Fintech companies in Mexico are primarily regulated by the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores) (the “Banking Commission”), which is responsible for granting licenses and supervising financial technology institutions (“Fintechs”) under the Law to Regulate Financial Technology Institutions (Ley para Regular las Instituciones de Tecnología Financiera) (the “Fintech Law”).

Additionally, Mexico’s Central Bank (Banco de México) (“Banxico”) plays a key role, particularly in overseeing payment systems, electronic money institutions, and virtual assets. Any Fintech operating with electronic payment funds or virtual assets must comply with Banxico’s regulations.

The Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público) (the “Ministry of Finance”) also has oversight authorities, particularly in financial policy and taxation. The Ministry of Finance, together with Banxico and the Banking Commission, forms the Inter-Institutional Committee, which is responsible for reviewing applications for Fintech licenses.

Other regulators may be involved depending on the type of authorization or specific services provided, as follows:

1. The National Insurance and Bonding Commission (Comisión Nacional de Seguros y Fianzas) is involved in the authorization process and oversees insurtech companies.
2. The National Commission for the Pension System (Comisión Nacional del Sistema de Ahorro para el Retiro) regulates Fintechs operating within the pension fund sector.
3. The Financial Intelligence Unit (Unidad de Inteligencia Financiera), which is an agency of the Ministry of Finance, enforces anti-money laundering and counter-terrorism financing obligations, especially for Fintechs dealing with digital assets or cross-border transactions.
4. The National Commission for the Defense of Financial Services Users (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros) handles consumer protection disputes, ensuring Fintech users have recourse in controversial cases.

The Banking Commission and Banxico actively monitor Fintechs through audits, inspections, and regulatory reviews to ensure that:

1. Entities operating in regulated activities have the proper authorizations under Mexican law, especially with Fintech Law.
2. Fintechs comply with financial stability, risk management, and user protection standards.

Both agencies have demonstrated a strong commitment to adapting regulations as the fintech sector evolves. The Banking Commission is regarded as one of the most rigorous financial authorities in Mexico, which fosters confidence among investors and users regarding regulatory compliance. Banxico, for its part, has developed key financial infrastructure initiatives, such as the Interbank Electronic Payments System (Sistema de Pagos Electrónicos Interbancarios) and, recently, CoDi or Digital Collection System (Sistema de Cobro Digital), to facilitate digital transactions, payments and collections through electronic transfers and promote financial inclusion.

Fintech companies in Mexico must comply with strict regulatory requirements, including AML regulations, user protection policies, and risk management standards. While the regulatory framework is stringent and can pose operational challenges, Mexican authorities have demonstrated willingness to support innovation and collaborate with Fintechs.

Mexico’s fintech market has been expanding steadily in recent years, although several challenges pose risks to its continued growth. According to recent industry data, the Mexican fintech ecosystem has reached 1,104 Fintechs, marking a significant increase since 2022. Among them, 803 are local startups (up from ~773 local ventures in 2022), while 301 are international ventures.

While Mexico’s fintech sector continues to grow, there are still several challenges that could impact its sustained growth:

• Regulatory Uncertainty and Compliance Costs: The implementation of secondary regulations, particularly in open finance and digital assets, remains a pending challenge. As Fintechs increasingly seek banking licenses or decide to operate under alternative models, such as Popular Financial Entities or SOFIPOs (Sociedades Financieras Populares), Fintech companies face higher capital requirements, compliance costs, and operational burdens.
• Licensing and M&A Processes: Timing and Complexity: The process to obtain or transfer any license in Mexico is usually complex and lengthy and may be protracted by several factors unrelated with the relevant application.
• Market Saturation and Rising Competition: Traditional banks are launching fully digital banking operations, while some Fintechs are moving towards licensed banking models that allows them to have a wider margin to operate. This increased competition—both among Fintechs and from financial institutions—may pressure profit margins and force market consolidation.
• Operative Hurdles in Regulation. Regulations for participants in the market are in some cases uneven and unclear, especially with respect to retention of third-party services and collaboration with other players in the market.
• Challenges in Digital Payment Adoption: Despite growing fintech adoption, cash remains a dominant payment method in Mexico. Digital payment initiatives such as CoDi and QR-based transactions have yet to reach mass adoption, requiring further publicity among consumers, consumer trust and infrastructure improvements.
• Cybersecurity and Financial Fraud Risks: The expansion of open banking, digital payments, and instant transactions has led to increased financial crime threats in Mexico (more than 31 million attempted cyberattacks in 2024, representing 55% of the total attacks in Latin America). Fintechs must continuously enhance security frameworks and comply with stricter anti-money laundering regulations, in the absence of cybersecurity regulation in Mexico.
• Sustainability of Lending Models: Many Fintech lenders rely on high-interest deposit models using SOFIPOs, which represent elevated funding costs and credit risk exposure. Economic volatility and loan default rates may threaten the long-term viability of some lending-focused Fintechs.

Despite these challenges, Fintechs in Mexico remain well-positioned for growth, particularly in real-time payments, digital banking, and financial inclusion initiatives. Collaboration with banks, adoption of stronger risk management strategies, and regulatory adaptability will be key to long-term success.

Until 2018, when the Fintech Law came into effect, companies in this sector operating in Mexico did so through other financial models or in a regulatory “gray area”.

Since the issuance of the Fintech Law, Fintechs in Mexico may require authorization depending on the activities that such entities perform.

Entities carrying out the following activities are subject to the supervision and vigilance of authorization granted by the financial regulators:

• solicitation and receipt of deposits and depository account keeping services, and issuance of debit cards linked to such accounts
• investment advisory services
• issuance, management, redeeming and transfer of electronic payment funds
• crowdfunding
• money remittance
• ordinarily carrying out the purchase, sale or exchange of currencies

Fintech Law regulates two types of Financial Technology Institutions or Fintechs, which must obtain a license from the Banking Commission with prior approval from the Inter-Institutional Committee.

