The Financial Technology Law Review: Mexico
The fintech industry is strong in Mexico. The enactment of the Law to Regulate Financial Technology Institutions (the Fintech Law) and technology-related amendments to several other financial laws, published on 9 March 2018, have generated trust and a sense of legal certainty in fintech and other technology start-ups in Mexico and Latin America. With a low percentage of the population having access to a bank account, the Fintech Law has enabled new participants to increase the offer of financial products and services across the country, providing financial inclusion.
The global commercialisation of products and services in general, and financial services in particular, has been affected by a technology-driven radical transformation. This trend resulted in the financial industry updating the technology within its regulated and supervised environment, as well as in the creation of newer business models that were not addressed by the existing financial legal framework.
Consumer interest in these newer models triggered the drafting of a law that would provide regulation, supervision and certainty and that welcomes sophisticated and institutional investment in a growing industry. An exponential increase in the use of cryptocurrencies, the adoption of blockchain technologies and the proliferation of shared economy models and peer-to-peer financial services were some of the factors that were considered in the bill. On the other hand, regulators needed a legal framework that mitigates risk, protects consumers and allows expansion in a competitive environment.
As it stands today, the fintech environment in Mexico is regulated by legislation that relies heavily on financial inclusion and innovation, consumer protection, preservation of financial stability, anti-money laundering and countering financing of terrorism.
The Fintech Law introduced the following products to the Mexican market:
- crowdfunding: the creation of specific entities (crowdfunding institutions (IFCs)) that would serve as marketplaces for peer-to-peer lending, equity crowdfunding and co-investments in assets;
- e-wallets: the creation of specific entities (electronic payment fund institutions (IFPEs)) that would allow the collection of funds in Mexican pesos, foreign currency or digital assets2 from the general public and would hold those funds in custody on behalf of clients, making payments, acting as money transmitters and serving as crypto marketplaces;
- open finance rules: rules under which regulated financial institutions must share information on products and services, aggregated statistical information or client transactional data through standardised application programming interfaces (APIs); third-party providers would be licensed to access these APIs;
- virtual assets: the Fintech Law provides a definition for virtual assets and allows certain institutions to transact with these assets, subject to secondary regulations issued by the central bank; and
- regulatory sandbox: the Fintech Law introduced a regulatory sandbox through which an entity may request a temporary exemption to specific regulations, to test a given innovative model in a controlled environment.
In addition to the Fintech Law, other financial laws have been amended to implement the following models:
- electronic signatures: wording was added to financial laws to allow the use of electronic signatures in financial services. Onboarding regulations were also updated to document a process for remote onboarding;
- robo-advisers: regulators are now able to amend secondary regulations to allow licensed financial advisers to automate advisory and asset management;
- money transmitters: IFPEs are now allowed to render money transfer services; and
- transparency and consumer protection: transparency and financial consumer protection laws were updated to consider IFCs and IFPEs and to acknowledge a digital onboarding and user experience.
Financial technology institutions
As a general rule, financial services are rendered in Mexico by entities that are incorporated under Mexican law and are registered or authorised, or both, to operate as such. Registrations and authorisations for financial entities are granted or sanctioned by the National Banking and Securities Commission (CNBV) or the Mexican central bank (Banxico).
The Fintech Law introduced two specific entities authorised to carry out fintech services: IFCs and IFPEs (jointly referred to as financial technology institutions (ITF)). IFCs are authorised to carry out crowdfunding activities and to serve as a marketplace for peer-to-peer lending, equity crowdfunding and co-investments in assets. See Section IV.ii for a detailed discussion of IFCs and their operations.
IFPEs, on the other hand, are authorised to collect funds in Mexican pesos, foreign currency or digital assets from the general public, to hold those funds in custody on behalf of clients, to manage e-wallets, to make payments, to act as money transmitters and to serve as crypto marketplaces. IFPEs may also issue debit cards and can participate in payment networks. See Section IV.iii for a detailed discussion of IFPEs and their operations.
