In Mexico, as in other parts of the world, fintech applications and regulations are still in development and under discussion. There are many fintech companies operating in Mexico but the legal framework under which they operate is, in many instances, still unclear. This legal uncertainty has been one of the main hurdles for fintech companies in obtaining financing and scaling their business.
However, over the past couple of years, ‘fintech’ has become a trendy topic in Mexico and has been associated with financial inclusion, a topic that has been on the agenda of Mexican policymakers for more than a decade, since the unbanked population in Mexico is still very high compared with similar developing nations and Mexico is even below the Latin American and Caribbean average for the number of adults with a bank account.2 Start-up companies gained momentum to pressure the regulator and lawmakers to develop a legal framework for them. Consequently, the Law to Regulate Financial Technology Companies (the Fintech Law) was recently enacted on 9 March 2018; the Fintech Law became effective one day after its publication and it is the main body regulating fintech companies and cryptocurrencies in Mexico.
The entire text of the Fintech Law may be accessed on the Federal Official Gazette’s official website.3 Discussions, press notes and other activities related to the Fintech Law, and topics related to fintech progress and legal trends prior to its issuance, may be accessed on the official websites of the Senate4 and the House of Representatives.5
The explanatory memorandum of the Fintech Law’s bill provides that it intends to be a principle-based regulation that will set forth the basis and minimum directives to regulate fintech companies while leaving most of the details to secondary regulations. This is expected to provide greater flexibility in the regulation of such a dynamic sector. The main principles are financial inclusion and innovation, fostering economic competition, consumer protection, financial stability preservation and the prevention of unlawful transactions.
While it is true that the spirit of the Fintech Law is to permit fintech companies to do business in Mexico, it is also true that Mexican financial authorities’ opinions are still divided on this topic. In our opinion, depending largely on how secondary regulation is drafted, Mexico could become a fintech-friendly jurisdiction but with clear oversight by financial regulators.
One important thing to consider is that, although the Fintech Law is already in force and secondary regulations are being drafted to allow fintech companies to start operating with legal certainty, tax laws have not been amended and we are not aware of any bill to amend tax laws in order to clarify how fintech companies and cryptocurrencies will be taxed.
In the following pages, we will describe the Fintech Law and the main principles and guidelines therein to regulate fintech companies.
i Licensing and marketing
The Fintech Law mainly seeks to regulate two kinds of fintech companies: (1) crowdfunding companies and (2) e-money companies.
Crowdfunding companies are defined as the technological platforms that connect people so that investors can fund investment seekers through mobile applications, interfaces, websites or any other means of electronic or digital communications. Their activities will be described further below. E-money companies are those entities that may provide issuance, administration, redemption and transmission of e-money. Both companies may operate with cryptocurrencies, which in accordance with the law are called ‘virtual assets’.
A special licence will be required to operate as a crowdfunding or an e-money institution, issued at the discretion of the National Banking Commission (CNBV) with the prior approval of the Inter-institutional Committee, which will comprise two members of the Ministry of Finance and Public Credit, two members of the CNBV, and two members of the Central Bank of Mexico (Banxico).
In general terms, entities interested in obtaining a licence to act as a fintech company shall be incorporated as corporations, setting forth in their corporate by-laws that: (1) their purpose is to engage in any of the fintech activities described in the Fintech Law (crowdfunding or e-money); (2) they are subject to the provisions set forth in the Fintech Law and relevant secondary regulation; (3) they designate a domicile within Mexico; and (4) they have a minimum capital, in accordance with their activities, that will be defined by the CNBV through secondary regulation. The ‘minimum capital’ will be determined based on the activities that fintech companies will perform or the risk that they will assume. This will permit differentiated regulatory requirements for companies at a different scale or level.
Applicants shall also provide: (1) the power of attorney granted, before a notary public, to the legal representatives to submit the request to be considered a fintech company; (2) a draft of corporate by-laws that comply with the requirements set forth above and others contemplated in the Fintech Law; (3) a business plan; (4) segregated accounts as provided in the Fintech Law; (5) the means and policies to comply with risk disclosure; (6) means and policies implemented regarding operational risks, confidentiality and evidence of having technological support for their clients, and compliance with the minimum security standards against fraud or cyberattacks; (7) operational controls and processes for client identification; (8) conflict-check policies; (9) AML, fraud prevention and non-terrorism finance policies; (10) agreements with other fintech companies for the performance of key business processes; (11) a list of the persons that, directly or indirectly, hold or intend to hold an equity participation (describing the amount of their participation and the origin of the resources); (12) a list of the board members of the company including their background and credit report; (13) information required to verify the ownership or right of use of the interface, website or electronic means of communication; (14) domicile within Mexico and a legal representative; (15) information related to incentives (only applicable to crowdfunding companies); and (16) other documents required by CNBV in secondary regulations. The requirements listed above are designed to comply with the principles of the Fintech Law, and specifically with the principles related to financial stability and fraud prevention.
