Mexico: Fintech

Payments and payment systems are regulated on a federal level, by a variety of laws and regulations. The main laws that govern payments and payment systems in Mexico are:

• The Mexican Constitution, which grants the Mexican Central Bank (Banco de México, “Banxico”) constitutional autonomy and the mandate to, among other things, regulate financial services in Mexico.
• The Central Bank Law (Ley del Banco de México), which stipulates Banxico’s main purposes, including, among others, promoting the well-functioning of Mexican payment systems.
• The Law of Payment Systems (Ley de Sistemas de Pago) sets out the requirements for a payment system to be considered systemically important, as well as Banxico’s authority to regulate and supervise such systems. It also provides a framework for the clearing and settlement of transactions through such systems.
• The Law for the Transparency and Order of the Financial Services (Ley para la Transparencia y Ordenamiento de Servicios Financieros) provides Banxico and the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, “CNBV”) with additional tools to regulate payment systems, as well as to promote their transparency and competitiveness including the regulation of fees charged by the participants of card networks.
• The Law to Regulate Financial Technology Institutions (Ley para regular las Instituciones de Tecnología Financiera, the “Fintech Law”) introduces electronic payment funds institutions (instituciones de fondos de pagos electrónicos, “IFPEs”), that are authorised, among others, to keep e-wallets on behalf of their clients.
• Relevant secondary regulation issued by Banxico and/or by CNBV include: (i) Rule (Circular) 14/2017, which regulates the Mexican Peso denominated Interbank Electronic Payments System (SPEI) (amended in 2019 to implement a P2P online and mobile payment system called CoDI (Cobro Digital)); (ii) the Regulations applicable to the Network of Means of Utilization of Funds (Disposiciones de carácter general aplicables a los Medios de Pago), which specifically regulate card networks (the “Payment Regulations”); and (iii) the Regulations applicable to IFPEs (Disposiciones de carácter general aplicables a las Instituciones de Tecnología Financiera).
• The Anti-Money Laundering Law (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, the “AML Law”), its regulations and interpretative notes by the Financial Intelligence Unit (Unidad de Inteligencia Financiera) also apply to payment systems, among others, because they apply to issuers and distributors of prepaid, debit, credit and service cards, traveler checks issued by entities other than financial entities, as well as crypto currency exchanges.
• There is little case law issued with respect to payment systems laws and regulations, however there are important judicial holdings to take into consideration by any participant in a card system, including precedents regarding authenticity and use of electronic signatures, vouchers and burden of proof with respect to authorisation of transactions.

Yes, payment services in Mexico may be provided by non-banks. However, the regulation, and required licensing applicable to payment services providers (“PSPs”) varies depending on the type of services offered by PSPs.

Regarding card payment acceptance services, acquirer and aggregation services do not require an ad hoc authorisation or license. Nevertheless, they are subject to reporting and registration obligations set forth in the Payment Regulations, which include, among others, registering their fees with Banxico and CNBV and delivering a yearly informative notice to CNBV.

Additionally, any person offering acquirers, aggregators, brand owners or issuers any services that are required for such entities to carry out their operations in a card network, is characterized as a specialized entity under the Payment Regulations. Specialized entities do not require a license or authorisation to operate. However, they are subject to specific obligations under the Payment Regulations including, reporting obligations.

Finally, we note that certain activities that are usually performed by PSPs may qualify as activities that require a license or authorisation under Mexican law, including (i) solicitation and receipt of deposits, and depository account keeping services, (ii) money remittance services, and (iii) currency exchange services. PSPs, especially those operating on a cross-border basis, should be cautious to structure their operations to avoid being considered as regulated entities.

Cash is still the most widely used payment method in Mexico. According to the National Institute of Statistics and Geography (INEGI), 87% of retail purchases over US$25 in Mexico are paid in cash.

Pursuant to data from the National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF), the use of debit and credit cards for online retail purchases has increased significantly in the past years. The number of online purchases using debit or credit cards grew at an average-quarterly rate of 13.7% from 2015 to 2019. Payments with debit cards, which represent 60% of the total transaction volume prevail over payments with credit cards. However, higher value transactions are generally paid with credit cards, representing 60% of the total transaction volume.

As mentioned above, in 2019, Banxico launched a P2P online and mobile payment system called CoDI (Cobro Digital) for purposes of, among others, providing necessary infrastructure for the issuance and reception of payment instructions to a large portion of the population that still mainly relies on cash. As of August 12, 2020, more than 4 million Mexican bank accounts were validated to issue or receive payment instructions using CoDI.

