The Central Reserve Bank of El Salvador (BCR) has issued a technical regulation that governs the participation of Digital Asset Service Providers in the country’s payment systems. This measure marks a significant step towards regulating and supervising cryptocurrencies and other digital assets, enhancing the security and reliability of transactions in an increasingly digital financial world.

Our associate lawyer, Andrea Gómez, emphasized the importance of this technical regulation by stating that it “establishes a comprehensive regulatory framework for the participation of Digital Asset Service Providers in the country’s payment systems.” Additionally, Gómez highlighted that compliance with anti-money laundering and counter-terrorism financing regulations is crucial to prevent the misuse of these services for illicit purposes.

The regulation, consisting of five chapters, sets forth a series of requirements and procedures that digital asset service providers must follow to enter and participate in the payment systems managed by the BCR. Among the most notable aspects of this regulation are:

1. Entry Requirements: Digital asset service providers must be entities established in El Salvador. In the case of foreign legal entities, they must establish a legal entity within the country. Additionally, they must comply with the requirements set by the National Commission of Digital Assets and follow anti-money laundering and counter-terrorism financing regulations.
2. Application and Business Model Description: Providers must submit an application authorized by their board of directors and provide a detailed description of their business model, including information about the technological platform they will use.
3. Risk Management: They must have a risk management program that identifies potential operational and financial risks, including the risk of money laundering and terrorist financing.
4. Payment Systems Surveillance: The BCR, through its Payment Systems Surveillance Unit, will oversee authorized providers, with the ability to conduct on-site visits and access relevant information in case of investigations.
5. Minimum Security Requirements for Computer Systems: Providers must ensure the security of operations, including information logging and control, user identification and authentication mechanisms, and contingency procedures.