-
Who are the primary regulators overseeing fintechs in your jurisdiction, and how are regulatory boundaries evolving as innovation crosses traditional lines between payments, lending, wealth, and digital assets?
Fintech companies in Mexico are primarily regulated by the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores) (“CNBV”), which is responsible for granting licenses and supervising financial technology institutions (“Fintechs”) under the Law to Regulate Financial Technology Institutions (Ley para Regular las Instituciones de Tecnología Financiera) (the “Fintech Law”).
Additionally, Mexico’s Central Bank (Banco de México) (“Banxico”) plays a key role, particularly in overseeing payment systems, electronic money institutions, and virtual assets. Any Fintech operating with electronic payment funds or virtual assets must comply with Banxico’s regulations.
The Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público) (the “Ministry of Finance”) also has oversight authority, particularly in financial policy, taxation and anti-money laundering. The Ministry of Finance, together with Banxico and CNBV, forms the Inter-Institutional Committee, which is responsible for reviewing applications for Fintech licenses.
Other regulators may be involved depending on the type of authorization or specific services provided, as follows:
- The National Insurance and Bonding Commission (Comisión Nacional de Seguros y Fianzas) is involved in the authorization process and oversees insurtech companies.
- The National Commission for the Pension System (Comisión Nacional del Sistema de Ahorro para el Retiro) regulates Fintechs operating within the pension fund sector.
- The Financial Intelligence Unit (Unidad de Inteligencia Financiera, “UIF”), which is an agency of the Ministry of Finance, enforces anti-money laundering and counter-terrorism financing obligations, especially for Fintechs dealing with digital assets or cross-border transactions.
- The National Commission for the Defense of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros, “CONDUSEF”) handles consumer protection disputes, ensuring Fintech users have recourse in controversial cases.
CNBV and Banxico actively monitor Fintechs through audits, inspections, and regulatory reviews to ensure that:
- Entities operating in regulated activities have the proper authorizations under Mexican law, especially the Fintech Law.
- Fintechs comply with financial stability, risk management, and user protection standards.
We expect that regulatory boundaries will move as Mexico continues to adapt its framework to new Fintech activities. There has been a clear historical trend towards adapting the regulatory framework to allow regulated entities to provide their services through new technologies and to integrate into digital business models. However, this evolution has largely occurred through incremental adjustments rather than a comprehensive overhaul, which creates diverse complexities for industry participants.
-
As regulators adopt different rules for digital assets, AI, and consumer protection, what key regulatory and operational challenges could slow fintech innovation and growth in your jurisdiction over the next 12 months?
Mexico’s Fintech industry continues to show enormous growth potential. At the same time, a number of regulatory and operational challenges that are commonplace in LATAM will continue to affect the pace of market expansion and technology absorption. While the entity-based regulatory framework and evolving supervisory expectations create friction, recent policy initiatives and strategic reforms suggest a gradual shift toward a more friendly environment.
Key challenges shaping the market include:
• Licensing Bottlenecks: Authorizations under the Fintech Law declined in 2024, reflecting higher compliance costs and increased scrutiny.
• Digital Assets and Emerging Technologies: Regulators have not fully exercised their regulatory authority on digital assets, stablecoins, DeFi, and other areas, and restrictions on the use of virtual assets by regulated entities continue to limit activity in areas such as crypto lending, DeFi, and staking, which remain largely unregulated. At the same time, there are several initiatives to draft bills aimed at regulating new technologies, including AI-driven financial services, through risk-based governance models that aim to balance innovation with consumer protection. In addition to the foregoing, Mexico should act within its international treaty network to lay the regulatory foundations to facilitate cross-border digital asset activity.
• Constraints derived from the Regulatory Structure: Mexico’s body of law regulating the financial sector is very formalistic (as it is civil law based), has been continuously amended in various aspects in a way that calls for a comprehensive review for coherence and integration, and remains largely entity-based, limiting regulated institutions to activities expressly authorized under their licenses. This structure requires players to pursue multiple licenses or migrate between regulatory regimes, slowing product expansion and time-to-market.
• Open Finance Implementation Delays: Although mandated by the Fintech Law, full implementation of open finance, particularly transactional data sharing, has been delayed due to pending secondary regulation. This has slowed product development and competition, making regulatory progress in this area a key factor for growth over the next 12 months.
• Rising Compliance and Operational Requirements: Enhanced AML/CFT expectations, fraud-prevention rules, data localization requirements, and prior authorization for outsourcing information-technology services have increased compliance complexity. While these measures raise operational costs, they also reinforce trust, resilience, and systemic stability across the financial system.
• Sandbox Utilization: The regulatory sandbox framework has yet to deliver tangible results, as it has been considered impractical by entrepreneurs.