ITF authorisations (for both types of entities) are granted to Mexican corporations after:
- the entity's business plan, compliance manual, operating manual and technology infrastructure have been vetted;
- minimum capitalisation requirements have been secured; and
- the corporate governance and ownership structure have been approved, among other requirements.
Investment advisers and asset managers
Investment advisers and asset managers must be registered with the CNBV. Registration is granted to advisers that meet the requirements, which include a credit history check, certification from an industry association and completion of a compliance and anti-money laundering policy. Within the fintech amendments to financial laws, the CNBV was given authority to regulate robo-advisers specifically. These rules have not been issued yet; however, several investment advisers have pursued a digital business approach using traditional investment adviser and asset manager regulations.
The overview of marketing regulations is diversified depending on the specific matter at hand. Regulation, as a whole, is best described as seeking to protect the end user and sets clear boundaries in terms of exaggerated claims, comparative claims, absolute claims and the types of services that can be advertised and where they can be advertised.
Marketing, advertising and soliciting rules are allocated in: (1) the specific financial law or regulation directly governing the entity or regulated financial service; (2) legislation, regulations and guidelines related to consumer protection and marketing in the financial sector; and (3) legislation, regulations and guidelines related to personal data protection, as financial entities in general, and ITFs in particular, are usually considered as controllers of their clients' personal data. These jointly have the intent to protect the end user and comprise the following five guiding principles:
- all online transaction advertising strategies must provide consumers with clear and sufficient information about the services offered;
- suppliers have the obligation to render services as advertised, offered or implied in the advertising or marketing information;
- promotions or offers must be respected;
- suppliers must be capable of demonstrating the veracity of the information used in their communications and substantiate any claims; and
- advertising communications that are misleading or abusive are prohibited (i.e., those that 'refer to characteristics or information related to a good, product or service, real or unreal, that induce a consumer to error or confusion, due to the inaccurate, false, exaggerated, partial or contrived way it is presented').
Financial laws and regulations typically include a restriction under which words that refer to a specific financial product or service (i.e., credit, savings, banks, fund, etc.) may only be used in corporate names, publicity, advertisements, interfaces, computer applications, internet applications, internet websites or any other means of electronic or digital communication, by the financial entity that is legally authorised to provide the product or service. The Fintech Law reserves the term 'fintech' specifically for ITFs, which generates confusion with all other entities that provide technology to the financial market but that do not necessarily carry out the services of an IFC or an IFPE.
Within the rules set out in financial consumer protection laws, we note the following requirements.
- All information and advertisement in connection with goods, products and services that are disseminated through any means have to be truthful, ascertainable or measurable, clear and with no text, dialogue, sounds, images, trademarks or other deceitful or abusive descriptions that create or may induce error because they are misleading or abusive.
- Terms and conditions of promotions are considered as standard contracts and would need to comply with specific requirements set forth in law and may not include disproportionate duties for consumers, unfair or abusive obligations or any other clause or text that violates the provisions of financial consumer protection laws.
- Product information and the respective advertising need to be in Spanish with prices given in Mexican currency, in understandable and readable terms according to the general system of units of measurement.
- The publicity of promotions and offers needs to include statutory disclaimers, and any consumer that meets the applicable criteria will have the right to obtain the applicable promotion or offer.
- Marketing may be restricted from being delivered to consumers enrolled in a specific consumer protection list.
- Any terms that restrict or limit the use of a good or service must be set out clearly, truthfully and unambiguously.
- ITFs are obliged to communicate through the means by which they contact their clients that they are authorised, regulated and supervised by the financial authorities.
iii Cross-border issues
Aligned with the trend for laws in Mexico, the Fintech Law and the other legislation that regulates the financial services and fintech industry are very protective of Mexican consumers and inexperienced investors. As such, while recent years have seen less restrictive regulation on foreign participation in financial markets (for example, removing foreign-ownership participation limits in banking institutions),3 the catalogue of activities that financial entities can carry out without a local presence is, for the most part, very limited.
