The Financial Technology Law Review: Mexico


The Law to Regulate Financial Technology Companies (the Fintech Law), and secondary regulations were enacted over the past few years in Mexico. All secondary regulations had to be enacted no later than March 2020, although certain regulations remain pending.

Regulated fintech entities, which are considered part of the financial services sector, are mainly regulated by four governmental agencies:

  1. the Bank of Mexico (Banxico) as the Mexican central bank;
  2. the Ministry of Finance and Public Credit (SHCP) as the ministry within the executive branch in charge of regulating financial institutions;
  3. the National Banking and Securities Commission (CNBV) as an agency that directly depends on the SHCP; and
  4. the Financial Consumer Protection Commission (CONDUSEF).

Notwithstanding the above, the National Insurance and Bonds Commission (CNSF) and the National Retirement Savings System Commission (CONSAR) are also authorised under the Fintech Law to perform certain surveillance activities.

While it is true that the spirit of the Fintech Law is to permit fintech companies to do business in Mexico, secondary regulation is very exhaustive which may have resulted in an overregulation. In our opinion, depending largely on how the regulations are applied and enforced, Mexico could become a fintech-friendly jurisdiction but with clear oversight by financial regulators.

Although regulated fintech entities are part of the financial sector, they are not part of the financial system for tax purposes, and therefore have the same rights and obligations as any other entity incorporated pursuant to Mexican law.

This chapter describes the Fintech Law and the main principles and guidelines therein to regulate fintech companies.


i Licensing and marketing

The Fintech Law mainly seeks to regulate two kinds of fintech companies: crowdfunding companies and e-money companies.

Crowdfunding companies are defined as the technological platforms that connect people so that investors can fund investment seekers through mobile applications, interfaces, websites or any other means of electronic or digital communications. Their activities are described further below. E-money companies are those entities that may provide issuance, administration, redemption and transmission of e-money. Both companies may operate with cryptocurrencies, which in accordance with the law are called 'virtual assets'.

A special licence is required to operate as a crowdfunding or an e-money company, issued at the discretion of the CNBV prior to approval of the Inter-institutional Committee, which comprises two members of the Ministry of Finance and Public Credit, two members of the CNBV and two members of Banxico.

In general terms, entities interested in obtaining a licence to act as a fintech company shall be incorporated as corporations, setting forth in their corporate by-laws that:

  1. their purpose is to engage in any of the fintech activities described in the Fintech Law (crowdfunding or e-money);
  2. they are subject to the provisions set forth in the Fintech Law and relevant secondary regulation;
  3. they designate a domicile within Mexico; and
  4. they have a minimum amount of capital, in accordance with their activities, as defined by the CNBV through secondary regulation.

The minimum capital depends on the activities that fintech companies will perform and the risk that they will assume. Crowdfunding entities that perform only one type of activity (debt, capital or co-ownership funding) must have a minimum capital of 500,000 investment units2 (currently this is around 3.2 million Mexican pesos) this minimum capital is also applicable to e-money companies that perform their activities in national currency. Crowdfunding entities that are authorised to perform two or more activities and e-money companies that are authorised to perform their activities in foreign currency or with virtual assets or that are authorised to perform underlying virtual assets derivative transactions or act as a switch, shall have a minimum capital of 700,000 UDIs (currently this is around 4.5 million Mexican pesos).

Applicants shall also provide:

  1. the power of attorney granted, before a notary public, to the legal representatives to submit for application the request to be considered a fintech company;
  2. a draft of corporate by-laws that comply with the requirements set forth above and others contemplated in the Fintech Law;
  3. a business plan;
  4. segregated accounts as provided in the Fintech Law;
  5. the means and policies to comply with risk disclosure;
  6. means and policies implemented regarding operational risks, confidentiality and evidence of having a technological support for their clients, and compliance with the minimum security standards against fraud or cyberattacks;
  7. operational controls and processes for client identification;
  8. conflict-check policies;
  9. AML, fraud prevention and non-terrorism finance policies;
  10. agreements with other fintech companies for the performance of key business processes;
  11. a list of the persons that, directly or indirectly, hold or intend to hold an equity participation (describing the amount of their participation and the origin of the resources);
  12. a list of the board members of the company including their background and credit report;
  13. information required to verify the ownership or right of use of the interface, website or electronic means of communication;
  14. domicile within Mexico and a legal representative;
  15. information related to incentives (only applicable to crowdfunding companies); and
  16. other documents required by CNBV in secondary regulations.

