The recent entry into force of Law No. 10,889, which amends the Law on the Promotion of Competition and Effective Consumer Protection, constitutes one of the most significant developments in the regulation of financial services in Costa Rica in recent years.
A superficial reading might suggest that it is merely a rule aimed at forcing banks to respond for electronic fraud. However, a more careful analysis reveals something more profound: the law introduces a substantive modification in the way risk is allocated within the financial system.
This is not a marginal expansion of consumer rights, but rather a transformation of the liability framework applicable to financial institutions.
The underlying issue
The sustained growth of electronic fraud, particularly those associated with social engineering schemes, has exposed a structural tension within the traditional model of liability allocation. In practice, users claiming to be victims of fraud have faced significant evidentiary hurdles, while financial institutions, relying on the proper use of credentials, have shifted the burden of loss onto the client.
Although legally defensible under classical fault-based liability principles, this model has proven problematic from a substantive standpoint. Financial institutions control the technological infrastructure, design authentication mechanisms, and manage security systems, while users generally lack the technical means to demonstrate a potential failure. The asymmetry is therefore not only economic, but also informational and evidentiary.
Law No. 10,889: the introduction of a strict liability regime
Within this context, Law No. 10,889 adopts a different approach. At its core lies the introduction of a strict liability regime for financial institutions, meaning that the obligation to compensate for the loss of funds no longer depends on proving fault.
This conceptual shift is significant. The analysis no longer revolves around whether the bank acted negligently, but rather on the mere occurrence of damage within the framework of an activity that, by its nature, entails risks that must be managed by the party engaging in it.
In essence, this reflects a risk-allocation logic typical of highly technical sectors, where the provider is in a better position to prevent, mitigate, and absorb the consequences of potential failures or external attacks.
The reversal of the burden of proof as a structural element
If strict liability constitutes the core of the reform, the reversal of the burden of proof is arguably its most tangible and disruptive feature. The dynamics of disputes are fundamentally altered: it is no longer the user who must demonstrate that the bank failed, but rather the financial institution that must prove that the transaction was duly authorized or that the user acted with intent or gross negligence.
This shift carries profound procedural implications. The defensive position of financial institutions is substantially affected, as they are now required to actively build evidence supporting their defenses, in a context where technological traceability, digital evidence, and authentication standards become central elements.
The establishment of a mandatory claims procedure
The law goes beyond redefining liability and introduces a procedural framework governing how such disputes must be addressed. Financial institutions are required to activate investigative mechanisms, adopt containment measures, and issue a resolution within defined timeframes.
In practice, this creates an internal dispute resolution stage which, while not replacing administrative or judicial avenues, significantly conditions the subsequent development of any controversy. The handling of claims thus ceases to be merely operational and acquires clear legal relevance.
A critical reading: tensions and challenges
Despite the clarity of its objective, which is strengthening consumer protection, the law raises several issues that merit careful consideration. The shift of risk toward financial institutions is almost absolute, prompting the question of whether it is reasonable to require providers to bear the consequences of imprudent user conduct, such as voluntarily disclosing credentials under deception.
This scenario also introduces the possibility of moral hazard. If the system is perceived as one in which reimbursement is the rule regardless of user behavior, incentives to adopt basic security measures may weaken.
Furthermore, it is foreseeable that this new framework will have economic implications for the financial system. The internalization of risk by institutions may translate into cost adjustments, product redesign, or even restrictions on certain digital services, particularly those involving higher exposure.
Finally, it should be noted that many of the concepts introduced by the law, such as the scope of user negligence or the standards for valid authorization, will require judicial development. It is in practice where the true contours of this reform will ultimately be defined.
Implications for financial risk management
From both an operational and strategic perspective, the law compels financial institutions to rethink their approach to risk. Security can no longer be viewed solely as a technological matter, but must be understood as a central component of legal and reputational risk management.
This necessarily entails revisiting authentication mechanisms, strengthening monitoring systems, and developing robust evidentiary frameworks capable of demonstrating, where required, the legitimacy of transactions.
In this new environment, prevention is no longer merely a best practice, it becomes a structural requirement of the model.
Conclusion
Law No. 10,889 reflects a broader regulatory trend: the shift toward enhanced consumer protection in sectors characterized by high technical complexity and significant asymmetries.
As is often the case with reforms of this nature, the challenge lies in striking the right balance. A sound financial system requires user trust, but also conditions that ensure the operational sustainability of its participants.
The true measure of this law’s success will not lie in its normative formulation, but in its practical application. It is there where it will be determined whether the new framework effectively corrects the distortions of the previous model or, conversely, introduces new tensions that may eventually require adjustment, as occurred with the Usury Law, whose implementation revealed consequences not originally anticipated by the legislator.
Author: Diego Elizondo
If you would like to learn more about this topic, as well as other corporate matters, please feel free to contact diego@glclegal.com or reach out to the GLC Legal team.
