Fintech Outlook for the Americas — 2026 Edition

Latin Counsel presents its Fintech 2026 – The Americas report at a moment of structural transition in the global financial system. Across the region, the convergence of digital assets, tokenization, artificial intelligence and real-time payment infrastructure is redefining how financial services are designed, delivered and regulated.

This edition is anchored in a key shift identified in the United States. As outlined by Yvette Valdez of Latham & Watkins, the U.S. is undergoing a regulatory reset, moving away from an enforcement-driven approach toward a more facilitative framework aimed at enabling financial innovation and digital asset market development.

This transition is reflected in evolving legislative initiatives, revised agency guidance and a broader effort to position U.S. markets at the forefront of financial innovation. The shift is expected to expand institutional participation and support the expansion of tokenized and digital asset markets, while maintaining a distinctly market-led approach compared to more prescriptive regimes in other jurisdictions.

Against this backdrop, the report examines how jurisdictions throughout Latin America are responding to similar pressures, albeit at different speeds and through distinct legal traditions.

While some markets are advancing Open Finance frameworks and instant payment ecosystems, others remain in earlier stages, prioritizing financial stability and incremental regulatory development. At the same time, artificial intelligence, digital assets and cross-border compliance are emerging as common regulatory themes across the region.

Contributions from leading firms including Marval, O’Farrell Mairal (Argentina), PPO Indacochea (Bolivia), TozziniFreire (Brazil), Arias Law (Central America), Carey (Chile), Posse Herrera Ruiz (Colombia), Pérez Bustamante & Ponce (Ecuador), Nader, Hayaux & Goebel (Mexico), Arias, Fábrega & Fábrega (Panama), Berkemeyer (Paraguay), Estudio Rodrigo (Peru), FinReg 360 (Spain) and Guyer & Regules (Uruguay) provide a jurisdiction-by-jurisdiction analysis of these developments, alongside the regional perspective from Latham & Watkins.

The result is a comparative assessment of the fintech regulatory landscape in 2026, identifying areas of convergence, divergence and emerging opportunity. As in previous editions, Latin Counsel aims to offer a clear and reliable reference for investors, financial institutions and advisers navigating the evolution of financial technology across the Americas.

THE AMERICAS (Regional Perspective) | LATHAM & WATKINS | Yvette Valdez

Financial technology is reshaping the foundations of how money moves, assets are held, and financial services are delivered throughout the Americas. Across payments, lending, capital markets, and asset management, the convergence of blockchain, tokenization, and artificial intelligence is driving structural change at a pace that regulation has historically struggled to match.

For years, regulatory uncertainty in the United States has stymied institutional participation, leaving fintech organizations to navigate an enforcement-driven environment with limited formal guidance. The dynamic in the U.S. today has pivoted materially. The U.S. is now in the midst of a significant regulatory reset, moving from a posture of skepticism toward one of enablement, with new legislative frameworks, revised agency guidance, and a broader ambition to position American markets at the forefront of financial innovation.

The most consequential shift has been a dramatic change in regulatory posture. Virtually overnight, U.S. regulators moved from enforcement-heavy crypto-skepticism — which effectively restricted traditional financial institutions from digital asset markets — to a determined focus on flexibility. The SEC dropped nearly all enforcement actions commenced under the prior administration against fintech companies based on unregistered broker-dealer or exchange activities.

This regulatory orientation puts the U.S. more in line with pro-innovation jurisdictions globally, though it takes a distinctly market-led approach compared to the EU’s prescriptive frameworks.

Digital Assets and Stablecoins: An Emerging Federal Regulatory Regime
With the passage of the GENIUS Act, a federal regulatory framework for stablecoins paved the way for a growing stablecoin market in the U.S. The pending Clarity Act would further standardize definitions of digital commodities, distinguishing them from securities and stablecoins, and codify broker-dealer registration requirements. While these developments are significant, by contrast, the EU’s MiCA regime has already created a unified, passportable crypto licensing framework across member states — arguably ahead of where U.S. federal law currently sits. Latin America, led by Brazil and Mexico, has taken a more cautious, activity-based licensing approach, though Brazil’s Drex CBDC initiative signals ambition.

Tokenization: From Pilots to Market Infrastructure
With pro-innovation leadership now in place, tokenized assets are expected to move beyond pilots into capital markets and fund distribution at scale. The SEC issued a taxonomy for tokenized securities in January 2026. The Federal Reserve, the OCC, and the FDIC jointly clarified that capital rules are technology-neutral, and the CFTC similarly issued guidance for tokenized collateral.

Generative AI: Federal Ambition, State Fragmentation
AI regulation remains the least settled area in the U.S. In the absence of a federal standard, states including California, Colorado, and Texas have pursued their own AI transparency and consumer protection laws. President Trump’s December 2025 executive order sought to override this patchwork with a "minimally burdensome national standard."

Bottom Line
The U.S. is undergoing a genuine regulatory reset — moving from adversarial enforcement to structured enablement. While governmental agencies are still building frameworks for the pro-innovation mandate from the White House, the U.S. is betting on speed and market-led innovation, with compliance increasingly seen as a competitive differentiator rather than a constraint.
The rest of the Americas is similarly building regulatory and legislative frameworks for financial technology. My fellow industry colleagues have provided a jurisdiction-by-jurisdiction overview herein.
Thank you to Latin Counsel for compiling this fintech market outlook.

Participating firms:

Argentina: Juan Diehl – Marval, O’Farrell Mairal.
Bolivia: Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera – PPO Indacochea.
Brazil: Alexei Bonamin, Alexandre Vargas – TozziniFreire.
Central America (regional perspective): Mario Lozano, Katia Ventura – Arias Law.
Chile: Fernando Noriega, Agustín Domínguez – Carey.
Colombia: Juan Camilo Zuluaga – Posse Herrera Ruiz.
Ecuador: Juan Francisco Simone – Pérez Bustamante & Ponce.
Mexico: Adrián López, María Gabriela Botello – Nader, Hayaux & Goebel.
Panama: Javier Yap Endara – Arias, Fábrega & Fábrega.
Paraguay: Manuel Arias – Berkemeyer.
Peru: Nydia Guevara – Estudio Rodrigo.
Spain: Jorge Ferrer Barreiro, Mariona Pericas Estrada – FinReg 360.
Uruguay: Florencia Costagnola, Rodrigo Varela – Guyer & Regules.

The participation of these firms and professionals, based on a set of six common questions addressed across all jurisdictions, allows us to present a comparative, technical and current view of the fintech regulatory landscape in each country and across the region as a whole:

1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?      

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?


ARGENTINA | MARVAL, O’FARRELL MAIRAL | Juan Diehl

1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Juan Diehl (Argentina): Argentina is concentrating its efforts towards Open Banking, primarily driven by regulatory initiatives led by the Argentine Central Bank. The interoperability side of Open Banking is well advanced, shown by the mandatory interoperability of digital wallets, including the unification of QR codes for payment initiation, with a significant expansion of retail digital payments and market competition.

From a data-sharing perspective, Argentina is still well behind countries such as Brazil or the UK. Nonetheless, some minor advancements are impulsed by the Argentine Central Bank, for example, providing standardized APIs to grant access to key public financial datasets -such as the Debtors Registry, reported checks, and monetary and foreign exchange statistics- enabling automated data integration by regulated entities and third parties.

In May 2025, Decree No. 353/2025 formally introduced the Open Finance System, allowing individuals and legal entities, subject to express consent, to share financial information with registered entities to promote credit access, competition, and financial inclusion.

The Argentine Central Bank has the mandate to act as the enforcement authority and is responsible for defining technical standards and governance rules. The regulatory framework is still pending, but it is reasonable to state that it will be introduced mid to late 2026.

Finally, it is useful to highlight that key friction points remain, mainly due to the work and investment that certain key players have put into populating their databases. Also, the financial sector remains vigilant of the regulatory contingencies that the Argentine Data Framework poses, which was inspired in strong regulations such as GDPR.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Juan Diehl (Argentina): Argentina does not have a dedicated regulatory framework governing the use of Generative AI. Coincidentally, Argentina does not have regulation applicable to all financial service providers pertaining to Generative AI.

Nonetheless, the Argentine Central Bank has issued regulation that requires banks and payment service providers to identify and document the purpose of their use of AI and machine learning, including the hiring of third parties that utilize these tools. In addition, banks and payment service providers must establish roles and responsibilities for the definition of the context in which artificial intelligence or machine learning systems operate, the identification of the models, algorithms and datasets utilized, and the definition of precise metrics and thresholds to evaluate the reliability of the solutions implemented through the use of these innovative tools.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Juan Diehl (Argentina): Argentina is very experienced on instant payments, with regulations that have matured and continue to be improved and adapted to the payments ecosystem’s requirements. Argentina already has instant 24/7 payments, with full interoperability, and the corresponding regulations applicable to payments and interoperability, respectively. In short, financial users can make payments, choosing from a wide palette of options.

The latest developments of the payments regulation were focused on enhanced supervisory oversight by the Argentine Central Bank, customer fund safeguarding mechanisms, and operational risk controls. To a lesser extent than its neighbor Brazil, Argentina suffers from cybersecurity-related scams, such as client impersonation, as well as more common flagellum, such as cellphone theft, which enable fraudulent and unauthorized transactions.

The most recent regulatory development (March 2nd, 2026), the Argentine Central Bank introduced a new instrument, called collection by transfer (in Spanish, ‘cobro con transferencia’), as the sole instant transfer modality authorized for recurring collections. In subsequent phases, the framework is expected to expand and facilitate other recurring payments, including utility bills and similar obligations.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Juan Diehl (Argentina): Tokenization in Argentina raises issues regarding the legal characterization of the tokenized instrument. Where a token grants economic, credit, or governance rights consistent with transferable securities or investment contracts -particularly in the context of a public offering- securities regulation may apply, triggering oversight and potential registration requirements before the National Securities Commission (Comisión Nacional de Valores, CNV for Spanish acronym).

In late 2025, the CNV established a specific regulatory framework for the tokenization of marketable securities. This regime operates under a one-year regulatory sandbox model, allowing supervised experimentation within defined parameters and subject to subsequent regulatory evaluation and potential adjustments. Its practical implementation and market uptake remain to be assessed upon conclusion of the sandbox period.

With respect to stablecoin-based remittances, there are no express prohibitions under Argentine law. Argentina does not have a single enforcement authority regulating virtual assets as such, since the CNV is the enforcement authority for Virtual Asset Service Providers (VASPs). Regulatory scrutiny is primarily driven by anti-money laundering (AML) considerations rather than product-level restrictions. Accordingly, registered VASPs are subject to reporting obligations, customer due diligence requirements, and are treated as reporting entities before the UIF. The "travel rule" compliance is subject to UIF regulation that has still not been issued.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Juan Diehl (Argentina): Regulated entities must implement robust cybersecurity frameworks, including, but not limited to, incident reporting controls, third-party risk management, and fraud monitoring.  While these requirements are broadly aligned with international standards, compliance and supervisory expectations may still generate operational frictions for international entities seeking to obtain local licenses.

With respect to AML and KYC, oversight is led by the Financial Information Unit (Unidad de Información Financiera, UIF for Spanish acronym), under a framework aligned with the Financial Action Task Force’s (FATF) standards. The main hurdles for international firms arise from regulatory divergence across jurisdictions, including, but not limited to, difference in ultimate beneficial ownership identification, requirements applicable to compliance officers, reporting obligations and travel rule implementation. As a result, international firms typically need to adapt their global AML/KYC systems to meet UIF’s expectations.

Where services are provided strictly on a reverse?solicitation basis and without local presence, regulatory exposure is more limited; however, this structure requires careful assessment, as Argentine authorities tend to apply a substance?over?form approach when determining local regulatory applicability.
             
6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Juan Diehl (Argentina): Argentina does not yet have a comprehensive, unified regulation governing virtual assets nor blockchain as such, but does have regulations in place for VASPs.
In 2024, the CNV issued specific regulation governing VASPs, including registration, conduct, and the way virtual assets may be offered to Argentine residents. Hence, from 2024 onwards, Argentina has regulation applicable to the sale, exchange, transfer, and custody of virtual assets.

In 2025, the CNV further expanded said regulation, establishing a comprehensive framework applicable to the aforementioned activities, with minimum net worth requirements, the obligation to have a local entity in Argentina, among others. Hence, it is safe to say that Argentina currently holds standards comparable to those established by the FATF.

In conclusion, the Argentine legal framework has progressively shifted from an initial absence of specific regulation -and, in some cases, restrictive approaches applicable to financial institutions and payment services providers- towards a more structured and functional regulatory model. Other notable developments include new regulations addressing the tokenization of negotiable securities and their corresponding offer by VASPs.

Rather than adopting a prohibition?based approach, Argentina’s regulatory treatment of virtual assets reflects a gradual institutionalization of the ecosystem, seeking to integrate blockchain?based activities into existing regulatory frameworks while allowing room for innovation.

BOLIVIA | PPO INDACOCHEA | Lindsay Sykes | Eid Salomón | Andrea Lizarraga | Fernanda Ribera


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): As of 2026, Bolivia has not yet transitioned from basic Open Banking to mature Open Finance or Open Data economy. Currently, there is no Open Banking legal framework that establishes standardized data sharing through interoperable APIs among banks, payment service providers, and third parties. Bolivian financial regulatory framework has been conservative, with emphasis on consumer protection and financial system integrity rather than portability mandates.

However, 2025 marked a significant regulatory milestone with the approval of the Regulation for financial technology companies (Empresas de Tecnología Financiera – ETF) through Resolution ASFI/540/2025 of 3 July 2025 ("ETF Regulation"), which formally recognizes and regulates fintech companies constituted and operating in Bolivia.
According to the ETF Regulation, an ETF can operate through several categories, including:

- Payment platforms and digital payment services.
- Solution based on blockchain, tokenized assets and virtual asset service providers (PSAVS)
- Digital financing platforms and other business technologies.

The ETF Regulation introduces principles of responsible innovation, interoperability, confidentiality, and risk management, and incorporates a regulated sandbox ("Entorno Controlado de Pruebas"), allowing companies to submit to trial new tech services/products under supervision.

These elements provide a foundation that could, over time, support more advanced forms of data sharing and interoperability. 

In relation to the transition to Open Finance, several key points remain pending:
(i) No mandatory data portability regimes: While the ETF Regulation contemplates interoperability principles, it does not impose standardized API-based data sharing obligations between financial institutions and third-party providers.
(ii) Absence of comprehensive data protection and privacy law that clearly defines user data ownership and consent parameters. 
(iii) Limited scope of regulatory coverage: The ETF Regulation applies to entities constituted in Bolivia; foreign platforms operating without local incorporation, remain effectively outside ASFI’s direct jurisdiction. 
(iv) Early stage of adoption and implementation: Many ETFs are still in the process of regulatory adequacy, and the full implementation of digital interfaces across the financial ecosystem remains pending. 

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management? 

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): Bolivia does not have a regulation that specifically addresses Generative AI, algorithmic transparency, or automated decision making in financial services. In addition, financial regulation does not require the explanation of AI models, human oversight of automated credit decisions, or specific governance standards for AI-driven risk management.

In practice, the use of AI in the Bolivian financial sector remains limited and primarily regulated by traditional obligations applicable to financial entities. These include risk management controls, internal audit requirements, cybersecurity standards, consumer protection duties, and supervisory oversight by the Financial Services Authority ("ASFI"). This means that any automated credit scoring or AI-based risk analytics must therefore operate within existing frameworks rather than under AI-specific regulation. 

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year? 

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): Bolivia has made material progress toward instant and interoperable retail payments, primarily through a regulator-driven model led by the Central Bank of Bolivia ("BCB").

While the country does not operate an open, market-led instant payment scheme comparable to Pix or SPEI, the current framework mandates interoperability across participants, supports continuous availability of instant payment services, with the interoperable QR system acting as the main retail implementation in practice.

Under the current payment services framework, banks and payment service providers ("PSP") participating in the payment system are required to integrate into the national payment infrastructure under common technical and operational standards, enabling interoperability across participants. The framework also expressly contemplates 24/7 operation of instant payments and electronic and mobile banking channels, resulting in continuously available electronic transfers and QR-based payments.

The BCB-led interoperable QR standard is the main mechanism used for instant retail payments. PSPs offering QR payments are required to adopt the interoperable QR standard defined by the BCB, enabling users to initiate and receive real-time payments across different financial institutions.

In addition, as previously mentioned, the approval of the ETF Regulation formalized the licensing process for fintech companies, including the category of payment platforms, which reaches PSPs.  

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): In Bolivia, the regulatory framework for RWA tokenization remains at an early stage. The BCB lifted the prohibition on crypto-asset operations in the financial system and authorized the use and commercialization of virtual assets (activos virtuales), defined as a digital representation of value that could be commercialized or digitally transferred, as well as used as alternative payment or investment means. This concept is sufficiently broad to potentially encompass tokenized representations of RWA such as real estate or commodities.  However, beyond this general authorization framework, there is currently no specific regulation governing the tokenization of RWA. 

In relation with stablecoin-based remittances, the lifting of the crypto prohibition has enabled certain companies in Bolivia to facilitate cross-border transfers using stablecoins, including traditional financial entities, such as banks. Nevertheless, these operations are not formally classified as "remittances" under existing financial regulation, as the traditional remittance framework remains tied to fiat currency systems and regulated financial entities. In practice, stablecoin transfers operate as virtual asset transactions rather than as regulated remittance services.

From an anti-money laundering (AML/CFT) perspective, Bolivia has taken initial steps in 2025 to incorporate virtual asset service providers into the compliance perimeter. The Financial Investigations Unit (UIF) has designated Virtual Asset Service Providers (PSAVs) as reporting entities subject to AML obligations. These include duties of registration and reporting suspicious transactions to the UIF. However, a specific regulatory instruction detailing the scope of their AML/CFT obligations has not yet been formally approved.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction? 

