Banking Regulation 2022

Last Updated November 26, 2021

Mexico

Law and Practice

Authors



White & Case, S.C. is recognised for its market-leading presence in Mexico City. It offers highly specialised and integrated services to its clients, utilising critical insight earned over three decades of working on leading innovative transactions and resolving high-profile disputes, working from White & Case’s seamless global platform with 45 offices in 31 countries. The Financial Services Regulatory team comprises 19 lawyers with unparalleled experience, and provides comprehensive advice to the world’s leading financial institutions. It has extensive domestic and international experience in the authorisation process for the establishment, operation and M&A of financial institutions with substantial operations in Mexico., and in providing counsel on compliance with Mexican, US, Asian and European regulations and specialised financing transactions, for financial institutions and corporations operating within and outside Mexico. The practice gives advice to commercial and investment banks, broker-dealers and investment advisers, non-bank lenders, sovereign wealth funds and government-owned banks, and to emerging financial services providers, including fintechs and payment companies.

Principal Legal Framework

The principal laws governing the banking sector in Mexico are as follows:

  • the Banking Law (Ley de Instituciones de Crédito) sets forth the general framework governing banks (instituciones de crédito), including their incorporation and authorisation, governance, ownership, mergers, spin-offs, business activities, insolvency and resolution. It also establishes the scope of authority of the different governmental entities that regulate and supervise banks and their activities;
  • the General Law of Negotiable Instruments and Credit Transactions (Ley General de Títulos y Operaciones de Crédito) sets forth the legal framework governing negotiable instruments, such as promissory notes, cheques, other debt instruments, repurchase transactions, cash and security deposits, credit transactions (ie, loan facilities, revolving lines of credit and letters of credit), pledges, trusts, leases and factoring;
  • the Bank Savings Protection Law (Ley de Protección al Ahorro Bancario) governs the bank savings protection system;
  • the Financial Services User Protection and Defence Law (Ley de Protección y Defensa al Usuario de Servicios Financieros) sets forth the general framework for the protection and defence of financial service users;
  • the Mexican Central Bank Law (Ley del Banco de México) gives the country’s Central Bank powers to promote the healthy development of the financial system and to foster the proper functioning of payment systems;
  • the Mexican Banking and Securities Commission Law (Ley de la Comisión Nacional Bancaria y de Valores) provides the powers of said supervisory body subordinated to the Mexican Ministry of Finance (Secretaría de Hacienda y Crédito Público);
  • the Transparency and Financial Services Ordering Law (Ley para la Transparencia y Ordenamiento de los Servicios Financieros) provides for the adequate operation of card payments networks, as well as measures to avoid excessive commission fees to banking customers; and
  • the Payments Systems Law (Ley de Sistemas de Pagos) regulates some of the country’s high-value payment systems, including those managed by the Mexican Central Bank.

Although banks are heavily regulated, the most relevant regulations concerning their operations are as follows:

  • the general rules applicable to banks (Disposiciones de carácter general aplicables a las Instituciones de Crédito) issued by the National Banking and Securities Commission (the Commission), which set forth the capitalisation, internal control and reporting obligations of banks;
  • the different regulations issued by the Central Bank of Mexico, notably Circular 3/2012, which regulates the passive and active operations of banks, and Circular 1/2005, which sets forth the rules banks must follow in connection with trusts; and
  • the Anti-Money Laundering Rules (Disposiciones de carácter general a que se refiere el artículo 115 de la Ley de Instituciones de Crédito), which set forth the rules that must be followed by banks in connection with their knowledge and identification of clients and customers, reportable transactions and their anti-money laundering policies and procedures.

Principal Authorities

The principal authorities responsible for supervising banks in Mexico are:

  • the Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público), which is responsible for designing and conducting the policies of the Federal Government of Mexico on financial, tax, expenses, income and public debt. The Ministry of Finance, through its Financial Intelligence Unit (Unidad de Inteligencia Financiera), is in charge of regulating banks and other financial entities in connection with anti-money laundering matters (although compliance with these regulations is within the scope of authority of the Commission);
  • the Central Bank of Mexico (Banco de México), which, within its broad scope of authority as the central bank, is in charge of promoting the proper functioning of the financial and payment systems;
  • the Commission, which is in charge of regulating, inspecting and overseeing banks;
  • the National Commission for the Protection and Defence of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros), which is in charge of the protection and defence of users of the services provided by banks and other financial institutions; and
  • the Institute for the Protection of Bank Savings (Instituto para la Protección al Ahorro Bancario), which manages a deposit insurance available to account holders in case a bank becomes insolvent. The institute will act as the liquidator of banks in Mexico.

Authorisation Requirements

The organisation and operation of a bank in Mexico requires authorisation from the Commission. Prior to granting the authorisation, the Commission must have a favourable opinion of the Central Bank of Mexico with regards to the project. The granting of a bank authorisation is a discretionary authority of the Commission, and such authorisations are non-transferable.

Foreign banks are not allowed to provide banking and credit services through locally established branches, but rather need to establish a subsidiary.

Types of Authorisations

Outside of development banks, which are owned by the Federal Government, the Banking Law provides for two types of bank authorisations:

  • banks (instituciones de banca múltiple); and
  • affiliate banks (instituciones de banca múltiple filiales).

There are very minor differences between these two licences with regard to their corporate organisation, activities and regulation. However, the quantity of information required from the owners of an affiliate bank in the process of authorisation is significantly reduced. Affiliate banks are owned and controlled by a bank established in a foreign country that has entered into a treaty with Mexico. This treaty must contain a provision allowing for the establishment of affiliate banks.

Activities and Services Covered

Article 46 of the Banking Law sets forth a comprehensive list of activities that banks are allowed to perform (including active and passive transactions and financial services). Banks must include in their by-laws the list of activities that they intend to perform. The minimum equity capital requirement for each bank will depend on the activities included in its by-laws. Bank regulations establish three different predefined sets of permitted activities that banks can elect to include in their by-laws, as follows:

  • banks that perform all their permitted activities (Universal Banking), which have the largest minimum equity capital requirement;
  • banks that perform all traditional banking activities but do not perform any securities transactions on behalf of third parties or any non-banking services, and for which there is a lesser capital requirement; and
  • banks that only perform deposit and custody services for legal entities and qualified and institutional investors, investment banking, or the issuance of payment means for which there is an even lesser capital requirement.

Any other combination of permitted activities requires the bank to have the same minimum equity capital as that of the banks that elect to include all of the permitted activities in their by-laws.

The most significant restrictions for banks are the prohibition on acting as underwriters in public offerings of securities and the prohibition on issuing insurance policies.