The requirements requested above are designed to comply with the principles of the Fintech Law, and specifically to principles related to financial stability and fraud prevention.

The Fintech Law is close to a disclosure-based regulation. Therefore, fintech companies are required to implement measures to avoid spreading false or misleading information to comply with the principle of consumer protection. Additionally, fintech companies shall inform their clients about the risks of transactions executed through them. Specifically, they need to make it clear on their websites, applications, contracts and electronic or digital communications, and marketing adverts that neither the federal government nor the entities managed by the public state-owned administration support or back their obligations and that there is no deposit insurance, but that they are authorised, regulated and supervised by Mexican financial authorities. Additionally, their corporate name must indicate whether they are crowdfunding or e-money companies.

The Fintech Law does not regulate the activity of automated-digital advisory services or asset management. However, advisory services may be carried out with a prior registration with financial authorities. Investment advisers are regulated for AML and consumer-protection purposes but their regulation is probably lighter than the regulation that will apply to fintech companies. Automated asset management may be provided through an investment adviser as long as he or she operates through a licensed broker-dealer and is not the custodian of the assets.

Considering the provisions set forth within the Fintech Law, sharing of information is subject to secondary rules issued by the Supervising Commission and Banxico. In this sense, the Fintech Law provides that financial entities, money transmitters, credit-scoring companies, clearing houses, fintech companies and companies authorised to operate with innovative models will be required to establish programming interfaces of standardised applications that allow connectivity and access to other interfaces developed or managed by them and the allowed IT third parties, to share the following information:

  1. open financial information, which is defined as that information generated by the above-mentioned entities that is not confidential. In other words, open financial information may be referred to those related to the product or services offered to the general public and the location of its offices, ATMs and other points of service on which its products or services may be accessed;
  2. aggregated data, which is defined as statistical information that does not identify an individual and that is related to operations made by or through the entities mentioned above; and
  3. transactional data, which is defined as information related to the use of a product or service, including deposit accounts, credit and means of disposition contracted on behalf of clients, and other information related to transactions that customers have made or tried to perform in the technological infrastructure of the above-mentioned entities.

Access to open financial information is not limited by the Fintech Law. Regarding aggregated data, the Fintech Law provides that access will be limited to those persons that have implemented authentication methods, as provided by the supervising regulators, Banxico or the credit-scoring companies through the provisions within the secondary regulations issued to that end and, finally, transactional data shall be shared with the client's consent only and shall be used for the purposes expressly consented to by the client.

ii Cross-border issues

There is no limitation within the Fintech Law for Mexican-licensed fintech companies to offer their services abroad.

There is also no limitation on foreign ownership of Mexican fintech companies. They may be wholly owned by foreigners or foreign investors. Neither are there exchange or currency control restrictions. Foreign companies should consider, however, that as general rule, any person in Mexico has the right to settle his or her obligations payable within the Mexican territory in Mexican pesos at the official exchange rate published by Banxico.

On the other hand, foreign fintech companies may not offer or market their services in Mexico without a local licence. The Fintech Law does not address how it applies to companies that have no physical presence in Mexico, but if a fintech company is intentionally and regularly marketing to Mexican customers the financial regulators are likely to try asserting jurisdiction and applying the Fintech Law and Mexican regulations, as with any other financial entity doing business in Mexico without a physical presence. What 'regularly' means is something that is yet to be tested and will need to be analysed on a case-by-case basis.

Digital identity and onboarding

Currently there is no recognised digital identity in Mexico. The prior federal administration had plans to implement a digital nation on which technology and innovation converged to reach the goals for the development of the country, and the implementation of a digital identity. However, the current federal administration has not issued any statement as to whether it will continue with the previous digital national strategy or whether it will have its own strategy. Many Mexican citizens still lack access to diverse services (including financial services) by using a digital identity.

Up to now, some governmental entities have digital databases based in biometrical systems and have created through them a kind of digital identity for some Mexican citizens and foreign residents; biometrical systems are the core required for the implementation of a digital identity in Mexico, but are not generally adopted yet by all entities.

