In brief

The amendments to the Law that oblige financial institutions to obtain and store real-time geolocation of clients' mobile devices went into effect in a staggered manner and by sector As of 21 March 2021. The National Banking and Securities Commission (CNBV) will verify that financial institutions comply with this measure. Financial institutions found to be in non-compliance will be subject to the corresponding sanctions.


In depth

The amendment to the general provisions of Article 115 of the Law of Credit Institutions seeks to comply with international standards to combat money laundering and terrorist financing. Several countries and international organizations, including the World Bank and the International Monetary Fund, have also recognized these standards. By implementing and recognizing the standards, Mexico is in compliance with the international commitments derived from the Financial Action Task Force (FATF), especially with the "Guide on Digital Identity" published by the FATF in March 2020.

Financial institutions will collect real-time geolocation of devices to obtain information on geographic zones at the time of executing non-face-to-face transactions carried out on the customer's device and whose location is unknown. The CNBV will verify that financial institutions comply with this measure. Financial institutions that fail to comply, as well as with any obligation regarding the prevention of money laundering and financing of terrorism, will be subject to the corresponding sanctions.

The measures apply to the following Financial institutions:

  • Investment advisors
  • Money transmitters
  • Multiple purpose financial companies
  • Credit institutions (Banks)
  • Brokerage and exchange houses
  • Savings and loan cooperatives
  • Popular financial companies
  • Investment funds
  • Credit unions

Recommended actions

In accordance with the provisions of the Federal Law for the Protection of Personal Data held by Private Parties (FDPL), any private individual or legal entity that decides on the processing of personal data is obliged to inform the data subjects of the personal data collected and its purposes through a privacy notice.

In this sense, we recommend to verify that all privacy notices addressed to customers of financial institutions comply with the information requirements. Fines of up to one million dollars may be applied in case of non-compliance.