Fintech Law — Law N° 21.521
What it regulates, who it protects, why it matters
Chile approved Law N° 21.521 on January 12, 2023. It is one of the most comprehensive fintech regulations in Latin America.
The law exists but is written in dense legal language, distributed across disconnected government portals, and is inaccessible to the average citizen.
Crowdfunding and crowdlending
Invest $50,000 CLP in a project from your phone
Digital payments and wallets
Pay with QR at the market, transfer money by app
Digital assets
Buy fractional shares or cryptocurrencies
Robo-advisors
Apps that tell you where to invest based on your profile
Open Finance
Your financial data belongs to you — move it between platforms
→ Right to clear information — fintechs must explain in understandable language
→ Personal data protection — explicit regulation on handling your info
→ Complaint system — formal channel for disputes with fintech platforms
→ Portability — your financial data belongs to you (Open Finance)
| Regulation | Topic | Relevance |
|---|---|---|
| Art. 1-2 | Object and definitions | Scope of the law |
| Art. 12-15 | Provider registry | Which companies are regulated (CMF public data) |
| Art. 29-33 | Open Finance | APIs, data portability |
| Art. 40-44 | Regulatory sandbox | Innovation testing space |
| Art. 50-55 | Client protection | Rights, complaints, transparency |
5 million Chileans could benefit from this law, but cannot understand it.
CMF — Financial Market Commission
The regulator: public data, circulars, APIs
The CMF decides which financial companies can operate in Chile, how they must treat customers, and what happens when they break the rules.
Fintec Provider Registry (RPSF)
179 authorized + 300 under review (Feb 2025)
Circulars and regulations
Rules by institution type (PDF/HTML)
Complaint registry
Complaint statistics by institution (CSV)
Scam alerts
Unauthorized entities, detected fraud
No public REST API
Data in CSV/PDF — respectful scraping (1 req/s)
| Regulation | Topic | Relevance |
|---|---|---|
| NCG 502 | Fintec registry & duties | Who can operate under Law 21.521 |
| NCG 503 | Role competence requirements | Personnel requirements |
| NCG 504 | LMV Art. 65 provisions | Securities market |
| NCG 514 | Open Finance System | APIs and data portability |
| Circular 2.345 | Fee transparency | Track: Financial Inclusion |
| SIF Manual | Reporting & cybersecurity | Track: Cybersecurity |
SII — Internal Revenue Service
Fintech tax obligations, public data
The SII manages and enforces taxes in Chile. Every fintech must comply with specific tax obligations — and so must their users.
An entrepreneur in Temuco fails her fintech tax obligations. Not because she avoids them, but because the SII portal assumes she speaks bureaucratic language.
If you sell on digital platforms
You must issue electronic receipts
If you receive fintech payments
These are taxable income
If you invest in crowdfunding
Gains are taxed as income
If you use cryptocurrencies
SII considers them taxable "digital assets"
If you freelance via fintech
You must file as independent worker
| Regulation | Topic | Relevance |
|---|---|---|
| Res. Ex. 113/2025 | DJ 1963 — non-resident crypto | Reporting of foreign user transactions (1st: Jun 30, 2026) |
| Res. Ex. 114/2025 | DJ 1964 — resident crypto | Reporting of Chilean user transactions (1st: Jun 30, 2026) |
| CARF (OECD) | Crypto-Asset Reporting Framework | International standard Chile is aligning with |
| Res. Ex. 36/2021 | Crypto general regime | Crypto taxed under LIR — no VAT on trading |
| Circular 58/2020 | Digital economy | Platforms must report to SII |
+1.8 million microenterprises in Chile. Less than 30% understand their digital tax obligations. Active crypto enforcement: SII reported 13 cases yielding ~CLP 5B (Sept 2025).
Financial Consumer Protection
Rights, complaints, fee transparency
Everything a digital financial services user should know — but no one has explained.