Additionally, Mexican commercial banks have developed and launched apps for online e-payments, such as BBVA’s Wallet and Citibanamex’s Pay.

Finally, the Mexican Federal Government continues to make significant efforts to promote financial inclusion, and welcomes initiatives aiming to increase financial inclusion.

Aiming to promote competition, as well as financial inclusion, the Fintech Law provides obligations for Mexican financial entities (including commercial banks), money remittance entities, credit information entities, clearing houses, IFPEs and companies authorised to operate with novel models (“Authorised Entities”), to implement application programming interfaces (“APIs”), and to share information of their customers through such APIs. APIs and the sharing of information must meet the requirements set forth by CNBV, Banxico or the corresponding regulators of the relevant entities.

The information to be shared through APIs is classified under the Fintech Law as: (i) open data, including, among others, non-confidential financial information related to the services offered by the entities; (ii) aggregated data, consisting in statistical and dissociated information related to operations made by or through Authorised Entities; and (iii) transactional data, defined as information related to the use of financial products and services by a customer, including deposit accounts and credits. We note that transferring transactional data of customers requires express consent from the respective owner in all cases.

On June 4, 2020, the CNBV issued the Regulations applicable to APIs (Disposiciones de carácter general relativas a las interfaces de programación de aplicaciones informáticas estandarizadas a que hace referencia la Ley para Regular las Instituciones de Tecnología Financiera). The regulations are applicable to the rest of the Authorised Entities (financial entities, IFPEs, money remittance entities and companies authorised to operate with novel models) but only regulate the handling of open data. Regulation applicable to aggregated and transactional data is still to come.

Similarly, Banxico published Rule (Circular) 2/2020 which is applicable to credit rating agencies and clearing houses. The Circular stipulates among other things, requirements to obtain the prior authorisation from Banxico to set up the relevant APIs. Each of the Banxico regulated entities shall describe the aggregated data per type of transaction that is intended to be share through the API. Also, the entities accessing the information should be previously authorised by Banxico for such purposes. The fees and access terms and conditions should also be approved by Banxico. Banxico has the authority to issue regulations governing the sharing of transactional information.

APIs for offering push-and pull-payment products and services are not provided for in the Fintech Law. Under Mexican law, the control of accounts and e-wallets corresponds at all times to the respective account holders. Any product or service enabling a person different to an account holder, to originate transactions in the latter’s account, should be carefully assessed in order to determine if they comply with Mexican law.

The participants of the Mexican fintech market are expecting said regulation, as access to the data is required to develop and offer new and innovative financial products and services. Regulation of aggregated data is expected at the end of the year 2020, and regarding transactional data until 2021. The issuance of such regulation is crucial for the development of the Mexican fintech environment; according to Finnovista’s 2018 Fintech Mexico Report, APIs are the second most important technology used by startups for sourcing new financial products and services. Finally, in our view the open banking model is crucial in order to reduce the information concentration risk derived from a high concentration of the market by large Mexican financial institutions, thereby, increasing competition in the sector and ultimately benefiting end-customers.

Mexico has a robust set of laws and regulations governing data privacy, including the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and its secondary regulation (jointly, the “Data Protection Laws”). The Data Protection Laws are applicable to entities (other than credit information entities) that receive and process information of individuals in Mexico, and stipulates the principles, requirements and obligations for any individual or entity to treat, use, disclose and transfer such personal data.

The main obligation for a data controller is to deliver a privacy notice to the data owner and obtaining its consent to treat the information in accordance with the privacy notice. Data controllers should also appoint a data protection officer, as well as adopt and maintain security measures with respect to personal data, which are at least equivalent to those adopted for its own information.

In addition to the foregoing, banks, IFPEs and other depository institutions, as well as other financial entities are subject to the relevant secrecy provisions set forth in their relevant applicable laws and regulations.

Acquirers, aggregators and issuers in a card network are also subject to the security standards set forth in the Payment Regulation, which include obligations to implement determined security measures, encrypt personal information of the cardholder, control access to data bases, etc.

The Fintech Law is based on principles of innovation and inclusion. Considering the foregoing and acknowledging the ever-changing nature of the fintech industry, the Fintech Law introduced the regulatory framework applicable to sandboxes. The sandbox enables non-financial entities to temporarily offer financial services by means of a novel model (using tools or technological means differing from those existing in the market), approved by the applicable authority, which would otherwise require a license or authorisation pursuant to Mexican financial laws. Additionally, the Fintech Law allows CNBV and Banxico to authorise financial entities to temporarily operate novel models if such activity is restricted by the laws and regulations governing them.

