The BCRA Reinforced Measures to Improve Security of Digital Wallets

In order to reinforce measures that mitigate fraud in transactions made through digital wallets, the Board of the BCRA established new technical requirements for payment service providers (PSPs) and financial institutions that offer digital wallet services. These providers and institutions must obtain a certification from the Registry of Interoperable Digital Wallets to provide payment by transfer (pago con transferencia, PCT) services.

These technical requirements supplement and reinforce the security measures previously adopted by the BCRA. They are based on the need for interaction among wallets and bank or payment account providers in order to manage a customer's consent to link their account to the wallet on which they wish to make transactions.

A technical security process is thus added to the already implemented client authentication and authorization of payment instructions.

New Registry for Digital Wallets

The Board of the BCRA established that financial institutions and PSPs providing digital wallet services will have to register with the Registry of Interoperable Digital Wallets and obtain a certification to provide such service.

The BCRA defined the service of a “digital wallet”, also known as “electronic wallet” or “virtual wallet”, as that offered by financial institutions or PSPs through a mobile application or web browser that allows, among other transactions, payments by transfer and/or through other payment instruments such as debit, credit, purchase or prepaid cards.

Sight or payment accounts to be debited for payments by transfer and other payment instruments may be provided or issued by the same financial institution or PSP that offers payment accounts (proveedor de servicios de pago que ofrece cuentas de pago, PSPCP) and provides digital wallet services; and/or by other financial institutions and/or PSPs when the digital wallet service provider is just the initiator.

Financial institutions and PSPs that provide digital wallet services will have to establish mechanisms to identify suspicious or unusual activities to mitigate fraud risk.

As from May 2022, instant transfer scheme administrators, may not enable acceptors to receive payments by transfer initiated through a QR code if they have not verified that such codes can be read by all digital wallets registered in the abovementioned BCRA’s Registry.

Prevention and Management Rules

In another resolution, fraud prevention and management guidelines were established for each participant in transfer schemes. These are organizational guidelines aimed at addressing clients’ fraud claims, improving the traceability of suspected fraudulent transactions and preserving confidentiality.

The new regulation is in line with the recommendations of the Bank for International Settlements (BIS) contained in the document issued by the Committee on Payments and Market Infrastructures (CPMI) titled Fast payments - Enhancing the speed and availability of retail payments. In this publication, the BIS warns about the main risks that should be analyzed when implementing immediate payment systems, especially operational risk, which includes cybersecurity risks and fraud risk.

Background information of private and public sector organizations that provide products and services to implement these systems was also considered, including the Central Bank of Mexico, the Bank of Spain, the National Payments Corporation of India (NPCI), the Central Bank of Brazil and other agents of the international community.

Financial institutions and PSPCPs will have 180 days since the issuance of the regulation to adjust their systems.

In addition, notwithstanding the BCRA’s powers, the follow-up of the implementation and the monitoring of the technical and organizational aspects of the measures are proposed to be carried out through regular meetings of the Interbank Commission on Means of Payment of the Argentine Republic (Comisión Interbancaria para los Medios de Pago de la República Argentina, CIMPRA).

February 24, 2022