Mexico: Fintech

Payments and payment systems are regulated level by several federal laws and regulations. The main laws governing payments and payment systems in Mexico are: the Mexican Constitution, the Law of Payment Systems (Ley de Sistemas de Pago), the Central Bank Law (Ley del Banco de México), the Law for the Transparency and Order of the Financial Services (Ley para la Transparencia y Ordenamiento de Servicios Financieros), and the Law to Regulate Financial Technology Institutions (Ley para regular las Instituciones de Tecnología Financiera, the “Fintech Law”). The constitution grants the Mexican Central Bank (Banco de México, “Banxico”) constitutional autonomy and the mandate to, among others, regulate financial services in Mexico. The Central Bank Law stipulates Banxico’s main purposes, including, among others, promoting the well-functioning of Mexican payment systems. The Law of Payment Systems sets out the requirements for a payment system to be considered systemically important, Banxico’s broad authority to regulate and supervise such systems, and a framework for the clearing and settlement of transactions through such systems. The Law for the Transparency and Order of the Financial Services provides Banxico and the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, “CNBV”) with additional tools to regulate payment systems, as well as to promote their transparency and competitiveness including the regulation of fees charged by the participants of card networks. The Law to Regulate Financial Technology Institutions introduces electronic payment funds institutions (instituciones de fondos de pagos electrónicos, “IFPEs”), that are authorised, among others, to keep e-wallets on behalf of their clients. Relevant secondary regulation issued by Banxico and/or by CNBV include: (i) Rule (Circular) 14/2017, which regulates the Mexican Peso denominated Interbank Electronic Payments System (SPEI) (amended in 2019 to implement a P2P online and mobile payment system called CoDI (Cobro Digital)); (ii) the Regulations applicable to the Network of Means of Utilization of Funds (Disposiciones de carácter general aplicables a los Medios de Pago), which specifically regulate card networks (the “Payment Regulations”); and (iii) the Regulations applicable to IFPEs (Disposiciones de carácter general aplicables a las Instituciones de Tecnología Financiera). The Anti-Money Laundering Law (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, the “AML Law”), its regulations and interpretative notes by the Financial Intelligence Unit (Unidad de Inteligencia Financiera) also apply to payment systems, among others, because they apply to issuers and distributors of prepaid, debit, credit and service cards, traveler checks issued by entities other than financial entities, as well as crypto currency exchanges. There is little case law issued with respect to payment systems laws and regulations, however there are important judicial holdings to take into consideration by any participant in a card system, including precedents regarding authenticity and use of electronic signatures, vouchers and burden of proof with respect to authorisation of transactions.

Yes, payment services in Mexico may be provided by non-banks. However, the regulation, and required licensing applicable to payment services providers (“PSPs”) varies depending on the type of services offered by PSPs. Regarding card payment acceptance services, acquirer and aggregation services do not require an ad hoc authorisation or license. Nevertheless, they are subject to reporting and registration obligations set forth in the Payment Regulations, which include, among others, registering their fees with Banxico and CNBV and delivering a yearly informative notice to CNBV. Additionally, any person offering acquirers, aggregators, brand owners or issuers any services that are required for such entities to carry out their operations in a card network, is characterized as a specialized entity under the Payment Regulations. Specialized entities do not require a license or authorisation to operate. However, they are subject to specific obligations under the Payment Regulations including, reporting obligations. Finally, we note that certain activities that are usually performed by PSPs may qualify as activities that require a license or authorisation under Mexican law, including (i) solicitation and receipt of deposits, and depository account keeping services, (ii) money remittance services, and (iii) currency exchange services. PSPs, especially those operating on a cross-border basis, should be cautious to structure their operations to avoid being considered as regulated entities.

