AMENDMENTS TO THE GENERAL REGULATION OF THE PUBLIC PROCUREMENT LAW

Through Executive Decree No. 356 of April 7, 2026, published on April 8, 2026, in the Third Supplement of the Official Register No. 260, the General Regulation of the Public Procurement Law (“RGLOSNCP”) was amended.

Below is a summary of the amendments:

  1. Sanctions for suppliers. The infractions established in article 119 of the Public Procurement Law (“LOSNCP”) must be sanctioned by the National Public Procurement Service (“SERCOP”) with the suspension of the offender’s Single Registry of Suppliers (“RUP”). For the imposition of this sanction, SERCOP shall apply the following grading:

 

1.1. The infractions defined in literals a) and c) of article 120 of the LOSNCP (e.g., providing false information or links between bidders, respectively) are sanctioned considering the reference budget and the public procurement procedure in which the infraction was committed, as explained below:

1.2. The infraction defined in literal b) of article 119 of the LOSNCP, which relates to the types of misuse of the Public Procurement Portal established in article 25 of the RGLOSNCP, will be sanctioned as explained below:

1.3. The infraction defined in literal d) of article 119 of the LOSNCP, related to the commission of acts of dishonesty during the certification of operators of the National Public Procurement System, will be sanctioned with a 180-day suspension of the RUP. Additionally, SERCOP may annul the irregularly obtained certification.

 

  2. Claims before SERCOP. Bidders’ claims filed before SERCOP in accordance with Article 115 of the LOSNCP, regarding unlawful actions by contracting entities during the pre-contractual stage, must be resolved within a maximum of 15 business days, counted from the date the contracting entity submits its rebuttal or from the expiration of the deadline to do so, if no response has been submitted. Article 433 of the RGLOSNCP explicitly established that failure to comply with this deadline resulted in SERCOP’s loss of competence to resolve the claim. Following the reforms, this provision was removed; however, contracting entities are still authorized to continue with the procurement process even without a decision from SERCOP. This creates a legal gap that SERCOP must address.

  3. Central Bank of Ecuador (“BCE”). Under the special regime of Article 149 of the RGLOSNCP, the BCE can contract directly and, if necessary, under reserve, non-cataloged strategic goods and services for the operation, security, and sustainability of the financial system, including: external audit, management of valuables, coin minting, financial infrastructure, gold management, and technical systems for stability and prevention of money laundering.

 

Xavier Rosales, Partner at CorralRosales
xrosales@corralrosales.com
+593 2 2544144

 

Hugo Garcia Larriva, Partner at CorralRosales
hgarcia@corralrosales.com
+593 2 2544144

Mario Fernández, Associate at CorralRosales
mfernandez@corralrosales.com
+593 2 2544144

© CORRALROSALES 2026
NOTE: The above text has been prepared for informational purposes. CorralRosales is not responsible for any loss or damage caused as a result of acting or failing to act on the basis of the information contained in this document. Any additional specific situation requires the firm's specific opinion and advice.

CORRALROSALES

Tax credit notes issued by the SRI

On March 31, 2026, the Internal Revenue Service (SRI) issued Resolution No. NAC-DGERCGC26-00000015, through which it amended the procedure for the issuance, endorsement, use, and cancellation of tax credit notes. The most relevant changes are summarized below:

 

  • The amounts of dematerialized tax credit notes will constitute an available balance for the taxpayer within the “securities account statement” available on the SRI online portal.
  • It was established that each tax liability determined in tax returns administered by the SRI may be settled using available balances from tax credit notes up to 60% of the amount payable for each return. The remaining balance of the tax liability must be paid through other means. This limitation will not apply to balances corresponding to tax credit notes related to the Foreign Currency Outflow Tax (ISD).
  • The possibility of securing compliance with customs tax obligations through dematerialized tax credit notes issued by the SRI has been eliminated.

 

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Mateo Bravo, Associate at CorralRosales
mbravo@corralrosales.com
+593 2 2544144


MINISTERIAL AGREEMENT MDT-2026-059 PROCEDURE FOR AUTHORIZATION OF SPECIAL WORK SHIFTS OR SCHEDULES

Through the 4th Supplement of Official Register No. 240, dated March 10, 2026, the Ministry of Labor published Ministerial Agreement MDT-2026-059 (hereinafter the “Agreement”). The Agreement establishes the Procedure for the Authorization of Special Work Shifts or Schedules and the Efficient Workday for Development modality. Key points include the following:

  • Its purpose is to regulate the approval process for special shifts or schedules, as well as the efficient workday modality for development.

