Index
The best content in your inbox
What Chile’s NCG 538 Standard Requires: Technical Guide
The Chilean financial sector is undergoing an unprecedented transformation driven by the need to mitigate digital fraud and protect consumers. At the heart of this regulatory revolution lies General Regulation No. 538 (NCG 538), published by the Financial Market Commission (CMF)—a regulatory framework that completely redefines the security standards required of institutions by mandating the implementation of Strong Customer Authentication (SCA) across remote channels.
This regulation goes far beyond a simple legal requirement. It represents a strategic opportunity for banks, credit unions, and fintech companies to position themselves as undisputed leaders in cybersecurity, operational efficiency, and user experience. In this article, we will analyze—from technical, operational, and strategic perspectives—exactly what NCG 538 establishes, how Strong Customer Authentication (ARC) is a game-changer, and why now is the time to act to turn this technological challenge into a direct competitive advantage.
Download our guide on how to adapt your institution to the NCG 528 standard and lead the transition to Strong Customer Authentication (ARC)
Download free ebookWhat is the CMF’s NCG 538, and who does it affect?
NCG 538 is a mandatory regulatory guideline in Chile. Its enactment was a direct and necessary response to the requirements set forth by Law 20.009 (commonly known as the Fraud Law), which limits users’ liability for payment card fraud and electronic transactions, shifting much of the burden of proof and financial risk to financial institutions.
The primary objective of NCG 538, issued by Chile’s Financial Market Commission (CMF), is to establish minimum standards for security, control, and risk management that institutions must implement to prevent unauthorized access, transactional fraud, and identity theft in digital channels. This regulation seeks not only to protect customers’ assets but also to strengthen the resilience of the national financial system against increasingly sophisticated cyber threats, ensuring that technology platforms operate within a framework of unwavering digital trust and guarantee business continuity.
Regulated Entities: To Whom Does This Regulation Apply?
The scope of this regulatory framework is extremely broad and cuts across the Chilean financial industry. Its strategic design seeks to shield any point of contact where financial transactions take place or sensitive data is processed. This approach prevents security gaps between traditional players and new, fully digital business models, ensuring a uniform and robust standard of protection for all consumers in an increasingly interconnected market. Consequently, strict compliance with these obligations directly affects:
- Banks and traditional financial institutions: Required to secure all their online banking channels and mobile applications.
- Payment card issuers and operators: Including credit, debit, and prepaid cards.
- Companies supporting banking operations and payment methods: Transaction infrastructures and payment gateways.
- Savings and credit cooperatives: Those regulated by the CMF.
- Fintech companies and open finance platforms: Those that interact with customers’ financial data or process payments, thereby aligning with the guidelines also promoted by Chile’s Fintech Law.
These entities are now required to natively integrate fraud prevention into the very architecture of their systems. This requires that user identity validation cease to be a secondary control and instead become an unbreakable, fully auditable process capable of withstanding the most sophisticated evasion or impersonation tactics.
What is Strong Customer Authentication (ARC)?
Strong Customer Authentication (ARC) is a security mechanism that forms the technological core of NCG 538; it is equivalent to the Strong Customer Authentication (SCA) established in Europe by the PSD2 directive. The adoption of this model represents a vital qualitative leap for the Chilean market, as it significantly raises the defenses against cybercriminals and proactively protects users’ digital transactions from automated attack techniques.
ARC is a security standard that requires validating a user’s identity using at least two independent authentication factors. Independence is key: a breach of one factor must not compromise the reliability of the other, ensuring that the system maintains its operational integrity and protects sensitive data even under attack.
To ensure this robustness and comply with the technical requirements of the regulation, institutions must implement an appropriate combination of these elements. These factors fall into three universal categories:
- Knowledge (something only the user knows): Passwords, security PINs, or answers to secret questions.
- Possession (something only the user has): A registered mobile device, a hardware token, or a smart card.
- Inherence (something the user is): Biometric variables, such as facial recognition, fingerprints, iris scans, or behavioral biometrics (how they type or hold the device).
Under NCG 538 standards, traditional methods such as coordinate cards or SMS OTPs are obsolete due to their high vulnerability to phishing and SIM swapping attacks. To eliminate these weak links, the ARC requires Chilean banks to evolve toward a secure and unbreakable combination of Possession (an app on a linked device) and Inherence (facial biometrics).
Use Cases: When Is ARC Mandatory Under the Standard?
NCG 538 does not require constant friction with every user click but instead applies a risk-based approach. ARC must be implemented in critical and transactional scenarios where the risk of financial loss or identity theft is high:
- Digital onboarding of new customers: The most critical moment. When opening a bank account remotely, the institution must ensure that the person on the other side of the screen is who they claim to be and that their identification document is legitimate and has not been altered.
- Electronic fund transfers: Especially when transferring money to new recipients or in amounts that exceed the customer’s usual transaction profile.
- Modification of personal data and credentials: Changes of address, updates to email addresses or phone numbers, or password resets. An attacker typically changes this information first to cut the victim off from the bank’s alerts.
