Costa Rica’s Legislative Assembly has approved a bill in second reading to regulate cryptocurrency-related service providers and bring them under stronger anti-money laundering oversight.
The reform, approved unanimously on, amends Law No. 7786, Costa Rica’s main law on narcotics, unauthorized drugs, money laundering and terrorist financing. The bill was processed under legislative file No. 25.340 and now goes to the Executive Branch for signature and official publication.
The measure creates a legal framework for virtual asset service providers, including businesses that exchange virtual assets for legal tender, exchange one virtual asset for another, transfer or custody digital assets, or provide financial services tied to their issuance, sale or commercialization.
The law does not make cryptocurrencies legal tender in Costa Rica, nor does it recognize them as foreign currency under the authority of the Central Bank. Instead, it treats them as digital representations of value that can be traded, transferred or used for payments or investments.
Under the new framework, virtual asset service providers must register with the General Superintendency of Financial Institutions, known as Sugef. The registration will allow regulators to keep a centralized record and supervise compliance with anti-money laundering and counterterrorism financing rules. However, the registration will not amount to a license or government authorization to operate.
Companies covered by the law must identify, assess and document risks tied to money laundering, terrorist financing and the financing of weapons proliferation. They must also keep those risk assessments updated and provide information to authorities when required.
The bill requires providers to apply customer identification and due diligence measures, including controls related to clients and beneficial owners. They must also keep records of transactions and monitor transfers, particularly those involving financial institutions in countries considered higher risk by international bodies.
Suspicious transactions must be reported confidentially and without delay to the Financial Intelligence Unit of the Costa Rican Institute on Drugs. The obligation applies not only to completed transactions, but also to attempted transactions that raise concern. Providers are also required to preserve information about the origin and destination of transfers and cooperate with investigations.
The law gives authorities the power to freeze assets, immobilize funds and block transactions linked to people or entities included on international terrorism or weapons proliferation lists. Financial institutions and other regulated entities will also be barred from maintaining business relationships with virtual asset service providers that are not registered with Sugef.
The reform comes as Costa Rica faces closer international scrutiny over its anti-money laundering framework. The country has been under review by the Latin American Financial Action Task Force, known as Gafilat, and regulators had previously identified virtual assets as one of the pending areas in Costa Rica’s compliance system.
Penalties for noncompliance can be significant. The bill establishes fines for failures involving registration, internal controls, reporting duties, customer identification, transaction records and the submission of required information. Sanctions may range from two to 100 base salaries, which currently equals roughly ₡924,400 to ₡46.2 million, or about $1,800 to $90,000. In some cases, fines may reach up to 50% of the total value of the transaction involved.
The reform also includes confidentiality and data protection requirements under Costa Rica’s personal data law. Companies handling crypto-related services will need to manage compliance information while protecting customer data and avoiding unauthorized disclosures.
For Costa Rica’s growing digital assets, the change marks a shift from a largely open environment to one with formal compliance obligations. Crypto businesses will not be banned, but they will be expected to operate under the same kind of risk-based controls already applied across much of the financial system.
The next step is regulation. Once the law is signed and published, detailed rules must be prepared, including the procedures for registration, reporting, supervision and compliance. The regulation is expected within three months.