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): The most critical cyber-resilience and AML/KYC hurdles faced by international fintech companies seeking seamless cross-border operations in Bolivia arise primarily from operational and compliance frictions, rather than from explicit prohibitions applicable to foreign- based companies. 

From a cyber-resilience perspective, although foreign fintechs are not directly subject to licensing under the ETF Regulation when they are not established locally, in practice, they are often expected, through their relationships with local regulated partners, to demonstrate robust technological governance, security controls, and operational continuity. This is particularly the case where the operating model relies on local banks, payment service providers, or other supervised entities, which usually impose contractual and operational requirements relating to infrastructure control, incident management, and reliance on third-party technology providers.

With respect to AML/KYC, ETFs are not considered obliged subjects under Bolivian AML regulations, except in the case of PSAVs. Nevertheless, this absence of direct legal obligation does not eliminate AML/KYC friction in practice. Where international fintechs operate through local banks or regulated partners, those entities — as obliged subjects — usually cascade local KYC, monitoring and reporting expectations to their fintech counterparties. This has resulted in recurring challenges relating to the acceptance of foreign KYC processes, fully remote onboarding models, and the use of non-Bolivian identification documents.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted? 

Lindsay Sykes, Eid Salomón, Andrea Lizarraga, Fernanda Ribera (Bolivia): As mentioned above, the legal and regulatory treatment of digital assets in Bolivia has evolved significantly in recent years, shifting from an openly restrictive approach to a more permissive one. Since 2014, the use, commercialization and negotiation of cryptoassets within the national payment system had been expressly prohibited by the BCB. This position changed in June 2024, when the BCB lifted the prohibition through Board Resolution No. 82/2024, allowing the use of virtual assets in certain contexts within the financial system and enabling electronic payment instruments to be linked to transactions involving virtual assets. 

Following the lifting of the ban, the regulatory framework applicable to virtual assets has adopted a broad-based approach, in the absence of a comprehensive, activity-specific regime. This has expanded the operational scope for market participants, while at the same time creating challenges in terms of regulatory interpretation, particularly for business models seeking to operate in a structured and long-term manner. In this context, different authorities have begun issuing sector-specific criteria, including guidance on the tax treatment of transactions involving virtual assets, reflecting a regulatory framework that remains under development.

In parallel, as mentioned, the approval of the ETF Regulation has incorporated blockchain-based solutions and virtual asset-related activities within the broader fintech perimeter, without constituting a comprehensive virtual assets regime. At the same time, UIF has designated PSAV as obliged subjects for AML/CFT purposes. At present, PSAVs are required to register with the UIF, while detailed compliance obligations are still under development with expectations that PSAVs will be required to implement risk-based AML/CFT programs aligned with international standards.

BRAZIL | TOZZINI FREIRE | Alexei Bonamin | Alexandre Vargas


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?
 
Alexei Bonamin, Alexandre Vargas (Brazil): Brazil has moved from a classic "Open Banking" framework to a broader "Open Finance" architecture through a phased, regulation-driven rollout by the Central Bank of Brazil ("Central Bank") under the Central Bank’s Joint Resolution No. 1/2020 and subsequent amendments. Brazil’s "Open Banking" framework originally focused only on financial data, services and products.

The program’s Phases 1, 2, and 3 were, respectively: (i) Phase 1, launched on February 1, 2021, covering the sharing of standardized public data by participating institutions on service channels and products/services; (ii) Phase 2, launched on August 13, 2021, allowing the sharing of customer registration and transactional data with the customer’s consent; and (iii) Phase 3, launched on October 29, 2021, introducing service initiation, especially payment initiation through Pix. A key milestone came when the Central Bank formally positioned Phase 4 as the step that would expand "Open Banking" into "Open Finance" (and officially rebranded the system from "Open Banking Brasil" to "Open Finance Brasil"), with rollout beginning on December 15, 2021. That expansion was designed to move beyond current-account and payment data toward a broader financial perimeter, and the investment vertical later went live on September 29, 2023.

By 2025, the ecosystem had reached scale, with the Central Bank reporting 103 million active data-sharing authorizations and 68 million connected accounts, while also highlighting concrete use cases such as faster onboarding and broader use of financial-management tools.
 
The remaining friction points are now less about the absence of a legal framework and more about execution and portability. Official Central Bank and Open Finance governance materials still point to issues involving interoperability, data quality, consent journey performance, and conversion rates. In addition, "true portability" is still evolving. For example, credit "portability" via Open Finance was only launched on Februray 2026 and, at least initially, is limited to unsecured personal credit, which shows that Brazil is already a mature Open Finance market but not yet a fully frictionless "open data economy" across sectors. Governance has also been institutionalized further, with the infrastructure moving to the new Associação Open Finance structure from January 2025]
 
2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?
 
Alexei Bonamin, Alexandre Vargas (Brazil): As of March 2026, Brazil still does not have a fully enacted, finance-specific AI statute. The proposed general AI bill (PL 2.338/2023) remains under review in Congress, at the House of Representatives (Câmara dos Deputados). Accordingly, algorithmic transparency and automated decision-making in financial services are currently governed through a combination of horizontal data-protection law and sectoral financial regulation, rather than through a dedicated banking-AI code.

The main hard-law anchor is Article 20 of the Brazilian Data Protection Act (Lei Geral de Proteção de Dados — "LGPD"), which gives data subjects the right to request review of decisions taken solely on the basis of automated processing, including decisions affecting their credit profile. The Brazilian Data Protection Agency (Agência Nacional de Proteção de Dados — "ANPD") has also made this topic a live regulatory priority, including consultation work specifically aimed at clarifying the application of Article 20, LGPD.
 
In practice, the most concrete "sandbox" now operating in Brazil is ANPD’s Regulatory Sandbox on AI and data protection. The ANPD launched the sandbox in 2025, selected participants later that year, and in February 2026 moved the project into supervised testing. The sandbox expressly covers themes such as algorithmic transparency, explicability, risk assessment, incident scenarios, and cybersecurity. In the financial sector itself, the Central Bank appears to be supervising AI mainly through existing prudential, operational, cybersecurity and outsourcing frameworks, rather than through a dedicated "GenAI sandbox".

This is consistent with the Central Bank’s November 2025 Financial Stability Report, which showed that generative AI was already the most common AI approach reported by surveyed institutions, while also flagging governance gaps and the need for stronger AI-risk frameworks and explainability practices.]
 
3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?
 
Alexei Bonamin, Alexandre Vargas (Brazil): Brazil’s legislation has not literally abolished legacy payment rails, but it has effectively created a 24/7 interoperable instant-payments backbone through Pix (Brazil’s instant payments network) and the Instant Payments System (Sistema de Pagamentos Instantâneos — "SPI"). The official framework makes clear that the SPI operates continuously, 24 hours a day, 7 days a week, including holidays, with settlement in Central Bank fiat currency and real-time finality. In that sense, the Brazilian market has already internalized instant interoperability as a baseline expectation for retail payments.

The regulatory agenda is now focused on how to expand use cases, such as the "Automatic Pix" (Pix Automático) functionality focusing on recurring payments, which went live on June 16, 2025.
 
The main licensing trend hitting PSPs in 2025–2026 is a significant tightening of the authorization perimeter. From January 1, 2025, only institutions already authorized by the Central Bank may request to join Pix as new participants. Existing non-authorized Pix participants were put on a migration schedule to seek authorization, and the Pix rulebook now reflects deadlines that run into 2026 for some institutions.

In parallel, BCB Resolution No. 494/2025 reinforced that no payment institution may begin operating without prior authorization, and the Central Bank also imposed tougher prudential and operational conditions on non-authorized electronic-money issuers participating in Pix, including new capital requirements applicable to all Central Bank-licensed institutions (which dramatically increased the capital requirements, both for share capital and net equity / "cushion" requirements).

These new requirements have been especially tough on small players and the Central Bank expects these higher capital requirements to create a trend of consolidation and consequently of concentration of licensed activities in the hands of less players in Brazil. At the same time, on November 28, 2025, the Central Bank enacted the new regulatory framework for ‘banking as a service’ ("BaaS"), covering activities such as payments and lending.

This clearly signals the regulator’s vision that smaller players should run their operations under the umbrella of a BaaS provider up until the point that they become robust enough to apply for their own license. This last point is especially relevant for companies currently looking to enter the Brazilian market to offer regulated financial services (including, but not limited to payments and lending).]
 
4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?
 
Alexei Bonamin, Alexandre Vargas (Brazil): The core legal challenge of RWA tokenization in Brazil is still regulatory classification. Brazilian regulators have taken a technology-neutral approach: if a tokenized asset qualifies as a security, it falls under the CVM’s securities framework regardless of the distributed-ledger technology used; if it does not, it may instead fall into the virtual-asset perimeter under the Central Bank’s new regime.

CVM’s Parecer de Orientação 40 states that cryptoassets that are securities remain subject to securities laws, and subsequent CVM guidance has made clear that receivables tokens and certain fixed-income-style tokens may well be characterized as securities. In short, tokenization does not remove the need to analyze issuance, offering, registration, custody and secondary-trading rules under the underlying asset’s legal nature.
 
Stablecoin-based remittances are also moving decisively into the regulated perimeter. Brazil’s Law No. 14,478/2022 created the statutory basis for regulating virtual-asset services, and the Central Bank’s 2025 rules now require authorization for virtual-asset service providers, impose conduct/governance obligations, and insert virtual-asset activity into the foreign-exchange and cross-border reporting framework. The official messaging expressly states that the framework is aligned with FATF/GAFI best practices and designed to ensure traceability, which is the Brazilian equivalent of moving toward a travel-rule-style AML outcome.

At the same time, Resolution BCB No. 521/2025 expressly provides that the purchase or sale of virtual assets with payment or receipt in foreign currency is prohibited, meaning that stablecoins cannot be used as a regulatory-free offshore payments channel.]
 
5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?
 
Alexei Bonamin, Alexandre Vargas (Brazil): For international groups operating across LatAm fintech corridors into Brazil, the hardest compliance issues are still local licensing/perimeter analysis, cyber-resilience and AML/KYC adaptation to Brazilian standards. Brazil does not offer passporting for foreign fintech licenses: international groups need to determine whether their activity triggers local authorization, depending on the business model. On the cybersecurity side, Brazil already has mature binding rules on cybersecurity policies, cloud/data-processing outsourcing and third-party risk management for both financial institutions and payment institutions, and the Central Bank strengthened this perimeter further in late 2025 with updated rules for data-communication and financial-system infrastructure security.
 
On the AML/KYC side, the Central Bank applies a risk-based framework under Circular No. 3,978/2020, complemented by Circular Letter No. 4,001/2020. In practice, that means robust customer due diligence, including beneficial-owner analysis, transaction monitoring, suspicious-activity reporting to Brazil’s Financial Intelligence Unit (Conselho de Controle de Atividades Financeiras — COAF), and special scrutiny for unusual international transfers, opaque structures, fragmented remittances and dealings involving jurisdictions that insufficiently apply FATF standards.

The Central Bank’s November 2025 Financial Stability Report also underscores why this matters: cybersecurity incidents reported to the Central Bank have increased substantially, and official data still shows important weaknesses in periodic risk assessment regarding cloud computing and data service providers. For cross-border groups that rely heavily on outsourcing and regional hubs, those third-party governance expectations are important attention points.]
 
6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted.
 
Alexei Bonamin, Alexandre Vargas (Brazil): Brazil’s legal treatment of digital assets has changed materially over the last few years. The market moved from a relatively fragmented environment to a much clearer dual-perimeter model: the Central Bank regulates virtual-asset service providers ("VASPs") and non-securities crypto activity, while the CVM remains competent wherever the token qualifies as a security.

The statutory turning point was Law No. 14,478/2022, followed by Decree No. 11,563/2023, which designated the Central Bank as the regulator for virtual-asset services without prejudice to the CVM’s jurisdiction over securities tokens. The practical consequence is that blockchain is no longer treated as a legal novelty outside the system; it is increasingly treated as financial infrastructure subject to ordinary rules on licensing, conduct, AML and prudential oversight.
 
The shift became much more concrete in 2025–2026. The Central Bank adopted the first full operational regime for VASPs through Resolutions BCB Nos. 519, 520 and 521 (2025), including authorization, governance and foreign-exchange related rules. Then, in February 2026, two further layers were added: (i) digital-asset businesses were brought into the LC 105/2001 bank-secrecy perimeter; and (ii) virtual assets began to receive specific accounting treatment, rather than being treated simply as "other non-financial assets." 
 
The bottom line is that Brazil is becoming more open to the use of blockchain and tokenization in financial markets, but always inside a more formal framework of authorization, disclosure, accounting, AML, traceability and investor-protection rules.]

CENTRAL AMERICA | ARIAS LAW | Mario Lozano | Katia Ventura


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Mario Lozano, Katia Ventura (Central America):
In recent years, El Salvador has experienced significant growth in its fintech ecosystem, particularly in areas such as digital payments, electronic wallets and other technology-driven financial services. While the jurisdiction has not yet adopted a formal Open Banking or Open Finance framework requiring financial institutions to share customer financial data through standardized APIs, the increasing digitalization of financial services has expanded the practical use of financial information within the ecosystem. The financial system continues to operate primarily through regulated financial institutions, which act as the main financial intermediaries. In this context, while various private actors may engage in credit activities (active operations), the acceptance of deposits from the public (passive operations) remains reserved for authorized financial institutions, resulting in banks holding most financial and transactional information. At the same time, banking secrecy rules and personal data protection legislation establish important safeguards for the confidentiality and responsible use of financial data, which continue to shape how financial information may be accessed and shared within the financial system.

Guatemala has not yet implemented a formal Open Banking or Open Finance regulatory framework, and there have been no major legislative reforms specifically addressing financial data sharing. However, regulators have generally taken a pragmatic and technology-neutral approach, allowing financial institutions and fintech companies to develop digital financial services within the existing regulatory framework.
In practice, developments similar to Open Finance have emerged primarily through market-driven initiatives, including digital banking services, payment platforms, and API-based integrations between financial institutions and fintech providers.
The main friction points for data portability stem from the absence of standardized rules for data sharing and APIs, meaning that financial data exchange is largely governed by contractual arrangements, banking secrecy obligations, and internal data protection policies.

As Honduras enters 2026, its financial system continues to operate primarily under a bank-centric regulatory architecture, where financial data governance remains largely controlled by regulated financial institutions. Unlike jurisdictions that have formally adopted Open Banking frameworks, Honduras does not yet mandate standardized APIs or regulated third-party access to financial data.
However, the current legal structure already provides certain foundational elements. Financial institutions operate under the supervisory authority of the CNBS, while payment systems and monetary infrastructure are overseen by the BCH. Regulations governing electronic money, payment services, and consumer protection establish baseline requirements for operational security, confidentiality of financial information, and responsible data management.
In practice, financial data sharing occurs through contractual arrangements between financial institutions and technology providers, rather than through mandatory interoperability frameworks. While this model prioritizes prudential oversight and financial stability, it also highlights a natural path for future regulatory evolution toward structured Open Finance initiatives that could improve interoperability and consumer data portability.

Costa Rica does not have a developed legal framework with respect to Open Banking. Data must still be provided on a case-by-case basis by the client to different financial entities and there is no central repository for such data to be shared among the institutions in an Open Banking concept. Innovation and regulations are required to allow and promote data sharing among financial entities.

As of now, Nicaragua has not yet transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy. Recent regulatory developments have focused primarily on strengthening the authorization and supervision of payment service providers and virtual asset service providers, rather than on mandating financial data sharing between institutions. That said, the current framework leaves room for future evolution. At present, data portability remains limited due to the absence of clear interoperability standards and a dedicated legal regime for "customer-permissioned" data sharing.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Mario Lozano, Katia Ventura (Central America):
El Salvador has shown increasing interest in promoting technological innovation and the development of emerging technologies, including artificial intelligence. Although there is currently no regulatory sandbox or specific framework dedicated exclusively to generative AI in financial services, the use of algorithmic tools in areas such as credit assessment, fraud detection and risk management is subject to the general regulatory framework applicable to financial institutions. This includes obligations related to operational risk management, governance standards and personal data protection. In parallel, legislative initiatives aimed at fostering technological development and digital transformation are helping to create an environment conducive to innovation. Within this context, financial institutions adopting AI-based tools are expected to do so in a manner consistent with existing regulatory principles of transparency, accountability and consumer protection.

Guatemala has not yet adopted a specific regulatory framework or sandbox governing the use of Generative AI in financial services. However, the Superintendency of Banks (SIB) has issued regulations and supervisory guidance addressing technology risk, operational risk, and information security, which apply to banks and other supervised financial institutions using advanced technologies.
Under these rules, institutions remain responsible for ensuring adequate risk management, governance, and internal controls over automated processes, including algorithmic decision-making and AI-driven risk tools. The regulatory approach has therefore been technology-neutral and risk-based, rather than based on specific AI regulation.

As of 2026, Honduras does not yet have legislation or regulatory guidance specifically addressing artificial intelligence or generative AI within the financial sector. Moreover, the public use of AI-based systems by financial institutions has not been formally disclosed or regulated.
Financial institutions remain subject to the general supervisory framework of the National Banking and Insurance Commission which focuses primarily on prudential supervision, operational risk management, and consumer protection. While these rules require institutions to maintain internal controls and sound risk management processes, they do not currently establish specific obligations regarding algorithmic transparency, automated decision-making, or AI governance.
As a result, the current regulatory environment can be characterized as technology-neutral, meaning that emerging technologies such as artificial intelligence would be evaluated under existing financial regulatory principles rather than under dedicated legislation.
Looking forward, as financial technologies evolve across Latin America, the development of regulatory experimentation mechanisms, such as supervisory innovation programs or regulatory sandboxes, could provide a structured environment for evaluating the potential use of advanced analytics or AI in financial services.