Despite these challenges, Mexico’s Fintech ecosystem remains well-positioned for continued expansion. The gradual modernization of innovation frameworks points toward a more coherent and technology-aware regulatory environment. Fintechs that proactively align their business models with regulatory developments, invest in compliance-by-design, and leverage collaborative opportunities with regulated institutions are likely to be well positioned to capture growth in the coming years.
-
Are fintechs generally required to obtain licenses or registrations to operate in your jurisdiction, and if so, which activities typically trigger those requirements (e.g., lending, payments, digital assets custody)?
Until 2018, when the Fintech Law came into effect, companies in this sector operating in Mexico did so through other financial models or in a regulatory “gray area”.
Since the issuance of the Fintech Law, Fintechs in Mexico may require authorization depending on the activities that such entities perform.
Entities carrying out the following activities are subject to authorization by, and the supervision and vigilance of, the financial regulators:
- solicitation and receipt of deposits and depository account keeping services, and issuance of debit cards linked to such accounts
- investment advisory services
- issuance, management, redeeming and transfer of electronic payment funds
- crowdfunding
- money remittance
- ordinarily carrying out the purchase, sale or exchange of currencies
The Fintech Law regulates two types of Financial Technology Institutions or Fintechs, which must obtain a license from CNBV with prior approval from the Inter-Institutional Committee.
These entities are:
- Collective Financing Institutions (Instituciones de Financiamiento Colectivo, or IFCs), authorized to facilitate crowdfunding activities, including peer-to-peer lending, equity crowdfunding, and royalty-based financing.
- Electronic Payment Funds Institutions (Instituciones de Fondos de Pago Electrónico, or IFPEs), authorized to issue, manage, and transfer electronic payment funds (e-wallets), allowing users to store and transfer money or virtual assets. IFPEs can also facilitate payments and withdrawals.
Additionally, non-financial entities that wish to offer financial services through an innovative and novel model may be granted a special authorization to operate novel models in a Regulatory Sandbox (see question 5).
-
Are there emerging cross-functional or omnibus licensing regimes, such as those inspired by the U.S. GENIUS Act, the EU MiCA/DORA frameworks, or similar integrated models, that allow a single license to cover multiple fintech activities?
Mexico will likely not have new omnibus licenses to cover multiple Fintech activities, although such alternatives should be explored to provide an orderly implementation of stablecoin transactions under the GENIUS Act and other jurisdictions, and avoid regulatory asymmetries with Mexico’s most important business partners. While regulated financial institutions such as banks, broker-dealers and licensed Fintechs are subject to strict activity catalogues defined by their enabling laws and regulations (which limit them to offering only services expressly authorized under their license), such licensed activities are sufficient to deploy most business models imported into Mexico. Generally, regulated entities cannot provide unregulated services.
Institutional Fintechs typically structure their operations using a number of separate legal entities, including regulated financial entities for restricted or regulated activities (e.g., offering payment accounts or securities trading), and non-regulated entities to provide unregulated or ancillary services. We perceive that Fintechs have realized the limitations of the existing licensing models, and consider pursuing broader licenses whenever possible, including acquiring or applying for full commercial banking licenses.
-
How have regulatory sandboxes, innovation offices, or digital-testing frameworks matured in 2025, and what measurable impact have they had on time-to-market or capital formation for fintech start-ups?
Mexico’s regulatory sandbox was created by the 2018 Fintech Law, and has not been used in the market since. It is considered a very limited and cumbersome pathway to test innovative financial services. As of January 2026, there are no publicly reported sandbox authorizations, and Fintech start-ups have generally relied on fully licensed entities or alternative regulatory structures where available.
Although integrated in the Mexican regulation with the intention of replicating the UK’s successful experience, the sandbox has not yet translated into observable benefits.
Key industry participants are engaging with policymakers and members of the Mexican Congress to explore potential adjustments that could make the sandbox more flexible. These discussions are preliminary, with no formal proposal as of yet, and any potential impact would likely materialize, if at all, toward late 2026.
-
How are regulators adapting their supervisory approaches (e.g., RegTech-enabled supervision, API-based reporting) to oversee fintechs operating across jurisdictions or with embedded finance models?
Mexico’s RegTech landscape has grown into a sizeable market (reported at over $290 million in 2025), driven primarily by regulatory compliance needs across the financial system. As Fintech participation expands, regulatory clarity and technology-enabled compliance have become key competitive differentiators.
Supervision is set to shift gradually towards a more technology-driven and data-led model. Regulators are exploring SupTech tools to automate reporting and analytics, signaling a move away from purely reactive supervision toward earlier detection of anomalies and compliance risks. RegTech providers supporting regulated entities are expected to meet third-party outsourcing standards and deliver robust AML/CFT, customer due diligence, screening, and monitoring capabilities.
