Principal Legal Framework
The principal laws governing the banking sector in Mexico are as follows:
Although banks are heavily regulated, the most relevant regulations concerning their operations are as follows:
The principal authorities responsible for supervising banks in Mexico are:
The organisation and operation of a bank in Mexico requires authorisation from the Commission. Prior to granting the authorisation, the Commission must have a favourable opinion of the Central Bank of Mexico with regards to the project. The granting of a bank authorisation is a discretionary authority of the Commission, and such authorisations are non-transferable.
Foreign banks are not allowed to provide banking and credit services through locally established branches, but rather need to establish a subsidiary.
Types of Authorisations
Outside of development banks, which are owned by the Federal Government, the Banking Law provides for two types of bank authorisations:
There are very minor differences between these two licences with regard to their corporate organisation, activities and regulation. However, the quantity of information required from the owners of an affiliate bank in the process of authorisation is significantly reduced. Affiliate banks are owned and controlled by a bank established in a foreign country that has entered into a treaty with Mexico. This treaty must contain a provision allowing for the establishment of affiliate banks.
Activities and Services Covered
Article 46 of the Banking Law sets forth a comprehensive list of activities that banks are allowed to perform (including active and passive transactions and financial services). Banks must include in their by-laws the list of activities that they intend to perform. The minimum equity capital requirement for each bank will depend on the activities included in its by-laws. Bank regulations establish three different predefined sets of permitted activities that banks can elect to include in their by-laws, as follows:
Any other combination of permitted activities requires the bank to have the same minimum equity capital as that of the banks that elect to include all of the permitted activities in their by-laws.
The most significant restrictions for banks are the prohibition on acting as underwriters in public offerings of securities and the prohibition on issuing insurance policies.
The process of authorisation is carried out with the Commission and takes between nine and 12 months. Operations usually commence within 18–24 months after the project has started. The authorisation process involves the following stages:
Thereafter, the bank has 90 days to approve the executed deed of its incorporation. Within 180 days of the approval of the deed of incorporation, the bank requests the Commission to authorise its commencement of operations. Such authorisation involves officers from the financial authorities visiting the bank to test its operations.
At this stage, the applicants must pay the Commission a fee of approximately USD39,500 for the issuance of the bank authorisation and a fee of approximately USD125,000 for the authorisation to commence operations.
After receiving the authorisation to commence operations, the bank may start doing business with the public.
The acquisition and transfer of the shares of a bank in Mexico are subject to the following rules and requirements:
Pursuant to the Banking Law, control over a bank is the ability to impose decisions at the shareholders’ meeting, directly or indirectly. This includes the authority to exercise the voting rights of more than 50% of the shares and the authority to direct the administration, strategy and principal policies of the bank, whether through the ownership of securities or through any other legal means.
In addition, the acquisition of shares or the control of a Mexican bank could require authorisation from the Federal Economic Competition Commission for antitrust matters. Likewise, the acquirer should consider the reporting and investment thresholds of the Securities Market Law (Ley del Mercado de Valores) if the shares of the bank are traded in a Mexican stock exchange.
Banks are not restricted from having foreign investors in their equity capital, but foreign governments are only allowed to participate, directly or indirectly, in the stated capital of banks in Mexico in the following circumstances:
Corporate Governance of a Bank
The board of directors is the principal corporate body in charge of the corporate governance of a bank in Mexico. The board of directors must be integrated by no fewer than five and no more than 15 statutory members, at least 25% of whom (rounded upwards) must be independent. Having independent board members is a concept of corporate governance that requires certain board members not to have any professional, business, commercial or family relationship with other directors, the shareholders or other stakeholders of the bank.
The number of officers of the bank that can form part of the board is limited to one third, as long as they are only either the CEO or officers within the two lower levels from the latter. For each statutory director, an alternate director can be appointed, in the understanding that the alternates of independent directors also qualify as independent directors. The board of directors is required to have a meeting at least every quarter and whenever necessary.
The board of directors is required to have certain committees with advisory duties. The bank must have at least an audit committee, a risk committee, a compensations committee (whose functions, subject to complying with certain requirements, may be performed by the risk committee), a communication and control committee (in charge of know-your-customer and anti-money laundering matters) and a related-party transactions committee.
These committees are auxiliary committees to the board of directors, and one or more of their members must be directors. In the case of an audit committee, all of its members must be directors and the majority of them, including the chairperson, must be independent.
The board of directors, at the audit committee’s proposal, is responsible for establishing the objectives and guidelines of the internal control system. The CEO is responsible for implementing the internal control system throughout the organisation. Once implemented, the audit committee is responsible for submitting the organisational chart, the code of conduct, the appointment of external auditors and the evaluation reports of the internal control system for the board’s approval.