There are no existing regulations or regulatory initiatives in this regard in Costa Rica.

While Generative AI is increasingly relevant in financial services globally, Nicaragua does not yet have a specific regulatory framework or sandbox addressing its use. Instead, financial institutions are expected to incorporate AI tools within existing risk management, governance and consumer protection frameworks. In practice, this allows for flexibility in innovation, while supervision continues to rely on general compliance and control standards rather than technology-specific rules.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Mario Lozano, Katia Ventura (Central America):
El Salvador has made steady progress in modernizing its payment infrastructure and expanding digital financial services. Initiatives aimed at strengthening electronic transfer systems and the increasing adoption of digital payment solutions have contributed to improving efficiency and accessibility within the payment ecosystem. In this context, the country has developed electronic transfer infrastructures that enable continuous operations, such as Transfer365, a system that facilitates interbank transfers available 24 hours a day. However, unlike jurisdictions such as Brazil or Mexico, which have implemented nationwide interoperable instant payment systems such as Pix or SPEI, El Salvador continues to move gradually toward similar solutions within its financial regulatory framework. Electronic payment services are regulated, among other legal frameworks, by the Law to Facilitate Financial Inclusion, which establishes the legal regime applicable to electronic money providers supervised by the Superintendence of the Financial System and the Central Reserve Bank. These entities may issue electronic money and operate mobile payment platforms, and must comply with licensing requirements, operational guarantees, safeguards for the backing of electronic money, anti-money laundering obligations and technical regulations applicable to the payment system.

Guatemala has not adopted legislation mandating instant, 24/7 payment interoperability similar to systems such as Pix or SPEI. Instead, the evolution of the payments ecosystem has largely been driven by market initiatives, with banks and fintech providers gradually introducing faster digital payment solutions, mobile wallets, and interoperable payment platforms.
From a regulatory perspective, payment activities remain primarily governed by the existing banking and financial services framework, supervised by the Superintendency of Banks (SIB). As a result, entities providing payment services typically operate either as regulated financial institutions or in partnership with them, and there have not been major new licensing regimes specifically targeting payment service providers (PSPs) this year.
Overall, the transition toward faster and more interoperable payments in Guatemala has been gradual and driven by technological adoption rather than by a regulatory mandate.

Honduras has progressively expanded the regulation of payment systems through a combination of central bank oversight and financial supervision. The BCH plays a central role in maintaining the integrity of the national payment infrastructure, while the CNBS supervises financial institutions and electronic money issuers operating within the system.
Although Honduras has not yet implemented a mandatory instant payment network comparable to Brazil’s Pix or Mexico’s SPEI, current legislation governing payment service providers already requires operational resilience, transaction monitoring, and compliance with financial integrity standards.
Licensing requirements for payment service providers continue to emphasize AML compliance, safeguarding of client funds, and operational reliability. These regulatory foundations position the country to gradually move toward enhanced interoperability and real-time payments as the payment ecosystem evolves.

Costa Rica has a long trajectory with a system governing instant 24/7 payment interoperability. The Central Bank established the "SINPE" system in 1997 and all banks that grant accounts to the public are registered in the system. Fintech companies and payment service providers have been using the SINPE system, to facilitate the transfer of funds and perform payments and deposits. Through the "SINPE Movil" modality, users can directly transfer amounts from their bank account to other users using only their registered cell phone number. The SINPE Movil system performed over 615 million transfers in 2025.

Nicaragua is gradually modernizing its payment ecosystem, although it has not adopted a mandatory instant payment model comparable to systems such as Pix or SPEI. Recent regulatory developments have focused on strengthening the authorization and supervision of payment service providers, rather than imposing system-wide interoperability or real-time payment obligations.
Electronic transfers and digital payment channels are becoming increasingly relevant in Nicaragua, as reflected in recent Central Bank of Nicaragua data (i.e. list of registered PSPs) showing growth in non-face-to-face payments, electronic money accounts and digital wallets. The main legal development in this area was the adoption in 2025 of a specific authorization and supervisory framework for payment service providers. However, Nicaragua has not introduced a binding legal mandate requiring instant, 24/7 payment interoperability comparable to Pix or SPEI; instead, the operation of these services continues to depend on the products, terms and conditions offered by each authorized provider within the applicable regulatory framework.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Mario Lozano, Katia Ventura (Central America):
El Salvador has positioned itself as an innovative jurisdiction in the development of regulatory frameworks for digital assets and blockchain-based technologies. The Digital Assets Issuance Law establishes a legal framework that allows the public issuance of digital assets and the operation of digital asset service providers, enabling new financing models based on blockchain technology. Within this regulatory environment, the tokenization of real-world assets may be structured through digital representations of economic rights recorded on distributed ledger technologies. However, these structures may still present certain regulatory challenges, particularly regarding the legal characterization of tokenized instruments and the applicable regulatory framework, as well as disclosure and oversight requirements for issuers. In the case of stablecoins used for transfers or remittance-related activities, the regulatory treatment will generally depend on whether the activity qualifies as a regulated digital asset service under the applicable framework, including compliance with anti-money laundering obligations.

Guatemala does not currently have a specific regulatory framework for cryptoassets, tokenization, or stablecoins. However, fintech activities involving these technologies generally operate under the existing legal and regulatory framework applicable to financial services, securities, and anti-money laundering compliance.
In the case of Real World Asset (RWA) tokenization, the main legal consideration is that the tokenization of an asset does not replace the legal requirements applicable to the underlying asset. For example, the transfer or collateralization of assets such as receivables, real estate, or other property must still comply with local rules regarding ownership, transfer formalities, and creation of security interests. Additionally, if a tokenized instrument grants economic or investment rights similar to securities, it could potentially fall within the scope of the existing securities regime administered through the Registro del Mercado de Valores y Mercancías.
From an AML/CFT perspective, Guatemala’s regime is supervised by the Superintendency of Banks (SIB) through the Financial Intelligence Unit (IVE). While there are no specific rules yet for virtual asset service providers or travel-rule obligations, fintech platforms operating in the space typically structure their activities within existing AML/KYC requirements.
Regarding stablecoin-based remittances, these are generally treated as technological payment rails rather than legal tender. Their use is not prohibited, and solutions have begun to emerge in the market, particularly where the remittance ultimately settles through regulated financial institutions that perform customer onboarding and AML controls. As in many emerging markets, the regulatory approach has so far been cautious and principles-based rather than prescriptive.

Honduras currently maintains a restrictive stance toward cryptocurrencies and blockchain-based financial instruments within the regulated financial system. The Banco Central de Honduras has clarified that cryptocurrencies such as Bitcoin do not constitute legal tender and are not authorized for use by institutions operating within the national financial system.
As a result, financial structures involving blockchain-based tokenization or stablecoin transactions face significant legal limitations if they involve regulated entities. In practice, this means that tokenization of real-world assets has not yet developed as a regulated financial activity in Honduras.
This position reflects a cautious regulatory approach focused on financial stability and consumer protection. However, as digital asset frameworks continue to evolve across Latin America, future regulatory discussions may explore whether certain forms of distributed ledger technology—particularly those not relying on cryptocurrencies—could be integrated into existing financial market structures under appropriate supervision.

Costa Rican regulators have not been very active in regulating digital assets such as RWA tokenization or stable coin based remittances. These have operated based on a freedom of contract principle in Costa Rica, whereby it is understood that private parties are allowed to enter into private agreements as long as they are not expressly prohibited. From an AML perpective, the challenge has been assigned to local banks, who have the duty of conducting due dilligence on their clients and verifying the legal origin of the funds being moved through their accounts in the nationa banking system. There are important challenges to regulate this sector since there is no regulation establishing an oversight body or rules of conduct for the players and technologies within such sectors. 

The main legal and regulatory challenge for RWA tokenization in Nicaragua is that, while there is now a regulatory framework for virtual asset service providers, there is still no specific regime governing the issuance, classification or treatment of tokenized real-world assets. As a result, these structures should be assessed on a case-by-case basis, particularly in relation to whether they could fall within existing financial or securities frameworks.
Recent regulation has focused primarily on bringing virtual asset activities within the AML/CFT perimeter, including exchange, transfer and custody services. In that context, stablecoin-based remittances are not specifically regulated as a distinct product, but may fall within existing compliance obligations depending on how they are structured and whether a regulated provider is involved. Nicaragua has also incorporated travel rule-type obligations for virtual asset service providers, requiring the exchange of information on originators and beneficiaries in certain transactions. However, the broader legal treatment of tokenized assets and stablecoin-based use cases remains underdeveloped.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Mario Lozano, Katia Ventura (Central America):
As fintech ecosystems continue to expand across Latin America, El Salvador has increasingly positioned itself as a jurisdiction open to financial innovation and digital financial services. International firms seeking to operate within the country must comply with established regulatory frameworks related to anti-money laundering (AML), customer due diligence (KYC), and operational risk management, which apply across financial and digital asset-related activities. These obligations include implementing robust customer identification procedures, transaction monitoring systems and internal compliance programs consistent with international AML standards. In addition, financial institutions and regulated entities are expected to adopt appropriate cybersecurity and operational resilience measures to safeguard digital financial infrastructure and protect user data. These regulatory safeguards contribute to maintaining the integrity and stability of the financial system while supporting the continued development of cross-border fintech activities.

Guatemala’s AML/CFT regime is supervised by the Superintendency of Banks (SIB) through the Financial Intelligence Unit (IVE), and entities operating within the regulated financial perimeter must comply with customer identification, transaction monitoring, and suspicious transaction reporting requirements.
For cross-border fintech operations, one key hurdle is ensuring that digital onboarding and KYC processes meet local AML expectations, particularly when services are offered remotely or through cross-border platforms. Firms often structure their operations in partnership with local entities to ensure compliance with applicable standards.
From a regulatory development perspective, Guatemala is currently discussing Bill No. 6593 (Ley Integral contra el Lavado de Dinero u Otros Activos y el Financiamiento del Terrorismo), which seeks to modernize the AML/CFT framework, align it more closely with international standards, and expand the scope of reporting entities. The proposal contemplates, among other things, the inclusion of virtual asset service providers (VASPs) as obligated entities subject to AML compliance and reporting requirements.
From a cyber-resilience perspective, Guatemala does not yet have a single comprehensive cybersecurity law for financial services, but regulated institutions are expected to maintain robust information security, operational risk management, and data protection practices in line with supervisory guidance issued by the SIB.
Overall, the key challenge for international fintech firms is aligning innovative cross-border models with local AML/KYC expectations and operational risk standards, particularly in areas such as customer due diligence, transaction traceability, and cybersecurity governance.
As fintech corridors continue to expand across Latin America, international firms seeking to operate in

Honduras must primarily navigate the jurisdiction’s existing financial regulatory framework rather than a dedicated fintech regime. Cross-border financial activities are therefore assessed through the general rules governing financial institutions, payment services, and anti-money laundering compliance.
Firms interacting with the Honduran financial system must comply with the AML/CFT obligations established under national legislation and the supervisory standards enforced by the National Banking and Insurance Commission. These obligations include customer due diligence, transaction monitoring, and reporting requirements designed to preserve the integrity of the financial system.
From a technological perspective, cybersecurity and operational resilience have also become increasingly important considerations. Although Honduras does not yet have a fintech-specific cyber-resilience framework, regulated institutions are expected to implement internal security and risk-management controls consistent with international best practices, particularly when engaging with digital financial services or cross-border payment infrastructures.
As fintech activity in the region continues to grow, further regulatory coordination and the gradual modernization of financial infrastructure could facilitate smoother cross-border operations while maintaining robust safeguards against financial crime and systemic risk.

In Costa Rica, the critical issue right now is working closely with the banks and financial institutions to make sure they understand the activity being carried out and comply with local AML regulations. Enforcement is primarily directed through financial institutions and they are the ones with the responsibility to understand their client’s activities and control for possible AML issues.
Another important issue for firms to take into account is the local regulations that govern the activity in each jurisdiction, many jurisdictions are implementing registration and licensing requirements for fintech activities. To operate on a cross border basis, the licensing and registration requirements in each jurisdition must be complied with to avoid any issues in the transferability of funds internationally.

In Nicaragua, the main hurdles for cross-border fintech operators are still quite practical: understanding whether the proposed model falls within a regulated activity, adapting the business to local authorization requirements, and aligning with local AML/KYC expectations. This has become more relevant after the 2025 changes to the regulatory framework issued by the Central Bank of Nicaragua for payment service providers and virtual asset service providers, which brought these activities more clearly within the local supervisory perimeter.
On the operational side, international firms must assess whether such activities trigger local licensing requirements, particularly in light of the 2025 regulatory framework. In addition, the current regulatory framework requires regulated entities to maintain adequate risk management, internal controls, information security, cybersecurity and business continuity measures. In practice, seamless cross-border operations depend on properly structuring the service offering so that it aligns with the local regulatory framework from the outset

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Mario Lozano, Katia Ventura (Central America):
El Salvador has become one of the most prominent jurisdictions in the development of legal frameworks related to blockchain technology and digital assets. Through initiatives such as the Bitcoin Law and the Digital Assets Issuance Law, the country has established a regulatory environment that recognizes the role of blockchain-based technologies in financial markets and enables the issuance of digital assets and the operation of digital asset service providers. These legal developments have contributed to fostering innovation and attracting international interest in digital asset-related activities. At the same time, the regulatory framework incorporates supervisory and compliance mechanisms designed to ensure transparency, market integrity and adherence to anti-money laundering standards. As the digital asset ecosystem continues to evolve, the legal framework in El Salvador continues to adapt in order to support innovation while maintaining appropriate regulatory oversight.

The legal and regulatory treatment of digital assets in Guatemala has not undergone significant structural changes in recent years, and there is still no comprehensive legal framework specifically regulating cryptocurrencies or blockchain-based assets. Nevertheless, the use of blockchain-related technologies has gradually increased in the financial and fintech ecosystem.

In practice, digital asset activities are generally assessed under existing legal frameworks, particularly those relating to financial services regulation, securities law, and anti-money laundering compliance. Authorities have tended to take a cautious and technology-neutral approach, focusing on the risks associated with the activity rather than on the underlying technology.
At the same time, legislative initiatives have been discussed in Congress to modernize the regulatory framework for virtual assets and related service providers, which reflects the growing relevance of blockchain-based financial services in the region.

The legal and regulatory treatment of digital assets in Honduras remains cautious and is largely defined by the absence of a comprehensive statutory framework. Cryptocurrencies such as Bitcoin are not recognized as legal tender and are not authorized for use within the regulated financial system. The Central Bank of Honduras has publicly stated that cryptocurrencies are not backed by the State and should not be used by institutions operating within the national financial system.
As a result, digital assets are currently not integrated into the country’s regulated financial infrastructure. Financial activities continue to be governed by the existing legal framework applicable to banking institutions, payment services, and financial supervision, under the oversight of the National Banking and Insurance Commission.
This approach reflects a prudential and stability-oriented regulatory stance. While digital assets remain outside the regulated financial system, ongoing global developments in blockchain and distributed ledger technologies have generated increasing discussion within the Honduran financial ecosystem regarding their potential use in areas such as financial infrastructure, record management, and operational efficiency. Any future regulatory developments would likely aim to balance technological innovation with financial stability and consumer protection.

Costa Rica has taken a mostly hands off approach to the regulation of digital assets, currencies and technologies, leaving the market to regulate itself through freedom of contract principles. Regulators have not been active in pursuing the regulation of this type of assets and technologies, with the exception of anti money laundering controls. There are some iniciatives being analyzed in congress to require registration requirements for Fintech companies and greater AML controls.

Nicaragua’s approach to digital assets has become more structured in recent years. Rather than adopting a comprehensive crypto or blockchain statute, the country has moved to bring certain activities into the regulated perimeter through the 2025 framework for payment service providers and virtual asset service providers, coupled with updated AML/CFT rules for virtual-asset activities.
This means that the main regulatory shift has been toward authorization, supervision and compliance, especially for services involving the exchange, transfer or custody of virtual assets. At the same time, the broader legal treatment of digital assets remains relatively limited, as Nicaragua still does not have a specific and fully developed regime for matters such as token issuance, tokenized securities or the treatment of tokenized assets within the securities framework.

CHILE | CAREY | Fernando Noriega | Agustín Domínguez


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Fernando Noriega, Agustín Domínguez (Chile): As of 2026, Chile has moved beyond basic data-sharing concepts to establish a comprehensive statutory framework for Open Finance, currently under phased implementation. This framework mandates secure, API-driven financial data sharing among regulated financial institutions participating in the Open Finance System (Sistema de Finanzas Abiertas).

The transformation is primarily driven by Law No. 21,521 ("Fintech Law"), enacted in January 2023, which established the legal and institutional foundations for the Open Finance System. The system is designed to enhance competition, foster innovation, and promote financial inclusion by enabling the exchange of customer financial data among participating institutions, subject to the customer’s prior, express, and informed consent.

The operational architecture, governance requirements, and technical standards of the Open Finance System have been further developed through General Rule No. 514 ("NCG 514") issued by the Financial Market Commission (Comisión para el Mercado Financiero or "CMF"). NCG 514 sets out interoperability and API standardization requirements, data access and sharing protocols, cybersecurity and operational resilience standards, consent management mechanisms, and participation requirements applicable to both regulated and non-regulated entities.

Implementation of the Open Finance System is currently underway and is scheduled to enter fully into force on June 3, 2026, following a phased rollout that differentiates obligations depending on (i) the type of institution, and (ii) the category of data involved. The framework distinguishes between entities that must mandatorily participate by making data available – such as banks, card issuers, and other traditional financial institutions – and those that may join voluntarily in order to access and process customer-permitted data. Due to the technical complexity involved, the CMF has submitted for public consultation a proposal to extend the general implementation period to 36 months (Resolution No. 11765 of 2025, dated November 12, 2025).