Authorisation Process

The process of authorisation is carried out with the Commission and takes between nine and 12 months. Operations usually commence within 18–24 months after the project has started. The authorisation process involves the following stages:

  • the first stage requires general definitions of:
    1. the corporate structure of the bank, including the activities that it will perform;
    2. the business purposes and feasibility of the project; and
    3. the information technology strategy. Meetings with officers of the Commission are held at this stage, in which the project is presented;
  • in the second stage, the process involves the preparation of a preliminary filing of the application to the Commission. Generally, the application requires the following:
    1. detailed information concerning the direct and indirect shareholders, including financial and tax information and evidence of the licit source of the funds that will be invested in the bank;
    2. the shareholding structure;
    3. detailed information concerning the members of the board of directors, examiners (comisarios), CEO and the officers within the two hierarchical levels below the latter. The appointment of directors and officers will be subject to them passing professional, credit and criminal background checks;
    4. a business plan, a general operations plan and financial projections;
    5. a surety deposit equivalent to 10% of the equity capital of the bank, returned to the applicants upon the commencement of operations and incapable of accruing interest; and
    6. the filing fees of approximately USD2,500;
  • in the third stage, the application is officially filed with the Commission once the comments by the financial authorities are incorporated;
  • in the fourth stage, the authorities make final comments and the applicants make additional filings addressing them; and
  • in the fifth stage, the Commission issues the authorisation.

Thereafter, the bank has 90 days to approve the executed deed of its incorporation. Within 180 days of the approval of the deed of incorporation, the bank requests the Commission to authorise its commencement of operations. Such authorisation involves officers from the financial authorities visiting the bank to test its operations.

At this stage, the applicants must pay the Commission a fee of approximately USD39,500 for the issuance of the bank authorisation and a fee of approximately USD125,000 for the authorisation to commence operations.

After receiving the authorisation to commence operations, the bank may start doing business with the public.

The acquisition and transfer of the shares of a bank in Mexico are subject to the following rules and requirements:

  • acquisitions or sales of less than 2% of the common shares of a bank do not trigger any regulatory requirement;
  • the acquisition or transfer of between 2% and 5% of the common shares of the bank require the transferor and the acquirer to give notice to the Commission within three days of completing the transfer;
  • direct or indirect acquisitions of (or the creation of collateral over) between 5% and 20% of the common shares of a bank require prior authorisation from the Commission, which may be granted taking into consideration the opinion of the Mexican Central Bank. The Commission will perform a thorough business, financial and criminal background check on the applicants during the process of authorisation; and
  • the direct or indirect acquisition of 20% or more of the common shares, or the acquisition of control of a bank by a person or group of persons, requires prior authorisation from the Commission, as well as the prior favourable opinion of the Mexican Central Bank. The Commission will perform a thorough business, financial and criminal background check on the applicants during the process of authorisation and will review the information on the directors and officers that the applicants would intend to appoint, along with any changes that the applicants intend to make to the general operation plan and the internal control system of the bank.

Pursuant to the Banking Law, control over a bank is the ability to impose decisions at the shareholders’ meeting, directly or indirectly. This includes the authority to exercise the voting rights of more than 50% of the shares and the authority to direct the administration, strategy and principal policies of the bank, whether through the ownership of securities or through any other legal means.

In addition, the acquisition of shares or the control of a Mexican bank could require authorisation from the Federal Economic Competition Commission for antitrust matters. Likewise, the acquirer should consider the reporting and investment thresholds of the Securities Market Law (Ley del Mercado de Valores) if the shares of the bank are traded in a Mexican stock exchange.

Banks are not restricted from having foreign investors in their equity capital, but foreign governments are only allowed to participate, directly or indirectly, in the stated capital of banks in Mexico in the following circumstances:

  • if the investment is made pursuant to temporary financial relief programmes;
  • if the participation is indirect and does not represent a controlling interest of the bank; and
  • if the Commission, at its discretion, approves a participation that implies control over the bank, and is made through official legal entities such as funds and development governmental entities subject to:
    1. the investors proving they do not exercise authority functions; and
    2. its decision-making corporate bodies operating independently from the relevant foreign government.

Corporate Governance of a Bank

The board of directors is the principal corporate body in charge of the corporate governance of a bank in Mexico. The board of directors must be integrated by no fewer than five and no more than 15 statutory members, at least 25% of whom (rounded upwards) must be independent. Having independent board members is a concept of corporate governance that requires certain board members not to have any professional, business, commercial or family relationship with other directors, the shareholders or other stakeholders of the bank.

The number of officers of the bank that can form part of the board is limited to one third, as long as they are only either the CEO or officers within the two lower levels from the latter. For each statutory director, an alternate director can be appointed, in the understanding that the alternates of independent directors also qualify as independent directors. The board of directors is required to have a meeting at least every quarter and whenever necessary.

The board of directors is required to have certain committees with advisory duties. The bank must have at least an audit committee, a risk committee, a compensations committee (whose functions, subject to complying with certain requirements, may be performed by the risk committee), a communication and control committee (in charge of know-your-customer and anti-money laundering matters) and a related-party transactions committee.

These committees are auxiliary committees to the board of directors, and one or more of their members must be directors. In the case of an audit committee, all of its members must be directors and the majority of them, including the chairperson, must be independent.

The board of directors, at the audit committee’s proposal, is responsible for establishing the objectives and guidelines of the internal control system. The CEO is responsible for implementing the internal control system throughout the organisation. Once implemented, the audit committee is responsible for submitting the organisational chart, the code of conduct, the appointment of external auditors and the evaluation reports of the internal control system for the board’s approval.

The internal audit department, independent of the CEO, is responsible for reviewing the internal control system, both periodically and systematically, while reporting findings and implemented actions to the audit committee.

A bank's financial information and its control systems are reviewed annually by external auditors and comisarios. The latter are persons appointed by the shareholders’ meeting and are in charge of overseeing the performance of the board of directors in connection with the internal control system.

Directors of a bank in Mexico can only be appointed by the shareholders’ meeting. Pursuant to the Banking Law, all directors need to have technical capabilities, honourability, satisfactory business and credit history and ample financial, legal or administrative knowledge. Most directors of banks in Mexico must be local residents.

No person can act as director for two banks, or a financial group holding companies that own banks, at the same time. The director must inform the shareholders' meeting if he or she is the director of another financial entity.

Officers of a bank, including the CEO and all officers within the two hierarchy levels below the CEO, must be residents of Mexico with evidence of at least five years of previous professional experience in positions of high decision-making.

Authorisation Process

During the processes related to the authorisation of a new bank or to a change of control, the proposed directors, CEO and senior officers of the bank must submit predefined forms and letters for the consideration of the Commission, as well as supporting documentation showing:

  • their personal identification information and immediate family names and relationships;
  • their educational background;
  • their professional experience background;
  • their credit score reports;
  • their absence of criminal records; and
  • their taxpayer registration.

Each director and officer will need to sign a letter, addressed to the Commission, with representations as to their honourability and creditworthiness, authorising the Commission to verify all information provided with the corresponding national or foreign authorities.

The Commission has the right to request additional information as it deems convenient, and may approve or reject the proposed appointment at its discretion.

Ordinary Course

In the ordinary course of business, any appointments of directors or officers must be communicated to the Commission within five business days. In this case, it is the bank that must verify and ensure the compliance of the proposed director or officer with all of the requirements established by law.

