Fintech 2021

Last Updated March 18, 2021


Law and Practice


Cannizzo, Ortíz y Asociados, S.C. was established in Mexico City more than 40 years ago and is an excellent gateway for doing business in Mexico, thanks to its international legal experience and in-depth understanding of the Mexican reality. The firm, which since its establishment has been very active in the banking, insurance and financial sectors, has in the past years evolved and developed special experience in the practice areas inter-related with the fintech ecosystem, ie, banking and finance, insurance, lending, securities, technology, industrial property, compliance, money-laundering prevention and personal data protection, and has closely followed the emergence and growth of the fintech industry in Mexico. The firm advises clients in the legal framework applicable to fintech institutions, new investment models, fundraising, insurance, payments and transfers through technological means. Its clients in the fintech ecosystem participate in several areas, such as crowdfunding, cryptocurrencies, insurtech, trading, wallets and smart contracts.

Current Scenario of the Fintech Market in Mexico

According to the provisions applicable to the fintech market, those entities carrying out activities regulated by the Law Regulating Financial Technology Institutions (Ley para Regular las Instituciones de Tecnología Financiera) or the “Fintech Law” at the time it came into force on 10 March 2018, were required to apply for authorisation to operate as financial technology institutions (instituciones de tecnología financiera or IFTs) before the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores or the CNBV) no later than 25 September 2019.

Such IFTs and the new ones granted under the Fintech Law should have started being authorised during 2020. However, several IFTs requested extensions to the deadline and the COVID-19 pandemic caused many authorities, including the CNBV, to suspend or postpone their resolution deadlines, causing a delay in the granting of said authorisations. 

At the time of publication, the CNBV had granted only one authorisation for an electronic payment fund institution (wallet) and one for a crowdfunding institution, and had the resolution of 92 additional authorisations pending: 59 applications to operate as an electronic payment fund institution (institución de fondos de pago electrónico or IFPE) and 33 to operate as a crowdfunding or collective financing institution (institución de financiamiento colectivo or IFC).

However, those individuals or entities that requested authorisation before the CNBV on time and under the terms mentioned above may continue to operate until their request is resolved and must publish on their website or any other media they use that the authorisation to carry out such activity is in progress and therefore the activity is not currently supervised by the Mexican authorities. In fact, of the 92 clearances being analysed by the CNBV, 68 are for companies that were operating before the Fintech Law came into effect. 

Concerning the legal provisions applicable to fintech, the only ones recently enacted are:

  • the General Provisions Regarding Standardised Computer Application Programming Interfaces or the “APIs Provisions” (Disposiciones de Carácter General Relativas a las Interfaces de Programación de Aplicaciones Informáticas Estandarizadas a que hace Referencia la Ley para Regular las Instituciones de Tecnología Financiera) published on 4 June 2020, effective from 5 June 2020; and
  • the provisions applicable to the IFPE regarding cybersecurity and biometrics (Disposiciones aplicables a las instituciones de fondo de pago electrónico a que se refieren los artículos 48, segundo párrafo, 54, primer párrafo y 56, primer y segundo párrafos de la Ley para Regular las Instituciones de Tecnología Financiera) published on 28 January 2021, effective from 28 April 2021. 

Future Scenario of the Fintech Market in Mexico

Within the next 12 months, it is expected that the pending authorisations for the operation of IFTs in terms of the Fintech Law will be resolved by the CNBV.

Likewise, it is expected that there will be a secondary regulation on open banking, a model that, although regulated by the Fintech Law, has not been entirely regulated by the CNBV as mandated by the legislator. The authority has indicated that it expects to issue the relevant regulation during the first quarter of the year.

Additionally, it is undeniable that the COVID-19 pandemic will continue to affect the fintech market in Mexico, not only in terms of the resolution of pending authorisations, but also in that it may have a positive impact, considering the boost that mobility restrictions have provided to digital services schemes, including financial services.

In Mexico, the predominant fintech categories are, on the one hand, the crowdfunding subcategory, that is, the IFCs within the financing vertical and, on the other hand, the wallet, ie, the IFPEs within the payments and transfers vertical. 

The Fintech Law provides for these two types of business models, understanding by:

  • IFC – the activities aimed at putting people from the general public in contact with each other to grant financing regularly and professionally, through computer applications, interfaces, internet pages, or any other means of electronic or digital communication; and
  • IFPE – the services performed regularly and professionally with the public, consisting of the issuance, administration, redemption and transmission of electronic payment funds through computer applications, interfaces, internet pages or any other means of electronic or digital communication. 

Having said this, it should be noted that financial provisions in Mexico are not exclusively found in the Fintech Law, but also in previous provisions regulating the performance of financial entities of the traditional financial or banking model, such as:

  • the Law of Credit Institutions (Ley de Instituciones de Crédito);
  • the Securities Market Law (Ley del Mercado de Valores); and
  • the General Law of Credit Organisations and Auxiliary Activities (Ley General de Organizaciones y Actividades Auxiliares del Crédito) etc.

In this regard, Finnovista’s Fintech Radar Mexico Report dated March 2020 confirms the aforementioned concerning the prevalence of crowdfunding and wallets in the fintech market in Mexico. However, it adds some additional business models that can be found in the fintech environment in the country, namely, payment and remittances, insurtech, wealth management, scoring, identity and fraud, business lending, consumer lending, enterprise financial management, digital banking, trading and markets, personal financial management, and enterprise technologies for financial institutions. 

The regulatory regime applicable to industry participants in Mexico in the main verticals, ie, crowdfunding and wallets, comprises the following provisions:

  • the Fintech Law published on 9 March 2018;
  • General provisions issued by the CNBV (known jointly as the “CNBV Provisions”), including: 
    1. General Provisions applicable to IFTs (Disposiciones de Carácter General aplicables a las Instituciones de Tecnología Financiera) published on 10 September 2018; and 
    2. APIs Provisions published on 4 June 2020;
  • Circulars issued by Mexico's Central Bank (Banco de México or Banxico) and the CNBV (known jointly as the “Banxico Provisions”), such as:
    1. Circular 12/2018 regarding transactions of electronic payment fund institutions published on 10 September 2018;
    2. Circular 4/2019 regarding transactions with virtual assets published on 8 March 2019;
    3. Circular 5/2019 regarding the Mexican Regulatory Sandbox published on 8 March 2019;
    4. Circular 6/2019 addressed to the IFC regarding the General Provisions applicable to transactions they carry out in foreign currency and the information reports to Banxico, published on 8 March 2018; 
    5. Circular 8/2019 with modifications to Circular 14/2017 regarding CoDi transfer instrumentation (digital collection) published on 20 May 2019; and 
    6. Provisions applicable to the IFPE regarding cybersecurity and biometrics published on 28 January 2021; and 
  • General Provisions mentioned in Article 58 of the Fintech Law (Disposiciones de carácter general a que se refiere el artículo 58 de la Ley para Regular las Instituciones de Tecnología Financiera), known as the “AML Provisions”, and known jointly with the Fintech Law, the CNBV Provisions and the Banxico Provisions as the “Fintech Provisions”, published on 10 September 2018.