The Fintech Law is close to a ‘disclosure-based regulation’. Therefore, fintech companies are required to implement measures to avoid spreading false or misleading information to comply with the principle of consumer protection. Additionally, fintech companies shall inform their clients about the risks of transactions executed through them. Specifically, they need to make it clear on their websites, applications, contracts and electronic or digital communications, and marketing adverts that neither the federal government nor the entities managed by the public state-owned administration support or back their obligations and that there is no deposit insurance, but that they are authorised, regulated and supervised by Mexican financial authorities. Additionally, their corporate name must indicate whether they are crowdfunding or e-money companies.
The Fintech Law does not regulate the activity of automated-digital advisory services or asset management. However, advisory services may be carried out with a prior registration with financial authorities. Investment advisers are regulated for AML and consumer-protection purposes but their regulation is probably lighter than the regulation that will apply to fintech companies. Automated asset management may be provided through an investment adviser as long as they operate through a licensed broker-dealer and they are not custodian of the assets.
Under the Fintech Law, the sharing of information will be subject to secondary rules issued by the Supervising Commission and Banxico. In this sense, the Fintech Law provides that financial entities, money transmitters, credit-scoring companies, clearing houses, fintech companies and companies authorised to operate with innovative models will be required to establish standardised application programming interfaces (APIs) that allow connectivity and access to other interfaces developed or managed by them and by permitted IT third parties, to share the following information: (1) ‘open financial information’, which is defined as information generated by the above-mentioned entities that is not confidential; in other words, information related to the products or services offered to the general public and the location of offices, ATMs and other points of service at which those products or services may be accessed; (2) ‘aggregated data’, which is defined as statistical information that does not identify an individual and that is related to operations made by or through the entities mentioned above; and (3) ‘transactional data’, which is defined as information related to the use of a product or service, including deposit accounts, credit and means of disposition contracted on behalf of clients, and other information related to transactions that customers have made or tried to perform in the technological infrastructure of the above-mentioned entities.
Access to open financial information is not limited by the Fintech Law. Regarding aggregated data, the Fintech Law provides that access will be limited to those persons that have implemented authentication methods, as provided by the Supervising Commissions, Banxico or the credit-scoring companies through the secondary regulations issued to that end. Finally, transactional data shall be shared with the client’s consent only and shall be used only for the purposes expressly consented to by the client.
ii Cross-border issues
There is no limitation within the Fintech Law for Mexican-licensed fintech companies to offer their services abroad.
There is also no limitation on foreign ownership of Mexican fintech companies. They may be wholly owned by foreigners or foreign investors. Neither are there exchange or currency control restrictions. Foreign companies should consider, however, that as a general rule, any person in Mexico has the right to settle his or her obligations payable within the Mexican territory in Mexican pesos at the official exchange rate published by Banxico.
On the other hand, foreign fintech companies may not offer or market their services in Mexico without a local licence. The Fintech Law does not address how it applies to companies that have no physical presence in Mexico but if a fintech company is intentionally and regularly marketing to Mexican customers, the financial regulators are likely to try asserting jurisdiction and applying the Fintech Law and Mexican regulations as with any other financial entity doing business in Mexico without a physical presence. What ‘regularly’ means is something that is yet to be tested and will need to be analysed on a case-by-case basis.
III DIGITAL IDENTITY AND ONBOARDING
Currently there is no recognised digital identity in Mexico. Within the Digital National Strategy,6 which is defined as the action plan of the Mexican government to implement a digital nation on which technology and innovation converge to reach the goals for the development of the country, the implementation of a digital identity is expected to begin in the near future but there is no specific deadline. Under the Digital National Strategy, it is envisaged that Mexican citizens may access diverse services (including financial services) by using a digital identity. Up to now, some governmental entities have digital databases based on biometrical systems and have created through them a kind of digital identity for some Mexican citizens and foreign residents; biometrical systems are the core required for the implementation of a digital identity in Mexico, but are not yet generally adopted by all entities.
