On April 7, 2026, the Chilean Financial Market Commission (CMF) published for public consultation a proposal to update Chapter 20-7 of the Updated Compilation of Regulations (RAN) for banks, relating to the outsourcing of services, together with the creation of a new regulatory reporting file, “I28 – Outsourced Services”, intended for the standardized and periodic reporting of providers, services and incidents.

The proposal aims to modernize the existing prudential framework, aligning it with international standards in operational risk management and, in particular, risks associated with third parties. In this regard, it represents a shift from an approach focused on outsourcing specific functions toward a comprehensive third-party risk management model.

Main proposed changes

The current framework establishes the conditions under which banks may outsource operational activities while retaining full responsibility for such functions, integrating outsourcing within their operational risk management. However, it does not include a standardized reporting system nor a comprehensive supply chain risk approach.

The proposal introduces several key changes:

• Expanded regulatory scope: Updated definitions are introduced, including the concept of Third-Party Service Providers (TPPS), and expressly recognizing fourth parties, requiring banks to manage not only direct providers but also those indirectly involved in service delivery.
• Life-cycle approach to outsourcing: Outsourcing management is strengthened through a comprehensive life-cycle approach covering design, implementation, operation, maintenance and deactivation, including onboarding requirements and, in particular, exit strategies linked to operational continuity.
• Enhanced due diligence and monitoring: Requirements regarding prior assessment, contractual clauses and continuous monitoring are expanded and standardized, extending to subcontractors and other relevant actors within the service delivery chain.
• New regulatory reporting framework: The “I28 – Outsourced Services” file is introduced, requiring standardized periodic reporting on providers, outsourced services, service delivery chains and related incidents, significantly enhancing supervisory capabilities.

Practical considerations

In practice, the proposal will require banks to:

• Strengthen third-party risk and provider management frameworks.
• Develop capabilities to map service delivery chains, including subcontractors.
• Review and update existing contractual arrangements.
• Implement continuous monitoring and structured reporting systems.
• Reinforce internal governance on outsourcing and operational risk.

Effective date

The proposal contemplates its entry into force as of January 1, 2027. The first submission of the I28 file will be required in July 2027, covering information for the second quarter of that year.