There are secondary provisions that regulate the above such as the General Provisions of the National Commission for the Protection and Defence of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros or the “CONDUSEF”) on transparency and sound practices applicable to the IFTs.

Other legal provisions applicable to other verticals, considering the amplitude of financial legislation in Mexico, are the Law of Credit Institutions, the Securities Market Law, the General Law of Credit Organisations and Auxiliary Activities, the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros), the Law to Regulate Credit Information Companies (Ley para Regular las Sociedades de Información Crediticia), the Federal Law on the Prevention and Identification of Transactions from Illicit Sources (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita) (Anti-money Laundering Law), the Federal Law on the Protection of Personal Data Held by Private Entities or Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (Personal Data Protection Law), etc.

The compensation model that participants in the fintech ecosystem are authorised to use in Mexico, ie, whether they can charge their customers fees or commissions, directly or indirectly, is not rigid since, in general, the Fintech Provisions do not include an extensive list of permitted charges. However, IFTs are required to submit the scheme of fees to be charged to customers during their transactions to the CNBV, as one of the documents that must be submitted to obtain the CNBV's authorisation. 

In addition to the above, the Fintech Provisions include some isolated provisions on the matter. For example, the Fintech Law provides that IFCs, when establishing risk-shared schemes with their investor customers, are allowed to collect a portion of the fees charged, subject to the condition that the relevant loan is fully repaid or the project is carried out according to the terms offered or according to any other scheme that allows the alignment of incentives between the IFC and the investors. In terms of the Banxico Provisions, the IFPEs must allow their customers to make at least one withdrawal per day from their electronic payment funds account through an electronic channel in local currency, at no cost, without charging fees or any other accessory. 

The regulation of the fintech industry in Mexico differs from the traditional regulation of financial services that were already in place for other players in the financial system, such as legacy players, in consideration of the different services and options offered by the fintech industry, and the different and new risks that its operation may imply for its users and, in general, for the national financial market.

Thus, fintech regulation in Mexico acknowledges that, unlike the traditional banking sector, the new industry:

  • attracts its customers through new mechanisms, namely digital channels;
  • accepts diverse response times by making use of technological resources that promote immediacy of request and response;
  • requires a relevant variation in transaction costs for the new emerging companies in the fintech market which, among other things, modifies the scope of their services and will tend to increase market and financial inclusion; and
  • recognises the use of new technologies, such as blockchain or forms of payment that involve new regulatory challenges that did not figure in the traditional banking landscape.

Furthermore, the legislator acknowledged that for IFTs to be competitive, their regulatory regime had to be dynamic in a world where communications, technology, and the demand for innovative and dynamic services are evolving rapidly.

Nevertheless, considering that at the end of the day, they are still financial services, several aspects of the regulations applicable to traditional financial entities were replicated in the fintech legal framework, such as those referring to the requirement to get authorisation to provide the relevant services, protection of the Mexican financial system, and anti-money laundering and preventing the financing of terrorism.

The Fintech Provisions contemplate “Innovative Models” (Modelos Novedosos), also known as a regulatory sandbox, which implies the possibility for the authority to issue temporary authorisations to operate innovative services (the use of tools or technology different to those available at the time of the request for authorisation) in a controlled and less costly environment. This space allows companies to offer financial services to a limited number of customers, using innovative technological tools or the means to test them, before offering them to the public on a massive scale.

The parameters in each case for the test environment applicable to the specific innovative model are defined in an individual scheme, case by case, considering that the purpose of the models or schemes is to experiment, ie, the models do not guarantee any success. 

The Mexican Regulatory Sandbox may be authorised for the following applicants.

  • Regulated Entities (Entidades Reguladas), ie, financial entities, IFTs, or persons already subject to the supervision of the Mexican financial authorities. Under the Mexican regulatory sandbox scheme, these entities may be authorised to carry out, on a temporary basis, transactions or activities of their corporate purpose through innovative models. Regulated Entities may only obtain authorisation for a period of one year, which may be subject to an equal extension.
  • Other companies incorporated under Mexican law that differ from the regulated entities mentioned above. In the case of non-regulated companies, only those innovative models that carry out an activity, the performance of which requires a concession, authorisation or registration under financial laws, may enter the Mexican regulatory sandbox scheme. The term of this kind of authorisation may initially be up to two years, with an extension of an additional year.

During the term of the authorisation, the relevant entity must obtain definitive authorisations, concessions, or registries depending on the services offered or, if it is not in its best interest to obtain them, it must enter an exit procedure to terminate the temporary authorisation to operate through an innovative model.

A Slow Start

According to information provided by the authority, to date, only five applications have been received to operate under the regulatory sandbox scheme. Of these five applications, three are pending authorisation, and the other two have been withdrawn by the applicants. 

To encourage applications for authorisation, the CNBV and some public and private entities have promoted contests or programmes, such as the Sandbox Challenge, which was promoted by DAI Mexico (an international development company), the UK Embassy in Mexico, and the CNBV. 

The supervision and enforcement of the Fintech Provisions are entrusted to several authorities:

  • Banxico;
  • the Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público or the SHCP); and
  • the following supervising commissions: 
    1. the CNBV;
    2. the CONDUSEF; 
    3. the National Insurance and Surety Commission (Comisión Nacional de Seguros y Fianzas or CNSF); and 
    4. the National Commission for the Pension Fund System (Comisión Nacional del Sistema de Ahorro para el Retiro or CONSAR).

Division of Responsibilities

In general terms, Banxico is authorised to set forth, through general provisions, several complementary provisions to the Fintech Provisions, especially regarding transactions in foreign currency and with virtual assets. 

The SHCP is authorised to construe, for administrative purposes, the provisions of the Fintech Law on behalf of the federal government.

The acknowledged authority of the supervising commissions depends on the respective spheres of competence granted to them by their respective laws. Thus, for example, in terms of Article 350 of the Securities Market Law, the CNBV has supervisory faculties, in terms of its law, the Law of the National Banking and Securities Commission (Ley de la Comisión Nacional Bancaria y de Valores), concerning securities market intermediaries, investment advisers, self-regulatory bodies, stock exchanges, companies that manage systems to facilitate securities transactions, securities depository institutions, central securities counterparties, securities rating agencies and price vendors. Thus, in these terms, the enactment of different secondary regulation was granted to each financial authority according to the matters each one oversees, the CNBV being responsible for fintech general provisions and the SHCP for the anti-money laundering provisions.

