Current Scenario of the Fintech Market in Mexico

According to the provisions applicable to the fintech market, those entities carrying out activities regulated by the Law Regulating Financial Technology Institutions (Ley para Regular las Instituciones de Tecnología Financiera) or the “Fintech Law” at the time it came into force on 10 March 2018, were required to apply for authorisation to operate as financial technology institutions (instituciones de tenología financiera or IFTs) before the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores or the CNBV) no later than 25 September 2019. 

Such IFTs and the new ones granted under the Fintech Law should have started being authorised during 2020. However, several IFTs requested extensions to the deadline and the COVID-19 pandemic caused many authorities, including the CNBV, to suspend or postpone their resolution deadlines, causing a delay in the granting of said authorisations. 

At the time of publication, the CNBV had granted only one authorisation for an electronic payment fund institution ("wallet") and one for a crowdfunding institution, and had the resolution of 92 additional authorisations pending: 59 applications to operate as an electronic payment fund institution (institucion de fondos de pago electrónico or IFPE) and 33 to operate as a crowdfunding or collective financing institution (institucion de financiamiento colectivo or IFC). 

However, those individuals or entities that requested authorisation before the CNBV on time and under the terms mentioned above may continue to operate until their request is resolved and must publish on their website or any other media they use that the authorisation to carry out such activity is in progress and, therefore, the activity is not currently supervised by the Mexican authorities. In fact, of the 92 clearances being analysed by the CNBV, 68 are for companies that were operating before the Fintech Law came into effect. 

Legal provisions applicable

Concerning the legal provisions applicable to fintech, the only ones recently enacted are: 

• the General Provisions Regarding Standardised Computer Application Programming Interfaces or "API Provisions" (Disposiciones de Carácter General Relativas a las Interfaces de Programación de Aplicaciones Informáticas Estandarizadas a que hace Referencia la Ley para Regular las Instituciones de Tecnología Financiera) published on 4 June 2020, effective from 5 June 2020; and 
• the provisions applicable to the IFPE regarding cybersecurity and biometrics (Disposiciones aplicables a las instituciones de fondo de pago electrónico a que se refieren los artículos 48, segundo párrafo, 54, primer párrafo y 56, primer y segundo párrafos de la Ley para Regular las Instituciones de Tecnología Financiera), published on 28 January 2021, effective from 28 April 2021. 

Future Scenario of the Fintech Market in Mexico

Within the next 12 months, it is expected that the pending authorisations for the operation of IFTs in terms of the Fintech Law will be resolved by the CNBV. 

Likewise, it is expected that there will be a secondary regulation on open banking, a model that, although regulated by the Fintech Law, is not entirely regulated by the CNBV, as mandated by the legislator. The authority has indicated that it expects to issue the relevant regulation during the first quarter of the year. 

Additionally, it is undeniable that the COVID-19 pandemic will continue to affect the fintech market in Mexico, not only in terms of the resolution of pending authorisations, but also in that it may have a positive impact, considering the boost that mobility restrictions have provided to digital services schemes, including financial services. 

In Mexico, the predominant fintech categories are, on the one hand, the crowdfunding subcategory, ie, the IFCs within the financing vertical and, on the other hand, the wallet, ie, the IFPEs within the payments and transfers vertical. 

The Fintech Law provides for these two types of business models, understanding by: 

• IFC – the activities aimed at putting people from the general public in contact with each other to grant financing regularly and professionally, through computer applications, interfaces, internet pages, or any other means of electronic or digital communication; and 
• IFPE – the services performed regularly and professionally with the public, consisting of the issuance, administration, redemption and transmission of electronic payment funds through computer applications, interfaces, internet pages or any other means of electronic or digital communication. 

Having said this, it should be noted that financial provisions in Mexico are not exclusively found in the Fintech Law, but also in previous provisions regulating the performance of financial entities of the traditional financial or banking model, such as: 

• the Law of Credit Institutions (Ley de Instituciones de Crédito); 
• the Securities Market Law (Ley del Mercado de Valores); and 
• the General Law of Credit Organisations and Auxiliary Activities (Ley General de Organizaciones y Actividades Auxiliares del Crédito), etc.

In this regard, Finnovista’s Fintech Radar Mexico Report dated March 2020 confirms the aforementioned concerning the prevalence of crowdfunding and wallets in the fintech market in Mexico. However, it includes some additional business models that can be found in the fintech environment in the country, namely, payment and remittances, insurtech, wealth management, scoring, identity and fraud, business lending, consumer lending, enterprise financial management, digital banking, trading and markets, personal financial management, and enterprise technologies for financial institutions.

