetary Policy and Regulation Board and the Financial Policy and Regulation Board resolve what corresponds, within their respective competencies."; That, among the attributions of the aforementioned National Council of Securities detailed in Article 9, numbers 1, 17, 19, 20, and 25 of the Securities Market Law, which, as noted above, currently correspond to this Board, are the following: i) establish the general policy of the securities market and regulate its operation; ii) establish general policies for the supervision and control of the market, as well as promotion and training mechanisms; iii) authorize related activities of stock exchanges and securities houses that are necessary for the adequate development of the securities market; iv) ensure observance and compliance with the norms governing the securities market; and, v) establish the norms necessary to prevent cases of conflicts of interest and affiliation of market participants; That, the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech Law), published in Official Register Supplement No. 215 of December 22, 2022, states in its Articles 1 and 2, respectively, that its object is to regulate Fintech Activities related to all financial activities, including the financial, securities, and insurance markets; and that its purpose is to foster innovation and development, adoption and use of new technologies in financial products and services to improve financial inclusion, national productivity, and contribute to reducing socio-economic inequality gaps in a context of full competition and provide protection to users and consumers of services; That, Article 8 ibid establishes that fintech companies will be regulated by the Monetary Policy and Regulation Board and the Financial Policy and Regulation Board, as appropriate; and supervised and controlled by the Central Bank of Ecuador, the Superintendence of Companies, Securities and Insurance, the Superintendence of Banks, or the Superintendence of Popular and Solidarity Economy, within the scope of their competencies and according to the regulation issued for this purpose; That, General Provision First of the aforementioned law indicates that fintech companies and financial entities that develop innovative models may request a temporary authorization from the competent control entity to operate in regulatory sandboxes. For the issuance of said authorization, the requirements and parameters established in this Law and in the regulations issued by the Financial Policy and Regulation Board, within the scope of their competencies, must be met. Additionally, the aforementioned general provision prescribes that the Superintendence of Banks, the Superintendence of Companies, Securities and Insurance, the Superintendence of Popular and Solidarity Economy, and the Central Bank of Ecuador are empowered to create regulatory sandboxes, within the scopes of regulated activities that are within their competence, and emphasizes that they must conform to the legal framework; That, the Fintech Law incorporates into the Organic Code of Monetary and Financial Law in its Books I, II, and III a series of articles that determine duties and attributions for the Financial Policy and Regulation Board; That, Article 439.7 of the Organic Code of Monetary and Financial Law, Book I, establishes that the Superintendence of Banks or the Central Bank of Ecuador, within the scope of their respective competencies, will implement a program for the creation of regulatory testing environments intended for new business models related to technological financial services and technology-based payment services, as appropriate. While the company is in the regulatory testing environment, it may develop its services under the constant supervision and control of the respective control bodies; That, Article Art. 73.7 of the Organic Code of Monetary and Financial Law, Book II "Securities Market Law" provides that, regarding the implementation of regulatory testing environments or sandboxes for the generation of regulatory testing environments for new business models related to technological services for the securities market, which are not yet specifically regulated, the implementation of said programs will be under the responsibility of the Superintendence of Companies, Securities and Insurance, in coordination with the Central Bank, the Financial Policy and Regulation Board, and the Monetary Policy and Regulation Board. Likewise, the aforementioned article determines that while the respective company is in the regulatory testing environment, it may develop its services under the constant supervision and control of the Superintendence of Companies, Securities and Insurance; That, Article 8.8 of Book III "General Insurance Law" of the aforementioned organic code stipulates for the regulatory sandbox that the Superintendence of Companies, Securities and Insurance, in coordination with the Central Bank, the Financial Policy and Regulation Board, and the Monetary Policy and Regulation Board, will implement a program for the generation of regulatory testing environments for new business models related to technological services for insurance, which are not yet specifically regulated. While in the regulatory testing environment, the respective company may develop its services under the constant supervision and control of the Superintendence of Companies, Securities and Insurance; That, the Regulation to the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech Law), provides that the Monetary Policy and Regulation Board and the Financial Policy and Regulation Board are the only competent bodies to regulate testing environments (Sandbox), in the monetary and financial scopes, as appropriate; That, Article 7 of the Regulation to the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech Law) prescribes that the Financial Policy and Regulation Board must have the technical contribution of the Financial and Economic Analysis Unit for the issuance of corresponding regulations with the object of preventing money laundering and the financing of crimes; That, the Financial Policy and Regulation Board, through Office No. JPRF-JPRF-2025-0136-O of April 7, sent to the Superintendence of Banks, Superintendence of Popular and Solidarity Economy, Superintendence of Companies, Securities and Insurance, and Financial and Economic Analysis Unit the draft of "Norm on Requirements and Parameters for the Operation of Controlled Spaces for Regulatory Testing (Regulatory Sandboxes) for Innovative Developments", for its technical contribution; That, the Financial Director of the Financial and Economic Analysis Unit, through email of April 14, 2025, stated having no observations on the draft norm sent, fulfilling what is prescribed in Article 7 of the Regulation to the Organic Law for the Development, Regulation and Control of Technological Financial Services (Fintech Law); That, Article 9 "Principle of Coordination" of the Organic Administrative Code establishes that public administrations, including regulatory and control bodies, develop their competencies in a rational and orderly manner, avoiding duplications and omissions. Likewise, Article 28 "Principle of Collaboration" determines that public administrations must work in a complementary manner, providing mutual aid and agreeing on coordination mechanisms for the management of their competencies; That, Article 15 of the Organic Administrative Code, with reference to the principle of responsibility, provides that the State will respond for damages as a consequence of the lack or deficiency in the provision of public services or the actions or omissions of its public servants or subjects of private rights acting in the exercise of a public power delegated by the State and its dependents, controlled or contractors, with the State making effective the responsibility of the public servant for intentional or negligent acts or omissions, stating that no public servant is exempt from responsibility; That, the Technical Secretary of the Financial Policy and Regulation Board, through Memorandum No. JPRF-ST-2025-0039-M of May 28, 2025, sends to the President of the Board the Technical Report No. JPRF-CTIFSP-2025-0009 of May 28, 2025, issued by the Technical Coordination of Policy and Regulation of the Financial Inclusion and Prepaid Health System; as well as the Legal Report No. JPRF-CJF-2025-025 of May 28, 2025, issued by the Legal Coordination of Policy and Financial Norms of this Board, as well as the respective draft resolution; That, the Financial Policy and Regulation Board, in an extraordinary session held by technological means, convened on May 28, 2025 and carried out via video conference on May 30, 2025, reviewed the Memorandum No. JPRF-ST-2025-0039-M of May 28, 2025, issued by the Technical Secretary of the Board;

