How Chilean Banks Can Meet Ley 21.673 and CMF NCG 538 Without Adding Customer Friction
November 11, 2025
Chile’s consumer protection agency, SERNAC, reported 19,834 fraud complaints in 2024 - up 109 % vs 2023 - while banks’ favorable response rate fell to ~7% after the May 2024 reform.
This wasn't supposed to happen.
Chile passed Ley 21.673 in May 2024 specifically to combat fraud and protect both consumers and financial institutions. The law clarified procedures and strengthened banks’ ability to fight "autofraude" (friendly fraud), and placed greater responsibility on customers to secure their accounts, including submitting a sworn statement and a criminal complaint (denuncia) to restore lost funds.
Yet, instead of improving the fraud landscape, the law has introduced new challenges, increasing friction between banks and their customers.
This article examines the factors driving Chile’s surge in fraud reports, the challenges financial institutions face in resolving disputes, the types of fraud that will require the most attention in 2026, and how banks can effectively meet regulatory requirements while preventing fraud, rather than just detecting it.
Chilean Consumers Are Highly Connected, But Remain Vulnerable to Fraud
Chile has one of the most financially inclusive and digitally native populations in Latin America.
As of January 2025, 94.1% of Chile's population is online, and nearly 75% of Chileans actively use social media. Trust in Chilean financial institutions is also relatively high for the region, sitting at around 46%.
But a digitally mature market also brings mature expectations for how fraud prevention should work, while also exposing consumers to more sources of potential fraud through digital channels. 9% of the Chilean population fell victim to fraud via email, online, phone calls, or text messages between August and December 2024.
Today’s digital-first consumers conduct most of their banking on mobile devices, use instant payment rails, and expect experiences that are both safe and frictionless - a balance that’s proving increasingly difficult to achieve.
3 Fraud Types Chilean Banks Must Watch Out for In 2026
Based on the latest data from SERNAC and other regional and global sources, we predict that the following three fraud types will drive a large volume of fraud-related losses for Chilean banks and financial institutions in 2026.
1. Voice Phishing (Vishing)
Vishing is a leading type of fraud reported in Chile, with 28% of Chileans targeted by fraud attempts indicating that the scam occurred via vishing. Some studies estimate that 1 in 4 spam calls made to Chilean numbers involve an attempted scam or fraudulent activity, and a significant portion of them are banking-related.
In one recent case, a person in Coyhaique received a call from someone claiming to be a bank representative about “unusual activity.” After following the caller’s instructions, they lost CLP 1.37 million through unauthorized transfers.
For Chilean banks, vishing poses a unique challenge. Under the new authentication requirements introduced by NCG 538, customers now receive more legitimate security prompts and verification requests. Because there are more touchpoints for attackers to mimic, it’s becoming increasingly difficult for Chilean consumers to distinguish between genuine bank communications and vishing attempts.
2. Account Takeover Fraud
According to TransUnion's fraud report for Chile, 2.2% of all transactions in 2023 were flagged as suspicious for digital fraud. At the account login stage, that figure jumps to 9.7%.
This means that nearly 1 in 10 account login attempts shows characteristics consistent with fraud, including credential stuffing, automated bots, compromised credentials, or account takeover attempts.
→ Learn more about customer impersonation fraud.
In one real-world example reported by BioBioChile, an individual received an unsolicited text saying their SIM would be ported. Assuming it was spam, they ignored it. Later, their phone lost signal, and the number was discovered to have been ported without authorization. Using the stolen number, criminals accessed the victim’s banking app, reset their password, and made purchases exceeding CLP 1.3 million.
Cases like this highlight a growing authentication dilemma for Chilean financial institutions: service providers can't challenge every suspicious login without creating unbearable friction for the end user.
3. Cross-channel Fraud Attacks
Cross-channel fraud occurs when fraudsters target multiple customer touchpoints simultaneously, probing for the weakest link.
A fraudster might gather information through a phishing email, use that information to socially engineer a call center agent, then complete unauthorized transactions through the mobile app once they've bypassed authentication.