 

The Agreement revokes Ministerial Agreement No. MDT-2018-0219 and all its amendments.

 

  • Special Shifts are defined as:

 

  1. Those involving work for more than 5 consecutive days and including additional or accumulated rest days.
  2. Those involving work for fewer than 5 consecutive days with rest intervals of less than 2 consecutive days.

These apply when, due to evident conditions of the industry, operations, or tasks, activities cannot be interrupted for technical reasons or because such interruption would cause harm to the public interest or other employer needs.

  • Special Schedules are those involving rotating shifts.

 

Any arrangements that do not fall under special schedules or shifts and that remain within legal parameters do not require authorization from the Ministry of Labor, only an explicit agreement between employers and employees.

 

  • These agreements must be registered on the SUT platform within a maximum period of 30 days from the date of execution.

 

  • Priority in Youth Hiring: When the implementation of special shifts or schedules creates new job positions, the Ministry of Labor will give priority in the processing of applications that demonstrate the hiring of young people between 18 and 29 years of age, provided the hiring is carried out through the “Encuentra Empleo” platform.

 

  • The Agreement also introduces the Efficient Workday for Development, which allows employers and employees to agree on a work schedule that distributes 40 weekly hours into daily shifts of up to 10 hours within 5 days per week.

This workday may be in-person, remote, or hybrid, with the objective of promoting family stability, efficiency, free time, youth employment, and gender equality, and it also allows compensation or weekly use of working hours.

Agreements regarding the efficient workday must be included in the employment contract or in an amendment to the originally agreed work schedule. This agreement must be registered on the SUT platform within 30 days after being agreed upon.

  • Medical technologists (radiologists) may work 6 hours per day exposed to radiation, up to 30 hours per week, and 2 additional hours per day on administrative tasks related to their duties, completing a maximum schedule of 8 hours per day and 40 hours per week.

 

  • Drivers in an employment relationship may not perform their duties in shifts exceeding 12 hours.

 

 

Edmundo Ramos, Partner at CorralRosales
eramos@corralrosales.com
+593 2 2544144

Belén Jaramillo, Partner at CorralRosales
bjaramillo@corralrosales.com
+593 2 2544144


ORGANIC LAW FOR COMPREHENSIVE CANCER CARE

On March 4, 2026, the “Organic Law for Comprehensive Cancer Care” (the “Law”) was published by means of the seventh supplement of the Official Registry No. 236. From a strictly labor perspective, we highlight the following:

The Law establishes relevant definitions for its application, including:

Direct substitute: relatives up to the fourth degree of consanguinity and second degree of affinity, spouse, partner in a common-law union, legal representative or attorney-in-fact, or any person who has under responsibility the maintenance or care of a person diagnosed with cancer.

Parents or legal representatives of children or adolescents with cancer will also be considered direct substitutes.

The illness must generate a condition that prevents the person from independently carrying out activities necessary for their subsistence.

Caregiver: parents, spouses, adult children, legal representatives, or guardians who are authorized to care for a person diagnosed with cancer.

Relevant labor rights provided for in the Law:

a)    People diagnosed with cancer have the right to equality and non-discrimination in the social, family, educational, and labor context for having or having been diagnosed with cancer.

 

b)    People diagnosed with cancer shall enjoy enhanced job stability. To terminate the employment relationship, the employer must reasonably demonstrate that the termination is unrelated to the illness and must base it on the causes and procedures established in the applicable regulations.

 

c)    The same treatment shall be granted to substitute workers and anyone acting as caregivers, provided that the illness generates a condition that prevents the person from independently carrying out activities necessary to ensure their subsistence.

Edmundo Ramos, Partner at CorralRosales
eramos@corralrosales.com
+593 2 2544144

María Victoria Beltrán, Associate at CorralRosales
mbeltran@corralrosales.com
+593 2 2544144


INCOME TAX WITHHOLDING RATES AT SOURCE 2026

Through Resolution No. NAC-DGERCGC26-00000009, the Ecuadorian Internal Revenue Service (Servicio de Rentas Internas – SRI) updated the Income Tax withholding rates to be applied by special taxpayers and other withholding agents as of March 1, 2026, upon making payments or recording income subject to taxation in favor of beneficiaries.