The internal audit department, independent of the CEO, is responsible for reviewing the internal control system, both periodically and systematically, while reporting findings and implemented actions to the audit committee.
A bank's financial information and its control systems are reviewed annually by external auditors and comisarios. The latter are persons appointed by the shareholders’ meeting and are in charge of overseeing the performance of the board of directors in connection with the internal control system.
Directors of a bank in Mexico can only be appointed by the shareholders’ meeting. Pursuant to the Banking Law, all directors need to have technical capabilities, honourability, satisfactory business and credit history and ample financial, legal or administrative knowledge. Most directors of banks in Mexico must be local residents.
No person can act as director for two banks, or a financial group holding companies that own banks, at the same time. The director must inform the shareholders' meeting if he or she is the director of another financial entity.
Officers of a bank, including the CEO and all officers within the two hierarchy levels below the CEO, must be residents of Mexico with evidence of at least five years of previous professional experience in positions of high decision-making.
During the processes related to the authorisation of a new bank or to a change of control, the proposed directors, CEO and senior officers of the bank must submit predefined forms and letters for the consideration of the Commission, as well as supporting documentation showing:
Each director and officer will need to sign a letter, addressed to the Commission, with representations as to their honourability and creditworthiness, authorising the Commission to verify all information provided with the corresponding national or foreign authorities.
The Commission has the right to request additional information as it deems convenient, and may approve or reject the proposed appointment at its discretion.
In the ordinary course of business, any appointments of directors or officers must be communicated to the Commission within five business days. In this case, it is the bank that must verify and ensure the compliance of the proposed director or officer with all of the requirements established by law.
The Commission can request the removal of any officer or director that does not comply with the applicable requirements. This can be either at the time of the appointment or at any time thereafter, and the Commission can ban such officers or directors from occupying any positions in the financial sector.
The bank must always open and update, at least annually, a file for each director and officer containing all the information and documentation meeting the applicable requirements.
Banks must permanently implement, maintain and monitor a remuneration system consistent with effective risk management. The purpose of Mexico's banking remuneration system is to ensure that the ordinary and extraordinary remuneration of its employees, administrative departments, control and business areas and other employees takes into consideration the actual and potential risks related to the individual activities of such employees.
The remuneration system must consider all remuneration, whether in cash or otherwise. It forms part of the internal control system and is ultimately overseen by the board of directors, which is advised on these matters by the remuneration committee, chaired by an independent director.
Unusual remunerations that are determined by individual performance or that of a particular department must not consider exclusively the results of the financial year in which the transactions occurred but also the risks and results seen during a reasonably longer period of time. To this extent, performance reviews must be consistent with and based on results adjusted by present and future risks, liquidity, capital costs and other considerably appropriate variables.
The remuneration system must be flexible enough to allow the bank to reduce or suspend the payment of extraordinary remunerations whenever the bank faces losses or whenever the risk impacts are greater than expected.
A bank's remuneration system must be updated every year and must be made available to the public via its webpages. The information displayed must include a thorough description of the remuneration system, including qualitative and quantitative information and a mention of the actual remuneration amount paid during the relevant fiscal year, indicating if such remuneration was fixed or variable, paid or deferred, and in cash, stock, other equity instruments or otherwise.
The AML/CFT framework applicable to Mexico is founded on a risk-based approach. Mexican banks must assess their AML/CFT risks yearly, taking the following elements into consideration:
Identification and Follow-Up of Counterparties
Another AML/CFT requirement for banks in Mexico is the conduct of due diligence and know-your-customer exercises. The scope and degree of these requirements depends on whether they are conducted on:
There are simplified due diligence measures available and exemptions to it according to the client’s risk of AML/CFT. There are banking account levels, which begin with reduced due diligence requirements, subject to lower transactional levels. The permitted transactional level of accounts increases along with the increase in the depth of due diligence requirements. This regulation aims to bolster financial inclusion in the country.
Before COVID-19, banks did not have the widespread ability to start a client relationship remotely. However, the Commission has recently enacted rules that allow banks to remotely execute operations and agreements as long as they verify certain biometric information of customers' IDs against the information in official records held by authorities like the National Electoral Institute (which issues the most commonly accepted photo identification in the country).
Regarding know-your-customer requirements, banks must regularly assess whether their clients have their identifications and documents updated and their transactional behaviour in order to determine the risk they entail to the financial institution.
Banks must maintain internal structures, policies, controls and procedures against financial crime, including the following lines of defence:
Banks must have AML/CFT manuals and training in place, which are regularly shared with the Commission.
