Rapidly Expanding Fintech Industry Brings Unique Compliance Challenges To Mexico

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.

Corporate compliance overview

Mexico’s financial sector has undergone significant transformations in recent years, with the rise of fintech companies disrupting traditional financial services through technological innovation. While this has brought about new opportunities, it has also posed challenges for regulatory compliance, particularly given the constantly evolving regulatory landscape. In this chapter, we will examine the importance of compliance for fintech companies in Mexico, challenges they face, and strategies they can employ to ensure compliance.

As we have seen over the past few years, fintech companies have grown in Latin America thanks to several factors, including poor access to traditional banking and credit. This growth has had an impact on the size of the economies in Latin America, which is led by Brazil, followed by Mexico, Colombia, Argentina and Chile. According to calculations made by the Inter-American Development Bank, at the end of 2021 the number of fintech companies in Latin America and the Caribbean was estimated to be more than 2,300, an increase of more than 85 per cent since 2017.

The primary goal of fostering a culture of compliance in Mexico is to mitigate legal risks for businesses, executives, shareholders, officers, representatives and employees. Furthermore, compliance is crucial for improving a company’s competitive edge and worth in comparison to both national and international competitors. The Organisation for Economic Co-operation and Development (OECD) has been integrating corporate governance practices into its policies, emphasising that ‘good corporate governance contributes to financial market stability, investment, and economic growth’. To develop strong corporate governance, businesses must satisfy key criteria, such as employing honest management, defining roles and responsibilities within various company divisions, ensuring the efficient, transparent and continuous information flow internally, safeguarding the rights of shareholders, and managing relations among diverse stakeholders.

The fintech industry is rapidly expanding in Mexico and disrupting traditional financial services. Fintech firms operate at the intersection of finance and technology, making them subject to strict regulation and oversight by authorities. Ensuring compliance with relevant laws, regulations and best practices is essential to maintain the trust of customers, investors and regulators alike. This, in turn, fosters a stable and secure environment for the industry to thrive. However, fintech companies face unique compliance challenges compared to traditional financial institutions, as they operate in a constantly evolving technological landscape with new products and services being introduced regularly.

Fintech companies must prioritise establishing robust internal compliance frameworks, staying current on evolving regulations, and fostering a culture of transparency and accountability. Given that fintech companies are relatively new players in the financial landscape, they have garnered significant attention from supervisory authorities, which are keen to monitor their activities and mitigate potential risks.

Noncompliance with regulations can result in severe consequences, such as fines, reputational damage or even the suspension of operations. Fintech entities must prioritise creating effective compliance programmes that are specifically tailored to their business models and products. Conducting a thorough risk assessment to identify and then mitigate potential risks associated with their unique operations and regulatory environment is crucial. Fintech firms should develop targeted policies and procedures to address the intersection of finance and technology, ensuring compliance with stringent regulations and oversight by authorities.

This risk-based approach should be complemented by fostering a strong culture of compliance throughout the organisation, starting with a clear commitment from senior management and the board of directors. Regular training and education for employees, robust monitoring and reporting systems, and encouraging open communication and feedback are crucial components for maintaining compliance and facilitating continuous improvement within the fintech industry.

Fintech companies in Mexico need to navigate a complex regulatory landscape to ensure compliance. This regulatory landscape is led by the Financial Technology Institutions Law (the Fintech Law), followed by several regulations issued by the National Securities and Banking Commission, applicable to different types of fintech entities (electronic payment companies, crowdfunding companies or sandboxes), anti-money laundering compliance, programming interfaces, external auditing services providers, among others, as well as the regulations issued by Banco de México in connection with cryptocurrencies. However, fintech companies that prioritise compliance can build a reputation for trustworthiness and reliability, while also fostering a stable and secure environment for the industry to thrive.

Embracing technology

As the fintech sector continues to grow and evolve, it is vital for companies to embrace technology to enhance their corporate compliance efforts. The incorporation of cutting-edge technological solutions, such as artificial intelligence (AI),[2] machine learning, and blockchain, can greatly improve the efficiency and effectiveness of compliance programmes. These technologies can be employed in various aspects of compliance management, such as monitoring transactions, identifying risks, and ensuring adherence to regulations. By leveraging advanced technologies, fintech companies can proactively identify and mitigate potential risks, reduce manual errors and streamline compliance processes, ultimately fostering transparency and accountability in the organisation.