In one incident, a fraudster posing as a cardholder called a credit card call center and, using only a name, tax ID, and address, requested a cash advance of about CLP 1.3 million. The operator accepted the information and approved the transaction, transferring the funds to another bank account. Two months later, the real cardholder disputed the charge. By reviewing call recordings, the company learned that the initial caller had impersonated the client.
In 2026, increasingly sophisticated generative AI tools are expected to enable a new wave of these coordinated, cross-channel attacks.
Like their counterparts around the world, Chilean banks operate across digital apps, web platforms, call centers, and physical branches, each with its own security protocols and authentication layers. The gaps between these channels create systemic vulnerabilities that sophisticated fraudsters are increasingly ready to exploit.
New Authentication Standards Add More Pressure
In June 2025, Chile’s financial regulator (CMF) issued NCG 538, which establishes minimum security, authentication, and logging standards for issuers of means of payment and supervised financial institutions.
The regulation becomes effective in August 2025 in general.
However, from August 2026, obligatory use of “autenticación reforzada de cliente” (ARC), i.e., strong customer authentication (two independent factors among knowledge, possession, and inherence), will be required in designated high-risk use cases (e.g., fund transfers, onboarding, and device enrollment).
Additionally, NCG 544 (August 2025) extended the phase-out of printed coordinate cards to August 2026. The intent is to push institutions away from weak shared-secret methods (e.g., simplistic security questions) and towards more modern, stronger authentication schemes.
The challenge for Chilean financial service firms is that extra authentication steps add friction. Each additional security challenge increases the risk of frustrating legitimate customers or blocking valid transactions. Banks must strike a careful balance between meeting regulatory requirements and maintaining a smooth customer experience.
→ What do customers want from banking experiences?
While the regulations assume that more authentication equals greater security, reality is more complex. When authentication is visible and predictable, fraudsters adapt their tactics to account for it. Vishing scripts are customized to include instructions for getting past two-factor authentication, malware can intercept SMS codes, and deepfakes can defeat facial recognition.
Meeting NCG 538 and Ley 21.673 Requirements Without Destroying Customer Experience
The core challenge for Chilean banks in 2026 is meeting regulatory requirements while maintaining the frictionless experience customers demand.
Here's what that actually means.
Risk-based authentication that's invisible
NCG 538 requires step-up authentication for high-risk transactions. But "step-up" doesn't have to mean interrupting the customer with SMS codes or security questions.
Through continuous behavioral authentication, banks can detect anomalies, assess risk, and verify identity in the background, all without adding visible friction or slowing down the user experience.
Device trust and secure binding
The regulation calls for “identificación de dispositivos de confianza” and secure enrollment processes to ensure access originates from known devices.
How banks implement this will determine whether it improves security or undermines customer experience. A well-designed device-binding process can maintain security while allowing customers to migrate safely to new devices without repetitive re-enrollment or degraded experience.
Fraud evidence collection that meets Ley 21.673 standards
Ley 21.673, along with the CMF’s updates to NCG 487 and the introduction of NCG 538, raises the bar for how banks must record, preserve, and demonstrate authentication events in fraud-related disputes.
Financial institutions are now required to maintain traceable, auditable logs that can show when, how, and by whom each transaction or access attempt was authenticated.
Fraud prevention to reduce false declines
NCG 538 doesn't require high decline rates. It requires appropriate risk management. With more advanced, continuous user identity and intent validation, banks can meet regulatory requirements while approving more legitimate transactions and improving the overall customer experience.
IronVest ActionID™ Helps Chilean Banks Meet CMF NCG 538 requirements and Prevent Fraud
IronVest ActionID™ delivers continuous, invisible authentication across all banking channels: mobile apps, web, call centers, and even in-branch interactions.
The system continuously validates user behavior and intent without interrupting legitimate customers. There are no SMS codes to intercept, no authentication moments for fraudsters to script around, and no friction for customers to complain about.
→ Learn more about Action ID technology
We're already helping banks across Latin America reduce fraud losses while improving approval rates for legitimate transactions.