In some cases where the faculties of the financial authorities seem to overlap, for example, when talking about authorisation within the regulatory sandbox scheme, it is foreseen that the competent authority will be the financial authority whose faculties are most closely related to the main activity that will be carried out by the applicant under the proposed new model. 

The Interinstitutional Committee (Comité Interinstitucional), a collegiate body made up of public servants from the SHCP, Banxico and the CNBV, is the body in charge of authorising the organisation and operation of the IFT. However, the CNBV is ultimately responsible for regulating and supervising these types of institutions.

Regarding sanctions, the Fintech Law determines that fines will be imposed administratively by the supervising commissions or Banxico on financial entities, IFTs, or companies authorised to operate under the regulatory sandbox scheme, and that they will be enforced by the SHCP or Banxico.

IFTs may outsource some of their functions to a third party. Pursuant to the provisions of the Fintech Law, IFTs are authorised to agree with third parties, located in the country or abroad, on the provision of services necessary for their operation, in accordance with the general provisions issued by the CNBV concerning IFCs, and jointly with Banxico in relation to IFPEs.

Outsourcing of the relevant services does not exempt the IFTs and the persons related to them from complying with the legal provisions applicable to the services they provide.

In some cases, outsourcing must be previously authorised by a financial authority. Thus, for example, in terms of the provisions of the Fintech Law, IFTs, subject to the approval of the CNBV, may agree with a third party to carry out the receipt of funds. 

When contracting any service with a third party, IFTs must expressly mention that the third party agrees to abide by the provisions of Article 54 of the Fintech Law.

It is also possible to outsource some services to regulated entities. In this sense, if an authorised financial entity had a stake in a certain IFT, such entity could provide the IFT with technological infrastructure, such as software, databases, operative systems, and applications, as well as related services, for the IFT to support its transactions. For these purposes, it would be necessary to have the authorisation of the CNBV and to enter into a service agreement that includes transfer prices, among other elements. 

Outsourcing by IFPEs

There are other services that must necessarily be performed by third parties in terms of the law; eg, to evaluate, through independent third parties, the compliance of the IFPE with certain information security requirements, the use of electronic media, and operational continuity. On 28 January 2021, the provisions applicable to these services were published. 

Outsourcing by IFCs

The general provisions applicable to IFTs include a chapter identified as “Contracting services with third parties”, which sets forth that IFCs will only require authorisation from the CNBV to contract with third parties for the provision of services that: 

  • involve the transmission, storage, processing, safekeeping or custody of sensitive information, images of official identification or biometric information of customers, provided that the contracted third party has access privileges to such information or to the security configuration information, or to the access control administration; and
  • carry out processes abroad related to accounting or treasury, as well as to the registration of customers' transactional movements.

The relevant chapter also includes the rules applicable to subcontracting, such as the documents and information that must accompany the application for authorisation, provisions regarding the list of providers to be kept by the IFCs, etc. 

IFTs are considered as “gatekeepers” with responsibility for some activities on their platforms. In this sense, IFTs are obliged to act as such regarding anti-money laundering provisions and through the implementation of KYC policies.

Within an IFT's application to obtain authorisation from the CNBV, a document of KYC policies, among other elements, must be included. 

Likewise, IFTs must set forth internal policies, criteria, measures and procedures that allow them to identify, acknowledge and mitigate the risks to which they are exposed, keep information on the identification of their customers, and have an automated system that allows them, among other things, to identify possibly unusual transactions on the part of their customers.

The AML Provisions constitute the regulatory framework for the prevention of transactions with resources of illicit origin and countering the financing of terrorism that IFTs must observe to avoid being used as vehicles for the commission of such illicit activities, as well as to prevent the improper use of the financial system through the new services and products that technological innovations offer to the general public.

In terms of the provisions of the Fintech Law, legal acts entered into in contravention of the provisions of such law or its related provisions and conditions, if any, will give rise to the imposition of administrative and criminal sanctions, without, as a general rule, such contraventions being able to nullify the acts, in protection of third parties acting in good faith.

Among the significant enforcement actions included in the provisions applicable to the fintech regulatory framework in Mexico are fines of up to approximately MXN13 million, plus a certain percentage of the transactions carried out in contravention of the AML Provisions and imprisonment, in certain cases.

Among the non-financial services regulations, including the legal provisions applicable to the fintech ecosystem, we can find provisions on protection of personal data, intellectual property, anti-money laundering (AML) and cybersecurity.

Personal Data Protection Provisions

The Fintech Law states that aggregated data, ie, data related to any type of statistical information related to transactions carried out by or through IFTs, must not contain a level of disaggregation such that the personal data or transactions of an individual can be identified. 

Likewise, concerning transactional data, ie, data related to the use of a product or service, as well as any other information related to transactions that customers have conducted or attempted to conduct in the technological infrastructure of IFTs, it states that this is regarded as personal data and can only be shared with the prior express authorisation of the user. This complies with what was already applicable in terms of the Federal Law for the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), a law to which private parties were already subject. It should be added that, in terms of said law, the processing of financial or patrimonial data requires the express consent of the user.

Other provisions related to the protection of personal data by IFTs are found in the General Provisions applicable to IFTs (Article 86, Section IX); Circular 5/2019 regarding the Mexican Regulatory Sandbox (Article 11) and in CONDUSEF's General Provisions on Transparency and Sound Practices (Articles 11 and 52).

Intellectual Property Provisions

Regarding the provisions on intellectual property, the only specific provision foreseen with regard to IFTs states that IFTs must, among other things, attach the draft of the services agreement to the request for authorisation regarding contracting the services of third parties. This service agreement must indicate the probable date of its execution, the rights and obligations of the IFT and the third party, including the determination of intellectual property regarding the designs, developments or processes used for rendering the service.

In addition to this provision, the following two federal laws are applicable to IFTs:

  • the Federal Law for the Protection of Industrial Property (Ley Federal de Protección a la Propiedad Industrial), the main purpose of which, among others, is to protect industrial property, regulate industrial secrets, promote and encourage inventive activity of industrial application, technical improvements, and creativity for the design and presentation of new and useful products; and
  • the Federal Copyright Law (Ley Federal del Derecho de Autor), the main purpose of which is to protect the rights of authors, performers and artists.

AML Provisions

AML Provisions were enacted specifically for the operation of IFTs. The Anti-Money Laundering Law acknowledges financial entities as regulated entities, including IFTs. The law also specifically names, as a vulnerable activity, the regular and professional offering of virtual asset exchange carried out through electronic, digital or similar platforms.

Cybersecurity Provisions

IFTs must have the necessary infrastructure and internal controls to carry out the transactions they are meant to carry out, such as operating, accounting and security systems in accordance with the applicable general provisions. 

Furthermore, on 28 January 2021, the new provisions applicable to IFPEs regarding cybersecurity and biometrics were published. 