The Commission can request the removal of any officer or director that does not comply with the applicable requirements. This can be either at the time of the appointment or at any time thereafter, and the Commission can ban such officers or directors from occupying any positions in the financial sector.

The bank must always open and update, at least annually, a file for each director and officer containing all the information and documentation meeting the applicable requirements.

Remuneration System

Banks must permanently implement, maintain and monitor a remuneration system consistent with effective risk management. The purpose of Mexico's banking remuneration system is to ensure that the ordinary and extraordinary remuneration of its employees, administrative departments, control and business areas and other employees takes into consideration the actual and potential risks related to the individual activities of such employees.

The remuneration system must consider all remuneration, whether in cash or otherwise. It forms part of the internal control system and is ultimately overseen by the board of directors, which is advised on these matters by the remuneration committee, chaired by an independent director.

Unusual remunerations that are determined by individual performance or that of a particular department must not consider exclusively the results of the financial year in which the transactions occurred but also the risks and results seen during a reasonably longer period of time. To this extent, performance reviews must be consistent with and based on results adjusted by present and future risks, liquidity, capital costs and other considerably appropriate variables.

The remuneration system must be flexible enough to allow the bank to reduce or suspend the payment of extraordinary remunerations whenever the bank faces losses or whenever the risk impacts are greater than expected.

A bank's remuneration system must be updated every year and must be made available to the public via its webpages. The information displayed must include a thorough description of the remuneration system, including qualitative and quantitative information and a mention of the actual remuneration amount paid during the relevant fiscal year, indicating if such remuneration was fixed or variable, paid or deferred, and in cash, stock, other equity instruments or otherwise.

AML/CFT Framework

The AML/CFT framework applicable to Mexico is founded on a risk-based approach. Mexican banks must assess their AML/CFT risks yearly, taking the following elements into consideration:

  • products and services;
  • clients (ie, individuals and entities with a sustained, contractual relationship with the bank) and users (ie, persons who do not have contractual agreements with the bank);
  • geographical areas in which the bank operates; and
  • transactional and operational channels.

Identification and Follow-Up of Counterparties

Another AML/CFT requirement for banks in Mexico is the conduct of due diligence and know-your-customer exercises. The scope and degree of these requirements depends on whether they are conducted on:

  • clients or users;
  • individuals, legal entities or trusts; and
  • Mexicans or non-Mexicans.

There are simplified due diligence measures available and exemptions to it according to the client’s risk of AML/CFT. There are banking account levels, which begin with reduced due diligence requirements, subject to lower transactional levels. The permitted transactional level of accounts increases along with the increase in the depth of due diligence requirements. This regulation aims to bolster financial inclusion in the country.

Before COVID-19, banks did not have the widespread ability to start a client relationship remotely. However, the Commission has recently enacted rules that allow banks to remotely execute operations and agreements as long as they verify certain biometric information of customers' IDs against the information in official records held by authorities like the National Electoral Institute (which issues the most commonly accepted photo identification in the country).

Regarding know-your-customer requirements, banks must regularly assess whether their clients have their identifications and documents updated and their transactional behaviour in order to determine the risk they entail to the financial institution.

Internal Structures

Banks must maintain internal structures, policies, controls and procedures against financial crime, including the following lines of defence:

  • a compliance officer, who serves as the link with the authorities (particularly the Commission and the Financial Intelligence Unit);
  • a communications and control committee, which oversees the correct implementation of the AML/CFT measures within the bank and decides whether an operation must be considered as a suspicious transaction;
  • an external or internal auditor; and
  • ultimately, the board of directors, which is responsible for establishing the general strategy in respect of AML/CFT matters.

Banks must have AML/CFT manuals and training in place, which are regularly shared with the Commission.

Reporting to Authorities

Banks are required to periodically file the following AML/CFT reports:

  • relevant operations reports, when identifying transactions of USD7,500 or more;
  • suspicious transactions reports;
  • internal operations reports, to be filed whenever a conduct or omission by a bank’s employee could be contrary to the AML/CFT framework;
  • reports of transactions with virtual currencies, as well as with US dollars in cash; and
  • reports about international transfers of funds and operations with cashier’s cheques.

All these reports have specific thresholds, deadlines and conditions when being filed for the Commission.

Dollar/Peso Exchange

Due to the risk of illicit activities between Mexico and the United States, Mexican authorities have implemented restrictions so that Mexican banks are usually restricted in receiving US dollars in cash, except when there is an economic rationale provided in the regulation – eg, receiving funds from legal entities with branches near the border.

The Bank Savings Protection Law (Ley de Protección al Ahorro Bancario) provides for the creation, organisation and functions of the Bank Savings Protection Institute, which is in charge of managing the savings protection fund.

Bank liabilities that are guaranteed by the Bank Savings Protection Institute are mainly on-demand and term deposits, savings accounts and revolving deposits associated with debit accounts, but only up to the amount of 400,000 inflation adjusted units (known as UDIs) per person – or legal entity – per bank (approximately USD139,000).

The deposit insurance to be provided by the Bank Savings Protection Institute to a bank’s depositors will be paid upon determination of the resolution of a bank. Upon payment, the Bank Savings Protection Institute acquires the claim of the depositor against the relevant bank. Any amount not paid by the Bank Savings Protection Institute can be claimed directly by the depositor from the relevant bank.

Obligations of banks in favour of financial entities, companies within the same financial group as the bank, shareholders, board members, the CEO and the officers within the immediately following hierarchy level, general managers and attorneys-in-fact of the bank are not insured by the Institute. In addition, the deposit insurance does not cover:

  • liabilities documented in negotiable instruments;
  • bearer notes;
  • transactions performed outside the applicable legal, regulatory and administrative framework;
  • bank liabilities that are not within standard banking customs and practice; and
  • any operation related to illegal acts or transactions.

The deposit insurance is exclusive to bank liabilities and, therefore, does not cover financial products such as mutual funds, insurance products and other liabilities of other financial entities, even if the bank acts as the distributor of such products.

Banks have the obligation to pay ordinary and extraordinary contributions to the Bank Savings Protection Institute as determined from time to time by the governing board thereof. All banks must make monthly ordinary contributions to the Bank Savings Protection Institute in an amount equal to the twelfth part of 0.004 of the bank’s deposits and certain other liabilities. Calculating the standard contribution amount is done by subtracting the following from the total account of each bank’s liabilities:

  • term debt instruments issued by other commercial banks;
  • loans to other commercial banks;
  • loans from the Bank Savings Protection Institute;
  • mandatorily convertible debentures issued by commercial banks; and
  • certain future operations.

The Bank Savings Protection Institute may also impose extraordinary contributions on banks, which may not exceed in any one year 0.003 of the deposits of the banks. Extraordinary contributions may be imposed by the Bank Savings Protection Institute when it does not have sufficient resources to satisfy its obligations, given the then-prevailing conditions of the Mexican banking system. Both ordinary and extraordinary contributions, in the aggregate, shall not exceed 0.008 of the liabilities of a bank on any one year.