The regulatory regime applicable to industry participants in Mexico in the main verticals, ie, crowdfunding and wallets, is comprised of the following provisions: 

• the Fintech Law published on 9 March 2018; 
• General Provisions issued by the CNBV (known jointly as the “CNBV Provisions”), including: 
1. General Provisions applicable to IFTs (Disposiciones de Carácter General aplicables a las Instituciones de Tecnología Financiera) published on 10 September 2018; and 
2. the API Provisions published on 4 June 2020; 
• Circulars issued by Mexico's Central Bank (Banco de México or "Banxico") and the CNBV (known jointly as the “Banxico Provisions”), such as: 
1. Circular 12/2018 regarding transactions of electronic payment fund institutions, published on 10 September 2018; 
2. Circular 4/2019 regarding transactions with virtual assets, published on 8 March 2019; 
3. Circular 5/2019 regarding the Mexican Regulatory Sandbox, published on 8 March 2019; 
4. Circular 6/2019 addressed to the IFC regarding the General Provisions applicable to transactions they carry out in foreign currency and the information reports to Banxico, published on 8 March 2018; 

1. Circular 8/2019 with modifications to Circular 14/2017 regarding CoDi (digital collection) transfer instrumentation, published on 20 May 2019; 

5. provisions applicable to the IFPE regarding cybersecurity and biometrics, published on 28 January 2021; and 
• General Provisions mentioned in Article 58 of the Fintech Law (Disposiciones de carácter general a que se refiere el artículo 58 de la Ley para Regular las Instituciones de Tecnología Financiera), known as the “AML Provisions”, and known jointly with the Fintech Law, the CNBV Provisions and the Banxico Provisions as the “Fintech Provisions”, published on 10 September 2018.

Secondary Provisions

There are secondary provisions that regulate the above, such as, the General Provisions of the National Commission for the Protection and Defence of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros or “CONDUSEF”) on transparency and sound practices applicable to the IFTs.

Other Legal Provisions

Other legal provisions applicable to other verticals, considering the amplitude of financial legislation in Mexico, are: the Law of Credit Institutions; the Securities Market Law; the General Law of Credit Organisations and Auxiliary Activities; the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros); the Law to Regulate Credit Information Companies (Ley para Regular las Sociedades de Información Crediticia); the Federal Law on the Prevention and Identification of Transactions from Illicit Sources (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita) (the Anti-money Laundering Law); the Federal Law on the Protection of Personal Data Held by Private Entities or Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the Personal Data Protection Law); etc. 

The compensation model that participants in the fintech ecosystem are authorised to use in Mexico, ie, whether they can charge their customers fees or commissions, directly or indirectly, is not rigid since, in general, the Fintech Provisions do not include an extensive list of permitted charges. However, IFTs are required to submit the scheme of fees to be charged to customers during their transactions to the CNBV, as one of the documents that must be submitted to obtain the CNBV's authorisation. 

In addition to the above, the Fintech Provisions include some isolated provisions on the matter. For example, the Fintech Law provides that IFCs, when establishing risk-shared schemes with their investor customers, are allowed to collect a portion of the fees charged, subject to the condition that the relevant loan is fully repaid, or the project is carried out according to the terms offered, or according to any other scheme that allows the alignment of incentives between the IFC and the investors. In terms of the Banxico Provisions, the IFPEs must allow their customers to make at least one withdrawal per day from their electronic payment funds account through an electronic channel in local currency, at no cost, without charging fees or any other accessory.

The regulation of the fintech industry in Mexico differs from the traditional regulation of financial services that was already in place for other players in the financial system, such as legacy players, in consideration of the different services and options offered by the fintech industry, and the different and new risks that its operation may imply for its users and, in general, for the national financial market. 

Thus, fintech regulation in Mexico acknowledges that, unlike the traditional banking sector, the new industry: 

• attracts its customers through new mechanisms, namely digital channels; 
• accepts diverse response times by making use of technological resources that promote immediacy of request and response; 
• requires a relevant variation in transaction costs for the new emerging companies in the fintech market which, among other things, modifies the scope of their services and will tend to increase market and financial inclusion; and 
• recognises the use of new technologies, such as blockchain or forms of payment that involve new regulatory challenges that did not figure in the traditional banking landscape. 

Furthermore, the legislator acknowledged that for IFTs to be competitive, their regulatory regime had to be dynamic in a world where communications, technology, and the demand for innovative and dynamic services are evolving rapidly. 

Nevertheless, considering that, at the end of the day, they are still financial services, several aspects of the regulations applicable to traditional financial entities were replicated in the fintech legal framework, such as those referring to the requirement to get authorisation to provide the relevant services, protection of the Mexican financial system, and anti-money laundering and combating the financing of terrorism (AML/CFT). 

The Fintech Provisions contemplate “Innovative Models” (Modelos Novedosos), also known as a regulatory sandbox, which implies the possibility for the authority to issue temporary authorisations to operate innovative services (the use of tools or technology different to those available at the time of the request for authorisation) in a controlled and less costly environment. This space allows companies to offer financial services to a limited number of customers, using innovative technological tools or the means to test them, before offering them to the public on a massive scale. 

The parameters in each case for the test environment applicable to the specific innovative model are defined in an individual scheme, case by case, considering that the purpose of the models or schemes is to be experimental, ie, the models do not guarantee any success. 

The Mexican Regulatory Sandbox may be authorised for the following applicants. 

