BCRA Communication "A" 8398: PSPs Become Obligated Entities under the Cybersecurity Framework
New requirements for technology risk management, outsourcing of critical services, and vendor oversight for financial institutions and payment service providers.
On February 5, 2026, Argentina's Central Bank (BCRA) issued Communication "A" 8398 (hereinafter "Com. A 8398"), published in the Official Gazette on February 9. The regulation comprehensively amends the consolidated text on "Minimum Requirements for the Management and Control of Technology and Information Security Risks" (the "Minimum Requirements") and the rules on "Expansion of Financial Entities." The most significant measure for the fintech ecosystem is the inclusion of Payment Service Providers (PSPs) as obligated entities.
Until now, the Minimum Requirements on cybersecurity applied to financial institutions, electronic clearing houses, ATM networks, and a handful of specifically mentioned entities. With Com. A 8398, PSPs registered with the BCRA are now formally subject to that same regulatory framework. They have 180 calendar days from publication to comply, i.e., until August 4, 2026.
PSPs as Obligated Entities: What Changes
The inclusion of PSPs in Section 1.1 of the Minimum Requirements has a direct consequence: the entire technology and information security risk management regime that previously applied only to banks is now enforceable against them. This encompasses, among other matters, technology and information security governance (Section 2), risk management (Section 3), information security (Section 5), business continuity (Section 6), cyber incident management (Section 8), and the new Section 10 on outsourcing.
For a PSP operating digital wallets, payment processing, or collection services, this represents a qualitative leap in regulatory requirements. Many of these operators had been functioning with reasonable internal security standards but without a BCRA regulatory framework compelling them to formalize those standards. That is over. The 180-day implementation period may sound generous, but the required adaptations are numerous and touch areas ranging from internal governance to vendor relationships.
A critical point worth noting: the Minimum Requirements must be met not only by registered entities and PSPs but also by the third parties to whom they have delegated processes, services, or activities related to technology and information security. In other words, responsibility cannot be outsourced.
Outsourcing of Critical Services: New Regime
Com. A 8398 entirely replaces Section 10 of the Minimum Requirements, which governs relationships with third parties. The new text introduces several innovations.
Service Taxonomy
The regulation requires each outsourced service to be classified within a specific taxonomy. The list includes, among others: data processing on traditional infrastructure, IaaS, PaaS, and SaaS services, data management, access control for infrastructure and systems, security operations (including SOC), cyber incident management, technology-supported back-office activities, payment administration, communications and network management, software development and maintenance, backup management, and other services deemed critical.
This classification serves a concrete purpose: each outsourced service must be assessed based on its risk, and that assessment must be documented and approved by the entity's senior management.
Prior Notification to the BCRA
When critical technology or cybersecurity services are outsourced, the regulation requires prior notification to the BCRA at least 60 calendar days before the outsourcing commences. The notification must include a description of the services covered, the expected go-live date, identification of the provider and any subcontractors (including their geographic location), contractual instruments, and a business continuity plan.
Third parties must formally commit to granting the BCRA audit access. The same applies to subcontractors, for whom traceability requirements are strengthened.
Offshore Outsourcing
For intra-group outsourcing abroad, Com. A 8398 raises the bar. A written certification from the home country supervisor is required, stating that it does not object to the outsourcing and that the provider adheres to the Basel Committee's "Core Principles for Effective Banking Supervision" and FATF anti-money laundering standards.
BCRA inspections abroad remain the entity's own responsibility. The obligation to maintain accounting records, debtor files, and documentation supporting guarantees and financing in Argentina is preserved.
Mandatory Contractual Clauses
The regulation introduces new minimum clauses that must appear in contracts with outsourced service providers. These include mechanisms for data deletion upon termination of the commercial relationship and coordinated cyber incident management procedures. Entities must also evaluate planned or forced service termination scenarios and establish plans covering source code recovery and system documentation.
Amendments to Expansion Rules
Com. A 8398 also replaces Section 2 of the consolidated text on Expansion of Financial Entities, which governs outsourcing of activities. The previous version distinguished between decentralization using proprietary infrastructure and parent company infrastructure. The new text abandons that distinction and focuses on the use of third-party facilities and infrastructure.
Documentation for communicating an outsourcing arrangement must be submitted in PDF format, and the new regulation is stricter regarding electronic submission: the legal representative must file a sworn statement certifying that the files are true copies of the originals.
Impact on the Fintech Sector
The inclusion of PSPs as obligated entities was an anticipated measure. The growth of digital wallets and payment platforms in recent years had created a regulatory asymmetry vis-a-vis traditional financial institutions, which already complied with the Minimum Requirements. Com. A 8398 corrects that imbalance.
That said, the compliance effort is significant. PSPs will need to review their technology governance structures, formalize their risk management processes, implement (or document) their business continuity and cyber incident management plans, and renegotiate contracts with technology service providers to incorporate the clauses the regulation requires.
For PSPs that outsource critical services (and most do, at least for cloud infrastructure, SOC, or software development), the new prior notification and subcontractor traceability requirements represent an operational and contractual burden that must be addressed promptly. The 180-day clock (until August 4, 2026) is ticking.
Key Areas for Legal Advisory
From the perspective of advising PSPs and fintechs, Com. A 8398 opens several simultaneous work fronts. The first is the gap analysis: identifying the extent to which the PSP's current governance, risk, and security structure aligns with the Minimum Requirements, and determining what adaptations are needed.
The second is contractual review. All contracts with technology service providers must be reviewed to verify they contain the minimum clauses the regulation now requires: data deletion, coordinated cyber incident management, BCRA audit access commitment, and exit plans. Many existing contracts will lack these provisions.
The third is the evaluation of existing outsourcing arrangements, particularly those involving offshore providers. The new requirements for foreign supervisor certification and adherence to Basel and FATF standards may complicate arrangements that previously operated without regulatory friction.
Internal documentation is also non-trivial. The regulation requires that each vendor's risk assessment be documented and approved by the entity's senior management. For a fast-growing PSP with dozens of technology providers, formalizing all of this within six months is a project in itself.
Summary
Com. A 8398 places PSPs on equal footing with financial institutions regarding cybersecurity and technology risk management. It subjects them to the same Minimum Requirements, imposes a 180-day compliance deadline, and strengthens outsourcing requirements for critical services (prior notification, subcontractor traceability, mandatory contractual clauses, restrictions on offshore operations).
For PSPs, the message is clear: the cybersecurity regime has ceased to be an aspirational standard and has become an enforceable regulatory obligation. Those who fail to comply in time will face concrete regulatory risk. The window for action is open, but 180 days pass quickly.