Private means of creating a digital identity are not prohibited by the Mexican authorities but there is still no general system available that may function as a digital identity. Banks will be obliged as of March 2020 to request biometrical data (i.e., fingerprints) of their clients to verify their identity when requesting a loan or opening an account. The biometrical information collected by the banks will be matched with the database of the National Electoral Institute (or with the National Immigration Institute, in case of foreigners) to verify customers' identity. Banks have agreed to use a sole database that may be supplemented by the databases of other governmental entities such as the tax administration database. A bank's database, when implemented, may be considered an initial, but a private and limited digital identity database.

There is no provision related to mechanisms that may be implemented by fintech companies regarding the use of a digital identity; nevertheless, such companies are implementing diverse private methods to verify its users' identity. Means used by fintech companies may vary and contain different requirements related to the documents or validation of proofs requested by the relevant users. As mentioned before, identification methods may vary but the most common means used by fintech companies are currently:

  1. online validation of a mobile number;
  2. ID validation (by taking a picture of the relevant user in conjunction with his or her ID);
  3. valid proof of address;
  4. linking a fintech account to a bank account in order to receive or transfer funds; and
  5. physically or electronically sign a written agreement.

Crowdfunding companies and e-money companies are required to implement identity checks through the completion of a know-your-customer procedure. For these purposes, crowdfunding companies and e-money companies must obtain from their customers information and documents, which will vary depending on whether their customer is a foreign or national individual, foreign or national entity or other, as provided under the secondary regulation issued by the CNBV and the entity's anti-money laundering manual.

The information and documents that must be collected from customers can be collected remotely through automated questionnaires and digital copies of the documents.

Pursuant to the relevant secondary regulation, fintech entities shall file reports with the CNBV for, among others, any relevant or unusual operation performed by their customers, as well as transactions performed with foreign currency or virtual assets.

Digital markets, payment services and funding

The Fintech Law regulates crowdfunding and expressly allows for different models such as peer-to-peer lending and collective investment schemes. Crowdfunding companies may operate debt investment schemes, equity investment schemes, co-ownership and royalty investment schemes.

The Fintech Law does not allow crowdfunding entities to securitise or trade loans in secondary markets. Furthermore, the Fintech Law provides that crowdfunding companies cannot take loans or issue securities whenever those loans or securities are issued to 'share risks' with investors.

As mentioned before, crowdfunding and e-money companies need a licence that will be granted at the discretion of the CNBV, prior to the approval of the Inter-institutional Committee.

Licensed crowdfunding companies may only engage in the following activities:

  1. receive and publish the requests of crowdfunding operations of borrowers or targets and their projects through its interface, website or electronic or digital communication means used to perform its activities;
  2. provide information to the potential investors so that they know the characteristics of the requests of crowdfunding or projects;
  3. enable and allow electronic means of communications between investors and borrowers;
  4. obtain loans and credits;
  5. issue securities;
  6. own or lease real property;
  7. make deposits in authorised financial companies;
  8. create a trust required to comply with their legal purpose (e.g., to segregate funds);
  9. make investments in complementary, auxiliary or real estate companies;
  10. perform judicial or extrajudicial collection of credits granted to borrowers by investors, as to renegotiate the terms and conditions of relevant credits; and
  11. other activities required to comply with their corporate purpose.

E-money companies are only allowed to engage in the following activities:

  1. issue, commercialise or manage instruments for the disposal of funds of electronic payments;
  2. provide the service of money transmission;
  3. provide services related to payment networks;
  4. process information related to payment services;
  5. grant credits or loans only as overdrafts of the accounts they administer;
  6. operate with cryptocurrencies;
  7. obtain loans and credits of any local or foreign person in order to comply with their corporate purpose;
  8. issue securities on their own account;
  9. constitute overnight or term deposits in financial institutions;
  10. own or lease real property;
  11. broker with cryptocurrencies; and
  12. buy, sell or transfer cryptocurrencies on their own account.

As mentioned above, sharing information rules are subject to secondary regulations issued by the Supervising Commission and Banxico. The Fintech Law provides that fintech companies (among the other entities mentioned within the law) will be obligated to execute an agreement with transferees and set forth therein that they (transferees) will be required to allow audits by fintech companies to verify compliance with the Fintech Law. Fintech companies will be required to report the results obtained of such audits to the Supervising Commission and Banxico.

The CNBV is the authority in charge of issuing general provisions related to information security, which include confidentiality policies and registry of accounts related to transactional movements, the use of private or public technological means or other systems for processing of information that will apply to crowdfunding companies. In the case of e-money companies, the foregoing provisions are issued by the CNBV in conjunction with Banxico.