• Regulated entities (entidades reguladas), ie, financial entities, IFTs, or persons already subject to the supervision of the Mexican financial authorities. Under the Mexican regulatory sandbox scheme, these entities may be authorised to carry out, on a temporary basis, transactions or activities of their corporate purpose through innovative models. Regulated entities may only obtain authorisation for a period of one year, which may be subject to an equal extension. 
• Other companies incorporated under Mexican law that differ from the regulated entities mentioned above. In the case of non-regulated companies, only those innovative models that carry out an activity, the performance of which requires a concession, authorisation or registration under financial laws, may enter the Mexican regulatory sandbox scheme. The term of this kind of authorisation may initially be up to two years, with an extension of an additional year. 

During the term of the authorisation, the relevant entity must obtain definitive authorisations, concessions, or registries depending on the services offered or, if it is not in its best interest to obtain them, it must begin an exit procedure to terminate the temporary authorisation to operate through an innovative model.

A Slow Start

According to information provided by the authority, to date, only five applications have been received to operate under the regulatory sandbox scheme. Of these five applications, three are pending authorisation, and the other two have been withdrawn by the applicants. 

To encourage applications for authorisation, the CNBV and some public and private entities have promoted contests or programmes, such as the "Sandbox Challenge", which was promoted by DAI Mexico (an international development company), the UK Embassy in Mexico, and the CNBV.

The supervision and enforcement of the Fintech Provisions are entrusted to several authorities: 

• Banxico; 
• the Ministry of Finance and Public Credit (Secretaria de Hacienda y Crédito Público or the SHCP); and 
• the following supervisory commissions: 
1. the CNBV; 
2. CONDUSEF; 
3. the National Insurance and Surety Commission (Comisión Nacional de Seguros y Fianzas or CNSF); and 
4. the National Commission for the Pension Fund System (Comisión Nacional del Sistema de Ahorro para el Retiro or CONSAR). 

Division of Responsibilities

In general terms, Banxico is authorised to set forth, through general provisions, several complementary provisions to the Fintech Provisions, especially regarding transactions in foreign currency and with virtual assets. 

The SHCP is authorised to construct, for administrative purposes, the provisions of the Fintech Law on behalf of the federal government. 

The acknowledged authority of the supervising commissions depends on the respective spheres of competence granted to them by their respective laws. Thus, for example, in terms of Article 350 of the Securities Market Law, the CNBV has supervisory faculties, in terms of its law, the Law of the National Banking and Securities Commission (Ley de la Comisión Nacional Bancaria y de Valores), concerning securities market intermediaries, investment advisers, self-regulatory bodies, stock exchanges, companies that manage systems to facilitate securities transactions, securities depository institutions, central securities counterparties, securities rating agencies and price vendors. In this way, the enactment of different secondary regulation was granted to each financial authority according to the matters each one oversees, the CNBV being responsible for fintech general provisions and the SHCP for AML provisions. 

In some cases where the faculties of the financial authorities seem to overlap, eg, when talking about authorisation within the regulatory sandbox scheme, it is foreseen that the competent authority will be the financial authority most closely related, in terms of faculties, to the main activity that will be carried out by the applicant under the proposed new model. 

The Interinstitutional Committee (Comité Interinstitucional), a collegiate body made up of public servants from the SHCP, Banxico and the CNBV, is the body in charge of authorising the organisation and operation of the IFT. However, the CNBV is ultimately responsible for regulating and supervising these types of institutions. 

Regarding sanctions, the Fintech Law determines that fines will be imposed administratively by the supervising commissions or Banxico on financial entities, IFTs, or companies authorised to operate under the regulatory sandbox scheme, and that they will be enforced by the SHCP or Banxico.

IFTs may outsource some of their functions to a third party. Pursuant to the provisions of the Fintech Law, IFTs are authorised to agree with third parties, located in the country or abroad, on the provision of services necessary for their operation, in accordance with the general provisions issued by the CNBV concerning IFCs, and jointly with Banxico in relation to IFPEs. 

Outsourcing of the relevant services does not exempt the IFTs and the persons related to them from complying with the legal provisions applicable to the services they provide. 

In some cases, outsourcing must be previously authorised by a financial authority. Thus, for example, in terms of the provisions of the Fintech Law, IFTs – subject to the approval of the CNBV – may agree with a third party to carry out the receipt of funds. 

When contracting any service with a third party, IFTs must expressly mention that the third party agrees to abide by the provisions of Article 54 of the Fintech Law. 

It is also possible to outsource some services to regulated entities. In this sense, if an authorised financial entity has a stake in a certain IFT, such entity could provide the IFT with technological infrastructure, such as software, databases, operative systems, and applications, as well as related services, for the IFT to support its transactions. For these purposes, it would be necessary to have the authorisation of the CNBV and to enter into a service agreement that includes transfer prices, among other elements. 

Outsourcing by IFPEs

Other services must necessarily be performed by third parties in terms of the law, eg, to evaluate, through independent third parties, the compliance of the IFPE with certain information security requirements, the use of electronic media, and operational continuity. On 28 January 2021, the provisions applicable to these services were published. 

