New Cybersecurity Requirements for PSPs 

On February 5, 2026, the Argentine Central Bank (BCRA) issued Communication “A” 8398, which introduced amendments to the consolidated text on Minimum Requirements for the Management and Control of Technology and Information Security Risks.

The modifications included adding Payment Service Providers (PSPs) to the list of reporting entities. Accordingly, PSPs must now ensure the implementation of effective practices for internal control and risk management within their technology and information security operating environments.

PSPs have 180 calendar days since this Communication was published to implement the new requirements and comply with BCRA regulations.

The Communication also strengthens the oversight of outsourced technology and/or security services deemed critical. For example, the service to be outsourced must be notified to the Superintendence of Financial and Foreign Exchange Institutions (SEFyC) at least 60 calendar days in advance.

The Communication also establishes that, when services are outsourced to a third party located abroad, that entity must be incorporated in countries aligned to the principles and standards of the Financial Action Task Force (FATF).