Regulatory compliance for hotels in Costa Rica: obligations to SUGEF, ICD, and banks
- EAS LATAM
- Jul 17
By Ivette Campos

On March 4, 2025, the Costa Rican College of Public Accountants (CCPCR) issued Circular No. 35-2025, which establishes specific guidelines for the preparation of assurance reports under the External Audit and Follow-up System (SAES) of the General Superintendency of Financial Entities (SUGEF). Although directed at certified public accountants and linked to ISA 3000 on assurance reports, this guideline has direct practical implications for companies in the tourism sector, particularly for those hotels that have casinos, manage significant amounts of cash, or participate in the sale of real estate.
This new approach responds to the growing regulatory requirements regarding the prevention of money laundering (ML) and terrorist financing (TF), in accordance with Law 7786 and the agreements between CONASSIF and SUGEF. To comply with these requirements, banks and supervisory authorities have begun requiring specific reports, such as accounting attestation reports, as well as the implementation of compliance manuals, risk matrices, KYC policies, and reporting to the Financial Intelligence Unit of the ICD.
Hotel owners who operate casinos on their premises or sell real estate (for example, condominiums, villas, or lots within the resort) face specific regulatory requirements in Costa Rica. These activities could place the hotel among the so-called "obligated subjects" in terms of money laundering prevention, meaning they must comply with the regulations of the SUGEF (General Superintendency of Financial Entities) and Law 7786 (Law on narcotics, psychotropic substances, drugs for unauthorized use, related activities, money laundering, and terrorist financing). In this article, we explain, in clear and professional language, why a hotel with a casino or real estate business is an obligated subject, and what compliance with these obligations entails in practice. We'll cover key provisions (such as Circular 35-2025 of the College of Public Accountants, Law 7786, CONASSIF agreements, SUGEF regulations, and ICD guidelines) and provide practical examples and actionable recommendations for hotel managers or owners in this situation.
Being an "obligated subject" means that the company is legally obligated to implement anti-money laundering and anti-terrorist financing measures and submit to regulatory oversight. We traditionally think of banks when we talk about financial regulation, but Costa Rica's Law 7786 extends these obligations to certain non-financial activities. In particular, casinos and the regular purchase and sale of real estate are expressly included in the list of regulated activities. This means that if your hotel operates a casino open to the public or professionally and routinely sells real estate (for example, developing and selling condominiums within a resort), you are covered by Law 7786 and must register and comply with the regulations established by SUGEF.
These obligations for casinos and real estate businesses are not arbitrary; they respond to international anti-money laundering standards. Costa Rica is a member of GAFILAT (Financial Action Task Force of Latin America) and has committed to implementing the 40 Recommendations of the FATF (Financial Action Task Force). In particular, the FATF recommends that, in addition to financial institutions, certain designated non-financial businesses and professions (DNFBPs)—such as casinos and real estate agents—identify, assess, and mitigate their money laundering and terrorist financing risks. Therefore, Costa Rican regulations have incorporated these sectors under supervision.
A concrete example: since 2019, a regulation issued by CONASSIF has required casinos, real estate developers, and other businesses covered by Articles 15 and 15 bis of Law 7786 to register with SUGEF within a specified period. This registration is not a mere formality; it is a requirement for your hotel to continue operating normally in the financial system. In fact, Law 7786 prohibits banks and other financial entities (supervised by SUGEF) from maintaining business relationships with such companies that have not registered as required by law. In other words, if a hotel with a casino or real estate business fails to comply with its registration and anti-money laundering obligations, banks could deny it services or close its bank accounts due to the risk this represents. This reality has prompted many hotels to catch up on compliance to avoid impacting their financial operations.
Obligations of hoteliers under Law 7786 and SUGEF regulations
Being an obligated entity entails specific compliance responsibilities. Below, we summarize the main requirements that apply to a hotel with a casino or real estate activity, according to Law 7786, its regulations (e.g., SUGEF Agreement 13-19), and SUGEF and ICD guidelines:
Registration with SUGEF: You must register your company with SUGEF as a non-financial obligated entity, following the procedure set out in the registration regulations issued by CONASSIF. This registration is mandatory and a condition for operating within the banking system; banks are prohibited from maintaining accounts for unregistered entities, given their failure to comply with the law. For example, a hotel with a casino had to register before June 2019 to avoid having its accounts closed, according to the schedule established by SUGEF.