Reporting to Authorities
Banks are required to periodically file the following AML/CFT reports:
All these reports have specific thresholds, deadlines and conditions when being filed for the Commission.
Due to the risk of illicit activities between Mexico and the United States, Mexican authorities have implemented restrictions so that Mexican banks are usually restricted in receiving US dollars in cash, except when there is an economic rationale provided in the regulation – eg, receiving funds from legal entities with branches near the border.
The Bank Savings Protection Law (Ley de Protección al Ahorro Bancario) provides for the creation, organisation and functions of the Bank Savings Protection Institute, which is in charge of managing the savings protection fund.
Bank liabilities that are guaranteed by the Bank Savings Protection Institute are mainly on-demand and term deposits, savings accounts and revolving deposits associated with debit accounts, but only up to the amount of 400,000 inflation adjusted units (known as UDIs) per person – or legal entity – per bank (approximately USD139,000).
The deposit insurance to be provided by the Bank Savings Protection Institute to a bank’s depositors will be paid upon determination of the resolution of a bank. Upon payment, the Bank Savings Protection Institute acquires the claim of the depositor against the relevant bank. Any amount not paid by the Bank Savings Protection Institute can be claimed directly by the depositor from the relevant bank.
Obligations of banks in favour of financial entities, companies within the same financial group as the bank, shareholders, board members, the CEO and the officers within the immediately following hierarchy level, general managers and attorneys-in-fact of the bank are not insured by the Institute. In addition, the deposit insurance does not cover:
The deposit insurance is exclusive to bank liabilities and, therefore, does not cover financial products such as mutual funds, insurance products and other liabilities of other financial entities, even if the bank acts as the distributor of such products.
Banks have the obligation to pay ordinary and extraordinary contributions to the Bank Savings Protection Institute as determined from time to time by the governing board thereof. All banks must make monthly ordinary contributions to the Bank Savings Protection Institute in an amount equal to the twelfth part of 0.004 of the bank’s deposits and certain other liabilities. Calculating the standard contribution amount is done by subtracting the following from the total account of each bank’s liabilities:
The Bank Savings Protection Institute may also impose extraordinary contributions on banks, which may not exceed in any one year 0.003 of the deposits of the banks. Extraordinary contributions may be imposed by the Bank Savings Protection Institute when it does not have sufficient resources to satisfy its obligations, given the then-prevailing conditions of the Mexican banking system. Both ordinary and extraordinary contributions, in the aggregate, shall not exceed 0.008 of the liabilities of a bank on any one year.
Bank Secrecy Framework
Banks in Mexico are subject to very strict secrecy rules concerning their customers. Pursuant to the Banking Law, banks in Mexico may not provide any news or information on deposits, bank operations or services, including trusts, to the depositor, debtor, account holder, beneficiary, settlor or principal, their respective legal representatives, or the persons that have been legally authorised to withdraw from the relevant account or to be involved in the corresponding transaction or service.
This secrecy obligation is not related to the reporting obligations of banks with the Commission, the Central Bank, the Bank Savings Protection Institute and the regulators of Mexican banks.
This secrecy obligation will not be considered to have been breached by a bank when information is provided to judicial authorities pursuant to court-issued orders in judicial procedures in which the account holder, settler, beneficiary, trustee or agent is either a plaintiff or a defendant. Furthermore, banks will be exempted from their secrecy obligations and are consequently required to provide information requested by any of the following authorities, typically through the Commission:
Information and documents provided by banks to the authorities in connection with these bank secrecy exemptions may only be used in the proceedings and for the purposes indicated in the relevant request. The persons that acquired knowledge of such information and documents are required to keep them strictly confidential, even if they cease to be public servants. Any breach of this obligation will subject the relevant person to the applicable administrative, civil or criminal responsibilities as provided by law.
In addition, the Banking Law expressly allows the Ministry of Finance and Public Credit, the Commission, the Bank Savings Protection Institute, the Central Bank and the National Commission for the Protection and Defence of the Users of Financial Services, within their respective scope of authority, to give foreign financial authorities any and all information acquired by said Mexican authorities in the performance of their functions. This is provided that the relevant Mexican authority and the relevant foreign financial authority have entered into reciprocity agreements.
In any undue disclosure of bank secrets, the employees and officers of banks responsible for breaches of the secrecy rules and the relevant bank will be requiredto pay for the damages and lost profits caused by such breach.
In addition, non-compliance by a bank with the bank secrecy provisions set out in the Banking Law is considered a serious breach and can be sanctioned with fines imposed by the Commission, ranging from approximately USD130,000 to approximately USD435,000.
