Fintech in Mexico and the Scope of Regulation

‘Mobile technologies may be the greatest economic revolution we will see in our lives.’

Farhad Irani

The innovative aspects and the evolution of financial technologies have allowed for a strong positioning in the market, transforming the world and marking the beginning of a new era. The term ‘Fintech’ is lexically the union of the abbreviated words that make up the concept of ‘Financial Technology’, which refers to the interaction of financial systems and technology.

The widespread distrust emanating from the financial crisis of 2008 led to the development of financial alternatives that could meet the needs of consumers, alternatives which benefitted fully from the advent of new means of interacting and of carrying out recruitment, as well as of remunerating and investing. It can be argued that Fintech companies have emerged to fill gaps in traditional banking, doing away with the existing limitations on project, company or sector financing; making local and cross-border payments accessible; reducing the need for intermediaries, as well as increasing the monetary and administrative efficiency of financial transactions, among others.

Bowing to international trends for regulating the capture and investment of revenue through the use of technology, Mexico has been forced to legislate on financial services less rigidly, and in ways that are mindful of existing law. Although it responded later than other countries, Mexico currently has a track record of sector start-ups which have flourished and grown significantly.

Nonetheless, the rapid development of financial services provided by entities which essentially operated in a gray area between regulation and complete lack thereof motivated Mexican authorities to undertake the task of reviewing the activity of Fintech companies more closely. The need arose for appropriate regulation similar to working models in other countries that would marry Mexican financial legislation to the reality of financial technologies.

Consequently, the Financial Technology Institutions Law (forthwith referred to as the ‘Law’ or ‘Fintech Law’) was approved and published in the Federal Official Gazette on March 9 of this year. The objective of the Law is to group and regulate banking sector agents, entrepreneurs and private capital owners based on protecting inclusion and financial stability. Fintech Law also endeavours to prevent fraud, money laundering or mobile payments through the use of cryptocurrencies; it protects consumers and creates competition.

Issues with the Regulatory Framework in Mexico Prior to Fintech Law

The emergence and expansion rates of Unregulated Multiple Purpose Financial Companies (Sofom) and Popular Financial Companies (Sofipos), models under which many of the financial technology companies in Mexico operated, made the country the largest market in Latin America, with 140 financial services start-ups. The most common activities of Fintech companies are crowdfunding, loan services to small and medium enterprises, financial consulting, payments and remittances, management of personal and business finance, financial education and savings, markets and foreign currency exchange, and managing cryptocurrency, among others.

The main problem was the lack of regulation in matters of crowdfunding, deposits and payments, and currency exchange, which had never been contemplated under the Securities Market Law or the Credit Institutions Law, among others. Furthermore, the lack of supervision of financial services under the National Banking and Securities Commission (‘CNBV’), and the insufficient consumer protection provided by the Commission for the Protection and Defence of Users of Financial Services (‘CONDUSEF’) or by the Federal Consumer Protection Office (‘PROFECO’) caused a great deal of concern for financial consumers.

Prior to Fintech Law, the only provisions in effect were those outlined in the legal framework for the regulation of electronic commerce. This legislation was however inadequate for covering the type of operations currently carried out in the Fintech sector; attempts were made rather unsuccessfully at interpreting existing law to respond to the needs of the sector. The overall lack of regulation generated significant legal uncertainty for the operation of Fintech start-ups in Mexico, reason for which the federal government was compelled to enact bespoke legislation. However, there are specific challenges inherent to Fintech Law that will be faced by financial technology institutions (‘ITF’), difficulties that will probably favour entities in the financial sector.

The Regulated Fintech

The Law aims to regulate two types of ITF: (i) crowdfunding institutions and (ii) electronic payment fund institutions. It is also responsible for regulating virtual assets - securities not backed by a banking institution. The differentiation of regulated activities leaves out important areas such as credit risk, insurance activities (Insurtech), among others. The net result is regulation in the sector that is largely asymmetrical.

The first type of regulated ITF, crowdfunding, is defined by the Law as activities intended to establish connections amongst members of the general public, with the purpose of granting financing through operations carried out through computer applications, interface platforms, webpages or any other means of electronic or digital communication.