Social Media Content

Finally, in Mexico, there is no specific regulation regarding social media content.       

The Fintech Provisions set forth certain cases in which industry participants must or may carry out supervisory activities for IFTs. This possibility is foreseen fundamentally in two cases.

Independent External Auditors

The first scenario refers to the obligations included in the Fintech Provisions regarding supervisory activities to be carried out by entities or persons that are not considered financial authorities. For example, the Fintech Law establishes that the annual financial statements of IFTs must be audited by an independent external auditor, who will be appointed directly by their administrative body. It is the CNBV which, through general provisions, determines the characteristics and requirements to be met by independent external auditors, the content of the opinions and other reports that must be rendered; the measures to ensure their adequate alternation, etc.

Trade Associations

On the other hand, IFTs may optionally form trade associations which, among other things, may develop and implement standards of conduct and operation to be complied with by their members to contribute to the healthy development of such institutions. In this sense, trade associations may issue rules to regulate the process to adopt best practices and standards of conduct and operation, and the verification of their compliance.       

Participants of the fintech environment may only offer the products and services they are authorised to offer, and may only perform those activities related to such services and/or other specific activities outlined in the law. 

However, considering that the Fintech Law only recognises two types of IFTs, it is important to consider that other players in the industry are regulated by their relevant financial or non-financial regulatory framework.

Robo-advisers, as autonomous advisory systems controlled by financial entities which, through algorithms and exhaustive data analysis, provide consulting and portfolio management services, can provide financial advisory, wealth management services and the purchase, custody, and sale of securities. In Mexico, only those providing consulting and portfolio management have been incorporated with the industry players. 

As with the rest of the financial activities discussed in this guide, service providers known as robo-advisers require authorisation from the Mexican authorities to act as such.

Among the additional legal provisions applicable to robo-advisers capable of providing financial advisory is the Securities Market Law, specifically Article 225 and the General Provisions Applicable to Investment Advisers (Disposiciones de Carácter General Aplicables a los Asesores en Inversiones).

Legacy players have noticed the relevance that robo-advisers have gained in the market. Therefore, some have already started incorporating them into their investment platforms, and advising their customers based on their financial objectives. 

Some legacy players consider that implementing this kind of tool has allowed them to offer advisory services to a wider range of customers due to the low costs that the implementation of such technology represents.

Among the issues related to the best execution of customer trades by robo-advisers compared to legacy players, it should be highlighted that the simplicity of robo-advisers' operation and their greater coverage make them more accessible to the general public and, above all, more affordable in economic terms. Their simplicity stems from the fact that robo-advisers' advice is provided based on relatively little information on the customer's profile. Likewise, their automated process allows for lower operating costs, which means lower prices for the customer and allows the portfolio offer to be a product that suits each customer.

At this point of technological development, a complex interaction between the software and the customer (human being) may not be possible, but in the future, with the incorporation of artificial intelligence and autonomous learning, technology will surely surpass the advantages of an individual adviser.

In terms of the provisions of the Fintech Law, IFCs are those IFTs that put people from the general public in contact with each other to grant financing through crowdfunding, equity crowdfunding or co-ownership or royalty crowdfunding transactions, regularly and professionally, through computer applications, interfaces, websites or any other electronic or digital means of communication.

At first, the Fintech Law defines a customer in general terms, ie, as an individual or legal entity that contracts or performs any transaction with an IFT. However, the General Provisions Applicable to IFTs set forth additional differentiations for loans that may be granted by IFCs which distinguish between those granted to individuals, businesses and other actors.

Collective Debt Financing of Business Loans between Individuals

Under this type of financing, the applicants (legal entities or individuals with business activity) and the investors make contributions so that the applicants receive a loan to finance their activities, to carry out a financial leasing transaction, in which an asset is acquired for the investors, and is leased to the applicant, or to enter into a financial factoring transaction, in which they acquire part of a credit that the applicant has in its favour, with the applicant remaining jointly and severally liable to its debtor, without such right deriving from loans, credits or loans that the applicant has previously granted.

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 1,670,000 Investment Units (Unidades de Inversión or UDIs), which is approximately MXN11 million. IFCs may request authorisation from the CNBV to exceed this limit.

Collective Debt Financing of Personal Loans between Individuals

Under this transaction, the applicant (individual) borrows the resources contributed by the investors.

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 50,000 UDIs (approximately MXN331,000).

Collective Debt Financing for Real Estate Development

In this type of crowdfunding transaction, investors provide credit to applicants to finance real estate development activities.

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 1,670,000 UDIs (approximately MXN11 million). IFCs may request authorisation from the CNBV to exceed this limit.

In addition, the relevant provisions state that IFCs must set forth controls in their platforms that prevent the same investor from making investment commitments that exceed certain percentages based on the financing to be granted. 

Finally, it should be noted that IFCs have different disclosure requirements depending on the type of financing granted.

Regarding the IFC's decision whether an applicant is creditworthy and should receive a loan, within the General Provisions Applicable to IFTs there is a chapter related to the methodology for the evaluation, selection, and qualification of applicants and projects that establishes the information that IFCs must disclose to their potential investors through their platform. This information includes the criteria to be used to select the applicants and the projects to be financed, the way to verify their identity and location, the type of information to be collected to analyse and evaluate the applicants and, if applicable, the activities to verify its veracity, and the general description of the methodology to be used to analyse and determine the degree of risk of the applicants and the projects.

The Fintech Law provides for various sources of funds for performing loans, namely: 

  • collective debt financing – in this type of financing, the investors grant loans, credits, mutual loans or any other financing causing a direct or contingent liability to the applicants;
  • equity collective debt – this financing is used so that investors can purchase or acquire securities representing the capital stock of legal entities that act as applicants; and 
  • collective financing of co-ownership or royalties, which allows investors and applicants to enter into joint ventures or any other type of agreement whereby the investor acquires an aliquot share or participation in a present or future asset or in the income, profits, royalties or losses obtained from the performance of one or more activities or projects of an applicant.

IFCs have a peer-to-peer scheme, where the IFC's main purpose is to contact “investor” customers that contribute to the source of the funds, with “borrower” customers in need of a loan or project financing. 

Exceptionally, IFCs may obtain loans to share risks with their customers, only with prior authorisation from the CNBV.

Syndication of loans by IFCs is possible. However, the general provisions applicable to IFCs state that they must set controls in their platforms that prevent the same investor from making investment commitments that exceed certain percentages based on the financing to be granted. 

Furthermore, IFCs are prohibited from offering projects through their platforms that are being offered at the same time on another IFC platform.

Pursuant to the provisions applicable to fintech in Mexico, IFPEs are not entitled to create new payment rails; instead, IFPEs must use the existing ones. The Fintech Law provides that an IFT will only receive funds from its customers that come directly from money deposit accounts opened in an authorised financial institution. It also states that IFTs are only obliged to deliver funds to their customers by means of credits or transfers to the respective accounts that they have opened in financial institutions.

