A consolidating process persists within the Mexican fintech market, which continues to show constant growth. According to the latest Finnovista Fintech Radar Mexico 2025, Mexico continues to be the second largest fintech market in Latin America, accounting for 803 local fintechs. The participation of foreign fintechs has also reached significant levels, totalling 301. The Radar therefore shows more than 1,000 fintechs operating in the country.

Compared to data for 2024, growth in the number of local fintechs increased by 4%, and revenues increased by 31%, reflecting a more mature industry. Key insights from the report include the following.

• Payments and remittances are the most dynamic segment in terms of growth, both in number of projects and revenue generation. Fintechs in this segment processed more than USD30 million in digital transactions, and this proportion is expected to increase by 76% by 2027.
• Lending continues to be the segment with the highest number of projects and the highest average of revenue.
• Crypto and payments continue to gain ground in the country.
• 68% of fintechs use AI; however, many are leveraging external providers. Fintechs internalise AI technology for analytics and security but tend to outsource user experience and automation. The wealthtech segment leads in AI adoption, with 81% of companies confirming AI implementation; this is followed by digital banking with 73%, and technological infrastructure for banks and fintechs with 69%.
• 75% of Mexican fintechs collaborate with traditional financial institutions.
• Currently, more than 70 million Mexicans use fintech services, and this number is expected to reach 86 million users by 2027.

Despite the growth shown, seven years on from the enactment of the Fintech Law, a reform is expected to lead to a more flexible and collaborative regulatory framework.

A national digital finance strategy (2025–2030) has been launched by the financial authorities, which establishes a roadmap designed to build solutions that drive innovation, including regulatory changes to consolidate Mexico as the digital financial hub of Latin America by 2030. Co-operation between regulators and the private sector will be key to ensuring a competitive, secure and sustainable fintech market.

The Fintech Law was enacted in Mexico in 2018 (officially the Ley para Regular las Instituciones de Tecnología Financiera). It covers two types of financial entities:

• electronic payment institutions (digital wallets); and
• crowdfunding institutions.

The remaining fintech players are addressed by legacy regulations, or are not regulated.

Some of the verticals that currently predominate in Mexico include the following.

• Payments and remittances: central to Mexico’s fintech boom due to the high volume of cross-border transactions, particularly those received from the United States. This is the fastest growing segment, gaining momentum from new wallets, point-of-sale solutions and projects to serve remittances. A governmental authority (Finabien, or Financial for Welfare) even offers digital and in-branch remittance services as an instrument of the Mexican government to promote financial and digital inclusion.
• Lending: digital lending includes consumers and small and medium-sized companies financing. Lending continues to offer new solutions to users with no credit history and unserved users by legacy players.
• Insurtech: focused on disrupting legacy insurance players by offering personalised micro-insurance, primarily through mobile apps, targeting underserved users.
• Wealthtech: focused on helping individuals and businesses manage their investments, retirement funds and savings; this segment leads in AI adoption.
• Neo-banking and challenger banks: fully digital neo-banks that offer banking services through mobile apps. In this business model, legacy players participate with the launch of their digital branches. Also, international players have secured or are in the process of operating in the country via a banking licence. Finally, other players are offering banking-like services, with a limited activity catalogue, using different financial licences such as SOFIPOs (Popular Financial Institutions).
• Cryptocurrency: fintechs using crypto technology went from 6% in 2023 to 10% in 2024, according to Finnovista. Among the most adopted uses that explain this increase are the remittances segment and the use of stablecoins.

From the foregoing, it is clear that the Mexican fintech ecosystem is diverse and expands outside the scope of application of the Fintech Law, with both new and legacy players innovating across verticals. Fintechs are driving innovation in areas such as digital lending, insurtech, and payments and remittances, while legacy players are increasingly embracing digital transformation to stay competitive. The interplay between traditional players and fintechs will continue to shape the future of the industry, with collaborations and partnerships becoming more common.

All financial regulation in Mexico is federal. Financial authorities grant three types of licences based on the financial institution seeking to operate:

• registrations;
• authorisations; and
• concessions.

Depending on the business model, the key regulatory regime applicable to financial industry participants is the following.

• Fintechs: subject to the Fintech Law. Apart from digital wallets and crowdfunding institutions, this includes provisions for cryptocurrency services, open finance and the regulatory sandbox.
• Banks: subject to the Banking Law (Ley de Instituciones de Crédito), which applies to private and state-owned development banks.
• Brokerage firms, stock exchanges, investment advisers: subject to the Securities Market Law (Ley del Mercado de Valores).
• Popular Financial Institutions (SOFIPOs): subject to the Popular Savings and Loan Law (Ley de Ahorro y Crédito Popular). These are a type of non-bank financial institution or savings and loan institution, aimed at serving the unbanked and underbanked population.
• Lending entities (SOFOMs) and money transmitters: subject to the General Law of Credit Activities (Ley General de Organizaciones y Actividades Auxiliares del Crédito). SOFOMs are a type of non-banking financial institution designed to provide credit and lending products. Money transmitters are remittance companies.
• Participants of the payment system: subject to the Financial Services Transparency Law (Ley de Transparencia y Ordenamiento de los Servicios Financieros), among others applicable to payment networks, including electronic payment systems, service providers, clearing houses, aggregators and settlement systems.
• Insurtechs: subject to the Insurance Law (Ley de Instituciones de Seguros y Fianzas), which regulates the insurance industry both for individuals and for businesses.
• Proptechs: subject to the Consumer Protection Law (Ley Federal de Protección al Consumidor), applicable to any business providing goods or services to consumers in México, including proptech services.
• Funds: subject to the Investment Funds Law (Ley de Fondos de Inversión), applicable to a wide range of investment funds, including public equity, private equity, debt instruments and other financial assets.