+120,000 financial complaints per year to SERNAC. Top 3 reasons: unauthorized charges, product issues, difficulty terminating contracts.
Mandatory solvency analysis
Law 21.398 — required before granting credit (avoids over-indebtedness)
5-business-day deadline
Debt certificates for portability/refinancing
Legal warranty 6 months
Law 21.398 extends from 3 to 6 months
Easy contract termination
Close your account without obstacles
No credit offers in schools
Banned in educational institutions
ARCO+ rights (Law 21.719)
Access, Rectification, Cancellation, Opposition + Portability + Block (in force Dec 2026)
Breach notification
Mandatory from Dec 1, 2026 (Law 21.719)
Formal complaint
CMF and SERNAC channels with traceable follow-up
| Regulation | Topic | Relevance |
|---|---|---|
| Law 21.398 | Pro Consumer | Solvency analysis, debt cert deadlines, 6-month warranty |
| Law 21.719 | New data protection | Promulgated 2024 — in force Dec 1, 2026 (Agency + real sanctions) |
| Law 19.628 | Current data protection | Framework in force until Dec 2026 |
| Law 21.521 | Fintech Law | Fintech-specific rights |
| Law 20.555 | Financial SERNAC | Reinforced financial services protection |
| Law 19.496 | Consumer rights | General legal base |
During the Lab (May 2026), Law 21.719 is not yet in force — but design for the 7 months ahead: your solution must comply before going to production. 73% of Chileans don't know their data rights.
Cybersecurity & Digital Fraud
Threats, CSIRT, financial phishing, incident data
+800,000 digital fraud attempts per year in Chile. 70% of victims do not report. Elderly are the most vulnerable group. ANCI in force since January 2025 — CMF-regulated fintechs are within the perimeter.
Regulated fintechs are operators within the ANCI perimeter: they must report incidents under strict legal deadlines.
3-hour deadline
Early alert to CSIRT from incident knowledge
72-hour deadline
Detailed incident description to CSIRT
15 calendar days
Full report with lessons learned
Financial phishing
45% of digital fraud in Chile
Vishing & Smishing
Bank impersonation calls/SMS — Chile in LATAM Top 5
Cybersecurity officer
Mandatory designation by ANCI for essential services
Operational continuity
Mandatory plans under ANCI standards
Breach notification (Law 21.719)
Mandatory from Dec 1, 2026
| Regulation | Topic | Relevance |
|---|---|---|
| Law 21.663 | Cybersecurity framework (ANCI) | Promulgated 2024 — ANCI in force Jan 2025, full CSIRT deadlines |
| Law 21.459 | Computer crimes | Criminalizes phishing, fraud, unauthorized access (repeals Law 19.223) |
| Law 21.521 | Fintech Law | Security requirements for fintec providers |
| SIF Manual | Tech reporting | CMF cybersecurity standards for fintech |
If you build a CMF-reportable fintech, your cybersecurity plan must already assume ANCI reporting from day one: 3 h alert · 72 h description · 15 d full report.
Datasets & APIs Available
Inventory of real data for the Lab
The data teams will have available during the Impact Lab. Curated by the organizing team, ready to connect with Claude MCPs.
Central Bank — BDE API
JSON REST — statistical series (free registration required) ✅
BCN — Ley Fácil API
JSON — citizen-friendly explanations of laws ✅
CMF — Fintec Provider Registry
HTML — entities authorized under Law 21.521 ✅
CMF — Circulars and regulations
PDF/HTML — no REST API, respectful scraping 1 req/s ✅
SII — Regulations and resolutions
PDF/HTML — Res. 113/2025, 114/2025, etc. ✅
ANCI / CSIRT — Alerts
HTML — national security bulletins ✅
PhishTank
Public REST API — reported phishing URLs ✅
Each participant receives USD $50 in Claude API credits. Claude Code, Agent SDK, MCP and Anthropic tooling included. Design with Privacy by design from the prototype — Law 21.719 takes full effect 7 months after the Lab.