
Meeting SUGEF 10-07 Regulatory Challenges in Costa Rica

August 12, 2025

The use of mobile platforms for banking services has skyrocketed in the LATAM region. Currently, 62% of all transactions in this region are performed or authorized on mobile phones.

Fraudsters, who increasingly target mobile platforms, have recognized this trend. To maintain public trust in banking services, regulators introduce new measures to ensure higher levels of security in banking systems so that digital banking services remain trusted and reliable.

A prime example of this trend is the Central American country of Costa Rica, which recently implemented a holistic security framework, SUGEF 10-07. This policy transforms how Costa Rican banks manage cybersecurity and digital channel risk. Some key requirements of this regulation address fraud prevention, customer authentication, and secure mobile banking environments. In these areas, Wultra has deep expertise and a software stack meeting the highest security standards.

This regulation comes into effect this year.  

How Wultra Solutions Map to SUGEF 10-07

Wultra's product portfolio for customer authentication, mobile security, and digital onboarding has been designed to meet the security challenges, authentication needs, and regulatory requirements for financial institutions in Europe and Asia. It complies with the highest security standards while ensuring a user-centric design of the passwordless multi-factor authentication (MFA). It provides developer-friendly APIs, allowing a swift and smooth integration of its authentication and mobile security solutions with general banking and fraud detection systems.

As a result, the post-quantum authentication platform by Wultra can help comply with the most stringent SUGEF 10-07 requirements.

1. Strong Customer Authentication (SCA)

The mobile-first authentication platform provides fast and secure access with passwordless multi-factor authentication based on future-proof, post-quantum cryptography (PQC). The first factor is always possession: something the user already has, a registered mobile device that’s securely bound to their identity during the activation process. The second factor is knowledge (a secure financial-grade PIN code) or inherence (biometric authentication like Face ID or Touch ID).

The system also fulfils regulatory requirements by enforcing a limit on unsuccessful login attempts and blocking the operation and the authenticator device after a defined number of failures.

2. Secure Credential Storage and Use

The secure financial-grade PIN code is never stored on the mobile phone or the server, not even as a hash. The PIN exists solely to unlock local cryptographic keys. Combined with operation-specific data and a hash-based counter, these keys generate a one-time authentication code, which the server verifies. Cryptographic keys are encrypted and stored using the device’s hardware-backed security features, such as iOS Secure Enclave or Android’s StrongBox. The solution provides a built-in PIN strength validation mechanism to help users select secure, hard-to-guess codes and mitigate the risk of choosing easy-to-guess PINs.
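The mechanism that sections 1 and 2 describe (a PIN that is never stored and only unlocks local keys, a one-time code derived from those keys plus operation data and a counter, server-side verification, and a lockout after repeated failures) can be modelled end to end in a short script. The following is an added illustration written for this page; it is not Wultra's code or protocol. The PBKDF2 parameters, the XOR key wrapping that stands in for the platform keystore, the counter window, the lockout threshold and the PIN denylist are all assumptions.

```python
"""Model of PIN-unlocked device keys producing operation-bound one-time codes.

Added example; not the vendor's protocol. Parameters below are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_KDF_ITERATIONS = 100_000  # assumption: PBKDF2 cost for the PIN-derived wrapping key
MAX_FAILED_ATTEMPTS = 5       # assumption: server blocks the device at this count
# The device advances its counter on every attempt, including wrong-PIN ones,
# so the server's search window must cover at least the lockout threshold.
COUNTER_WINDOW = 10           # assumption
CODE_DIGITS = 8
WEAK_PINS = {"2580", "0852", "1212", "1004"}  # constructed denylist, not a real one


def pin_is_weak(pin: str) -> bool:
    """PIN strength check: wrong length, non-digits, one repeated digit,
    ascending/descending runs (with wrap-around, e.g. 9012), or denylisted."""
    if not (4 <= len(pin) <= 8) or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return True
    return pin in WEAK_PINS


@dataclass
class DeviceStore:
    """What the device keeps: a salt and the wrapped key. No PIN, no PIN hash."""
    salt: bytes
    wrapped_key: bytes
    counter: int = 0


@dataclass
class ServerRecord:
    device_key: bytes
    counter: int = 0
    failed_attempts: int = 0
    blocked: bool = False


def _wrapping_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_KDF_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def activate(pin: str) -> tuple[DeviceStore, ServerRecord]:
    """Activation: mint a device key, register it with the server, and keep only
    a PIN-wrapped copy on the device. XOR with a one-use 32-byte wrapping key
    stands in for the hardware keystore's authenticated encryption."""
    if pin_is_weak(pin):
        raise ValueError("weak PIN rejected")
    device_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return DeviceStore(salt, _xor(device_key, _wrapping_key(pin, salt))), ServerRecord(device_key)


def _code(key: bytes, operation_data: bytes, counter: int) -> str:
    mac = hmac.new(key, operation_data + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


def operation_code(store: DeviceStore, pin: str, operation_data: bytes) -> str:
    """Client: unwrap with the entered PIN (a wrong PIN yields a wrong key, not an
    error, since nothing on the device can check the PIN) and sign the operation."""
    key = _xor(store.wrapped_key, _wrapping_key(pin, store.salt))
    code = _code(key, operation_data, store.counter)
    store.counter += 1
    return code


def verify(record: ServerRecord, operation_data: bytes, code: str) -> bool:
    """Server: accept if the code matches any counter inside the window, then move
    past it (so replays fail); otherwise count a failure and block at the limit."""
    if record.blocked:
        return False
    for c in range(record.counter, record.counter + COUNTER_WINDOW):
        if hmac.compare_digest(_code(record.device_key, operation_data, c), code):
            record.counter = c + 1
            record.failed_attempts = 0
            return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        record.blocked = True
    return False


if __name__ == "__main__":
    device, server = activate("7391")
    op = b"transfer:amount=100.00:currency=CRC:to=CR-ACCOUNT-EXAMPLE"  # constructed
    print("good PIN accepted:", verify(server, op, operation_code(device, "7391", op)))
    print("wrong PIN accepted:", verify(server, op, operation_code(device, "0000", op)))
```

Two details carry the security properties the section describes: the device never learns whether a PIN is right, so offline guessing against the stored material is pointless, and the server is the only place that counts failures, which is where the lockout belongs.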

3. Real-Time Fraud Detection and Behavior Monitoring

Many financial organizations worldwide use fraud detection systems to consume data feeds from the mobile in-app protection solution. These inputs are then used during real-time transaction monitoring. The in-app protection proactively identifies potential threats and provides robust runtime application self-protection (RASP) to ensure mobile devices remain secure against various malicious attacks.

As an additional measure, security warnings can be delivered through a push notification channel to meet the regulatory requirement to properly inform the user about suspicious activity.

4. Malware and Tampering Detection

The built-in anti-malware feature guards mobile banking from tampering, code injection, screen readers, keyloggers, malware, and more. Identified threats can be propagated to the customer fraud detection or SIEM systems and analyzed on the dashboards in the management servers.

5. Auditability and Compliance

A full audit log of authentication events and mobile security incidents provides trustworthy information about the customer context. It can be used to analyze and handle customer complaints or claims efficiently.

Future-Proof Compliance in Post-Quantum Era

While SUGEF 10‑07 doesn’t currently mandate post-quantum cryptography, Wultra’s unique post-quantum authentication (PQA), a PQC-ready authentication solution, ensures future compatibility. This is important for financial institutions when choosing their authentication solution for the following reasons:

  • Avoid the “buy now, waste later” issue – organizations that bet on a rigid vendor risk another authentication replacement in 2-3 years.
  • Quantum computing is evolving rapidly – companies like IBM, Google, and Microsoft predict significant breakthroughs by 2027, which may render traditional cryptography (encryption and signatures) obsolete.
  • Banks and fintechs are prime targets – attackers could exploit weak authentication before quantum security measures are in place.
  • Alignment with future regulatory changes or international guidelines (e.g., NIST PQC standards), which may be rapidly propagated into national regulatory policies.
  • Gartner names Wultra a sample vendor for post-quantum authentication in Hype Cycle for Digital Identity, 2025.

The Right Partners For the Challenge

Aligning regulatory requirements with a user-friendly app design and protection from fraudsters' upcoming scam attempts is no easy task. It requires not only having the right tools but also knowing how to deploy them and integrate them with the financial institution's overall security ecosystem.

Every bank is different and may require integration with different components. Also, for every process, there may be a range of possible variants, which may be designed to meet the challenges of individual banks. We can share the best practices from the global marketplace and provide you with the consulting support of highly qualified technical staff.

Do you want to discuss the SUGEF 10-07 regulatory requirements with our experts?

Let's Meet in Colombia and Costa Rica!

Wultra will attend Cybersecurity Bank & Government Colombia 2025 and Andicom in Colombia and visit Costa Rica with the CzechTrade agency.

If you're interested in talking to us, schedule a meeting with our team now — we’d love to connect and share how we can help.