Furthermore, many fintechs operate in the country through a non-regulated scheme, under specific conditions with limited activities or within certain regulatory grey areas.

Finally, it is important to mention that traditional financial regulation has not yet been updated to apply to the digital world. New entrants in the Mexican market need to adjust their models to already existing regulation. Moreover, due to adjusting business models to an entity-based framework (with a closed catalogue of activities), many entities are forced to request new licences and migrate their business to different frameworks to survive. This is slowing innovation, disabling access to a full range of products and services, and closing the possibility for similar activities to be subject to different regulations.

Any direct or indirect compensation, fee, charge or retention must be disclosed to the customer in a clear and transparent manner. Most fintechs compete against legacy players by charging lower fees or not charging at all (depending on the vertical). However, the need to generate revenue comes with fee structures and monetisation models, with some examples being the following:

• transaction fees in payments and wallets (percentage-based fee per transaction, usually to the merchant, sometimes to the consumer);
• interest-based revenue in lending;
• subscription/membership fees in some neobanks, wealthtech and insurtech platforms (monthly or annual fee for access to premium features, investment tools of better FX rates);
• assets under management fees, especially in wealthtechs (percentage over value of user’s portfolio);
• FX spread or currency exchange fees, common in remittances, crypto exchanges and international payments (profit to the entity);
• interchange fees, in card issuers as the entity earns a cut of the fee from the card network (profit to the entity); and
• flat fees or service charges, especially in lending or insurance, where a fixed fee is charged for application processing, late payments or claims.

The Fintech Law was enacted with the purpose of being a flexible regulation, based on principles, layered according to activities and assets, recognising a dynamic and constantly changing sector, and allowing faster innovation and lower operating costs. Fintechs must meet minimum capital requirements (much lower than banks).

Banks are heavily regulated, with deeper compliance obligations and capital adequacy (Basel standards). They require extensive audits, capital buffers and ongoing reporting. They are supervised more heavily by the National Banking and Securities Commission (CNBV) and Banxico (the Central Bank), and must meet liquidity, solvency and governance requirements. Also, banks face greater regulatory scrutiny regarding risk management and customer protection.

The above differences are only possible given the limited activities that fintechs can undertake, compared to the catalogue of activities of banks.

Mexico’s regulatory sandbox is regulated under the Fintech Law and secondary regulations. It was created to allow innovative financial models to operate temporarily and under the supervision of the relevant financial authority, with a simplified regime.

Eligible entities are those aiming to offer a regulated financial service in an innovative manner, including already licensed financial entities and entities seeking authorisation to become a regulated financial institution, but with a model not fitting the existing regulatory framework or requiring testing before full licensing.

The key criteria include the following:

• they must propose a “financial innovative model”, defined as one that, for the provision of financial services, uses technological tools or means in ways that are different from those existing in the market at the time that the temporary authorisation is granted under the Law;
• the product to be offered or the service to be provided to the public must require testing in a controlled environment;
• the manner in which the financial activity is intended to be carried out must represent a benefit to the customer of the product or service, compared to what is currently available in the market;
• the project must be at a stage where operations can begin immediately; and
• the project must be capable of being tested with a limited number of customers.

If approved, the relevant regulator issues a temporary authorisation (up to an initial two years, which can be extended by one more year). The regulators define limits, participant caps, capital requirements and reporting obligations. Also, regulators take a “supervised flexibility” approach, monitoring real-time performance and impact and offering temporary exemptions from certain obligations; these can be suspended or revoked if the company breaches conditions or harms users.

At the end of the sandbox period, the companies must apply for full regulatory authorisation, if successful. If not viable or not in the public interest, they must shut down the model following the exit mechanisms authorised in the application process.

Despite the existence of regulation on the matter, no companies have received formal sandbox approval from the authorities. Several have expressed interest or have begun application processes, but none have been publicly approved. This is due in part to perception of the process as slow, strict and opaque, particularly for early-stage fintechs.

Some of the main challenges of the regulatory sandbox are the following:

• regulatory conservatism – authorities remain cautious, especially with crypto or high-risk business models;
• strict documentation requirements – even for a temporary test environment, applicants must prepare full legal, financial and operational plans; and
• limited transparency – authorities have not publicly disclosed detailed updates on sandbox evaluations or a pipeline of pending applications.

The financial regulatory landscape in Mexico is divided among several authorities, each with its own jurisdiction and responsibilities.

The main financial regulators and supervisors are the following.

The Ministry of Finance and Public Credit (SHCP)

This is focused on policy development and oversight at a macroeconomic level, as well as on the issuance of AML/CFT regulation. The SHCP is the leading entity of the financial sector and interprets financial laws. It is usually involved in granting certain financial licences.

The Central Bank (Banco de México or Banxico)

This is responsible for monetary policy, payment systems oversight and foreign exchange. Banxico’s role in the supervision of financial institutions is more related to the operational infrastructure of payment systems, rather than to direct supervision of individual financial institutions (this is the responsibility of other agencies such as the CNBV). It is usually involved in granting certain financial licences.