Prevention and internal policies manual: A Money Laundering, Terrorism Financing, and Arms Proliferation Financing (ML/FT/FPADM) Risk Prevention Manual must be developed, tailored to the hotel's operations. This manual contains the internal policies and procedures for complying with Law 7786 and SUGEF regulations. It should be a comprehensive document that guides staff on how to comply with legal, regulatory, and internal policies related to money laundering prevention. It is important that the manual (and other policies) be approved by the hotel's highest authority (e.g., the board of directors), periodically updated, and communicated to all relevant staff.
Risk analysis: The company must conduct a risk assessment to identify and assess the specific risks of money laundering and terrorist financing in its operations. For example, a hotel casino must evaluate risks such as handling large amounts of cash, high-profile casual guests, etc., while a real estate developer will assess risks in property purchase and sale transactions. Based on this analysis, controls are implemented based on a risk-based approach, as required by international recommendations and local regulations.
Know Your Customer (KYC) Policy: A formal customer identification and due diligence policy must be in place. This involves procedures for collecting and verifying customer information (e.g., VIP guests/players at the casino, property buyers) before entering into significant business relationships. Law 7786 requires customer identification and verification, identification of the beneficial owner in the case of legal entities, and enhanced measures for higher-risk customers or politically exposed figures. Costa Rica has implemented a centralized system called CICAC (Know Your Customer Information Center), a database managed by SUGEF that collects KYC information from obliged entities. If authorized by a customer, your hotel (or bank) can query this database for certain data to facilitate due diligence. This system, created by Article 16 bis of Law 7786, reflects the country's commitment to transparency and standardization of KYC information at the interbank level and across supervised sectors.
Additional controls and policies: In addition to the manual and KYC, the regulations require specific policies such as: procedures to classify the risk of each client (establishing high, medium, low risk profiles), policies for handling Politically Exposed Persons (PEPs), controls on new technologies or products that could be used for money laundering, controls on delegation to third parties (e.g. if an agent sells properties on behalf of the hotel), and controls for subsidiaries or branches abroad, if applicable. All of these measures must be documented in internal procedures. For example, in the attestation report of a company in the sector, the auditor verified that the company had the Risk Management Procedure, the Client Risk Classification Procedure, and the necessary KYC Policies and forms, all prepared in accordance with SUGEF regulation 13-19 and the nature of its operations.
Suspicious Transaction Reports (STRs): The hotel will have a legal obligation to monitor unusual or suspicious transactions and report them without delay to the Costa Rican Drug Institute (ICD), specifically to the Financial Intelligence Unit (UIF) operating within the ICD. This includes reporting any transaction that, due to its amount or characteristics, raises suspicion of illicit origin, as well as attempts to carry out such transactions that have been rejected. The report is submitted through the ICD's electronic platform (known as UIF-Reportes). It is essential to maintain confidentiality when submitting these reports—neither the guest nor third parties should be informed that an STR has been submitted. A practical example: if a casino player places unusually high bets outside their financial profile, the hotel's compliance officer must investigate the situation and possibly report it to the ICD as a suspicious transaction. The ICD regulations and Article 15 of Law 7786 clearly establish this reporting obligation, and companies that fail to report in order to avoid “inconveniencing” the customer are exposed to severe sanctions, including prison sentences in cases of fraudulent facilitation of money laundering.
Training and Compliance Culture: Regulations require that relevant hotel staff receive regular training on anti-money laundering (AML) measures. From casino cashiers to the real estate sales team, everyone should be aware of the warning signs of potential illicit activity (e.g., guests purchasing casino chips with cash and redeeming them without playing, or property buyers wanting to pay cash in an unusual hurry). Implementing a culture where employees understand the importance of KYC, due diligence, and reporting suspicious activity is key to effectively complying with the law.
Designated Compliance Officer or Liaison: Depending on the size and complexity of your hotel, SUGEF may require the designation of a dedicated Compliance Officer, or at least a "liaison person," responsible for overseeing the day-to-day operation of the anti-money laundering program. This person (who could be a member of existing management with compliance training) will be the point of contact with SUGEF/ICD, oversee the implementation of internal policies, and coordinate reporting of suspicious transactions. Regulations allow SUGEF to tailor this requirement to the specific circumstances of each reporting entity (a large casino resort is not the same as a small real estate developer), but in all cases, it is advisable to formally assign compliance responsibility to someone within the organization.