The integration of technology in compliance management also enables fintech companies to stay ahead of the constantly evolving regulatory landscape. For example, implementing automation and data analytics tools can help fintech entities to effectively monitor large volumes of data, identify patterns and trends, and detect unusual activities that may signal noncompliance. By embracing technology and harnessing its potential in the realm of corporate compliance, fintech companies can maintain a competitive edge and ensure that they remain in line with the highest standards of regulatory adherence, thus safeguarding their reputation and promoting the overall growth and stability of the industry.

Financial technology regulation in Mexico

Mexico’s fintech sector has grown in the past decade given legislative advances that have made Mexico an appealing location for start-up creation and development. Investors have been able to expand their businesses and enter new regional markets. On 9 March 2018, Mexico’s Congress enacted the Fintech Law to regulate financial services using innovative technology. This law provides a framework for regulatory sandboxes, APIs, crowdfunding and electronic payment fund institutions (collectively known as ‘ITF’ in Spanish), making Mexico a leader in the Latin American region for governing the fintech industry.

With the enactment of the Fintech Law, ITFs must adhere to strict regulatory compliance measures. Specifically, they must establish necessary supervisory and internal control structures and disclose procedures and documents to customers and authorities, including in the ITF’s agreements and webpages. Additionally, upon receiving authorisation, ITFs face challenges in implementing and maintaining good corporate practices, such as internal control, anti-money laundering (AML) compliance and external auditing. As a result, it is crucial for fintech companies in Mexico to prioritise the establishment of compliance programmes to navigate the complex regulatory landscape and ensure long-term success in the industry.

On 8 March 2019, the Mexican Central Bank issued Circular 4/2019, which significantly limited the use of cryptocurrencies by ITFs and banking institutions. Under this regulation, such entities can use cryptocurrencies only for internal operations and are prohibited from conducting consumer transactions involving these assets. In Mexico, only cryptocurrency operations conducted by crowdfunding firms, electronic money institutions and banking institutions are regulated under the Fintech Law, its secondary regulations and Circular 4/2019. Transactions between other individuals and entities are not covered by these regulations and instead fall under regular commercial and civil legal provisions.

Compliance provisions in the Fintech Law

The Fintech Law in Mexico includes several articles that address the compliance requirements of ITFs, ensuring that they operate within the bounds of the established regulations. One of the key articles in this regard is Article 39, which outlines the requirements necessary for ITFs to obtain authorisation from the National Banking and Securities Commission (CNBV) to operate. These requirements include:

  • Developing and implementing risk disclosure policies, as well as defining responsibilities for the conduct of operations. ITFs are also required to disclose warnings related to the use of interfaces, websites or electronic communication means on their respective platforms.
  • Establishing measures and policies for operational risk control and information security. This includes implementing confidentiality policies and ensuring that they are supported by secure, reliable and accurate technological infrastructure.
  • Creating policies to address and resolve potential conflicts of interest that may arise during the performance of the ITFs’ activities.
  • Implementing fraud prevention policies, as well as measures to prevent operations involving resources of illicit origin and the financing of terrorism.

These regulations highlight the importance of due diligence in the fintech sector. Failure to comply with any of these provisions can result in sanctions, including the cancellation of an ITF’s authorisation to operate. This underscores the need for ITFs to have a comprehensive compliance programme in place to avoid potential penalties and maintain a trustworthy reputation.

Article 48 of the Fintech Law further emphasises the importance of compliance by requiring regulated entities to maintain the stability and proper functioning of their internal control mechanisms and risk management systems. The CNBV and the Mexican Central Bank have been granted the authority to issue specific regulations related to these matters.

To ensure compliance with the Fintech Law and its provisions, ITFs should prioritise the establishment of comprehensive compliance programmes that cover every aspect of their operations. This includes regular reviews and updates of internal policies and procedures to remain current with any changes to the regulatory landscape. Moreover, ITFs should invest in employee training and education to promote a culture of compliance, ensuring that all team members understand the importance of adhering to these regulations and the consequences of noncompliance.

The Fintech Law also contains key provisions relating to the following.