- Enrollment or replacement of trusted devices: When a user installs the banking app on a new mobile phone, the process of linking that device to the customer’s profile requires the highest level of biometric security.
Implementing strong authentication at these critical touchpoints not only ensures strict compliance with regulatory requirements but also protects the institution’s digital environment. To prevent these mandatory controls from negatively impacting the customer experience, it is vital to rely on advanced technological solutions such as those from Tecalis, which automate real-time biometric and document verification, transforming fraud prevention into a seamless and invisible process for legitimate users.
The Impact of NCG 538 on Chilean Financial Institutions
The implementation of NCG 538 represents a truly monumental technological challenge for the infrastructure of financial institutions and fintech companies in Chile. Adapting to these requirements means completely rethinking user interactions across digital channels, necessitating significant investments in cybersecurity and platform modernization. This regulatory paradigm shift compels institutions to act swiftly, with its direct impact being felt in three main areas:
- Modernization of technical infrastructure: Many banks operate on legacy architectures designed for an analog world or one with low levels of digitization. Integrating real-time multi-factor authentication (MFA) engines requires modernizing core banking systems, adopting microservices, and migrating to scalable cloud environments.
- The delicate balance between security and user experience: Greater security often comes with greater friction. If a bank forces its customers to go through verification processes that are slow, cumbersome, or constantly failing, the abandonment rate will skyrocket. The commercial impact of poor ARC design is the direct loss of customers to more agile competitors.
- Reducing the financial impact of fraud: Under Law 20.009, banks are liable for fraud losses if they cannot prove gross negligence on the part of the user. By mandating ARC, NCG 538 acts as a “financial shield” in the medium and long term, drastically reducing refunds for unrecognized transactions.
Successfully overcoming these three operational challenges not only ensures strict compliance with the regulator but also establishes the institution as a leader in digital trust, capable of building customer loyalty through streamlined and fully secure transactions.
Automate NCG 538 compliance seamlessly
Contact our expertsCombating AI and Deepfake Fraud in the Financial Sector
To understand the urgency of the NCG 538 regulation, it is necessary to analyze the rapid evolution of cyber threats in the financial sector. Today, institutions are no longer facing lone scammers using basic image-editing software; the real threat lies in the use of advanced AI by organized digital crime syndicates. These criminal networks have refined their methods to systematically compromise banking channels, launching automated attacks that require far more dynamic and robust cybersecurity measures.
In this scenario, the imminent threat of deepfakes and the creation of synthetic identities has emerged as a critical attack vector. Cybercriminals use neural networks to create hyper-realistic videos from stolen photographs. Through video injection attacks—where the attacker bypasses the device’s camera and injects a pre-recorded file directly into the banking app—they attempt to fool traditional facial recognition systems. Furthermore, the tactic of combining a real RUT with an AI-generated face is growing at an alarming rate to open “mule” accounts intended for money laundering.
Given this level of sophistication, it is clear that simple biometrics are no longer sufficient to protect the transactional perimeter. NCG 538 compels the industry to raise its technological standards, recognizing that the simple comparison of two-dimensional faces is ineffective against AI. Financial institutions are compelled to implement advanced Proof-of-Life technologies. The system must not only verify “who” the person is, but also determine with zero margin of error that they are a living human being, physically present in front of the device at that very moment, thereby ruling out the use of silicone masks, high-resolution screens, or injected videos.
Specific Applications of Biometrics Under NCG 538
Given the inherent requirements of Strong Customer Authentication and the constant threat of impersonation, biometrics has established itself as the financial sector’s primary line of defense. Its implementation enables compliance with Chilean regulations, eliminates vulnerable validation methods, and ensures smooth operations by making the user’s face the definitive key for access and authorization. Its practical applications within this compliance framework include:
Passive liveness detection during onboarding: Unlike active validation (where the user is asked to smile or turn their head—which creates friction and can be mimicked by AI), the passive model captures the image in milliseconds and analyzes pixel depth, light refraction on the skin, and micro-movements undetectable to the human eye. Everything happens in the background, offering maximum security with zero friction for the legitimate user.
Continuous transactional authentication: Use of facial recognition that is native to or directly integrated into the bank’s app to authorize high-value transfers. This methodology definitively replaces SMS, linking the transaction’s cryptography directly to the account holder’s face.
Forensic Document Analysis (KYC): Facial biometrics are cross-referenced in real time with the cryptographic validation of the Chilean national ID card. Optical Character Recognition (OCR) technologies read the document, verify holograms, detect digital tampering, and ensure that the person holding the ID card is exactly the same person registered on the official document.
How to Prepare for the CMF’s New Regulations?
Complying with these new regulatory criteria requires a complete rethinking of the identity validation strategy. Far from being a simple software update, it represents a paradigm shift at every point of contact with the user. Financial institutions must stop viewing these integrations as an operational burden and start valuing them as a critical investment to secure their ecosystems, accompanying this process with training for their teams and appropriate guidance for their customers.