 

Below is a summary of the most relevant amendments introduced by the Resolution.

In order to allow taxpayers to adapt their invoicing systems, withholding certificates corresponding to Income Tax withholdings made between March 1 and March 15, 2026, may be issued until March 31, 2026.

 

Mateo Bravo, Associate at CorralRosales
mbravo@corralrosales.com
+593 2 2544144

Alberto Bonilla, Associate at CorralRosales
abonilla@corralrosales.com
+593 2 2544144


Update on bilateral tariff measures between Colombia and Ecuador

The Ministry of Commerce, Industry and Tourism of the Republic of Colombia issued Decree No. 0170 of 2026, whereby it adopted a reciprocal tariff equivalent to 30% ad valorem applicable to certain products imported from the Republic of Ecuador, as well as restrictive measures on the entry of goods originating in or coming from Ecuador on grounds of national security.

 

Article 1 of the Decree imposes such tariff on 23 tariff headings, broken down into 73 specific subheadings, expressly detailed in the regulatory text. These subheadings include agricultural and agro-industrial products, food sector goods, certain manufactured products, and other strategic goods identified by the Colombian Government.

 

Article 3 further establishes a stricter measure by prohibiting the entry, under any customs regime and via land routes (Sectional Directorates of Taxes and Customs of Ipiales and Puerto Asís), of goods classifiable under three tariff headings used in the production of fentanyl.

 

The 30% tariff is applied to the customs value of goods imported from Ecuador.

 

Subsequently, in response to such measure, Ecuador adopted a 50% levy on the customs value of goods originating in or coming from Colombia. In this context, the National Customs Service of Ecuador issued Resolution No. SENAE-SENAE-2026-0017-RE, regulating the operational application of such levy and establishing the guidelines for its assessment, collection, and control within the Ecuadorian customs system, as well as its enforceability as a prior condition for customs clearance.

 

 

Following Ecuador’s adoption of the 50% levy, the Government of the Republic of Colombia announced a draft regulation proposing to increase its tariff applicable to imports originating in Ecuador up to 50% ad valorem, which would constitute a further escalation of reciprocal trade measures between the two countries.

 

From the perspective of Andean Community law, both Colombia and Ecuador are Member States of the Andean Community; therefore, the imposition of duties and restrictions on intra-community trade may be subject to review under the Andean Trade Liberalization Program, which prohibits such measures except where duly justified exceptions apply.

 

In this context, mechanisms have been activated before the General Secretariat of the Andean Community (CAN) to analyze the compatibility of these measures with the Andean legal framework.

 

Our team remains attentive to any developments within the Andean framework, as well as to any additional regulatory changes arising from this tariff escalation, including the assessment of the associated regulatory and commercial risks.

Andrea Moya, Partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

Felipe Samaniego, Partner at CorralRosales
felipe@corralrosales.com
+593 2 2544144


General Regulation for the Guarantee of the Right to Personal Data Protection in the Use of Artificial Intelligence Systems

On 18 February 2026, the Data Protection Authority (“DPA”) issued, through Resolution No. SPDP-SPD-2026-0009-R, the General Regulation for the Guarantee of the Right to Personal Data Protection in the Use of Artificial Intelligence Systems (“AI Regulation”), with the purpose of ensuring the effective application of the Data Protection Law (“DPL”), its General Regulation, and other applicable regulations concerning personal data protection, when controllers and processors develop, train, implement, deploy and/or provide artificial intelligence systems (“AI Systems”) in which the personal data of Ecuadorians are processed, regardless of the location of the AI System or its provider.

 

Below, we detail the most relevant aspects of the AI Regulation:

 

  1. Definitions:
  • Developer: controller or processor that generates or creates an AI System.
  • Deployer: controller or processor that, through the use of an AI System, provides a service, except where such use falls within a personal activity of a non-professional nature.
  • Distributor: controller or processor that forms part of the supply chain other than the developer, deployer, or implementer, that markets or supplies an AI System on the market.
  • Implementer: controller or processor that commissions the development of, or implements, an AI System within internal procedures or processes.

