2025-09-19 | Resolución SBS 3289-2025

SBS Resolution No. 3289-2025: Modification of Article 17 of the Credit and Debit Card Regulations

The Peruvian Superintendence of Banking, Insurance and Private Pension Fund Administrators (SBS) issued Resolution No. 3289-2025 to modify Article 17 of the Credit and Debit Card Regulations, requiring financial institutions to maintain transaction monitoring systems that are distinct from user authentication processes. The amended article requires companies to adopt minimum security measures, including fraud pattern identification, alert management procedures, transaction amount limits across service channels, and enhanced authentication for high-risk operations. The resolution also clarifies that monitoring measures are part of corporate risk management and do not by themselves determine transaction validity, and that institutional liability for user transactions is determined according to Article 23 of the Regulations.


Peru

Superintendencia de Banca Seguros y AFP


Lima, September 17, 2025

SBS Resolution No. 3289-2025

The Superintendent of Banks, Insurance Companies and Private Pension Fund Administrators

CONSIDERING:

Whereas, by SBS Resolution No. 6523-2013 the Credit and Debit Card Regulations were approved, which establish general provisions applicable to credit and debit cards, including those regarding the implementation of transaction monitoring systems and corporate responsibilities when transactions are executed, as well as the necessary validations required to verify each cardholder's identity;

Whereas, by SBS Resolution No. 2286-2024 the regulatory framework for card usage was modified, establishing that financial system companies must assume responsibility for users' identity validation procedures and obtaining their consent when executing transactions, in cases of unrecognized transactions and those processed without requiring enhanced authentication, as well as the companies' obligations associated with compliance with mandatory provisions;

Whereas, it is necessary to define the scope of implementing monitoring systems as part of each company's risk management, with the purpose of clarifying that these systems are not part of and are distinct from the user authentication process for conducting card transactions;

Whereas, likewise, financial system companies may incorporate additional measures into the monitoring system as part of their risk management, such as applying amount limits per transaction, additional authentication methods for high-risk transactions, obtaining insurance policies to cover potential losses, among others;

Having obtained the approval of the Deputy Superintendencies for Banking and Microfinance, Regulation and Legal Affairs, as well as the Risk Management, Market Conduct and Financial Inclusion Departments; and,

In the exercise of the powers conferred by paragraphs 7 and 9 of Article 349, and in accordance with the Thirty-Second Final and Complementary Provision of Law No. 26702, General Law of the Financial System and Insurance System and Organic Law of the Superintendence of Banking and Insurance, and its amendments;

RESOLVES:

Article One.- Article 17 of the Credit and Debit Card Regulations, approved by SBS Resolution No. 6523-2013 and its amendments, is modified as indicated below:

"Article 17th.- Security measures regarding transaction monitoring

17.1 Companies must adopt, at a minimum, the following security measures regarding the monitoring of card transactions executed by users:

  1. Maintain transaction monitoring systems, distinct from the transaction authentication mechanisms established in paragraph 7 of Article 16th of these Regulations, aimed at detecting transactions that do not correspond to the user's usual consumption behavior.
  2. Implement procedures to manage alerts generated by the transaction monitoring system, which shall include the scope of this system, the type of information considered as fraud patterns, the circumstances determining when a transaction is atypical, the application of amount limits per transaction, additional authentication methods for high-risk transactions, among others.
  3. Identify fraud patterns through the systematic analysis of historical transaction data, which shall be incorporated into the transaction monitoring system.
  4. Establish limits and controls across various service channels to mitigate the risk of losses due to fraud.

17.2 The security measures implemented by companies as a result of transaction monitoring are part of their risk management. Monitoring is not part of the transaction authentication process, nor does it alone determine the validity of a transaction. The liability of financial system companies for transactions executed by users is determined in accordance with the provisions of Article 23rd of these Regulations."

Article Two.- This resolution takes effect the day following its publication in the Official Gazette El Peruano.

Registered, communicated and published.