Banxico has been particularly active in promoting innovation mainly in order to encourage financial inclusion. Banxico’s governor has publicly stated that technological advances are key for promoting financial inclusion in developing countries, such as Mexico. As mentioned in question 3 above, Banxico recently implemented the P2P CoDI payment system.

CNBV on the other hand, joined the Global Financial Innovation Network in October of 2019. Nevertheless, as a result of the current government’s austerity policies and budget cuts, coupled with the effect that the SARS-CoV-2 Pandemic has had on governmental activity in general, CNBV’s momentum concerning the development of the Mexican fintech industry has recently slowed down.

Finally, we note that the National Commission for the Pension System (Comisión Nacional de Servicios de Ahorro para el Retiro) as well as the National Insurance and Bond Commission (Comisión Nacional de Seguros y Fianzas) have issued regulations setting forth the requirements and procedures to obtain an authorisation to operate novel models to offer products or services which are otherwise restricted to entities authorised by such regulators. We consider that these developments provide a solid basis for insurtech entrepreneurship, and an opportunity for entrepreneurs to dabble in the Mexican pension system and engage Mexican Pension Funds (Afores), which currently hold around MXN $4 trillion (approximately USD $180 billion) in assets under management.

The SARS-CoV-2 Pandemic together with an economic downturn will have an impact on investments in fintech start-ups and fintech start-ups’ businesses, as consumer confidence continues to drop. According to the National Institute of Statistics and Geography (INEGI), as of May 2020, consumer confidence had dropped six months in a row, reaching a record low during the month of April. The National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF) reported a drop of almost 33% in credit card transactions during the month of April 2020. We do not consider that all fintech sub-segments will be affected equally, however, the Mexican fintech environment is dominated by payment services and consumer lending (Finnovista’s Fintech Radar 2020 Mexico), which are markets that will likely see a slowdown of their business.

On the other hand, we note that the SARS-CoV-2 Pandemic could bring new opportunities for the Mexican fintech industry. For instance, CNBV has announced that it will loosen regulations for opening bank accounts and obtaining loans that used to require in-person interviews, which represented a significant obstacle for digital platforms.

There are no specific tax incentives encouraging investment in fintech in Mexico.

Payment services and consumer lending sub-segments represent 32% of the Mexican fintech market. These are also the sub-segments that are attracting the most investment in Mexico. Goldman Sachs, Softbank and IFC are among international investors that have invested in Mexican fintech start-ups.

Konfío, an online lending platform focused in Mexican small-and medium sized companies (PyMes) recently concluded a Series D investment round, adding up to over US$400 million in funding. Additionally, Rappi, a start-up specialized in online delivery services backed by Softbank, entered into a joint venture agreement with Banorte (one of the largest Mexican commercial banks) to establish a new fintech company.

We have also seen significant investments in terms of research and development in connection with cryptocurrencies, blockchain based systems and crowdfunding.

Finally, according to Finnovista, insurtech grew at a 46% rate since 2019, outperforming every other sub-segment. This could indicate that insurtech could see an increase in investments.

Mexico has a thriving fintech ecosystem, with more than 441 start-ups focused on different sub-segments, including money remittance, crowdfunding, personal financial management, lending and payment services, and a very low failure rate (4.5%) (Finnovista). The number of fintech start-ups founded since 2016 has grown at an average year-to-year rate of 23% (Finnovista). According to a study by the Visa Innovation Center, Mexico is considered the leader in business innovation in Latin America, and provides entrepreneurs with a solid regulatory framework giving legal certainty to innovate and develop disruptive projects.

Additionally, a low bank account penetration (37%) partly due to geographical limitations, relatively high internet penetration rate (63.9%), and a young population (average of 27.5 years) (J.P. Morgan), who are more keen to seek innovative financial services providers, provides for interesting business opportunities for fintech start-ups. Additionally, according to J.P. Morgan, Mexico’s e-commerce market is valued at US$ 22.6 billion, and according to the World Bank and McKinsey more than half of Mexican small-and medium sized companies have no access to financial services. The credit gap for Mexican business is estimated to be at US$ 60 billion.

Mexico continues to be an investment friendly jurisdiction with an exceptionally large number of free trade agreements, investment protection and double taxation treaties. The Mexican legal mainframe for private equity transactions is sound and well established, and the regulation on fintech is designed to allow private and public investments in the sector.