Although throughout 2020 the users of cash decreased in almost 7% in Mexico (and the users of other payment methods, mostly debit cards, increased proportionally), cash is still the most widely used payment method in Mexico for retail transactions. According to the National Institute of Statistics and Geography (INEGI), 87% of retail purchases over US$25 in Mexico are paid in cash. Pursuant to data from the National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF), the use of debit and credit cards for online retail purchases has increased significantly in the past years. The number of online purchases using debit or credit cards grew at an average-quarterly rate of 14.2% from 2015 to 2020. Payments with debit cards, which represent approximately 60% of the total transaction volume prevail over payments with credit cards. However, higher value transactions are generally paid with credit cards, representing about 60% of the total transaction volume. As mentioned above, in 2019, Banxico launched a P2P online and mobile payment system called CoDI (Cobro Digital) for purposes of, among others, providing necessary infrastructure for the issuance and reception of payment instructions to a large portion of the population that still mainly relies on cash. The use of CoDI has increased from 52 thousand operations per month in January 2020 to 287,000 transactions by April 2021. Additionally, Mexican commercial banks have developed and launched apps for online e-payments, such as BBVA’s Wallet and Citibanamex’s Pay. Finally, the Mexican Federal Government continues to make significant efforts to promote financial inclusion, and welcomes initiatives aiming to increase financial inclusion.

The Fintech Law aims to promote competition and financial inclusion by requiring Mexican financial entities (including commercial banks), money remittance entities, credit information entities, clearing houses, IFPEs and companies authorised to operate with novel models (“Authorised Entities”), to implement application programming interfaces (“APIs”), and to share information of their customers through such APIs. APIs and the sharing of information must meet the requirements set forth by CNBV, Banxico or the corresponding regulators of the relevant entities. The information to be shared through APIs is classified under the Fintech Law as: (i) open data, including, among others, non-confidential financial information related to the services offered by the entities; (ii) aggregated data, consisting in statistical and dissociated information related to operations made by or through Authorised Entities; and (iii) transactional data, defined as information related to the use of financial products and services by a customer, including deposit accounts and credits. We note that transferring transactional data of customers requires express consent from the respective owner in all cases. On June 4, 2020, the CNBV issued the Regulations applicable to APIs (Disposiciones de carácter general relativas a las interfaces de programación de aplicaciones informáticas estandarizadas a que hace referencia la Ley para Regular las Instituciones de Tecnología Financiera). The regulations are applicable to the rest of the Authorised Entities (financial entities, IFPEs, money remittance entities and companies authorised to operate with novel models) but only regulate the handling of open data. Regulation applicable to aggregated and transactional data is still to come. Similarly, Banxico published Rule (Circular) 2/2020 which is applicable to credit rating agencies and clearing houses. The Circular stipulates among other things, requirements to obtain the prior authorisation from Banxico to set up the relevant APIs. Each of the Banxico regulated entities shall describe the aggregated data per type of transaction that is intended to be shared through the API. Also, the entities accessing the information should be previously authorised by Banxico for such purposes. The fees and access terms and conditions should also be approved by Banxico. Banxico has the authority to issue regulations governing the sharing of transactional information. APIs for offering push-and pull-payment products and services are not provided for in the Fintech Law. Under Mexican law, the control of accounts and e-wallets corresponds at all times to the respective account holders. Any product or service enabling a person different to an account holder, to originate transactions in the latter’s account, should be carefully assessed in order to determine if they comply with Mexican law. The participants of the Mexican fintech market are expecting said regulation, as access to the data is required to develop and offer new and innovative financial products and services. Regulation of aggregated data and transactional data would be expected in 2021. The issuance of such regulation is crucial for the development of the Mexican fintech environment. APIs continue to be one of the most important technologies used by startups for sourcing new financial products and services. Finally, in our view the open banking model is crucial in order to reduce the information concentration risk derived from a high concentration of the market by large Mexican financial institutions, thereby, increasing competition in the sector and ultimately benefiting endcustomers.