Regulators have advanced API-based regulatory reporting for certain mandatory registries. For instance, institutions are required to submit information through the CONDUSEF-enabled API via the Portal Único de Registros (PUR), subject to limited exceptions for infrastructure or availability constraints. In practice, this has pushed market participants toward system-to-system integrations and more automated compliance reporting.
SAT (the Mexican tax authority) is deploying AI tools to monitor digital transactions and detect underreporting, while seeking broader access to data from financial entities, including Fintechs. This reflects a broader trend toward analytics-driven tax supervision and increased data-sharing expectations.
-
How do your jurisdiction’s securities, commodities, and banking regulators interpret tokenization, DeFi, and stablecoin products under the current legal landscape, particularly in light of the U.S. state-level stablecoin acts and MiCA implementation in the EU?
Mexico does not yet have a specialized body of law governing tokenization, and regulators have made public their view that tokens should generally share the legal characterization of their underlying assets. It is to be expected that the diverse and scattered legal provisions applicable to tokenization will be updated and unified with the purpose of enabling tokenization structures, integrating Mexico to the growing tokenization market and minimizing the uncertainty and risks associated with regulatory asymmetries with the US and the EU. Mexico should not lag behind its most relevant commercial partners with respect to regulatory developments in the tokenization arena. Meanwhile, tokenization structures should be carefully analyzed on a case-by-case basis to ensure compliance in Mexico. It is important to mention that tokenization can fall into the “pure tech” legal classification (e.g., internal DLT for recordkeeping) and remain unregulated in a number of instances.
Mexico has no MiCA-style DeFi perimeter; activity is generally assessed by function (exchange, lending, intermediation, custody, solicitation). For regulated financial entities with respect to digital assets, Banxico continues to maintain its “safe distance” stance: Banxico’s Rule (Circular) 4/2019 restricts regulated entities’ use of virtual assets (activos virtuales) essentially to authorized internal operations (non customer-facing risk-taking).
For stablecoins, Mexican authorities have publicly warned that transactions with respect to a number of instruments marketed as stablecoins may amount to unlicensed deposit-taking activities, given that the Fintech Law does not consider any fiat-denominated assets to be “virtual assets”.
-
What are the AML/CFT and travel-rule obligations for virtual asset service providers currently, and how do they apply to “non-custodial” or “self-hosted wallet” models?
As a result of recent updates to the Federal Law for the Prevention and Identification of Transactions with Resources of Illicit Origin or AML Law (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, the “AML Law”), the reporting thresholds for cryptocurrency activities have been decreased. Therefore, digital asset exchanges and digital asset service providers that carry out transactions with a client for an approximate amount of the Mexican peso equivalent of US$1,395 or more within a 6-month period are subject to AML compliance pursuant to the AML Law, which entails registration with the Mexican Tax Administration Service and filing reports of such transactions through a dedicated internet platform (Sistema del Portal de Internet). Other AML obligations include the following:
- identify its clients and verify their identity based on official credentials or documentation;
- in case a business relationship is established, collect information regarding the clients’ activity or occupation;
- request information about the client’s beneficial owner (if applicable) and collect documentation that allows their identification; and
- safeguard any information or documentation in connection with its clients’ activities and identification for at least 5 years. Furthermore, such entities must appoint a person responsible for compliance with AML obligations.
Mexico’s recent AML updates include the obligation to obtain and safeguard information on the beneficial owner for virtual-asset transactions. In practice, if a business is acting as a virtual asset service provider or intermediary, it should be prepared to collect KYC files from its clients. FATF guidance also emphasizes higher ML/TF risk for peer-to-peer/self-hosted flows and the need for risk-based controls.
Financial institutions that participate in the Mexican inter-bank payment system are subject to certain enhanced KYC requirements with respect to clients engaged in the digital asset business.
-
What new prudential or reserve requirements are being imposed on stablecoin issuers or custodians?
Mexico has not implemented a MiCA/GENIUS Act-like prudential framework (authorization category, governance, reserve composition, audits, etc.) specifically for stablecoin issuers/custodians.
-
How focused are regulators in your jurisdiction on data privacy, cybersecurity, and operational resilience for fintechs, and what enforcement or inquiry trends are emerging?
Mexican regulators maintain a strong and increasingly practical focus on data privacy, cybersecurity, and operational resilience for Fintech institutions. From a privacy standpoint, Fintechs are subject to the Federal Personal Data Protection Law for Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, the “Data Protection Law”), which requires administrative, technical, and physical safeguards, as well as prompt breach notification to affected individuals. Enforcement and oversight functions for private-sector data protection are currently handled by the Ministry of Anticorruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno) (“SBG”). In practice, enforcement activities result from a complaint by the affected individuals: supervisory reviews tend to focus on privacy notices, consent mechanisms, cross-border data transfers, vendor arrangements, and incident response documentation.