Capitalisation of Banks in Mexico
The Banking Law requires banks in Mexico to maintain a regulatory capital, expressed as an index (the capital adequacy ratio – ICAP), which shall in no case be less than the sum of the capital requirements associated with (i) market, credit, operational and other risks incurred by banks in their operation; and (ii) their ratio of assets to liabilities.
The Commission, along with other financial authorities in Mexico, has implemented regulations in order to strengthen the composition of the net capital of banks in a manner consistent with the guidelines set forth in the Capital Agreement issued by the Basel Banking Supervision Committee (Basel III Agreement).
Banks in Mexico are required to maintain a minimum capitalisation index, or ICAP, of 8%. The regulatory capital is comprised of Tier 1 and Tier 2 capital. The Common Equity Tier 1 capital must be at least 6%, while the Additional Tier 1 capital ratio must be 4.5%. In addition, banks must maintain a capital conservation buffer of 2.5% of Additional Tier 1 Capital.
Based on their ICAP and their Common Equity Tier 1 and Additional Tier 1 capital ratios, banks will be classified into different categories by the Commission. Such classification may trigger minimum corrective measures and additional special measures that banks must observe in order to improve their capitalisation. Such corrective measures can include the following:
Banks of Local Systemic Relevance
If the Commission determines that a particular bank's potential non-compliance with the obligations could pose a risk for the stability of the Mexican financial system, a payment system or the economy of the country, said bank will be classified as being of Local Systemic Relevance (Instituciones de Banca Múltiple de Importancia Sistémica Local). Local Systemic Relevance Banks will be classified within different degrees of systematic relevance and will be required to add to their capital conservation buffer an additional percentage of the aggregated risk-weighted assets based on the assigned degree of systematic relevance. This additional percentage will range from 0.60% to 2.25%.
Banks are required to establish risk management mechanisms that allow them to perform their activities with risk levels consistent with their regulatory capital, liquid assets and operational capabilities under normal, adverse and extreme conditions. For said purposes, risk management processes implemented by banks must maintain – both systematically and prospectively – the risk level of their principal transactions within their solvency, liquidity and financial feasibility limits, and their accordance with their desired risk profile. Banks must re-establish the risk level whenever a deviation occurs.
Banks classify their risks into the following three categories:
Banks are required to maintain a capitalisation structure that allows them to cover potential losses derived from all of the risks to which they are or may be exposed under different scenarios, including those in which adverse economic conditions prevail. For these purposes, banks are required to conduct annual stress tests to assess whether they have the necessary capital and to design and maintain a contingency plan (similar to living wills in other jurisdictions), which must be approved by the Commission.
The board of directors of the bank is responsible for approving the desired risk profile, the risk management framework, the risk exposure levels and the risk tolerance levels, as well as contingency plans (including the contingency financing plan). The board of directors is also responsible for overseeing that the bank has sufficient capital to cover all of its risk exposure.
The CEO is responsible for ensuring that the business units and the risk management department of the bank remain independent from each other at all times, and for co-ordinating the risk management programmes and duties.
The board of directors must create a risk committee to oversee that all transactions performed by the bank are made within the desired risk profile, the integral risk management framework and the risk exposure limits approved by the board.
Banks are required to calculate their Liquidity Coverage Ratio measured in accordance with the Basel III Agreement. The liquidity obligations of banks in Mexico are outlined by the Bank Liquidity Regulation Committee and implemented by the Commission and the Central Bank. The Commission is also responsible for overseeing compliance with the liquidity requirements applicable to Banks.
The Bank Liquidity Regulation Committee is responsible for dictating the guidelines for the establishment of the liquidity requirements of banks. Such guidelines have the purpose of ensuring that banks will be able to meet their payment obligations in different terms and under different scenarios, including under economically adverse conditions. This committee is integrated by high-level officers of the Ministry of Finance, the Central Bank and the Commission.
Banks must have a financial contingency plan as part of their risk management system, clearly setting out the strategies and policies to be observed and the procedures to follow if there are unexpected liquidity events or trouble liquidating assets. This financial contingency plan must be submitted annually to the Commission, which can subsequently order that changes and amendments are made to it.
If a bank does not comply with its liquidity obligations or determines that it will not comply with them in the future, it shall immediately notify the Commission thereof. In this case, the Commission may require the relevant bank to:
Furthermore, the Commission can impose additional measures on banks that have a Liquidity Coverage Ratio of less than 90%.
