Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
The Law to Regulate Financial Technology Institutions and its ancillary regulations intend to regulate products and services rendered in Mexico. It is yet to be seen whether regulatory policy becomes a barrier of entry for new players or whether it is reasonable; nonetheless, it is expected that on issuance of ancillary regulation, many currently operating financial technology institutions (FTIs) will not survive.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
Previous reforms to commercial regulations provided three key elements to make electronic transactions (including peer-to-peer lending) reliable:
- electronic signature – the law requires electronic signatures to contain specific information, passwords and keys to verify that the corresponding party is validating the transaction and avoid identity fraud;
- functional equivalence – for legal purposes it is assumed that if a transaction is signed with a valid electronic signature, it has the same validity as if it were executed in paper; and
- evidence in court – information shared through electronic devices at the moment of transaction can be filed as evidence in court, having the same legal and binding effects as traditional paper-backed evidence.
As of April 2018 the only piece of legislation enacted has been the Law to Regulate Financial Technology Institutions. Ancillary regulation will follow in 2018. Following the promulgation of the law:
- the Ministry of Finance must issue:
- the general rules for the operations of FTIs (eg, mechanisms to prevent money laundering and reporting obligations to authorities, internal committees and internal or external audits) within six months; and
- the rules for granting temporary authorisations to sandbox companies within 12 months;
- the Banking and Securities Commission (CNBV) must issue within six months:
- general rules for offering crowdfunding services;
- rules for minimum capital requirements for FTIs; and
- rules for filing for the authorisation to operate as an FTI; and
- the Central Bank must issue the rules for operating with cryptocurrencies within six months.
Which government authorities regulate the provision of fintech products and services?
Several government authorities will regulate the provision of fintech products and services:
- The CNBV will regulate the authorisation process for fintech businesses (eg, electronic fund institutions and collective financial institutions);
- The Central Bank will regulate:
- the operation and activities of electronic fund institutions;
- certain operations performed by the collective financial institutions; and
- operations with virtual assets (ie, cryptocurrencies).
- The National Commission for the Protection of Financial Services Users (CONDUSEF) will regulate contract templates to be used by FTIs and management processes for legal claims in disputes between FTIs and their clients; and
- The National Commission for Retirement Savings (CONSAR), the CNBV, CONDUSEF and the National Insurance and Bonding Commission (CNSF) will regulate the registry for the regulatory sandbox for innovative technologies, as applicable.
Each of these authorities will issue specific ancillary regulations to fulfil its respective obligations.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
As of now, the following legislation applies to FTIs:
- the Law to Regulate Financial Technology Institutions;
- the Credit Institutions Law;
- the Law to Protect Customers of Financial Services; and
- the Federal Law to Prevent and Identify Activities with Illegal Resources.
Also, ancillary regulation to the Law to Regulate Financial Technology Institutions is to be enacted by several government authorities, including:
- the Central Bank;
- the CNBV; and
- the CNSF.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Under the Law to Regulate Financial Technology Institutions, all fintech businesses require licensing. New fintech businesses must obtain authorisation from the CNBV. Fintech businesses currently operating may continue to do so but will need to obtain proper authorisation as new regulations are promulgated. A regulatory sandbox has been provided for new technologies (with the exception of crowdfunding and electronic payment funds). Regulatory sandbox status may be granted by the CNBV with a temporary authorisation to operate without fully complying with all applicable requirements.
Are any fintech products or services prohibited in your jurisdiction?
No. With the recent enactment of the Law to Regulate Financial Technology Institutions, fintech services and products such as crowdfunding services, electronic payments and operations with cryptocurrencies will be authorised under Mexican law.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
Pursuant to the General Law to Protect Personal Data in Possession of Individuals, FTIs must put in place mechanisms to protect any information received from their individual clients, including posting privacy notices on their websites and platforms. FTIs may share information only in the cases specified in their privacy notices or in specific circumstances (eg, providing information to parent companies or subsidiaries, or providing information to authorities due to public interest or a court ruling). These obligations are not exclusive to FTIs but apply to all private entities receiving information from individuals. Under the Law to Regulate Financial Technology Institutions all information regarding an FTI’s activities and clients must be treated as confidential and may not generally be disclosed to any third party.
What cybersecurity regulations or standards apply to fintech businesses?
No cybersecurity regulations are presently applicable to fintech businesses or services. Nevertheless, the Law to Regulate Financial Technology Institutions provides that its ancillary regulation may include provisions regulating the use of electronic equipment and automated data processing systems by FTIs. FTIs will most likely have to report certain information to the CNBV, CONDUSEF and the Central bank in connection with their activities and operations. Appropriate regulation will be issued within six months of publication of the Law to Regulate Financial Technology Institutions, which took place on March 6 2018.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
Pursuant to the Federal Law to Prevent and Identify Activities with Illegal Resources, financing not granted by financial institutions (including financial non-bank institutions) is now considered a ‘vulnerable activity’ (ie, an activity that is vulnerable to money laundering). Therefore, FTIs focused on peer-to-peer lending must obtain certain personal information from borrowers, including information regarding their partners or shareholders if the borrower is a corporation. FTIs doing peer-to-peer lending must file periodic notices to the tax authorities, including information about the borrowers and the FTI, as well as a brief description of the vulnerable activity. Failure to comply with such provisions may result in penalties for the FTI.
The Federal Law to Prevent and Identify Activities with Illegal Resources and the ancillary provisions issued by the Ministry of Finance require other FTIs (including those focused on alternative financing platforms, electronic payments and cryptocurrencies) to issue measures and procedures to detect acts or omissions in connection with illicit activities such as financing terrorism (as defined by the Federal Criminal Code). FTIs must submit to the CNBV their measures and procedures pursuant to the terms, conditions and requirements set in the ancillary provisions. They must also develop and implement a methodology to carry out risk evaluations for occasions in which third parties might use them to perform acts or omissions in connection with illicit activities.
What precautions should fintech businesses take to ensure compliance with these provisions?
Pursuant to the Law to Regulate Financial Technology Institutions, FTIs must have extensive internal policies describing the information that must be obtained from their clients and ensure that their employees comply with these policies. Further, FTIs dedicated to peer-to-peer lending must provide periodic notice to the tax authorities as specified in the Federal Law to Prevent and Identify Activities with Illegal Resources.
Also pursuant to the ancillary provisions to be issued in this respect, FTIs may be required to comply with reporting obligations and establish measures and procedures to detect acts or omissions in connection with illicit activities such as financing terrorism (as defined in the Federal Criminal Code).
What consumer protection laws and regulations apply to the provision of fintech products and services?
Fintech products and services must comply with:
- the provisions of the Law to Regulate Financial Technology Institutions that cover consumer protection (eg, the obligation to provide clients with receipts of each operation made or account statements proving such operations); and
- the general provisions of the Law to Protect Customers of Financial Services (eg, the obligations to keep information received from customers confidential and – especially – the provisions regarding operations made though electronic means).
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
Based on the Law to Regulate Financial Technology Institutions and the current regulations, there are no competition regulatory concerns that apply specifically to fintech products or services.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Click here to view the full article.