Private means of creating a digital identity are not prohibited by the Mexican authorities but there is still no general system available that may function as a digital identity. Recently, at the end of August 2017, the CNBV published in the Federal Official Gazette amendments to the general provisions applicable to banks. These amendments provide that, effective September 2018, banks shall request biometrical data (i.e., fingerprints) of their clients to verify their identity when requesting a loan or opening an account. The biometrical information collected will be matched with the database of the National Electoral Institute (or with the National Immigration Institute, in the case of foreigners) to verify customers’ identity. Banks have agreed to use a sole database that may be supplemented by the databases of other governmental entities such as the tax administration database. A bank’s database, when implemented, may be considered an initial, but private and limited, digital identity database.
There is no provision related to mechanisms that may be implemented by fintech companies regarding the use of a digital identity; nevertheless, such companies are implementing diverse private methods to verify their users’ identity. Means used by fintech companies may vary and contain different requirements related to the documents or validation of proofs requested from the relevant users. We expect that fintech companies that provide more identification methods will be allowed to increase the limits of funds or withdrawals when using the relevant platform. As mentioned before, identification methods may vary but the most common means used by fintech companies currently are:
- online validation of a mobile number;
- ID validation (by taking a picture of the relevant user in conjunction with his or her ID);
- valid proof of address;
- linking a fintech account to a bank account in order to receive or transfer funds; and
- physically or electronically signing a written agreement.
Banks are required by their regulations to implement identity checks. Banks may permit remote opening of accounts or loan requests by requesting from their customers or prospective customers the following information: (1) diverse identification data, including the client’s consent to the recording of his or her voice and image when an audiovisual real-time means is implemented to establish communication, and an online photograph of the client’s face and voter’s official ID (banks shall verify the match between both photographs); (2) the unique population registry key (CURP), matched with the National Population Registry’s database; (3) a single-use code provided by the bank; and (4) a stored record of the remote communication held with the client. Technology for implementing offsite identity verification shall be approved by the risk committee of the companies. Likewise, other mechanisms for identity checks may be implemented with the prior approval of the CNBV.
The secondary regulations of fintech companies and other financial institutions may replicate these requirements.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
The Fintech Law regulates crowdfunding and expressly allows for different models such as peer-to-peer lending and collective investment schemes. Crowdfunding companies may operate debt investment schemes, equity investment schemes, co-ownership and royalty investment schemes.
The Fintech Law does not allow crowdfunding entities to securitise or trade loans in secondary markets. Furthermore, the Fintech Law provides that crowdfunding entities cannot take loans or issue securities whenever those loans or securities are issued to ‘share risks’ with investors.
As mentioned before, crowdfunding and e-money companies need a licence that will be granted at the discretion of the CNBV, with the prior approval of the Inter-institutional Committee.
Licensed crowdfunding companies may only engage in the following activities: (1) receive and publish the requests of crowdfunding operations of borrowers or targets and their projects through their interface, website or electronic or digital communication means used to perform their activities; (2) provide information to potential investors so that they know the characteristics of the crowdfunding requests or projects; (3) enable and allow electronic means of communication between investors and borrowers; (4) obtain loans and credits; (5) issue securities; (6) own or lease real property; (7) make deposits in authorised financial companies; (8) create a trust required to comply with their legal purpose (e.g., to segregate funds); (9) make investments in complementary, auxiliary or real estate companies; (10) perform judicial or extrajudicial collection of credits granted to borrowers by investors, as well as renegotiate the terms and conditions of the relevant credits; and (11) others required to comply with their corporate purpose.
E-money companies are only allowed to engage in the following activities:
- issue, commercialise or manage instruments for the disposal of funds of electronic payments;
- provide the service of money transmission;
- provide services related to payment networks;
- process information related to payment services;
- grant credits or loans only as overdrafts of the accounts they administer;
- operate with cryptocurrencies;
- obtain loans and credits of any local or foreign person in order to comply with their corporate purpose;
- issue securities on their own account;
- constitute overnight or term deposits in financial institutions;
- own or lease real property;
- broker with cryptocurrencies; and
- buy, sell or transfer cryptocurrencies on their own account.