Banks in Mexico must have certain minimum levels of capital. Capital requirements concern both a minimum equity capital and regulatory capital amounts. Capitalisation is an important indicator of a bank’s financial health, a reduction of which, depending on its level, could:
Once a bank’s capitalisation index falls below 10.5%, said bank will be subject to minimal corrective measures or special additional corrective measures imposed by the Commission, depending on its actual level of capitalisation. Minimal corrective measures include:
Special additional corrective measures include hiring external auditors; refraining from increasing compensation and entering into certain types of transactions; substituting officers, directors and auditors; carrying out transactions to reduce exposure to risk; and amending deposit-taking policies.
A bank with capitalisation below 8% (but higher than 4.5%) may apply to continue as an ongoing business under a conditioned operation regime. To have access to the conditioned operation regime, the bank must:
The trust referred to above shall allow the Bank Savings Protection Institute to exercise economic and corporate rights of those shares in the following circumstances:
The trust will be terminated once the bank reaches and maintains the minimum required ICAP in three consecutive months. The bank must otherwise undergo a resolution process.
The resolution of a bank consists of the actions or procedures implemented by the financial authorities on a bank that is facing solvency or liquidity issues that affect its financial viability. These actions or procedures ensure a proper liquidation (or in certain exceptional cases its restoration) for the protection of depositors, the stability of the financial system and the proper functioning of payment systems.
Generally, a bank resolution process will conclude with the administrative or judicial liquidation of the bank. In exceptional cases, the bank will be rehabilitated. As a general rule, once the Commission has revoked the bank’s authorisation, the Bank Savings Protection Institute will determine whether the liquidation of the bank shall be either judicial or extrajudicial. If the Bank Stability Committee determines that a potential default in the bank’s obligation could trigger negative or adverse effects in other banks or financial institutions, compromising their stability or solvency and, as a consequence, the stability or solvency of the financial system or the proper functioning of payment systems, the resolution can be either through equity capital provided by the Bank Savings Protection Institute, provided that the bank applied for a conditioned operation regime, or through loans granted by the Institute if the bank did not.
In the case of supportive equity contributions, the Bank Savings Protection Institute will initiate the selling of a bank's shares – including those of its shareholders – following the rules set out in the Banking Law. If the Bank Savings Protection Institute provides a loan to the relevant bank, all of the shares issued by the bank will secure the loan until the shareholders of the bank subscribe and pay a capital increase to pay for said loan. If the shareholders do not make this contribution, the Bank Savings Protection Institute will automatically acquire the shares and will sell them thereafter in accordance with the rules set out in the Banking Law.
Liquidation of the Bank
The Bank Savings Protection Institute will act as the liquidator of the bank and will generally be responsible for terminating and concluding all pending business of the bank, including the settling of accounts and the disposition of rights and assets, with a goal to obtain the best price or conditions in connection therewith under strict transparency rules.
In doing the above, the Bank Savings Protection Institute can elect to proceed with the transfer of all or some of the assets and liabilities of the bank to another existing bank or to a bank created for such purposes by the Bank Savings Protection Institute, or to proceed with any other transaction that the Bank Savings Protection Institutes considers as the best option to protect the interests of depositors.
When making any of the foregoing decisions, the Bank Savings Protection Institute will ensure that the cost of any such decision is less than the total estimated cost of paying the deposit insurance over all insured deposits of the bank.
In all instances, the Bank Savings Protection Institute will ensure that all insured deposits are covered in the terms required by law to all depositors.
All actions of the authorities in the process of the resolution and liquidation of banks in Mexico are considered to be in the interests of public order and society. Claims against such actions do not subsequently carry the possibility of suspension. If a claim against such actions prevails, the claimant will only be entitled to the payment of damages and losses.
The required minimum equity capital of banks in Mexico varies, depending on the activities that each bank elects to include as part of its corporate purpose.