For regulated Fintech institutions, CNBV places cybersecurity and operational resilience at the center of its supervisory framework through the General Provisions Applicable to Fintechs (Disposiciones de carácter general aplicables a las Instituciones de Tecnología Financiera). These rules require formal information security governance, incident reporting to CNBV, and enhanced oversight of outsourcing arrangements involving sensitive or biometric data. Additionally, Open Finance regulation on standardized API is expected to impose concrete cybersecurity controls, including encryption, authentication, audit logs, incident management, and periodic vulnerability and penetration testing.
From an enforcement perspective, supervision is largely event driven. Regulators have broad inspection and sanctioning powers, and cyber incidents, service outages, or weaknesses in third-party arrangements frequently trigger targeted information requests and follow-up reviews. As a result, Fintechs operating in Mexico should expect that material incidents, rapid operational growth, or reliance on critical vendors are the most likely catalysts for supervisory scrutiny and potential corrective measures.
-
What practical steps should cryptocurrency and blockchain companies take to detect and prevent fraudulent transactions, and how can they prepare for regulatory audits, inquiries, and enforcement actions?
In Mexico, companies engaged in cryptocurrency transactions should approach fraud prevention and AML/CFT compliance as two parallel control tracks. From a fraud-prevention perspective, firms should implement operational controls aimed at protecting users and platform integrity. Key practical measures include real-time transaction monitoring for anomalous behavior, account takeover detection, withdrawal and velocity limits, device and IP risk scoring, and multi-factor or risk-based authentication. These controls should be formalized in written anti-fraud policies, supported by incident response playbooks, and tested periodically. For regulated Fintech institutions taking care of the fiat leg of the crypto operation, these expectations are embedded in the regulation, which emphasizes operational risk management, information security, and incident reporting.
Separately, crypto companies subject to the AML Law must implement a structured AML/CFT program. Practical steps include onboarding procedures with customer identification and verification, beneficial owner determination, sanctions and politically exposed person screening, and transaction monitoring designed to identify unusual or suspicious activities.
To be audit-ready, companies should maintain a centralized compliance file containing both fraud and AML materials. This should include policies and manuals, customer and beneficial owner files, monitoring logs, alert resolution records, governance documents, training evidence, and incident response documentation. Where the business interacts with regulated payment rails or open finance interfaces, these companies should facilitate evidence that they are aligned with the technical and security with Banxico and CNBV standards. In supervisory practice, the most common triggers for requirements applicable to the relevant financial institutions.
-
How are fintechs adapting to changing immigration frameworks, such as revisions to U.S. H-1B and digital nomad visas in the EU and Asia, to attract tech and compliance talent globally?
Fintechs globally, including those operating in or targeting Mexico, are adapting to shifting immigration frameworks primarily through remote work models that allow them to recruit from a diverse international talent pool, reducing overhead costs while increasing employee satisfaction.
The September 2025 U.S. H-1B visa overhaul creates significant implications for Mexican Fintechs. On September 19, 2025, President Trump issued a presidential proclamation introducing a $100,000 fee tied to H-1B visas, restricting entry of certain H-1B workers unless accompanied by this payment. Regarding the U.S. H-1B visa constraints, Fintechs are increasingly exploring alternatives such as the O-1 visa, which has no annual quotas unlike the H-1B that issues only 85,000 visas annually through a lottery system.
Additionally, under the USMCA (formerly NAFTA), Mexican companies can hire professionals from Canada and the United States in roles such as engineers, scientists, and IT specialists through specific permit categories. This treaty-based framework allows Fintechs to tap into skilled North American talent more efficiently than through standard immigration processes.
-
What new geopolitical or sanctions-related risks (e.g., digital asset restrictions, AML screening mandates) have emerged that affect fintech operations in cross-border markets?
The Fintech industry in Mexico is exposed to geopolitical and sanctions-related risks, as evidenced by the sanctions recently imposed by FinCEN on three (formerly solid and reputed) Mexican financial institutions (CIBanco, Intercam Banco, and Vector Casa de Bolsa), motivated by money laundering allegations in the context of increasing pressure by the US administration on the Mexican government to intensify its cooperation in the combat against fentanyl traffic. Such sanctions were seen by many industry participants as a show of force by the US administration, which effectively cut off such institutions’ access to the U.S. financial system and dollar payment rails, and ultimately resulted in their extinction. This precedent highlights the importance of implementing state-of-the-art AML/FT systems, stringent KYC policies, transaction monitoring technology, and compliance tools in the rapidly shifting political and international scenes.
-
How do immigration and workforce-mobility policies—like work visas, remote-work permits, and intra-company transfers—affect fintechs’ ability to move key staff into new markets, and what practical steps can companies take to avoid talent shortages or delays?