Foreign banks, for example, can participate in Mexico through two different vehicles: representation offices, which may only carry out basic activities, mostly restricted to providing their customers with information on the types of products offered by their (foreign) parent company (but not offering the credit products themselves); or branches, which, by their nature, are locally incorporated subsidiaries of foreign banking entities.
Following a similar protectionist approach, the early development of fintech services in Mexico has been marked by the necessity for regulated activities to be carried out by locally incorporated ITF entities. Both types of ITF entities must be incorporated under Mexican law, have a corporate domicile in any state within Mexico and have a physical office within the national territory.
Foreign fintech companies may actively participate in regulated activities in Mexico only to the extent that they partner with local regulated entities. Individuals in Mexico may not be targeted by offshore entities, and no active advertising or offering of financial products or services may be carried out by offshore entities in Mexico.
Finally, it is worth mentioning that, while there are no currency control mechanisms in Mexico, Mexican parties may discharge their obligations in any currency (including foreign currency) by paying any sums in Mexican currency at the rate fixed by Banxico on the date the payment is made.
Digital identity and onboarding
i Digital identity
Although there is no generally recognised digital identity in Mexico, applicable law recognises an 'advanced electronic signature' that could be considered a partial digital identity scheme. The term 'electronic signature' is defined in the Commerce Code as data in electronic form affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained therein. Electronic signatures have the same legal effect as a handwritten signature and have probative value.
Notwithstanding the above, the Commerce Code differentiates between an electronic signature and an advanced electronic signature. As an example, user identifications and passwords or digital signatures are considered electronic signatures but not advanced electronic signatures.
The Commerce Code considers that an electronic signature qualifies as an advanced electronic signature if it complies with specific requirements, which are only currently met in Mexico if a certified services provider (PSC) issues the signature. PSCs are private companies, notaries public, public brokers and certain public institutions that are duly authorised by the Ministry of Economy to serve as a PSC (e.g., the Tax Administration Service (SAT)).
The most common advanced electronic signature is the e.firma, developed initially by the SAT for tax matters and proceedings with the authorities, but, in late 2016, the Mexican Federal Tax Code was amended to allow private use of the e.firma by individuals, for signing electronic agreements. In theory, PSCs can develop advanced electronic signatures that could be issued for any individual (even non-Mexican citizens or residents).
Advanced electronic signatures are generally acceptable for the execution of commercial transactions. An exception would be transactions that require a specific form by statute.
Mexican regulators have strategised a legislative agenda around the notion of financial inclusion and overall growth of users of financial services. As a direct result of this, financial service providers are permitted to carry out fully digitised onboarding of clients as long as the onboarding process is reviewed and authorised by Banxico or the CNBV, or both. Fully digitised onboarding of clients without prior approval has led to significant sanctions by the CNBV.
For most financial entities, ITFs included, regulation provides different levels of requirements directly related to the risk and transaction level of the customer and its activities. For customers and transactions that are considered low risk (sometimes limited to low monthly or one-off transactions), onboarding may be cleared and confirmed remotely, and the information and documentation to be collected is kept at a minimum. However, if the risk level is considered anything other than low, the client can only partially onboard pending review of their information, and the service provider must inform the client that they cannot partake in any operations on the platform until the onboarding process is complete.
In addition to a fully digitised onboarding experience, rules for financial entities have also been updated to allow a fully digitised user experience whereby customers may perfect transactions entirely through digital outlets (including the origination of loans).
Digital markets, payment services and funding
i Digital markets
Unlike other aspects of Mexican regulation, the innovations in Mexico's regulatory framework have not significantly impacted the rules governing digital marketplaces, which historically has been a field of little interest to federal or local legislators or regulating authorities (with the exception of a marketplace for cryptoassets, which is described in more detail below). Electronic commerce is only briefly regulated in general commercial and consumer protection legislation as well as by a specific regulatory document known as a Mexican Rule, which, unlike an Official Mexican Rule, is of voluntary compliance, and provides limited content that would impose any relevant obligations on sellers or marketplace service providers. Notwithstanding the above, general commercial and consumer protection legislation would still be applicable to all businesses and individuals, including electronic commerce.