The National Banking and Securities Commission (CNBV)

This is responsible for regulation and supervision of banking and non-banking institutions, fintechs and the securities market sector, among others. It also supervises and enforces prudential regulation and is part of the body that grants certain financial licences. 

The National Insurance and Bonding Commission (CNSF)

This is responsible for regulation and supervision of the insurance and bonding sectors.

The National Commission of the Retirement Savings System (CONSAR)

This is responsible for overseeing and regulating the Mexican retirement savings system.

The Financial Consumer Protection Agency (CONDUSEF)

This is responsible for ensuring that consumers of financial services (all sectors) are treated fairly and transparently. This includes overseeing financial institutions to ensure that they adhere to consumer protection regulations.

Other Relevant Authorities

These include:

• the Tax Authority (SAT) for tax obligations and digital invoicing;
• the Federal Consumer Protection Agency (PROFECO) for consumer protection outside financial services;
• the Mexican Institute of Industrial Property (IMPI) for intellectual property; and
• data privacy authorities and the antitrust authority, among others.

No-action letters are not formally recognised under Mexican law. Some alternatives are informal discussions with regulators to understand their legal standing or requesting formal interpretations of certain provisions, but regulators will not expressly issue a letter in writing expressing that they will not take action or enforce compliance regarding an activity not formally authorised.

In Mexico, regulated entities such as banks, broker-dealers and authorised fintech entities are permitted to hire third parties to carry out certain services related to their operations, under specific regulatory provisions.

There are two main outsourcing regimes:

• third-party service providers, which may include services such as operations support, database and systems management, or cloud computing infrastructure; and
• commission agents, who act on behalf and for the account of the regulated entity to provide regulated services directly to end users, and are typically subject to limits on the amount of money they can handle and the specific services they are allowed to provide to the public.

In both cases, regulated entities must generally obtain prior authorisation from the CNBV before outsourcing services to third parties, except in certain limited cases explicitly exempted under the applicable regulation.

Additionally, outsourced services must comply with strict regulatory requirements, particularly around:

• business continuity and contingency planning;
• technological and information security;
• oversight and auditability; and
• clear accountability and responsibility retained by the regulated entity.

These frameworks are designed to ensure that, even when services are outsourced, the regulated entity continues to uphold the standards and obligations imposed by law.

Fintech entities are liable as gatekeepers with responsibility for the activities on their platform in areas such as AML/CFT compliance, fraud prevention, platform misuse by users, and third-party partnerships, among others. Sanctions can range from fines to licence revocation or referral to prosecutors. 

Regulatory breaches may lead to administrative or criminal sanctions, such as monetary fines and imprisonment.

Some significant enforcement actions in recent years include the following:

• in December 2024, the CNBV revoked the operating licence of a SOFIPO (Financiera Auxi) owing to 15 months of non-compliance with capitalisation requirements;
• in September 2022, the CNBV fined five brokerage houses for unauthorised operations in the debt market; and
• in August 2022, the CNBV imposed 36 fines totalling MXN25.4 million on ten banks for various infractions, such as failing to provide required administrative and accounting information, omitting information and not complying with liquidity coverage obligations.

Sanctions imposed by the financial authorities are not necessarily final; they can be challenged or appealed before a judicial court.

Mexico has clear privacy regulations, contained both in financial regulation (financial secrecy and confidentiality obligations) and in the Federal Law on the Protection of Personal Data Held by Private Parties, which is applicable to everyone, with no distinctions. These rules impose strict requirements on data consent, usage, storage and cross-border transfers.

As for cybersecurity, apart from the very stringent regulation found in financial regulation, no general non-financial regulation has been enacted in Mexico.

Regarding other non-financial services regulations, such as social media or software development, Mexico has clear advertising and consumer protection regulations, as well as intellectual property rules, applicable to all entities.

In addition to regulatory oversight, some non-regulatory actors play a role in reviewing and influencing the conduct of financial industry participants – for example, as follows.

External auditors assess the accuracy of financial reporting, internal controls, and compliance with applicable accounting standards (eg, IFRS or Mexican Financial Reporting Standards (NIF)). Regulated entities – particularly those with public reporting obligations or those handling client assets – are mandated by law to undergo periodic financial audits. Many fintechs and start-ups voluntarily engage auditing firms for credibility with investors, despite not being legally required to do so, especially in the early stages. There is a growing trend of auditors also reviewing non-financial metrics (eg, customer data handling, cybersecurity controls) due to investor pressure.

Industry associations and self-regulatory organisations issue best practices and codes of conduct, and may conduct peer reviews or offer certifications. Membership is generally voluntary; however, regulatory authorities often consult with these bodies during rule-making processes, and their standards may become de facto benchmarks. Participants often follow the standards to gain credibility.

Private equity funds usually require adhesion to financial regulation and strict standards to qualify as a portfolio company.

In Mexico, it is common for industry participants (particularly in the fintech sector) to offer a combination of regulated and unregulated products or services.

However, regulated financial institutions such as banks, broker-dealers and licensed fintechs are subject to strict activity catalogues defined by their enabling laws and regulations, which limit them to offering only services expressly authorised under their licence. As a result, these entities cannot directly provide unregulated services. To navigate this constraint, institutions typically structure their operations using separate legal entities: one to carry out regulated financial activities (eg, offering payment accounts or securities trading), and another to provide unregulated or auxiliary services. While the services may be delivered to the end user through a single digital interface or platform, the underlying operations are legally and technologically separated, often through distinct corporate vehicles and logical segregation, to avoid breaching regulatory limits.

From a compliance standpoint, strict transparency must be followed; therefore, users must be able to clearly identify which legal entity is providing each service, understand what regulatory protections apply, and know how to submit queries or complaints related to each specific service.

Mexican regulators, including the CNBV, Banxico and CONDUSEF, have underscored the importance of transparency in such arrangements and have raised concerns about the risk of misleading users when regulated and unregulated services are combined under the same brand or platform. To mitigate this, entities are expected to maintain clear disclosures and proper internal structuring to ensure regulatory compliance and user protection.

AML and sanctions compliance is a central concern for financial institutions, including regulated and unregulated fintechs, especially as global regulatory scrutiny increases and enforcement becomes more aggressive (eg, the USA designating Mexican drug cartels as foreign terrorist organisations under US law). All entities are expected to adopt robust compliance frameworks to detect, prevent and report suspicious activities under AML/CFT regulation or the Anti-Money Laundering Law.

Some of the key requirements are the following:

• know-your-customer (KYC) procedures;
• transaction monitoring and reporting (eg, suspicious activity reports);
• sanctions screening against national and international lists (eg, OFAC, UN lists);
• record-keeping and audits; and
• risk-based compliance programmes tailored to product and customer profiles.

Some practical implications are the following:

• they must implement or outsource compliance technology, including regtech solutions for customer due diligence and transaction screening;
• they are required to report to regulators, such as the CNBV; and
• there is increasing pressure to demonstrate real-time monitoring capabilities and adaptability to evolving sanctions regimes (eg, FATF blacklists).

Mexico’s AML and sanctions rules do generally follow the standards imposed by the Financial Action Task Force (FATF), of which Mexico is a full member. FATF recommendations on risk-based supervision, KYC, suspicious transaction reporting and record-keeping (among others) are included in Mexican regulations.

Mexican financial laws and regulations generally prohibit non-licensed financial institutions from engaging in any solicitation activities tending to promote or promoting the offering of financial services or products within Mexico.

Nevertheless, Mexican law does not provide any prohibition on foreign financial entities providing financial services in Mexican territory, as long as it is under a reverse solicitation scheme that complies with the following:

• not implying that it is a financial entity authorised by the corresponding Mexican authorities to perform regulated activities;
• not actively soliciting or seeking customer relationships with Mexican customers;
• avoiding a permanent physical presence in Mexico, including offices, agents and representatives, among others – it is possible to establish commercial alliances with strategic partners if such partners are the ones who establish the direct relationship with the Mexican clients;
• not advertising the financial services to the general public through mass media – if it is a web page, it is preferable that it is not a .mx domain and is written in English or the language that applies; and
• clearly stating that the services are provided by a foreign entity with the applicable regulations.

Also, even under reverse solicitation, the foreign institution may need to be compliant with relevant Mexican laws, especially regarding AML/CFT rules. It may still need to report certain activities to Mexican authorities, particularly if involved in large transactions (antitrust).

Robo-advisers are recognised in the Securities Market Law. However, no special secondary regulation has yet been issued, so they must comply with the legacy investment advisers’ provisions.

Robo-advisers are required to provide appropriate disclosures to their users regarding the risks associated with investment strategies, particularly since they often rely on algorithms and automated systems to make decisions. This is in line with CNBV regulations that require financial service providers to disclose risks related to the financial products they offer, including security tokens and cryptocurrencies.

Regarding business models, robo-advisers offering services such as investment advice and portfolio management must be authorised by the CNBV. A specific model of authorisation for robo-advisers is not in place; thus, the entity must comply with the authorisation process of non-automated investment advisers.

In recent years, legacy financial institutions (such as banks, brokerage firms and asset managers) have been increasingly adopting robo-adviser-like solutions or integrating similar technology into their existing services, particularly through the following solutions.

• Partnerships with fintechs that specialise in robo-advisory services. These collaborations allow legacy players to integrate automated features into their offerings without having to build the technology from scratch.
• Some legacy players have developed their own robo-advisory services, including portfolio management, risk assessment and personalised investment recommendations.
• Some legacy players have implemented “super apps” that are integrating robo-advisory/wealth management as a feature into their existing mobile banking applications.
• Legacy players are adopting AI and machine-learning algorithms to provide personalised services, including automated investment advice, trying to replicate the success of robo-advisers.

In Mexico, the best execution of customer trades refers to the obligation of financial institutions, broker-dealers and robo-advisers (among others) to execute trades on behalf of their clients in a manner that ensures the most favourable outcome for the client, in terms of price, speed and overall execution quality. Nevertheless, there are some issues that relate to the best execution of customer trades, such as the following.

• While the CNBV requires fair treatment of clients under general conduct rules, explicit best-execution standards are less developed but increasingly referenced in practice. This may create regulatory ambiguities and gaps.
• The Mexican financial market is less liquid compared to more developed markets; this can create challenges in achieving best execution of customer trades.
• Broker-dealers and trading platforms may have limited access to global execution venues compared to those in more developed markets. While there are both domestic exchanges (such as Bolsa Mexicana de Valores (BMV) or Bolsa Institucional de Valores (BIVA)) and some international exchanges accessible to Mexican brokers, these platforms may have different liquidity levels, order types and costs associated with them.
• Although a cornerstone of investor protection, it is increasingly tested by technological innovation, evolving business models and regulatory gaps.

Under Mexican law, fiat currency loans can be granted by regulated or non-regulated (commercial) entities. If granted by commercial entities, the major applicable regulation is the Anti-Money Laundering Law. If granted by financial entities, certain tax benefits may apply when requirements are met. Some of the regulated entities that can grant loans are banks, SOFIPOs and SOFOMs.

The underwriting process in Mexico is not dictated by regulation, though it does establish certain methodology for regulated entities, such as obligations to evaluate creditworthiness, AML and KYC requirements, risk management rules, and capital adequacy or consumer protection standards.

Credit scoring usually includes credit bureau reports, proof of income or bank statements, tax returns, or the use of alternative data (behavioural data, device metadata, social media signals, or transactional history from e-commerce or payment processors).

The sources of funds for fiat currency loans vary depending on the type of lender.

Peer-to-Peer (P2P) Lending or Crowdfunding

Retail investors or institutional investors lend directly to borrowers via a P2P platform. The platform must:

• disclose risks and returns to investors;
• implement AML and KYC procedures;
• ensure proper dispute resolution mechanisms and transparent operations; and
• in general, ensure full compliance with the Fintech Law.

Capital Raised From Investors

This includes private equity, venture capital or institutional investors that inject funds into a lender (such as a SOFOM or commercial company) for lending purposes. Regulation is focused on investors’ KYC and source of funds, and on full transparency to borrowers.

Deposit Taking

Banks may use the funds from their clients’ deposits and lend them to other clients. Fully regulated by banking regulation, banks must obtain a proper licence, and comply with capital adequacy and liquidity regulations as well as with AML/CFT provisions.

Securitisations or Public Market

This is heavily regulated by the Securities Market Law. Proper disclosures, risk management and investor protection are key compliance requirements.

Syndication of fiat currency loans does take place in Mexico, though it is primarily seen in large-scale loans (such as infrastructure projects or cross-border financing) or corporate financing. General commercial and financial provisions apply or, if securitised, the Securities Market Law would apply.

The process in Mexico is relatively equivalent to global standards.

In Mexico, payment processors are generally expected to operate through existing, authorised payment infrastructures, such as the Interbank Electronic Payment System (SPEI), the Interbank Payments System in US dollars (SPID) or Card Payment Networks – all of which are subject to regulatory oversight by Banxico, and in the case of card networks, by the CNBV as well.

The SPEI and SPID are real-time gross settlement systems that allow for secure and immediate transfer of funds between accounts held at different financial institutions – both are administered by Banxico. They are a core component of Mexico’s payment system infrastructure and are subject to strict technical and operational standards issued by Banxico.

Furthermore, when a payment processor handles card-based transactions, it becomes a participant in a Card Network and is required to comply with the provisions set out in the General Provisions Applicable to Card Payment Networks. These rules establish obligations related to technical and operational standards, interoperability, user fee transparency, fraud prevention, business continuity and fair commercial practices.

Although there is no express legal prohibition against the development of new or proprietary payment rails, any system that involves the settlement of funds between third parties, client fund custody or systemic risk may be deemed a payment system under the Law of Banco de Mexico, and would therefore require prior authorisation from the central bank. In practice, many fintech companies develop their own front-end technology (eg, digital wallets, QR code solutions or APIs), but operate on top of existing rails and must comply with technical, security and operational standards.

In Mexico, cross-border payments and remittances are regulated primarily to ensure financial transparency, consumer protection and compliance with AML/CFT standards. Banks, money transmitters and regulated fintech institutions are each subject to sector-specific regulations issued by the CNBV, which include obligations such as KYC requirements, internal controls, suspicious transaction reporting and record-keeping. These requirements vary based on the institution’s licence and business model.

Beyond AML/CFT compliance, cross-border payment providers must also meet authorisation requirements, adhere to operational and technological standards, and comply with rules on fee transparency, exchange rate disclosure and user complaint mechanisms.

While supervision is primarily conducted by the CNBV, Banxico plays a central role in managing the infrastructure that enables fund transfers, particularly through systems such as the SPEI, and oversees activities related to the use of foreign currency. Together, these regulatory layers aim to ensure that cross-border transfers are secure, traceable and accessible to users.

The regulatory framework applicable to marketplaces and trading platforms in Mexico depends largely on the nature of the asset being traded and the role the platform plays in facilitating transactions.

For the trading of traditional financial instruments, the most heavily regulated environments are the official stock exchanges: BMV and BIVA. These are classified as centralised markets under the Securities Market Law and are subject to comprehensive oversight by the CNBV. Listing and operational requirements are extensive, including strict rules on disclosure, corporate governance, transparency and market conduct.

In parallel with the exchanges, broker-dealers may operate internal order-matching systems or facilitate over-the-counter trades. While these systems do not constitute formal markets, they act as execution mechanisms and are also subject to CNBV supervision.

Within the fintech sector, regulated crowdfunding platforms may facilitate investment in financial products, typically without taking custody of client funds or executing trades themselves. These platforms operate under the Fintech Law, which focuses on investor protection, transparency and operational integrity, rather than traditional market infrastructure regulation.

Finally, there is a growing segment of unregulated or lightly regulated platforms, particularly in the crypto-asset space, where entities may enable the buying and selling of digital assets without falling within the formal definitions of regulated marketplaces. These platforms operate in a legal grey area and are not currently subject to the same disclosure or investor protection rules as traditional or fintech-regulated platforms.

Different asset classes, such as cryptocurrencies, stablecoins and security tokens, are subject to different regulatory regimes. The Mexican legal framework distinguishes these assets based on whether they are considered financial instruments, virtual assets or unregulated instruments.

Cryptocurrencies (referred to in the law as “virtual assets”) are not considered legal tender or financial instruments, and are only partially regulated under the Fintech Law and secondary regulation, allowing financial institutions to only conduct internal operations with them – meaning operations carried out internally for their own account or between their clients. Financial entities are prohibited from offering virtual asset services directly to the public.

In parallel, under the Anti-Money Laundering Law, crypto exchanges are non-financial entities considered to be undertaking a “vulnerable activity”, triggering obligations such as KYC and transaction reporting to the SHCP when certain thresholds are met.

Stablecoins are excluded from the legal definition of virtual assets and, instead, are considered currency (ie, that which backs the stablecoin).

Finally, security tokens, which represent digital versions of regulated financial instruments such as debt or equity, are fully subject to the Securities Market Law when they function as securities. This means that their issuance and trading must be conducted through licensed intermediaries, in compliance with rules on registration, disclosure, investor protection and supervision by the CNBV.

Please refer to 6.2 Regulation of Different Asset Classes.

Listing standards for securities are primarily governed by the Securities Market Law, regulations issued by the CNBV and the internal rules of the authorised stock exchanges. The regulatory requirements are standard and similar to other jurisdictions – mainly, issuers need to:

• prepare a prospectus approved by the CNBV;
• disclose audited financial statements;
• comply with corporate governance requirements (such as appointing independent board members and audit committees); and
• meet ongoing disclosure and reporting obligations.

In parallel with these legal requirements, the industry broadly adheres to voluntary industry associations and self-regulatory organisations best practices. These include the adoption of the Code of Principles and Best Practices of Corporate Governance, which outlines recommendations on transparency, board structure, shareholder rights and internal controls. While not legally binding, these industry standards are widely followed by public companies and are often expected by institutional investors, serving as a key benchmark for governance and market credibility.

Order handling rules do apply in Mexico. Principles include:

• best execution;
• order priority;
• segregation of proprietary and client orders;
• aggregation and allocation;
• client instructions; and
• record-keeping.

These rules are in line with international standards such as those from the International Organization of Securities Commissions (IOSCO), of which Mexico is a member.

The rise of peer-to-peer (P2P) trading platforms has fairly impacted traditional and fintech players. Some challenges for traditional financial institutions have included:

• disintermediation threats;
• pressure to innovate; and
• trust and brand advantage.

For fintech players, new opportunities have risen as regards competition, differentiation and strategic alliances.

A major impact of the rise of P2P trading platforms can be for the market and consumers, including (among others):

• legal uncertainty;
• a lack of KYC/AML compliance; and
• a lack of consumer protection and supervision.

Crypto P2P and DeFi platforms may fit into these kinds of platforms.

Payment for order flow is not explicitly permitted nor entirely prohibited by name in current Mexican regulation, though the practice is generally discouraged and constrained due to conflict-of-interest concerns and best-execution obligations.

Market integrity and market abuse are primarily established in the Securities Market Law, as well as in the secondary regulations mainly enforced by the CNBV. Basic principles include the following:

• transparency is fundamental – participants are required to disclose information including financial statements, corporate events and material changes that could affect securities;
• insider trading is strictly prohibited;
• market manipulation is prohibited, such as placing fake orders to manipulate prices and artificially inflating the price of a security to sell it at a profit;
• the stock exchanges are required to maintain fair and orderly markets, assuring fair trading and equal access; and
• financial institutions, intermediaries and public companies must adhere to AML/KYC regulations.

Please refer to 6.4 Listing Standards.

In Mexico, there are specific regulations governing the creation and use of high-frequency trading (HFT) and algorithmic trading technologies, particularly for firms operating in regulated markets (eg, equities, fixed income, derivatives).

Rules are found in:

• the Banking Rules (Circular Unica de Bancos) issued by the CNBV;
• market infrastructure rules (BMV, BIVA and MexDer, each having its own rulebook);
• Banxico’s regulations; and
• IOSCO principles.

Different asset classes have tailored regulatory requirements, especially in derivatives and FX, due to risk exposure and market structure:

• equities (BMV/BIVA) – strong focus on pre-trade risk checks, fair access and trade reporting;
• fixed income – less algorithmic activity, but subject to price transparency rules and internal compliance;
• derivatives (MexDer) – heavier risk controls due to leverage, and margining, clearing and position monitoring are stricter; and
• FX (via Banxico) – algorithms in FX markets are regulated primarily by Banxico, especially for liquidity providers.

Financial institutions functioning as market makers in a principal capacity are required to be licensed or authorised by the CNBV and/or Banxico, sometimes through a formal selection process. Market makers must be licensed banks or brokerage firms and must sign a market-making agreement with the exchange or relevant authority. They have to maintain minimum quoting/bidding obligations and submit monitoring and performance evaluations, including reporting and transparency duties.

Funds and dealers are entities that are subject to different regulatory frameworks. Some of the key differences include the following.

