In recent years, Mexico has been rated by private institutions(1) as having one of the highest rates of credit card fraud in the world. The number of claims in this regard has rapidly increased and despite preventative efforts, the reported number of cases is still high. In 2016 more than 78,000 identity theft claims were filed before the National Commission for the Protection and Defence of Financial Services Users.

Certain Specialised Electoral Prosecutor employees have argued that the number of cases involving credit card fraud is so high because official identification cards can easily be obtained using false documents if the criminals are assisted by the National Electoral Institute.

At present, identity theft is prosecuted as criminal fraud under the Federal Criminal Code. However, a bill which will introduce special rules and distinguish identity theft from fraud has been approved by the House of Representatives and is now undergoing review by the Senate. This bill contemplates a penalty of one to six years in prison and a fine of 400 to 600 times the minimum daily wage for persons found guilty of identity theft.

According to the Financial Institutions Bureau, the banks which received the highest number of complaints regarding credit card fraud during the first quarter of 2017 were:

  • BBVA Bancomer – which received more than 5,000 claims;
  • CitiBanamex – which received more than 3,000 claims; and
  • Santander – which received more than 2,900 claims.(2)


On August 29 2017 the National Banking and Securities Commission published the Resolutions that Modify the General Rules Applicable to Credit Institutions in the Federal Official Gazette. These resolutions require credit institutions to verify information and documentation filed by users and customers with different government bodies in order to assure the identity of each prospective customer.

The modified rules provide the criteria for customer identification. These so-called 'know-your-customer' guidelines are independent from existing anti-money laundering regulations.

The modified rules are divided into:

  • Section A – which contains provisions regarding the identification and performance of on-site transactions;
  • Section B – which contains provisions regarding identification means for remote transactions; and
  • Section C – which contains supplementary provisions regarding the general identification of transactions.

Section A Section A targets the identification and performance of on-site transactions. For these purposes, the modified rules introduce different requirements for the performance of identification duties by national and foreign individuals. They also include several additional requirements which apply depending on the account level (the criteria for establishing an account level depend on the account balance and transactional amounts).

Under Section A, customers must provide:

  • a valid form of identification (voting cards or passports are preferred for national individuals, while passports must be provided by foreign individuals);
  • their Unique Population Registry Code;
  • their mobile phone number; and
  • their email address.

Foreign individuals must also provide all documents needed to evidence their legal stay.

Financial institutions can propose different validation methods to those established in the regulations – which make explicit reference to biometric methods (eg, fingerprints) – provided that they obtain prior authorisation from the regulator. The regulator will grant authorisation on a discretional basis after the financial institution has provided evidence that the method:

  • is adequate; and
  • can validate information against the Mexican authorities' registries.

Finally, Section A requires financial institutions to:

  • keep copies of certain documents as a compliance measure;
  • provide training to their personnel; and
  • perform validation duties before any transaction becomes effective.

In the event that a financial institution fails to perform its validation duties, it will become liable for any unrecognised transactions.

Section B Section B targets the identification and performance of remote transactions. The transactions that can be performed through this means are restricted to national individuals and several limitations apply regarding the amount of such transactions.

To identify a customer remotely, the financial institution must have prior authorisation from the regulator and ask the individual to send an identification form via electronic means, along with a photograph and a form of identification. The identification form will include general information regarding the customer in accordance with the know-your-customer standards and must include the customer's consent for having his or her voice and image recorded.

On receipt of the form, the financial institution must perform its validation duties in order to verify the individual's identity. Once validation has been substantiated, the financial institution will inform the customer of how to continue the proceedings through real-time communications and must record the customer at all times.

Institutions must have adequate means for transmitting and keeping any information and files generated during remote proceedings. Section B sets out several instances in which a transaction must be suspended in order to ensure the security of the process.

As in Section A, Section B enables financial institutions to propose different validation methods to the ones established therein, provided that such methods are approved by the regulator before their application. The regulator will grant authorisation on a discretional basis after the financial institution has provided evidence that the method:

  • is adequate;
  • can validate information against the Mexican authorities' registries; and
  • will ensure data sharing.

Under the applicable regulation, financial institutions must state in their agreements that they will become liable for any unrecognised transactions in the event that they fail to perform their validation duties.

Section C Section C establishes supplementary provisions for the general identification of both on-site and remote transactions. Financial institutions must collect and maintain records of the branch where and the date on which each on-site transaction is executed. Further, they must preserve information regarding the authorising officer of both on-site and remote transactions.

Unless explicitly opposed by customers, financial institutions must provide immediate phone or email notifications to customers regarding any:

  • withdrawals;
  • product or service hire; or
  • execution of transactions described in the regulations.

These notifications must include information regarding the time, location and description of the operation that was performed.

Finally, financial institutions must develop and maintain an electronic register of all customer reports regarding the unrecognised opening of saving or deposit accounts, the provision of credit or any other transactions described in the resolutions.

For further information on this topic please contact Federico de Noriega Olea, Maria Aldonza Sakar Almirante, Juan E Lizardi or Carlos Romero at Hogan Lovells BSTL by telephone (+52 55 5091 0000) or email (,, or The Hogan Lovells website can be accessed at


(1) Aite, "2016 Global Consumer Card Fraud: Where Card Fraud is Coming From", available here.

(2) More information is available here.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.