I OVERVIEW

Over the past year, the Law to Regulate Financial Technology Companies (the Fintech Law), and certain secondary regulations were enacted. However, certain secondary regulations are still pending, and are currently under discussion by the administrative bodies in charge of their issuance.

Regulated fintech entities, which are construed as part of the financial services sector, are regulated by four main governmental agencies:

  1. the Bank of Mexico (Banxico) as the Mexican central bank;
  2. the Ministry of Finance and Public Credit (SHCP) as the ministry within the executive branch in charge of regulating financial institutions;
  3. the National Banking and Securities Commission (CNBV) as an agency that directly depends on the SHCP; and
  4. the Financial Consumer Protection Commission (CONDUSEF).

While it is true that the spirit of the Fintech Law is to permit fintech companies to do business in Mexico, it is also true that Mexican financial authorities' opinions are still divided on this topic. In our opinion, depending largely on how the laws and regulations are applied and enforced, Mexico could become a fintech-friendly jurisdiction but with clear oversight by financial regulators.

Although regulated fintech entities are part of the financial sector, they are not part of the financial system for tax purposes, and therefore have the same rights and obligations as any other entity incorporated pursuant to Mexican law.

This chapter describes the Fintech Law and the main principles and guidelines therein to regulate fintech companies.

ii REGULATION

i Licensing and marketing

The Fintech Law mainly seeks to regulate two kinds of fintech companies: crowdfunding companies and e-money companies.

Crowdfunding companies are defined as the technological platforms that connect people so that investors can fund investment seekers through mobile applications, interfaces, websites or any other means of electronic or digital communications. Their activities are described further below. E-money companies are those entities that may provide issuance, administration, redemption and transmission of e-money. Both companies may operate with cryptocurrencies, which in accordance with the law are called 'virtual assets'.

A special licence is required to operate as a crowdfunding or an e-money company, issued at the discretion of the CNBV prior to approval of the Inter-institutional Committee, which will comprise two members of the Ministry of Finance and Public Credit, two members of the CNBV and two members of Banxico.

In general terms, entities interested in obtaining a licence to act as a fintech company shall be incorporated as corporations, setting forth in their corporate by-laws that:

  1. their purpose is to engage in any of the fintech activities described in the Fintech Law (crowdfunding or e-money);
  2. they are subject to the provisions set forth in the Fintech Law and relevant secondary regulation;
  3. they designate a domicile within Mexico; and
  4. they have a minimum amount of capital, in accordance with their activities, as defined by the CNBV through secondary regulation.

The minimum capital depends on the activities that fintech companies will perform or the risk that they will assume. This permits differentiated regulatory requirements for companies at a different scale or level.

Applicants shall also provide:

  1. the power of attorney granted, before a notary public, to the legal representatives to submit for application the request to be considered a fintech company;
  2. a draft of corporate by-laws that comply with the requirements set forth above and others contemplated in the Fintech Law;
  3. a business plan;
  4. segregated accounts as provided in the Fintech Law;
  5. the means and policies to comply with risk disclosure;
  6. means and policies implemented regarding operational risks, confidentiality and evidence of having a technological support for their clients, and compliance with the minimum security standards against fraud or cyberattacks;
  7. operational controls and processes for client identification;
  8. conflict-check policies;
  9. AML, fraud prevention and non-terrorism finance policies;
  10. agreements with other fintech companies for the performance of key business processes;
  11. a list of the persons that, directly or indirectly, hold or intend to hold an equity participation (describing the amount of their participation and the origin of the resources);
  12. a list of the board members of the company including their background and credit report;
  13. information required to verify the ownership or right of use of the interface, website or electronic means of communication;
  14. domicile within Mexico and a legal representative;
  15. information related to incentives (only applicable to crowdfunding companies); and
  16. other documents required by CNBV in secondary regulations.

The requirements requested above are designed to comply with the principles of the Fintech Law, and specifically to principles related to financial stability and fraud prevention.