Bank Secrecy Framework

Banks in Mexico are subject to very strict secrecy rules concerning their customers. Pursuant to the Banking Law, banks in Mexico may not provide any news or information on deposits, bank operations or services, including trusts, to the depositor, debtor, account holder, beneficiary, settlor or principal, their respective legal representatives, or the persons that have been legally authorised to withdraw from the relevant account or to be involved in the corresponding transaction or service.

This secrecy obligation is not related to the reporting obligations of banks with the Commission, the Central Bank, the Bank Savings Protection Institute and the regulators of Mexican banks.

This secrecy obligation will not be considered to have been breached by a bank when information is provided to judicial authorities pursuant to court-issued orders in judicial procedures in which the account holder, settler, beneficiary, trustee or agent is either a plaintiff or a defendant. Furthermore, banks will be exempted from their secrecy obligations and are consequently required to provide information requested by any of the following authorities, typically through the Commission:

  • the Federal Attorney General, local attorney generals or the Military Attorney General, for purposes of evidencing a fact constituting a felony or the probable responsibility of the defendant;
  • the federal tax authorities for tax purposes;
  • the Ministry of Finance and Public Credit for AML/CFT purposes;
  • the Federal Treasurer, for purposes of obtaining statements of account and any other information concerning the private accounts of public servants, other servants and private parties;
  • the federal comptrollership, in the exercise of its investigation and audit authority to verify the growth of assets of federal public servants;
  • the Superior Auditor of the Federation; and
  • the Federal Electoral Institute, in the exercise of its legal duties.

Information and documents provided by banks to the authorities in connection with these bank secrecy exemptions may only be used in the proceedings and for the purposes indicated in the relevant request. The persons that acquired knowledge of such information and documents are required to keep them strictly confidential, even if they cease to be public servants. Any breach of this obligation will subject the relevant person to the applicable administrative, civil or criminal responsibilities as provided by law.

In addition, the Banking Law expressly allows the Ministry of Finance and Public Credit, the Commission, the Bank Savings Protection Institute, the Central Bank and the National Commission for the Protection and Defence of the Users of Financial Services, within their respective scope of authority, to give foreign financial authorities any and all information acquired by said Mexican authorities in the performance of their functions. This is provided that the relevant Mexican authority and the relevant foreign financial authority have entered into reciprocity agreements.

Non-compliance

In any undue disclosure of bank secrets, the employees and officers of banks responsible for breaches of the secrecy rules and the relevant bank will be requiredto pay for the damages and lost profits caused by such breach.

In addition, non-compliance by a bank with the bank secrecy provisions set out in the Banking Law is considered a serious breach and can be sanctioned with fines imposed by the Commission, ranging from approximately USD130,000 to approximately USD435,000.

Capitalisation of Banks in Mexico

The Banking Law requires banks in Mexico to maintain a regulatory capital, expressed as an index (the capital adequacy ratio – ICAP), which shall in no case be less than the sum of the capital requirements associated with (i) market, credit, operational and other risks incurred by banks in their operation; and (ii) their ratio of assets to liabilities.

The Commission, along with other financial authorities in Mexico, has implemented regulations in order to strengthen the composition of the net capital of banks in a manner consistent with the guidelines set forth in the Capital Agreement issued by the Basel Banking Supervision Committee (Basel III Agreement).

Banks in Mexico are required to maintain a minimum capitalisation index, or ICAP, of 8%. The regulatory capital is comprised of Tier 1 and Tier 2 capital. The Common Equity Tier 1 capital must be at least 6%, while the Additional Tier 1 capital ratio must be 4.5%. In addition, banks must maintain a capital conservation buffer of 2.5% of Additional Tier 1 Capital.

Based on their ICAP and their Common Equity Tier 1 and Additional Tier 1 capital ratios, banks will be classified into different categories by the Commission. Such classification may trigger minimum corrective measures and additional special measures that banks must observe in order to improve their capitalisation. Such corrective measures can include the following:

  • restrictions on the payment of dividends and other distributions to the shareholders of the bank, and on extraordinary remuneration for the employees and directors of the bank; and
  • a requirement to file a capital conservation plan or a capital restructure plan for banks that are classified within Category III or lower.

Banks of Local Systemic Relevance

If the Commission determines that a particular bank's potential non-compliance with the obligations could pose a risk for the stability of the Mexican financial system, a payment system or the economy of the country, said bank will be classified as being of Local Systemic Relevance (Instituciones de Banca Múltiple de Importancia Sistémica Local). Local Systemic Relevance Banks will be classified within different degrees of systematic relevance and will be required to add to their capital conservation buffer an additional percentage of the aggregated risk-weighted assets based on the assigned degree of systematic relevance. This additional percentage will range from 0.60% to 2.25%.

Risk Management

Banks are required to establish risk management mechanisms that allow them to perform their activities with risk levels consistent with their regulatory capital, liquid assets and operational capabilities under normal, adverse and extreme conditions. For said purposes, risk management processes implemented by banks must maintain – both systematically and prospectively – the risk level of their principal transactions within their solvency, liquidity and financial feasibility limits, and their accordance with their desired risk profile. Banks must re-establish the risk level whenever a deviation occurs.

Banks classify their risks into the following three categories:

  • quantifiable risks: credit liquidity, market and concentration risks;
  • discretionary risks: technology and legal risks; and
  • non-quantifiable risks: strategic, business and reputational risks.

Banks are required to maintain a capitalisation structure that allows them to cover potential losses derived from all of the risks to which they are or may be exposed under different scenarios, including those in which adverse economic conditions prevail. For these purposes, banks are required to conduct annual stress tests to assess whether they have the necessary capital and to design and maintain a contingency plan (similar to living wills in other jurisdictions), which must be approved by the Commission.

Risk Structures

The board of directors of the bank is responsible for approving the desired risk profile, the risk management framework, the risk exposure levels and the risk tolerance levels, as well as contingency plans (including the contingency financing plan). The board of directors is also responsible for overseeing that the bank has sufficient capital to cover all of its risk exposure.

The CEO is responsible for ensuring that the business units and the risk management department of the bank remain independent from each other at all times, and for co-ordinating the risk management programmes and duties.

The board of directors must create a risk committee to oversee that all transactions performed by the bank are made within the desired risk profile, the integral risk management framework and the risk exposure limits approved by the board.

Liquidity

Banks are required to calculate their Liquidity Coverage Ratio measured in accordance with the Basel III Agreement. The liquidity obligations of banks in Mexico are outlined by the Bank Liquidity Regulation Committee and implemented by the Commission and the Central Bank. The Commission is also responsible for overseeing compliance with the liquidity requirements applicable to Banks.

The Bank Liquidity Regulation Committee is responsible for dictating the guidelines for the establishment of the liquidity requirements of banks. Such guidelines have the purpose of ensuring that banks will be able to meet their payment obligations in different terms and under different scenarios, including under economically adverse conditions. This committee is integrated by high-level officers of the Ministry of Finance, the Central Bank and the Commission.