Mexico has a robust set of laws and regulations governing data privacy, including the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and its secondary regulation (jointly, the “Data Protection Laws”). Data Protection Laws are applicable to entities (other than credit information entities) that receive and process information of individuals in Mexico, and stipulates the principles, requirements and obligations for any individual or entity to treat, use, disclose and transfer such personal data. The main obligation for a data controller is to deliver a privacy notice to the data owner and obtaining its consent to treat the information in accordance with the privacy notice. Data controllers should also appoint a data protection officer, as well as adopt and maintain security measures with respect to personal data, which are at least equivalent to those adopted for its own information. In addition, banks, IFPEs and other depository institutions, as well as broker dealers and other financial entities are subject to the relevant secrecy provisions set forth in their relevant applicable laws and regulations. Acquirers, aggregators and issuers in a card network are also subject to the security standards set forth in the Payment Regulation, which include obligations to implement determined security measures, encrypt personal information of the cardholder, control access to data bases, etc.

The Fintech Law is based on principles of innovation and inclusion, and the policy of Mexican financial authorities is to further those principles in their regulations. Considering the foregoing and acknowledging the ever-changing nature of the fintech industry, the Fintech Law introduced the regulatory framework applicable to sandboxes. The sandbox authorization provided in the Fitnech Law enables nonfinancial entities to temporarily offer financial services by means of a novel model (using tools or technological means differing from those existing in the market), approved by the applicable authority, which would otherwise require a license or authorisation pursuant to Mexican financial laws. Additionally, the Fintech Law allows CNBV and Banxico to give a sandbox authorisation to financial entities to temporarily operate novel models if such activity is restricted by the laws and regulations governing them. Banxico has been particularly active in promoting innovation mainly in order to encourage financial inclusion. CNBV has actively partaken in the “Sandbox Challenge” open competition to incentivize innovation and has traditionally took an open stance towards innovation and use of technology by applicants and financial entities. Finally, we note that the National Commission for the Pension System (Comisión Nacional de Servicios de Ahorro para el Retiro) as well as the National Insurance and Bond Commission (Comisión Nacional de Seguros y Fianzas) have issued regulations setting forth the requirements and procedures to obtain an authorisation to operate novel models to offer products or services which are otherwise restricted to entities authorised by such regulators. We consider that these developments provide a solid basis for insurtech entrepreneurship, and an opportunity for entrepreneurs to dabble in the Mexican pension system and engage Mexican Pension Funds (Afores), which currently hold around MXN $4 trillion (approximately USD $180 billion) in assets under management.

With a consumer confidence that continues to increase to achieve pre-pandemic levels, and a population that is more acquainted with the use of technology and electronic payments, the Mexican Fintech market is ripe for further growth. CNBV has made a good job so far penalizing unfair practices that may lead to the distrust of the public in the Mexican regulated entities, and has procured a levelled ground for the participants in the sector. The risk of a change of policy to restrict the use of technology in the market or the participation of new entities seems to be rather low.  The regulator has shown no signs of an intention to overregulate the industry or limit the use of new technology or models in the sector. Perhaps the short term challenge for the fintech market is to displace cash as the preferred payment instrument. Tackling such challenge will require a coordinated effort by the administration and the market participants to convey trust and reliability to the users. The long term challenge for the fintech market to explode to its full potential is to further financial education in the population since childhood. The Mexican fintech environment is dominated by payment services and consumer lending, which are markets that will likely see a strong recuperation as the economy warms up. On the other hand, we note that the SARS-CoV-2 Pandemic has catalysed the Mexican fintech industry for users, authorities and entities. The interim measures implemented by CNBV have made possible for many entities to on-board a large number of first time users of financial products. The pandemic has significantly contributed in the proliferation of digital products and services, including fintech enterprises, and it is foreseeable that such proliferation will only continue to increase.

There are no specific tax incentives encouraging investment in fintech in Mexico.