Nevertheless, IFPEs may obtain authorisation from the CNBV to receive or deliver amounts of cash to their customers.

IFPEs may, with prior authorisation from the CNBV, make money transfers in local or foreign currency or virtual assets, having received, in the latter cases, prior authorisation from Banxico, through credits and debits between their customers and other IFPEs, as well as account holders or users of other financial entities, or foreign entities authorised to perform similar transactions. 

In Mexico, fund administrators are primarily regulated by the Investment Funds Law (Ley de Fondos de Inversión), formerly known as the Investment Companies Law (Ley de Sociedades de Inversión). The purpose of this law is, among other things, to regulate the organisation and operation of these funds, the intermediation of their shares in the securities market, and the services they must contract to carry out their activities.

The law defines investment funds as those companies whose purpose is the acquisition and sale of the assets that the law considers to be the object of investment, with resources from the placement of shares representing their capital stock, offering them to an undetermined person through financial intermediation services.

It should be noted that the Mexican legal system also provides for an additional type of fund administrator, which are in the form of pension or retirement funds regulated by the Law of the Retirement Savings Systems (Ley de los Sistemas de Ahorro para el Retiro). 

Pursuant to the provisions of Mexican law, persons that distribute shares of investment funds must agree with the investing public, on their behalf, at the time of execution of the respective agreement, the means through which the prospectuses and documents with key information for the investment of the funds whose shares they distribute and, if applicable, their amendments, will be made available for their analysis and consultation, agreeing at the same time on the facts or acts that will presume their consent with respect thereto.

Originally, the creation of an exchange or trading platform for virtual assets was envisaged. However, Banxico decided to restrict transactions with virtual assets (Circular 4/2019) to credit institutions and IFTs in the execution of their internal transactions, as it considered that the provision of services related to virtual assets to the general public by financial institutions would not be convenient and the risks associated with virtual assets should not impact the end user.

Banxico has pointed out that even though IFTs and credit institutions in Mexico are not authorised to offer virtual asset transactions to the public, this does not imply that companies other than these cannot offer services related to virtual assets.

No exchange or trading platform is provided by the Fintech Provisions, therefore no different asset classes are available. The only assets that might be authorised in the near future are virtual assets. In order for them to be classified as such, they must comply with the following characteristics and have:

  • information units which do not represent the ownership or rights of an underlying asset and which are uniquely identifiable, even fractionally, stored electronically;
  • emission controls defined by means of specific protocols to which third parties may subscribe; and
  • protocols in place to prevent replicas of information units or fractions thereof from being available for transmission more than once at the same time.

In Mexico, there is no cryptocurrency or virtual asset market authorised by Banxico in the context of fintech provisions. The emergence of a virtual asset market through companies other than IFTs or credit institutions continues to push the regulator to modify the legislation so that such entities may enter into transactions with virtual assets other than internal transactions. 

Additionally, the emergence of cryptocurrency exchanges has impacted the existing regulation regarding AML compliance. In 2018, in parallel with the enactment of the Fintech Law, several laws were amended, among them, the Anti-Money Laundering Law, to include in its catalogue of vulnerable activities the usual and professional offer of virtual assets exchange by non-financial entities, through electronic, digital or similar platforms that manage, operate or carry out purchase and sales transactions or guard, store or transfer different virtual assets than those acknowledged by Banxico. 

Unlike the regulatory approach in other jurisdictions where virtual assets are compared with securities and listing requirements and standards are provided, regulation in Mexico is limited to recognising them and authorising specific transactions with them, but no listing standards are provided by the regulation. 

No regulation exists regarding the exchange or trading of virtual assets. 

No regulation regarding peer-to-peer trading platforms exists. 

The lack of a specific regulation may give rise to problems regarding the execution of customer trades or any other aspect related to the protection of customers of the financial system. 

No extensive regulation exists regarding the exchange or trading of virtual assets.       

The provisions regarding the fintech industry in Mexico are based on the principles of financial inclusion and innovation, promotion of competition, consumer protection, preservation of financial stability, prevention of illicit transactions, and the establishment of technological neutrality.

There is no specific regulation applicable to the creation and/or usage of high-frequency and algorithmic trading in Mexico.

Mexican legislation does not require market makers to be registered when functioning in a principal capacity. 

There is no specific regulation applicable to the creation and/or usage of high-frequency and algorithmic trading in Mexico, therefore there is no regulation that provides a distinction between funds and dealers that engage in such transactions. 

There is no specific regulation applicable to programmers who create trading algorithms and other trading tools. However, computer programs, defined by the Copyright Law (Ley Federal del Derecho de Autor) as any original expression in any form, language or code, of a set of instructions which, with a given sequence, structure, and organisation, has the purpose of having a computer or device perform a specific task or function, are protected by said law.

Financial research platforms are not regulated by Mexico’s Fintech Law and therefore they are not subject to registration. 

The Fintech Law provides a general obligation for IFTs to adopt the necessary measures to prevent false or misleading information from being spread by them. Likewise, conduct such as disclosure of or benefiting from privileged information, market manipulation, as well as spreading false information about securities, or regarding the financial, administrative, economic or legal situation of public companies, is penalised by the Securities Market Law. 

Mexico’s Fintech Law does not regulate financial research platforms. Therefore, there is no specific regulation regarding a post's content on certain platforms. Nevertheless, unacceptable behaviour, such as disclosure of inside information, may be penalised by the Securities Market Law, where applicable.

Insurtech is not specifically regulated by Mexican laws. The insurance industry is regulated by the Insurance and Bonding Companies Law (Ley de Instituciones de Seguros y Fianzas) and the Insurance Contract Law (Ley Sobre el Contrato de Seguro) and its secondary regulations. There are no specific requirements or processes for insurtech providers different from those applicable to traditional insurance companies. Insurance companies must obtain authorisation from the federal government through the CNSF to be incorporated and to operate as an insurance company, and the relevant authorisation is non-transferable. 

Authorisation to operate as an insurance company will allow said companies to provide insurance services in three general categories: (i) life, (ii) accidents and health, and (iii) damages, which are regulated by the Insurance and Bonding Companies Law and the Insurance Contract Law, by different provisions in each case. However, in addition to this, the relevant insurance products are not treated differently by industry participants and regulators. 

Regtech providers are commonly hired by financial entities to comply with their regulatory requirements. 

The principal area in which regtech is used is to comply with anti-money laundering and countering the financing of terrorism (AML/CFT) provisions. However, regtech providers are not regulated by Mexican law.