As mentioned above, information-sharing rules will be subject to secondary regulations that shall be drafted and issued, in the future, by the Supervising Commission and Banxico. The general provisions of the Fintech Law on the sharing of information provide that fintech companies (among the other entities mentioned within the law) will be obligated to execute an agreement with transferees, setting forth therein that the transferees will be required to allow audits by fintech companies to verify compliance with the Fintech Law. Fintech companies will be required to report the results of such audits to the Supervising Commission and Banxico.
In addition, the Fintech Law provides that the CNBV will be the authority in charge of issuing general provisions related to information security, which shall include confidentiality policies and registry of accounts related to transactional movements, and the use of private or public technological means or other systems for the processing of information, that will apply to crowdfunding companies; in the case of e-money companies, the foregoing provisions will be issued by the CNBV in conjunction with Banxico.
Fintech companies are required to retain information in a physical or electronic format for a minimum term of 10 years.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS (ICO)
Cryptocurrencies are known as ‘virtual assets’ in the Fintech Law and they are defined as a representation of value, electronically registered and used by the public as a means of payment for any legal transaction, the transfer of which may be made only through electronic means. In accordance with the Fintech Law, cryptocurrencies may not be considered legal currencies and licensed fintech companies may operate only with such cryptocurrencies previously ‘approved’ by Banxico. Fintech companies require a special authorisation from Banxico to operate with cryptocurrencies. This part of the Fintech Law has been subject to debate and there have been some attempts to remove cryptocurrencies and to leave this for further study. We expect Banxico to take longer to issue secondary regulations regarding cryptocurrencies.
The Fintech Law does not define whether cryptocurrencies or other tokens may be considered as securities and does not regulate initial coin offerings. However, we expect this to be regulated in Banxico’s secondary regulation.
Credit institutions approved by Banxico may engage in transactions with cryptocurrencies approved by the latter and in accordance with the general provisions issued by the mentioned Central Bank.
No specific technology is regulated by the Fintech Law. Blockchain technology is not regulated by the Fintech Law or by any other Mexican laws. The Fintech Law regulates activities and transactions and, generally, does not speak of specific technologies.
VI OTHER NEW BUSINESS MODELS
The Fintech Law devotes a special chapter to ‘innovative models’, which are defined as ‘those that to provide fintech services employ tools or technological means with alternatives different from those currently existing in the market’. As mentioned in this chapter, the Fintech Law is designed as a principle-based regulation and, in keeping with this, such chapter is in line with principles of innovation and promotion of competition, by opening its text to admit new models of services and the admittance to new competitors to the fintech environment.
Innovative models will receive a temporary authorisation that will be discretionally granted by the financial authorities when the applicant duly proves that: (1) it has an innovative model; (2) the product or service to be offered to the public shall be tested in a controlled environment; (3) the new model represents a benefit to the client that cannot be obtained from existing models available in the market; (4) operations may be made immediately; (5) the project shall be tested with a limited number of clients, and (6) other requirements that are to be determined by financial authorities. Temporary authorisation shall not be for longer than two years and shall be in accordance with the services that will be or are planned to be provided.
The National Commission for the Protection and Defence of Financial Service Users (CONDUSEF) will be the authority empowered to resolve controversies between authorised authorities to operate an innovative model. Financial authorities may authorise fintech companies, financial entities or others to implement and operate innovative models.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
In Mexico, software cannot be patented: the Industrial Property Law specifically provides in its Article 19(IV) that software may not be considered as an invention. In practice, software is registered as an intellectual work in accordance with the provisions set forth in the Federal Copyright Law. The foregoing provisions apply to fintech business models and related software; in both cases, they may be registered under the copyright provisions.
Considering the above, in accordance with the provisions set forth within the Federal Copyright Law, when an individual or company requests a contractor to develop software or business models, by the payment of remuneration, the company will own the economic rights over the work and have the rights related to its divulgation, integrity and collection.
Regarding contractors, they may have the right to be expressly mentioned in the role of authors over the parts in which they have participated. It is essential that agreements are drafted in a clear manner and that the terms of the work to be created and its remuneration are stated precisely, considering that in case of doubt, interpretation will be in favour of the author.
When a work is made as a consequence of a labour relationship, established within a written individual labour agreement, it will be presumed, if it is not otherwise agreed, that economic rights will be divided equally between employer and employee. The employer may divulgate the work without the authorisation of the employee but not the other way around. If an individual labour agreement is absent, economic rights will be granted to the employee.