Fintech companies are required to retain information in a physical or electronic format for minimum terms of 10 years.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Cryptocurrencies are known as virtual assets in the Fintech Law and they are defined as a representation of value, electronically registered and used by the public as a means of payment for any legal transaction and transfer of which may be made only through electronic means. In accordance with the Fintech Law, cryptocurrencies may not be considered legal currencies, and licensed fintech companies may operate only with such cryptocurrencies previously approved by Banxico. Fintech companies require a special authorisation from Banxico to operate with cryptocurrencies. Banxico issued Circular 4/2019, which provides that fintech entities will not be authorised to operate if their purpose is to exchange, transfer or safeguard cryptocurrencies. Currently, fintech entities and financial institutions will only be permitted to trade with cryptocurrencies on their own account (proprietary trading).

No specific technology is regulated by the Fintech Law or its secondary regulation. Blockchain technology is not regulated by the Fintech Law or by any other Mexican laws. The Fintech Law regulates activities and transaction and, generally, does not speak of specific technologies.

Digital assets

Other new business models

The Fintech Law devotes a special chapter to innovative models, which are defined as 'those that to provide fintech services employ tools or technological means with alternatives different from those currently existing in the market'. As mentioned in this chapter, the Fintech Law is designed as a principle-based regulation and, in keeping with this, such chapter is in line with principles of innovation and promotion of competition, by opening its text to admit new models of services and the admittance to new competitors to the fintech environment.

Innovative models will receive a temporary authorisation that will be discretionally granted by the financial authorities when the applicant duly proves that:

  1. it has an innovative model;
  2. the product or service to be offered to the public shall be tested in a controlled environment;
  3. the new model represents a benefit to the client that cannot be obtained from existing models available in the market;
  4. operations may be made immediately;
  5. the project shall be tested with a limited number of clients; and
  6. other requirements that are to be determined by financial authorities.

Temporary authorisation may not be granted for longer than two years and shall be in accordance with the services that will be or are planned to be provided.

Authorisation shall be requested from the competent authority depending on the purpose of the innovative models, this meaning that either CONDUSEF, CONSAR, CNSF, the CNBV, Banxico, or two or more of these authorities may empowered to review the innovative model. Financial authorities may authorise fintech companies, financial entities or others to implement and operate innovative models.

All entities authorised to operate an innovative model shall have: (1) the human, monetary and material resources to operate their model during the term of the authorisation; (2) policies in place to mitigate the risks to which customers will be exposed; and (3) the resources, insurance or other types of guarantee to indemnify their customers for any damages and lost profit caused during the temporary authorisation.

Entities authorised to operate innovative models shall give the competent financial authority a quarterly report containing the number of transactions performed during such term, the number of clients, the risk factors generated during the applicable term and the actions taken to secure a final authorisation.

Intellectual property and data protection

In Mexico, software is not subject to be patented. The Industrial Property Law specifically provides in its Article 19(IV) that software may not be considered as an invention. In practice, software is registered as an intellectual work in accordance with the provisions set forth in the Federal Copyright Law. The foregoing provisions apply to fintech business models and related software; in both cases, they may be registered under the copyright provisions.

Considering the above, in accordance with the provisions set forth within the Federal Copyright Law, when an individual or company requests a contractor to develop software or business models, by the payment of remuneration, the company will own the economic rights over the work and have the rights related to its divulgation, integrity and collection.

Regarding contractors, they may have the right to be expressly mentioned in the role of authors over the parts in which they have participated. It is essential that agreements are drafted in a clear manner and that the terms of the work to be created and its remuneration are stated precisely, considering that in case of doubt, interpretation will be in favour of the author.

When a work is made as a consequence of a labour relationship, established within a written individual labour agreement, it will be presumed, if it is not otherwise agreed, that economic rights will be divided equally between employer and employee. The employer may divulgate the work without the authorisation of the employee but not the other way around. If an individual labour agreement is absent, economic rights will be granted to the employee.

Regarding privacy rights, the Fintech Law regulates the exchange of information with authorities. Specifically, it provides that fintech companies are required to provide information to the CNBV and Banxico about their operations and their clients, including data that may be useful to estimate their financial situation and information that may be useful for mentioned authorities in order to duly comply with their functions.