The contractual terms between financial entities and regtech providers regarding the performance and accuracy of services are negotiated between the parties; they are not dictated by regulation. Regulations such as the General Rules issued by the CNBV regarding AML/CFT provide that financial entities must implement a risk-based approach (RBA) to assess customers, products, services, and geographical risk, as well as to report a certain type of transaction and to prevent transactions with persons included in blacklists. Therefore, financial entities usually look for accuracy and updated information from their regtech providers, as well as the tools to comply with due diligence and KYC obligations, and the capacity to identify suspicious transactions and send the relevant reports to the authorities.

Traditional players in the financial services industry have shown great interest in blockchain technology and seek technological solutions to comply with AML/CFT provisions such as customers’ due diligence and KYC processes. At least four of the largest banks in Mexico are exploring the possibility of introducing smart contracts in their transactions, and most banks provide digital services through websites and apps. 

Although the authority (Banxico) acknowledges the multiple risks in the use of technologies such as blockchain, especially when describing them in relation to the use of virtual assets, it has indicated that it does not seek to restrict their use and that the regulations do not prevent the use of these technologies when they are developed for private use and are not associated with a virtual asset. No new rules or interpretations are expected to be accepted in the near future.

Blockchain assets are not considered financial instruments under Mexican regulations. The only recognition of blockchain assets is as virtual assets (cryptocurrencies). They are understood as a value representation electronically registered and used as a means of payment, but in no situation will they be considered as legal currency. Mexican laws do not regulate blockchain assets that represent stakes in a project or company.

Mexico’s Fintech Law does not address the regulation of blockchain asset issuers nor the initial sale of blockchain assets. Furthermore, they are not considered to be financial instruments, currency, security, or commodity as the case may be in other jurisdictions. 

Fintech provisions in Mexico do not regulate blockchain trading platforms. 

In Mexico, investment funds are mainly regulated by the Investment Funds Law and the General Rules applicable to Investment Funds and to their Service Providers. These regulations provide a list of assets in which funds may invest, and virtual assets are not included.

In Mexico, the only recognised blockchain asset is the virtual asset, which is defined by the relevant regulation as a value representation electronically registered and used as a means of payment, but in no situation will it be considered as legal currency. Other blockchain assets are neither recognised nor regulated by Mexican laws.

Decentralised finance is not defined or regulated in Mexico’s Fintech Law.

The Fintech Law supports open banking. It provides that financial entities, money transmitters, credit information entities, financial clearinghouses and entities authorised to operate in regulatory sandboxes must enable application programming interfaces (APIs) that allow connectivity and access to other APIs from the above-mentioned entities or authorised third parties specialised in information technology to share the following information:

  • Open financial data that contains no confidential information nor personal data. 
  • Aggregated data, statistical information that does not allow the identification of a specific person or their transactions. 
  • Transactional data and the information regarding the transactional profile of customers, which is considered as financial or patrimonial personal data by the Personal Data Protection Law. 

The authorised third parties requiring the relevant information must be capable of identifying an area of opportunity related to financial services and create a value proposal. 

The sharing of data and information under the open banking scheme is subject to secondary regulations. 

In March 2020, and later, in June 2020, the CNBV published the General Rules Regarding Application Programming Interfaces referred to in the Fintech Law, in the Federal Official Gazette. The first publication was applicable to credit information entities and financial clearinghouses and the second publication was applicable to financial entities, money transmitters, entities authorised to operate in regulatory sandboxes, and third parties specialised in information technology. However, these Rules only regulate sharing of open financial data; the relevant regulations regarding aggregated data and transactional data are still pending. 

The regulation of open banking provides that the exchange of data is subject to information security and integrity policies, and the Personal Data Protection Law is applicable to data providers and data requesters involved in the exchange of information under the open banking scheme, but it is not clear how they will address and cope with data privacy and data security concerns. 

Cannizzo, Ortiz y Asociados, S.C.

Moliere 39, Piso 11
Col. Polanco Alc. Miguel Hidalgo
Ciudad de México
CP 11560

(+52) 55 52 79 59 80

(+52) 55 52 80 44 67

Trends and Developments


Greenberg Traurig, S.C. is an international, multi-practice law firm with more than 2,200 attorneys in 40 offices around the world. The firm has been recognised for its philanthropy, diversity and innovation. Greenberg Traurig’s Mexico City office includes 60-plus attorneys with proven experience in corporate and financial matters, advising clients in today’s legal marketplace within highly regulated sectors. The fintech team advises on corporate structures and governance matters, capital markets and financings, and the myriad of commercial and regulatory issues that impact fintech companies. It represents clients engaged in payments, lending, mobile wallets, personal financial management offerings, virtual currencies and other verticals. The attorneys understand that the fintech industry is rapidly evolving and highly competitive, as businesses face novel and complex legal challenges. The team has the right combination of competencies and qualities to help all its fintech clients thrive, from aspiring disruptors to large financial institutions.


One year ago, few could have predicted the speed at which digitisation, and more specifically, the fintech industry, would grow in 2020. Today, an unprecedented number of consumers in Mexico and elsewhere satisfy their everyday needs through digital means, including making greater use of online and mobile tools to manage their finances than before the COVID-19 pandemic.

But the Mexican fintech sector was in constant evolution well before the pandemic. The size of the country’s domestic market (it is the second-largest economy in Latin America), its strategic geographic location, its predominantly young and digitally-active population with internet and smartphone access, and its pioneering fintech regulations are among the biggest drivers of this evolution.

Since before the inception of the Ley para Regular las Instituciones de Tecnología Financiera (the “Fintech Law”) in March 2018 until today, it is estimated that the number of fintech companies in Mexico has grown more than 80%, to approximately 400 active companies (source: Finnovista). Over two thirds of these companies have successfully raised capital, with the total value of disclosed investment deals surpassing USD1.3 billion in both equity and debt (source: BFA Global).

Despite these encouraging factors, liquidity is likely to be scarcer in the post-pandemic environment. Therefore, some companies will have to focus more on profitability and positive cash flow, than growth at all costs. Furthermore, there is still much to be done to bridge the financial inclusion gap and create more competition for the ultimate benefit of all Mexican consumers. As of June 2020, more than half of the country’s population did not have access to a bank account, and a similar number resorted to informal employment, further bolstering the cash-based economy (sources: Santander México, INEGI and BANXICO).

State of Regulation

From 2018 to date, the Ministry of Finance (Secretaría de Hacienda y Crédito Público), through the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores or CNBV) and the Central Bank of Mexico (Banco de México or “BANXICO”), the main financial sector regulators, have enacted several pieces of secondary regulation dealing with almost every operational aspect of Mexican fintech, including:

  • minimum capitalisation requirements;
  • internal organisation;
  • risk management and internal control;
  • accounting criteria;
  • transactions in foreign currency and cryptocurrencies;
  • regulatory reporting;
  • anti-money laundering/combating the financing of terrorism (AML/CFT);
  • cybersecurity;
  • regulatory “sandbox” licensing regime;
  • self-correction programmes;
  • consumer protection measures;
  • application programming interfaces (APIs) and open banking;
  • IT infrastructure, business continuity plans (BCPs) and disaster recovery plans (DRPs); and
  • engagement of third-party vendors (including cloud service providers) and agents.