Outsourcing by IFCs

The general provisions applicable to IFTs include a chapter called “Contracting services with third parties”, which sets forth that IFCs will only require authorisation from the CNBV to contract with third parties for the provision of services that: 

• involve the transmission, storage, processing, safekeeping or custody of sensitive information, images of official identification, or biometric information of customers, provided that the contracted third party has access privileges to such information or to the security configuration information, or to the access control administration; and 
• carry out processes abroad related to accounting or treasury, as well as to the registration of customers' transactional movements. 

The relevant chapter also includes the rules applicable to subcontracting, such as the documents and information that must accompany the application for authorisation, provisions regarding the list of providers to be kept by the IFCs, etc.

IFTs are considered as “gatekeepers” with responsibility for some activities on their platforms. In this sense, IFTs are obliged to act as such regarding the AML Provisions and through the implementation of KYC policies. 

Within an IFT's application to obtain authorisation from the CNBV, a document of KYC policies, among other elements, must be included. 

Likewise, IFTs must set forth internal policies, criteria, measures and procedures that allow them to identify, acknowledge and mitigate the risks to which they are exposed; keep information on the identification of their customers; and have an automated system that allows them, among other things, to identify possible unusual transactions on the part of their customers. 

The AML Provisions constitute the regulatory framework for the prevention of transactions with resources of illicit origin and for countering the financing of terrorism, which IFTs must observe to avoid being used as vehicles for the commission of such illicit activities, as well as to prevent the improper use of the financial system through the new services and products that technological innovations offer to the general public.

In terms of the provisions of the Fintech Law, legal acts entered into in contravention of the provisions of such law or its related provisions and conditions, if any, will give rise to the imposition of administrative and criminal sanctions, without, as a general rule, such contraventions being able to nullify the acts, in terms of protecting third parties acting in good faith. 

Among the significant enforcement actions included in the provisions applicable to the fintech regulatory framework in Mexico are fines of up to approximately MXN13 million, plus a certain percentage of the transactions carried out in contravention of the AML Provisions, and imprisonment, in certain cases. 

Among the non-financial services regulations, including the legal provisions applicable to the fintech ecosystem, we can find provisions on the protection of personal data, intellectual property, AML and cybersecurity.

Personal Data Protection Provisions

The Fintech Law states that aggregated data, ie, data related to any type of statistical information to do with transactions carried out by or through IFTs, must not contain a level of disaggregation such that the personal data or transactions of an individual can be identified. 

Likewise, concerning transactional data, ie, data related to the use of a product or service, as well as any other information related to transactions that customers have conducted or attempted to conduct in the technological infrastructure of IFTs, it states that this is regarded as personal data and can only be shared with the prior express authorisation of the user. This complies with what was already applicable in terms of the Federal Law for the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), a law to which private parties were already subject. It should be added that, in terms of said law, the processing of financial or patrimonial data requires the express consent of the user. 

Other provisions related to the protection of personal data by IFTs are found in the General Provisions applicable to IFTs (Article 86, Section IX); Circular 5/2019 regarding the Mexican Regulatory Sandbox (Article 11); and in CONDUSEF's General Provisions on Transparency and Sound Practices (Articles 11 and 52). 

Intellectual Property Provisions

Regarding the provisions on intellectual property, the only specific provision foreseen with regard to IFTs states that IFTs must, among other things, attach the draft of the services agreement to the request for authorisation regarding contracting the services of third parties. This service agreement must indicate the probable date of its execution, the rights and obligations of the IFT and the third party, including the determination of intellectual property regarding the designs, developments or processes used for rendering the service. 

In addition to this provision, the following two federal laws are applicable to IFTs:

• the Federal Law for the Protection of Industrial Property (Ley Federal de Protección a la Propiedad Industrial), the main purpose of which is to protect industrial property, regulate industrial secrets, promote and encourage inventive activity in terms of industrial application, technical improvements, and creativity in the design and presentation of new and useful products; and 
• the Federal Copyright Law (Ley Federal del Derecho de Autor), the main purpose of which is to protect the rights of authors, performers and artists.

AML Provisions

The AML Provisions were enacted specifically for the operation of IFTs. The Anti-money Laundering Law acknowledges financial entities as regulated entities, including IFTs. The law also specifically names, as a vulnerable activity, the regular and professional offering of virtual asset exchange carried out through electronic, digital or similar platforms.

Cybersecurity Provisions

IFTs must have the necessary infrastructure and internal controls to carry out the transactions they are meant to carry out, such as operating, accounting and security systems in accordance with the applicable general provisions. 

Furthermore, on 28 January 2021, the new provisions applicable to IFPEs, regarding cybersecurity and biometrics were published. 

Social Media Content

Finally, in Mexico, there is no specific regulation regarding social media content.

The Fintech Provisions set forth certain cases in which industry participants must or may carry out supervisory activities for IFTs. This possibility is foreseen, fundamentally, in two cases.

Independent External Auditors

The first scenario refers to the obligations included in the Fintech Provisions regarding supervisory activities to be carried out by entities or persons that are not considered financial authorities. For example, the Fintech Law establishes that the annual financial statements of IFTs must be audited by an independent external auditor, who will be appointed directly by their administrative body. It is the CNBV which, through general provisions, determines the characteristics and requirements to be met by independent external auditors; the content of the opinions and other reports that must be rendered; the measures to ensure their adequate alternation; etc.