While the legal framework is robust and clearly structured, the transition to Open Finance remains operationally ongoing. Key friction points include: (i) the significant technological and operational costs associated with compliance and infrastructure development; (ii) achieving uniform interoperability standards across heterogeneous market participants; (iii) cybersecurity and data protection burdens; and (v) operational complexity in consent management and strong customer authentication frameworks.

As implementation progresses, further regulatory guidance and supervisory practice are expected to clarify these issues and determine the extent to which the Chilean model achieves full market-wide interoperability and effective data portability in practice.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Fernando Noriega, Agustín Domínguez (Chile): Chilean law does not currently provide a comprehensive statutory regime specifically addressing artificial intelligence in financial services. Instead, the deployment of generative AI and algorithmic decision-making tools is governed indirectly through existing financial regulatory frameworks, primarily the Fintech Law and General Rule No. 502 issued by the CMF ("NCG 502"), as well as specific consumer protection and credit reporting regulations.

Financial service providers remain subject to conduct of business, governance, and risk management obligations irrespective of whether decisions are human-driven or automated. In practice, firms relying on algorithmic models – particularly in investment advisory and credit advisory – must ensure methodological soundness, data quality and consistency, objectivity in decision-making, and suitability in light of customers’ profiles and declared needs. These standards derive from existing prudential and consumer protection rules rather than AI-specific legislation.

In the credit context, a particularly relevant development is General Rule No. 540 ("NCG 540"), which regulates the operation of the Registro de Deuda Consolidada ("REDEC"). REDEC is a centralized credit debt registry administered by the CMF under statutory mandate, designed to improve credit risk assessment and enhance supervisory oversight. It consolidates updated information on the indebtedness of natural and legal persons, based on reporting by regulated entities.

Access to REDEC is strictly limited: reporting entities may consult the registry exclusively for purposes such as credit risk evaluation, capital and provisioning calculations, and financial analysis related to their credit activity, and only with the debtor’s express consent or other legally valid basis. The framework also establishes detailed rules on information quality, security, consent administration, audit procedures, sanctions, and suspension of reporting entities. These requirements directly impact automated credit scoring models by reinforcing data accuracy, traceability, and lawful access standards.

In addition, NCG 540 establishes specific safeguards regarding the interaction — whether human or automated — between reporting entities and debtors when obtaining consent to access REDEC information. The rule expressly provides that the person or information system interacting with the debtor must not exert any undue influence in order to induce the manifestation of consent. In particular, it prohibits the use of interface designs that lead users to unintended, involuntary, or potentially detrimental decisions; conditioning discounts or benefits on the granting of consent; or employing default-ticked options, visual emphasis (such as differentiated colors, font sizes, or styles), or other design features that highlight consent options over alternatives.

This provision introduces a regulatory constraint on the architecture of digital credit-related interactions and is directly relevant where automated or algorithmic systems are used in the consent related to access to the REDEC and, therefore, in connection with credit evaluation process.

More broadly, financial institutions using algorithmic or AI-driven systems remain subject to Chile’s general prudential and conduct of business framework. This includes operational risk management, outsourcing controls, cybersecurity and operational resilience obligations under CMF regulation, as well as consumer protection and data protection rules requiring lawful processing of personal data, transparency, and respect for the protection of private life.

Accordingly, automated or AI-based processes do not operate in a regulatory vacuum; rather, they are embedded within existing supervisory expectations concerning governance, internal controls, accountability, and fair treatment of customers.

Chile does not currently operate a dedicated regulatory sandbox specifically tailored to AI-based financial services. Instead, innovative technologies are assessed within the ordinary authorization and supervisory framework on a case-by-case basis. While policy discussions on broader AI governance are ongoing, binding AI-specific legislation for financial services has not yet been enacted.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Fernando Noriega, Agustín Domínguez (Chile): Chile’s payment infrastructure operates under a mature and robust regulatory framework that enables near-real-time electronic transfers between private entities. The system relies on Clearing Houses (Cámaras de Valor) and the Real-Time Gross Settlement System (Sistema de Liquidación Bruta en Tiempo Real or "LBTR") operated by the Central bank of Chile, which provides final settlement of interbank obligations.

Central Bank regulations require the simultaneous execution of debit and credit entries in electronic transfers, ensuring that funds are credited on the same day the transaction is processed. However, Chile has not adopted a unified mandatory instant payment scheme equivalent to Brazil’s Pix or Mexico’s SPEI, nor does it impose 24/7 instant interoperability mandate. Instead, the existing infrastructure provides a high degree of operational immediacy within the current market structure.

Within the merchant acquiring ecosystem, banking regulations have historically required settlement to merchants within 15 calendar days following the transaction date. However, increased competition resulting from the entry of new acquiring and sub-acquiring providers has led to significantly shorter settlement periods.

Chile follows a differentiated regulatory model for Payment Service Providers ("PSPs") rather than a single, unified licensing regime. While not all PSPs require a general license, sub-acquirers become subject to CMF oversight once certain quantitative thresholds are met, notably when they: (i) carry out settlements or payments exceeding 0.5% of the total payments made to affiliated merchants by all card operators supervised by the CMF during a 12-month period; and (ii) exceed such threshold during two consecutive calendar quarters.

Recent regulatory amendments also require PSPs providing cross-border sub-acquiring services — including onboarding merchants not domiciled in Chile and settling abroad transactions conducted using payment cards issued in Chile — to register in the Payment Card Operators Registry.

Additionally, the Fintech Law introduced Payment Initiation Service Providers ("PISPs") as a distinct regulated category within the payments ecosystem. PISPs may, on the customer’s behalf and with prior, express consent, instruct the execution of payment orders or electronic transfers directly with the institutions holding the customer’s accounts. They operate under a mandate-based model and are not permitted to hold or custody customer funds. NCG 514 requires PISPs to register in the CMF’s Register of Payment Initiation Service Providers within 12 months from the rule’s effective date (June 3, 2026), meaning the outer deadline to register would be June 3, 2027.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 

Fernando Noriega, Agustín Domínguez (Chile): Under the Fintech Law, tokenized real-world assets may qualify as financial instruments depending on their structure, economic function, and the activities performed in relation to them. Chile does not provide a standalone statutory category for "RWA tokenization"; rather, regulatory treatment follows a functional approach, whereby the legal characterization depend on the economic substance of the underlying asset and the nature of the service provided.

Consequently, entities offering, intermediating, trading, or providing custody services in connection with tokenized assets may fall within the regulatory perimeter of Fintech Law and become subject to registration, authorization, and ongoing compliance obligations under CMF supervision.

Key regulatory challenges stem from the evolving supervisory interpretation of the CMF, particularly with respect to:

- The scope of licensing requirements applicable to digital asset service providers;
- The efficiency and predictability of registration procedures; and
- The development of uniform compliance standards applicable to ongoing operational obligations.

Stablecoins may likewise fall within the regulatory perimeter depending on their issuance structure, backing mechanisms, and functional characteristics. Service providers involved in their issuance, intermediation, transfer, or custody may therefore be subject to Fintech Law.

From an anti-money laundering perspective, digital asset service providers, including those facilitating stablecoin-based remittances, are subject to reporting and compliance obligations under Law No. 19,913 ("Chilean AML Law") and are supervised by the Unidad de Análisis Financiero ("UAF"). These obligations include registration requirements, suspicious transaction reporting, and customer due diligence standards, which operate in alignment with international AML/CFT principles, including those reflected in the FATF framework.

Overall, Chile applies a technology-neutral, functional regulatory model, whereby supervisory treatment depends primarily on the economic substance of the activity rather than the specific technological architecture employed.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Fernando Noriega, Agustín Domínguez (Chile): International firms entering the Chilean market typically face two principal regulatory hurdles: (i) operational risk and cybersecurity requirements under the Fintech Law and CMF regulations; and (ii) strict anti-money laundering and know-your-customer obligations enforced by the UAF.

From a cyber-resilience perspective, NCG 502 and the Open Finance System regulations (i.e. Fintech Law and NCG 514) impose comprehensive operational risk management standards. Firms must implement business continuity plans, disaster recovery protocols, and continuous API monitoring. A critical friction point for foreign entrants is the strict incident reporting requirement: operational or cybersecurity incidents must be reported to the CMF via the Operational Incident Report (Reporte de Incidentes Operacionales or RIO) within extremely tight timeframes. Furthermore, while foreign entities can operate in Chile, they are generally required to establish a local domicile unless they exclusively serve "qualified investors" under a specific regulatory safe harbor.

Regarding AML/KYC, crypto-asset service providers and other fintech services providers are explicitly designated as reporting entities under the Chilean AML Law. The UAF recently updated its regulatory framework via Circular No. 62, which systematizes and updates instructions for reporting entities, mandating enhanced due diligence for Politically Exposed Persons and strict adherence to the "Travel Rule" for cross-border electronic fund transfers exceeding USD 1,000. International firms must ensure their global compliance programs are localized to meet these specific UAF thresholds.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted.

Fernando Noriega, Agustín Domínguez (Chile): Chile’s legal treatment of digital assets has evolved from a period of regulatory ambiguity to a formal statutory framework defining the regulatory perimeter and supervisory authority applicable to virtual financial assets.

The Fintech Law introduced the concept of "virtual financial assets" into Chilean law, defining them as digital representations of value that can be digitally traded or transferred and used for payment or investment purposes. This definition serves as the basis for determining whether certain activities — including custody, intermediation, or operation of alternative trading systems for digital assets — fall within the CMF’s supervisory scope.

The CMF has further clarified the perimeter through interpretative guidance and regulatory practice, confirming that decentralized cryptocurrencies such as Bitcoin and Ethereum qualify as virtual financial assets, while fiat currencies do not. Consequently, entities professionally engaging in custody, brokerage, intermediation, or operation of alternative transaction systems for digital assets must register, obtain authorization and comply with the requirements established under NCG 502 and related regulations.

Rather than adopting a fully bespoke digital asset code comparable to certain foreign regimes, Chile has opted for a functional approach, integrating digital assets into the broader financial regulatory architecture while progressively refining supervisory criteria through rulemaking and practice.

COLOMBIA | POSSE HERRERA RUIZ | Juan Camilo Zuluaga


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Juan Camilo Zuluaga (Colombia): In Colombia, three regulatory actions that have fostered the adoption of an open finance model. In 2022, the Colombian Government issued a decree establishing guidelines for the voluntary adoption of Open Finance. This framework focused on payment systems, data protection, and the use of financial infrastructure to enable third-party service provision. In 2023, Congress enacted legislation promoting open data principles and facilitating product portability, allowing financial consumers to transfer products between institutions more seamlessly.

The Government is currently advancing toward a mandatory Open Finance regime. However, key friction points remain. Standardization of data formats across financial institutions continues to pose operational and technical challenges. In parallel, ensuring robust personal data protection—consistent with Colombia’s data privacy regime—remains central to regulatory discussions. Authorities are actively coordinating technical and supervisory standards to enable secure and interoperable data portability.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Juan Camilo Zuluaga (Colombia): Colombia does not yet have a comprehensive regulatory framework specifically governing Generative AI. Nevertheless, authorities have adopted a policy-driven and supervisory approach. In coordination with the Inter-American Development Bank, the National Planning Department (Departamento Nacional de Planeación) has issued policy guidance on the responsible use of alternative data and artificial intelligence to enhance credit decisions and promote financial inclusion.

Regarding AI-driven risk management, the Superintendencia Financiera de Colombia (SFC) has incorporated artificial intelligence tools into supervisory activities. It has encouraged supervised entities to adopt AI solutions prudently, subject to appropriate governance, explainability standards, and human oversight. This principles-based approach has enabled gradual adoption while maintaining supervisory safeguards.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Juan Camilo Zuluaga (Colombia): The Colombian financial system has progressively enhanced interoperability across ATMs, card networks, and certain peer-to-peer and business-to-consumer channels. Inspired by Brazil’s PIX system, the Colombian Central Bank launched Bre-B, an instant payment system that became operational in October 2025 for peer-to-peer transactions.

As of February 2026, approximately 34 million individuals have registered with Bre-B, and over 480 million transactions have been processed, with an average ticket size of approximately USD 40. Business participation is expected to expand throughout 2026. The system has stimulated integration efforts among payment service providers (PSPs) and accelerated innovation in digital payments. These developments are expected to significantly reduce cash usage and promote financial inclusion.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 

Juan Camilo Zuluaga (Colombia): Real World Asset (RWA) tokenization in Colombia faces structural legal challenges arising from the civil law framework governing property, securities, and registrable assets. Transfers of ownership over real estate, corporate shares, and other registrable assets require compliance with formal dispositive requirements, including public deeds, registration before the Oficina de Registro de Instrumentos Públicos, or centralized book-entry systems such as Deceval. A blockchain token, by itself, does not satisfy these legal formalities. As a result, tokenization structures often rely on fiduciary vehicles or special purpose entities to ensure enforceability under Colombian law.

With respect to stablecoin-based remittances, cryptoassets are not recognized as legal tender by the Central Bank. Virtual Asset Service Providers (VASPs) are subject to AML/CFT obligations. Under the regulatory sandbox and FATF-aligned standards implemented by the Unidad de Análisis e Información Financiera (UIAF), travel rule requirements increasingly mandate the collection and transmission of originator and beneficiary information for qualifying transfers. Stablecoins are generally assessed through AML, foreign exchange, and consumer protection lenses rather than under a bespoke securities regime.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?
 
Juan Camilo Zuluaga (Colombia): For international fintech firms entering Colombia, the principal hurdles are regulatory fragmentation and heightened supervisory expectations in AML, data protection, and operational resilience.

First, AML/KYC compliance is governed by a risk-based framework aligned with FATF standards and overseen by the Unidad de Información y Análisis Financiero. Local entities must adopt AML reporting systems, including enhanced due diligence for cross-border clients, UBO identification, and suspicious transaction reporting. Interoperability with foreign KYC utilities remains limited, which complicates seamless onboarding in regional fintech corridors.

Second, Colombia’s data protection regime, enforced by the Superintendencia de Industria y Comercio, imposes consent, purpose limitation, and cross-border transfer requirements. Cloud hosting, outsourcing, and data localization assessments must be carefully structured to avoid unlawful international transfers.

Cyber-resilience expectations have also intensified. Local financial institutions must adopt robust cybersecurity governance, incident reporting, and third-party risk management frameworks. International firms must reconcile Colombian operational risk standards with home-jurisdiction requirements, ensuring harmonized controls, penetration testing, encryption standards, and contractual allocation of cyber-liability across group entities and local partners.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted.

Juan Camilo Zuluaga (Colombia): Colombia’s regulatory treatment of digital assets has evolved from categorical skepticism to calibrated supervision. Initially, authorities such as the Colombian Central Bank and and the Superintendencia Financiera de Colombia emphasized that cryptoassets are not currency, not legal tender, and not deposits. Regulated financial institutions were discouraged from directly intermediating crypto-related activities.

However, growing global blockchain adoption in capital markets has prompted a more nuanced approach. Through the SFC’s regulatory sandbox ("la Arenera"), supervised banks have been permitted to pilot crypto-fiat on-ramps with exchanges under controlled environments, reflecting a shift toward risk-mitigation rather than outright prohibition. Simultaneously, the Colombian tax authority has clarified that cryptoassets may constitute intangible assets subject to income and wealth tax reporting.

Although Colombia lacks a comprehensive digital asset statute, regulators apply existing legal frameworks—securities law, AML/CFT rules, consumer protection, and foreign exchange controls—based on functional equivalence. The country has thus transitioned toward incremental integration through sandbox experimentation, interpretative guidance, and strengthened supervisory oversight.

ECUADOR | PEREZ BUSTAMANTE & PONCE | Juan Francisco Simone


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Juan Francisco Simone (Ecuador): Ecuador has established a clear legal mandate for Open Banking through the Ley Orgánica para el Desarrollo, Regulación y Control de los Servicios Financieros Tecnológicos (Ley Fintech), published on December 22, 2022. This positions Ecuador among the Latin American jurisdictions with explicit Open Banking legislation.

The Second Transitory Provision of the Fintech Law mandates that within eight years from December 2022 (deadline: December 2030), entities of the national financial system must standardize bank accounts according to the IBAN standard. The Junta de Política y Regulación Financiera y Monetaria shall establish the conditions for the private financial system to provide open banking services, publishing application programming interfaces (API) for validation of account information in order to facilitate interoperability with Fintech companies. 

The Confidentiality and Data Protection Principle (Article 6, paragraph 6) establishes that financial information and personal data accessed in the framework of Fintech Activities must be kept in strict confidentiality, according to international standards and the provisions of the Ecuadorian legal system, especially in accordance with the Ley Orgánica de Protección de Datos Personales and international instruments ratified by Ecuador. 

Remaining Friction Points for Data Portability: As of March 2026, several obstacles remain. First, the Junta de Política y Regulación Financiera y Monetaria must still issue specific conditions and technical standards for open banking APIs. Second, migration to the IBAN standard requires significant coordination among all financial system entities. 

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Juan Francisco Simone (Ecuador): Ecuador has established a regulatory sandbox framework for payment and fintech innovations, though no AI-specific regulatory framework currently exists.

The Fintech Law provides for regulatory sandboxes. Entities wishing to implement new business models related to technology-based payment methods, systems, structures, and services may obtain temporary operating authorization from the Banco Central del Ecuador. The temporary authorization period is up to 24 months, as specified in each authorization. Supervision, oversight, and control of authorized sandboxes corresponds to the Banco Central del Ecuador.

Gap in AI governance: The existing framework does not specifically address algorithmic transparency requirements, explainability of AI decisions, or specific governance for generative AI applications in financial services.
 
3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Juan Francisco Simone (Ecuador): Ecuador is actively implementing a comprehensive instant payment infrastructure with mandatory interoperability requirements.