Fintech Licences

The Fintech Law imposed a licensing requirement on companies falling within either the crowdfunding or e-money (wallet) categories, known as Instituciones de Financiamiento Colectivo (IFCs) and Instituciones de Fondos de Pago Electrónico (IFPEs), respectively. There is also a sandbox-type licence for companies wishing to operate innovative models. The Fintech Law's transitory articles provided that all companies that were already operating under the newly regulated models should apply for the corresponding licences with the CNBV by no later than 25 September 2019, after which, they would be allowed to continue operating until their formal licensing.

According to the CNBV, 85 institutions applied for a licence before the deadline (25 IFCs and 60 IFPEs), but at the time of writing, only one company of each type had been formally authorised. Although many more are expected to follow during the remainder of the year, as the government endorses its commitment to the sector, the licensing process has been longer than some participants expected, and the large number of applications from "grandfathered" institutions could delay the prospects for licensing of new players. Finally, and although such information is not public, it is worth noting that, despite several industry promotional efforts, only a handful of companies have applied or are contemplating applying for a sandbox licence.

Notable Trends and Developments

High-growth verticals

For the reasons explained in detail below, during 2021 we expect the most active financial services business models will continue to be payments services and remittances (among which we anticipate greater adoption of BANXICO’s digital contactless payment solution “CoDi”), and lending (where higher margins will continue to lure financial and non-financial entities), both for consumers and SMEs (which continue to be an underbanked segment). Other verticals, such as insurtech and Software as a Service (SaaS) – with a special mention for companies offering automatisation of enterprise financial products (eg, accounting, payroll, and enterprise resource planning (ERP), as well as financial management services) – are likely to grow as well. Last but not least, the continuous movement towards a digital, cash-based economy will require consolidation by the IFPEs of their third-party agency networks with large drug-store chains, convenience stores and the like in order to facilitate and enable cash-in and cash-out movements (similar to what the Mexican banks did a decade ago). Integration between agency networks and fintechs would increase demand for third-party providers of cybersecurity, identity fraud, cloud computing, privacy and AML compliance solutions. 


As Mexicans have become accustomed to working from home, remote shopping and contact-free payments have risen sharply, as have app-based money exchanges.

But a few months before shelter-in-place measures were enacted in most of the country, BANXICO had begun the roll-out of “CoDi” (short for Cobro Digital), a QR code-based digital payments platform allowing individuals to buy and sell goods through the country’s SPEI (Sistema de Pagos Electrónicos Interbancarios) – a real-time EFT system for low and large-value P2P, C2B and B2B transfers – without commissions or fees. This key initiative aims to accelerate the transition to a cashless ecosystem while promoting financial inclusion. Although CoDi’s biggest challenge is still to break the culture of cash use, given its reliance on the applications of domestic banks to use it and the lack of real incentives for the latter to co-operate due to the system being free, its mass adoption and full potential remain to be seen.

Amendments are in the works (after a period of public consultation that concluded last December) for an expanded version of SPEI to include indirect participants (in addition to existing direct participants) with specific functions, to cater to the growing demand for electronic payments. However, due to bandwidth and message size restrictions, SPEI works with a proprietary message protocol for domestic transactions (and SWIFT MT for cross-border operations) and, although developing translators is apparently being considered, BANXICO has given no indication of migration to the ISO20022 standard that could further enrich SPEI’s value-added services and enhance inter-operability with other regional and cross-border schemes.

“As-a-service” models

On 4 December 2020, the CNBV made an announcement indicating that only regulated financial institutions (ie, commercial banks and fintech companies that are either licensed or in the process of obtaining a licence) may present themselves as financial services providers to the public.

Despite not constituting a new piece of regulation, and although it finds support in Mexican law provisions preventing licensed financial entities from transferring or assigning their licences to third parties, this announcement contradicts a global industry trend by essentially denying legal status to customer-facing companies leveraged on “as-a-service” models that allow them, efficiently and cost-effectively, to offer certain financial services independently via APIs.

While unfortunate, and even confusing for some, this announcement seems to have been justified by consumer protection considerations. However, for the good of the industry in general, and although the CNBV has not in any way suggested it, we believe that a more thorough analysis of the model, its benefits and implications even from a supervision perspective, could eventually lead to specific enabling regulation.

Embedded finance: every company will be a fintech company

Digitalisation and COVID-19 accelerated the digital payments trend Mexico had been following for the past few years. Embedded finance, as the possibility to offer financial services through a wide variety of platforms and apps by non-financial services providers, creates business opportunities for retailers and industries to expand their value propositions by partnering with fintech companies. Through these alliances, traditional financial services providers (eg, insurance companies in Mexico, where insurance penetration remains very low according to Swiss Re’s World Insurance: Regional Review 2019) will get access to new apps and marketplaces with vast consumer bases and friendly interfaces as additional cost-effective distribution channels for their products. At the same time, retailers of all sizes and from all industries (eg, ridesharing companies, consumer technology companies, and Telcos, among others) may offer financial solutions to their customers (eg, from simpler payment solutions to offering consumer lending, instalment loans, and others) as a way to create a better and stickier customer experience and additional sources of revenue.

Embedded finance and open banking regulation will also increase demand for third-party specialists, offering, as a service, complex infrastructure for non-financial companies to offer financial services. This trend will obviously create legal challenges, as traditional business lines between financial and non-financial entities will become even more blurred. Similarly, an increase in providers of financial infrastructure, which reduces costs and time-to-market for non-financial companies and fintech start-ups to launch financial products, will continue to pose questions about the fintech “as-a-service” model, as discussed above, and how future regulation and financial supervision may address associated challenges.

From unbundling to rebundling

As has happened elsewhere in the world, the first wave of Mexican fintechs strived to be best at one thing – essentially, unbundling single aspects of financial services, whether it was payments, lending, digital banking or even trading, with the mission of executing a better service, or in some cases, better only for a particular consumer segment. This was in part due to infrastructure-related barriers of entry (ie, each participant having to build their own technology stack).

However, also in line with the rest of the world, as Mexican fintechs have matured some have come full circle in the sense that, having executed very well on single-product offering strategies and having found a product-market fit, they have earned the opportunity to expand their features. This, together with the original barriers of entry being lowered by infrastructure businesses now catering specifically to fintechs and helping them build products in less time and at less cost, as well as consumer preferences for having access to a wider range of products on the same platform or from a trusted provider (ie, a more holistic experience), is now enabling fintechs to expand their product footprints more easily and with a very promising reward (ie, gaining more data on consumers’ behaviour). Finally, investors have proved to be more than sympathetic to this rebundling trend because it opens the door to potential new lines of revenue. This strategy may prove particularly successful in the investment/wealth management vertical where, we believe, the rebundling of services and the trend towards embedded finance, discussed above, could be a much easier route than providing financial education to consumers. 