However, crowdfunding activities include five strands, out of which the Law focuses on regulating only three, (i) crowdfunding debt, in which financing is granted to applicants through resources from various investors; (ii) crowdfunding of capital, in which the investors acquire a specific participation share in the applicant entity and (iii) crowdfunding of co-ownership or royalties, in which an investor acquires an aliquot share or equity of the revenue, profit, royalties or losses on an applicant's projects, as part of joint ventures or agreements. The remaining two types of crowdfunding (donation-based and reward-based) are not regulated, as they do not require a licence for carrying out essential activities.

Crowdfunding institutions must comply with obligations defined in Fintech Law, as applicable to various aspects of their operations. For example, their activities must be carried out in national currency, and they cannot issue statements of guaranteed return on investments.

Services offered by electronic payment institutions to the public include the issuance, administration, redemption and transmission of electronic payment funds through the same means available in the case of crowdfunding: computer applications, interface platforms, webpages or any other means of electronic or digital communication.

One common service provided by electronic payment institutions is the opening of funding accounts for customers, where the latter are able to make deposits in local or foreign currency, move certain virtual assets, issue electronic payment transfers, and transfer certain amounts, whether in national currency, foreign currency or virtual assets, if authorised by the Bank of Mexico. However, no interest, income or any other monetary benefit will be paid on the accumulated balance for such transactions, unless instructed by the Bank of Mexico. It should be noted that electronic payment institutions are permitted transactions with virtual assets and foreign currency for deposits and payments, while crowdfunding institutions may only carry out similar operations upon authorisation from the Bank of Mexico.

Both types of ITF require a licence to operate, and resources used by clients in operations with the ITF are not guaranteed by the federal government or state-level public administration.

Virtual Assets

According to Fintech Law, virtual assets are understood as the electronic representation of value which is used by members of the general public as payment for all type of legal transactions, where the transfer can be carried out solely by electronic means. While this definition clarifies that virtual assets be used as means of payment, nowadays some users are giving it a different use, for example that of storing value. Although the exchange of virtual assets generates interest on account of public demand, they are neither issued nor endorsed by the Bank of Mexico or any financial institution.

The Bank of Mexico is the entity tasked by the Law with determining: (i) the virtual assets with which it is permitted to operate, (ii) the type of operations to be carried out, (iii) the settlement of transactions resulting from the delivery to the client of an amount of virtual assets or the amount in national currency for a payment received for the sale of the same, and (iv) the characteristics, custody and control measures of the assets. The criteria employed by the Bank of Mexico for determining the type of virtual assets to be operated with include the use that the public will give them, the way other jurisdictions handle them, as well as additional regulation aimed at controlling the replication of asset units. However, the authority that the Bank of Mexico can exercise in issuing secondary provisions for recognising or determining the characteristics of virtual assets is highly discretionary. This regulatory flexibility casts a shadow of uncertainty on the effectiveness of the primary provisions of Fintech Law.

Although on one hand the Law clearly seeks to protect ITFs from money laundering or terrorism financing, it also aims to protect the consumer from fraud and the inappropriate use of personal data. It has attempted to achieve the latter by requiring the identifying of applicants and investors, and by regulating the delivery and reception of money on the consumer side. However, this protection has not been sufficient, since the law mandates that risks are fully borne by the customer.

Authorisation Procedure

Operating an ITF requires a licence that must be requested from the CNBV, licence which is discretionarily granted upon agreement within the Interinstitutional Committee. Additionally, the Bank of Mexico (BM) has the authority to recognise ITFs intending to carry out activities with virtual assets and foreign currency.

Nonetheless, legal entities seeking to obtain authorisation to become an ITF must previously be incorporated as Public Limited Companies, demonstrate domicile in national territory and have a fixed capital that is share-subscribed and payed out. ITFs may proceed to carry out activities once these requirements have been deemed fulfilled according to the general provisions issued by the CNBV for that purpose. For the moment, it is not possible to predict the criteria that the CNBV will use for determining said provisions; however, this discretionary power is not expected to dictate unattainable requirements that could limit competition, or, conversely, generate provisions so lax that they may destabilise the financial market.