While digital marketplace activities are not regulated, activities within marketplaces facilitating the sale and purchase of virtual assets are regulated, and provide an institutional fiat gateway for individuals in Mexico interested in holding virtual assets, as further described in subsection iii.
Crowdfunding activities are offered through IFCs, and may be offered as peer-to-peer lending, with investors granting loans to recipients, equity crowdfunding, with investors purchasing equity interests in recipient corporations, or co-investments in assets and project funding, with investors and recipients entering into joint ventures through which the investor purchases an interest in a current or future asset or in the income or proceeds from a project offered by the recipient.
IFC platforms must provide, among other requirements, disclosure on the selection of recipients and projects and the terms followed for the due diligence of these and a risk profile of the investments, including details on the repayment of loans, formalisation of the transactions and a report to credit information companies.
Applicable law provides limits to the transactions that may be offered through IFC platforms. These limits include a maximum amount that may be requested by recipients and the maximum amount that may be invested by a single investor.
Agreements entered into by IFCs with users, both investors and recipients, must comply with financial consumer protection laws aimed to provide transparency and certainty to all parties involved. Fees and costs must also be clearly disclosed and approved by the CNBV.
iii E-money and e-wallet
The issuance of e-money and the management of e-wallets is entrusted to IFPEs. Clients, individuals and entities are authorised to fund their IFPE accounts with Mexican pesos, foreign currency or digital assets.4 The IFPE would then manage a ledger of its clients' accounts. Amounts held in the accounts may be used by clients to make payments to any third parties (which may be processed by the IFPE, which is entitled to collect a fee), to act as money transmitters sending money to any beneficiary located in Mexico or offshore, and to serve as a crypto marketplace. IFPEs may also issue debit cards to their users to allow access to the amounts deposited in clients' wallets.
As it relates to cryptoassets, the Fintech Law has included the potential to designate IFPEs as a legal fiat gateway. As such, an IFPE would be able to 'put third parties in contact with one another with the purpose of buying, selling, or in any other way transferring virtual assets' and would 'buy, sell or, in general, transfer virtual assets on their own behalf or on behalf of their clients'. IFPEs would also hold virtual assets serving as a crypto wallet. Although the Fintech Law introduced these activities for IFPEs, Banxico issued a virtual asset regulation on 30 September 2020, which severely restricts the use of virtual assets, limiting this to internal transactions of IFPEs and banks only.
iv Open finance
Mexico, through the Fintech Law, has provided for an open finance rule under which entities subject to compliance with API technical requirements may request from any Mexican financial entity (and the entity is obliged to provide) information on products and services, aggregated statistical information or client transactional data (when authorised by the user).
At the time of writing, the regulator in charge of issuing the rules governing the APIs needed to allow for open banking has only defined the characteristics that these APIs need to comply with to allow third parties to receive open financial data (i.e., data that contains no personal information, such as details of products and branch locations), and therefore, financial institutions are not yet obliged to share more in-depth information with third parties. Future developments are expected to allow more sophisticated open-finance services, allowing, for example, customers of several financial institutions to see their aggregate balances or track their global expenses on a single app.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
Mexico's approach to regulating cryptocurrencies can be both highly technical and yet still lack clear-cut answers to relevant aspects of digital technology.
Blockchain, as a technology, is not regulated in any manner. There are no references to decentralised ledgers or other characteristics of the technology itself; instead, the regulatory focus has been placed on 'virtual assets', a rather limited concept, defined as 'a representation of value that is recorded electronically and used among the public as a payment method for any kind of legal transaction and which can be transferred exclusively through electronic means'. As this description is clearly based on the characteristics of cryptocurrencies in general, it currently fails to encompass the more modern application of blockchain technology, most notably, non-fungible tokens.