Banks must have a financial contingency plan as part of their risk management system, clearly setting out the strategies and policies to be observed and the procedures to follow if there are unexpected liquidity events or trouble liquidating assets. This financial contingency plan must be submitted annually to the Commission, which can subsequently order that changes and amendments are made to it.

If a bank does not comply with its liquidity obligations or determines that it will not comply with them in the future, it shall immediately notify the Commission thereof. In this case, the Commission may require the relevant bank to:

  • inform the Commission and the Central Bank of the causes for such non-compliance;
  • inform its board of directors of its liquidity condition and the causes for any instances of non-compliance;
  • submit a liquidity restoration plan for the consideration of the Commission;
  • suspend distributions (including dividends) to its shareholders; and
  • implement other measures ordered by the Commission.

Furthermore, the Commission can impose additional measures on banks that have a Liquidity Coverage Ratio of less than 90%.

Banks in Mexico must have certain minimum levels of capital. Capital requirements concern both a minimum equity capital and regulatory capital amounts. Capitalisation is an important indicator of a bank’s financial health, a reduction of which, depending on its level, could:

  • trigger “early warnings”;
  • entitle the bank to apply for a conditioned operation regime; or
  • subject the bank to a resolution process.

Once a bank’s capitalisation index falls below 10.5%, said bank will be subject to minimal corrective measures or special additional corrective measures imposed by the Commission, depending on its actual level of capitalisation. Minimal corrective measures include:

  • notifying the board of directors;
  • submitting a recapitalisation programme to the Commission;
  • suspending the payment of dividends, interest on hybrid instruments and bonuses; and
  • refraining from making capital investments.

Special additional corrective measures include hiring external auditors; refraining from increasing compensation and entering into certain types of transactions; substituting officers, directors and auditors; carrying out transactions to reduce exposure to risk; and amending deposit-taking policies.

A bank with capitalisation below 8% (but higher than 4.5%) may apply to continue as an ongoing business under a conditioned operation regime. To have access to the conditioned operation regime, the bank must:

  • file an application with the Commission;
  • cause at least 75% of its shares to be placed in a trust; and
  • prepare and submit a recapitalisation plan.

The trust referred to above shall allow the Bank Savings Protection Institute to exercise economic and corporate rights of those shares in the following circumstances:

  • if the Commission rejects the recapitalisation plan;
  • if the Commission determines that the bank has not complied with the approved recapitalisation plan;
  • if the bank’s ICAP falls to or below 4.5%; or
  • if the bank does not comply with one minimum corrective measure, or fails to comply with its payment obligations.

The trust will be terminated once the bank reaches and maintains the minimum required ICAP in three consecutive months. The bank must otherwise undergo a resolution process.

Bank Resolutions

The resolution of a bank consists of the actions or procedures implemented by the financial authorities on a bank that is facing solvency or liquidity issues that affect its financial viability. These actions or procedures ensure a proper liquidation (or in certain exceptional cases its restoration) for the protection of depositors, the stability of the financial system and the proper functioning of payment systems.

Generally, a bank resolution process will conclude with the administrative or judicial liquidation of the bank. In exceptional cases, the bank will be rehabilitated. As a general rule, once the Commission has revoked the bank’s authorisation, the Bank Savings Protection Institute will determine whether the liquidation of the bank shall be either judicial or extrajudicial. If the Bank Stability Committee determines that a potential default in the bank’s obligation could trigger negative or adverse effects in other banks or financial institutions, compromising their stability or solvency and, as a consequence, the stability or solvency of the financial system or the proper functioning of payment systems, the resolution can be either through equity capital provided by the Bank Savings Protection Institute, provided that the bank applied for a conditioned operation regime, or through loans granted by the Institute if the bank did not.

In the case of supportive equity contributions, the Bank Savings Protection Institute will initiate the selling of a bank's shares – including those of its shareholders – following the rules set out in the Banking Law. If the Bank Savings Protection Institute provides a loan to the relevant bank, all of the shares issued by the bank will secure the loan until the shareholders of the bank subscribe and pay a capital increase to pay for said loan. If the shareholders do not make this contribution, the Bank Savings Protection Institute will automatically acquire the shares and will sell them thereafter in accordance with the rules set out in the Banking Law.

Liquidation of the Bank

The Bank Savings Protection Institute will act as the liquidator of the bank and will generally be responsible for terminating and concluding all pending business of the bank, including the settling of accounts and the disposition of rights and assets, with a goal to obtain the best price or conditions in connection therewith under strict transparency rules.

In doing the above, the Bank Savings Protection Institute can elect to proceed with the transfer of all or some of the assets and liabilities of the bank to another existing bank or to a bank created for such purposes by the Bank Savings Protection Institute, or to proceed with any other transaction that the Bank Savings Protection Institutes considers as the best option to protect the interests of depositors.

When making any of the foregoing decisions, the Bank Savings Protection Institute will ensure that the cost of any such decision is less than the total estimated cost of paying the deposit insurance over all insured deposits of the bank.

In all instances, the Bank Savings Protection Institute will ensure that all insured deposits are covered in the terms required by law to all depositors.

Claims

All actions of the authorities in the process of the resolution and liquidation of banks in Mexico are considered to be in the interests of public order and society. Claims against such actions do not subsequently carry the possibility of suspension. If a claim against such actions prevails, the claimant will only be entitled to the payment of damages and losses.

Differentiated Regulation

The required minimum equity capital of banks in Mexico varies, depending on the activities that each bank elects to include as part of its corporate purpose.

Permitted activities of banks are set out in Article 46 of the Banking Law (the Permitted Activities). Pursuant to said article, banks are authorised to:

(i) take cash deposits:

(a) on demand;

(b) returnable by a specified date;

(c) for saving purposes; and

(d) for a certain term or payable with prior advance notice;

(ii) take loans and credits;

(iii) issue bank notes and debentures;

(iv) issue subordinated obligations;

(v) make deposits to foreign banks and financial institutions;

(vi) enter into discount transactions and grant loans and credits;

(vii) issue credit cards based on revolving facilities;

(viii) assume obligations on behalf of third parties based on loans granted through acceptances, endorsements or guarantees of negotiable instruments, as well as through letters of credit;

(ix) perform transactions with securities;

(x) promote the organisation and transformation of all types of entities or companies, and subscribe and hold equity participations in them subject to the provisions of the Banking Law;

(xi) perform all transactions on its own behalf with any commercial documents;

(xii) perform transactions with gold, silver and foreign currencies, including any repurchase (reporto) transactions concerning foreign currencies;

(xiii) facilitate safety-deposit boxes;

(xiv) issue pre-funded letters of credit;

(xv) act as trustee;

(xvi) receive any deposits whether for administration, custody or guaranty on behalf of third parties of any negotiable instruments and shares and generally of all commercial documents;

(xvii) act as common representative of the holders of negotiable instruments;

(xviii) perform treasury and cashier services in respect of negotiable instruments on behalf of the issuers thereof;

(xix) perform the accounting and book-keeping for any companies or entities;

(xx) act as executor in inheritance procedures;

(xxi) act as receiver and liquidator of businesses, premises, bankruptcy and inheritance estates;

(xxii) perform appraisals;

(xxiii) acquire the necessary real estate assets and equipment for the accomplishment of their purpose and to manage such assets as deemed convenient;

(xxiv) enter into financial leasing transactions and to acquire the assets related to such transactions;

(xxv) enter into derivative transactions in accordance with the rules issued by the Central Bank for such purposes;

(xxvi) perform factoring activities;

(xxvii) issue any payment means determined by the Central Bank;

(xxviii) participate in the selling of insurance, subject to the applicable insurance laws; and

(xxix) engage in other similar or related activities authorised by the financial authorities.