Regarding privacy rights, the Fintech Law regulates the exchange of information with authorities. Specifically, it provides that fintech companies are required to provide information to the CNBV and Banxico about their operations and their clients, including data that may be useful to estimate their financial situation and information that may be useful for mentioned authorities in order to duly comply with their functions.
Additionally, the Fintech Law provides that clients’ information shall be considered as confidential and that in no case may fintech companies give notices or information of their activities or services contracted by them unless such information is requested by the client itself, his or her legal representatives, or those who have been granted a power of attorney to intervene in the relevant operation or service. This is similar to current banking secrecy provisions.
There are no special rules applying to the digital profiling of clients considering that processing of personal data is not distinguished if physical or electronic means are implemented for this purpose. On this topic, the Federal Law on the Protection of Personal Data held by Private Parties (the Data Protection Law), requires data controllers to obtain consent before processing data subjects’ personal information and to obtain that consent through the delivery of a detailed privacy notice that contains at least the requirements set forth within the privacy law framework applicable within Mexico. Furthermore, financial information shall be protected under stricter means and measures than identification data. When processing financial information, express consent is required.
The Data Protection Law also requires data controllers to process personal information in accordance with the following principles: (1) lawful basis for processing; (2) consent; (3) information; (4) data quality; (5) purpose limitation; (6) loyalty; (7) proportionality, and (8) responsibility. Data controllers shall also adopt the security measures and procedures that are necessary to protect the personal data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall be at least equal to the measures that the data controller uses to protect the company’s own information.
If storage is through a cloud computing service provider, the storage will be subject to specific conditions provided within the Regulations of the Data Protection Law. The relationship between the data controller and the service provider (i.e., the cloud computing service provider) shall be documented within a legal instrument, and the relevant service provider, in its role of data processor, shall be informed about the data controller’s (company) privacy notice and may only process the personal data received by the data controller in accordance with its privacy notice and its instructions.
The data controller shall only contract services from a provider that:
- has policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations;
- discloses if it subcontracts to third parties;
- does not condition the service upon the service provider becoming the owner or acquiring any right over the personal data;
- maintains confidentiality; and
- has mechanisms to:
  - notify changes in its privacy policies;
  - allow the data controller to limit the processing of the personal data;
  - have security measures that are reasonable with respect to the service;
  - guarantee the cancellation of data once the service is terminated; and
  - block access to the personal data by persons that do not have access privileges except when ordered by a competent authority and the data controller is informed of such order.
Finally, another essential obligation is that data controllers must appoint a data protection officer or department to answer data subjects’ access, rectification, suppression and rejection requests.
VIII YEAR IN REVIEW
As mentioned above, in Mexico the Fintech Law recently entered into force. Moreover, up to now, fintech companies are not able to operate with full legal certainty until secondary regulation is issued and they are aware of their obligations and the process to obtain and maintain their licences.
Prior to the elaboration of the Fintech Law, different discussions relating to cryptocurrencies and fintech applications were held by financial authorities, experts and academics. Currently, it is not defined how fintech regulations and norms issued by the financial authorities will work in practice.
IX OUTLOOK AND CONCLUSIONS
As the Fintech Law is a principle-based law, we anticipate most issues will be resolved and understood with secondary regulation.
It is likely to be an environment of constant change supported by cooperation and new developments within the fintech market; we predict that new actors will enter the market and will be interested in the way fintech services will be conducted. We expect that banks will, in a cautious manner, begin providing fintech services, as many people have shown interest in the market.
Regarding the adoption of tokens and cryptocurrencies within Mexico, we are not certain about the criteria that authorities will follow regarding their acceptance. It is not clear whether the methods provided in the Fintech Law relate to innovative models; we consider that the market will dictate the application of the law and other provisions issued by the financial authorities.
We expect that 2018 will be a year of change and progress in this field, and given the quick adoption of fintech and the interest the public has shown in it, we foresee that Mexican users and service providers are likely to increase rapidly.
1 Federico de Noriega Olea is a partner and Rodrigo Méndez Solís is a senior associate at Hogan Lovells.
2 http://www.cnbv.gob.mx/Inclusi%C3%B3n/Paginas/Encuestas.aspx and http://databank.worldbank.org/data/reports.aspx?source=1228 Latin American & Caribbean Average is 51% whereas Mexican average is 38.7% with 2014 data.