Permitted activities of banks are set out in Article 46 of the Banking Law (the Permitted Activities). Pursuant to said article, banks are authorised to:
(i) take cash deposits:
(a) on demand;
(b) returnable by a specified date;
(c) for saving purposes; and
(d) for a certain term or payable with prior advance notice;
(ii) take loans and credits;
(iii) issue bank notes and debentures;
(iv) issue subordinated obligations;
(v) make deposits to foreign banks and financial institutions;
(vi) enter into discount transactions and grant loans and credits;
(vii) issue credit cards based on revolving facilities;
(viii) assume obligations on behalf of third parties based on loans granted through acceptances, endorsements or guarantees of negotiable instruments, as well as through letters of credit;
(ix) perform transactions with securities;
(x) promote the organisation and transformation of all types of entities or companies, and subscribe and hold equity participations in them subject to the provisions of the Banking Law;
(xi) perform all transactions on its own behalf with any commercial documents;
(xii) perform transactions with gold, silver and foreign currencies, including any repurchase (reporto) transactions concerning foreign currencies;
(xiii) facilitate safety-deposit boxes;
(xiv) issue pre-funded letters of credit;
(xv) act as trustee;
(xvi) receive any deposits whether for administration, custody or guaranty on behalf of third parties of any negotiable instruments and shares and generally of all commercial documents;
(xvii) act as common representative of the holders of negotiable instruments;
(xviii) perform treasury and cashier services in respect of negotiable instruments on behalf of the issuers thereof;
(xix) perform the accounting and book-keeping for any companies or entities;
(xx) act as executor in inheritance procedures;
(xxi) act as receiver and liquidator of businesses, premises, bankruptcy and inheritance estates;
(xxii) perform appraisals;
(xxiii) acquire the necessary real estate assets and equipment for the accomplishment of their purpose and to manage such assets as deemed convenient;
(xxiv) enter into financial leasing transactions and to acquire the assets related to such transactions;
(xxv) enter into derivative transactions in accordance with the rules issued by the Central Bank for such purposes;
(xxvi) perform factoring activities;
(xxvii) issue any payment means determined by the Central Bank;
(xxviii) participate in the selling of insurance, subject to the applicable insurance laws; and
(xxix) engage in other similar or related activities authorised by the financial authorities.
In connection with the Permitted Activities, the Banking Law and the related provisions consider the following options:
Notwithstanding the differentiation of banks with respect to their minimum paid-in equity capital and the requirements regarding their permitted activities, all banks in Mexico – regardless of their size, footprint or business model – are subject to exactly the same set of financial, internal control, compliance and reporting regulations. An exception to this is the very specific set of measures imposed on systemically important banks (see 8.1 Capital, Liquidity and Related Risk Control Requirements).
Based on the foregoing, medium and smaller banks – and banks that specialise in a particular product or business – have for some time been requesting the creation of a differentiated regulatory regime that recognises their specialised business model, market and geographical presence. This would allow them to assume regulatory costs that are better aligned with their size and systemic relevance, allowing them to invest more resources in their specific products and consumers.
Despite the fact that this discussion has been taking place for numerous years, many key players in the financial market have been vocal about the issue and it is likely we will see an effort from both banks and the financial authorities (notably, the Commission) to achieve a differentiated regulatory framework among banks.
A differentiated regulatory framework will have a significant impact on the banking sector and, while it certainly presents a major challenge for authorities, it could foster the expansion and growth of small, medium and specialised banks.
The Mexican financial authorities have continued working towards creating an improved regulatory framework that addresses financial inclusion. This is one of the most urgent matters to address in Mexico, where a very low number of persons have access to financial services provided by duly licensed financial entities.
The efforts of the authorities in this respect have been and will continue to be focused on establishing adequate consumer protection mechanisms and financial education, while also providing for robust technology mechanisms to facilitate remote access and operations. Subsequently, the Mexican government has established a Financial Inclusion National Policy (Política Nacional de Inclusión Financiera). One of the Policy's objectives is to ensure that, by 2024, 77% of Mexicans are using at least one formal financial product from an authorised financial entity. In order to achieve this goal, the Mexican government recognises the need for the private, social and public sectors of its society to work together.
It is likely that regulators will act to ensure that the principles of the policy are implemented and that banks, as well as other financial entities, can develop new channels and products to increase the number of persons that have access to and use financial services and products.
A significant measure taken in this regard was the amendment of the Banking Law and the Mexican Federal Civil Code in March 2020, allowing individuals to open banking cash deposits and use the applicable funds from the age of 15 (the age of consent in Mexico is 18 years old), without the intervention of their parents or tutors. Nonetheless, those underage individuals shall not be able to get loans with a charge to the deposit accounts in analysis.
Another measure put in place to enhance financial inclusion is the simplification of the authorisation of banking correspondents. In Mexico, banks can provide financial services to the public via certain correspondents, who must be allowed to do so by the Commission. The amendments to the applicable regulation, issued in September 2021, consider the risk of the operations executed through the correspondent in order to determine the requirements that such correspondent must comply with in order to be authorised as such by the Commission. In that regard, there are low-risk operations like the payment of banking loans, taxes and services, which only require a notice to the Commission, and there are medium and high-risk correspondent services (eg, account opening) that require the authorisation of the Commission. This is an advance for the development of differentiated regulation between types of banks, as referred to above.
The Mexican financial authorities continue to work on addressing the impact of COVID-19. To this extent, both the Commission and the Central Bank have been implementing measures to promote the stability of the financial system, ensure that borrowers of banks and other financial intermediaries are afforded the best possible conditions to allow for the payment of their loans, and establish countercyclical measures in the economic downturn seen during 2020, and have publicly indicated that they will continue to implement such measures.