In connection with the Permitted Activities, the Banking Law and the related provisions consider the following options:

  • banks that expressly include in their by-laws the performance of all of the Permitted Activities must have a minimum paid-in equity capital of 90 million UDIs (approximately USD30 million);
  • banks that elect to include in their by-laws only those Permitted Activities identified in items (i), (ii), (iii), (iv), (v), (vi), (vii), (viii), (xi), (xxiii), (xxiv), (xxv) and (xxvi), as a predefined set of Permitted Activities, must have a minimum paid-in equity capital of 54 million UDIs (approximately USD18 million). These banks may also elect to include one or more of the following Permitted Activities: (ix), but only for its own account and not for the account of third parties, (x), (xii), (xiv), (xv), (xvi), (xxii) and, when intended only for the achievement of its corporate purpose, (xxix);
  • banks that elect any of the following predefined sets of Permitted Activities must have a minimum paid-in equity capital of 36 million UDIs (approximately USD12 million):
    1. Permitted Activities (i), (ii), (iv) and (xvi) but exclusively from and with qualified and institutional investors and legal entities;
    2. Permitted Activities (v), (ix), (x), (xi), (xii), (xv), (xvii), (xviii), (xix), (xx), (xxi), (xxii), (xxiii) and, when necessary for the accomplishment of their corporate purpose, (xviii);
    3. Permitted Activities (i)(a), (ii), (v), (vi), but only in respect of the granting of loans and exclusively for transactions entered into with other banks, (ix), but limited to sovereign or bank bonds acting for its own account and not for the benefit of third parties, (xi), (xii), but limited only to foreign currencies, (xxiii), and (xxvii) and (xxviii) only for purposes of achieving its corporate purposes; and
  • banks that elect any other combination or election of Permitted Activities will need to have a paid-in equity capital of 90 million UDIs (approximately USD30 million).

Notwithstanding the differentiation of banks with respect to their minimum paid-in equity capital and the requirements regarding their permitted activities, all banks in Mexico – regardless of their size, footprint or business model – are subject to exactly the same set of financial, internal control, compliance and reporting regulations. An exception to this is the very specific set of measures imposed on systemically important banks (see 8.1 Capital, Liquidity and Related Risk Control Requirements).

Based on the foregoing, medium and smaller banks – and banks that specialise in a particular product or business – have for some time been requesting the creation of a differentiated regulatory regime that recognises their specialised business model, market and geographical presence. This would allow them to assume regulatory costs that are better aligned with their size and systemic relevance, allowing them to invest more resources in their specific products and consumers.

Despite the fact that this discussion has been taking place for numerous years, many key players in the financial market have been vocal about the issue and it is likely we will see an effort from both banks and the financial authorities (notably, the Commission) to achieve a differentiated regulatory framework among banks.

A differentiated regulatory framework will have a significant impact on the banking sector and, while it certainly presents a major challenge for authorities, it could foster the expansion and growth of small, medium and specialised banks.

Financial Inclusion

The Mexican financial authorities have continued working towards creating an improved regulatory framework that addresses financial inclusion. This is one of the most urgent matters to address in Mexico, where a very low number of persons have access to financial services provided by duly licensed financial entities.

The efforts of the authorities in this respect have been and will continue to be focused on establishing adequate consumer protection mechanisms and financial education, while also providing for robust technology mechanisms to facilitate remote access and operations. Subsequently, the Mexican government has established a Financial Inclusion National Policy (Política Nacional de Inclusión Financiera). One of the Policy's objectives is to ensure that, by 2024, 77% of Mexicans are using at least one formal financial product from an authorised financial entity. In order to achieve this goal, the Mexican government recognises the need for the private, social and public sectors of its society to work together.

It is likely that regulators will act to ensure that the principles of the policy are implemented and that banks, as well as other financial entities, can develop new channels and products to increase the number of persons that have access to and use financial services and products.

A significant measure taken in this regard was the amendment of the Banking Law and the Mexican Federal Civil Code in March 2020, allowing individuals to open banking cash deposits and use the applicable funds from the age of 15 (the age of consent in Mexico is 18 years old), without the intervention of their parents or tutors. Nonetheless, those underage individuals shall not be able to get loans with a charge to the deposit accounts in analysis.

Another measure put in place to enhance financial inclusion is the simplification of the authorisation of banking correspondents. In Mexico, banks can provide financial services to the public via certain correspondents, who must be allowed to do so by the Commission. The amendments to the applicable regulation, issued in September 2021, consider the risk of the operations executed through the correspondent in order to determine the requirements that such correspondent must comply with in order to be authorised as such by the Commission. In that regard, there are low-risk operations like the payment of banking loans, taxes and services, which only require a notice to the Commission, and there are medium and high-risk correspondent services (eg, account opening) that require the authorisation of the Commission. This is an advance for the development of differentiated regulation between types of banks, as referred to above.

COVID-19

The Mexican financial authorities continue to work on addressing the impact of COVID-19. To this extent, both the Commission and the Central Bank have been implementing measures to promote the stability of the financial system, ensure that borrowers of banks and other financial intermediaries are afforded the best possible conditions to allow for the payment of their loans, and establish countercyclical measures in the economic downturn seen during 2020, and have publicly indicated that they will continue to implement such measures.

Such measures include the following:

  • establishing special accounting standards for banks to implement restructuring programmes without having to create additional reserves;
  • allowing for the deferral of payments of principal or interest for up to six months;
  • creating new regulatory mechanisms to channel funds to lending activities for micro, small and medium enterprises;
  • allowing for the remote opening of bank accounts by legal entities without any restrictions to their transaction levels; and
  • granting exceptions to banks to charge and collect minimum payments under revolving lines of credit associated with credit cards.

In the short-term additional programmes, it is expected that borrowers can access a restructuring programme if they need to, and banks will be able to benefit from temporary exceptions to the regulatory framework to accommodate the restructuring or refinancing needs of their clients and customers.

Liquidity Requirements Applicable to Banks

In August 2021, the Commission and the Mexican Central Bank jointly issued the General Rules on Liquidity Requirements for Banks (Disposiciones de Carácter General sobre los requerimientos de liquidez para las Instituciones de Banca Múltiple), which will enter into force in March 2022.