The Red de Pagos Instantáneos (RPI) is the infrastructure for real-time electronic money transfers, administered by the Banco Central del Ecuador. Real-time payments are defined as electronic transactions that transfer resources almost instantaneously from the ordering client’s account to the beneficiary’s, operating 24 hours a day, 365 days a year. The Sistema Integrador de Pagos (SIP) is the technological infrastructure managed by the Banco Central del Ecuador that processes and compensates inter-network payment transfers.

Entities participating in the National Payment System must interoperate between their platforms and infrastructures, complying with rules and technical standards issued by the Banco Central del Ecuador. Interoperability must be designed considering client needs and protection, facilitating the best user experience regardless of the entities providing the service. Applicable principles include accessibility, high service level, scalability, neutrality, technological neutrality, non-discrimination, and transparency.

PSP Licensing Requirements: The Norma para Autorización de Partícipes del Sistema Auxiliar de Pagos (November 2024) establishes current licensing requirements. Authorized services include payment aggregation, payment gateway, electronic payment processing, transactional switch, remittances, public resource collection, and compensation.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Juan Francisco Simone (Ecuador): Ecuador’s regulatory treatment of tokenization and digital assets remains limited, with key provisions primarily focused on AML/CFT compliance.
Virtual assets are defined as digital representations of value that can be digitally negotiated or transferred and used for payment or investment purposes, excluding digital representations of fiat currencies, securities, or other financial assets.

Virtual Asset Service Providers (VASPs) are defined in alignment with FATF recommendations, covering activities including exchange between virtual assets and fiat currency, exchange between virtual asset forms, virtual asset transfers, custody and administration of virtual assets, and participation in virtual asset offerings.

No specific framework exists for real-world asset (RWA) tokenization or security token offerings. Stablecoin-specific regulations have not been identified in the reviewed framework. The legal treatment of tokenized securities under capital markets law remains undefined.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Juan Francisco Simone (Ecuador): International fintech firms seeking to operate in Ecuador face substantial compliance requirements in both cybersecurity and AML/KYC frameworks.
Financial institutions and fintech entities must implement a comprehensive cybersecurity framework. Additional technical requirements include information security management referencing ISO/IEC 27000 standards and other applicable international cybersecurity norms, encryption of confidential information according to current international standards, anti-malware software permanently updated on all electronic channels, and vulnerability testing with reports available to the authorities.

Entities must apply comprehensive due diligence covering clients, shareholders, employees, correspondents, suppliers, and beneficial owners.  Know Your Customer (KYC) policies include Know Your Shareholder, Know Your Client, Know Your Employee, Know Your Market, and Know Your Correspondent. Enhanced due diligence is required for high-risk clients, including those from FATF-listed jurisdictions, clients or beneficiaries from tax haven countries, and complex account structures.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Juan Francisco Simone (Ecuador): The legal and regulatory treatment of digital assets in Ecuador has evolved primarily through AML/CFT compliance requirements rather than a comprehensive digital asset framework.

Virtual assets are defined as digital representations of value for payment or investment, excluding fiat currency, securities, or other financial asset representations. VASP activities include exchange, transfer, custody, and participation in virtual asset offerings.

VASPs must comply with UAFE (AML Regulator) guidelines and AML regulations.

A Decreto Ley de Emergencia No. 477 (December 2024) included provisions regarding Virtual Asset Providers, though the Constitutional Court declared its unconstitutionality by form with retroactive effects in March 2025.

The existing framework recognizes FATF-aligned definitions for virtual assets and VASPs. VASPs are included as reporting subjects under the Ley Orgánica de Prevención, Detección y Erradicación del Delito de Lavado de Activos y del Financiamiento de Delitos.

The Fintech Law establishes several principles relevant to blockchain and digital asset activities. The Technological Neutrality principle provides that regulations should not mandate specific technologies, allowing blockchain-based solutions.

The Innovation principle provides that design of technological solutions and application of new technologies should be favored. The Security principle requires that data traffic must be secure, complying with confidentiality, integrity, and availability.

There is no specific securities law framework for token classification. There is also an absence of custody regulations for digital assets. The treatment of blockchain-based smart contracts in the financial sector remains unclear. Finally, there is no central bank digital currency (CBDC) framework beyond the discontinued "dinero electrónico" system.

MEXICO | NADER, HAYAUX & GOEBEL | Adrián López | María Gabriela Botello


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Adrián López, María Gabriela Botello (Mexico): Mexico continues to transition to an Open Finance ecosystem. Back in 2018, Mexico took a big step forward by enacting Article 76 of the Law Regulating Financial Technology Institutions (Ley para Regular las Instituciones de Tecnología Financiera, the "Fintech Law"), which provides the general statutory framework for Mexican financial entities to share information of open data (publicly available product and service information), aggregated data (statistic information of their operations), and transactional data of each of their customers, subject to customer’s prior explicit consent.

From its inception, the Fintech Law contemplated a cross-sector data-sharing ecosystem encompassing banks, Fintech institutions (payment companies and crowdfunding platforms), insurance companies, credit report companies, and all other regulated financial entities.

The statute requires that all financial entities implement standardized APIs to share information and implement data portability; and grants regulatory authority to the relevant financial authorities to issue secondary regulations governing fundamental technical aspects for the mandatory inter institutional data sharing ecosystem.

The full operationalization of the Mexican Open Finance ecosystem depends on the issuance of comprehensive secondary regulation allowing for the sharing of aggregated data and transactional data, which continues under review by the relevant regulatory agencies. Mexican regulators have indicated their intention to be particularly meticulous (and for good reason) in the design of the data sharing technical standards to ensure information safety and reliability while observing technological neutrality, and are prevented by law from adopting a more liberal approach that may leave technical matters to autoregulation by consensus of financial players, as it is the case in other jurisdictions.

The most relevant advance with respect to secondary regulation took place back in July 2020, when the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, "CNBV") issued regulations governing the exchange of open financial data for its regulated entities. These regulations established the technical standards for APIs, security protocols, formatting requirements, and availability parameters applicable to open data. As a result, the open data layer of the framework is legally and operationally active.

That said, comprehensive secondary rules governing aggregated and transactional data sharing across all financial sectors remain pending. Although the law mandates such sharing and permits it with customer consent, the absence of fully harmonized set of technical standards and supervisory guidance has postponed ecosystem-wide interoperability.

Mexico’s framework is therefore structurally advanced but not yet fully consolidated. The most relevant friction point is finalizing the regulation on the technical and supervisory architecture needed to enable broad, seamless data portability across the financial system.

It is to be expected that regulators prepare the secondary regulations drawing from their experience in other information sharing that ordinarily takes place within the Mexican financial sector in certain defined contexts, including information exchange within financial group members, anti-money laundering and counter-financing of terrorism ("AML/CFT") compliance, fraud mitigation, coordinated crime prevention, and supervisory or regulatory investigations. These exchanges take place based on express legal mandates and/or are enabled through customer consent, in each case subject to confidentiality and data protection requirements.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Adrián López, María Gabriela Botello (Mexico): Mexico’s regulatory sandbox framework was introduced by the Fintech Law, drawing inspiration from the UK’s FCA experience. The sandbox framework was designed to allow for the controlled deployment of financial products through innovative mechanisms, which may make it suitable for services delivered through the implementation of AI in any stage.

In contrast to the successful UK sandbox experiences, Mexican entrepreneurs and institutions have not opted for sandbox authorizations to taste the waters of the Mexican markets. The inactivity of the Mexican sandbox is multifactorial, among others, there is a common perception that the application process is disproportionally complex and cumbersome, and that the authorization would be restrictive and short-lived, particularly when contrasted with the possibility of applying for other regulated licenses.

Mexico’s financial regulation has proven sufficiently technology-neutral and flexible to accommodate AI within existing licensing frameworks, reducing the practical need to rely on a sandbox. We would not expect to see sandbox applications for AI driven products if the regulators do not regulate or take a restrictive stance towards the use of AI for typical financial entities.

Industry stakeholders are continuously engaged with policymakers in early-stage discussions for often referred to informally as "Fintech Law 2.0." Among the objectives under consideration is a potential redesign of the sandbox framework to make it more accessible and operationally viable. These conversations remain preliminary, with no formal legislative proposal yet introduced, and any material reform would likely occur, if at all, toward late 2026.

Mexico does not have an AI-specific statute or binding regulatory framework applicable to financial institutions or Fintechs. The use of AI in financial services is governed by activity-based and entity-based regulation, rather than technology-specific rules. This means that AI-driven underwriting, robo-advisory services, fraud detection systems, and risk models are subject to the same legal obligations that apply to their non-AI or human-operated equivalents. By way of example, below we address the following use cases:

Credit scoring and lending. Financial institutions and credit information companies must comply with consumer protection, data protection, and non-discrimination standards. Scoring methodologies, whether AI-based or traditional, must be fair, transparent, and based on complete and lawfully obtained data. The regulated entity remains fully liable for discriminatory or arbitrary outcomes.

Investment advisory and automated portfolio management. Under the securities framework, suitability, disclosure, fair treatment, and anti-misleading conduct obligations apply regardless of whether recommendations are generated by a human advisor or an inteligent algorithm.

Fraud detection and AML/CFT systems. Obligations arise primarily from anti-money laundering laws and secondary regulations. Institutions must maintain risk-based monitoring, transaction review, and reporting mechanisms. Where AI is used, regulators expect traceability, auditability, and effective human oversight. The deployment of automated systems does not shift liability away from the regulated institution.

As the regulatory perimeter focuses on the financial institution rather than the type of technology they use<, financial institutions (such as Fintechs, banks, etc.) remain fully responsible for the outputs generated by AI systems. Market participants are increasingly using internal AI and model-risk governance frameworks aligned with existing regulatory expectations on operational risk, internal controls, and compliance management.

Interestingly, many of the AI governance mechanisms being discussed by certain groups in Congress in AI legislation drafts are already being implemented voluntarily by regulated institutions to mitigate regulatory and reputational risks. In that sense, regulatory developments in Mexico may follow the path of formalizing risk-management practices that sophisticated financial institutions have already begun to adopt.

Lastly, it is worth noting that recent legislative discussions, including a 2025 draft initiative inspired in part by the EU AI Act, have contemplated risk-based governance for high-impact AI systems in financial services. Proposals under discussion have included mandatory explainability standards for algorithms, bias testing requirements, and enhanced human review for certain decisions. However, these initiatives remain at a conceptual or draft stage and have not yet been made into binding law.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Adrián López, María Gabriela Botello (Mexico): Mexico’s payment system is anchored in SPEI, the real-time interbank peso-denominated transfer system administered by Banco de México (Banco de México. "Banxico"). SPEI will continue to serve as the core account-to-account (A2A) infrastructure of the Mexican economy, and it is to be expected that it will continue to be progressively strengthened and updated through regulation.

Recent regulatory activity includes Banxico’s Circular 2/2025, which enhances the prudential and operational perimeter applicable to SPEI participants by reinforcing requirements relating to operational continuity and resilience, cybersecurity governance, fraud prevention controls, among others. This new regulation established phased compliance milestones through 23 February 2026.

Rather than mandating a structural migration toward instant payments, which are already operational nationwide, the regulatory expectations for 2026 include provisions governing the interplay between the SPEI and the upcoming stablecoin economy and other potential international payment systems, as well as further provisions tightening participation, operational, and risk-management standards for entities connecting (directly or indirectly) to SPEI.

Importantly, participation in SPEI is not limited to banks. Pursuant to rule 56[1] of Banxico’s Circular 14/2017, other regulated entities, including Electronic Payment Fund Institutions (IFPEs) authorized under the Fintech Law, may connect to SPEI, subject to compliance with Banxico’ s technological and risk requirements This has expanded the interoperability perimeter to include Fintech wallet providers within the same real-time ecosystem as traditional credit institutions. Currently, as per the lists of SPEI participants published by Banxico, there are 12 IFPEs participating directly, including CASHI (Walt-Mart’s IFPE), Mercado Pago and NVIO[2] and 15 IFPES participating indirectly, such as Pomelo and Mex Pago.[3]

Overlay Banxico initiatives such as CoDi (merchant QR payments) and DiMo (mobile-number-based transfers) are expected to continue growing in terms of adoption, although their expansion is discreet compared to other payment products, such as fiat wallets operated by IFPEs and other depository products.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 

Adrián López, María Gabriela Botello (Mexico): Mexico does not yet have a specialized body of law governing tokenization of real-world assets. Regulatory treatment remains functional and asset-based rather than technology-specific. Mexican law does not currently provide a specific legal definition or regulatory framework for tokenized assets, tokenised deposits, or tokenized central bank money, nor does it establish rules specifically governing distributed ledger technology (DLT) as a registry mechanism for financial assets. Instead, the legal characterization of tokenized arrangements is expected to follow a functional, "look-through" approach, whereby regulators assess the underlying economic activity rather than the technological wrapper.

However, Mexican Law isn’t inherently averse to tokenized assets, the legal framework is generally technology-neutral and, in certain respects, accommodating of digital infrastructures.

The judicial system isn’t opposed to blockchain and DLT technologies, records kept using this technology may be admissible under Mexican procedural law as electronic evidence, with their evidentiary weight depending on the reliability integrity, and traceability of the DLT system, the attribution of information and the availability for subsequent consultation. Information recorded on permissioned or closed ledgers may therefore serve as evidence subject to judicial evaluation regarding authorship, system security, and subsequent accessibility of the records under the National Civil Procedure Code provisions governing electronic data and digital information.

Permissioned DLT systems—characterized by controlled access and identifiable participants—tend to present fewer legal uncertainties than fully decentralized or permissionless systems. The existence of admission controls and identifiable actors generally facilitates attribution of acts, strengthens evidentiary reliability.

From a substantive standpoint, Mexico does not have a specific legal regime governing proprietary rights in digital assets. However, under Mexican law, digital assets are generally characterized as intangible movable property (personal property). Accordingly, issues relating to ownership, transfer, enforcement, and security interests are governed by the general rules applicable to movable assets, primarily pursuant to the Federal Civil Code and the Commerce Code.

Similarly, security interests over digital assets may be created in accordance with Mexican law, subject to the formalities and perfection requirements applicable to intangible movable property.

As a general conflict-of-laws principle, proprietary matters are governed by the law of the jurisdiction where the asset is located. In the context of digital assets, location is typically determined by reference to control, including possession of the relevant private keys. Mexican courts would assess location and the territorial connection of relevant acts or effects when determining jurisdiction.

There is no MiCA-style perimeter for decentralized finance or token issuance. Supervisory analysis focuses on the economic function being performed: intermediation, custody, solicitation, exchange, lending, rather than the token format itself.

With respect to stablecoins (i.e. a token representing a claim on fiat currency or otherwise designed to maintain a stable value relative to a sovereign currency or basket of assets) Mexican authorities have publicly cautioned that certain instruments marketed as stablecoins may resemble deposit-taking or funds-raising activities requiring proper authorization, based on the Fintech Law, which prevents fiat-denominated digital instruments to be characterized as "virtual assets."

Accordingly, a stablecoin-based remittance model is assessed not by its technological architecture but by its economic substance. It is very important to meticulously review a stablecoin business model on a case-by-case basis to make sure that it does not entail a violation of Mexican law.

For regulated financial entities, Banxico continues to maintain a "safe distance" policy between regulated entities and the use of digital assets in terms of Circular 4/2019, which limits the use of "virtual assets" by regulated institutions to internally authorized operations and effectively prohibits customer-facing crypto exposure absent express authorization.

From an AML/CFT perspective, recent amendments to the Federal Law for the Prevention and Identification of Transactions with Illicit Funds (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, the "AML Law") has increased the reporting requirements applicable to virtual asset activities.

Mexico’s AML framework incorporates "travel rule"–type expectations through sectoral AML provisions applicable to financial institutions and money transmitters. Where a stablecoin-based remittance qualifies functionally as a funds transfer, the same customer-originator and beneficiary information requirements applicable to traditional transfers must be obtained and safeguarded.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Adrián López, María Gabriela Botello (Mexico): Mexico’s regulatory approach provides a high degree of legal certainty for cross-border models, with established requirements on governance, AML/KYC, and cybersecurity that support market integrity and consumer trust.

Within this institutional setting, international Fintech models can scale successfully in the Mexican market when their governance and compliance architectures are structured in alignment with applicable local regulatory parameters, including authorization requirements, supervisory standards, and operational obligations. The key regulatory considerations relevant to international entrants are outlined below.

Regulated entities, including Fintechs, must comply with stringent cybersecurity and operational resilience standards. These include:

- documented information security frameworks,

- incident detection and response mechanisms,

- penetration testing and vulnerability management, and

- business continuity and disaster recovery planning.

Where critical services are outsourced, including cloud infrastructure, institutions remain fully responsible for compliance. Outsourcing agreements must incorporate audit rights, supervisory access clauses, data availability guarantees, and exit strategies consistent with CNBV requirements.

For regulated Fintech institutions, CNBV places cybersecurity and operational resilience at the center of its supervisory framework through the General Provisions Applicable to Fintechs (Disposiciones de carácter general aplicables a las Instituciones de Tecnología Financiera). These rules require formal information security governance, incident reporting to CNBV, and enhanced oversight of outsourcing arrangements involving sensitive or biometric data.

From an enforcement perspective, supervision is largely event driven. Regulators have broad inspection and sanctioning powers, and cyber incidents, service outages, or weaknesses in third-party arrangements frequently trigger targeted information requests and follow-up reviews. As a result, Fintechs operating in Mexico should expect that material incidents, rapid operational growth, or reliance on critical vendors are the most likely catalysts for supervisory scrutiny and potential corrective measures.

Mexico does not impose a blanket data localization requirement mandating that financial data be stored exclusively within national territory. However, regulated entities must ensure that supervisory authorities have effective and timely access to information, records, and audit trails, even where technological infrastructure is hosted abroad.