Additionally, the Fintech Law provides that clients' information shall be considered as confidential and that in no case may fintech companies give notices or information of their activities or services contracted by them unless such information is requested by the client itself, his or her legal representatives or those whose have granted a power of attorney to intervene in the relevant operation or service. This is similar to current banking secrecy provisions.

There are no special rules applying to the digital profiling of clients considering that processing of personal data is not distinguished if physical or electronic means are implemented for this purpose. On this topic, the Federal Law on the Protection of Personal Data held by Private Parties (the Data Protection Law), requires data controllers to obtain consent before processing data subjects' personal information and to obtain that consent through the delivery of a detailed privacy notice that contains at least the requirements set forth within the privacy law framework applicable within Mexico. Furthermore, financial information shall be protected under stricter means and measures than identification data. When processing financial information, express consent is required.

The Data Protection Law also requires data controllers to process personal information in accordance with the following principles: lawful basis for processing; consent; information; data quality; purpose limitation; loyalty; proportionality; and responsibility.

Data controllers shall also adopt the security measures and procedures that are necessary to protect the personal data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall be at least equal to the measures that the data controller uses to protect the company's own information.

If storage is through a cloud computing service provider, the storage will be subject to specific conditions provided within the Regulations of the Data Protection Law. The data controller and service provider (i.e., the cloud computing service provider) relationship, shall be documented within a legal instrument and the relevant service provider, in its role of data processor, shall be informed about the data controller's (company) privacy notice and may only process the personal data received by the data controller, in accordance with its privacy notice and its instructions.

The data controller shall only contract services from a provider that it:

  1. has policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations;
  2. discloses if it subcontracts to third parties;
  3. does not condition the service upon the service provider becoming the owner or acquiring any right over the personal data;
  4. maintains confidentiality; and
  5. has mechanisms to:
    • notify changes in its privacy policies;
    • allow the data controller to limit the processing of the personal data;
    • have security measures that are reasonable with respect to the service;
    • guarantee the cancellation of data once the service is terminated; and
    • block access to the personal data by persons that do not have access privileges except when ordered by a competent authority and the data controller is informed of such order.

Finally, another essential obligation is that data controllers must appoint a data protection officer or department to answer data subjects' access, rectification, suppression and rejection requests.

Year in review

The first authorisation in Mexico to a fintech entity to operate as an e-money company was granted by the CNBV in January 2020. Fintechs that were carrying out electronic payment funds or crowdfunding activities had to file their authorisation request under the grandfathering provision of the Fintech Law no later than September 2019 in order to continue to perform their activities in Mexico during review of their application. Approximately 85 entities filed for their authorisation request in September 2019, and authorisations will continue to be granted in the coming months.

As the number of participants increases, the fintech market will evolve. The application and interpretation of the Fintech Law by the competent authorities remains unknown as they are too becoming acquainted with the industry. However, we expect authorities to be flexible and to promote fintech activities.

Fintech remains an area of interest to the government given that it has proven to be more flexible than banking institutions, allowing the unbanked population to have access to financial services.

Outlook and conclusions

As the Fintech Law is a principle-based law, most issues are resolved and understood with secondary regulation and regulatory interpretation.

It is likely to be an environment of constant change supported by cooperation and new developments within the fintech market; we predict that new actors will enter the market and will be interested in the way fintech services will be conducted. We expect that more banks will, in a cautious manner, begin providing fintech services, as many people have shown interest in the market.

Regarding the adoption of tokens and cryptocurrencies within Mexico, the general expectation was that Banxico would allow e-money companies' customers to transact with cryptocurrencies. Banxico's rationale for prohibiting fintech entities and credit institutions from providing cryptocurrency transfers and custodial services is prompted by its concern that fintech entities could misinform customers or that customers would not be able to understand the mathematical information behind cryptocurrencies and the manner in which their value is determined. It is also seeking to reduce money laundering and terrorism financing risks.

It is not clear whether methods that are provided in the Fintech Law relate to innovative models; we consider that the market will dictate the application of the law and other provisions issued by the financial authorities.

We expect that 2020 will be a year of change and progress in this field and, given the rapid adoption of fintech and the interest the public has shown in it, we foresee that Mexican users and service providers are likely to continue to increase rapidly.


1 Federico de Noriega Olea is a partner and Juan Enrique Lizardi Becerra is an associate at Hogan Lovells.

2 As at 17 March 2020, 1 investment unit (UDI) is equivalent to 6.492514 Mexican pesos.

Get unlimited access to all The Law Reviews content