The Operation of the ITF

ITFs must handle the limited monetary resources of their clients, or the funds which clients may have available, reserves which when received from or delivered to the consumer must come from or be deposited to accounts opened with financial entities. Exceptionally, the CNBV may authorise the receipt or transfer of amounts in cash, or the transfer of electronic funds from accounts opened with financial entities abroad. These limitations force the ITFs to document the monetary transactions made.

Likewise, resources received from clients must be kept identified by client and need to be segregated from the ITF's own resources. To this end, ITFs are required to provide clients with account statements. On the other hand, financial statements issued by the ITF must be audited by an independent external auditor.

Oversight of ITFs

The CNBV is the financial authority tasked with supervising compliance on the part of the ITF. Likewise, the Bank of Mexico will act as the oversight body with respect to the provisions that emanate from it.

The Regulatory Sandbox

Authorisation under a sandbox model is required of companies interested in trialling innovative technological activities, or when providing financial services different from the existing and regulated ones. The authorisation that financial authorities issue for this purpose will be exceptional for these services, and time-bound to two years. The terms and conditions for the authorisation of the provision of the specified services is established therein, and in the eventuality of conflict between the authorised company and its client, the CONDUSEF will oversee dispute resolution.

Legal entities, financial entities and ITFs may request to operate under the sandbox model, although in the case of the latter two a shorter operating time is considered when the authorisation is granted. All three types of institutions are subject to supervision and will be required to report the number of clients they have had transactions with, the operations they have performed, and the risks that may have arisen, among other obligations.

Administrative and Criminal Sanctions

The imposition of sanctions for non-compliance with the Law or the conditions outlined in the authorisation to operate whether as an ITF, or in the sandbox model, is subject to administrative or criminal penalties.

Financial entities, innovation companies, ITFs and companies authorised to operate with sandbox models, as well as the members of the board of directors, general managers, executives, officials and employees, among other staff, may be sanctioned.

Fines vary in amount depending on the level of the administrative transgression, and criminal sanctions are proportional to the offense. It should be noted that one of the most severe sanctions mandates imprisonment for seven to fifteen years for carrying out activities without having the corresponding authorisation.

The Risks and Deficiencies Inherent in Fintech Law

Although there is evidence that the Law has sought to prevent illicit operations on the market, as well as to protect consumers in the transactions they undertake, there is a number of risks that have not been mitigated.

One of the risks concerns money laundering, where even though the Law establishes certain information exchange controls for preventing illicit activities, it does not stop related fraud or computer crime that may occur. Another risk of a fiscal nature that the Law does not contemplate relates to the exacting of tax for crowdfunding activities, or to consumer protection, as resources invested by customers are not guaranteed. Likewise, long-term risks are also possible, such as in monetary policy, which can be affected by the growth of the volume of credit in the absence interest rates referenced by a Central Bank. This can generate instability and distortions within the country's monetary policy.


In principle, Fintech Law seeks to establish general principles, while secondary provisions aim to cover other areas not initially contemplated. While over-regulation has the tendency to limit entrepreneurship, the current Law, despite significant attempts at establishing a regulatory framework, leaves several areas which for the moment are inadequate, and that will need to be remedied. In addition, there is evidence in the text of the Law to contend that although it seeks to protect both the industry and the financial resources of customers, there is a certain inclination in favour of the traditional banking sector, which reflects the long-standing status quo privileges of the latter.

Mexico, as an emerging country in the Fintech sector, must be mindful of the progress of financial technology, and understand it is likely to be ahead of the Law. Regulators and supervisors must aim to be constantly up-to-date in order to meet the needs that accompany innovation in technology. Financial regulation needs to learn from and respond to the changes rippling through the market, even more so if the innovative projects proposed by some start-ups seek to correct the inefficiencies of traditional banking and add competition in the sector, favouring users.

This opinion is provided based on the interpretation of laws applicable in Mexico.