 

  2. Controllers or processors that process personal data through AI Systems must comply with the following obligations:

 

  • Comply with the principles established in the DPL.
  • Guarantee the rights recognized in the DPL, in particular the rights to information, objection, and not to be subject to a decision based solely or partially on automated assessments.
  • Inform the data subject about the processing of their personal data carried out through AI Systems, including its purposes and its automated nature.
  • Carry out risk analyses and data impact assessments.
  • Implement appropriate security measures.
  • Include the processing operations carried out through AI Systems in the record of processing activities (RoPA).
  • Audit the operation of the AI System according to its level of risk.

 

  3. The DPA may audit AI Systems where the principles and rights are not guaranteed and may impose corrective measures and/or precautionary measures in the event of non-compliance with the obligations established in the DPL and other applicable regulations in this field.

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144


MANDATORY REGISTRATION OF TRAINING ON PAY EQUITY AND NON-DISCRIMINATION

On January 8 of this year, the Ministry of Labor issued the regulation for compliance with the obligations set forth in the Organic Law for Pay Equity between Women and Men. This regulation includes the creation of a module within the Sistema Unico de Trabajo (SUT), where employers are required to register training programs and awareness initiatives related to equal pay and non-discrimination.

In accordance with the regulation, private sector employers are required to comply with the following:

Annual Training: Provide at least 40 hours of training per year, which may be delivered in person, virtually, or a combination of both, and must include all employees.

Awareness Initiatives: Promote gender equality, equal pay, and the prevention of any form of workplace discrimination.

Registration and Reporting: Document and report all training sessions and awareness activities in the designated SUT module.

Reporting Deadlines: Information on training and awareness initiatives must be reported annually. However, the Ministry of Labor issued Ministerial Agreement No. MDT-2025-185, which provides a one-time extension of the deadline through November 30, 2026.

Thereafter, reports must be submitted annually in January.

To access the module in the SUT, employers must locate the section titled:
“Training and Awareness Registration – Ministerial Agreement MDT-2025-006.”

This new module is currently undergoing continuous updates, which may lead to occasional technical issues during the registration process.

Importance of Compliance:

The information recorded in the SUT will be essential for verification and certification processes conducted by the Ministry of Labor. Compliance with these obligations will enable employers to obtain the Certificate of Compliance with the Organic Law for Pay Equity between Women and Men.

For any clarification or further information, feel free to contact us.

Belén Jaramillo, Partner at CorralRosales
bjaramillo@corralrosales.com
+593 2 2544144

María Victoria Beltrán, Associate at CorralRosales
mbeltran@corralrosales.com
+593 2 2544144


Executive Decree No. 298 – General Regulations to the Organic Law on the Prevention, Detection, and Combat of the Crime of Money Laundering and the Financing of Other Crimes

By means of Executive Decree No. 298, dated January 30, 2026, the President of the Republic enacted the General Regulations to the Organic Law on the Prevention, Detection, and Combat of the Crime of Money Laundering and the Financing of Other Crimes (the Regulations).

These Regulations seek to consolidate a robust institutional and operational framework for the prevention, detection, and sanctioning of money laundering, terrorist financing, and other related offenses, aligned with international standards and grounded in a risk-based approach.

  1. General Approach and Guiding Principles

The Regulations are structured around a comprehensive preventive approach, expressly adopting the risk-based approach as a cross-cutting criterion for the identification, assessment, and mitigation of threats associated with money laundering, terrorist financing, and the proliferation financing of weapons of mass destruction.

Within this framework, the Regulations establish general guidelines that enable:

  • Coordination among public entities, the private sector, and supervisory authorities;
  • Adoption of technical methodologies aligned with international standards; and
  • Strengthening of institutional and corporate governance in matters of regulatory compliance.

Additionally, the Regulations provide for the periodic execution of national risk assessment exercises, the results of which must serve as input for the formulation of public policies and for the implementation of internal risk management systems by obligated entities.

  2. Determination and Management of Obligated Entities

One of the most significant aspects of the Regulations is the establishment of technical criteria for the inclusion, exclusion, or modification of the obligations applicable to obligated entities. Such determination is based on an objective analysis that considers, among other factors:

  • The level of residual risk associated with the economic activity carried out;
  • Trends, typologies, and patterns identified in relation to money laundering and crime financing;
  • Regional threats and their potential impact on the State’s economic and financial security; and
  • Information derived from national-level risk assessment processes.