Foreign employees in Mexico are allowed to work in Mexico provided they obtain a temporary working visa or a visiting visa to carry out remunerated activities. To obtain any of such visas the employer must file an application with the National Immigration Institute (Instituto Nacional de Migración) requesting the visa based on a job offer.

There are no current or coming regulation that may facilitate access to talent for Fintechs. We do not expect to see in the near future any change in immigration regulation affecting particularly access to fintech talent.

Financial entities, fintech associations and universities are the main promoters of talent for the fintech industry in Mexico. The contribution of the regulator in the promotion of talent is low.

Nonetheless, we do not see substantial gaps in access to talent. The Mexican fintech industry is covered either by local talent or by foreign talent under the current standard immigration regulation.

The Mexican fintech industry has low capacity to influence immigration policy.

The Copyright Law (Ley Federal del Derecho de Autor) provides express protection to computer programs. Such protection covers application softwares and operating systems in both, source code and object code.

Other type of developments such as databases may also be subject to protection under the Copyright Law, as long as they are deemed intellectual creations based on the selection and layout of data or information.

The use, reproduction or profit obtained from a copyright work without the previous consent of the copyright owner would be a breach to the Copyright Law. The copyright owner may claim for compensation before the Industrial Property Mexican Institute (“IMPI”) who may declare injunctions or impose fines.

The Industrial Property Law (Ley Federal de Propiedad Industrial) provides useful protections for Fintechs, for example regarding trade secrets and trademarks. For a trade secret to be protected, it must mean a commercial advantage and it must be kept confidential. In the event of misappropriation by a third party, the owner of the trade secret may initiate actions and claim compensation for unfair competition. Regarding trademarks, fintech providers must register their brands with the IMPI to obtain the exclusivity right to use of their brand within Mexican territory.

On July 1, 2020, the United States-Mexico-Canada Agreement (USMCA) entered into force (replacing the 1994 North America Free Trade Agreement). The new USMCA (known as T-MEC in Mexico) increases the standards for intellectual property protection in Mexico. The USMCA establishes a number of requirements to be met by the three signatory countries to improve protection to intellectual rights. Among them, the USMCA requires the parties to enact regulation for tougher sanctions and effective actions against infringement of intellectual property.

The Fintech Law and its secondary regulation including Rule (Circular) 4/2019 issued by Banxico, establish the regulatory framework for cryptocurrencies.

Each cryptocurrency should be carefully analysed to determine its legal attributes, especially in view of any tokens associated therewith. The classification and legal treatment of a cryptocurrency may vary drastically depending on the characteristics of the cryptocurrency and its corresponding token, and such characteristics may in turn determine the rules applicable to the offering, distribution, custody and even taxation of such cryptocurrency any transactions involving them. That being said, a large number of cryptocurrencies may be characterized, as a rule of thumb, as movable intangible and fungible property for Mexican law purposes. Cryptocurrencies are not considered national or foreign fiat currency even if they are stable cryptocurrencies.

The Fintech Law grants ample regulatory authority to Banxico with respect to cryptocurrencies. Banxico has adopted a very cautious position with respect to the distribution of cryptocurrencies in Mexico, among others, because Banxico perceives that the public may not adequately understand the complexities associated with a cryptocurrency, there may be information asymmetries between the public and the operators of such assets, and also there may not be an objective basis to determine the value, supply and offer with respect to a cryptocurrencies. Banxico has opted to put some “safe distance” between cryptocurrencies (and their perceived risks) and the Mexican public.

Although the Fintech Law provides that IFPEs may keep crypto denominated accounts for their clients, and that banks may carry out transactions with respect to cryptocurrencies, in both cases, solely with respect to cryptocurrencies approved by Banxico, Rule (Circular) 4/2019 issued by Banxico restricts the use of cryptocurrencies by Fintechs and banks to “internal operations” (i.e., operational transactions whereby any risks stemming from the cryptocurrencies are assumed by the entity), and solely with respect to cryptocurrencies that are approved to each entity after a thorough authorisation procedure that includes practically every aspect of the cryptocurrency, its characteristics, operation and market, as well as a clear identification of the “internal operation”.

In addition to the foregoing, Banxico has amended the regulations governing the SPEI to increase the KYC/AML requirements of depositary institutions with respect to their clients engaged in the transfer of cryptocurrencies. On the other hand, any Mexican entity offering crypto exchange or custody services in Mexico is subject to the compliance requirements set forth in the AML Law (among others, keeping KYC files and meet certain reporting requirements).