Resolution No. JPRF-T-2025-0156 Page 4 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas Governmental Financial Management Platform. Red Block, 8th floor | Postal Code: 170507 | Quito - Ecuador |

as well as the aforementioned Technical Report No. JPRF-CTIFSP-2025-0009 and Legal Report No. JPRF-CJF-2025-025, in addition to the corresponding draft resolution; In exercise of its functions, RESOLVES: SINGLE ARTICLE.- The "Norm on Requirements and Parameters for the Operation of Controlled Spaces for Regulatory Testing (Regulatory Sandboxes) for Innovative Developments" is issued and incorporated into the Codification of Monetary, Financial, Securities, and Insurance Resolutions, Book V "COMMON APPLICATION NORMS FOR REGULATED SECTORS", as Title II, the following text:

"TITLE II: NORM ON REQUIREMENTS AND PARAMETERS FOR THE OPERATION OF CONTROLLED SPACES FOR REGULATORY TESTING (REGULATORY SANDBOXES) FOR INNOVATIVE DEVELOPMENTS CHAPTER I: REQUIREMENTS AND PARAMETERS FOR THE OPERATION OF CONTROLLED SPACES FOR REGULATORY TESTING (REGULATORY SANDBOXES) FOR INNOVATIVE DEVELOPMENTS SECTION I: OBJECT, SCOPE, DEFINITIONS AND PRINCIPLES Art. 1.- Object and scope.- To regulate the operation of controlled spaces for regulatory testing (regulatory sandboxes), which allow putting into practice innovative developments in the national financial, securities, and insurance systems, distinct from those that are within the exclusive competence of the Monetary Policy and Regulation Board and the Central Bank of Ecuador. Art. 2.- Definitions.- For the purposes of this norm, the following definitions will be considered:

1. Business continuity management: It is a permanent process that guarantees the continuity of entity operations, through the effective maintenance of a business continuity management system.
2. Cybersecurity: It is the set of protection measures for technological infrastructure and information, through the treatment of threats and vulnerabilities that put at risk the confidentiality, integrity, and availability of information processed by the different interconnected technological components.
3. Operational contingency: Any internal or external event that hinders, limits, or prevents a supervised entity within the regulatory sandboxes from providing its services or activities normally, affecting business continuity. It may compromise the confidentiality, integrity, or availability of information, and put at risk those processes that could have a direct or indirect impact on users of the regulatory tests.
4. Innovative developments: It is a new product, design, process, service, method, or organization, or an existing one to which value is added through the use of new and/or existing technologies, for the exercise of financial activities, for whose implementation regulatory reforms may be required.
5. Controlled spaces for regulatory testing: Testing environments implemented by the respective control body applicable to the national financial, securities, and insurance systems, also known as regulatory sandboxes, for the performance of regulatory testing of pilot projects in a controlled and delimited environment in accordance with the provisions of this norm, in order to prove their viability, and identify the necessary regulatory modifications for their implementation. The implementation of controlled spaces for regulatory testing comprises the following phases: application and selection, development of regulatory tests, and evaluation of results.
6. Technological infrastructure: Set of organized technological elements whose function is to support the operations of an entity.
7. Temporary operating license: Temporary authorization issued by the respective control body, which allows a supervised entity to carry out operational tests of innovative developments, within a controlled space for regulatory testing.
8. Monitor(s): It is an official, group of officials, or administrative areas, designated by the respective control body, for the follow-up of tests carried out in the controlled spaces for regulatory testing.

Resolution No. JPRF-T-2025-0156 Page 5 of 17

---

Address: Av. Amazonas between Pereira and Unión Nacional de Periodistas Governmental Financial Management Platform. Red Block, 8th floor | Postal Code: 170507 | Quito - Ecuador |

9. Controlled closure plan: Document presented by the promoters and approved by the corresponding control body, through which procedures are established to liquidate operations and finalize the test.
10. Transition plan: Document presented by the supervised entity, and approved by the corresponding control body, through which the process is established for the entity to demonstrate full compliance with the operational requirements applicable to the sector associated with the innovative developments, once the temporary test ends.
11. Promoter: Any legal person, entity of the national financial, securities, and insurance systems, and auxiliary companies duly constituted, that individually or jointly with others, seeks to obtain authorization to carry out fintech activities and presents to the corresponding control body a pilot project in accordance with what is provided in this norm.
12. Test protocol: Document that includes the detail of processes, activities, human resources, technological resources, and others related, through which the tests will be carried out.
13. Pilot project: Innovative development on which a set of tests will be carried out in a regulatory sandbox, backed by what is provided in this norm and subject to supervision by the corresponding control body.
14. Regulatory tests: Temporary and controlled implementation of innovative developments carried out in accordance with the provisions