Trade Associations

On the other hand, IFTs may optionally form trade associations which, among other things, may develop and implement standards of conduct and operation to be complied with by their members to contribute to the healthy development of such institutions. In this sense, trade associations may issue rules to regulate the process to adopt best practices and standards of conduct and operation, and the verification of their compliance.        

Participants of the fintech environment may only offer the products and services they are authorised to offer, and may only perform those activities related to such services and/or other specific activities outlined in the law. 

However, considering that the Fintech Law only recognises two types of IFTs, it is important to consider that other players in the industry are regulated by their relevant financial or non-financial regulatory framework. 

Regarding AML, IFTs are obliged, pursuant to the AML Provisions and subject to CNBV’s prior opinion, to comply with the following. 

• To implement measures and procedures aimed at avoiding and preventing acts, omissions or transactions that could be considered as financing of terrorism or transacting with funds of illicit origin. The aforementioned measures and procedures must be contained and developed in a document that must be submitted to the CNBV. 
• To submit to the SHCP, through the CNBV, reports on:
1. the acts, transactions or services that IFTs execute with their clients and the transactions among such clients, related to financing of terrorism or transactions using funds of illicit origin; and

1. any act, transaction or service performed by members of the board of directors, managers, officers, employees, factors, and attorneys-in-fact of IFTs that might be involved with the financing of terrorism or transactions using funds of illicit origin. 

It could be claimed that the above-mentioned obligations are unreasonable and disproportionate when compared with the general provisions applied to traditional financial institutions (eg, banks). If the Mexican authorities impose the same provisions for IFTs as for any other traditional financial institution, IFTs might lose their attractiveness in relation to their services’ flexibility, accessibility and low costs. Although no one is suggesting a material deregulation for IFTs, it might be appropriate to have a regulation where an ad hoc legal framework is applied to IFTs. Also, the AML Provisions could affect the market efficiency of the IFTs in so far as the corresponding regulation does not contribute to an increase in social welfare, and the costs thereof do not exceed the corresponding benefits.

On the other hand, non-regulated IFTs do not have to comply with the AML Provisions, which might be in violation of the free competition principles, while the corresponding rights arising from the current regulation would not be retroactively applicable to non-regulated IFTs, which would create unreasonably unfair treatment of the latter. 

Additionally, some argue that the SHCP and the CNBV should analyse whether IFTs are comparable with other traditional financial institutions and, if not, that the AML Provisions should be amended in order to provide a fair legal framework for IFTs, where regulatory costs are reduced and one of the financial systems’ pillars – financial inclusion – is complied with. Additionally, it only seems fair that the CNBV should make its best effort to grant or, as the case may be, deny authorisation, to non-regulated IFTs, in order to allow fair economic competition. 

Robo-advisers, as autonomous advisory systems controlled by financial entities which, through algorithms and exhaustive data analysis, provide consulting and portfolio management services, can provide financial advisory, wealth management services and the purchase, custody and sale of securities. In Mexico, only those robo-advisers providing consulting and portfolio management have been incorporated with the industry players. 

As for the rest of the financial activities discussed in this guide, service providers known as robo-advisers require authorisation from the Mexican authorities to act as such. 

Among the additional legal provisions applicable to robo-advisers capable of providing financial advisory are the Securities Market Law, specifically Article 225, and the General Provisions Applicable to Investment Advisers (Disposiciones de Carácter General Aplicables a los Asesores en Inversiones). 

Legacy players have noticed the relevance that robo-advisers have gained in the market. Some have therefore already started incorporating them into their investment platforms, and advising their customers based on their financial objectives. 

Some legacy players consider that implementing this kind of tool has allowed them to offer advisory services to a wider range of customers due to the low costs that the implementation of such technology represents. 

Among the issues related to the best execution of customer trades by robo-advisers compared to legacy players, it should be highlighted that the simplicity of robo-advisers' operations and their greater coverage, make them more accessible to the general public and, above all, more affordable in economic terms. Their simplicity stems from the fact that robo-advisers' advice is provided based on relatively little information on the customer's profile. Likewise, their automated process allows for lower operating costs, which means lower prices for the customer and allows the portfolio offer to be a product that suits each customer. 

At this point of technological development, a complex interaction between the software and the customer (human being) may not be possible, but in the future, with the incorporation of artificial intelligence and autonomous learning, technology will surely make it possible for a robo-adviser to surpass the advantages of an individual adviser.

In terms of the provisions of the Fintech Law, IFCs are those IFT that put people from the general public in contact with each other to grant financing through crowdfunding, equity crowdfunding or co-ownership or royalty crowdfunding transactions, regularly and professionally, through computer applications, interfaces, websites or any other electronic or digital means of communication. 

At first, the Fintech Law defines a customer in general terms, ie, as an individual or legal entity that contracts or performs any transaction with an IFT. However, the General Provisions Applicable to IFTs set forth additional differentiations for loans that may be granted by IFCs which distinguish between those granted to individuals, businesses and other actors. 