Such measures include the following:
In the short-term additional programmes, it is expected that borrowers can access a restructuring programme if they need to, and banks will be able to benefit from temporary exceptions to the regulatory framework to accommodate the restructuring or refinancing needs of their clients and customers.
Liquidity Requirements Applicable to Banks
In August 2021, the Commission and the Mexican Central Bank jointly issued the General Rules on Liquidity Requirements for Banks (Disposiciones de Carácter General sobre los requerimientos de liquidez para las Instituciones de Banca Múltiple), which will enter into force in March 2022.
These rules follow the guidelines issued by the Banking Liquidity Regulation Committee, which is integrated by the Secretary and Undersecretary of the Ministry of Finance and Public Credit, the president of the Commission, and the Governor and two deputy governors of the Mexican Central Bank. According to these regulations, banks must keep liquid assets of high credit quality to face liquidity needs and obligations for 30 days. Furthermore, the liabilities of the banks must have term and stability features related to the term and liquidity characteristics of the banks’ assets.
Such rules contemplate two ratios:
Banks must report their estimations of these ratios to the Central Bank.
These rules also contemplate scenarios where, depending on their liquidity (estimated by the Liquidity Coverage Ratio and the Net Stable Financing Ratio), banks can be subject to the following corrective measures:
Total Loss Absorbing Capacity
In June 2021, the Commission issued rules to comply with the requirements of Total Loss Absorbing Capacity (TLAC) for the Domestic Systemically Important Banks. These rules enable this specific type of bank to be resilient and have the ability to absorb losses and recapitalise itself, passing losses to investors and reducing the need for government bailouts. TLAC is in addition to the other regulatory capital required (for example, the ICAP), and, in order to comply with the international standard, it must be equal to at least 6.5% of risk-weighted assets.
The requirements to supplement the net capital of the banks shall be enforceable in December 2022, and banks must comply with the totality of this new requirement by December 2025.
Public Clarification of Who Can Provide Banking Services
In December 2020, the Commission issued two public clarifications stating that:
Increased Supervision of the Banking Sector
The Commission has shown increased interest in the adequate knowledge of the levels of capitalisation of the Mexican banking sector. In this regard, in September 2021, it revoked the authorisation to a banking institution in the country that had demonstrated deficient accounting practices and an insufficient ICAP pursuant to applicable regulation, as well as undue operations with related parties that further led to such reduction in the levels of the bank capital.
It is notable that, according to public information from the Commission, it had started reviewing the relevant bank’s capitalisation levels in March 2021, which demonstrates enhanced supervision in the Mexican banking sector.
As the revoked bank’s assets only represent 0.08% of the Mexican banking system, this does not constitute any systemic risk.
The Current Intersection of Banking, Technology and Regulation in Mexico
Technological developments in finance are on the increase in Mexico, which has a dynamic financial and banking sector.
This article will describe the specific trends and developments in the use of technology by Mexican banks, especially in connection with the applicable regulations in the country, analysing the following in particular:
These aspects are usually included in queries by non-Mexican investors interested in providing financial services (particularly banking services) in the country by using novel technologies.
Virtual Currencies and Banks in Mexico
The use of virtual currencies has increased consistently around the world. For example, according to the 3rd Global Cryptoasset Benchmarking Study published by the University of Cambridge in September 2020, there were 101 million crypto-asset users around the world in the third quarter of 2020, compared to 35 million in 2018. Aside from being used as investment instruments or means of payment, crypto-assets are now considered by some to be methods to bring down the user-borne costs of cross-border remittances or even to foster financial inclusion.
In this light, the Law to Regulate Financial Technologies Institutions (Ley para Regular las Instituciones de Tecnología Financiera – the Fintech Law) was published in the Mexican Federal Official Gazette on 9 March 2018. Pursuant to Article 1, one of the objectives of the law is to regulate certain financial services offered through innovative means. Article 30 of the Fintech Law defines virtual assets as the representation of value registered and transferred through electronic means only, which is used as the means of payment for all kinds of legal obligations. Furthermore, Article 88 of the Fintech Law provides that Mexican banks may conduct transactions with virtual assets, as specified by the regulation issued by the Mexican Central Bank.
This regulation was enacted as Rule 4/2019 (Circular 4/2019 Disposiciones de Carácter General aplicables a las Instituciones de Crédito e Instituciones de Tecnología Financiera en las operaciones que realicen con Activos Virtuales), and provides that banks operating in Mexico shall only conduct transactions with virtual assets in connection with internal operations – ie, those activities that banks undertake internally either to provide loans, take deposits and provide other services to clients, or on behalf of the bank itself, thereby effectively ruling out the possibility of banks conducting such transactions using virtual assets with clients.
