ESP | ENG

09 Feb 26 Inclusion of PSPs as Regulated Entities for Cybersecurity Purposes

Posted at 13:10h in The Firm by

Agustín Cerolini, Valentina Circolone y Tomás Mingrone

 

On February 5, 2026, the Argentine Central Bank (the “BCRA” for its acronym in Spanish) issued Communication “A” 8398 (the “Communication”), pursuant to which it updates the regulatory framework applicable to the management and control of technology risks and information security, with a focus on the outsourcing of critical services and the strengthening of internal governance and third-party management. The most relevant changes are outlined below:

Inclusion of PSPs as regulated entities.

The Communication incorporates Payment Service Providers (“PSPs”) as regulated entities under the BCRA’s consolidated regulations titled “Minimum Requirements for the Management and Control of Technology Risks and Information Security”. In this context, PSPs have a 180-day period to implement the necessary adjustments for compliance.

Outsourcing of critical services.

The Communication strengthens the framework applicable when technology and/or cybersecurity services deemed critical are outsourced. In this regard, before commencing the outsourcing arrangement, a prior notice must be filed with the BCRA at least 60 calendar days in advance, informing the service to be outsourced, the relevant locations, the service provider and any subcontractors, together with minimum documentation and business continuity arrangements. In addition, such third parties must formally undertake to allow the BCRA audit access.

It should be noted that the minimum requirements must be complied with both by financial institutions and PSPs registered with the BCRA, as well as by those third parties to which they have delegated processes, services or activities related to technology and information security processes.

Foreign service providers and record-keeping.

For outsourcing arrangements abroad, the Communication introduces additional conditions. In particular, it provides that foreign service providers must be located in jurisdictions aligned with the standards of the Financial Action Task Force (“FATF”) regarding anti-money laundering and counter-terrorism financing. It also establishes that any BCRA inspections conducted abroad will be at the entity’s expense. Finally, it includes guidelines on the local safeguarding, availability and retention of relevant documentation and records, providing that accounting books, files and key documentation must be kept in Argentina.