The Fintech Law is close to a disclosure-based regulation. Therefore, fintech companies are required to implement measures to avoid spreading false or misleading information to comply with the principle of consumer protection. Additionally, fintech companies shall inform their clients about the risks of transactions executed through them. Specifically, they need to make it clear on their websites, applications, contracts and electronic or digital communications, and marketing adverts that neither the federal government nor the entities managed by the public state-owned administration support or back their obligations and that there is no deposit insurance, but that they are authorised, regulated and supervised by Mexican financial authorities. Additionally, their corporate name must indicate whether they are crowdfunding or e-money companies.

The Fintech Law does not regulate the activity of automated-digital advisory services or asset management. However, advisory services may be carried out with a prior registration with financial authorities. Investment advisers are regulated for AML and consumer-protection purposes but their regulation is probably lighter than the regulation that will apply to fintech companies. Automated asset management may be provided through an investment adviser as long as they operate through a licensed broker-dealer and they are not custodian of the assets.

Considering the provisions set forth within the Fintech Law, sharing of information will be subject to secondary rules issued by the Supervising Commission and Banxico. Such secondary rules shall be issued no later than March 2020. In this sense, the Fintech Law provides that financial entities, money transmitters, credit-scoring companies, clearing houses, fintech companies and companies authorised to operate with innovative models will be required to establish programming interfaces of standardised applications that allow connectivity and access to other interfaces developed or managed by them and the allowed IT third parties, to share the following information:

  1. open financial information, which is defined as that information generated by the above-mentioned entities that is not confidential. In other words, open financial information may be referred to those related to the product or services offered to the general public and the location of its offices, ATMs and other points of service on which its products or services may be accessed;
  2. aggregated data, which is defined as statistical information that does not identify an individual and that is related to operations made by or through the entities mentioned above; and
  3. transactional data, which is defined as information related to the use of a product or service, including deposit accounts, credit and means of disposition contracted on behalf of clients, and other information related to transactions that customers have made or tried to perform in the technological infrastructure of the above-mentioned entities.

Access to open financial information is not limited by the Fintech Law. Regarding aggregated data, the Fintech Law provides that access will be limited to those persons that have implemented authentication methods, as provided by the supervising regulators, Banxico or the credit-scoring companies through the provisions within the secondary regulations issued to that end and, finally, transactional data shall be shared with the client's consent only and shall be used for the purposes expressly consented to by the client.

ii Cross-border issues

There is no limitation within the Fintech Law for Mexican-licensed fintech companies to offer their services abroad.

There is also no limitation on foreign ownership of Mexican fintech companies. They may be wholly owned by foreigners or foreign investors. Neither are there exchange or currency control restrictions. Foreign companies should consider, however, that as general rule, any person in Mexico has the right to settle his or her obligations payable within the Mexican territory in Mexican pesos at the official exchange rate published by Banxico.

On the other hand, foreign fintech companies may not offer or market their services in Mexico without a local licence. The Fintech Law does not address how it applies to companies that have no physical presence in Mexico, but if a fintech company is intentionally and regularly marketing to Mexican customers the financial regulators are likely to try asserting jurisdiction and applying the Fintech Law and Mexican regulations, as with any other financial entity doing business in Mexico without a physical presence. What 'regularly' means is something that is yet to be tested and will need to be analysed on a case-by-case basis.

iii DIGITAL IDENTITY AND ONBOARDING

Currently there is no recognised digital identity in Mexico. Within the Digital National Strategy,2 which is defined as the action plan of the Mexican government to implement a digital nation on which technology and innovation converge to reach the goals for the development of the country, the implementation of a digital identity in the near future is expected to begin but there is no specific deadline. Under the Digital National Strategy, it is envisaged that Mexican citizens may access diverse services (including financial services) by using a digital identity. Up to now, some governmental entities have digital databases based in biometrical systems and have created through them a kind of digital identity for some Mexican citizens and foreign residents; biometrical systems are the core required for the implementation of a digital identity in Mexico, but are not generally adopted yet by all entities.