Mexico's immigration framework generally facilitates the movement of skilled workers, though Fintechs may face practical challenges when relocating key staff. The Federal Labor Law (Ley Federal del Trabajo) establishes that Mexican companies should not have more than 10% non-Mexican workers. This percentage can be suspended if the foreign worker is going to fill a position that requires specific knowledge or skills and is going to provide training in that area, or if the foreign worker will occupy a high-level position.
In order to relocate foreign employees to Mexico, a Fintech company must request the issuance of a work permit by the National Migration Institute (Instituto Nacional de Migración) (the “Migration Institute”). Following the issuance of the permit, the employee must apply for a work visa or temporary resident card. For the issuance of a work permit, a work visa or temporary resident card, processing times can be unpredictable and vary greatly depending on consular availability in the country of origin, and delays are common during high-volume periods. Also, a significant constraint is that temporary visa holders must remain employed by the company that sponsored them; if their contract ends, they must either find a new employer to sponsor a visa transfer or exit the country, and switching employers or changing job functions typically requires a new application. Fintechs may also bring foreign employees into Mexico to perform short-term assignments under 180 days using a visitor visa with permission to carry out paid activities for urgent deployments while longer-term permits are processed.
To avoid talent shortages and delays, Fintechs should implement several practical measures. Employers must keep a valid registration with the Migration Institute Employer Registry to sponsor and hire foreign nationals, conduct periodic immigration compliance reviews, use tracking tools to monitor permit status, keep HR updated on law changes and start applications early to avoid project delays.
-
How do immigration rules and visa limitations influence the speed and strategy of fintech market entry, particularly when launching operations in multiple jurisdictions?
Immigration processing timelines can create friction for Fintechs seeking rapid market entry in Mexico. Processes before the Migration Institute mean that Fintechs must realistically plan for 8-12 weeks minimum to deploy key foreign personnel into Mexico. Additionally, Fintechs oftentimes have to balance centralized expertise against localization requirements. Employers must be registered as a legal entity in Mexico, either as a domestic company or a foreign branch, to sponsor a Mexican work visa or permit, and immigration authorities will review the employer’s incorporation documents, tax compliance, and the legitimacy of the business operation before approving any request. This creates a sequencing prerequisite: entity establishment must precede talent deployment.
The rigidity of the system also presents a challenge: once a visa is granted, foreign workers are legally allowed to perform only the specific role outlined therein, and switching employers or changing job functions typically requires a new application. For early-stage Fintechs where roles evolve rapidly, this inflexibility can hinder operational agility and force companies to either delay launches or initially rely more heavily on local hiring.
-
How can fintechs protect their proprietary algorithms and smart-contract code, balancing open-source use with trade-secret protections and any AI-related disclosure rules?
In Mexico, these items are primarily protected through copyright, trade secret, and contractual frameworks. The Federal Copyright Law (Ley Federal del Derecho de Autor, the “Copyright Law”) expressly protects computer programs in both source and object code, allowing Fintechs to register their software with the National Copyright Institute (Instituto Nacional del Derecho de Autor) (“INDAUTOR”). While registration is not mandatory to obtain rights, it provides strong evidentiary value in administrative and judicial enforcement proceedings.
Trade secret protection is suitable for proprietary algorithms and smart-contract code and is governed by the Federal Law for the Protection of Industrial Property (Ley Federal de Protección a la Propiedad Industrial) (“LFPPI”), which safeguards confidential technical or commercial information that provides a competitive advantage, provided that reasonable measures are implemented to preserve its confidentiality. Fintechs commonly rely on access controls, code segmentation, internal information security policies, and robust confidentiality, non-disclosure, and non-compete clauses in employment, contractor, and SaaS or development agreements.
Open-source software is not specifically regulated under Mexican law, but license obligations remain enforceable under general contract and copyright principles. Fintechs typically implement internal open-source governance programs to track license types, attribution requirements, and “copyleft” obligations that may affect proprietary code. Mexico does not currently impose AI-specific disclosure requirements; however, Fintechs operating regulated financial services must ensure that algorithmic systems comply with transparency, consumer protection, and risk management obligations under the Fintech Law and regulations issued by financial regulators.
-
What strategies are most effective for safeguarding trademarks and digital brands in an era of AI-generated impersonation, deepfakes, and synthetic media fraud?
The Industrial Property Law provides express protection to trademarks, commercial names and slogans. Trademarks may be comprised of letters, two-dimensional and three-dimensional shapes, colors, sounds and smells. Fintech companies must register their trademarks, commercial names and slogans with IMPI to obtain the exclusivity right to use their brand within Mexican territory. This registration must be renewed every ten years.