These rules follow the guidelines issued by the Banking Liquidity Regulation Committee, which is integrated by the Secretary and Undersecretary of the Ministry of Finance and Public Credit, the president of the Commission, and the Governor and two deputy governors of the Mexican Central Bank. According to these regulations, banks must keep liquid assets of high credit quality to face liquidity needs and obligations for 30 days. Furthermore, the liabilities of the banks must have term and stability features related to the term and liquidity characteristics of the banks’ assets.

Such rules contemplate two ratios:

  • the Liquidity Coverage Ratio, which results from dividing specific liquid assets by the total net cash flows of the bank, in terms of Basel III; and
  • the Net Stable Financing Ratio, which is the proportion of resources (either own or borrowed) that can actually be available to the banks, vis-à-vis those that are required (depending on elements such as terms and liquidity of assets and positions) by the institutions, throughout the year.

Banks must report their estimations of these ratios to the Central Bank.

These rules also contemplate scenarios where, depending on their liquidity (estimated by the Liquidity Coverage Ratio and the Net Stable Financing Ratio), banks can be subject to the following corrective measures:

  • filing reports on their liquidity situation to the board of directors, and to the Commission and the Central Bank;
  • refraining from operations that may affect the bank’s liquidity;
  • filing before the Commission a liquidity restauration plan, which must be previously approved by the Mexican Central Bank; and
  • suspending payments of dividends to shareholders of the banks.

Total Loss Absorbing Capacity

In June 2021, the Commission issued rules to comply with the requirements of Total Loss Absorbing Capacity (TLAC) for the Domestic Systemically Important Banks. These rules enable this specific type of bank to be resilient and have the ability to absorb losses and recapitalise itself, passing losses to investors and reducing the need for government bailouts. TLAC is in addition to the other regulatory capital required (for example, the ICAP), and, in order to comply with the international standard, it must be equal to at least 6.5% of risk-weighted assets.

The requirements to supplement the net capital of the banks shall be enforceable in December 2022, and banks must comply with the totality of this new requirement by December 2025.

Public Clarification of Who Can Provide Banking Services

In December 2020, the Commission issued two public clarifications stating that:

  • entities who have not been duly authorised (eg, as banks or their correspondents) cannot offer banking services – if they do so, they shall face the sanctions according to applicable law; and
  • the public must consult the public register of the Commission, which includes those entities authorised to provide banking services, before executing contracts, operations or transactions with legal entities, particularly through technological means.

Increased Supervision of the Banking Sector

The Commission has shown increased interest in the adequate knowledge of the levels of capitalisation of the Mexican banking sector. In this regard, in September 2021, it revoked the authorisation to a banking institution in the country that had demonstrated deficient accounting practices and an insufficient ICAP pursuant to applicable regulation, as well as undue operations with related parties that further led to such reduction in the levels of the bank capital.

It is notable that, according to public information from the Commission, it had started reviewing the relevant bank’s capitalisation levels in March 2021, which demonstrates enhanced supervision in the Mexican banking sector.

As the revoked bank’s assets only represent 0.08% of the Mexican banking system, this does not constitute any systemic risk.

White & Case, S.C.

Torre del Bosque – PH
Blvd. Manuel Ávila Camacho #24
Col. Lomas de Chapultepec
11000 Ciudad de México
Mexico

+52 55 55 40 96 00

+52 55 55 40 96 99

whitecasemexico@whitecase.com www.whitecase.com
Author Business Card

Trends and Developments


Authors



White & Case, S.C. is recognised for its market-leading presence in Mexico City. It offers highly specialised and integrated services to its clients, utilising critical insight earned over three decades of working on leading innovative transactions and resolving high-profile disputes, working from White & Case’s seamless global platform with 45 offices in 31 countries. The Financial Services Regulatory team comprises 19 lawyers with unparalleled experience, and provides comprehensive advice to the world’s leading financial institutions. It has extensive domestic and international experience in the authorisation process for the establishment, operation and M&A of financial institutions with substantial operations in Mexico., and in providing counsel on compliance with Mexican, US, Asian and European regulations and specialised financing transactions, for financial institutions and corporations operating within and outside Mexico. The practice gives advice to commercial and investment banks, broker-dealers and investment advisers, non-bank lenders, sovereign wealth funds and government-owned banks, and to emerging financial services providers, including fintechs and payment companies.

The Current Intersection of Banking, Technology and Regulation in Mexico

Technological developments in finance are on the increase in Mexico, which has a dynamic financial and banking sector.

This article will describe the specific trends and developments in the use of technology by Mexican banks, especially in connection with the applicable regulations in the country, analysing the following in particular:

  • virtual currencies and their connection with banks in Mexico;
  • open banking regulatory reforms;
  • cybersecurity challenges; and
  • the possibility for banks to open accounts and execute contracts remotely.

These aspects are usually included in queries by non-Mexican investors interested in providing financial services (particularly banking services) in the country by using novel technologies.

Virtual Currencies and Banks in Mexico

The use of virtual currencies has increased consistently around the world. For example, according to the 3rd Global Cryptoasset Benchmarking Study published by the University of Cambridge in September 2020, there were 101 million crypto-asset users around the world in the third quarter of 2020, compared to 35 million in 2018. Aside from being used as investment instruments or means of payment, crypto-assets are now considered by some to be methods to bring down the user-borne costs of cross-border remittances or even to foster financial inclusion.

In this light, the Law to Regulate Financial Technologies Institutions (Ley para Regular las Instituciones de Tecnología Financiera – the Fintech Law) was published in the Mexican Federal Official Gazette on 9 March 2018. Pursuant to Article 1, one of the objectives of the law is to regulate certain financial services offered through innovative means. Article 30 of the Fintech Law defines virtual assets as the representation of value registered and transferred through electronic means only, which is used as the means of payment for all kinds of legal obligations. Furthermore, Article 88 of the Fintech Law provides that Mexican banks may conduct transactions with virtual assets, as specified by the regulation issued by the Mexican Central Bank.

This regulation was enacted as Rule 4/2019 (Circular 4/2019 Disposiciones de Carácter General aplicables a las Instituciones de Crédito e Instituciones de Tecnología Financiera en las operaciones que realicen con Activos Virtuales), and provides that banks operating in Mexico shall only conduct transactions with virtual assets in connection with internal operations – ie, those activities that banks undertake internally either to provide loans, take deposits and provide other services to clients, or on behalf of the bank itself, thereby effectively ruling out the possibility of banks conducting such transactions using virtual assets with clients.

This restriction on Mexican banks operating with virtual assets for the public reflects the rather conservative stance of the Mexican banking regulators (particularly the Mexican Banking and Securities Commission and the country’s Central Bank) with respect to this type of instrument, despite the overt interest of the shareholders of some high-profile banks in being able to offer operations with such assets to the clients of those financial entities.