Based on these criteria, the Financial and Economic Analysis Unit (UAFE) is empowered to define and update reporting structures, as well as the technical manuals applicable to each sector, ensuring the proportionality of obligations and their alignment with the identified level of risk.

  3. Compliance Programs and Internal Controls

The Regulations require obligated entities to implement a comprehensive program for the prevention and management of risks related to money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, designed in accordance with the structure and nature of their activities and with the regulations issued by the competent supervisory authority or the UAFE.

Such program must be set forth in a Money Laundering and Crime Financing Prevention Manual, which must be prepared, approved, implemented, and registered with the relevant authority.

At a minimum, the compliance program must include:

  • Policies, procedures, and controls for risk management;
  • Mechanisms for the detection of unusual, unjustified, or suspicious transactions; and
  • Timely reporting of such transactions to the UAFE within the established statutory timeframe.

Likewise, obligated entities must maintain sufficient and verifiable information regarding their clients and beneficial owners, as well as the transactions conducted, using reliable and trustworthy means.

  4. Reporting Regime and Information Obligations

The reporting system constitutes one of the core operational pillars of the Regulations and is designed as an essential tool for the effective functioning of the prevention system. Obligated entities must submit information to the UAFE on a periodic, complete, and timely basis, in accordance with the applicable technical parameters.

Key reporting obligations include:

  • Suspicious Transaction Reports (ROS);
  • Record of Non-Existence of Suspicious Transaction Reports (NO ROS);
  • Reports of individual transactions equal to or exceeding ten thousand United States dollars (USD 10,000), as well as multiple transactions which, in the aggregate, are equal to or exceed such amount when conducted for the benefit of the same individual within a thirty (30) day period (RESU); and
  • Record of Non-Existence of Reports of individual transactions equal to or exceeding ten thousand United States dollars (USD 10,000) or its equivalent in other currencies (NO RESU).

 

  5. Access, Confidentiality, and Use of Information

The Regulations reinforce the authority of the UAFE to require information from public entities and obligated entities. Such information must be provided in a complete and timely manner, without invoking confidentiality, secrecy, or privilege.

Key aspects include:

  • UAFE classifies information in accordance with the Organic Intelligence Law;
  • Failure to provide the required information results in administrative sanctions, without prejudice to other applicable liabilities; and
  • The establishment of a secure whistleblower channel, ensuring the protection of the reporting individual’s identity.

 

  6. Politically Exposed Persons (PEPs)

The Regulations clearly define who qualifies as a Politically Exposed Person (PEP), including individuals who hold or have held senior public positions at the national or international level, as well as those who perform prominent functions within international organizations.

The Regulations provide that:

  • PEP status remains in effect for two (2) years following the cessation of public office;
  • Being classified as a PEP does not imply the denial of services, but rather the application of enhanced due diligence measures; and
  • Obligated entities must obtain approval from senior management to initiate or maintain the business relationship.

 

  7. Transportation of Cash, Precious Metals, and Precious Stones

Travelers entering or exiting the country are required to declare before the National Customs Service of Ecuador (SENAE) any cash, bearer negotiable instruments, precious metals, or precious stones whose value is equal to or exceeds USD 10,000, whether individually or jointly.

  8. Administrative Sanctions Regime

The Regulations set forth proportionality criteria for the imposition of administrative sanctions, considering the severity of the infringement, the damage caused, and any recurrence.

Violations are sanctioned with fines expressed in Unified Minimum Wages (SBU), as follows:

  • Minor: 1 to 10 SBU
  • Serious: 11 to 20 SBU
  • Severe: 21 to 40 SBU

 

Dario Escobar, Associate at CorralRosales
descobar@corralrosales.com
+593 2 2544144


General Regulation on Large-Scale Personal Data Processing

On February 2, 2026, the Data Protection Authority (“DPA”) issued Resolution No. SPDP-SPD-2026-0005-R containing the General Regulation on Large-Scale Personal Data Processing (“Large-Scale Regulation”), with the aim of establishing guidelines and criteria for identifying large-scale personal data processing.