To successfully execute this technological transformation, institutions’ roadmaps should be structured around the following steps:
- Internal security assessment: Analyze the existing infrastructure to detect blind spots and measure its actual resilience against advanced fraud techniques.
- Regulatory compliance mapping: Compare the institution’s validation tools with the specific technical requirements of Strong Authentication (ARC) to identify and address areas for improvement.
- Implementation of adaptive authentication: Deploy systems that combine multiple independent factors and calibrate the required level of verification based exclusively on the risk level and the criticality of the transaction in progress.
- Focus on business fluidity: Integrate these new defensive barriers in a fully native manner, ensuring that legitimate users do not experience friction or blockages that could lead them to abandon the digital channel.
Implementation Deadlines: When Does NCG 538 Take Effect?
Compliance with this regulatory framework is no longer a future project but an inescapable reality. With the final deadline set by the regulator in its official calendar now reached, the technological adaptation period has ended, and financial institutions must now operate under these strict standards to avoid immediate penalties and serious operational risks.
- General Framework (NCG 538): August 1, 2025, Implementation of minimum standards for security, monitoring, and data protection.
- ARC Effective Date (July 1, 2026): Regulatory effective date for the obligation to implement Strong Client Authentication.
- Practical Extension (NCG 544): August 2026: Final deadline for technological adaptation and operational implementation of ARC.
The end of this mandatory implementation period means that the technological leeway has been completely exhausted. With the definitive entry into force of ARC this August 2026, regulatory urgency is at its peak. Entities that have not yet fully consolidated these integrations now face a race against the clock, forced to deploy these security solutions in record time to avoid disrupting the continuity of their services or exposing themselves to penalties from the CMF.
Penalties for Noncompliance: The Cost of Failing to Comply with NCG 538
Failure to comply with these standards not only requires institutions to assume direct financial responsibility for the fraud suffered by their users, but also exposes them to severe penalties imposed by the CMF. In accordance with the rules established in Title III of Decree-Law No. 3,538 of 1980, sanctions range from institutional censure to fines in the millions paid to the government, which may be determined based on the following criteria:
- Global fines: Up to 100,000 UF per company, an amount that may be multiplied by five in cases of proven repeat offenses.
- Operational fines: Up to 30% of the total value of the sanctioned transactions.
- Profit-based fines: Up to twice the profits obtained as a result of such irregular transactions.
Tecalis: Your Partner for Strategic Compliance with NCG 538
Adapting to the CMF’s requirements does not have to mean slow digital processes or complex technical development from scratch. On the contrary, it is the perfect opportunity to optimize the financial institution’s technological infrastructure and streamline the customer onboarding process. Tecalis Identity’s advanced solutions and the Customer Hub omnichannel orchestration environment natively resolve the dichotomy between strict regulatory compliance and a seamless user experience, automating control flows without compromising business conversion through the following capabilities:
Advanced KYC Identity: Automated extraction of data from the National Identity Card (RUT) using OCR technology and real-time document validation to ensure the document is legitimate and valid.
Certified passive proof-of-life: Immediate compliance with the inherent factor required by the ARC. The system detects and blocks advanced impersonation attempts and video recordings in milliseconds, while keeping the process transparent for the real customer.
Certified passive proof of life: Immediate compliance with the inherent factor required by the ARC. The system detects and blocks advanced impersonation attempts and video recordings in milliseconds, keeping the process transparent for the real customer.
By eliminating unnecessary friction and combining biometric verification with contract signing into a single step, the platform drastically minimizes drop-off rates. Financial institutions and fintech companies can thus protect themselves legally against NCG 538, eliminate fraud risks, and enable a robust registration process that converts users into active customers in less than three minutes.
Frequently Asked Questions (FAQs)
- What is the main difference between Law 20.009 and NCG 538? Law 20.009 holds financial institutions financially liable for fraud if they cannot prove user negligence. NCG 538 is the technical regulation that requires the use of Strong Authentication to preventively block these attacks.
- What technologies can be used to comply with Standard 538? Solutions must be used that integrate at least two independent authentication factors. The most secure and seamless combination is the use of a linked mobile device (possession) together with facial biometrics with passive liveness detection (inherence).
- Does NCG 538 apply to fintech companies in Chile? Yes, the regulation covers banks, card issuers, payment operators, and fintech companies under the supervision of the CMF. Any institution that processes critical digital transactions is required to implement these controls.
- What happens if I don’t comply with Standard 538 on time? Institutions that do not have ARC operational by August 2026 will face fines and severe penalties from the CMF. In addition, they will be directly liable for the full cost of any financial losses resulting from fraudulent transactions.
- What is strong authentication? It is a model that requires validating identity using independent authentication factors and adjusting the level of verification based on the risk of each transaction.
- When does NCG 538 take effect? Standard 538 takes effect on August 1, 2026, following a regulatory extension that pushed back the original deadline set for July of that year. |
Is your organization ready for the August 2026 deadline?
Avoid penalties and see Tecalis in action