Financial statements and external auditors

Articles 49 to 52 focus on the financial statements of ITFs and compliance requirements, which include:

  • an annual financial statement audit by an external auditor, appointed by the board of directors (external auditor);
  • regulations set by the CNBV defining the characteristics and qualifications of external auditors and the contents of their reports;
  • the CNBV’s authority to supervise and examine external auditors, including information requests, supervision visits, appearance requests for auditors, and issuance of audit rules and procedures;
  • external auditors must retain information and documents related to the evaluation and issuance of their opinions on financial statements for a minimum of five years. Technological or automated means may be utilised for storage purposes;
  • external auditors must share relevant information supporting their opinions, evaluations, and conclusions with the CNBV;
  • if irregularities that threaten the ITF’s operation and functioning are discovered during or as a result of an audit, external auditors must report their concerns to the audit committee or company commissioner and the CNBV, or the Mexican Central Bank, as appropriate; and
  • external auditors may be held liable under certain circumstances specified in the Fintech Law and applicable regulations.

Anti-Money Laundering

ITFs must adhere to specific compliance requirements concerning anti-money laundering (AML) and combating the financing of terrorism (CFT), including:

  • establishing measures and procedures to prevent and detect acts, omissions, or operations linked to terrorist financing or money laundering – ITFs should develop a risk assessment methodology based on the products, services, practices and technologies used in their operations;
  • submitting reports to the Ministry of Finance regarding transactions or services with clients, between clients, and carried out by ITFs’ board members, executives, employees, or attorneys that may be related to terrorist financing or money laundering;
  • adequately understanding clients’ backgrounds, specific conditions, economic and professional activities, and geographic locations where they conduct business;
  • safeguarding and ensuring the security of client identification information and documents;
  • establishing a communications and control committee; and
  • appointing a certified compliance officer.

Board of directors and a managing director

ITFs must appoint a managing director and maintain a board of directors comprising no more than nine members, with at least 20 per cent deemed independent. Article 60 of the Fintech Law outlines the specific requirements for board members, while Article 61 defines independent members.

Audit Committee

Depending on their activities, ITFs may need an audit committee to support the board of directors.

These provisions emphasise the importance of ITFs establishing robust compliance programmes that address a wide range of regulatory requirements. By focusing on comprehensive compliance management, ITFs can mitigate risks associated with financial statement audits, AML and CFT measures, governance structures, and audit committees.

Information security

On 28 January 2021, the CNBV and the Mexican Central Bank issued the Regulations applicable to Electronic Payment Institutions in connection with information security, as established in Articles 48, Paragraphs 54 and 56 of the Fintech Law (Information Security Regulations), which have the purpose of setting principles of financial inclusion and innovation, promotion of competition, protection of consumers, financial stability and technological neutrality. The Information Security Regulations provide a unified, systematic, coherent and clear regulatory framework that grants legal certainty to the participants of the financial technology market, promotes the growth of electronic payment institutions and safeguards the interests of their customers and the financial system as a whole.

Specifically, the Information Security Regulations contain provisions on security of the information, including confidentiality policies, and account registries, use of electronic, optic or any other technological means, automated systems of data processing and telecommunications.

Data Privacy Protection

By the very nature of its business, the fintech sector collects and operates with personal data. Fintech companies therefore must ensure compliance with data protection laws, specifically the Federal Law on Protection of Personal Data Held by Private Parties (Mexican Data Privacy Law).

The Mexican Data Privacy Law is the main data protection law in Mexico, regulating the collection, processing, storage and transfer of personal data by private parties. It aims to protect the fundamental right to privacy of individuals and provides guidelines for the processing of personal data by private parties, including fintech companies. Failure to comply with the Mexican Data Privacy Law can result in significant fines and reputational damage for fintech companies.

Fintech companies operating in Mexico must adhere to the requirements set out in the Mexican Data Privacy Law, including obtaining the explicit consent of individuals for the collection and processing of their personal data, limiting the use of personal data to the specific purposes for which it was collected, implementing appropriate technical and organisational measures to protect personal data, and ensuring the accuracy and completeness of personal data. It is crucial for fintech companies to be transparent about their data collection practices and provide individuals with clear and concise information about the purposes for which their personal data will be used.