This restriction on Mexican banks operating with virtual assets for the public reflects the rather conservative stance of the Mexican banking regulators (particularly the Mexican Banking and Securities Commission and the country’s Central Bank) with respect to this type of instrument, despite the overt interest of the shareholders of some high-profile banks in being able to offer operations with such assets to the clients of those financial entities.
Open Banking Regulations
Article 76 of the Fintech Law provides that financial entities operating in Mexico (including banks) must establish standardised application programming interfaces, which are connections between computers or computer programs, so that the following data is exchanged between those financial entities:
The model of open banking considered in the Mexican Fintech Law can enhance the user experience of financial services consumers and fulfil the needs of underserved groups, in line with the financial inclusion public policy efforts propelled by the Mexican government, serving objectives like the improvement of socioeconomic conditions, tackling financial crimes, and decreasing the informal and submerged economy of the country.
In that regard, the Mexican Banking and Securities Commission issued the General Rules related to the standardised application programming interfaces referred to in the Fintech Law (Disposiciones de Carácter General relativas a las interfaces de programación de aplicaciones informáticas estandarizadas a que hace referencia la Ley para Regular las Instituciones de Tecnología Financiera), published in the country’s Official Gazette on 4 June 2020. Such regulation refers only to open financial data (ie, information that does not relate to transactions of the financial services consumer, either aggregate or disaggregate) which, as explained above, does not pose any particular challenges or risks in terms of data protection for financial personal information, like being subject to a specific treatment under Mexican law.
In this regard, the President of the Mexican Banking and Securities Commission has expressly indicated that the authority is currently working to issue the particular regulation of standardised application programming interfaces used to exchange transactional data, focusing on security measures to protect the information in analysis.
Cybersecurity in the Mexican Banking Sector
According to the Working Paper published on 11 February 2020 by the Bank of International Settlements, titled "Operational and Cyber Risks in the Financial Sector" (authored by Aldasoro, Gambacorta, et al), “cyber losses are a small fraction of total operational losses, but can account for a significant share of total operational value-at-risk.”
In March 2021, the President of the Mexican Banking and Securities Commission mentioned in a speech that cyber-attacks against digital banking products are likely to grow in number. This remark is particularly important, as mobile banking accounts in Mexico have increased 21% in 2021 as compared to 2020. The Mexican banking regulation defines mobile banking as banking services provided through electronic means where a username is filled in on, and associated to, an access device (for example, a mobile phone).
Furthermore, multiple media outlets reported that the President of the Mexican Banking and Securities Commission also stated during the virtual ceremony for the Prize Citibanamex for Financial Education 2020, held on 11 August 2021, that mobile banking contracts quadrupled in the country between 2015 and 2020.
To diminish the impact of cyber-attacks, the Commission amended the General Rules applicable to Banks (Disposiciones de Carácter General aplicables a las Instituciones de Crédito), as published in the Mexican Official Gazette on 27 November 2018. This amendment included the following preventative measures:
Regarding cybersecurity and data protection, Mexican banking institutions face not only the challenge of correctly applying the relevant provisions of the General Rules applicable to Banks, as amended in November 2018, but also the need to spread awareness among financial consumers of the importance of following good preventative practices to avoid and mitigate possible data breaches that could affect people’s electronic devices and, hence, their personal information.
Together with the increasing adoption by Mexican financial authorities (eg, the Commission or the Central Bank) of technologies to conduct their supervision activities due to the current health situation in the country, all of this indicates that there is increasing acknowledgement of the fact that cybersecurity and personal financial data protection are truly shared and continuous efforts.
Remote Banking in Mexico
Throughout the Mexican financial sector, authorities have undertaken efforts to allow the remote provision of services and execution of contracts, and the banking sector has been at the forefront of those measures. For example, on 12 October 2020, the Mexican Banking and Securities Commission amended the General Rules applicable to Banks in order to allow legal entities to open bank accounts with the maximum level of transactionality in a remote fashion.
Such regulatory amendment further developed certain extraordinary measures adopted by the authorities on 21 June 2020, in order to ensure the provision of banking and financial services in Mexico throughout the COVID-19 pandemic. Before these extraordinary measures were put in place, only individuals could open bank accounts remotely.
In Mexico, banks have repeatedly proven their importance as the basis of the country’s financial system. The adoption of technology into their different business models is inevitable and poses interesting challenges from the legal perspective, among others. Therefore, it is important to be aware of the Mexican regulatory landscape, particularly heading towards the efforts of economic recuperation after the COVID-19 pandemic.