Private means of creating a digital identity are not prohibited by the Mexican authorities but there is still no general system available that may function as a digital identity. Banks will be obliged as of March 2020 to request biometrical data (i.e., fingerprints) of their clients to verify their identity when requesting a loan or opening an account. The biometrical information collected by the banks will be matched with the database of the National Electoral Institute (or with the National Immigration Institute, in case of foreigners) to verify customers' identity. Banks have agreed to use a sole database that may be supplemented by the databases of other governmental entities such as the tax administration database. A bank's database, when implemented, may be considered an initial, but a private and limited digital identity database.

There is no provision related to mechanisms that may be implemented by fintech companies regarding the use of a digital identity; nevertheless, such companies are implementing diverse private methods to verify its users' identity. Means used by fintech companies may vary and contain different requirements related to the documents or validation of proofs requested by the relevant users. We expect that fintech companies that provide more identification methods will be allowed to increase the limits of funds or withdrawals when using the relevant platform. As mentioned before, identification methods may vary but the most common means used by fintech companies are currently:

  1. online validation of a mobile number;
  2. ID validation (by taking a picture of the relevant user in conjunction with his or her ID);
  3. valid proof of address;
  4. linking a fintech account to a bank account in order to receive or transfer funds; and
  5. physically or electronically sign a written agreement.

Crowdfunding companies and e-money companies are required to implement identity checks through the completion of a know-your-customer procedure. For these purposes, crowdfunding companies and e-money companies must obtain from their customers information and documents, which will vary depending on whether their customer is a foreign or national individual, foreign or national entity or other, as provided under the secondary regulation issued by the CNBV and the entity's anti-money laundering manual.

The information and documents that must be collected from customers can be collected remotely through automated questionnaires and digital copies of the documents.

IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES

The Fintech Law regulates crowdfunding and expressly allows for different models such as peer-to-peer lending and collective investment schemes. Crowdfunding companies may operate debt investment schemes, equity investment schemes, co-ownership and royalty investment schemes.

The Fintech Law does not allow crowdfunding entities to securitise or trade loans in secondary markets. Furthermore, the Fintech Law provides that crowdfunding companies cannot take loans or issue securities whenever those loans or securities are issued to 'share risks' with investors.

As mentioned before, crowdfunding and e-money companies need a licence that will be granted at the discretion of the CNBV, prior to the approval of the Inter-institutional Committee.

Licensed crowdfunding companies may only engage in the following activities:

  1. receive and publish the requests of crowdfunding operations of borrowers or targets and their projects through its interface, website or electronic or digital communication means used to perform its activities;
  2. provide information to the potential investors so that they know the characteristics of the requests of crowdfunding or projects;
  3. enable and allow electronic means of communications between investors and borrowers;
  4. obtain loans and credits;
  5. issue securities;
  6. own or lease real property;
  7. make deposits in authorised financial companies;
  8. create a trust required to comply with their legal purpose (e.g., to segregate funds);
  9. make investments in complementary, auxiliary or real estate companies;
  10. perform judicial or extrajudicial collection of credits granted to borrowers by investors, as to renegotiate the terms and conditions of relevant credits; and
  11. other activities required to comply with their corporate purpose.

E-money companies are only allowed to engage in the following activities:

  1. issue, commercialise or manage instruments for the disposal of funds of electronic payments;
  2. provide the service of money transmission;
  3. provide services related to payment networks;
  4. process information related to payment services;
  5. grant credits or loans only as overdrafts of the accounts they administer;
  6. operate with cryptocurrencies;
  7. obtain loans and credits of any local or foreign person in order to comply with their corporate purpose;
  8. issue securities on their own account;
  9. constitute overnight or term deposits in financial institutions;
  10. own or lease real property;
  11. broker with cryptocurrencies; and
  12. buy, sell or transfer cryptocurrencies on their own account.

As mentioned above, sharing information rules will be subject to secondary regulations that shall be drafted and issued, in the future, by the Supervising Commission and Banxico. The Fintech Law provides that fintech companies (among the other entities mentioned within the law) will be obligated to execute an agreement with transferees and set forth therein that they (transferees) will be required to allow audits by fintech companies to verify compliance with the Fintech Law. Fintech companies will be required to report the results obtained of such audits to the Supervising Commission and Banxico.

