Eternity Law International News Cybersecurity for PSPs in Argentina: New BCRA Requirements to Implement in 2026

Cybersecurity for PSPs in Argentina: New BCRA Requirements to Implement in 2026

Published:
May 5, 2026
Share it:

The Argentine digital payments market remains one of the fastest-growing in Latin America. Against this backdrop, the PSP licence in Argentina has evolved from a formal registration procedure into a mechanism for ongoing supervision by the country’s Central Bank. In 2025–2026, the BCRA significantly tightened the requirements for payment service providers, particularly in terms of information security, data management and internal controls. 

For firms viewing a PSP licence as a means of entering the regional market, this means they need to establish their technological and compliance infrastructure in advance. Experience shows that without the support of specialist consultants, such as Eternity Law International, launching a PSP project in Argentina becomes significantly more challenging.

Why has the BCRA tightened the requirements for PSPs?

Over the past few years, Argentina has seen a sharp rise in the number of digital wallets, QR payments and non-bank payment services. The increase in transaction volumes has simultaneously led to a rise in fraud, attacks on PSP infrastructure and customer data breaches. In practice, the BCRA concluded that some market participants were developing payment products faster than their internal control systems.

Consequently, in 2025, the Central Bank issued a series of updates and technical guidance that expanded the responsibilities of payment service providers (PSPs) in the areas of cybersecurity, transaction monitoring and reporting. In early 2026, the regulator officially included PSPs in the list of entities subject to minimum requirements for technology risk management and information security.

For foreign companies, this means that PSP registration in Argentina is now assessed not only on the basis of corporate structure and financial model, but also on the business’s ability to ensure that its infrastructure is resilient to incidents and external threats. As part of their client support, the specialists at Eternity Law International conduct a separate analysis of the IT architecture’s compliance with BCRA requirements even before the documents are submitted.

Have any questions?

Fill out the form and our lawyer will contact you to discuss the details and offer you the best solution for your needs

Send Request
Banner

New standards for managing technological risks

The BCRA has placed particular emphasis on the implementation of a comprehensive information security risk management system. Whereas previously many PSPs relied solely on basic internal policies, the regulator expects a structured control model to be in place by 2026. This involves formalising threat assessment processes, continuous incident monitoring, segmentation of data access, logging of operations, and documentation of all critical changes to the system. Particular attention is paid to the storage of customer data and the ability to trace the origin of each transaction.

For international companies, the challenge typically arises when adapting internal standards to meet Argentina’s local requirements. Many procedures used in Europe or Asia do not always meet the expectations of the local regulator. Eternity Law International supports clients specifically in localising their compliance procedures to meet the requirements of the BCRA.

Requirements for the protection of customer data

A separate set of regulations concerns users’ personal and financial data. For the BCRA, the issue of data protection is directly linked to the stability of the financial system, which is why the requirements have become significantly stricter. By 2026, PSPs are required to implement a multi-layered system for protecting customer data. The regulator requires the use of encryption mechanisms, restrictions on internal access, and procedures for detecting unauthorised activity within the company’s infrastructure.

For organizations, this results in additional costs and places a greater burden on legal and technical departments. In practice, many foreign applicants underestimate the volume of documentation required to demonstrate compliance with security standards. Eternity Law International assists in the preparation of internal regulations, data retention policies and incident response procedures, taking into account Argentine regulations.

Regulatory RequirementWhat PSPs Must ImplementBCRA Objective
Risk ControlIT risk management systemReduction of cyber incidents
Transaction SecurityMonitoring of suspicious transactionsPrevention of fraud
Incident ResponseInternal response plan for cyber incidentsRapid mitigation of threats
Operational ResilienceBackup servers and recovery systemsContinuity of payment operations
Data ProtectionData storage and encryption policiesProtection of clients’ personal data
Internal ControlRegular security auditsIncreased transparency of PSP operations

Mandatory incident and cyber-attack management

One of the key changes is the requirement to implement mandatory cyber incident response procedures. The BCRA operates on the assumption that attacks on financial infrastructure are a matter of time, not probability. Payment service providers must develop an internal response plan, designate responsible staff and establish procedures for notifying the regulator. In certain cases, the BCRA requires information on serious incidents to be provided within a short timeframe.

For new market entrants, complying with these requirements is often a more challenging task than the company registration process itself. This is particularly true for start-ups that have not previously operated in regulated financial sectors. In such cases, Eternity Law International assists clients in establishing an internal control framework even before the licensing process begins.

Strengthening oversight of PSP operational resilience

The BCRA is also placing greater emphasis on business continuity. Following several major technical glitches in the digital payments market, the regulator has begun to treat fault tolerance as an integral part of the mandatory security framework. By 2026, PSPs must have backup transaction processing channels, data recovery systems and business continuity plans in place to deal with critical incidents. The regulator requires confirmation that the company will be able to maintain payment processing even in the event of serious technical failures.