Payment services and consumer lending sub-segments represent more than a third of the Mexican fintech market. These are also the sub-segments that are attracting the most investments into Mexico. SoFi, Goldman Sachs, Softbank and IFC are among the international investors that have invested in Mexican fintech start-ups. Konfío, an online lending platform focused in Mexican small-and medium sized companies (PyMes) recently concluded a Series D investment round, adding up to over US$400 million in funding. Additionally, Rappi, a start-up specialized in online delivery services backed by Softbank, entered into a joint venture agreement with Banorte (one of the largest Mexican commercial banks) to establish a new fintech company. We have also seen significant investments in terms of research and development in connection with cryptocurrencies, blockchain based systems and crowdfunding. Finally, according to Finnovista, insurtech grew at a 46% rate since 2019, outperforming every other subsegment. This could indicate that insurtech could see an increase in investments.

Mexico has a thriving fintech ecosystem founded in users that are increasingly technology savy, communicated and willing to migrate to a technology based economy, as well with regulators focused on the user and allowing participation in the market. The depth of the market explains the very low failure rate of entities in Mexico. The number of fintech start-ups continues to rise steadily. According to a study by the Visa Innovation Center, Mexico is considered the leader in business innovation in Latin America, and provides entrepreneurs with a solid regulatory framework giving legal certainty to innovate and develop disruptive projects. Additionally, a low bank account penetration (27%) partly due to geographical limitations, relatively high internet penetration rate (63.9%), and a young population (average of 27.5 years) (J.P. Morgan), who are more keen to seek innovative financial services providers, provides for interesting business opportunities for fintech start-ups. Additionally, according to J.P. Morgan, Mexico’s e-commerce market is valued at US$22.6 billion, and according to the World Bank and McKinsey more than half of Mexican small-and medium sized companies have no access to financial services. The credit gap for Mexican business is estimated to be at US$ 60 billion. The foregoing has resulted in social culture that traditional financial services providers, such as banks, have not been able to fully overcome, despite the efforts and resources invested in it.  Fintech entities are becoming a major change factor in these regards and are proving to be a substantial part of the solution that is likely to change the social culture in Mexico. Mexico continues to be an investment friendly jurisdiction with an exceptionally large number of free trade agreements, investment protection and double taxation treaties. The Mexican legal mainframe for private equity transactions is sound and well established, and the regulation on fintech is designed to allow private and public investments in the sector.

Foreign employees in Mexico are allowed to work in Mexico provided they obtain a temporary working visa or a visiting visa to carry out remunerated activities. To obtain any of such visas the employer must file an application with the National Immigration Institute (Instituto Nacional de Migración) requesting the visa based on a job offer. There are no current or coming regulation that may facilitate access to talent for Fintechs. We do not expect to see in the near future any change in immigration regulation affecting particularly access to fintech talent.

Financial entities, fintech associations and universities are the main promoters of talent for the fintech industry in Mexico. The contribution of the regulator in the promotion of talent is more visible in the controlling side of the business, where internal comptrollers have to be certified by the regulator. Nonetheless, we do not see substantial gaps in access to talent. The Mexican fintech industry is covered either by local talent or by foreign talent under the current standard immigration regulation. The Mexican fintech industry has low capacity to influence immigration policy.

The Copyright Law (Ley Federal del Derecho de Autor) provides express protection to computer programs. Such protection covers application softwares and operating systems in both, source code and object code. Other type of developments such as databases may also be subject to protection under the Copyright Law, as long as they are deemed intellectual creations based on the selection and layout of data or information. The use, reproduction or profit obtained from a copyright work without the previous consent of the copyright owner would be a breach to the Copyright Law. The copyright owner may claim for compensation before the Industrial Property Mexican Institute (“IMPI”) who may declare injunctions or impose fines. The Industrial Property Law (Ley Federal de la Protección a la Propiedad Industrial) provides useful protections for Fintechs, for example regarding trade secrets and trademarks. For a trade secret to be protected, it must mean a commercial advantage and it must be kept confidential. In the event of misappropriation by a third party, the owner of the trade secret may initiate actions and claim compensation for unfair competition. Regarding trademarks, fintech providers must register their brands with the IMPI to obtain the exclusivity right to use of their brand within Mexican territory. On July 1, 2020, the United States-Mexico-Canada Agreement (USMCA) entered into force (replacing the 1994 North America Free Trade Agreement). The new USMCA (known as T-MEC in Mexico) increases the standards for intellectual property protection in Mexico. The USMCA establishes a number of requirements to be met by the three signatory countries to improve protection to intellectual rights. Among them, the USMCA requires the parties to enact regulation for tougher sanctions and effective actions against infringement of intellectual property.

