
The Argentine digital payments market remains one of the fastest-growing in Latin America. Against this backdrop, the PSP licence in Argentina has evolved from a formal registration procedure into a mechanism for ongoing supervision by the country’s Central Bank. In 2025–2026, the BCRA significantly tightened the requirements for payment service providers, particularly in terms of information security, data management and internal controls.
For firms viewing a PSP licence as a means of entering the regional market, this means they need to establish their technological and compliance infrastructure in advance. Experience shows that without the support of specialist consultants, such as Eternity Law International, launching a PSP project in Argentina becomes significantly more challenging.
Why has the BCRA tightened the requirements for PSPs?
Over the past few years, Argentina has seen a sharp rise in the number of digital wallets, QR payments and non-bank payment services. The increase in transaction volumes has simultaneously led to a rise in fraud, attacks on PSP infrastructure and customer data breaches. In practice, the BCRA concluded that some market participants were developing payment products faster than their internal control systems.
Consequently, in 2025, the Central Bank issued a series of updates and technical guidance that expanded the responsibilities of payment service providers (PSPs) in the areas of cybersecurity, transaction monitoring and reporting. In early 2026, the regulator officially included PSPs in the list of entities subject to minimum requirements for technology risk management and information security.
For foreign companies, this means that PSP registration in Argentina is now assessed not only on the basis of corporate structure and financial model, but also on the business’s ability to ensure that its infrastructure is resilient to incidents and external threats. As part of their client support, the specialists at Eternity Law International conduct a separate analysis of the IT architecture’s compliance with BCRA requirements even before the documents are submitted.
New standards for managing technological risks
The BCRA has placed particular emphasis on the implementation of a comprehensive information security risk management system. Whereas previously many PSPs relied solely on basic internal policies, the regulator expects a structured control model to be in place by 2026. This involves formalising threat assessment processes, continuous incident monitoring, segmentation of data access, logging of operations, and documentation of all critical changes to the system. Particular attention is paid to the storage of customer data and the ability to trace the origin of each transaction.
For international companies, the challenge typically arises when adapting internal standards to meet Argentina’s local requirements. Many procedures used in Europe or Asia do not always meet the expectations of the local regulator. Eternity Law International supports clients specifically in localising their compliance procedures to meet the requirements of the BCRA.
Requirements for the protection of customer data
A separate set of regulations concerns users’ personal and financial data. For the BCRA, the issue of data protection is directly linked to the stability of the financial system, which is why the requirements have become significantly stricter. By 2026, PSPs are required to implement a multi-layered system for protecting customer data. The regulator requires the use of encryption mechanisms, restrictions on internal access, and procedures for detecting unauthorised activity within the company’s infrastructure.
For organizations, this results in additional costs and places a greater burden on legal and technical departments. In practice, many foreign applicants underestimate the volume of documentation required to demonstrate compliance with security standards. Eternity Law International assists in the preparation of internal regulations, data retention policies and incident response procedures, taking into account Argentine regulations.
| Regulatory Requirement | What PSPs Must Implement | BCRA Objective |
| Risk Control | IT risk management system | Reduction of cyber incidents |
| Transaction Security | Monitoring of suspicious transactions | Prevention of fraud |
| Incident Response | Internal response plan for cyber incidents | Rapid mitigation of threats |
| Operational Resilience | Backup servers and recovery systems | Continuity of payment operations |
| Data Protection | Data storage and encryption policies | Protection of clients’ personal data |
| Internal Control | Regular security audits | Increased transparency of PSP operations |
Mandatory incident and cyber-attack management
One of the key changes is the requirement to implement mandatory cyber incident response procedures. The BCRA operates on the assumption that attacks on financial infrastructure are a matter of time, not probability. Payment service providers must develop an internal response plan, designate responsible staff and establish procedures for notifying the regulator. In certain cases, the BCRA requires information on serious incidents to be provided within a short timeframe.
For new market entrants, complying with these requirements is often a more challenging task than the company registration process itself. This is particularly true for start-ups that have not previously operated in regulated financial sectors. In such cases, Eternity Law International assists clients in establishing an internal control framework even before the licensing process begins.
Strengthening oversight of PSP operational resilience
The BCRA is also placing greater emphasis on business continuity. Following several major technical glitches in the digital payments market, the regulator has begun to treat fault tolerance as an integral part of the mandatory security framework. By 2026, PSPs must have backup transaction processing channels, data recovery systems and business continuity plans in place to deal with critical incidents. The regulator requires confirmation that the company will be able to maintain payment processing even in the event of serious technical failures.
In practice, this means investing in backup infrastructure, additional server capacity and independent data storage systems. For some foreign companies, it is precisely this set of requirements that proves to be the most costly. When preparing projects, Eternity Law International’s specialists analyse the client’s technical business model separately, as errors in the infrastructure architecture may lead to a refusal of registration or additional requirements from the BCRA.
What will change for foreign companies in 2026
For foreign investors, the Argentine market remains attractive thanks to high demand for digital payments and the growth of the fintech sector. However, by 2026, the process of obtaining a PSP licence will become significantly more technical and costly. The regulator is effectively moving from formal checks to ongoing supervision of payment service providers’ infrastructure. This means that obtaining PSP status can no longer be viewed as a one-off procedure. Companies must maintain compliance with BCRA requirements on an ongoing basis.
The regulator scrutinizes foreign projects particularly closely, especially those involving distributed IT infrastructure, international payment solutions and the use of external technology providers. Without prior legal and technical preparation, the risk of delays in the registration process increases significantly. In practice, most issues arise not at the application stage, but during the review of internal security systems and operational controls. For this reason, many organizations prefer to engage external consultants even before the project is launched. Eternity Law International works with international clients on PSP licensing, structuring fintech businesses and adapting corporate procedures to meet the requirements of Argentina’s financial regulators.
The BCRA’s new cybersecurity requirements for PSPs are shaping a stricter regulatory framework for the payments market in Argentina. By 2026, payment service providers are required to implement comprehensive mechanisms for risk management, data protection, incident response and operational resilience. For foreign firms, this means increased compliance costs and the need for thorough preparation even before the licensing process begins.
If you are interested in obtaining a PSP licence in Argentina, structuring a fintech project, analysing BCRA requirements, or receiving support throughout the registration process for a payment company, the specialists at Eternity Law International provide comprehensive legal and regulatory support to international businesses. The firm works on projects in the areas of financial licensing, digital payments and cross-border fintech solutions, taking into account the current requirements of Argentine legislation and the practices of the Central Bank of Argentina.
FAQ
What cybersecurity requirements must PSPs meet by 2026?
Businesses are obligated to establish internal data protection guidelines, adopt frameworks for managing IT-related threats, safeguard customer information, maintain backup systems, and define procedures for handling cyberattack situations.
Is there a demand for cybersecurity in Argentina?
Yes. The requirement for cyber protection offerings within Argentina is rising as the financial tech industry, online payments, and web banking platforms continue to grow. After stricter rules were introduced by the central bank of Argentina, firms have started allocating greater resources to securing information, supervising operations, and stopping digital threats.
Other gaming license
- Why has the BCRA tightened the requirements for PSPs?
- New standards for managing technological risks
- Requirements for the protection of customer data
- Mandatory incident and cyber-attack management
- Strengthening oversight of PSP operational resilience
- What will change for foreign companies in 2026
- FAQ