In addition, the Fintech Law provides that CNBV will be the authority in charge of issuing general provisions related to information security, which shall include confidentiality policies and registry of accounts related to transactional movements, the use of private or public technological means or other systems for processing of information that will apply to crowdfunding companies. In the case of e-money companies, the foregoing provisions are issued by the CNBV in conjunction with Banxico.

Fintech companies are required to retain information in a physical or electronic format for minimum terms of 10 years.

V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS

Cryptocurrencies are known as virtual assets in the Fintech Law and they are defined as a representation of value, electronically registered and used by the public as a means of payment for any legal transaction and transfer of which may be made only through electronic means. In accordance with the Fintech Law, cryptocurrencies may not be considered legal currencies and licensed fintech companies may operate only with such cryptocurrencies previously approved by Banxico. Fintech companies require a special authorisation from Banxico to operate with cryptocurrencies. This part of the Fintech Law has been subject to debate and there have been some attempts to remove cryptocurrencies and to leave this for further study. We expect Banxico to take longer to issue secondary regulations regarding cryptocurrencies.

The Fintech Law does not define whether cryptocurrencies or other tokens may be considered as securities and does not regulate initial coin offerings. However, we expect this to be regulated in Banxico's secondary regulation.

Credit institutions approved by Banxico may engage in transactions with cryptocurrencies approved by the latter and in accordance with the general provisions issued by the mentioned Central Bank.

No specific technology is regulated by the Fintech Law. Blockchain technology is not regulated by the Fintech Law or by any other Mexican laws. The Fintech Law regulates activities and transaction and, generally, does not speak of specific technologies.

VI OTHER NEW BUSINESS MODELS

The Fintech Law devotes a special chapter to innovative models, which are defined as 'those that to provide fintech services employ tools or technological means with alternatives different from those currently existing in the market'. As mentioned in this chapter, the Fintech Law is designed as a principle-based regulation and, in keeping with this, such chapter is in line with principles of innovation and promotion of competition, by opening its text to admit new models of services and the admittance to new competitors to the fintech environment.

Innovative models will receive a temporary authorisation that will be discretionally granted by the financial authorities when the applicant duly proves that:

  1. it has an innovative model;
  2. the product or service to be offered to the public shall be tested in a controlled environment;
  3. the new model represents a benefit to the client that cannot be obtained from existing models available in the market;
  4. operations may be made immediately;
  5. the project shall be tested with a limited number of clients; and
  6. other requirements that are to be determined by financial authorities.

Temporary authorisation shall not be for longer than two years and shall be in accordance with the services that will be or are planned to be provided.

CONDUSEF will be the authority empowered to resolve controversies between authorised authorities to operate an innovative model. Financial authorities may authorise fintech companies, financial entities or others to implement and operate innovative models.

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

In Mexico, software is not subject to be patented. The Industrial Property Law specifically provides in its Article 19(IV) that software may not be considered as an invention. In practice, software is registered as an intellectual work in accordance with the provisions set forth in the Federal Copyright Law. The foregoing provisions apply to fintech business models and related software; in both cases, they may be registered under the copyright provisions.

Considering the above, in accordance with the provisions set forth within the Federal Copyright Law, when an individual or company requests a contractor to develop software or business models, by the payment of remuneration, the company will own the economic rights over the work and have the rights related to its divulgation, integrity and collection.

Regarding contractors, they may have the right to be expressly mentioned in the role of authors over the parts in which they have participated. It is essential that agreements are drafted in a clear manner and that the terms of the work to be created and its remuneration are stated precisely, considering that in case of doubt, interpretation will be in favour of the author.

When a work is made as a consequence of a labour relationship, established within a written individual labour agreement, it will be presumed, if it is not otherwise agreed, that economic rights will be divided equally between employer and employee. The employer may divulgate the work without the authorisation of the employee but not the other way around. If an individual labour agreement is absent, economic rights will be granted to the employee.

Regarding privacy rights, the Fintech Law regulates the exchange of information with authorities. Specifically, it provides that fintech companies are required to provide information to the CNBV and Banxico about their operations and their clients, including data that may be useful to estimate their financial situation and information that may be useful for mentioned authorities in order to duly comply with their functions.