Funds Engaging in HFT and Algorithmic Trading

Activities are subject to the Investment Funds Law (which focuses on investor protection, transparency and reporting requirements) and are supervised by the CNBV. Funds that use algorithmic or HFT strategies may need to disclose the risks associated with these techniques in their fund documentation and ensure compliance with broader regulations on market conduct and systemic risk.

Dealers Engaging in FT and Algorithmic Trading

Dealers must comply with specific regulations related to their trading activities – this includes anti-manipulation rules, fair pricing practices and liquidity requirements. Dealers are also subject to requirements around capital adequacy, operational risk management and trade reporting. The CNBV requires financial dealers (such as brokerage firms, market makers and trading institutions) to be properly licensed and registered to operate in Mexico.

Programmers who develop and create trading algorithms and other electronic trading tools are not directly regulated in Mexican law, but licensed entities using them would usually have to comply with regulation to hire them.

Please refer to 2.8 Outsourcing of Regulated Functions.

Insurance institutions in Mexico follow a process to assess risk and determine the terms of the specific insurance policy. The process typically includes application, risk assessment, pricing and terms, and approval or denial.

The CNSF is the main regulatory and supervisor authority for the insurance industry in Mexico, including the insurtech segment, both of which must comply with the Insurance Law. This law establishes rules for underwriting practices, solvency requirements and consumer protection. Regarding the underwriting process, the Insurance Law includes disclosure requirements, risk management and consumer protection.

Different types of insurance are treated differently by both industry participants and regulators. All insurance products must comply with the general legal and regulatory framework (the Insurance Law and secondary legislation), though there are also specific rules, supervisory practices and operational differences based on the type of insurance. Types of insurance mainly differ regarding:

• the risks covered;
• the way the products are marketed;
• the types of customers involved;
• capital requirements; and
• the reserves for ensuring the payment of future claims.

All types of insurance institutions are governed by the CNSF.

In Mexico, there is no specific, standalone regulation for regtech providers. Nevertheless, they must adhere to the same general regulatory framework that applies to other financial services firms, depending on the services they provide (including AML regulations, data protection laws and cybersecurity standards). 

Please refer to 2.8 Outsourcing of Regulated Functions.

As there is no specific regulation for regtech providers, the following distinction must be made:

• if regtech providers seek to contract with licensed financial institutions (banks, broker-dealers and authorised fintech entities), they must comply with the third-party service providers’ rules, and specific contractual clauses should be included (for this scenario, please refer to 2.8 Outsourcing of Regulated Functions); and
• if regtech providers seek to contract with non-regulated companies, there are no regulations governing the contractual terms, thus allowing flexibility to negotiate contractual obligations with providers (usually following industry customs).

Traditional financial institutions are actively exploring blockchain but are generally doing so with caution and strategic intent rather than large-scale implementation. Their approach focuses on efficiency, security and compliance, and tends to prioritise permissioned (private) blockchain solutions over public blockchains.

Blockchain technology itself is not regulated, but activities related to blockchain such as cryptocurrencies (virtual assets) are subject to regulations under legal frameworks – eg, the Fintech Law. However, companies implementing blockchain are still required to comply with general data protection laws, and contractual and consumer protection regulations.

Even though Mexican authorities and regulators are monitoring technology developments such as blockchain, no proposals or reforms are expected in the short-term.

Blockchain assets are not regulated according to the technology in which they are based, but rather according to the type or instrument that they are. For example, blockchain assets may be virtual assets, and they are regulated by the Fintech Law. Other assets can include those traded in the securities exchange if they comply with the definition in the Securities Market Law. Stablecoins are considered legal tender, and banking and currency exchange regulations will apply.

Please refer to 6.2 Regulation of Different Asset Classes.

Please refer to 10.3 Classification of Blockchain Assets.

As for ICOs and token sales, Mexico does not have a specific framework – rather, the law regulating the underlying asset would apply.

Please refer to 6.2 Regulation of Different Asset Classes.

Staking is not specifically regulated, but it may trigger regulation under the Fintech Law, Banxico rules or even the Securities Market Law, depending on the structure (especially if offered by a licensed entity).

In Mexico, the provision of lending services involving cryptocurrencies (virtual assets) is not explicitly regulated as a financial activity under current legislation. While the Fintech Law provides a limited regulatory framework for the use of virtual assets by fintech institutions, it does not extend to the offering of credit or lending services denominated in, or backed by, cryptocurrencies.

As a result, companies or platforms offering crypto-based lending operate in a regulatory grey area and are not subject to supervision by the CNBV or Banxico unless they also engage in other regulated financial services. However, given that these activities involve the granting of credit or loans, they may fall within the scope of “vulnerable activities” under the Anti-Money Laundering Law, which classifies the offering of loans, with or without collateral, by non-financial entities as subject to AML obligations. In such cases, service providers must identify clients and file reports with the SHCP when they reach a certain threshold.

Therefore, while crypto lending is not expressly prohibited, it is currently unregulated and may still trigger AML reporting requirements depending on how the service is structured and offered.

Also, in line with the regulator’s statements, providers are expected to include disclaimers stating that the service is not regulated or supervised by financial authorities, and users assume the associated legal and financial risks.

Cryptocurrency derivatives cannot be offered to the public through Mexican-regulated entities unless explicitly authorised, and no such authorisation has been granted to date.