As you can see, the regulatory framework is broad. All of the above is part of the so-called "Risk Management System" that your hotel must implement. Law 7786 (Articles 15 and 15 bis) and the SUGEF/CONASSIF Agreements provide the legal basis for these requirements, and the Financial Intelligence Unit of the ICD frequently issues additional guidelines that obligated entities must comply with. Therefore, it is important to be aware of circulars or guides from both SUGEF and the ICD. In short, your hotel must adopt a comprehensive compliance program: from prevention (manuals, KYC, controls) to the detection and reporting of suspicious activities.
The attestation tool: external audit and submission to SUGEF (SAES)
A fundamental pillar of current requirements is the periodic external evaluation of the compliance program. Both CONASSIF Regulation 12-21 (which applies to financial institutions, Article 14 of Law 7786) and SUGEF Agreement 13-19 (which applies to obligated entities under Articles 15 and 15 bis of Law 7786, such as casinos and real estate sales entities) require obligated entities to undergo external audits on their compliance with anti-money laundering measures. In the case of casinos, real estate developers, and other DNFBPs, the regulations indicate that these external audits must be conducted "periodically"; in practice, SUGEF expects this to be done annually or as frequently as determined by risk.
What does this accounting work entail? It is an "assurance engagement" performed by an independent Certified Public Accountant (CPA), registered and authorized by both the Costa Rican College of Public Accountants and SUGEF. The CPA will assess whether your hotel has effectively implemented all components of the money laundering prevention program: e.g., they will verify the existence and application of the manual, KYC policies, risk analysis, reports submitted, etc. They will also review evidence that the controls are working. The result of this examination is an Attestation Report (or assurance report) addressed to SUGEF and the obligated entity.
Starting in 2023-2024, SUGEF modernized the mechanism for receiving these reports through the electronic system SAES (External Audit and Monitoring System). The auditor must upload their report to the SAES platform for SUGEF to receive and review it. Specifically, the College of Public Accountants issued Circular No. 35-2025 entitled "Responsibilities of the Certified Public Accountant Regarding the Assurance Report Issued Through SUGEF's External Audit System (SAES)," which provides guidelines to auditors on how to properly prepare and submit these digital reports. Why is this relevant to you as a business owner? Because it ensures that external audit reports maintain high standards of quality and consistency, and that they contain all the information SUGEF needs regarding your level of compliance.
A typical attestation report will include sections such as: objective and scope of work, procedures performed by the auditor, findings, and conclusion. In the conclusion, the CPA will express whether, in terms of regulatory compliance, your hotel meets the applicable requirements. For example, in an actual 2024 report, the auditor concluded that the company "has the ML/TF/FPADM Risk Prevention Manual, Procedures for the management and classification of client risk, and the policies and procedures necessary for compliance with the regulations established in SUGEF 13-19, developed based on the nature of its operations and approved by the company's highest authority." This means that the audited company had its documents and internal approvals in order as required. If the auditor detects gaps or noncompliance (e.g., absence of a procedure, lack of training, incomplete records, etc.), they will typically also indicate this in the report so that the company can take corrective action.
Once issued, what happens with the report? As mentioned, the CPA submits it through SAES, where it is then available to SUGEF. SUGEF will use these reports to monitor non-financial obligated entities. However, you as a business owner should keep a copy of the report and be aware of its contents. It's advisable for senior management to review the attestation report, as it summarizes the hotel's compliance status and often contains recommendations for improvement. Banks may also request proof of this report. Increasingly, financial institutions—upon learning that their client is a casino or real estate developer—inquire whether the external audit report has been submitted and whether everything was satisfactory. Having the report allows you to respond appropriately to banks and supervisors, demonstrating, with the support of an independent auditor, that your hotel is complying with the regulations. Keep in mind that for banks, having commercial clients who are obligated entities entails a reputational and legal risk; therefore, they often perform additional due diligence. Submitting your SUGEF compliance report (attestation) and your Prevention Manual to the bank can give them peace of mind that you're up to date, avoiding delays in processing or potential denials of service.
Note: The attestation report is confidential and for regulatory purposes only; it is not a public document or for marketing purposes. It should only be shared with the appropriate parties (SUGEF, internal auditors, your bank if requested as part of its due diligence, etc.). Fortunately, the existence of this mechanism means you can anticipate potential audits: if SUGEF decides to inspect your hotel, you will already have an independent professional assessment endorsing the measures implemented, which usually makes things easier.