Collective Debt Financing of Business Loans between Individuals

Under this type of financing, the applicants (legal entities or individuals with business activity) and the investors make contributions so that the applicants receive a loan to finance their activities, or to carry out a financial leasing transaction, in which an asset is acquired for the investors, and is leased to the applicant, or to enter into a financial factoring transaction, in which the investors acquire part of a credit that the applicant has in its favour, with the applicant remaining jointly and severally liable to its debtor, without such right deriving from loans, credits or loans that the applicant has previously granted. 

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 1,670,000 Investment Units (Unidades de Inversión or UDIs), which is approximately MXN11 million. IFCs may request authorisation from the CNBV to exceed this limit.

Collective Debt Financing of Personal Loans between Individuals

Under this transaction, the applicant (individual) borrows the resources contributed by the investors. 

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 50,000 UDIs (approximately MXN331,000).

Collective Debt Financing for Real Estate Development

In this type of crowdfunding transaction, investors provide credit to applicants to finance real estate development activities. 

IFCs may publish requests for this type of financing as long as they do not exceed the equivalent in local currency of 1,670,000 UDIs (approximately MXN11 million). IFCs may, however, request authorisation from the CNBV to exceed this limit.

In addition, the relevant provisions state that IFCs must set forth controls in their platforms that prevent the same investor from making investment commitments that exceed certain percentages, based on the financing to be granted. 

Finally, it should be noted that IFCs have different disclosure requirements depending on the type of financing granted. 

Regarding the IFC's decision as to whether an applicant is creditworthy and should receive a loan, within the General Provisions Applicable to IFTs there is a chapter related to the methodology for the evaluation, selection, and qualification of applicants and projects that establishes the information that IFCs must disclose to their potential investors through their platform. This information includes the criteria to be used to select the applicants and the projects to be financed, the way to verify their identity and location, the type of information to be collected to analyse and evaluate the applicants and, if applicable, the activities to verify the veracity of the information, and the general description of the methodology to be used to analyse and determine the degree of risk presented by the applicants and the projects. 

The Fintech Law provides for various sources of funds for performing loans, namely: 

• collective debt financing – in this type of financing, the investors grant loans, credits, mutual loans or any other financing, causing a direct or contingent liability to the applicants; 
• equity collective debt – this financing is used so that investors can purchase or acquire securities representing the capital stock of legal entities that act as applicants; and 
• collective financing of co-ownership or royalties, which allows investors and applicants to enter into joint ventures or any other type of agreement, whereby the investor acquires an aliquot share or participation in a present or future asset or in the income, profits, royalties or losses obtained from the performance of one or more activities or projects of an applicant. 

IFCs have a peer-to-peer scheme, where the IFC's main purpose is to contact “investor” customers that contribute to the source of the funds, with “borrower” customers in need of a loan or project financing. 

Exceptionally, IFCs may obtain loans to share risks with their customers, only with prior authorisation from the CNBV. 

Syndication of loans by IFCs is possible. However, the general provisions applicable to IFCs state that they must set controls in their platforms that prevent the same investor from making investment commitments that exceed certain percentages based on the financing to be granted. 

Furthermore, IFCs are prohibited from offering projects through their platforms that are being offered at the same time on another IFC platform. 

Pursuant to the provisions applicable to fintech in Mexico, IFPEs are not entitled to create new payment rails; instead, IFPEs must use the existing ones. The Fintech Law provides that an IFT will only receive funds from its customers that come directly from money deposit accounts opened in an authorised financial institution. It also states that IFTs are only obliged to deliver funds to their customers by means of credits or transfers to the respective accounts that they have opened in financial institutions. 

Nevertheless, IFPEs may obtain authorisation from the CNBV to receive or deliver amounts of cash to their customers.

IFPEs may, with prior authorisation from the CNBV, make money transfers in local or foreign currency or virtual assets, having received, in all the above cases, prior authorisation from Banxico, through credits and debits between their customers and other IFPEs, as well as account holders or users of other financial entities, or foreign entities authorised to perform similar transactions.

In Mexico, fund administrators are primarily regulated by the Investment Funds Law (Ley de Fondos de Inversión), formerly known as the Investment Companies Law (Ley de Sociedades de Inversión). The purpose of this law is, among other things, to regulate the organisation and operation of these funds, the intermediation of their shares in the securities market, and the services they must contract to carry out their activities. 

The law defines investment funds as those companies which have as their purpose the acquisition and sale of the assets that the law considers to be the object of the investment, with resources from the placement of shares representing their capital stock, offering them to an undetermined person through financial intermediation services. 

It should be noted that the Mexican legal system also provides for an additional type of fund administrator, in the form of pension or retirement funds regulated by the Law of the Retirement Savings Systems (Ley de los Sistemas de Ahorro para el Retiro).

Pursuant to the provisions of Mexican law, persons that distribute shares of investment funds must agree with the investing public, on their behalf, at the time of execution of the respective agreement, the means by which the prospectuses and documents with key information on the investment of the funds whose shares they distribute and, if applicable, their amendments, will be made available for their analysis and consultation. At the same time, these persons must agree on the facts or acts with respect to which they will presume the investing public's consent.