Initial coin offerings (“ICOs”) are not regulated in Mexico. Currently, the authorisations to operate cryptocurrencies do not contemplate ICOs, but only exchange, transfer and custody of cryptocurrency.

We do not expect regulation on ICOs will be issued within the next year.

There are certain blockchain-based products designed and operated by foreign payment processors that operate in Mexico today and that simplify the operation of multiple accounts for international remittances.

An example of a live blockchain project in Mexico is Prescrypto. This product enables medical doctors to issue, sign, track and record digital prescriptions keeping sensitive clinical data safe using blockchain technology. The blockchain technology prevents prescription frauds and makes more efficient the provision of health services.

Pursuant to a survey conducted by GFT Technologies in 2017, 63% of surveyed Mexican bank executives, a high amount in comparison to other countries, noted the important role that artificial intelligence plays in the digital transformation of financial services. As part of their obligations under the open banking regulations (see question 4 above), Mexican banks and other financial entities will use artificial intelligence for the processing of shared data. Efficient data processing would result in an increased offering of better-designed financial products and services, and therefore would also promote the much-needed financial inclusion.

Additionally, several banks and other financial entities have implemented artificial intelligence in several internal (operative) tasks, including customer services. There are artificial intelligence tools to deliver “robo-advisory” services for asset managers, and treasury services.

Unfortunately, the regulations applicable to sharing transactional and aggregated data are still pending, which are crucial to encourage open banking and artificial intelligence to be applied in connection therewith.

It is expected that Regtech will be deployed by financial authorities to oversee financial entities in Mexico, especially for anti-money laundering purposes. Correlatively, financial entities will use artificial intelligence to meet the Regtech requirements, and also to drive down the costs (and increase the efficiency) of their anti-money laundering compliance burden.

In our view, the regulatory approach towards the use of artificial intelligence by financial entities will continue to promote the use of artificial intelligence in the financial sector heightening the responsibilities chief information officers and holding financial services and operations (whether automated or not) to the same standards.

Insurtech must be understood as the use of new technology to improve the quality and increase business opportunities at various value-added phases in the insurance industry. Insurtech projects have increased significantly in several areas of the insurance industry such as distribution, underwriting, valuation, prevention, claims handling, risk distribution, among others.

Auto insurance is probably the strongest line of business in insurtech. Also innovative business models have been recently developed in health insurance to provide access to health services to the large number of Mexicans that are uninsured or seek for an alternative to the public healthcare system.

From a high-level perspective, Fintechs are disruptive in the Mexican market as they have gained a significant penetration in the payments market, which continues to be dominated by the seven largest commercial banks.

Commercial banks and other depositary institutions (including popular financial entities similar to thrifts) have generally welcomed the collaboration with Fintechs, especially IFPEs. Depositary institutions realized that their strategic alliances with IFPEs and payment service providers result in an increase of their liabilities.

Certain depositary institutions have partnerships with Fintechs, whereby Fintechs design and offer new payment products and depositary institutions take care of the account keeping and compliance part of the business. These alliances have resulted in an accelerated time-to-market for a number of products. We also expect that bigger Fintechs will eventually have the intention of migrating their business model into a bank or thrift.

It is to be expected that as the Fintechs grow stronger and claim their legitimate place in the (still) bank dominated payments market, bigger players will be vigilant for investment, co-investment and acquisition opportunities. In the following years, we may see an increased M&A activity in the sector.

Crowdfunds have been regulated as microfinance entities and although they have had good penetration in the market, we would expect to see an increased use of crowdfunds by the public at large (both as an investment opportunity and as a funding alternative) in the years to come, as there is an enormous potential market for their services, and they may easily coexist with other well established microfinance products (such as pay day loans, and pawn shops).

The vast majority of banks and other financial institutions have internalized fintech R&D and are active in developing their own innovation programmes and developments.

Some of the bigger commercial banks invest heavily in fintech tools, and banks affiliated with foreign financial institutions take advantage of the fintech developments developed by their (most times, larger and more invested) parent.

Incumbent financial institutions will continue to carry their own R&D in fintech tools while keeping a close proximity with the new developments launched in Mexico.

At this point in time, disruption has been more about how financial services are delivered more than about how much have such disruptive agents penetrated the market.

We see strong disruption in (i) how cryptocurrencies are being introduced in Mexico for investors and financial entities (including remittance companies), (ii) targeted, more simple and customer friendly payment products, (iii) higher yield investments and lower cost and (iv) more available funding in crowdfunds. We see how developers and data processors strive to deliver better solutions to meet security requirements, increase levels of service and more efficient and reliable IT services.