To date, there is no specific regulation in Mexico that directly governs DeFi protocols or platforms. The existing legal framework is focused on centralised, identifiable financial intermediaries, such as banks, broker-dealers and licensed fintech institutions.

However, the absence of DeFi-specific regulation does not exempt all activity from legal risk. If a party facilitates or promotes the trading of cryptocurrencies or security tokens (even through a decentralised platform), they may still fall within the scope of existing laws, depending on the function they perform. For example, if the tokens being traded qualify as securities, their offering or intermediation could trigger obligations under the Securities Market Law, especially if the service targets the public or involves Mexican investors. Similarly, if a platform enables the habitual and professional exchange of virtual assets, and is operated by a non-financial entity, it could be considered a “vulnerable activity” under the Anti-Money Laundering Law, requiring registration and reporting.

Therefore, if a person or entity develops, controls, markets or profits from a DeFi protocol, authorities may look through the decentralised label and treat them as a functional intermediary, especially if there is a clear point of contact or governance.

There is no specific regulation for funds investing in blockchain assets. Funds will have to comply with the Investment Funds Law, regardless of the assets in which they invest.

Virtual currencies are regulated under the Fintech Law. Please refer to 6.2 Regulation of Different Asset Classes.

Blockchain assets are not regulated per se. Please refer to 10.3 Classification of Blockchain Assets.

NFTs and NFT platforms are not yet explicitly regulated in Mexican law, though they are subject to certain regulatory frameworks based on the nature of the asset and the activities involved. The Fintech Law, the Securities Market law, Banxico regulations, consumer protection laws and intellectual property laws may be applicable.

The Fintech Law defined the general basis for open finance in Mexico. Article 76 of said Law establishes, for financial entities and some other market participants, the obligation to share and make available open, aggregate and transactional data. Since it involves an exchange of information between financial institutions and not only between banks, the Mexican model is more open finance than open banking. The Fintech Law, fulfilling its purpose of being a law based on principles and establishing broad criteria, left the power to the CNBV and the Central Bank to issue secondary rules with the API standards to be applied for open finance.

Full implementation of open finance has not been possible since much of the regulation has not been issued. Up-to-date secondary regulation only focuses on open data for ATMs.

To ensure the proper functioning of open finance, both banks and technology providers must comply with the regulatory framework, including secrecy, data privacy and data security requirements.

The Fintech Law establishes guidelines for sharing financial data through APIs. This ensures that customers have the right to grant explicit consent before their data is shared with third-party providers. Also, the law requires financial institutions to maintain the privacy and confidentiality of customer data, mandating the use of strong encryption methods for data transmission between financial institutions.

Moreover, the Mexican Data Protection Law requires any organisation, including banks and technology providers, to implement data protection measures to ensure that personal information is handled properly and securely.

Nevertheless, secondary legislation for the exchange of aggregated and transactional data is still pending following the enactment of the Fintech Law.

Fraud is regulated through a combination of criminal law, financial regulations and sector-specific rules.

Criminal Law

The Federal Criminal Code classifies fraud as a criminal offence; it includes obtaining money, goods, or services through deception, trickery or misrepresentation. The penalty depends on the amount defrauded, and includes fines and restitution.

Financial and Banking Regulations

Violations may lead to administrative sanctions and criminal prosection:

• the Banking Law governs fraud involving banking services (unauthorised transactions, phishing, identity theft);
• the Securities Law governs securities and investment fraud (misrepresentation in the sale of stocks, bonds, ponzi schemes, pyramid schemes);
• the Fintech Law governs fraud in fintech platforms and virtual assets; and
• the Insurance Law governs insurance fraud (staging accidents, faking deaths, inflating claims).

In July 2024, the CNBV introduced new regulations aimed at enhancing fraud prevention within banking institutions. These rules are designed to strengthen banks’ internal control frameworks to more effectively detect and prevent fraudulent activities.

Specifically, the CNBV’s regulations require banks to integrate comprehensive fraud-prevention measures into their internal controls. This includes implementing robust systems and procedures to identify, monitor and mitigate potential fraud risks. The goal is to ensure that banks have proactive mechanisms in place to safeguard against fraudulent activities and protect consumers. The new internal control regulations also target the risk of internal fraud/insider threats by requiring institutions to have better surveillance, segregation of duties and fraud-reporting mechanisms.

Regulators are particularly focused on fraud types that pose the greatest risks to the financial system, public finances and consumer protection, and are increasingly focused on digital and cyber-enabled financial fraud, especially in light of the rapid growth in electronic and mobile banking.

Given the rise in digital financial services, organised crime and corruption, regulators are actively prioritising high-impact fraud schemes, especially those with links to money laundering, tax evasion and financial market abuse.

As for identity theft and account takeover, the CNBV and the Unidad de Inteligencia Financiera (UIF) require financial institutions to implement stronger KYC and authentication processes to prevent these attacks, including biometric checks and multi-factor authentication.

Tax fraud is a priority for the current federal government, and is estimated to cost billions of pesos annually. A reform in 2020 made large-scale tax fraud a serious federal crime with no access to bail.

Please refer to 12.1 Elements of Fraud.

A fintech service provider can be held responsible for customer losses in specific situations, particularly when the loss arises from negligence, system failure, non-compliance with regulations, or unauthorised transactions. The extent of this liability is shaped by the Fintech Law, consumer protection laws and financial services regulations enforced by authorities such as CONDUSEF, the CNBV and Banxico.