The regulation of virtual assets has been assigned to Banxico. Although the Fintech Law introduced several models to allow an institutional approach to virtual assets, on 30 September 2020 Banxico issued restrictive regulations limiting all virtual asset activities by financial entities to internal activities that require prior approval from Banxico. This approach has been, for the most part, aimed at allowing the use of virtual assets by the general public, but limiting adoption and use by financial institutions. Banxico, through non-binding opinions, has expressly stated that 'notwithstanding the fact that regulations have limited ITFs and banks from offering users virtual assets services, the regulations do not limit commercial companies to offer services related to virtual assets'.5 Private parties could, for example, price services rendered to each other in virtual assets; or crypto exchanges could be incorporated without needing the authorisation of any regulator (provided that these parties do not operate a fiat gateway to avoid triggering a restriction on the collection of deposits, and that they only buy and sell virtual assets on their own behalf and do not serve as a virtual asset marketplace).
A particular aspect where the current legal framework has been mute is the use of virtual assets as securities. Initially, securities in Mexico were regulated by the Securities Market Law, which defines a security as:
[t]he shares, obligations, bonds, optional titles, certificates, promissory notes, letters of exchange and other named or unnamed negotiable instruments, whether recorded or not in a registry, susceptible to circulation in securities markets, issued in series or in mass and that represent the stock of a company, a part of an asset or the participation in a collective credit or any individual right, in terms of applicable local or foreign laws.
While this would give the impression that virtual assets could, in some cases, serve as securities, Banxico holds the (non-binding) opinion that any virtual asset representative of an underlying asset (shares, bonds, etc.) is not really a virtual asset (without clarifying what the digital value representation would be).6 While this definition is different to the one provided by the Fintech Law, it sheds light on the opinion Mexican regulators hold on the use of virtual assets as tradeable securities.
From an anti-money laundering/counter-terrorist financing perspective, in early 2018 the Mexican Federal Law to Prevent and Identify Operations with Illicit Resources was amended to specifically foresee certain cases in which operations with virtual assets could be considered vulnerable activities, and thus subject to notices to Mexican authorities. This amendment was heavily based on international standards; in particular, the Financial Action Task Force's Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
Finally, it is worth noting that, from a tax standpoint, virtual assets are seen by the Mexican tax authorities as no different to other assets; therefore, any sale of digital assets would be subject to the same general income tax and value added tax provisions of other moveable assets.7
Other new business models
The current fintech ecosystem, and the legal and regulatory environment created by the Fintech Law, allows for multiple innovations in financial business.
Open finance rules, while still limited, offer a wide range of possibilities for third-party companies to offer integration of financial services to clients. Comparison websites now have full access to the available financial products and services, and are no longer limited to private negotiations with individual institutions aiming to share details on products and services. These companies must still consider guidelines issued by consumer protection bureaus in connection with the comparison of prices, products or services and the legal issues related to the use of intellectual property owned by the companies that commercialise those products.
Smart contracts and self-executing contracts, although generally permitted in commercial transactions subject to certain conditions, have a longer road ahead. Confidence and trust in digital agreements is still low among the general population, and justice and administrative authorities are not well versed in these engagements.
Intellectual property and data protection
As a matter of law, business models and software (unless these are integrated into hardware) are not patentable in Mexico. The most adequate protection for software is available through copyright; however, in Mexico, as in many other jurisdictions, the registration of a work only recognises authors. Nevertheless, to initiate infringement actions against third parties, prior registration of the work with the National Copyright Office is recommended.
Because Mexican law recognises moral rights (droit moral), it is very important to have the documentation that supports ownership of the moral and economic rights. Moral rights cannot be owned by an entity and must be allocated to the individual that created the work. A common way of documenting this scheme is through labour employment agreements, assignment agreements and work-made-for-hire agreements, which would determine compensation; each of these has its own formalities and requirements.
As a general rule, the person or entity that commissions a piece of work from a third party should be the owner of the economic rights derived from the work. However, if the work is developed under a labour employment agreement, it must be specified that the economic rights belong to the employer, otherwise half of the rights would belong to the employer and half to the employee. When it comes to software development, the rights are owned by the employer, regardless of the specification in the labour employment agreement.