Mexico is still a very small market for cryptocurrencies (or virtual assets, as the Fintech Law calls them), relative to other countries. Although regulation has been enacted in the form of the Fintech Law, the Federal Law for the Prevention and Identification of Operations with Proceeds of Illicit Sources (the “AML Law”) and BANXICO’s Regulation 4/2019, the approach has been conservative and not what most players expected. Among financial institutions, for example, it limits permitted operations with cryptocurrencies to only banks and fintechs (IFCs and IFPEs) and, with prior approval, only to proprietary transactions or so-called “internal transactions”, which are somewhat confusingly defined as those internally conducted by financial institutions that enable them to engage in passive (deposit-taking), active (lending) and service transactions with their customers. In the end, Regulation 4/2019 is clear insofar as banks and fintechs are required to prevent the direct or indirect exposure of their customers to the risks of operating with cryptocurrencies.

However, it is important to note that there are currently no restrictions or licensing requirements in Mexico preventing non-financial entities or individuals from owning or trading in cryptocurrencies (although they are required to report such transactions under the AML Law). This has allowed home-grown exchanges to continue operating – often voluntarily adopting the highest international industry standards – and it has attracted foreign exchanges.

On the other hand, restrictive regulation has prevented fintechs from developing more sophisticated products (eg, crypto-funds, local exchange-traded funds (ETFs) or even derivatives). But there is light at the end of the tunnel. Although different in many respects from traditional cryptocurrencies, Central Bank Digital Currencies (known as CBDCs) are generating interest globally, and this could drive BANXICO to formally engage in such an initiative and, as a by-product, generate more confidence in virtual currencies in general. This, together with the fact that local crypto-exchanges are growing larger (in some cases, even via the inorganic route of M&A), could boost adoption and market sophistication.

Open finance/APIs

Open finance is undoubtedly one of the most disruptive initiatives of the last few decades. It rests on the principle that users (not financial institutions) own their financial data.

Going one step further than more sophisticated markets like the UK, which served as a regulatory model, Mexican regulators have, through the Fintech Law and two sets of general provisions regarding APIs issued in March and June of 2020, adopted a unique bi-directional approach in which all financial institutions (not only banks, but also fintechs, including those holding sandbox approvals) will be required to share data through APIs in an effort to promote financial inclusion, enhance competition and, ultimately, foster more efficient processes and much higher customisation of financial products for the benefit of consumers.

However, although important strides have been taken in setting out the technical specifications of APIs, regulation issued so far deals only with certain financial intermediaries (namely credit reporting companies and clearing houses) and with open data (ie, information on products and services that entities offer to the general public, the location of offices, branches, ATMs, interest rates and fees), which is one of three existing categories of data – the other two being aggregated data (ie, statistical information, eg, periodic cash withdrawals in a given area, successful loan applications from applicants in similar industries or in consumer age or gender ranges) and transactional data (ie, specific customer/activity data like balances, transactions, investments, purchases or insurance activity). 

Additionally, the Mexican open finance regime requires that data providers obtain approval on, and register the considerations to be charged to, data applicants with the CNBV, without much detail on best practices or approval criteria, which could limit its development. But perhaps above all else, research suggests that the open finance initiative has not evenly permeated all the financial entities it affects or even within single organisations, where innovation or business development departments seem to be much more aware of its benefits and implications than compliance and risk departments, which could also hinder its full adoption (source: Open Vector).


The unprecedented growth of digital financial services will likely increase cybersecurity threats and financial supervision. Mexican regulators are conscious of these possibilities. Based upon recently published regulations, wallet companies authorised under the Fintech Law must abide by and comply with minimum technical standards to guarantee business continuity (including having a disaster recovery plan, or DRP), information security and confidentiality. Also, fintech companies must appoint a chief information security officer and carry out mandatory independent penetration testing audits every two years. Wallets hiring third-party technology services providers and foreign cloud computing providers must, under certain circumstances, have contingency plans that allow them to promptly resume their business operations in the event of service interruptions. In addition, any third-party agents hired by the wallet companies must comply with the minimum requirements for technical infrastructure, as defined therein. Provisions addressed to wallet companies are simply a confirmation of the regulator’s view that similar risks and/or operations require similar regulation and supervision.

Considering the cost and burden of meeting these standards, it is likely that we will see a rise in the number of companies offering, as a service, third-party solutions to reduce costs. Ancillary and related services such as cloud computing, identity verification, fraud-prevention and the like will continue their growth trend. 


Fintech in Mexico is no longer a foreign word reserved for internet enthusiasts and technology geeks. Recent growth and the increased demand for digital solutions and provision of services through digital channels have created the need for almost any company to consider how to leverage financial services to expand their value proposition to their customers and find additional margins. The prevailing trend of digitisation has accelerated rapidly due to a combination of COVID-19, a huge financially under-served population and consolidation of the millennial generation in the economy. Accordingly, we will continue to see a combination of new start-up fintech companies, increased VC and PE funds investment, innovation from financial services incumbents, and alliances among all types of corporations.

Opportunities are everywhere and will continue to grow. On the regulation side, it is important to underscore that the Fintech Law in Mexico regulates only a relatively small sector of financial services offered through digital platforms and interfaces. As other traditional financial services become digitised, several other laws and existing regulations that overlap will need to be considered or amended. Regulators will continue to face the struggle between avoiding the impairment of innovation in new financial services and, at the same time, protecting the stability of the financial system and enforcing consumer protection. This is just the beginning.

Greenberg Traurig, S.C.

Paseo de la Reforma No 265
Ciudad de México 06500

+52 55 5029 0000

Trends and Development


Greenberg Traurig, S.C. is an international, multi-practice law firm with more than 2,200 attorneys in 40 offices around the world. The firm has been recognised for its philanthropy, diversity and innovation. Greenberg Traurig’s Mexico City office includes 60-plus attorneys with proven experience in corporate and financial matters, advising clients in today’s legal marketplace within highly regulated sectors. The fintech team advises on corporate structures and governance matters, capital markets and financings, and the myriad of commercial and regulatory issues that impact fintech companies. It represents clients engaged in payments, lending, mobile wallets, personal financial management offerings, virtual currencies and other verticals. The attorneys understand that the fintech industry is rapidly evolving and highly competitive, as businesses face novel and complex legal challenges. The team has the right combination of competencies and qualities to help all its fintech clients thrive, from aspiring disruptors to large financial institutions.