The Fintech Law and its secondary regulation including Rule (Circular) 4/2019 issued by Banxico, establish the regulatory framework for cryptocurrencies. Each cryptocurrency should be carefully analysed to determine its legal attributes, especially in view of any tokens associated therewith. The classification and legal treatment of a cryptocurrency may vary drastically depending on the characteristics of the cryptocurrency and its corresponding token, and such characteristics may in turn determine the rules applicable to the offering, distribution, custody and even taxation of such cryptocurrency any transactions involving them. That being said, a large number of cryptocurrencies may be characterized, as a rule of thumb, as movable intangible and fungible property for Mexican law purposes. Cryptocurrencies are not considered national or foreign fiat currency even if they are stable coins. The Fintech Law grants ample regulatory authority to Banxico with respect to cryptocurrencies. Banxico has adopted a very cautious position with respect to the distribution of cryptocurrencies in Mexico, among others, because Banxico perceives that the public may not have sufficient information to adequately understand the complexities associated with a cryptocurrency, there may be information asymmetries between the public and the operators of such assets, and also there may not be an objective basis to determine the value, supply and offer with respect to a cryptocurrencies. Banxico has opted to put some “safe distance” between cryptocurrencies (and their perceived risks) and the Mexican public. Although the Fintech Law provides that IFPEs may keep crypto denominated accounts for their clients, and that banks may carry out transactions with respect to cryptocurrencies, in both cases, solely with respect to cryptocurrencies approved by Banxico, Rule (Circular) 4/2019 issued by Banxico restricts the use of cryptocurrencies by Fintechs and banks to “internal operations” (i.e., operational transactions whereby any risks stemming from the cryptocurrencies are assumed by the entity), and solely with respect to cryptocurrencies that are approved to each entity after a thorough authorisation procedure that includes practically every aspect of the cryptocurrency, its characteristics, operation and market, as well as a clear identification of the “internal operation”. In addition to the foregoing, Banxico has amended the regulations governing the SPEI to increase the KYC/AML requirements of depositary institutions with respect to their clients engaged in the transfer of cryptocurrencies. On the other hand, any Mexican entity offering crypto exchange or custody services in Mexico is subject to the compliance requirements set forth in the AML Law (among others, keeping KYC files and meet certain reporting requirements).

Initial coin offerings (“ICOs”) are not specifically regulated in Mexico. Currently, the authorisations to operate cryptocurrencies do not contemplate ICOs, but only exchange, transfer and custody of cryptocurrency. We do not expect regulation on ICOs will be issued within the next year.

There are certain blockchain-based products designed and operated by foreign payment processors that operate in Mexico today and that simplify the operation of multiple accounts for international remittances. An example of a live blockchain project in Mexico is Prescrypto. This product enables medical doctors to issue, sign, track and record digital prescriptions keeping sensitive clinical data safe using blockchain technology. The blockchain technology prevents prescription frauds and makes more efficient the provision of health services.