As for data protection, applicable law regulates the protection of clients' personal data (as data subjects) and the processing of their information for any purpose, including marketing purposes, by ITFs (as controllers).
The most important rules are the following:
- ITFs must inform clients of the purpose for acquiring and processing their personal data, including marketing purposes, by providing them with a privacy notice that must comply with specific requirements set forth in the Mexican Data Protection Law; excluding certain exceptions, ITFs must obtain clients' consent for processing their personal data as per the terms of the privacy notice;
- if ITFs use a client's personal data for marketing purposes, the ITFs must implement a mechanism that allows the client to reject the use of his or her information for that purpose, which should be described in the privacy notice and available to clients from the moment the ITF publishes its privacy notice;
- ITFs must process clients' personal data exclusively on the terms of the privacy notice; and
- if ITFs 'communicate' personal data to third parties (either processors or controllers), they need to comply with specific requirements set forth in Mexican personal data protection regulations.
If digital profiling is to be carried out, it should be included in the privacy notice as one of the stated personal data processing purposes. A controller must also inform data subjects, through a privacy notice or any other applicable means, when this profiling is carried out through an algorithm, with no human involvement.
Year in review
Prior to the enactment of the Fintech Law, several companies carried out activities that were unregulated but are now regulated, and were thus temporarily grandfathered into the Fintech Law. All grandfathered companies were required to formalise their activities and make them compliant with the Fintech Law and other applicable regulations. Over the past 18 months, regulators have been reviewing fillings by both grandfathered companies and new players seeking authorisation to incorporate an ITF. Authorisations have been issued slowly, and the regulators have been particularly cautious with entities that are not yet operational.
During this compliance window, authorities have also rejected formal authorisations for grandfathered companies where they considered that the grandfathered models were non-compliant with the Fintech Law. These rejections are followed by a business wind-up order, under which the rejected entity is no longer able to carry out any new business and must terminate all existing business with its current customers. This has been achieved through several methods, including the assignment of clients to a regulated entity or substantial changes to business models whereby the regulated activity is no longer offered to customers.
Outlook and conclusions
The progress in fintech regulation in the past few years and the growth of the fintech sector in Mexico is evident. The ambitious models that are introduced in the Fintech Law, the increased demand for digital products, and a growing globalisation of services, have served as fertile ground for the sector in Mexico. With new products and services being continually offered by multiple start-ups, and with an increasing number of investors and institutional fintech companies investing in Mexico, we anticipate that the market will continue to grow.
Consolidation through mergers and acquisitions is expected, not only with venture capital investments, but also with big purchases by the traditional financial sector players to introduce innovation to their portfolio.
As to the regulators, certain adjustments to secondary rules are anticipated. Some initial rules and interpretation by regulators are now viewed as too conservative, ineffective and excessively burdensome. Careful amendments to the rules could trigger quicker and more confident investments in the local market.
1 Daniel Guaida Azar is a partner and Lucía Fernández González is a counsel at Gonzalez Calvillo, SC. The authors wish to acknowledge the participation of Emilio Hugues, associate at the firm, for his extensive collaboration.
2 Certain conditions apply to determine the funding options available to each type of client.
3 Notwithstanding, there are still limitations on foreign governments directly or indirectly investing in financial entities, subject to very specific exceptions.
4 Certain conditions apply to determine the funding options available to each type of client.
5 Mexican Central Bank, Regulatory Actions by Banco de Mexico: Regulation regarding operation with virtual assets by Financial Technology Institutions and Credit Institutions, www.banxico.org.mx/sistemas-de-pago/6--acciones-regulatorias-po.html (last visited 9 February 2022).
6 Banxico, Definition of Virtual Assets, www.banxico.org.mx/sistemas-de-pago/1---que-es-un-activo-virtua.html (last visited 9 February 2022).
7 Federal Taxpayer Defence Bureau, Declarable incomes related to cryptocurrencies, www.prodecon.gob.mx/Documentos/bannerPrincipal/2021/CRIPTOMONEDAS.pdf (last visited 9 February 2022), pp. 3, 4.