The unauthorized use of a trademark, commercial name or slogan would be a breach of the Industrial Property Law. The owner of the trademark, commercial name or slogan may claim compensation before the IMPI, which may declare injunctions or impose fines. To address AI-driven impersonation and digital fraud, Fintechs and other companies increasingly rely on continuous monitoring of online platforms, mobile app marketplaces, social networks, and advertising channels to detect unauthorized brand use. These efforts are commonly supported by cease-and-desist procedures and formal complaints before IMPI based on trademark infringement and unfair competition provisions.
Where impersonation or synthetic media is used to commit fraud or identity theft, criminal enforcement mechanisms under the Federal Criminal Code (Código Penal Federal) become applicable. In parallel, contractual brand-use policies and platform terms of service, combined with cooperation agreements with payment platforms and social media providers, have become essential tools to enable rapid content takedowns and protect consumer trust.
-
When fintechs collaborate with outside developers, partners, or open-source communities, how can they make sure they retain ownership of their technology and avoid disputes?
When dealing with the technical aspects of a collaboration or partnership, Fintechs (either startups or well-established players) rely on licensing and/or SaaS or Platform agreements that are exhaustively reviewed and negotiated. In many instances, Fintechs share their proprietary IP on a need-to-know basis with technical personnel indicated by their partner.
Mexican legislation and practice generally recognize work-for-hire agreements to allocate IP rights among the parties. In principle, pursuant to the Copyright Law all copyrightable works are owned by their relevant author; and all software, computer programs and databases developed by a company’s employees, as per the instructions of the employer, shall be owned by said company. Fintechs may implement contracts allocating their rights with respect to IP, documenting the contributions of each party, and outlining their respective rights.
By the same token, Fintechs and their business partners and developers may enter into licensing agreements with respect to licenses. Pursuant to Mexican law, the owner of a trademark is the person or entity registered as such before the IMPI. Therefore, it is important for trademark owners to register the trademark, commercial name or slogan, and to establish contractual provisions determining the limited use of trademarks in a specific business relationship.
When engaging with open-source communities, Fintechs typically implement internal policies to track code contributions and ensure that no proprietary technology is unintentionally released under open-source licenses. Likewise, open-source communities must establish clear guidelines on how ownership and rights of use are allocated among the contributors.
-
What steps should fintechs take to detect, prevent, and respond to competitors or third parties who might copy or misuse their technology, algorithms, or branding, and how do enforcement strategies differ across jurisdictions?
As indicated in questions 16 through 18 above, to ensure adequate protection of their technology or brand, Fintechs may, among other measures: (i) register their IP before INDAUTOR and their trademarks, commercial names and slogans before the IMPI; (ii) disclose that their IP is registered; (iii) seek relevant relief before INDAUTOR (see question 16) or IMPI (see question 17), as applicable; (iv) implement internal policies, procedures and contracts providing for adequate protection; and (v) implement technical measures to ensure that sensitive information is not transferable or duplicated.
Enforcement strategies in Mexico are largely administrative and judicial, relying on IMPI and INDAUTOR procedures, as well as civil and, in certain cases, criminal actions. In cross-border scenarios, Fintechs often supplement local enforcement with international mechanisms under treaties such as the USMCA (T-MEC) and the TRIPS Agreement, which facilitate cooperation and recognition of IP rights across jurisdictions.
-
How are jurisdictions addressing cross-border IP enforcement for fintech products involving distributed infrastructure and decentralized code bases?
As mentioned in Question 19 above, from a Mexican perspective, cross-border IP enforcement is primarily supported through international treaties to which Mexico is a party, including the TRIPS Agreement and the USMCA (T-MEC). These instruments establish minimum standards of protection and cooperation mechanisms for the recognition and enforcement of intellectual property rights abroad.
For Fintech products relying on distributed infrastructure or decentralized code, Mexican courts and authorities continue to apply traditional principles of territoriality, meaning that rights must generally be registered or recognized in Mexico to be enforceable locally. Fintechs therefore often adopt multi-jurisdictional IP filing strategies to ensure protection in key markets where infrastructure nodes, users, or commercial operations are located. Contractual frameworks also play a central role, particularly through governing law and jurisdiction clauses, arbitration agreements, and cross-border licensing terms that define enforcement venues and remedies in the event of misuse or infringement.
-
How should fintechs approach IP protection when licensing or selling software, smart contracts, or AI models to ensure ongoing control and compliance with different countries’ laws?
In Mexico, Fintechs typically structure licensing and commercialization through detailed long-form software, SaaS, and technology transfer agreements that define ownership, scope of use, sublicensing rights, and limitations on modification or redistribution. These agreements are supported by copyright protection under the Federal Copyright Law and, where applicable, trade secret safeguards under the Industrial Property Law.
For smart contracts and AI models, Fintechs and other companies rely on contractual restrictions, audit rights, and confidentiality obligations to maintain control over proprietary logic and training data. From a compliance perspective, cross-border licensing strategies often incorporate choice-of-law provisions, data protection clauses aligned with Mexico’s Personal Data Protection Law, and representations ensuring that foreign users comply with applicable financial and consumer protection regulations in their local jurisdictions.
-
Under emerging AI-governance frameworks, such as the EU AI Act and U.S. GENIUS Act, what legal obligations apply to fintechs using AI in underwriting, robo-advisory, and fraud protection?
Mexico does not currently have an AI-specific statute or binding regulatory framework applicable to Fintechs or financial institutions. The use of AI in financial services is therefore governed by existing sector-specific laws rather than technology-specific rules. Legislative and regulatory initiatives have been discussed, including a 2025 draft proposal inspired by the EU AI Act. The proposal would require mandatory explainability and bias testing for high-risk credit algorithms, along with local nuances such as Spanish-language fairness metrics and mandatory human review for lending decisions involving indigenous communities.
Since there are no AI-specific regulations, the body of law governing AI systems in the context of underwriting, advisory and fraud protection is the same as the one currently applicable to the relevant regulated entities in the Fintech industry (which remain the primary obligors with respect to regulatory compliance notwithstanding the use of any technology), rather than technology-specific rules:
• Credit scoring and lending: Financial institutions and Credit Information Companies must ensure fair and non-discriminatory scoring models in line with data protection and consumer protection laws. Credit Information Companies are legally required to consider all available data in their databases without discrimination, which in practice constrains selective or biased use of AI inputs.
• Investment advisory and robo-advisory services: The applicable perimeter is defined by the Securities Law, which imposes duties of transparency, suitability, fair treatment, and non-misleading conduct regardless of whether decisions are made by humans or algorithms.
• Fraud detection and AML/CFT systems: Obligations derive primarily from the AML Law and its secondary rules, requiring risk-based controls, transaction monitoring, and reporting to the SAT/UIF. Where AI is used, regulators expect human oversight, auditability, and clear escalation mechanisms, with the regulated entity remaining fully liable for compliance failures.
• Open finance and data use: While the Fintech Law established the legal basis for Open Finance, incomplete secondary regulation has limited full implementation, constraining the large-scale deployment of AI-driven analytics based on transactional data.
-
How can fintechs evidence algorithmic fairness, explainability, and bias mitigation in compliance with new supervisory expectations for automated credit and AML decisioning systems?
While there are no specific regulations on how algorithmic fairness, explainability, and bias mitigation can be implemented and evidenced, in practice, companies demonstrate compliance by maintaining a documented internal control and compliance framework around their automated systems, consistent with the general supervisory powers of the regulators over governance, internal controls, and operational risk management. This typically includes written documentation describing the purpose and scope of each material model, the data sources used, validation and testing methodologies, and internal approval processes. Periodic performance and outcome reviews (including consistency and error-rate analysis) are used to evidence that automated decisions remain aligned with legal and business rules.
With respect to explainability, the legal emphasis in Mexico is on consumer transparency rather than on technical disclosure. While companies are not required to publish or disclose their algorithms, they are expected to be able to explain the main factors that affect access to a financial product or service. As a result, companies maintain internal “reason code” frameworks for credit denials, alerts, or account actions, which allow staff to translate automated outcomes into customer-facing explanations and to respond effectively to inquiries by the regulators.
-
What are the IP and data-protection considerations around training proprietary AI models on financial data, and how can fintechs structure data-sharing agreements to minimize risk?
Under the Industrial Property Law, AI-generated content cannot be directly protected as intellectual property, since Mexican law only recognizes human authorship. The Supreme Court of Mexico has ruled that creativity is a human trait, reinforcing that AI cannot be an inventor or author. However, Fintechs may protect their proprietary AI models through trade secrets, software copyrights, and patents related to AI development.
When using third-party AI tools, Fintechs must carefully assess licensing agreements to avoid potential infringement issues, especially considering that copyright laws in Mexico do not yet address AI-generated content explicitly. The growing debate over AI and copyright protection suggests that Mexican regulators may need to issue clearer rules on AI-generated works and dataset usage.
From a data protection standpoint, the training of AI models on financial or customer data is governed by the Data Protection Law. Fintechs must ensure that personal data is processed only for purposes disclosed in the applicable privacy notice, in a manner that is adequate, relevant, and not excessive. Therefore, data subjects must expressly consent to the use of their personal information for the training of AI models. In addition, Fintechs must implement appropriate technical and organizational security measures, and comply with restrictions on domestic and cross-border data transfers.
To mitigate risk, data-sharing and AI vendor agreements in Mexico generally:
• Clearly allocate intellectual property rights, including ownership of source code, derivative works, and improvements, particularly in co-development, licensing, or outsourcing arrangements, to avoid unintended transfers of proprietary technology.
• Limit data use strictly to the agreed and documented purposes, prohibiting secondary use, commercialization, or model training outside the authorized scope.
• Impose confidentiality and information-security obligations equivalent to those applicable to regulated financial institutions, including technical and organizational safeguards.
• Grant audit, inspection, and regulatory access rights, allowing the Fintech and relevant authorities to verify compliance with legal and supervisory requirements.
• Require prompt notification and cooperation in the event of data breaches, security incidents, or regulatory inquiries.
In higher-risk AI or data-intensive arrangements, these agreements also typically include IP indemnities, as well as data return or deletion obligations upon termination.
-
How are regulators treating AI-driven investment or credit-decisioning tools for purposes of fiduciary duty, fair lending, and disclosure obligations under updated consumer protection frameworks?
There is currently no AI-specific regulation applicable to financial services in Mexico. The regulatory approach focuses on the financial entity and the relevant activity being performed, not the technology used to perform it. Accordingly, the use of AI by Fintechs is not prohibited; however, all applicable legal and regulatory obligations continue to apply regardless of whether a process is automated or human-driven. Therefore, obligations relating to suitability, fair treatment, non-discrimination, transparency, and consumer protection apply equally to automated and manual processes.
This means that Fintechs remain fully responsible for the outcomes generated by AI systems. They must ensure that automated models do not produce discriminatory or arbitrary results, that credit information and personal data are used in a complete and lawful manner, and that consumers receive clear and truthful information about decisions affecting access to financial products or services.
-
What emerging liability theories (e.g., negligent model governance, failure to supervise AI) could expose fintechs to enforcement or civil litigation in the next 12 months, and how should firms build defensible risk management frameworks?
Potential AI-related liability in Mexico is expected to arise primarily through the application of existing civil, consumer protection, financial, and data protection regimes, rather than through new, AI-specific causes of action.
One emerging area of exposure is negligent service provision, where an AI system that produces systematically erroneous or harmful outcomes may be treated as a defective service under the Federal Civil Code and the consumer protection regulations, giving rise to claims for damages, refunds, or regulatory sanctions.
A second area of risk is deficient governance and supervision of technology and third-party providers. Under the Fintech Law, regulated institutions remain responsible for outsourced and technological services, and the regulator has authority to sanction companies for inadequate internal controls, operational risk management, or compliance frameworks. Where AI models or vendors operate without proper oversight, documentation, or audit trails, regulators may characterize this as a failure of governance rather than as a purely technical issue.
To build a defensible framework, Mexican companies are increasingly formalizing technology and model risk governance programs aligned with existing regulatory expectations on internal controls and operational risk. These typically include:
- senior management accountability for material automated systems;
- documented model inventories and change-management processes;
- periodic performance and consistency testing;
- “human-in-the-loop” review for high-impact decisions; and
- integrated incident response, complaint handling, and data breach protocols.
Aligning these controls with the Fintech Law, the AML Law compliance framework, and internationally recognized risk-management standards allows Fintechs to demonstrate proactive supervision and materially reduce both regulatory and civil litigation exposure.
-
What notable examples of fintech-driven disruption or embedded finance adoption have reshaped your jurisdiction’s financial landscape in the past year?
One of the most significant areas of disruption in Mexico continues to be digital payments and embedded finance.
Another notable trend is the integration of lending, payments, and wallet services into non-financial platforms, including e-commerce, mobility, and enterprise resource management systems. These embedded finance models allow users to access financial products without interacting directly with traditional banks, reshaping distribution channels and customer acquisition strategies.
The growth of regulated electronic payment funds institutions and partnerships between Fintechs and licensed banks has also accelerated the rollout of digital onboarding, automated credit scoring, and cross-border remittance solutions, particularly targeting underbanked and SME segments.
-
Looking ahead, which regulatory reforms or global coordination efforts—such as cross-border licensing passporting or stablecoin reserve interoperability—hold the greatest potential to accelerate fintech innovation?
From a Mexican perspective, the most impactful potential reform is the full implementation of Open Finance under the Fintech Law, which would expand mandatory data-sharing beyond banking to include insurance, pensions, and other financial sectors. This is expected to significantly enhance competition, product personalization, and cross-platform financial services.
Cross-border regulatory coordination, particularly within North America under the USMCA (T-MEC), also holds strong potential for streamlining IP protection, digital trade, stablecoins, and technology licensing frameworks. Greater alignment in compliance standards could reduce barriers for Mexican Fintechs seeking to scale regionally.
Finally, regulatory clarity around virtual assets and stablecoins, particularly in relation to Banxico’s authorization framework and AML obligations under the AML Law, could enable more structured innovation in tokenized payments and cross-border settlement solutions while maintaining financial system safeguards.
Mexico: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Mexico.