This supervisory access requirement operates alongside Mexico’s personal data protection framework, which permits cross-border data transfers provided that: the transfer is supported by appropriate contractual safeguards, the recipient assumes equivalent data protection obligations, and the data subject has been properly informed where required.

For regulated financial entities, additional considerations apply. Certain financial, accounting, and transactional records must remain retrievable and available in Mexico upon regulatory request, and outsourcing arrangements, particularly cloud-based services, must preserve audit rights, information availability, and operational continuity.

As a result, international firms operating centralized or regional infrastructure may rely on cross-border data architectures, but these must be structured to ensure compliance with Mexican data protection law, confidentiality obligations, and supervisory access standards.

With respect to AML/CFT Mexico maintains a comprehensive framework aligned with FATF standards, grounded in the AML Law and sector-specific implementing provisions applicable to regulated financial entities.

International firms entering the Mexican market must calibrate their compliance models to a framework that places particular emphasis on know your customer and customer due diligence, beneficial ownership transparency, and ongoing monitoring obligations.

Core regulatory expectations include:
- full customer identification and verification based on official documentation;
- mandatory identification and documentation of the ultimate beneficial owner;
- risk-based customer profiling and ongoing monitoring;
- enhanced due diligence for politically exposed persons (PEPs) and higher-risk categories;
- suspicious transaction reporting to the Financial Intelligence Unit (Unidad de Inteligencia Financiera); and
- designation of a compliance officer and implementation of internal AML/CFT governance structures.

Entities intending to connect, directly or indirectly, to Mexican payment infrastructure (including SPEI or card networks) must align with domestic standards on operational reliability and fraud mitigation.

Participation in real-time payment systems requires:
- demonstrable uptime and business continuity capabilities,
- robust cybersecurity frameworks,
- real-time transaction monitoring,
- clearly defined incident escalation protocols, and
- segregation of critical operational functions.

For example, entities facilitating instant transfers must be able to detect anomalous patterns in near real time and implement preventive controls before settlement finality. In practice, this requires not only technological capability but also internal governance structures capable of responding to fraud events within compressed timeframes.

For international firms operating regional processing hubs, this means Mexican operational risk standards must be embedded into system design, rather than layered on post-entry.

Institutions must also be prepared to respond to regulatory inquiries and consumer claims in Spanish, within prescribed statutory timelines, and under formal administrative procedures.

Accordingly, successful market entry requires not only technological interoperability but also careful localization of contractual documentation, disclosure practices, and consumer-facing governance structures.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted.

Adrián López, María Gabriela Botello (Mexico): Mexico’s regulatory treatment of digital assets has evolved cautiously and is expected to continue evolving on that line. The Fintech Law defines "virtual assets" as digitally recorded units of information that are used as a means of payment with a value determined by market supply and demand.

Banxico has maintained a restrictive posture towards virtual asset use by regulated financial institutions. Through Circular 4/2019, Banxico limits the use of virtual assets by banks and IFPEs to internally authorized operations, effectively preventing customer-facing crypto exposure absent specific approval.

As a result, digital asset activity in Mexico has developed primarily outside the regulated banking perimeter, subject to compliance with the Fintech Law and its AML/CFT obligations.

There is no MiCA-style statute or dedicated DeFi regime. Instead, digital asset services are assessed according to the function with licensing requirements triggered by substance rather than technology.

Recent policy discussions suggest interest in refining the framework, particularly regarding tokenization and stablecoin structures. However, the overarching regulatory direction remains clear: digital asset innovation is permissible, but within a supervisory perimeter designed to contain systemic risk and ensure AML compliance.

Mexican authorities have signaled a technology-enabling but risk-contained approach: they broadly recognize the potential value of blockchain/DLT to improve efficiency, traceability, and settlement processes in financial markets, while maintaining a restrictive stance on retail exposure to "virtual assets" due to the risks repeatedly identified by Banco de México (volatility, operational/cyber risks, fraud, and AML/CFT concerns). In practice, this means that blockchain is more likely to be adopted in permissioned, supervised infrastructures (with strong governance, cybersecurity, and auditability) than as a basis for open, customer-facing crypto intermediation.

Regarding securities on blockchain, the most plausible "advance" in Mexico is not a new crypto-specific securities regime, but rather the migration of traditional securities and securities-like rights to DLT-based recordkeeping and transfer under a functional, existing-law analysis. In other words, tokenization would generally be assessed by the underlying right and regulated activity (issuance/offering, intermediation, custody, settlement, market infrastructure) rather than the token format. This creates a pathway for DLT as a securities infrastructure layer, especially in controlled environments, so long as investor protection, custody/record integrity, and settlement finality requirements are satisfied and the model does not translate into public-facing exposure to the virtual-asset risks that Banxico seeks to contain.

PANAMA | ARIAS, FÁBREGA & FÁBREGA | Javier Yap Endara


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Javier Yap Endara (Panama): As of March 2026, Panama has not undertaken a significant transition from a basic Open Banking framework toward a mature Open Finance or Open Data ecosystem featuring standardized data-sharing among financial institutions, payment service providers and third parties. At present, there is no sector-specific legal framework establishing mandatory financial data interoperability or uniform technical API standards applicable across market participants.

Nevertheless, the Panamanian financial market has demonstrated growing interest in digitalization and interoperability models, driven primarily by private-sector initiatives and regional competitive dynamics. These factors have allowed certain practical developments to emerge even in the absence of a specific regulatory framework.

Law 81 of 2019 on Personal Data Protection, together with its implementing regulations issued by Executive Decree in 2021, constitutes Panama’s principal general data protection regime. The law recognizes several rights of data subjects regarding their personal data, including principles of lawfulness, purpose limitation, security, transparency and, within its scope, data portability. However, this framework does not impose mandatory financial data-sharing obligations between institutions nor establish interoperability standards that would enable an Open Finance model as internationally understood.

In practice, certain institutions have begun exploring contractual data-sharing arrangements and strategic partnerships with fintech companies, demonstrating that ecosystem development may progress incrementally even prior to formal regulation.

Key friction points for the development of a more open financial data ecosystem include: the absence of sector-specific fintech regulation addressing open data-sharing among providers; - the lack of mandatory technical API standards enabling interoperability between banks and third parties; and - regulatory gaps in electronic payment systems that would facilitate continuous and automated financial data flows.

In this context, any evolution toward Open Finance in Panama will depend on future regulatory developments, which currently lack imminent legislative or executive backing, although the institutional and business environment reflects increasing openness to financial innovation.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Javier Yap Endara (Panama): As of March 2026, Panama does not have specific regulation directly addressing Artificial Intelligence—including generative AI—in financial services, nor does it impose specific rules regarding algorithmic transparency, model explainability or automated credit decision-making.

This regulatory landscape has nonetheless allowed financial institutions to experiment with and integrate AI-based solutions within existing regulatory frameworks, providing a degree of structural flexibility.

However, this does not mean that AI-related activities operate in a regulatory vacuum. Financial institutions implementing AI tools must comply with the existing general regulatory framework, including:
- prudential and operational risk management regulations applicable to entities supervised by the Superintendence of Banks of Panama (SBP) or the Superintendence of the Securities Market (SMV);
- internal control and corporate governance rules;
- financial consumer protection obligations;
- cybersecurity and business continuity requirements; and
- the general personal data protection regime under Law 81 of 2019.

Within this framework, automated credit scoring models or AI-based risk management tools must be integrated into existing internal risk management and control systems and remain subject to ordinary regulatory oversight by financial supervisors.
Regarding regulatory testing environments, Panama has not implemented a formal fintech or AI regulatory sandbox in the financial sector. Although legislative proposals aimed at regulating or promoting emerging technologies have been introduced in recent years, none have been enacted or are currently close to implementation.

Consequently, the prevailing regulatory approach in Panama may be characterized as the application of general regulatory frameworks to emerging technologies, rather than the adoption of sector-specific AI regulation—an approach that provides a manageable space for innovation for sophisticated market participants that properly structure their business models.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Javier Yap Endara (Panama): Unlike Brazil’s Pix or Mexico’s SPEI systems, Panama has not adopted a mandatory 24/7 instant payment system led by the regulator, nor does it currently have comprehensive legislation establishing mandatory interoperability between banks and non-bank payment service providers.
This has not prevented the Panamanian banking sector from gradually modernizing its payment infrastructure through private-sector initiatives and technological improvements within the existing system.
Within the banking system, the ACH Panamá network has incorporated more agile electronic transfer mechanisms, including functionalities such as ACH Xpress. However, these developments have been driven primarily by banking sector initiatives rather than by a legal mandate for open interoperability in the Open Banking or Open Finance sense.

At present, Panama does not have a single comprehensive licensing regime for non-bank payment service providers comparable to regulatory models adopted in other jurisdictions in the region. In practice, fintech business models are structured within existing regulatory frameworks depending on the specific activities performed.

Nevertheless, this functional approach has allowed various fintech models to operate by fitting within existing regulatory categories, creating an environment that—while requiring careful legal analysis—remains open to innovation.

The applicable regulatory landscape may include, among others:
- banks supervised by the Superintendence of Banks of Panama (SBP), where payment services are offered directly by banking institutions;
- issuers of payment instruments or electronic money, which may fall under SBP oversight particularly for anti-money laundering (AML/KYC) purposes pursuant to Law 23 of 2015 and related regulations;
- remittance companies regulated under Law 48 of 2003, primarily applicable to traditional money transfer activities depending on the operational structure; and
- non-bank correspondents authorized under banking regulations to expand distribution channels for supervised entities.

To date, no new sector-specific licensing requirements have been introduced for non-bank PSPs, nor has a mandatory 24/7 interoperability regime been implemented. The regulatory framework remains fragmented and activity-based rather than structured around a distinct fintech regulatory category.

Consequently, Panama maintains a functional regulatory approach: the applicable regulatory regime depends primarily on the type of activity performed—such as deposit-taking, payment instrument issuance, remittance services or banking operations—and the entity conducting it, rather than on the underlying technology employed.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Javier Yap Endara (Panama): In Panama, the regulatory framework applicable to Real World Asset (RWA) tokenization remains nascent and is characterized by the absence of specific regulation dedicated to this matter. Despite this, certain tokenization structures have emerged in practice under existing legal frameworks, particularly through innovative contractual and corporate arrangements.

RWA tokenization: There is currently no specific legal provision regulating tokenization of assets. In practice, however, tokenization structures have been developed under existing corporate and commercial law frameworks without a specialized regulatory regime for such instruments. The Superintendence of the Securities Market (SMV) has maintained that cryptoassets, in general terms, do not constitute securities per se under Panamanian law—a position reiterated in recent administrative statements.

Stablecoins: Stablecoins are not subject to specific regulation in Panama. Generally, cryptoassets have been treated as digital assets that do not constitute legal tender or regulated financial instruments by default. Nor is there a dedicated regime governing their use as electronic payment instruments. The absence of a specific framework has allowed some degree of market experimentation, provided that interactions with supervised financial institutions are carefully structured.

AML, remittances and the "travel rule": Panama has not yet adopted a specific regulatory regime for Virtual Asset Service Providers (VASPs), nor has it formally implemented the FATF "travel rule" for virtual asset transfers. Nevertheless, anti-money laundering obligations under Law 23 of 2015 fully apply to financial reporting entities—including banks, remittance companies and payment instrument issuers—even when dealing with funds linked to cryptoassets.

Accordingly, if a supervised institution participates in the conversion, custody or transfer of funds associated with stablecoins, its AML/KYC obligations remain fully applicable under the general framework. What is currently lacking is a unified regulatory regime governing virtual asset service providers as an independent category with specific compliance obligations such as the travel rule.

Several legislative initiatives aimed at creating a comprehensive framework for virtual assets and VASPs—including AML/CFT supervision—have been introduced in recent years; however, none have been enacted or are close to implementation.

As a result, the regulatory treatment of RWAs and stablecoins in Panama continues to rely on the indirect application of existing frameworks and case-by-case legal analysis, with a degree of uncertainty regarding future legislative developments.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Javier Yap Endara (Panama): Panama’s regulatory regime operates primarily under the principle of territoriality. Activities conducted in or from Panama may fall under local supervision depending on the nature of the activity and the entity performing it.

Conversely, purely offshore or reverse-solicitation models—where services are provided from abroad without physical presence, infrastructure or active marketing in Panama—may reduce local regulatory exposure. However, such determinations require case-by-case analysis considering factors such as physical presence, local bank accounts, counterparties, operational structures and the flow of funds.

Panama continues to position itself as a regional financial and logistics hub, making proper structuring of cross-border operations particularly important.

For international fintech firms operating in or from Panama, or engaging with locally supervised entities, key considerations include: Cyber-resilience.
Law 81 of 2019 on Personal Data Protection requires entities to adopt appropriate technical, organizational and administrative measures to safeguard personal data against alteration, loss, unauthorized access or improper processing. Entities handling customer data must implement security controls, incident management protocols and breach-response mechanisms.
For supervised financial institutions, additional requirements relating to business continuity, operational risk management and internal controls arise from prudential regulations issued by the Superintendence of Banks of Panama (SBP) or the Superintendence of the Securities Market (SMV), as applicable.
AML / KYC: Law 23 of 2015 establishes the general framework for the prevention of money laundering and terrorist financing. AML/KYC obligations apply fully to financial reporting entities, including banks, remittance companies, payment instrument issuers and other supervised institutions.

These obligations include:
- risk-based compliance frameworks;
- customer due diligence;
- ongoing transaction monitoring;
- suspicious transaction reporting;
- record-keeping requirements; and
- internal compliance programs.

Where a fintech interacts with supervised entities—for example through local bank accounts or payment issuance structures—these AML/KYC obligations may indirectly shape its operational model.

Accordingly, the principal challenge for international operators is not a standalone fintech regulatory regime—which currently does not exist—but rather structuring their business models appropriately to determine whether activities fall within the local regulatory perimeter and, where applicable, achieving banking access while complying with data protection, risk management and AML requirements applicable to supervised entities in Panama.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted.

Javier Yap Endara (Panama): The legal and regulatory treatment of digital assets in Panama has remained relatively stable since 2018 and continues to be characterized by the absence of specific regulation directly governing such assets. Nevertheless, multiple legislative initiatives have been introduced during this period with the objective of establishing a comprehensive framework for virtual assets, though none have ultimately resulted in enacted legislation.

Current regulatory position: Panamanian financial authorities have consistently maintained that cryptoassets, in general terms, do not automatically qualify as securities, financial instruments or legal tender under Panamanian law. This approach results in a relatively neutral regulatory environment that nonetheless requires case-by-case legal analysis.

Legislative initiatives: Since 2018, several legislative proposals—at least four—have been introduced with the aim of regulating virtual assets, tokenization and digital asset service providers. However, none have been enacted into law nor are currently close to implementation. Consequently, Panama does not yet have a comprehensive licensing regime for virtual asset service providers nor specific regulation governing blockchain-based tokenization or digital securities issuance.
The recurrence of these legislative initiatives indicates that the issue remains firmly on the public and regulatory agenda, suggesting that a more structured regulatory framework could eventually emerge.

Financial institutions and blockchain: In practice, some Panamanian banks have, under particular circumstances and subject to enhanced compliance controls, allowed the opening of accounts receiving funds derived from the sale or conversion of cryptoassets. However, such cases remain the exception rather than the norm within the local financial system. Likewise, there is no systematic adoption of distributed ledger technologies by regulated financial institutions for internal operations.
Nevertheless, there are indications of gradual openness under robust compliance frameworks.

Outlook: While the administrative position has not changed substantially since 2018, the absence of a comprehensive legislative framework continues to create a meaningful degree of legal uncertainty, particularly regarding:
- structured products or derivatives linked to cryptoassets;
- institutional custody models; and
- the potential creation of a dedicated regulatory regime for virtual asset service providers.
In summary, Panama maintains a model of relative regulatory neutrality toward digital assets, relying on the application of existing legal frameworks and case-by-case structural analysis, while the possibility of future legislative development remains under consideration. This positioning combines regulatory prudence with strategic opportunities for sophisticated operators in the evolving digital asset ecosystem.

PARAGUAY | BERKEMEYER | Manuel Arias


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Manuel Arias (Paraguay): Paraguay is entering 2026 with its strongest progress in what could be called Open Payments (interoperable, faster payments and broader participation), rather than a fully mature Open Finance/Open Data framework. The legal shift is anchored in Law No. 7.503/2025 (National Payment System), which modernizes the governance of the payments ecosystem and reinforces the Central Bank of Paraguay ("BCP") role as rule-setter and supervisor.

That said, Paraguay is not yet at a stage where the market operates under a single, standardized, mandatory "Open Data" model (e.g., common APIs for sharing bank account data, insurance data, investments data, etc., across the industry). Openness is most tangible in payments initiation and interoperability, with the adoption of standardized interoperable QR codes and other similar developments, while broader data portability is still developing.

Remaining friction points for data portability (typical in Paraguay today): No unified API standard for financial data beyond payments (payments have clearer rails; data-sharing is still fragmented by institution and product line).
Data governance is still catching up: institutions are improving systems, but structured, machine-readable portability is uneven (especially across legacy cores).

Consent and accountability mechanics are still maturing, particularly in light of the new Personal Data Protection Law (Law No. 7.593/2025), which has a 24-month implementation period before full enforceability.
Allocation of responsibility in multi-actor ecosystems (when a third party initiates a payment or processes data) is improving, but still a practical challenge.
Cybersecurity expectations are rising quickly, and that tends to slow "open data" expansion until governance and controls are fully in place.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Manuel Arias (Paraguay): Paraguay’s approach in 2026 is best described as supervisory and risk-based, rather than a single "AI-specific" financial statute. In practice, AI use is being channeled through:

(a) Data rules and consumer-impact controls (indirectly shaping AI): Credit data rules remain a key anchor for automated credit decisions because they govern how credit information is collected, updated, and used – even if they do not explicitly reference "AI" – a through Law No. 6.534/2020 "On the protection of personal credit data" (which is currently in force until Law No. 7.593/2025 becomes applicable).
Law No. 7.593/2025 (Personal Data Protection) will likely become a major driver of model governance (transparency, accountability, security), but it is not yet fully enforceable given its implementation period as referenced in Q1.

