Through Resolution No. 25 Minute No. 58 dated December 18, 2025, the Board of Directors of the Central Bank of Paraguay ("BCP") approved the Regulations for the Definition of Roles, Registration and Information Transparency and Information Security for Payment Service Providers ("PSPs") of the National Payment System (the "Regulation").

The Regulation defines the roles that PSPs may perform, based on the payment services they provide and the responsibilities they assume towards users, merchants, other system participants and the BCP.

The roles defined include, among others, acquirer, issuer, payment gateway, payment processor, digital wallet provider, and sub-acquirer. The Regulation expressly admits that the same PSP can perform multiple roles, clarifying that this does not exempt it from the individual compliance of the obligations associated with each function.

The Regulation establishes the mandatory registration of PSPs in a registry administered by the BCP. The General Management will will determine, through supplementary regulations, the deadlines, forms and requirements for registration, and the BCP will be empowered to request additional information to verify compliance with the associated obligations.

PSPs that maintain a direct contractual relationship with users and/or businesses must comply with the following obligations of information transparency: (i) clear and accessible publication of commissions, rates and other applicable economic conditions; (ii) prior notice of contractual modifications thirty (30) calendar days in advance; (iii) the use of contracts drafted in clear and accessible language; and, (iv) the implementation of effective, free and documented mechanisms for attention and resolution of complaints.

In addition, PSPs must make available to merchants and/or users, on an ongoing basis, detailed and exportable reports on the status of transactions, the costs applied to each transaction, net amounts credited, and settlement timeframes. 

The Regulation introduces the obligation to segregate funds for those PSPs that manage or custody funds of users or businesses, particularly issuers and sub-acquirers, by maintaining differentiated accounts that protect such funds against creditor claims. Acquirers, processors and payment networks that do not hold funds are exempt from this obligation, although they must guarantee the traceability, security and correct reconciliation of the transactions processed.

Another component of the Regulation is the establishment of minimum standards in terms of information security, based on a risk approach and proportionate to the scale and complexity of each PSP.

Among other aspects, PSPs must implement an Information Security Management System (ISMS) that includes formal security policies, access controls, data encryption, vulnerability management, business continuity plans, and incident notification procedures to the BCP. Compliance must be evidenced through external audits based on internationally recognized standards, such as ISO/IEC 27001.