Originally, the creation of an exchange or trading platform for virtual assets was envisaged, however, Banxico decided to restrict transactions dealing with virtual assets (Circular 4/2019) to credit institutions and IFTs in the execution of their internal transactions, as it considered that the provision of services related to virtual assets to the general public by financial institutions would not be convenient and the risks associated with virtual assets should not impact the end user. 

Banxico has pointed out that even though IFTs and credit institutions in Mexico are not authorised to offer virtual asset transactions to the public, this does not imply that companies other than these cannot offer services related to virtual assets. 

No exchange or trading platform is provided by the Fintech Provisions, therefore no different asset classes are available. The only assets that might be authorised in the near future are virtual assets. In order for them to be classified as such, they must comply with the following characteristics and have: 

• information units which do not represent the ownership or rights of an underlying asset and which are uniquely identifiable, even fractionally, and stored electronically; 
• emission controls defined by means of specific protocols to which third parties may subscribe; and 
• protocols in place to prevent replicas of information units, or fractions thereof, from being available for transmission more than once at the same time.

In Mexico, there is no cryptocurrency or virtual asset market authorised by Banxico in the context of the Fintech Provisions. The emergence of a virtual asset market through companies other than IFTs or credit institutions continues to push the regulator to modify the legislation so that such entities may enter into transactions with virtual assets other than internal transactions. 

Additionally, the emergence of cryptocurrency exchanges has impacted the existing regulation regarding AML compliance. In 2018, in parallel with the enactment of the Fintech Law, several laws were amended, among them the Anti-money Laundering Law, to include in its catalogue of vulnerable activities the usual and professional offer of the exchange of virtual assets by non-financial entities, through electronic, digital or similar platforms that manage, operate or carry out purchase and sales transactions or guard, store or transfer different virtual assets than those acknowledged by Banxico.

Unlike the regulatory approach in other jurisdictions where virtual assets are compared with securities, and listing requirements and standards are provided, regulation in Mexico is limited to recognising virtual assets and authorising specific transactions with them, but no listing standards are provided by the regulation.   

No regulation exists regarding the exchange or trading of virtual assets. 

No regulation regarding peer-to-peer trading platforms exists. 

The lack of any specific regulation may give rise to problems regarding the execution of customer trades or any other aspect related to the protection of customers of the financial system. 

No extensive regulation exists regarding the exchange or trading of virtual assets.       

The provisions regarding the fintech industry in Mexico are based on the principles of financial inclusion and innovation, promotion of competition, consumer protection, preservation of financial stability, prevention of illicit transactions, and the establishment of technological neutrality.

There is no specific regulation applicable to the creation and/or usage of high-frequency and algorithmic trading in Mexico. 

Mexican legislation does not require market makers to be registered when functioning in a principal capacity. 

There is no specific regulation applicable to the creation and/or usage of high-frequency and algorithmic trading in Mexico, therefore there is no regulation that provides a distinction between funds and dealers that engage in such transactions. 

There is no specific regulation applicable to programmers who create trading algorithms and other trading tools. However, computer programs, defined by the Copyright Law (Ley Federal del Derecho de Autor) as any original expression in any form, language or code of a set of instructions which, with a given sequence, structure and organisation, has the purpose of having a computer or device perform a specific task or function, are protected by said law. 

Financial research platforms are not regulated by Mexico’s Fintech Law and therefore they are not subject to registration. 

The Fintech Law provides a general obligation for IFTs to adopt the necessary measures to prevent false or misleading information from being spread by them. Likewise, conduct such as disclosure of or benefiting from privileged information, market manipulation, as well as spreading false information about securities, or regarding the financial, administrative, economic or legal situation of public companies, is penalised by the Securities Market Law. 

Mexico’s Fintech Law does not regulate financial research platforms. There is therefore no specific regulation regarding a post's content on certain platforms. However, unacceptable behaviour, such as disclosure of inside information, may be penalised by the Securities Market Law, where applicable. 

Insurtech is not specifically regulated by Mexican laws. The insurance industry is regulated by the Insurance and Bonding Companies Law (Ley de Instituciones de Seguros y Fianzas) and the Insurance Contract Law (Ley Sobre el Contrato de Seguro) and its secondary regulations. There are no specific requirements or processes for insurtech providers different from those applicable to traditional insurance companies. Insurance companies must obtain authorisation from the federal government through the CNSF to be incorporated and to operate as an insurance company, and the relevant authorisation is non-transferable.   

Authorisation to operate as an insurance company will allow said companies to provide insurance services in three general categories: (i) life, (ii) accidents and health, and (iii) damages, which are regulated by the Insurance and Bonding Companies Law and the Insurance Contract Law, by different provisions in each case. However, in addition to this, the relevant insurance products are not treated differently by industry participants and regulators.   

Regtech providers are commonly hired by financial entities to help them comply with regulatory requirements. 

The principal area in which regtech is used is to comply with AML/CFT provisions. However, regtech providers are not regulated by Mexican law. 

The contractual terms between financial entities and regtech providers regarding the performance and accuracy of services are negotiated between the parties; they are not dictated by regulation. Regulations such as the General Rules issued by the CNBV regarding AML/CFT provide that financial entities must implement a risk-based approach (RBA) to assess customers, products, services and geographical risk, as well as to report a certain type of transaction and to prevent transactions with persons included in blacklists. Therefore, financial entities usually look for accuracy and updated information from their regtech providers, as well as the tools to comply with due diligence and KYC obligations, and the capacity to identify suspicious transactions and send the relevant reports to the authorities.

Traditional players in the financial services industry have shown great interest in blockchain technology and seek technological solutions to comply with AML/CFT provisions, such as customers’ due diligence and KYC processes. At least four of the largest banks in Mexico are exploring the possibility of introducing smart contracts in their transactions, and most banks provide digital services through websites and apps.  

Although the authority (Banxico) acknowledges the multiple risks in the use of technologies such as blockchain, especially when describing them in relation to the use of virtual assets, it has indicated that it does not seek to restrict their use and that the regulations do not prevent the use of these technologies when they are developed for private use and are not associated with a virtual asset. No new rules or interpretations are expected to be accepted in the near future. 

Blockchain assets are not considered financial instruments under Mexican regulations. The only recognition of blockchain assets is as virtual assets (cryptocurrencies). They are understood as a value representation electronically registered and used as a means of payment, but in no situation will they be considered as legal currency. Mexican laws do not regulate blockchain assets that represent stakes in a project or company. 

Mexico’s Fintech Law does not address the regulation of blockchain asset issuers or the initial sale of blockchain assets. Furthermore, they are not considered to be financial instruments, currency, security or a commodity, as the case may be in other jurisdictions. 

Fintech provisions in Mexico do not regulate blockchain trading platforms. 

In Mexico, investment funds are mainly regulated by the Investment Funds Law and the General Rules Applicable to Investment Funds and to their Service Providers. These regulations provide a list of assets in which funds may invest, and virtual assets are not included. 

In Mexico, the only recognised blockchain asset is the virtual asset, which is defined by the relevant regulation as a value representation electronically registered and used as a means of payment, but in no situation will it be considered legal currency. Other blockchain assets are neither recognised nor regulated by Mexican laws. 

Decentralised finance is neither defined nor regulated in Mexico’s Fintech Law.

Although Fintech Law does not regulate NFTs, certain rights and liabilities may be associated with their issuance.

Federal Copyright Law

NFTs might be considered as subject to the Federal Copyright Law, as NFTs are digital assets, the authenticity and ownership of which can be demonstrated and verified using distributed ledger technology. They can therefore be used to create a tokenised proof of title to a unique digital version of an underlying digital or physical asset (ie, images, videos and paintings). The Federal Copyright Law protects any original art which is susceptible to being divulged or reproduced in any form or media from the moment such art is fixed in a material form, without any requirement, registration or document proving its authorship. Therefore, if someone creates a unique digital version of the work as a data file using blockchain, or any other kind of distributed ledger technology, that excludes the possibility of the NFT being edited or deleted. This makes it possible for them to be freely traded with verifiable security of exclusive ownership and transaction traceability, and to be protected by Federal Copyright Law, which provides the authors with the following: (i) moral rights, recognising the authorship; and (ii) economic rights, consisting of perceiving any royalty by art exploitation.

Fintech Law and Federal Copyright Law

Additionally, NFTs could be subject to the Fintech Law, since they may be used as a financial instrument, electronic money or a collective investment instrument. Therefore, the Fintech Law and Federal Copyright Law, among other Mexican provisions, might be amended to include a clear legal framework which addresses and takes into account the complexity of the NFTs.

The Fintech Law supports open banking. It provides that financial entities, money transmitters, credit information entities, financial clearing houses and entities authorised to operate in regulatory sandboxes, must enable application programming interfaces (APIs) that allow connectivity and access to other APIs from the above-mentioned entities or authorised third parties specialised in information technology, to share the following information: 

• open financial data that contains no confidential information or personal data; 
• aggregated data and statistical information that does not allow the identification of a specific person or their transactions; and 
• transactional data and the information regarding the transactional profile of customers, which is considered as financial or patrimonial personal data by the Personal Data Protection Law.   

The authorised third parties requiring the relevant information must be capable of identifying an area of opportunity related to financial services and create a value proposal. 

The sharing of data and information under the open banking scheme is subject to secondary regulations. 

In March 2020, and later, in June 2020, the CNBV published the General Rules Regarding Application Programming Interfaces referred to in the Fintech Law, in the Federal Official Gazette. The first publication was applicable to credit information entities and financial clearing houses, and the second publication was applicable to financial entities, money transmitters, entities authorised to operate in regulatory sandboxes, and third parties specialised in information technology. However, these Rules only regulate the sharing of open financial data; the relevant regulations regarding aggregated data and transactional data are still pending. 

The regulation of open banking provides that the exchange of data is subject to information security and integrity policies, and the Personal Data Protection Law is applicable to data providers and data requesters involved in the exchange of information under the open banking scheme, but it is not clear how data privacy and data security concerns will be addressed.