(b) Prudential supervision and internal governance expectations:
The BCP tends to regulate outcomes through governance, internal controls, risk management, and security requirements—which naturally capture model risk, automated decisioning, fraud analytics, and AI-driven monitoring.

(c) Sandboxes / controlled environments:
Traditionally, Paraguay does not tend to rely on a single, branded, "one-stop" AI sandbox. Instead, innovation has been absorbed through regulated categories and supervised rollouts in payments (e.g., formal PSP roles and payment initiation). This in practice functions as a pragmatic and more controlled perimeter for innovation without over-claiming a standalone sandbox regime.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Manuel Arias (Paraguay): Paraguay has been moving toward always-on payments through the local payment system and clearing facility "SIPAP", along with its current instant payment system "SPI" developments; more recently, this move was upgraded through a clearer legal backbone under Law No. 7.503/2025 which empowers the BCP to set rules for the ecosystem and to support innovation, interoperability, and safe functioning of the payment system.

On the "mandatory interoperability" side, the BCP has been issuing specific implementing regulations. A clear example is the BCP’s interoperability/interconnection regulation for credit/debit card systems (December 2025), which is mandatory for PSPs within scope and focuses on non-discrimination, efficiency, and competition.

What is "hitting PSPs" entering 2026 (practically): Role definition + registration + security/transparency duties: BCP’s Resolution No. 25 (Dec., 2025) approves a rulebook defining PSP roles and imposing requirements on registration, transparency, and information security.

Payment initiation licensing/authorization: BCP also issued a dedicated authorization framework for Payment Initiation Service Providers (PISP) within SIPAP (Aug., 2025), bringing fintech payment initiators into BCP sphere of influence and supervision.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 

Manuel Arias (Paraguay):
RWA tokenization: In Paraguay, the main structural development is the modernization of the securities framework under Law No. 7.572/2025 (Securities and Products Market). While the law does not expressly refer to tokenization, blockchain, or digital tokens, it adopts a technologically neutral approach and strengthens supervisory powers and electronic recordkeeping mechanisms. In this context, the principal legal and regulatory challenges for RWA tokenization include:
Legal characterization: determining whether a token qualifies as a security, negotiable instrument, participation right, or merely a contractual claim. This classification directly impacts licensing, disclosure obligations, custody requirements, and secondary trading rules.

Custody and enforceability: ensuring that the token holder’s rights over the underlying asset are legally enforceable and properly recorded under Paraguayan law.

Public offering perimeter: assessing whether token distribution triggers public offering rules or intermediary licensing requirements under the new securities’ law.

Market infrastructure alignment: evaluating whether token-based trading platforms fall within regulated exchange, brokerage, or intermediation categories.

At present, tokenization is analyzed on a case-by-case basis, considering the economic substance of the instrument rather than its technological format.

Stablecoin remittances + AML "travel rule": Paraguay does not currently regulate stablecoins under a dedicated securities regime. Instead, stablecoin-based remittances are generally assessed under the anti-money laundering framework applicable to virtual assets and Virtual Asset Service Providers (VASPs/PSAVs).

The anti-money laundering authority’s (SEPRELAD) Resolution No. 314/2021 subjects virtual asset service providers to AML/CFT obligations, including:
- Risk-based compliance programs
- Customer due diligence (KYC)
- Ongoing monitoring
- Suspicious transaction reporting
- Recordkeeping

Regarding "travel rule" expectations, Paraguay follows FATF standards requiring identification and traceability of parties involved in virtual asset transfers. However, compliance is implemented through supervisory requirements and AML programs rather than through a standalone "travel rule statute."

In practice, the regulatory focus remains on AML/CFT compliance and risk mitigation, rather than on treating stablecoins as regulated securities per se.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Manuel Arias (Paraguay): International fintechs expanding into Paraguay typically face three big "make-or-break" hurdles:

(1) Licensing/registration perimeter
If the fintech operates in areas such as  payments, onboarding, initiation, or wallet-like services, the BCP’s PSP/PISP frameworks increasingly require formal registration/authorization and ongoing compliance (security, transparency, governance).

(2) Cyber-resilience expectations
Even when not branded as a "cyber law," the PSP rules and interoperability requirements are raising the floor on incident readiness, security controls, third-party risk, and operational continuity.

(3) AML/KYC alignment
If the model involves virtual assets, payment gateways, e-money issuers, remittance services, or otherwise interfaces with regulated payment infrastructures, the applicable AML/CFT framework becomes central. In Paraguay, this includes SEPRELAD’s PSAV regime for virtual asset service providers, as well as the broader compliance perimeter applicable to financial and payment service providers: implementation of a risk-based AML program, customer due diligence (including enhanced due diligence where required), transaction monitoring, suspicious transaction reporting, and proper recordkeeping.

Cross-border models must additionally address practical challenges such as reliable remote identity verification, beneficial ownership checks for corporate clients, data protection constraints, and consistent compliance standards across jurisdictions.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Manuel Arias (Paraguay): Paraguay’s approach can best be described as gradual formalization rather than broad legalization of digital assets. The regulatory response has evolved primarily through existing financial and AML frameworks, rather than through a comprehensive "crypto/digital law."

Two main tracks are visible:
- AML perimeter first (most concrete development to date)
- Digital assets have been incorporated into the regulatory landscape mainly through SEPRELAD’s framework on virtual assets and Virtual Asset Service Providers (VASPs/PSAVs). Under Resolution No. 314/2021, these providers are subject to AML/CFT obligations, including:
- Risk-based compliance programs
- Customer due diligence (KYC)
- Ongoing monitoring
- Suspicious transaction reporting
- Recordkeeping

In practical terms, the State’s first priority has been risk mitigation (money laundering and terrorist financing) rather than financial market innovation. This has brought exchanges and certain crypto intermediaries into a compliance perimeter, even in the absence of a broader crypto regulatory statute.

Capital markets modernization (indirect but relevant development): With the enactment of Law No. 7.572/2025 (Securities and Products Market), Paraguay modernized its securities framework and strengthened supervisory powers under a technologically neutral approach. The law does not expressly regulate blockchain, tokens, or digital assets. However, it reinforces electronic recordkeeping mechanisms and expands supervisory tools.

As a result, when a digital token economically qualifies as a security or market instrument, it may fall within the scope of the securities regime based on its substance rather than its technological form.

This creates a clearer — though still case-by-case — pathway for structuring compliant tokenization models, particularly where tokens represent negotiable instruments or participation rights.

PERU | ESTUDIO RODRIGO | Nydia Guevara


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?
 
Nydia Guevara (Peru): As of early 2026, Peru has not yet transitioned to a mature Open Finance or Open Data economy. Rather, the country remains in a preparatory and design stage, following a regulator?led, phased roadmap issued by the Superintendence of Banking, Insurance and Pension Funds (SBS) (the "Hoja de Ruta de Finanzas") which explicitly recognizes Open Finance as a future target state rather than a current reality.

That said, several regulatory and policy developments provide an enabling foundation for a future transition toward an Open Finance and Open Data framework. In particular, since 2022 the Central Bank of Peru ("BCRP") has issued regulations aimed at promoting interoperability in payment systems, especially in the retail payments space. These measures have strengthened the digital payments infrastructure and facilitated the entry of new participants, including fintech companies, thereby laying important groundwork for data?driven financial services.

In parallel, the SBS has implemented innovation?oriented regulation. Notably, the recently modified Regulation for the Temporary Conduct of Activities under Innovative Models (SBS Resolution No. 2429?2021) has allowed for the controlled testing of innovative solutions and the participation of new actors, including fintech, under a sandbox?type approach. This framework is aimed to support experimentation while preserving supervisory oversight and financial stability.

Notwithstanding these advances, significant friction points remain. These include the absence of specific enacted legislation governing Open Finance, the lack of agreed technical standards (such as common APIs and data formats), and the need to further develop comprehensive frameworks for data protection, privacy and cybersecurity. As acknowledged by the SBS in its Hoja de Ruta de Finanzas, a higher degree of interconnection increases exposure to operational and security risks, making it essential to adopt robust safeguards such as strong authentication and authorization mechanisms, end?to?end encryption, continuous monitoring and effective incident?response capabilities, together with clear rules ensuring that shared data is used strictly within the scope and purposes authorized by users.

Against this backdrop, Peru is looking ahead to the progressive implementation of the SBS Hoja de Ruta de Finanzas, which envisages a gradual transition to an Open Finance model. This phased approach seeks to reduce implementation risks, align stakeholders around common technical and governance standards, and build user trust, ultimately enabling sustainable data portability and the development of a fully functioning Open Finance ecosystem.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?
 
Nydia Guevara (Peru): On September 9, 2025, Supreme Decree No. 115?2025?PCM was published, approving the Regulations of Law No. 31814, the Artificial Intelligence Law (the "Regulation"), which provides for a gradual implementation regime. Although the Regulation does not exclusively govern the application of AI in the financial system, it establishes general, cross-sectorial guidelines applicable to the development, implementation, and use of AI systems, including those deployed in financial services.

Under this framework, Peru has adopted a risk-based regulatory approach to AI governance that applies equally to public and private actors, including financial institutions and fintech. Rather than a sector-specific AI regime for finance, the Regulation provides general rules that directly affect algorithmic transparency, automated credit decisions, and AI?driven risk management when such systems qualify as high-risk.

The Regulation classifies AI systems according to their level of risk. In this context, AI systems used for automated credit evaluation of individuals are expressly categorized as "high-risk", except where AI is used solely for fraud detection. High-risk classification triggers enhanced obligations for developers and implementers, which are particularly relevant for AI-based credit scoring and decision-making tools used in the financial sector.

With respect to algorithmic transparency, the Regulation requires developers and implementers of high-risk AI systems, to adopt mechanisms that allow users to understand the system’s purpose, main functionalities, and the types of decisions it may take. Where automated decisions have an impact on fundamental rights—such as access to credit—affected users must be provided with explanations of the results, including the key criteria and factors used in the automated decision-making process, expressed in clear and accessible language. These obligations apply directly to AI-driven credit decisions in financial services.

Regarding AI-driven risk management, the Regulation mandates that high-risk AI systems be subject to prior risk impact assessments aimed at identifying, mitigating, and documenting risks to fundamental rights, including discrimination and erroneous automated outcomes. In addition, developers and implementers must apply risk-based security and robustness measures, and ensure human oversight, with the ability for trained personnel to intervene, correct, or invalidate automated decisions in sensitive areas such as finance.
 
3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?
 
Nydia Guevara (Peru): Peru has taken concrete steps toward payment interoperability and instant payment infrastructure through a combination of regulatory frameworks.
 
From an operational perspective, the Immediate Transfer Compensation Service, as regulated by BCRP Circular No. 0021?2024, provides the infrastructure for instant interbank transfers operating 24 hours a day, 365 days a year. Under this framework, participants submit immediate transfer orders through authorized clearing infrastructures operated by Enterprises of Clearing and Settlement Services (ESEC). Transfers may be initiated using interbank account codes (CCI), aliases (such as mobile phone numbers), or QR codes, and must be credited to the beneficiary within a maximum of 30 seconds from the moment of acceptance. The net positions resulting from the compensation process are subsequently settled through the Real-Time Gross Settlement System (Sistema LBTR), administered by the BCRP.

Complementing this instant transfer infrastructure, BCRP Circular No. 0024?2022 establishes a mandatory interoperability regime applicable to payment service providers, payment arrangements, and payment systems that offer certain retail payment services. In particular, entities providing digital wallets, immediate payment functionalities embedded in mobile banking applications, or instant transfer services are required to implement interoperability. The regulation sets out core principles such as non?discrimination, technological neutrality, neutrality as to payment instruments and accounts, transparency of fees, and user?oriented design, and expressly prohibits exclusivity arrangements or other practices that may restrict interoperability.

On the licensing and registration side, BCRP Circular No. 0022?2025, which approved the Payment System Regulations and enters into force on April 1, 2026, introduces a differentiated authorization and registration regime for payment service providers within the National Payment System. The Payment System Regulations formally defines Payment Service Entities (Entidades de Servicios de Pago – ESP for its acronym in Spanish) as a distinct category of Payment Service Providers that are not authorized to offer deposit or electronic money accounts and therefore fall outside SBS prudential supervision.

ESPs that operate as direct or indirect participants in a Payment System or in a Prominent Payment Arrangement are required to obtain prior authorization from the BCRP, subject to minimum capital and net worth requirements and a detailed authorization file. By contrast, ESPs that do not participate in such infrastructures are subject only to a registration regime before the BCRP, which is expressly informational and does not imply approval or certification by the BCRP. The Payment System Regulations also establishes phased transition deadlines for existing ESPs based on their average transaction volumes, while allowing entities to continue operating during the authorization or registration process.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws? 
 
Nydia Guevara (Peru): There is no specific regulatory framework in Peru governing the tokenization of real-world assets, yet. Regarding stablecoin-based remittances, the primary regulatory development is AML-focused rather than market-structure oriented.

Stablecoins qualify as virtual assets, consequently, companies that offer services such as the exchange, transfer, or custody of stablecoins would be considered as Virtual Asset Service Providers (VASPs) and subject to the AML/CFT compliance regime established under Supreme Decree No. 006-2023-JUS and SBS Resolution No. 02648-2024. Under this framework, VASPs must implement AML/CFT prevention system (SPLAFT). It is important to note, however, that this obligation to implement a SPLAFT applies exclusively to VASPs (individuals or legal entities) incorporated or domiciled in Peru.
 
With respect to the Travel Rule, although this obligation was incorporated into SBS Resolution No. 02648-2024, the specific section of the Resolution governing the Travel Rule will not enter into force until August 1, 2026. Once effective, the Travel Rule will impose on VASPs the obligation to obtain, retain, and securely transmit specific information on both the originator and the beneficiary of domestic and cross-border virtual asset transfers, whenever they send or receive such transfers for or on behalf of a client, in order to ensure the identification of both parties and full transaction traceability. Additionally, transfers involving self-custodied wallets will require the VASP to request the relevant originator or beneficiary information from its client, and failure to obtain it must result in the transaction being halted and the evaluation of a suspicious transaction report.
 
5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?
 
Nydia Guevara (Peru): On the AML/KYC front, the primary challenge lies in reconciling fast, low-cost cross-border payment flows with jurisdiction-specific due diligence requirements. International fintech companies seeking to operate in Peru may, depending on the nature and scope of their activities, qualify as Obligated Subjects and be required to implement a SPLAFT. In such cases, they must adapt their onboarding, monitoring, and transaction-screening processes to local standards, while ensuring that customer identification, risk scoring, and ongoing monitoring remain effective across multiple jurisdictions. This is especially relevant where stablecoins or other digital rails are used for remittances, as regulators increasingly expect, as described above, traceability equivalent to traditional wire transfers, including compliance with FATF-inspired "travel rule" requirements and enhanced scrutiny of cross-border flows.
 
6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?
 
Nydia Guevara (Peru): Peru has not enacted a comprehensive digital asset or crypto asset legal framework, yet. The only substantive regulatory development to date remains the AML/CFT regime applicable to VASPs described in section 4.
 
SPAIN | FinReg 360 | Jorge Ferrer Barreiro | Mariona Pericas Estrada


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): In Spain, the transition from Open Banking to Open Finance is accelerating on the basis of several key pillars: (i) an increasingly developed and competitive payments services offering involving both new market entrants and traditional financial institutions, which has generated new financial-sector use cases such as wealth aggregation across savings and investment positions; (ii) the forthcoming entry into force of the revised European payments framework, including Payment Services Directive 3 and the new Payment Services Regulation, aimed at improving data-sharing mechanisms; (iii) the European Digital Finance Strategy and the proposed Financial Data Access Regulation, currently under discussion at EU level; and (iv) the Data Act, which formally recognizes a broader right to data portability beyond the banking sector.

The most significant qualitative shift from Revised Payment Services Directive lies in the expansion of scope: not only payment accounts, but potentially investment products, insurance, credit and other non-bank financial data. Although the Open Finance framework will not become fully operational until FiDA is finally adopted, the Spanish ecosystem has already taken meaningful steps to improve data exchange through APIs and enhanced authentication systems. In parallel, private initiatives aimed at facilitating financial data exchange between institutions—such as the European Data Exchange (EDX)—are also emerging.

Nevertheless, several important frictions remain. Among the most relevant are technical heterogeneity across APIs and service-level standards, as well as the management and renewal of customer consent.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): In Spain, the regulatory framework for artificial intelligence in financial services is primarily shaped by the Artificial Intelligence Act, which introduces a harmonized definition of AI systems and a risk-based regulatory approach.
AI applications used in automated credit decisions, risk management or financial advisory services may qualify as "high-risk" systems when they significantly affect clients’ economic rights. This classification triggers enhanced requirements relating to governance, data quality, traceability, human oversight and risk management.

The European Commission has also issued interpretative guidelines clarifying the definition of AI systems—an especially relevant development for the financial sector, where many tools combine advanced automation with human supervision.

Additionally, the use of AI in investment services must be assessed under Markets in Financial Instruments Directive II. The European Securities and Markets Authority (ESMA) has emphasized that the duty to act in the client’s best interests, transparency obligations and internal governance requirements remain fully applicable when AI tools—including generative or third-party solutions—are used.

This entails specific obligations regarding transparency, ex-ante and ex-post controls, model documentation and oversight by both the board of directors and internal governance structures. In parallel, DORA introduces cross-sector digital resilience requirements that are particularly relevant where AI models rely on critical technology providers.