Additionally, fintech companies must ensure that they have the necessary technical and organisational measures in place to protect personal data. This includes implementing appropriate security measures to prevent unauthorised access, disclosure, alteration, or destruction of personal data. Fintech companies must also ensure that their employees are adequately trained on data protection and security measures and have access to policies and procedures that govern the handling of personal data.

The Mexican Data Privacy Law also requires fintech companies to establish internal procedures for handling individuals’ requests to access, modify or delete their personal data. These procedures must be simple, accessible, and timely. Fintech companies must also provide individuals with access to their personal data upon request, as well as information about the origin, use and third-party recipients of their data.

Furthermore, the Mexican Data Privacy Law requires fintech companies to have agreements in place with any third parties that may have access to personal data. These agreements must outline the specific purposes for which the third party is permitted to use the personal data and include appropriate technical and organisational measures to protect the data.

It is essential for fintech companies to keep current with changes in the regulatory landscape to ensure ongoing compliance with data protection laws. In recent years, Mexico has seen significant developments in data protection laws, including the enactment of the General Data Protection Regulation (GDPR) in the European Union. As many fintech companies operate globally, compliance with the GDPR is essential, as it imposes strict requirements on the processing of personal data of individuals in the EU.

Benefits of having good corporate compliance practices

Having a robust corporate compliance programme can offer several advantages to fintech entities and other companies, such as to:

  • pursue a long-term vision to achieve an unbiased benefit for all participants within and outside the company, including employees, managers, administrators, investors and the investing public;
  • establish a firm framework to perform accurate, clear and useful regular evaluations, including an analysis of potential risk factors within and beyond the regular course of business, alternatives to mitigate the impact of different events on the company and its financial situation, as well as efficient management of capital, cash and liquidity;
  • cultivate a culture of review and control of the company’s documentation and information, enabling regular and transparent communication between the company and its stakeholders;
  • ensure accountability, equity and transparency at every level and group within the company;
  • enhance operational growth with coordinated and transparent systems that attract investment from the investing public;
  • create a culture of collaboration with established protocols to prevent conflicts between shareholders and related parties;
  • enhance the company’s reputation with the investing public and international markets, positioning it in competitive places nationally and internationally, thereby improving access to financing and capital sources; and
  • raise the price and increase bargaining power in the event of a possible sale, owing to the entity’s internal regulations.

Challenges going forward

Mexico’s fintech sector has experienced significant growth and transformation in recent years, largely due to regulatory advancements that have made the country an attractive destination for startups and investors. The enactment of the Fintech Law and other regulatory measures has created a complex landscape that fintech companies must navigate to ensure compliance and long-term success.

Challenges for fintech companies in Mexico include establishing robust internal compliance frameworks, staying up to date on evolving regulations, and fostering a culture of transparency and accountability. Fintech entities must prioritise the implementation of compliance programmes that are tailored to their specific business models and products, while also addressing the unique intersection of finance and technology.

Adherence to strict regulatory compliance measures, such as data protection and anti-money laundering, is crucial for mitigating legal risks, improving a company’s competitive edge, and maintaining trust among customers, investors and regulators. A successful compliance programme can also enhance the value of a fintech entity, making it an attractive acquisition target for larger national and multinational groups in the industry.

Going forward, fintech companies in Mexico must continue to adapt to the ever-evolving regulatory landscape and technological advancements while maintaining a strong commitment to compliance, transparency and accountability. By doing so, they can foster a stable and secure environment for the industry to thrive, benefiting all stakeholders and contributing to the country’s overall economic growth.

Additionally, as the global financial landscape continues to evolve, international cooperation and coordination among regulators will become increasingly important. Fintech companies in Mexico must stay informed about international regulatory developments and be prepared to adapt their compliance strategies accordingly. By maintaining a proactive approach to regulatory compliance and actively engaging with regulatory authorities both domestically and internationally, Mexican fintech companies can ensure their continued success in a rapidly changing industry while bolstering their reputation as trusted and reliable financial service providers.


[1] Ana Sofía Ríos and Valentín Ibarra are partners, and Alejandra Pacheco is a senior associate at Chevez, Ruiz, Zamarripa y Cía.

[2] See ‘Why Fresh Perspectives on Tech Solutions are Key to Evolving Data-Driven Compliance Monitoring’ by Gabriela Paredes, Dheeraj Thimmaiah, Jaime Muñoz and John Sardar.