Pursuant to a survey conducted by GFT Technologies in 2017, 63% of surveyed Mexican bank executives, a high amount in comparison to other countries, noted the important role that artificial intelligence plays in the digital transformation of financial services. As part of their obligations under the open banking regulations (see question 4 above), Mexican banks and other financial entities will increasingly use artificial intelligence for the processing of shared data. Efficient data processing would result in an increased offering of better-designed financial products and services, and therefore would also promote the much-needed financial inclusion. The implementation of many AI related processes by financial entities will in many instances have to be outsourced to non-Mexican service providers, and may be subject to the approval of the regulators (specially CNBV). Additionally, several banks and other financial entities have implemented artificial intelligence in their internal (operative) tasks, including customer services. There are artificial intelligence tools to deliver “roboadvisory” services for asset managers, and treasury services. Unfortunately, the regulations applicable to sharing transactional and aggregated data are still pending, which are crucial to encourage open banking and artificial intelligence to be applied in connection therewith. It is expected that Regtech will be deployed by financial authorities to oversee financial entities in Mexico, especially for anti-money laundering purposes. Correlatively, financial entities will use artificial intelligence to meet the Regtech requirements, and also to drive down the costs (and increase the efficiency) of their anti-money laundering compliance burden. In our view, the regulatory approach towards the use of artificial intelligence by financial entities will continue to promote the use of artificial intelligence in the financial sector heightening the responsibilities chief information officers and holding financial services and operations (whether automated or not) to the same standards.

Insurtech must be understood as the use of new technology to improve the quality and increase business opportunities at various value-added phases in the insurance industry. Insurtech projects have increased significantly in several areas of the insurance industry such as distribution, underwriting, valuation, prevention, claims handling, risk distribution, among others.

Auto insurance is probably the strongest line of business in insurtech. Also innovative business models have been recently developed in health insurance to provide access to health services to the large number of Mexicans that are uninsured or seek for an alternative to the public healthcare system.

From a high-level perspective, Fintechs are disruptive in the Mexican market as they have gained a significant penetration in the payments market, which continues to be dominated by the seven largest commercial banks. Commercial banks and other depositary institutions (including popular financial entities similar to thrifts) have generally welcomed the collaboration with Fintechs, especially IFPEs. Depositary institutions realized that their strategic alliances with IFPEs and payment service providers result in an increase of their liabilities. Certain depositary institutions have partnerships with Fintechs, whereby Fintechs design and offer new payment products and depositary institutions take care of the account keeping and compliance part of the business. These alliances have resulted in an accelerated time-to-market for a number of products. We also expect that bigger Fintechs will eventually have the intention of migrating their business model into a bank or thrift. It is to be expected that as the Fintechs grow stronger and claim their legitimate place in the (still) bank dominated payments market, bigger players will be vigilant for investment, co-investment and acquisition opportunities. In the following years, we may see an increased M&A activity in the sector. Crowdfunds have been regulated as microfinance entities and although they have had good penetration in the market, we would expect to see an increased use of crowdfunds by the public at large (both as an investment opportunity and as a funding alternative) in the years to come, as there is an enormous potential market for their services, and they may easily coexist with other well established microfinance products (such as pay day loans, and pawn shops).

The vast majority of banks and other financial institutions have internalized fintech R&D and are active in developing their own innovation programmes and developments. Some of the bigger commercial banks invest heavily in fintech tools, and banks affiliated with foreign financial institutions take advantage of the fintech developments developed by their (most times, larger and more invested) parent. Incumbent financial institutions will continue to carry their own R&D in fintech tools while keeping a close proximity with the new developments launched in Mexico.

At this point in time, disruption has been more about how financial services are delivered more than about how much have such disruptive agents penetrated the market. We see strong disruption in (i) payday and personal lending, (iii) targeted, more simple and customer friendly payment products, (ii) how crypto currencies are being introduced in Mexico for investors and financial entities (including remittance companies), (iv) distribution of personal investment products, and (v) more available funding in crowdfunds. We are also aware of a number of projects that will be deployed shortly and may have a disruptive effect by offering a more comprehensive scope of electronically delivered services to the end user. We see how developers and data processors strive to deliver better solutions to meet security requirements, increase levels of service and more efficient and reliable IT services.  With the recent increase of fintech authorizations, we are likely to see significant examples of disruption through fintech in Mexico as novel models, which will foreseeably disrupt the market, have just recently obtained their authorization or are still awaiting it.