Spain also offers an institutional environment that allows innovative solutions to be tested through the national financial sandbox. Although supervisory doctrine on generative AI remains in its early stages, projects incorporating AI tools to enhance financial advisory processes have already been admitted, reflecting a cautious but open approach by regulators.
Overall, the framework is not one of deregulation but rather of progressive integration of AI into financial services while preserving existing prudential and conduct obligations.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): In Spain, the widespread adoption of instant payments has not been driven by a domestic initiative but by the new European Instant Payments Regulation, which amended the SEPA framework to make the reception—and progressively the sending—of euro-denominated instant transfers mandatory.
The Regulation requires 24/7 availability, settlement within a maximum of ten seconds and pricing comparable to standard transfers. This has represented an unprecedented step forward in the account-to-account payments ecosystem.

The initiative forms part of the EU’s broader strategy to develop secure, efficient and low-cost payment systems while also promoting greater European independence from foreign card schemes such as Visa Inc. and Mastercard Incorporated.

In this context, Bizum—the Spanish account-to-account payment system promoted by the domestic banking sector—along with other similar initiatives such as Bancomat Pay (Italy), MB Way (Portugal), Wero (France, Germany and Belgium) and Vipps (Denmark, Finland, Norway and Sweden), have launched a joint project to enable secure, instant and fee-free transfers between individuals and merchants across Europe. The platform is expected to become operational between late 2026 and early 2027.

This transition entails significant technical and risk-management requirements, including resilient infrastructure, beneficiary verification mechanisms and reinforced real-time fraud, anti-money laundering and counter-terrorist financing controls.

In parallel, public and private initiatives such as the potential Digital Euro and banking-sector projects aimed at issuing stablecoins promise to further enhance the efficiency and security of European payments while also improving cross-border payment capabilities.

From a regulatory perspective, PSD3 will integrate the licensing regime for electronic money institutions as an additional service category within payment institutions, making the latter the primary licence through which all payment services can be provided. Combined with the regulatory changes enabling direct access to clearing systems and the instant nature of payments, these developments are expected to drive significant growth in new entrants and innovative payment solutions.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): In Spain, asset tokenization is primarily developing within two regulatory spheres: cryptoassets governed by the Markets in Crypto?Assets Regulation and financial instruments operating under the EU DLT Pilot Regime.

MiCA and the DLT Pilot Regime Regulation have provided the legal certainty needed for financial institutions to innovate. MiCA regulates the issuance of and services relating to cryptoassets that are not classified as financial instruments, including stablecoins. Meanwhile, the DLT Pilot Regime enables market infrastructures to trade and settle financial instruments using distributed ledger technology under regulatory supervision, recognizing DLT as a valid method for registering and issuing financial instruments.

Another emerging trend is the tokenization of bank deposits and the issuance of e-money tokens regulated under MiCA, which could significantly transform payment infrastructures and strengthen financial connectivity between Europe and Latin America.

A particularly relevant use case concerns cross-border remittances using e-money tokens (EMTs). In Europe, these services receive dual regulatory treatment: they qualify as cryptoassets under MiCA while also being treated as electronic money and payment services under PSD2—and, in the future, PSD3 and the Payment Services Regulation.

Although this interaction between regulatory regimes has sparked debate regarding licensing and capital requirements, it has not hindered innovation. For example, a consortium of more than ten major European banks is currently exploring the issuance of an EMT.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): For international operators wishing to provide services in Spain—either through EU passporting or via domestic licensing—requirements relating to operational resilience and anti-money laundering and counter-terrorist financing will remain central compliance pillars.

At the European level, the Digital Operational Resilience Act requires financial institutions to implement governance frameworks, periodic testing and robust risk-control systems, with particular focus on critical technology providers. DORA has rapidly become a cornerstone of financial institutions’ technology strategies and cybersecurity standards.

At the same time, the forthcoming EU AML package—including the establishment of the new Anti?Money Laundering Authority—seeks to fully harmonize AML and counter-terrorist financing rules across Europe. While this will raise regulatory standards in areas such as due diligence, remote identification, beneficial ownership transparency and enhanced scrutiny of international transfers, it ultimately represents a positive development for foreign operators who currently face fragmented regulatory regimes across EU Member States.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Jorge Ferrer Barreiro, Mariona Pericas Estrada (Spain): In Spain, the legal treatment of digital assets has evolved from an early phase of regulatory uncertainty to a comprehensive European framework in which MiCA and the DLT Pilot Regime represent a turning point.

The implementation of MiCA, together with the revised EU Transfer of Funds Regulation ("Travel Rule") and the forthcoming AML harmonization package, has shifted the regulatory approach from fragmentation toward a coherent system encompassing issuance rules, service provision, capital requirements, governance, transparency and compliance obligations.

Europe has chosen to regulate earlier than other major economic blocs, providing the market with legal certainty and fostering the institutionalization of the sector.
As a result, cryptoassets are increasingly viewed not as an alternative phenomenon but as a regulated asset class integrated into the financial system—although market offerings remain cautious and limited in scope. Entities providing cryptoasset services must now comply with organizational, prudential and conduct requirements comparable to those imposed on traditional financial institutions.

MiCA also establishes a streamlined notification regime enabling already regulated financial institutions to provide cryptoasset services. In Spain and other EU jurisdictions, this has encouraged several banks to begin offering a limited range of cryptoassets to clients. In a second wave, investment firms are expected to follow.

Consequently, Spain now presents a regulatory environment that is demanding but also more mature and attractive for institutional investors and international operators.

In relation to tokenized financial instruments, Spain has taken additional legislative steps to support the DLT Pilot Regime. The Spanish Securities Market Law was amended to recognize DLT as a valid mechanism for the issuance and registration of financial instruments and to introduce the role of the "Entity Responsible for Registration and Record-Keeping" (ERIR), enabling primary issuance of financial instruments on DLT.

Furthermore, the financial sandbox has actively encouraged projects seeking to participate in the Pilot Regime, facilitating licensing processes and allowing market participants to test issuance and trading models.

Spain currently has one project operating under the updated Pilot Regime framework, four additional initiatives in development—several of which have participated in the sandbox—and three brokerage firms already authorized to provide ERIR services.

URUGUAY | GUYER & REGULES | Florencia Castagnola | Rodrigo Varela


1. As we move through 2026, how has your jurisdiction’s legal framework successfully transitioned from basic Open Banking to a mature "Open Finance" or "Open Data" economy, and what are the remaining friction points for data portability?

Florencia Castagnola, Rodrigo Varela (Uruguay): Uruguay does not yet have a specific legal or regulatory framework on open banking, open finance or "open data." Nevertheless, this is one of the most relevant topics on the current agenda of the local financial market, with the Central Bank of Uruguay ("BCU") being the main driver of its development, in line with the Payment System Roadmap to 2025, which expressly included as an objective the promotion of a legal framework and the launch of an open finance system.

Along these lines, in August 2024 the BCU published the document "Towards an Open Finance Ecosystem in Uruguay," which sets out the regulator’s preliminary vision for the design and implementation of the ecosystem. The document outlines the foundations of the system, identifies its participants, and addresses the central aspects of consent (aligned with Law No. 18,331 on the Protection of Personal Data), governance, monetization, risks and controls, applicable regulations and technical standards for access interfaces (APIs). It also envisages the drafting of a bill to be submitted to the Ministry of Economy and Finance and, in turn thereafter to Parliament, granting the BCU the necessary powers and formalizing the access to and transmission of data within the financial system.

To date, there is no specific approved regulatory project comprehensively addressing this matter, beyond the conceptual guidelines mentioned and the recent Decree No. 71/025, which empowers the Agency for the Development of Electronic Government and the Information and Knowledge Society (AGESIC) to authorize private entities to consume services made available by public entities through the Interoperability Platform managed by such agency (through which information in electronic format may be accessed and exchanged).

In this context, the main challenges that remain in this area are: (i) the design of a robust regulatory framework with clear rules for market participants, that takes into account the rights of data subjects and provides for reasonable incentive schemes recognizing the added value of the information transmitted by the participating institutions; (ii) the definition of a gradual participation scheme, with mandatory participation for banks and other financial institutions above certain thresholds and voluntary participation for other entities subject to the regulator’s consent; (iii) the implementation of an active consent model that is free, informed, express, specific, revocable and prior, in accordance with Uruguayan data protection requirements; (iv) the technical standardization and interoperability of access interfaces, aligned with international best practices; and (v) the mitigation of associated risks (legal, operational, cybersecurity, privacy, fraud, financial exclusion and reputational), as well as the articulation of an effective governance structure between the regulator and the industry.

2. With Generative AI now deeply integrated into financial services, what specific regulatory frameworks or "sandboxes" are currently being used to govern algorithmic transparency, automated credit decisions, and AI-driven risk management?

Florencia Castagnola, Rodrigo Varela (Uruguay): While Uruguay does not have a specific law on artificial intelligence, there are various applicable regulations, and in recent years specific provisions addressing the matter have been introduced. In particular, data protection, consumer protection and intellectual property regulations are applicable.

AGESIC is entrusted with the task of designing and developing a national data and artificial intelligence strategy based on international standards, for both the public and private sectors. Such strategy must be grounded on principles of equity, non-discrimination, responsibility, accountability, transparency, auditability and safe innovation.

Regarding automated decisions, Uruguayan data protection regulations provide that individuals have the right not to be subject to a decision with legal effects that significantly affects them and that is based on automated data processing intended to evaluate certain aspects of their personality, such as their work performance, creditworthiness, reliability or conduct, among others. The affected individual may challenge acts or decisions that involve an assessment of their behavior whose sole basis is the processing of personal data providing a definition of their characteristics or personality. In such cases, the affected individual will have the right to obtain information from the database controller both on the assessment criteria and on the program used in the processing that served to adopt the decision.

Also, within the framework of the design and development of the national data and artificial intelligence strategy, AGESIC must identify and propose measures in favor of innovation and promote the creation of controlled testing environments (sandboxes) aimed at implementing innovative technology projects in defined areas together with interested entities.

Further regulations establish a minimum governance scheme for the creation and management of controlled testing environments and data spaces, primarily aimed at the promotion of innovative projects — especially in the area of data use and artificial intelligence — that require regulatory exceptions, special authorizations or sponsorship by public entities.

Finally, in July 2024, AGESIC released a report with recommendations to regulate artificial intelligence in Uruguay, addressing different aspects, including intellectual property, civil liability and consumer rights, and data governance. The report also refers to controlled testing environments and highlights transparency and explainability as guiding principles.

In addition, for financial institutions supervised by the BCU, the use of AI-based services — where embedded within their core business — is subject to prior communication to the BCU and typically requires certain minimum content within the relevant service agreement, as well as a risk assessment of the risks associated with such outsourced service.

3. Following the regional success of systems like Pix or SPEI, how is your local legislation managing the mandatory shift toward instant, 24/7 payment interoperability, and what new licensing requirements are hitting payment service providers (PSPs) this year?

Florencia Castagnola, Rodrigo Varela (Uruguay): In Uruguay, the shift toward instant, 24/7 payment interoperability is not a recent or pending development: for several years the country has had in place a payment-system framework led by the BCU that has progressively delivered comparable functionalities through BCU-regulated rails subject to certain technical and operational limits (including caps per transaction as well as scheduled maintenance windows), allowing end-users to send and receive funds in real time across participating institutions.

Mandatory participation, interoperability and access conditions are addressed through the regulations issued by the BCU and the BCU’s strategic agenda set forth in the Payment System Roadmap to 2025 issued by the CBU, which constitutes the action plan currently in force for the development of the Uruguayan payment system.

The Roadmap is structured around the principles of financial stability, accessibility, promotion of competition, consumer protection, technological neutrality, prevention of money laundering and terrorist financing, and promotion of innovation, and sets forth specific work-streams aimed at, among others: (a) completing the implementation of comprehensive clearing systems with access to the entire regulated industry, 24/7 operation and high security standards, as the basis for the development of new products; (b) the implementation of an instant payments system aligned with international practices; (c) the development of a legal framework and the launch of an open finance system; among other issues.

On the licensing side, the BCU has recently expanded the regulatory perimeter for PSP-like actors, introducing new categories of authorization specifically tailored to transfer-based acquiring activity in connection with instant payments. Key friction points for new entrants accordingly include obtaining the BCU’s prior authorization (granted by the Gerencia de Sistema de Pagos), local incorporation requirements, safeguarding of customer funds, operational resilience and information-security standards, AML/CFT compliance, and effective access to the existing clearing and settlement infrastructure controlled by incumbent participants.

4. What are the legal and regulatory challenges of Real World Asset (RWA) tokenization in your market, and how are regulators treating stablecoin-based remittances under updated securities or "travel rule" anti-money laundering laws?

Florencia Castagnola, Rodrigo Varela (Uruguay): As of today, the BCU has expressed statutory competence to regulate and supervise issuers of stable virtual assets and providers of virtual asset services (PSAVs), following the inclusion of the same within the perimeter of the Superintendencia de Servicios Financieros under the BCU’s charter.

Building on its 2023 conceptual framework for virtual assets, the BCU on March 2026 released for public consultation a draft amendment to the Recopilación de Normas del Mercado de Valores introducing a full licensing regime for PSAVs (covering authorization, minimum capital and guarantees in favor of the BCU, governance, outsourcing, cybersecurity, AML/CFT and reporting). That project is, however, still in consultation and has not been formally approved, so today PSAV-specific regulation is not yet in force, even though the underlying legal competence of the BCU is.

On Real World Asset (RWA) tokenization specifically, there has been clear market interest in Uruguay in analyzing and moving forward with tokenizing assets of the real economy and several market participants have engaged with local counsels to structure such initiatives.

Formal RWA-specific regulation has not yet been issued, but it is a topic that the regulator has expressly taken into account: the BCU’s conceptual framework already proposed a substance-over-form taxonomy in which a tokenized asset that confers ownership, repayment or participation rights is treated as an "Activo Virtual Valor" or "Activo Virtual Estable" if collateralized by other currencies or assets and -in the BCU’s approach- falls within the securities-market perimeter, while utility tokens and pure exchange tokens are treated differently. The BCU is actively working on the implementing rules (including via the draft PSAV regulation), so the main near-term legal challenges for RWA structures continue to be classification, the licensing status of issuers and service providers.

With respect to stablecoin-based remittances, the regulatory approach – to be implemented pursuant to the draft PSAV regulation – seeks to align the AML/CFT and counter-proliferation financing (PLAFT/PADM) obligations of PSAVs with those already applicable to broker-dealers and investment fund managers, consistent with the FATF standards that treat virtual asset service providers as obligated subjects of the same hierarchy as traditional financial institutions.

Core obligations include: (i) a comprehensive AML/CTF system with risk assessment, policies and procedures, and transaction monitoring; (ii) a code of conduct approved by the highest executive body; (iii) customer due diligence for new and existing clients; (iv) enhanced due diligence for higher-risk clients; (v) record-keeping; and (vi) suspicious or unusual transaction reporting to the BCU’s Financial Information and Analysis Unit (UIAF).

In addition, the draft transposes a FATF-style "travel rule" for PSAV-to-PSAV transfers (domestic and cross-border), requiring accurate originator and beneficiary information to be included in the transfer message. Until the PSAV project is enacted, these specific obligations operate as the BCU’s stated policy direction rather than enforceable rules, but the underlying AML/CFT statute (Law No. 19,574) and the BCU’s general supervisory powers already apply to regulated entities that engage in virtual-asset operations.

5. As Fintech corridors expand across LatAm, what are the most critical cyber-resilience and AML/KYC hurdles that international firms must overcome to ensure seamless cross-border operations within your jurisdiction?
   
Florencia Castagnola, Rodrigo Varela (Uruguay): Notwithstanding certain particularities of the local market, Uruguay’s regulatory framework for payment systems is generally aligned with practices observed in other jurisdictions.

The main frictions tend to arise for firms operating on a cross-border basis, as they must simultaneously comply with a range of regulatory requirements and are exposed to heterogeneous compliance standards in each jurisdiction where they operate.

That said, for cross-border fintech corridors, the two "make-or-break" hurdles are (i) cyber-resilience/operational risk governance (including outsourcing and incident response), and (ii) AML/KYC localization.

On AML/KYC, the biggest operational hurdle is reconciling low-friction onboarding with Uruguay-specific identification/verification.

Specific frictions may also emerge in the area of personal data protection, given that Uruguayan data protection legislation is robust and that Uruguay is internationally recognized as a country providing an adequate level of data protection, which can give rise to tensions when interacting with regulatory frameworks of other jurisdictions that adhere to different standards.

6. Given the widespread and continuing global adoption of the value proposition of blockchain generally for the financial markets, how has the legal and regulatory treatment of digital assets changed or been impacted?

Florencia Castagnola, Rodrigo Varela (Uruguay): In Uruguay, the legal and regulatory treatment of digital assets has attracted significant attention from both the market and the regulator, in part because Uruguay positions itself as a technology and fintech hub in the region.

Over the past several years, the BCU has progressively expanded its regulatory perimeter to bring issuers and providers of virtual assets within the financial regulatory framework — including the express incorporation of issuers of stable virtual assets and virtual asset service providers among the entities subject to BCU regulation and supervision under its charter — and has identified the development of a dedicated regulatory framework for digital assets as one of the central pillars of its action plan for the coming years.

Although there is still no consolidated, fully-enacted digital assets regulations in force, the regulator is at a relatively advanced stage of the rulemaking process. The BCU has published a conceptual framework for the treatment of virtual assets and has already circulated for public consultation draft regulations designing new figures and licenses — most notably the regime applicable to Virtual Asset Service Providers (PSAV), to be incorporated into the Recopilación de Normas del Mercado de Valores — which has been revised to incorporate feedback received from market participants and the recent statutory amendments introduced to the BCU’s charter by Law No. 20.446.

On this basis, binding rules covering authorization, governance, AML/CFT, segregation of client assets, market conduct and disclosures for PSAV are expected to be issued and to begin taking effect in the medium term.