 

Below, we detail the most relevant aspects of the Large-Scale Regulation:

 

  1. Key concepts

 

The Large-Scale Regulation defines the following terms:

  1.1. Geographic scope: territorial extent or impact of the processing. It is classified as:

  • Local: processing carried out within a province, canton, or city.
  • National: processing carried out in more than one province, canton, or city.
  • Cross-border: processing carried out in a country, international organization, legal entity, or international economic territory.
  • Global: processing carried out in more than one country, international organization, legal entity, or international economic territory.

  1.2. Frequency of processing: regularity or continuity with which processing activities are carried out, considering the repetition, accumulation, and continuity of the operation, which may be single, periodic, or continuous.

  1.3. Duration of processing: the period during which personal data is subject to processing activities. It is classified as follows:

  • Occasional: processing is carried out on an exceptional, one-off, or sporadic
  • Temporary: processing is carried out for a period of less than three (3) years.
  • Extended: processing is carried out for a period of more than three (3) years.

  1.4. Data volume: total amount of personal data processed in each processing operation.

 

  2. Large-Scale Technical Model (“MTGE”)

The MTGE is a technical-legal instrument that allows the level of risk and magnitude of a given personal data processing activity to be assessed.

To calculate this, the MTGE takes the following variables into account:

  2.1. Number of personal data subjects:
    • From 0 to 1,000 data subjects: 1 point.
    • From 1,001 to 10,000 subjects: 2 points.
    • From 10,001 to 100,000 data subjects: 3 points.
    • More than 100,000 data subjects: 4 points.

  2.2. Volume of personal data:
    • Up to 10 types of data: 0.5 points.
    • Between 11 and 30 types of data: 1 point.
    • Between 31 and 100 types of data: 2 points.
    • More than 100 types of data: 3 points.

  2.3. Categories of personal data:
    • One basic category of data: 0.5 points.
    • One special category: 2 points.
    • More than one special category: 3 points.

  2.4. Frequency of personal data processing:
    • Occasional: 0.5 points.
    • Periodic or recurring: 1 point.
    • Continuous or real-time: 2 points.

  2.5. Duration of personal data processing:
    • Occasional: 0.5 points.
    • Temporary: 1 point.
    • Prolonged: 2 points.

  2.6. Geographic scope:
    • Local: 1 point.
    • National: 2 points.
    • Global or cross-border: 3 points.

 

The total MTGE score will be calculated by adding the values of the variables. If the result is equal to or greater than six (6) points, it will be considered a large-scale treatment.

 

  3. Direct qualification for Large-Scale Treatment (“Direct Qualification”)

 

Notwithstanding the calculation obtained through the MTGE, the DPA establishes that the following will be directly and mandatorily considered large-scale treatments:

 

  • Processing of health data.
  • Systematic and exhaustive evaluation of personal aspects of data subjects based on automated processing.
  • Systematic surveillance or monitoring of data subjects in public access areas, carried out using video surveillance systems.
  • Processing of biometric data.
  • Geolocation activities.
  • Structural processing of personal data within the framework of credit, financial, or economic risk assessment information systems.
  • Systematic processing of data on children and adolescents, when carried out in institutional, educational, digital, or service provision environments aimed at these priority groups.
  • Systematic transfers of personal data.
  • Processing data in express or courier messaging services.

 

  4. Effects of the calculation obtained from the MTGE and the Direct Qualification.

The results of the MTGE and Direct Qualification cases are binding for the following purposes:

  • Determining the obligation to carry out impact assessments.
  • Requiring the appointment of a Data Protection Officer (“DPO”).
  • Incorporating processing operations into the Record of Processing Activities (“RoPA”).
  • Activating enhanced measures of proactive accountability, security, and oversight.

 

If a controller or processor is required to appoint a DPO under the provisions of the Large-Scale Regulation, they will have ninety (90) days to make such an appointment and register it with the DPA.

 

Those who carry out large-scale data processing must include the following elements in their RoPA, in addition to the requirements set forth in Article 38 of the Regulations of the Data Protection Law: (i) a description of the processing; (ii) the frequency; and (iii) the duration of the processing.

 

Controllers or processors carrying out large-scale processing activities must undergo internal or external audits at least once every twelve (12) months, or when there are significant changes in the nature, scope, purposes, technologies used, or level of risk identified. Each audit report must be retained for a minimum of five (5) years.

 

Furthermore, in the case of large-scale processing, controllers or processors must expressly identify such processing in their privacy policies and indicate its purposes, the categories of personal data processed, and the data subjects concerned.

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144