In practice, this means investing in backup infrastructure, additional server capacity and independent data storage systems. For some foreign companies, it is precisely this set of requirements that proves to be the most costly. When preparing projects, Eternity Law International’s specialists analyse the client’s technical business model separately, as errors in the infrastructure architecture may lead to a refusal of registration or additional requirements from the BCRA.

What will change for foreign companies in 2026

For foreign investors, the Argentine market remains attractive thanks to high demand for digital payments and the growth of the fintech sector. However, by 2026, the process of obtaining a PSP licence will become significantly more technical and costly. The regulator is effectively moving from formal checks to ongoing supervision of payment service providers’ infrastructure. This means that obtaining PSP status can no longer be viewed as a one-off procedure. Companies must maintain compliance with BCRA requirements on an ongoing basis.

The regulator scrutinizes foreign projects particularly closely, especially those involving distributed IT infrastructure, international payment solutions and the use of external technology providers. Without prior legal and technical preparation, the risk of delays in the registration process increases significantly. In practice, most issues arise not at the application stage, but during the review of internal security systems and operational controls. For this reason, many organizations prefer to engage external consultants even before the project is launched. Eternity Law International works with international clients on PSP licensing, structuring fintech businesses and adapting corporate procedures to meet the requirements of Argentina’s financial regulators.

The BCRA’s new cybersecurity requirements for PSPs are shaping a stricter regulatory framework for the payments market in Argentina. By 2026, payment service providers are required to implement comprehensive mechanisms for risk management, data protection, incident response and operational resilience. For foreign firms, this means increased compliance costs and the need for thorough preparation even before the licensing process begins.

If you are interested in obtaining a PSP licence in Argentina, structuring a fintech project, analysing BCRA requirements, or receiving support throughout the registration process for a payment company, the specialists at Eternity Law International provide comprehensive legal and regulatory support to international businesses. The firm works on projects in the areas of financial licensing, digital payments and cross-border fintech solutions, taking into account the current requirements of Argentine legislation and the practices of the Central Bank of Argentina.

FAQ

What cybersecurity requirements must PSPs meet by 2026?

Businesses are obligated to establish internal data protection guidelines, adopt frameworks for managing IT-related threats, safeguard customer information, maintain backup systems, and define procedures for handling cyberattack situations.

Is there a demand for cybersecurity in Argentina?

Yes. The requirement for cyber protection offerings within Argentina is rising as the financial tech industry, online payments, and web banking platforms continue to grow. After stricter rules were introduced by the central bank of Argentina, firms have started allocating greater resources to securing information, supervising operations, and stopping digital threats.

Have any questions?

Fill out the form and our lawyer will contact you to discuss the details and offer you the best solution for your needs

Send Request
Banner

Other gaming license

You could be interested

Extradition Defense in Italy

From the very beginning the thought which we would like to highlight is that such a request is more than just paperwork. It is obvious that it’s a direct challenge to your freedom. When another country asks Italy to hand you over, the consequences can be life-altering. Nevertheless, stay still and don’t panic. We are...

Free zones in Georgia

The convenient and favorable geographical position of Georgia makes it attractive from the point of view of establishing various types of industries, infrastructure facilities, research and business on its territory. Attractive conditions are also created by internal and external activities: reducing the level of bureaucracy and corruption, calm in the internal political life of the...

Regulation of Crypto Exchanges in Singapore

In this article, we are going to look into the Monetary Authority of Singapore’s regulation of the Digital Payment Token Service Providers activities. Key provisions: Legislative Basis: Payment Services Act (PSA) 2019, MAS Notice PSN02, Consultation Paper on a New Omnibus Act for the Financial Sector. Financial regulator: Monetary Authority of the Singapore (MAS). FIU:...

Company registration in Ukraine

Registration of a company in Ukraine is getting easier every year. Company formation procedure The first stage in setting up a company in Ukrainian jurisdiction is entering it into the Unified State Register. This can be done by submitting an application to the state registrar working in the zone where the legal entity will operate...

Why Selling Your Company Is Better Than Liquidating It

In business practice, the question of winding up a business arises regularly. The reasons vary: change in the owner’s priorities, a decline in profitability, pressure from regulatory authorities, or the reallocation of assets. At this stage, the choice usually comes down to two scenarios – liquidation or sale. Despite the prevalence of the first option,...

Gambling license in Mexico

Mexico is a country positioned at the forefront of the most prospective destinations in Latin America for companies interested in interactive online formats. The contemporary environment was created by the interaction of ancient legal provisions and booming demand rising from the users. Most businesses currently operate in conditions of regulatory uncertainty regarding a Mexico gambling...

Discover our services

The international company Eternity Law International provides professional services in the field of international consulting, auditing services, legal and tax services.

Fill the blank: