Although the volume of new entrants has stabilised, the Mexican fintech ecosystem is transitioning into a more mature phase, characterised by a strategic focus on profitability, scalability and operational resilience. Payments and remittances remain the primary engines of growth, as demand for digital and cross-border transactions persists.

Mexico’s Fintech landscape is increasingly incorporating crypto rails, especially stablecoins, to improve efficiency and reduce costs in payments and remittances.

Notably, Revolut’s entry as a licensed bank ‒ becoming the first independent digital bank to launch full banking operations in Mexico ‒ marks a milestone for digital models and underscores how global fintechs are targeting big underbanked markets.

At the same time, Nu México has obtained regulatory approval to transition from a SOFIPO to a full banking institution, significantly expanding its product suite (including payroll accounts) and reinforcing competitive pressure in the financial sector by leveraging its strong digital-first customer base.

During 2026, Mercado Pago may also formally enter the regulated banking sector.

In addition to private sector developments, the market over the next 12 months may also be shaped by government-led digital payments initiatives. One such governmental initiative involves the launch of a payments-focused “super app”, aimed at accelerating the transition from cash to digital payments through QR-based transactions, led by Financiera del Bienestar and the Agency for Digital Transformation (ATDT).

In Mexico, AI is increasingly used within the financial system to automate processes such as credit risk evaluation, fraud detection, and customer service, enhancing both operational efficiency and competitiveness.

On the regulatory front, significant shifts are underway to modernise the 2018 fintech legal framework(formally known as the Ley para Regular las Instituciones de Tecnología Financiera), as well as other financial regulations requiring updating. The industry is actively pushing for amendments to the Fintech Law to streamline licensing processes, expand the catalogue of permitted activities, and finalise pending open finance regulations. These reforms are expected to be the primary catalysts for the sector's next stage of institutional growth. In parallel, authorities are placing increased emphasis on AML/CTF and sanctions compliance, with a stronger focus not only on the source of funds, but also on the destination and purpose of transactions, driven in part by international enforcement actions and alerts issued by US authorities, including the US Financial Crimes Enforcement Network (FinCEN). This has required fintechs and other financial institutions to enhance transaction monitoring, sanctions screening, and cross-border risk controls.

In addition, public consultations are currently targeting the decentralisation of card payment networks to reduce market concentration and discourage cash usage, with reforms expected to be approved in the next year. A key pillar of this initiative is the restructuring of interchange fees, which currently impose a financial burden on Mexican SMEs and fintechs. By capping these fees, regulators intend to bridge the acceptance gap and make digital payments viable for small-ticket transactions.

In Mexico, the Fintech Law specifically regulates only two types of entities: Electronic Payment Institutions (wallets) and Crowdfunding Institutions. Beyond these specific categories, the broader fintech ecosystem operates under a variety of frameworks depending on their business model. For the purposes of this Q&A, references to fintech entities or regulated fintechs refer exclusively to those covered by the Fintech Law.

Many players fall under legacy financial regulations, such as those governing credit institutions (banks) or investment funds, while others operate as unregulated commercial entities that are not subject to direct financial supervision. Consequently, a significant portion of the sector provides financial services through strategic partnerships with licensed entities or by navigating specialised provisions within existing legal frameworks rather than the Fintech Law itself.

As of 2025, the following verticals dominate the fintech market in Mexico.

• Payments and remittances: central to Mexico’s fintech boom due to the high volume of cross-border transactions, particularly received from the USA.

• Lending: includes consumers and small and medium-sized companies financing. Lending continues to offer new solutions to the users with no credit history and unserved users by legacy players, often supported by alternative data and AI-driven credit assessment models.
• Insurtech: focused on disrupting legacy players by offering personalised micro-insurance primarily through mobile apps, targeting underserved users.
• Wealthtech: focused on helping individuals and businesses manage their investments, retirement funds and savings, this segment leads in AI adoption, particularly in portfolio optimisation and customer analytics.
• Neo-banking: fully digital banks that provide banking services through mobile apps. In this model, legacy players participate by launching their digital branches.
• Cryptocurrency: the number of non-regulated fintechs using crypto technology is increasing. The increase in adoption is driven by the remittances segment and the use of stablecoins, primarily as a functional medium for payments rather than as speculative investment products.

Fintechs are driving innovation in areas like digital lending, insurtech, and payments and remittances, while legacy players are increasingly embracing digital transformation to stay competitive. Collaborations and partnerships are playing an increasingly central role in shaping the next phase of market development.

All financial regulation in Mexico is federal. Financial authorities grant three types of licences based on the financial institution: registrations, authorisations and concessions.

Oversight and enforcement are shared among the following authorities.

• Secretaría de Hacienda y Crédito Público (SHCP): the finance ministry responsible for financial policy and oversight of the financial system, including co-ordinating the banking and securities sectors, overseeing AML/CFT policy and developing and issuing high level financial regulations.
• Comisión Nacional Bancaria y de Valores (National Banking and Securities Commission) (CNBV): the primary regulator responsible for authorising, regulating, supervising and enforcing compliance for banks, fintechs and other regulated financial institutions.
• Banco de México (“Banxico”): Mexico’s central bank, mandated to issue and supply the national currency, promote the healthy development and proper functioning of payment systems, and set certain regulatory conditions for financial operations, mainly related to payments.
• Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros (National Commission for the Protection and Defense of Financial Services Users) (CONDUSEF): the financial consumer protection authority responsible for promoting transparency and financial education, handling complaints and claims from users of financial services, and safeguarding consumers rights.
• Comisión Nacional de Seguros y Fianzas (National Insurance and Bonding Commission) (CNSF): the insurance and surety regulator responsible for authorising, supervising and regulating insurance companies, bonding institutions and other entities operating in the insurance and surety sector.
• Comisión Nacional del Sistema de Ahorro para el Retiro (National Commission of the Retirement Savings System) (CONSAR): responsible for overseeing and regulating the Mexican retirement savings system.
• Other relevant authorities: the Tax Authority (SAT) for tax obligations and digital invoicing, the Federal Consumer Protection Agency (PROFECO) for consumer protection outside financial services, Intellectual Property (IMPI), the data privacy authorities and the Antitrust Agency, among others. These authorities may assert jurisdiction depending on the specific activity, product or technology involved.

The key regulatory regime applicable to financial industry participants, depending on the business model, are the following.

• Fintechs: subject to Fintech Law. Apart from digital wallets and crowdfunding institutions, it includes provisions for cryptocurrency services, open finance and regulatory sandbox.
• Banks: subject to the Banking Law (Ley de Instituciones de Crédito), which applies to private and state-owned development banks.
• Brokerage firms, stock exchanges, investment advisors: subject to the Securities Market Law (Ley del Mercado de Valores).
• Popular (Non-Banking) Financial Institutions (SOFIPOs): subject to the Popular Savings and Loan Law (Ley de Ahorro y Crédito Popular). These are a type of non-bank financial institutions designed to provide services to unbanked and underbanked populations.
• Lending Entity (SOFOM) and Money Transmitters: subject to the General Law of Credit Activities (Ley General de Organizaciones y Actividades Auxiliares del Crédito). SOFOMs are a type of non-banking credit institution designed to provide credit and lending products. Money transmitters are remittance companies.
• Participants of the Payment System: subject to the Financial Services Transparency Law (Ley de Transparencia y Ordenamiento de los Servicios Financieros), amongst others. This applies to payment networks, including electronic payment systems, service providers, clearing houses, aggregators (PayFacs) and settlement systems.
• Insurtech: subject to the Insurance Law (Ley de Instituciones de Seguros y Fianzas).
• Proptech: subject to the Consumer Protection Law (Ley Federal de Protección al Consumidor), which is applicable to any business providing goods or services to consumers in México.
• Funds: subject to the Investment Funds Law (Ley de Fondos de Inversión), which is applicable to a wide range of investment funds, including public equity, private equity, debt instruments and other financial assets.

In addition, many fintechs operate through a non-regulated scheme, under specific conditions with limited activities or within certain regulatory grey areas or under alliances with licensed entities.

Any direct or indirect compensation, fee, charge, or retention must be disclosed to the customer in a clear and transparent manner. While many fintechs compete with legacy players by offering lower or waived fees, they sustain their operations through diverse monetisation models.

Common structures include the following.

• Transaction and interchange fees: percentage-based fees on payments (usually charged to merchants) or revenue shares earned from card networks.
• Interest and spreads: revenue generated from lending interest or FX margins in payments, remittances and crypto exchanges.
• Subscription and asset fees: recurring memberships for premium features or percentage-based fees on a user’s total assets under management.
• Flat service charges: fixed fees for specific events, such as loan processing, claims or late payments.

The validity of these models relies on transparency, ensuring customers understand all costs and calculation methodologies before entering into a contract.

The Fintech Law was enacted with the purpose of being a flexible regulation, based on principles, layered according to activities and assets, and recognising a dynamic and constantly evolving sector. This approach aims to provide faster innovation and lower operating costs. Under this framework, fintechs are subject to minimum capital requirements, as well as ongoing audit, accounting, and regulatory reporting obligations that are sometimes lower than those applicable to legacy players. However, in practice, many fintechs have expressed concerns that the regulatory framework has not fully achieved this intended level of flexibility, citing licensing timelines, operational restrictions, and compliance burdens as limiting factors for innovation and market entry.

Banks are heavily regulated, with deeper compliance obligations and capital adequacy (Basel standards). They require extensive audits, capital buffers and ongoing reporting. They are supervised more intensively by the CNBV and Banxico, and must meet liquidity, solvency, and governance requirements. Banks also face greater regulatory scrutiny regarding risk management and customer protection.

The above differences are only possible because of the limited activities fintechs can undertake, compared to the extensive catalogue of activities of banks.

Mexico’s regulatory sandbox is regulated under the Fintech Law and its secondary applicable regulations. It was created to allow innovative financial models to operate temporarily and under supervision of the financial authorities, with a simplified and temporary regime. The sandbox was designed as an exception-based mechanism rather than a fast-track authorisation process.

The eligible entities are those aiming to offer regulated financial services in an innovative manner, including already licensed financial entities and entities seeking authorisation to become regulated. It also covers models that do not fit the existing regulatory framework or require testing before full licensing. Both incumbents and new market entrants may apply, provided the innovation cannot be implemented under existing licences without prior testing.

To qualify, applicants must propose an innovative model that differs from existing market practices and requires testing in a controlled environment. The model must provide benefits to customers, be at a minimum viable stage (ready to operate), and be capable of being tested with a limited number of customers under predefined operational, transactional and risk limits. If approved, the regulator may grant a temporary authorisation for up to two years, extendable for one additional year. During this period, the regulator sets operational limits, capital and reporting requirements, and may grant limited regulatory exemptions under a supervised framework. At the end of the sandbox period, participants must either obtain full authorisation or exit the market.

Despite the existence of this regulatory framework, no companies have received formal sandbox approval to date, largely due to a conservative regulatory approach, strict documentation requirements and limited transparency in the evaluation process.

The financial regulatory landscape in Mexico is divided amongst several authorities, each with its own jurisdiction and responsibilities established by law. Regulatory oversight is activity-based rather than entity-based, which often results in overlapping or concurrent jurisdiction. Overlapping jurisdiction in Mexico is managed through a functional allocation of powers based on the specific activities performed. In cases of regulatory uncertainty, market participants commonly request confirmation of regulatory criteria from the relevant authorities in order to clarify the applicable framework.

See 2.2 Regulatory Regime.

No-action letters are not formally recognised under Mexican law. Alternatives include informal discussions with regulators to understand their legal standing or requesting formal interpretations of certain provisions (criteria confirmation). However, regulators will not expressly issue written letters stating that they will not act or enforce compliance regarding an activity that is not formally authorised. 

In Mexico, regulated financial entities are permitted to engage with third parties to carry out certain services related to their operations, under specific regulatory provisions.

There are two main outsourcing regimes.

• Third-party service providers: these may include services such as operations support, database and systems management, or cloud computing infrastructure.
• Commission agents: these act on behalf of and for the account of the regulated entity to provide regulated services directly to end users. They are typically subject to limits on the amount of money they can handle and the specific services they are allowed to provide.

In both cases, regulated entities must comply with outsourcing requirements. Generally, this involves obtaining prior authorisation from the regulator (except if engaging with another regulated entity); however, depending on the nature of the services and the specific entity type, certain activities may only require a formal notice (prior notification) to the authority. These obligations apply to all core operational outsourcing, except in limited cases explicitly exempted under the applicable regulation.

Additionally, outsourced services must comply with strict regulatory requirements, particularly concerning:

• business continuity and contingency planning;
• technological and information security;
• oversight and auditability; and
• clear accountability and responsibility retained by the regulated entity.

Fintech entities in Mexico are liable as gatekeepers for activities on their platforms, in areas such as AML/CFT compliance, fraud prevention, platform misuse by users and third-party partnerships. They can face direct penalties ranging from fines to licence revocation, or suspension of activities.

Regulatory breaches may lead to administrative or criminal sanctions, such as monetary fines and imprisonment. Sanctions imposed by financial authorities are not necessarily final; they can be challenged or appealed before a judicial court.

Key enforcement trends and recent significant actions by the CNBV and other authorities include the following.

• AML/CFT enforcement: in mid-2025, the CNBV imposed record-breaking fines totalling approximately MXN185 million across three major institutions: CiBanco (Bank), Intercam Banco (Bank) and Vector Casa de Bolsa (Brokerage Firm), for (i) systemic failures in reporting international transfers, (ii) accepting cash in US dollars above regulatory limits, (iii) deficiencies in money laundering prevention systems and transaction monitoring, and (iv) reporting lapses and failures in disclosing mandatory information.

These actions were triggered by an international investigation by the US Treasury (FinCEN), leading the CNBV to order temporary managerial interventions to replace the boards of these institutions and ensure operational integrity. To protect the financial system, the CNBV and SHCP oversaw an orderly dismantling for their operations. As a result, none of these entities survived:

1. Intercam was acquired by Kapital Bank;
2. CIBanco sold off its fiduciary division and its vehicle loan portafolio before its banking licence was revoked and subsequently entered into liquidation; and
3. Vector’s assets were transferred to Finamex, another brokerage firm, as part of an orderly exit from the market, followed by the revocation of its authorisation to operate as a brokerage firm.
• Prudential compliance and capitalisation: in December 2024, the CNBV revoked the operating licence of the SOFIPO “Financiera Auxi” after 15 months of failing to meet minimum capitalisation requirements. This underscores that “continuous compliance” is as critical as the initial authorisation.
• Market concentration and antitrust: in July 2025, the antitrust commission concluded an investigation targeting 21 banks and fintechs for alleged price-fixing merchant fees and manipulating costs for interest-free monthly instalments. Following the publication of the Federal Economic Competition Law reform in July 2025, the new authority gained expanded powers to impose fines of up to 20% of annual revenue.
• Lending: for digital lending players, enforcement tends to concentrate on AML/CTF compliance and consumer protection/contract transparency (disclosures, abusive terms, tariffs, among others). Please see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities.
• Cryptocurrency: recent amendments to the Anti-Money Laundering Law (the “AML Law”) have strengthened oversight of cryptocurrency exchanges and virtual asset activities by adjusting reporting thresholds and extending obligations to transactions involving non-residents.

Mexico has clear privacy regulations, contained both in financial regulation (financial secrecy and confidentiality obligations) and in the Federal Law on the Protection of Personal Data Held by Private Parties. These rules impose strict requirements on data consent, usage, storage, and cross-border transfers. For fintechs and technology-driven players, compliance with data protection rules has a more immediate operational impact, as their business models rely heavily on digital onboarding, data analytics, cloud infrastructure and cross-border data flows, whereas legacy players often operate on more centralised and historically established systems.

As to cybersecurity, apart from very stringent regulation found in the financial regulation, no general non-financial regulation has been enacted in Mexico. As a result, cybersecurity obligations for fintechs primarily derive from its secondary regulations, contractual standards, and best practices, placing greater emphasis on internal controls, incident response, and third-party risk management, particularly for cloud and software providers.

Regarding other non-financial services regulations, such as social media or software development, Mexico has clear advertising and consumer protection regulations, as well as intellectual property rules, applicable to all entities. Fintechs are often more exposed to these frameworks due to their reliance on digital marketing, online user acquisition, proprietary software development and API-based integrations, while legacy players typically face these issues to a lesser extent or through more traditional channels.

The ATDT has introduced a National Cybersecurity Plan which seeks to unify Mexico’s fragmented cybersecurity standards into a single state policy. The plan also includes the proposal of a General Cybersecurity Law, which is expected to be presented to Congress in the near future.

In addition to financial regulatory oversight, some non-regulatory actors play a role in reviewing and influencing the conduct of financial industry participants.

• External auditors assess the accuracy of financial reporting, internal controls, and compliance with applicable accounting standards (eg, IFRS or Mexican Financial Reporting Standards NIF). Regulated entities, particularly those with public reporting obligations or those handling client assets, are legally required to undergo periodic financial audits. Many fintechs and start-ups voluntarily engage auditing firms for credibility with investors, despite not being legally required to do so, especially in the early stages. There is a growing trend of auditors also reviewing non-financial metrics (eg, customer data handling, cybersecurity controls) due to pressure from investors.
• Industry associations and self-regulatory organisations issue best practices, codes of conduct, and may conduct peer reviews or offer certifications. Membership is generally voluntary; however, regulatory authorities often consult with these bodies during rulemaking processes, and their standards may become de facto benchmarks. Participants often follow these standards to gain credibility.
• Private equity funds usually require adhesion to financial regulation and strict standards to qualify as a portfolio company.

In Mexico, it is common for industry participants (particularly in the fintech sector) to offer a combination of regulated and unregulated products or services, especially where technology, data, analytics, or user-facing tools complement regulated financial activities.

Regulated financial institutions are subject to strict activity catalogues and may only provide services expressly authorised under their licence. As a result, these entities cannot directly provide unregulated services.

To address this limitation, market participants typically structure their operations through separate legal entities: one to carry out regulated financial activities (eg, offering payment accounts or securities trading), and other providing auxiliary services.

This separation is designed to prevent regulatory arbitrage and to ensure that unregulated activities do not bypass or compromise the prudential requirements applicable to the regulated entities.

Although the services are often presented to customers through a single digital interface or platform, the underlying operations remain legally and technologically separated.

Mexican authorities require strict transparency when regulated and unregulated services are offered under the same platform or brand. Providers must clearly disclose which legal entity is responsible for each service, which regulatory protections apply, and the appropriate channels for customer complaints.

AML/CFT compliance is a critical priority for both regulated and unregulated fintechs, driven by heightening global scrutiny and aggressive enforcement, such as the recent US designation of Mexican cartels as terrorist organisations (FTOs).

Recent actions and alerts issued by FinCEN have increased the focus on sanctions and cross-border risk. See 1.1 Evolution of the Fintech Market and 2.10 Significant Enforcement Actions.

Mexico’s AML and sanctions rules generally follow the standards imposed by the FATF, of which Mexico is a full member. FATF recommendations on risk-based supervision, KYC, suspicious transaction reporting, and record-keeping, among others, are included in Mexican regulations.

Mexican financial laws and regulations prohibit, in general, non-Mexican-licensed institutions from engaging in any active solicitation activities tending to or promoting the offering of financial services or products within Mexico.

Nevertheless, Mexican law does not prohibit foreign entities from providing financial services to Mexicans, as long as they operate under a reverse solicitation scheme with clear boundaries.

In Mexico, different assets classes require different business models. 

• Virtual assets are regulated under the Fintech Law and the secondary regulation issued by Banxico. These must operate as Virtual Asset Service Providers (VASPs). For regulated fintechs (under Fintech Law), Banxico currently restricts offering these directly to the public, requiring a model where cryptocurrency is used only for internal or back-office operations. Non-regulated entities must comply with AML Law due to the high-risk nature of their activities.
• Security tokens may be subject to traditional securities under the Securities Market Law. Consequently, their business models must incorporate a broker-dealer or authorised investment advisor structure. These models must satisfy disclosure requirements, ensuring that automated algorithms, often used in crypto-trading, are transparent about risk volatility and liquidity constraints.

Legacy players and new entrants (fintechs) are indeed integrating robo-advisory technology. Since Mexico lacks a specific “automated advisor” licence, these solutions are being implemented under their existing authorisation as an investment advisor, in accordance with the CNBV’s “General Provisions Applicable to Financial Entities and Others Providers of Investment Services”. 

Commonly, the implementations follow the following strategies.

• Hybrid models: legacy players are deploying super apps where robo-advisory tools serve as an entry-level feature for smaller portfolios, while high net worth clients receive human-led advice supported by the same robo-advisory or the legacy infrastructure.
• Strategic partnership: legacy players are acquiring or partnering with established fintechs to bypass long development cycles, integrating white-label automated rebalancing and risk-profiling tools.
• Infrastructure modernisation: large players are utilising machine learning to replicate the “user-centric” experience of robo-advisers, focusing on frictionless onboarding and automated “Model Portfolios” that comply with the CNBV’s General Provisions.

In Mexico, the best execution of customer trades refers to the obligation of financial institutions, broker-dealers, investment advisors, robo-advisers, amongst others, to execute trades on behalf of their clients in a manner that ensures the most favourable outcome for the client, in terms of price, speed, and overall execution quality.

Nevertheless, there are some issues relating to the best execution of customer trades, as set out below.

• While the CNBV requires fair treatment of clients under general conduct rules, explicit best execution standards are less developed but are increasingly referenced in practice. This may create regulatory ambiguities and gaps.
• The Mexican financial market is less liquid compared to more developed markets; this can create challenges in achieving the best execution of customer trades.
• Broker-dealers and trading platforms may have limited access to global execution venues compared to those in more developed markets. While there are both domestic exchanges (Bolsa Mexicana de Valores (BMV) and Bolsa Institucional de Valores (BIVA)) and some international exchanges accessible to Mexican brokers, these platforms may have different liquidity levels, order types, and costs associated with them.
• Although a cornerstone of investor protection, the principle of best execution is increasingly strained by the rapid pace of technological innovation and persistent regulatory gaps.
• The rise of automated models and algorithmic trading has introduced complexities that traditional Mexican regulations did not originally envision, often leaving authorities to rely on broad “fair treatment” rules rather than specific technical standards.

Under Mexican law, differences in the business and regulatory framework for fiat currency loans depend primarily on (i) the nature of the lender (regulated financial entity versus non-regulated commercial entity) and (ii) the type of borrower (individuals versus corporations).

From a compliance and onboarding perspective, lending to individuals (versus businesses) allows for a simplified due diligence process in certain cases and enables the use of digital onboarding options. However, both individual and corporate onboarding are subject to a risk-based approach, and enhanced due diligence applies in higher-risk cases.

From a regulatory standpoint, regulated financial entities are subject to licensing, prudential regulation, AML/CFT obligations, and, in some cases, capital adequacy and risk management requirements. By contrast, non-regulated commercial lenders are not subject to prudential supervision but remain subject to AML law, general commercial law, and other applicable regulatory frameworks depending on the structure of the product and the target market.

Underwriting processes in Mexico are not strictly dictated by regulation, although regulated financial entities must comply with certain minimum standards relating to credit assessment, reserves, AML/CFT, KYC, risk management, and consumer protection.

Industry participants typically rely on a combination of:

• credit bureau reports and historical credit behaviour;
• proof of income, bank statements or financial statements;
• tax returns; and
• alternative and behavioural data, or device metadata.

For regulated entities, underwriting practices must align with internal policies approved by management and, where applicable, supervisory expectations regarding risk classification, provisioning and portfolio management.

For non-regulated lenders, underwriting remains largely market-driven, subject to general AML/KYC and fraud prevention obligations.

The sources of funds for fiat currency lending in Mexico vary depending on the type of lender and the business model, including the following.

• Peer-to-peer (P2P) lending or crowdfunding: retail investors or institutional investors lend directly to borrowers via a P2P platform. The platform must: obtain the relevant licence and disclose risks and returns to investors; implement AML/CFT and KYC procedures; ensure proper dispute resolution mechanisms and transparent operations; and fully comply with the Fintech Law.
• Capital raised from investors: private equity, venture capital, or institutional investors that inject funds into a lender (such as a SOFOM or commercial entity) for lending purposes. Regulation is focused on investors’ KYC and source of funds, and full transparency to borrowers.
• Deposit taking: banks may use the funds from their clients’ deposits and lend them to other clients. Fully regulated, banks must obtain a proper licence, comply with capital adequacy and liquidity regulations, and AML/CFT provisions.
• Securitisations or public market: regulated under the Securities Market Law. Proper disclosures, risk management and investor protection are key compliance requirements.

Loan syndication does take place in Mexico, although it is more commonly associated with large-scale corporate, infrastructure, or cross-border financings, rather than consumer or small-ticket lending. In a syndicated structure, one or more lenders act as arrangers, co-ordinating multiple lenders that participate in a single loan facility. The applicable legal framework generally consists of commercial and financial law provisions, and, where syndication is combined with securitisation or capital markets instruments, securities regulation may also apply.

In practice, syndicated lending in Mexico largely follows international market standards, with contractual structures and risk allocation mechanisms similar to those used in other major financial markets.

In Mexico, payment processors generally operate through existing, authorised infrastructures such as the Interbank Electronic Payment System (SPEI), the Interbank Payments System in US Dollars (SPID), or established card payment networks. These payment rails are subject to strict regulatory oversight by Banxico (and the CNBV for card networks) to ensure secure, real-time gross settlement and operational stability. To further modernise these existing payment rails, Banxico has implemented CoDi and DiMo, which leverage the SPEI infrastructure to facilitate instant payments via QR codes (CoDi) and mobile phone numbers (DiMo), providing processors with standardised, low-cost digital tools.

While there is no express legal prohibition against developing proprietary payment rails, any new system involving the settlement of funds between third parties or the custody of client funds is legally classified as a “payment system” under the Law of Banxico. This classification requires formal, prior authorisation from Banxico, creating a high regulatory barrier for new entrants.

A common practice for smaller processors involves the use of concentrating accounts to perform internal compensation. In these models, the entity settles transactions between its own users with its internal ledger without triggering a SPEI instruction for every movement, only using the payment rails for the final liquidation of balances or the cash-out of balances to external bank accounts.

Finally, when processing card transactions, entities must navigate the Card Payment Network framework. This requires participants (including issuers, acquirers, and aggregators) to follow the General Provisions Applicable to Card Payment Networks, under which clearinghouses must be authorised by Banxico.

Cross-border payments and remittances are regulated through a layered legal and supervisory framework designed to promote financial transparency, consumer protection and compliance with AML/CFT standards. All entities that send or receive funds across borders, including banks, money transmitters and regulated fintechs such as wallets, must be duly authorised by the CNBV and comply with applicable registration, internal control and reporting obligations. These include rigorous KYC procedures, robust risk-based monitoring, suspicious transaction reporting, record-keeping and other AML/CFT safeguards.

Beyond AML/CFT, regulators require clear fees and exchanges rate disclosures, operational and technical standards, transparency obligations and user complaint mechanisms to protect consumers and ensure fair market conduct. Banxico plays a central role in overseeing the payment infrastructure, specifically the SPEI, and authorising or restricting certain foreign exchange or virtual asset elements of cross-border transfers.

Supervision is ongoing and has recently been reinforced, with the CNBV increasing inspections and enforcement actions, particularly around remittance transmitters’ compliance with identification and transaction monitoring requirements, reflecting the growing importance of remittances in Mexico’s financial system.

In Mexico, digital marketplaces and trading platforms that facilitate investment or asset trading fall under distinct regulatory regimes depending on the nature of the underlying instruments.

Securities trading platforms operated by authorised broker-dealers are regulated under the Securities Market Law and require authorisation and ongoing supervision by the CNBV, with obligations relating to market transparency, investor protection, prudential requirements, and AML/CFT and KYC compliance.

Crowdfunding and alternative investment platforms and marketplaces that match investors with issuers or projects for equity, debt, or similar arrangements are regulated under the Fintech Law and must obtain CNBV authorisation, comply with disclosure standards, investor eligibility and investment limits, and maintain operational and AML/CFT and KYC controls.

Virtual asset and cryptocurrency trading platforms are not recognised as regulated financial institutions and are therefore primarily subject to general consumer protection laws and AML/CTF obligations as their activities are classified as a “vulnerable activity,” under the AML Law.

Finally, in addition to platforms operated directly by regulated entities, non-regulated operators may host marketplaces that partner with licensed financial institutions to offer regulated products or services, provided that strict transparency and disclosure requirements are met, including clear identification of the regulated entity that is the actual contracting party, so that customers understand who is providing the regulated service and under which legal regime.

Different asset classes, such as cryptocurrencies, stablecoins, and security tokens, are subject to different regulatory regimes.

• Cryptocurrencies (referred to in Mexican law as “virtual assets”) are not considered legal tender or financial instruments, and their regulatory treatment depends on the type of entity involved. For regulated financial institutions, the use and offering of virtual assets is governed by the Fintech Law and secondary regulation issued by Banxico, which limits their use to internal operations and prohibits the offering of virtual asset services directly to the public.

In contrast, non-financial entities that operate cryptocurrency exchanges are treated as engaging in a “vulnerable activity” under the AML Law, which triggers obligations such as KYC, record-keeping, and transaction reporting to the SHCP when applicable thresholds are met.

• Stablecoins are not expressly regulated as a standalone asset class in Mexico, however, the authorities’ position is that, as they are backed by legal tender and issued in exchange for fiat funds, their issuance is deposit-taking, an activity reserved to regulated financial institutions and subject to the corresponding authorisations.
• Security tokens, which represent digital versions of regulated financial instruments such as debt or equity, are fully subject to the Securities Market Law when they function as securities. This means their issuance and trading must be conducted through licensed intermediaries, in compliance with rules on registration, disclosure, investor protection, and supervision by the CNBV.

Please see 6.2 Regulation of Different Asset Classes.

Listing standards for securities are primarily governed by the Securities Market Law, regulations issued by the CNBV and the internal rules of the authorised stock exchanges. The regulatory requirements are standard and similar to other jurisdictions. In particular, issuers need to:

• prepare a prospectus approved by the CNBV;
• disclose audited financial statements;
• comply with corporate governance requirements (such as appointing independent board members and audit committees); and
• meet ongoing disclosure and reporting obligations.

In parallel to these legal requirements, the industry broadly adheres to voluntary Industry Associations and Self-Regulatory Organizations best practices. While not legally binding, these industry standards are widely followed by public companies and are often expected by institutional investors, serving as a key benchmark for governance and market credibility.

Order handling rules apply in Mexico. Principles include best execution, order priority, segregation of proprietary and client orders, aggregation and allocation, client instructions, and record-keeping. These rules are in line with international standards such as those from the International Organization of Securities Commission (IOSCO), of which Mexico is a member.

The rise of P2P platforms in Mexico has expanded access to financial services by enabling users to interact directly through digital marketplaces, particularly in areas such as crowdfunding and alternative investment models (like Crypto P2P and certain DeFi platforms). This has encouraged traditional financial institutions to enhance their digital distribution channels and onboarding processes, while enabling fintech players to develop scalable models that lower intermediation costs and broaden access to capital.

However, from a regulatory perspective, a main challenge is that the securities framework is highly centralised and offers limited flexibility for platform-based or decentralised models, which makes it difficult for P2P platforms to operate beyond primary investment or exempt offerings. Additional challenges include ensuring effective AML/CFT, KYC compliance, maintaining consumer and investor protection standards, and addressing data protection and cybersecurity risks in digital environments.

Payment for order flow is not explicitly permitted nor entirely prohibited in current Mexican regulation, but the practice is generally discouraged and constrained due to conflicts of interest concerns and best execution obligations.

Trading in Mexico is governed by principles of transparency, fair price formation, and investor protection. Issuers and intermediaries must disclose relevant and material information to ensure the market operates on equal information. The Securities Market Law prohibits the distribution of false or misleading information and penalises market manipulation. Insider trading and the misuse of material non-public information are prohibited, and directors, officers, and intermediaries must have confidentiality and conflict-of-interest controls in place. In addition, exchanges and market operators must implement systems and procedures to ensure equal access as well as transparent, orderly, and integrity-based price formation and trading processes, subject to supervision and enforcement by the CNBV.

Please see 6.4 Listing Standards.

In Mexico, there are specific regulations governing the creation and use of high-frequency trading (HFT) and algorithmic trading technologies, particularly for firms operating in regulated markets (eg, equities, fixed income, derivatives).

Rules are found in the Banking Rules (Circular Unica de Bancos) issued by the CNBV, market infrastructure rules (BMV, BIVA and MexDer, each having its own rulebook), Banxico’s regulations, and IOSCO principles.

Different asset classes have tailored regulatory requirements, especially in derivatives and FX, due to risk exposure and market structure.

• Equities (BMV/BIVA): strong focus on pre-trade risk checks, fair access, and trade reporting.
• Fixed income: less algorithmic activity, but subject to price transparency rules and internal compliance.
• Derivatives (MexDer): heavier risk controls due to leverage: margining, clearing, and position monitoring are stricter.
• FX (via Banxico): algorithms in FX markets are regulated primarily by Banxico, especially for liquidity providers.

Financial institutions functioning as market makers in a principal capacity are required to be authorised by the CNBV and/or Banxico as they must be licensed banks or brokerage firms and sign a market-making agreement with the exchange or relevant authority. They must maintain minimum quoting/bidding obligations and submit monitoring and performance evaluations, including reporting and transparency duties. 

Funds and dealers are entities that are subject to different regulatory frameworks, some of the differences include the following.

• Funds engaging in HFT and algorithmic trading: the activities are subject to the Investment Funds Law, which focuses on investor protection, transparency and reporting requirements and are supervised by the CNBV. Funds that use algorithmic or HFT strategies may need to disclose the risks associated with these techniques in their fund documentation and ensure compliance with broader regulations on market conduct and systemic risk.
• Dealers engaged in FT and algorithmic trading: dealers must comply with specific regulations related to their trading activities; this includes anti-manipulation rules, fair pricing practices and liquidity requirements. Dealers are also subject to requirements around capital adequacy, operational risk management, and trade reporting. The CNBV requires financial dealers (such as brokerage firms, market makers, and trading institutions) to be properly licensed and registered to operate in Mexico.

Programmers who develop and create trading algorithms and other electronic trading tools are not directly regulated in Mexican law, but licensed entities using them would usually have to comply with applicable regulations when hiring them.

Please see to 2.8 Outsourcing of Regulated Functions.

Insurers are regulated under the Law on Insurance and Surety Institutions (LISF) and secondary regulation issued by the CNSF. The LISF establishes prudential obligations, such as maintaining technical reserves, measuring and managing assumed risks, and guaranteeing the financial capacity to cover those risks. Risk assessment and underwriting processes are an integral part of the risk management and solvency systems supervised by the CNSF. Although there is no regulation that dictates the underwriting process step-by-step, the regulations require institutions to design, maintain, and review their risk assessment and product approval processes before commercialisation.

Insurtechs in Mexico are not regulated by a specific, separate law for underwriting; they remain subject to the LISF and secondary regulation if they operate directly as insurers or develop products involving risk assumption.

Although all types of insurance, such as life, annuities, property and casualty, must comply with the general legal framework established by the LISF and secondary regulation, regulators and industry participants treat them differently because risk characteristics and financial obligations vary among them.

The LISF classifies and authorises distinct operations and branches, such as (i) life, (ii) accidents and health, and (iii) damage. Each branch has its own nature and risks, requiring different technical bases to calculate premiums, reserves and solvency capital.

Regtech providers are not regulated as a separate type of entity under Mexican regulation. There is no law that specifically licenses or supervises regtech firms; they instead fall under the general corporate, data protection, cybersecurity, consumer protection, and industry specific compliance requirements relevant to their activities.

However, when regtech solutions are used by regulated financial institutions, the institutions themselves remain responsible for compliance with requirements imposed by authorities such as the CNBV and the CNSF, including third-party risk management, notification, or prior authorisation obligations, depending on the nature and criticality of the service.

Please see 2.8 Outsourcing of Regulated Functions and 9.2 Contractual Terms to Ensure Performance and Accuracy.

As there is no specific regulation for regtech providers, the following distinction must be made.

• If regtech providers seek to contract with licensed financial institutions, then they must comply with the third-party service providers rules and specific contractual clauses should be included regarding information security, business continuity, audit rights for regulators and liability for service failures. For further information, please see 2.8 Outsourcing of Regulated Functions.
• If regtech providers seek to contract with non-regulated companies, there are no regulations governing the contractual terms, allowing flexibility to negotiate contractual obligations with providers, usually following industry customs.

Traditional financial institutions are actively exploring blockchain but are generally doing so with caution and strategic intent, rather than large-scale implementation. Their approach focuses on efficiency, security, and compliance, and tends to prioritise permissioned (private) blockchain solutions over public blockchains.

Blockchain technology is not regulated, but activities related to blockchain, such as cryptocurrencies (virtual assets) are subject to regulations under legal frameworks, like the Fintech Law. However, companies implementing blockchain are still required to comply with general data protection laws, contractual and consumer protection regulations.

Even though the Mexican authorities and regulators are monitoring technology developments such as blockchain, no proposals or reforms are expected in the short term.

The assets are not regulated according to the technology in which they are based, but rather to the type or instrument they are and the person/entity who offers them. For example, tokens that give investment or profit rights may be treated as securities and regulated under the Securities Market Law. Cryptocurrencies are classified as virtual assets under the Fintech Law or the AML Law, depending on who is offering them. Other assets, such as utility tokens and NFTs, are generally not treated as financial instruments and are mainly subject to consumer protection and general commercial laws.

In Mexico, there is no specific legal regime regulating issuers of blockchain-based assets. There is no regulated “issuer” under this framework, except to the extent that the tokenised asset may fall under pre-existing financial laws (eg, as a security).

Mexico has not adopted specific regulations for Initial Coin Offerings (ICOs) or other initial offerings of crypto-assets; ICOs are not expressly prohibited, but they are not regulated either.

The treatment changes if the asset granted in an ICO meets the criteria for a financial security under the Securities Market Law, if the tokens represent property rights, participation, debt, or profit expectations attributable to the efforts of others, they could be classified as securities. In that case, the initial offering would be subject to securities regulation.

Please see 10.3 Classification of Blockchain Assets.

Staking services relating to cryptocurrencies are not specifically regulated in Mexico. Financial institutions are prohibited from offering such services to customers, and non-financial entities may trigger AML/CTF and consumer protection obligations.

In Mexico, the provision of lending services involving cryptocurrencies (virtual assets) is not explicitly regulated as a financial activity under current legislation. While the Fintech Law provides a limited regulatory framework for the use of virtual assets by fintech institutions, it does not extend to the offering of credit or lending services denominated in, or backed by, cryptocurrencies.

As a result, companies or platforms offering crypto-based lending operate in a regulatory grey area and are not subject to supervision by the CNBV or Banxico unless they also engage in other regulated financial services. However, given that these activities involve the granting of credit or loans, they may fall within the scope of “vulnerable activities” under the AML Law, which classifies the offering of loans, with or without collateral, by non-financial entities as subject to AML obligations. In such cases, service providers must identify clients and file reports with the SHCP when they reach a certain threshold.

Therefore, while crypto lending is not expressly prohibited, it is currently unregulated and may still trigger AML reporting requirements depending on how the service is structured and offered.

Cryptocurrency derivatives cannot be offered to the public through Mexican regulated entities unless explicitly authorised, and no such authorisation has been granted to date.

Please see 10.1 Use of Blockchain in the Financial Services Industry.

As of today, there is no specific regulation in Mexico that directly governs DeFi protocols or platforms. The existing legal framework is focused on centralised, identifiable financial intermediaries, such as banks, broker-dealers, and licensed fintech institutions.

However, the absence of DeFi-specific regulation does not mean that all DeFi-related activities are unregulated. Authorities may assess what the platform or participants do, rather than how the technology is labelled. If trading involves security tokens, the Securities Market Law may apply, and where it involves the exchange of cryptocurrencies by non-financial entities, AML/CTF obligations may be triggered.

Therefore, if a person or entity develops, controls, markets, or profits from a DeFi protocol, authorities may look through the decentralised label and treat them as a functional intermediary.

There is no specific regulation for funds investing in blockchain assets. Funds will have to comply with the Investment Funds Law, regardless of the assets in which they invest.

In Mexico, virtual assets and blockchain assets are distinct.

• Virtual assets: defined by the Fintech Law as digital representations of value used as a means of payment. They are not legal tender, are not securities, and lack government backing. Mexican banks and fintechs are prohibited from offering them directly to the public.
• Blockchain assets: unlike virtual assets, they lack a specific legal definition in Mexico. While virtual assets are a type of blockchain asset used for payments, other blockchain applications (like NFTs or utility tokens) may be treated as intangible property under general civil or commercial law rather than financial regulation.

NFTs and NFT platforms are not regulated in Mexican law, but they are subject to certain regulatory frameworks based on the nature of the asset and the activities involved, including the Fintech Law, Securities Market Law, Banxico regulations, consumer protection laws and intellectual property laws. Cases where NFTs may be regulated by financial laws include:

• when NFTs are used as a means of payment or involve the custody or transfer of funds (which could qualify as regulated activities under the Fintech Law);
• when NFTs grant economic or profit-sharing rights or are marketed as investment products (potentially classifying them as securities);
• when transactions rely on virtual assets or payment system infrastructure subject to central bank oversight; or
• when platforms offer services to the public and commercialise digital content, thereby activating consumer protection and intellectual property obligations.

Stablecoins are not expressly regulated as a standalone asset in Mexico. The Fintech Law’s definition of “virtual assets” excludes assets denominated in legal tender or foreign currency, so fiat-backed stablecoins do not fall within that category. However, the regulators’ position is that when stablecoins are issued in exchange for fiat money, they may be treated as deposit-taking, an activity reserved for regulated financial institutions. As a result, their public issuance or offering generally requires authorisation, and there is no specific regime governing reserves or redemption mechanics for stablecoins as such.

The Fintech Law established Mexico as a pioneer by mandating an open finance model, which is broader than “Open Banking” because it requires data sharing across the entire financial ecosystem. Under Article 76 of the Fintech Law, all financial entities are obligated to share three types of data via standardised APIs: (i) open data (products and locations), (ii) aggregated data (statistical), and (iii) transactional data (individual customer history).

However, full implementation has stalled because the CNBV and Banxico have yet to issue the necessary secondary regulations for the most critical categories. As of January 2026, the only fully operational rules apply to open data regarding ATM locations and basic branch services.

In Mexico, banks and technology providers address data privacy and security concerns raised by open banking primarily through adherence to the applicable regulatory framework, secrecy, customer consent, and mandatory internal control measures. Under Fintech Law, financial entities must operate within the scope of their CNBV authorisation and implement policies and systems to ensure confidentiality, integrity, and availability of customer information, including secure technological infrastructure, information security controls, and fraud and cyber-risk prevention measures.

In addition, the applicable financial laws require financial institutions to maintain the privacy and confidentiality of customer data, mandating the use of strong encryption methods for data transmission between financial institutions. At the same time, the Mexican Data Protection Law requires any organisation, including banks and technology providers, to implement data protection measures to ensure that personal information is handled properly and securely. 

Fraud is regulated through a combination of criminal law, financial regulations and sector specific rules.

• Criminal law: the Federal Criminal Code classifies fraud as a criminal offence; it includes obtaining money, goods, or services through deception, trickery or misrepresentation. The penalty depends on the amount defrauded along with fines and restitution.
• Financial and banking regulations govern misconduct within their respective sectors, including unauthorised transactions, investment fraud, virtual asset-related misconduct, and insurance fraud. Violations may lead to administrative sanctions and criminal persecution.

In July 2024, the CNBV introduced new regulations aimed at enhancing fraud prevention within banking institutions. These rules are designed to strengthen banks’ internal control frameworks to more effectively detect and prevent fraudulent activities. This includes implementing robust systems and procedures to identify, monitor, and mitigate potential fraud risks. The new framework also places particular emphasis on internal fraud and insider threats by requiring enhanced segregation of duties, surveillance mechanisms, and internal reporting processes.

Mexican regulators focus primarily on fraud schemes that pose systemic risk, threaten consumer protection, or facilitate money laundering or other financial crimes, with increasing attention on technology-enabled and cyber-related fraud.

Key areas of concern include identity theft and account takeover, unauthorised and socially engineered electronic payments (including authorised push-payment fraud), cyber fraud such as phishing and credential compromise, and investment or crowdfunding misconduct. Authorities such as the CNBV and the Financial Intelligence Unit (UIF) require financial institutions and fintech providers to implement robust KYC, strong customer authentication, transaction monitoring, and reporting controls, particularly in digital onboarding and automated transaction environments.

Please see 12.1 Elements of Fraud.

A fintech service provider in Mexico may be held responsible for customer losses depending on the specific circumstances of the loss and the provider’s conduct.

Liability may arise where losses result from:

• negligence or failure to implement adequate security or fraud prevention measures;
• system failures or operational deficiencies;
• breach of applicable regulatory obligations; and
• unauthorised transactions attributable to inadequate authentication, monitoring or internal controls.

The extent of liability is determined by financial regulations, consumer protection laws, and, where relevant, contractual arrangements with customers. Regulatory authorities such as the CNBV, Banxico and CONDUSEF may impose administrative sanctions, restitution obligations, or corrective measures.

Conversely, fintech providers may limit or exclude liability where losses are attributable to customer misconduct, third-party actions beyond the provider’s control, or compliance with regulatory instructions, subject to mandatory consumer protection standards and public policy considerations.