Conclusions and recommendations for hotels subject to SUGEF
Entering the obligated subject regime may seem complex, but in short, it's about institutionalizing good practices to protect your business and the country's financial system. More than a formality, it's an investment in your hotel's transparency and reputation. Below, we list practical and actionable steps that you, as a manager or owner, should consider if your hotel has a casino, sells properties, or does any other activity covered by Law 7786:
Check your obligations and register your business: Confirm whether your hotel's activities make it an obligated entity (casinos, regular real estate sales, etc., as defined by Law 7786). If so, register with SUGEF as soon as possible. This registration is essential to avoid problems with banks or legal sanctions. Don't wait for the bank to notify you; the initiative must come from you.
Create a customized Compliance Manual: Don't just rely on generic templates. Develop (with expert help if necessary) a Money Laundering Prevention Manual tailored to your hotel's needs. Include KYC policies, due diligence procedures, internal controls, reporting protocols, and internal sanctions regime. Ensure it is formally approved by management or the board of directors and disseminated to key personnel.
Implement KYC policies and analyze risks: Know your customers in all risk areas (casino guests, property buyers, large suppliers, etc.). Establish due diligence forms and checklists when entering into business relationships. Conduct an institutional risk analysis: for example, assess the country risk of your foreign customers, the risk of cash payments, among others, and document mitigation measures. Update this analysis at least once a year or when the environment changes significantly.
Designate a compliance officer and train staff: Appoint a Compliance Officer (or equivalent) who is clear about their role and authority to implement the program. This can be an existing employee with training in the subject, or you can hire a new person depending on the scale of your operations. At the same time, train your employees—especially those in the cash register, sales, and customer service departments—on how to identify unusual transactions and what to do about them. Ongoing training strengthens internal culture and prevents any details from slipping through the cracks.
Maintain records and report promptly: Keep all due diligence documentation organized (copies of IDs, KYC forms, relevant transaction logs, training records, etc.). Implement a procedure to report suspicious transactions to the ICD as soon as they are detected. Remember that these reports are confidential and that the law protects businesses that report in good faith, while severely penalizing deliberate failure to report. Also, if applicable to your operation, comply with other periodic reporting requirements (for example, a casino may be required to report cash transactions above a certain threshold, in accordance with current regulations).
Prepare to respond to banks and authorities: Have a compliance package ready to share with institutions that request it. For example, your bank might ask for proof of SUGEF registration, a copy of the prevention manual, the name of the compliance officer, and possibly a summary or proof of the latest external audit report. Having these documents on hand and up-to-date projects seriousness and facilitates your business relationships. Remember that banks are required by the same law to verify that their regulated clients comply with the regulations, so being transparent and anticipating them will always be positive.
In conclusion, a hotel with a casino or real estate business must assume its role in preventing money laundering. Far from being a bureaucratic burden, implementing these measures strengthens the confidence of investors, business partners, and financial institutions in your business. Furthermore, it avoids sanctions that could range from fines and bank account closures to criminal implications in extreme cases of willful noncompliance. Costa Rica, through SUGEF and the ICD, has aligned its regulations with international standards to protect the tourism-financial sector from illicit activities, and hotels are no exception. The good news is that there are abundant resources—professional circulars, SUGEF guides, specialized advisors—to help you comply.
Adopting a culture of compliance will allow your hotel to grow sustainably and safely. By keeping your obligations in order, you can focus on your core business—providing an excellent guest experience—without regulatory issues. Ultimately, a robust compliance program not only satisfies the law and banks, but also protects your company's reputation with your customers and society. As a tourism business owner, your commitment to these standards also helps Costa Rica remain a trusted and transparent destination internationally. Get to work on compliance; your hotel and the country will thank you!
References:
Circular No. 35-2025 of the College of Public Accountants of Costa Rica, “Responsibilities of the CPA with respect to the assurance report in SAES”.
Law 7786 and its relevant reforms (especially arts. 15, 15 bis, 16 bis).
SUGEF Agreement 13-19 (prevention of ML/FT/FPADM for non-financial entities) and related CONASSIF regulations.
Regulations and guidelines of the Financial Intelligence Unit – ICD (e.g. on prevention in casinos).
FATF/GAFILAT International Standards on Obliged Subjects and Risk-Based Approach.
Practical examples based on recent attestation reports and official communications.