Additionally, the Fintech Law provides that clients' information shall be considered as confidential and that in no case may fintech companies give notices or information of their activities or services contracted by them unless such information is requested by the client itself, his or her legal representatives or those whose have granted a power of attorney to intervene in the relevant operation or service. This is similar to current banking secrecy provisions.

There are no special rules applying to the digital profiling of clients considering that processing of personal data is not distinguished if physical or electronic means are implemented for this purpose. On this topic, the Federal Law on the Protection of Personal Data held by Private Parties (the Data Protection Law), requires data controllers to obtain consent before processing data subjects' personal information and to obtain that consent through the delivery of a detailed privacy notice that contains at least the requirements set forth within the privacy law framework applicable within Mexico. Furthermore, financial information shall be protected under stricter means and measures than identification data. When processing financial information, express consent is required.

The Data Protection Law also requires data controllers to process personal information in accordance with the following principles: lawful basis for processing; consent; information; data quality; purpose limitation; loyalty; proportionality; and responsibility.

Data controllers shall also adopt the security measures and procedures that are necessary to protect the personal data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall be at least equal to the measures that the data controller uses to protect the company's own information.

If storage is through a cloud computing service provider, the storage will be subject to specific conditions provided within the Regulations of the Data Protection Law. The data controller and service provider (i.e., the cloud computing service provider) relationship, shall be documented within a legal instrument and the relevant service provider, in its role of data processor, shall be informed about the data controller's (company) privacy notice and may only process the personal data received by the data controller, in accordance with its privacy notice and its instructions.

The data controller shall only contract services from a provider that it:

  1. has policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations;
  2. discloses if it subcontracts to third parties;
  3. does not condition the service upon the service provider becoming the owner or acquiring any right over the personal data;
  4. maintains confidentiality; and
  5. has mechanisms to:
    • notify changes in its privacy policies;
    • allow the data controller to limit the processing of the personal data;
    • have security measures that are reasonable with respect to the service;
    • guarantee the cancellation of data once the service is terminated; and
    • block access to the personal data by persons that do not have access privileges except when ordered by a competent authority and the data controller is informed of such order.

Finally, another essential obligation is that data controllers must appoint a data protection officer or department to answer data subjects' access, rectification, suppression and rejection requests.

VIII YEAR IN REVIEW

Some of the secondary regulations established under the Fintech Law are still pending, therefore fintech companies will not be able to operate with full legal certainty until all secondary regulations are issued and they are aware of their obligations and the process to obtain and maintain their licences.

In December 2018, there was a change in government in Mexico and a new ruling party came to power. The new government has expressed interest in financial inclusion and financial innovation but there have not been specific pronouncements or guidelines with respect to the Fintech Law and its applications.

To this date, the list of financial services providers does not contain any registered crowdfunding companies or e-money companies, which most likely is a consequence of the regulatory uncertainty that exists until the CNBV and Banxico issue all regulations related to the Fintech Law.

During the course of this year, the CNBV shall issue secondary provisions in connection with:

  1. the sharing of information to crowd funding investors; and
  2. sharing of information through digital means.

IX OUTLOOK AND CONCLUSIONS

As the Fintech Law is a principle-based law, we anticipate most issues will be resolved and understood with secondary regulation and regulatory interpretation.

It is likely to be an environment of constant change supported by cooperation and new developments within the fintech market; we predict that new actors will enter the market and will be interested in the way fintech services will be conducted. We expect that banks will, in a cautious manner, begin providing fintech services, as many people have shown interest in the market.

Regarding the adoption of tokens and cryptocurrencies within Mexico, we are not certain about the criteria that authorities will follow regarding their acceptance. It is not clear whether methods are provided in the Fintech Law relate to innovative models; we consider that the market will dictate the application of the law and other provisions issued by the financial authorities.

We expect that 2019 will be a year of change and progress in this field, and given the quick adoption of fintech and the interest the public has shown in it, we foresee that Mexican users and service providers are likely to increase rapidly.


Footnotes

1 Federico de Noriega Olea is a partner and Juan Enrique Lizardi Becerra is an associate at Hogan Lovells.