Open Banking Regulations

Article 76 of the Fintech Law provides that financial entities operating in Mexico (including banks) must establish standardised application programming interfaces, which are connections between computers or computer programs, so that the following data is exchanged between those financial entities:

  • open financial data, which is financial information that does not include confidential information, such as the description of products and services offered to the public, the location of offices and branches, etc;
  • aggregate data, which is related to statistical information on transactions but does not allow the identification of personal data. Nonetheless, this information can only be accessed by entities that fulfil specific authentication mechanisms pursuant to the regulation issued by the Mexican Banking and Securities Commission; and
  • transactional data, which consists of specific information on products used by the clients of the financial entities (including banks), where the identity of the client can be known and, therefore, is subject to specific personal data processing rules which require, among other things, the consent of the dataholder, according to the Mexican Federal Law for the Protection of Personal Data Held by Non-Governmental Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

The model of open banking considered in the Mexican Fintech Law can enhance the user experience of financial services consumers and fulfil the needs of underserved groups, in line with the financial inclusion public policy efforts propelled by the Mexican government, serving objectives like the improvement of socioeconomic conditions, tackling financial crimes, and decreasing the informal and submerged economy of the country.

In that regard, the Mexican Banking and Securities Commission issued the General Rules related to the standardised application programming interfaces referred to in the Fintech Law (Disposiciones de Carácter General relativas a las interfaces de programación de aplicaciones informáticas estandarizadas a que hace referencia la Ley para Regular las Instituciones de Tecnología Financiera), published in the country’s Official Gazette on 4 June 2020. Such regulation refers only to open financial data (ie, information that does not relate to transactions of the financial services consumer, either aggregate or disaggregate) which, as explained above, does not pose any particular challenges or risks in terms of data protection for financial personal information, like being subject to a specific treatment under Mexican law.

In this regard, the President of the Mexican Banking and Securities Commission has expressly indicated that the authority is currently working to issue the particular regulation of standardised application programming interfaces used to exchange transactional data, focusing on security measures to protect the information in analysis.

Cybersecurity in the Mexican Banking Sector

According to the Working Paper published on 11 February 2020 by the Bank of International Settlements, titled "Operational and Cyber Risks in the Financial Sector" (authored by Aldasoro, Gambacorta, et al), “cyber losses are a small fraction of total operational losses, but can account for a significant share of total operational value-at-risk.”

In March 2021, the President of the Mexican Banking and Securities Commission mentioned in a speech that cyber-attacks against digital banking products are likely to grow in number. This remark is particularly important, as mobile banking accounts in Mexico have increased 21% in 2021 as compared to 2020. The Mexican banking regulation defines mobile banking as banking services provided through electronic means where a username is filled in on, and associated to, an access device (for example, a mobile phone).

Furthermore, multiple media outlets reported that the President of the Mexican Banking and Securities Commission also stated during the virtual ceremony for the Prize Citibanamex for Financial Education 2020, held on 11 August 2021, that mobile banking contracts quadrupled in the country between 2015 and 2020.

To diminish the impact of cyber-attacks, the Commission amended the General Rules applicable to Banks (Disposiciones de Carácter General aplicables a las Instituciones de Crédito), as published in the Mexican Official Gazette on 27 November 2018. This amendment included the following preventative measures:

  • banks must appoint a Chief Information Security Officer, who is one of the corporate officers and governance mechanisms responsible for the cybersecurity of the relevant financial entity; and
  • banks must hire external third-party technological services providers to conduct penetration tests on their systems, so that they are able to take any preventative information technology measures, as needed.

Regarding cybersecurity and data protection, Mexican banking institutions face not only the challenge of correctly applying the relevant provisions of the General Rules applicable to Banks, as amended in November 2018, but also the need to spread awareness among financial consumers of the importance of following good preventative practices to avoid and mitigate possible data breaches that could affect people’s electronic devices and, hence, their personal information.

Together with the increasing adoption by Mexican financial authorities (eg, the Commission or the Central Bank) of technologies to conduct their supervision activities due to the current health situation in the country, all of this indicates that there is increasing acknowledgement of the fact that cybersecurity and personal financial data protection are truly shared and continuous efforts.

Remote Banking in Mexico

Throughout the Mexican financial sector, authorities have undertaken efforts to allow the remote provision of services and execution of contracts, and the banking sector has been at the forefront of those measures. For example, on 12 October 2020, the Mexican Banking and Securities Commission amended the General Rules applicable to Banks in order to allow legal entities to open bank accounts with the maximum level of transactionality in a remote fashion.

Such regulatory amendment further developed certain extraordinary measures adopted by the authorities on 21 June 2020, in order to ensure the provision of banking and financial services in Mexico throughout the COVID-19 pandemic. Before these extraordinary measures were put in place, only individuals could open bank accounts remotely.

Conclusion

In Mexico, banks have repeatedly proven their importance as the basis of the country’s financial system. The adoption of technology into their different business models is inevitable and poses interesting challenges from the legal perspective, among others. Therefore, it is important to be aware of the Mexican regulatory landscape, particularly heading towards the efforts of economic recuperation after the COVID-19 pandemic.

White & Case, S.C.

Torre del Bosque – PH
Blvd. Manuel Ávila Camacho #24
Col. Lomas de Chapultepec
11000 Ciudad de México
Mexico

+52 55 55 40 96 00

+52 55 55 40 96 99

whitecasemexico@whitecase.com www.whitecase.com
Author Business Card

Law and Practice

Authors



White & Case, S.C. is recognised for its market-leading presence in Mexico City. It offers highly specialised and integrated services to its clients, utilising critical insight earned over three decades of working on leading innovative transactions and resolving high-profile disputes, working from White & Case’s seamless global platform with 45 offices in 31 countries. The Financial Services Regulatory team comprises 19 lawyers with unparalleled experience, and provides comprehensive advice to the world’s leading financial institutions. It has extensive domestic and international experience in the authorisation process for the establishment, operation and M&A of financial institutions with substantial operations in Mexico., and in providing counsel on compliance with Mexican, US, Asian and European regulations and specialised financing transactions, for financial institutions and corporations operating within and outside Mexico. The practice gives advice to commercial and investment banks, broker-dealers and investment advisers, non-bank lenders, sovereign wealth funds and government-owned banks, and to emerging financial services providers, including fintechs and payment companies.

Trends and Development

Authors



White & Case, S.C. is recognised for its market-leading presence in Mexico City. It offers highly specialised and integrated services to its clients, utilising critical insight earned over three decades of working on leading innovative transactions and resolving high-profile disputes, working from White & Case’s seamless global platform with 45 offices in 31 countries. The Financial Services Regulatory team comprises 19 lawyers with unparalleled experience, and provides comprehensive advice to the world’s leading financial institutions. It has extensive domestic and international experience in the authorisation process for the establishment, operation and M&A of financial institutions with substantial operations in Mexico., and in providing counsel on compliance with Mexican, US, Asian and European regulations and specialised financing transactions, for financial institutions and corporations operating within and outside Mexico. The practice gives advice to commercial and investment banks, broker-dealers and investment advisers, non-bank lenders, sovereign wealth funds and government-owned banks, and to emerging financial services providers, including fintechs and payment companies.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.