These entities are:

• Collective Financing Institutions (Instituciones de Financiamiento Colectivo, or IFCs), authorized to facilitate crowdfunding activities, including peer-to-peer lending, equity crowdfunding, and royalty-based financing.
• Electronic Payment Funds Institutions (Instituciones de Fondos de Pago Electrónico, or IFPEs), authorized to issue, manage, and transfer electronic payment funds (e-wallets), allowing users to store and transfer money or virtual assets. IFPEs can also facilitate payments and withdrawals.

Additionally, non-financial entities that wish to offer financial services through an innovative and novelty model may be granted a special authorization to operate novel models in a Regulatory Sandbox (see question 4.)

The Fintech Law is based on principles of innovation and inclusion, and the policy of Mexican financial authorities is to further those principles through regulation.

Considering the foregoing and acknowledging the ever-changing nature of the fintech industry, Fintech Law introduced the regulatory framework applicable to Sandboxes.

The Sandbox authorization provided for in the Fintech Law enables nonfinancial entities to temporarily (2 years, extendable for 1 more year) offer financial services by means of a regulatory sandbox (using tools or technological means differing from those existing in the market), which would otherwise require a license or authorization pursuant to Mexican financial laws.

Additionally, the Fintech Law allows the Banking Commission and Banxico to grant a Sandbox authorization to financial entities to temporarily operate novel models with activities that are restricted by the laws and regulations governing them.

We note that the National Commission for the Pension System (Comisión Nacional del Sistema de Ahorro para el Retiro) as well as the National Insurance and Bond Commission (Comisión Nacional de Seguros y Fianzas) have issued regulations based on the Fintech Law setting forth the requirements and procedures to obtain an authorization to operate novel models to offer products or services that are otherwise restricted to entities authorized by such regulators.

Initial coin offerings (“ICOs”) are not specifically regulated in Mexico. Securities, AML, and other financial regulations may apply to an ICO depending on the structure of the offering and the relevant digital asset. Tailoring an effective legal framework for the offering, distribution and custody of digital assets in Mexico is a highly technical work that requires a deep analysis on a case-by-case basis.

Digital asset exchanges and digital asset service providers that carry out transactions with a client for an approximate amount of the Mexican peso equivalent of US$3,633 or more within a 6 month period are subject to AML compliance pursuant to the Federal Law for the Prevention and Identification of Transactions with Resources of Illicit Origin or AML Law(Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita), which entails registration with the Mexican Tax Administration Service and filing reports of such transactions through a dedicated internet platform (Sistema del Portal de Internet). Other AML obligations include the following:

• identify its clients and verify their identity based on official credentials or documentation;
• in case a business relationship is established, collect information regarding the clients’ activity or occupation;
• request information about the client’s beneficial owner (if applicable) and collect documentation that allows their identification; and
• safeguard any information or documentation in connection with its clients’ activities and identification for at least 5 years. Furthermore, such entities must appoint a person responsible for compliance with AML obligations.

Financial institutions that participate in the Mexican inter-bank payment system are subject to certain enhanced KYC requirements with respect to clients engaged in the digital asset business.

Implementation of a successful token in Mexico requires careful planning and implementation of AML compliance and on/off-ramping fiat funds.

Banxico has broad legal authority to regulate digital assets in the financial system, but it has to this date opted not to approve any digital currency for its generalized use by depository institutions nor to authorize the provision of digital asset wallet services by financial institutions. Banxico’s decision is consistent with its position of maintaining a “safe distance” between virtual assets and the traditional Financial System.

Banxico’s Rule (Circular) 4/2019 restricts Fintechs and banks from using virtual assets beyond “internal operations”, meaning transactions where the institution does not assume any risks associated with the virtual asset. Even for such internal use, entities must undergo a cumbersome and highly detailed authorization process, which requires, among others, disclosing the asset’s characteristics, market behavior, and operational purpose. Mexican non-regulated entities may perform virtual asset transactions, but they must comply with AML Law requirements, including KYC procedures, transaction monitoring, and reporting obligations (refer to answer 6 for AML compliance details).

Despite the foregoing, it is possible to navigate these regulatory challenges to deploy a digital asset business or blockchain product in Mexico. In most instances, the foregoing will entail implementing strong compliance frameworks, including AML/KYC monitoring systems and maintaining accurate transaction records. Despite these restrictions, the use of blockchain technology in the financial sector itself remains unregulated, allowing companies to develop decentralized applications (DApps), smart contracts, and enterprise blockchain solutions outside the financial sector.

In Mexico, there are no specific governmental guidelines regarding tax reporting and obligations for digital assets. However, based on their operational structure, legal setup, business activities, presence in the country, and the way they provide services to Mexican resident users, cryptocurrency companies may be subject to certain tax obligations in Mexico pursuant to the general regime established for providers of digital intermediation services.

Given the evolving regulatory landscape, cryptocurrency companies should seek professional tax and legal advice to determine their specific responsibilities and mitigate potential risks of non-compliance.

Blockchain companies in Mexico must comply with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which requires a privacy notice, user consent, a data protection officer, and security measures equivalent to those used for their own information. Financial institutions, including banks, Fintechs, and payment processors, must also comply with sector-specific secrecy provisions and encryption requirements under the Payment Regulation (Disposiciones de carácter general aplicables a las redes de medios de disposición).

To reconcile blockchain transparency with privacy regulations, companies can adopt privacy-enhancing technologies (ZKPs, encryption), off-chain data storage, and compliance-focused smart contracts. The Banking Commission and Banxico have yet to define clear rules for privacy-focused blockchain applications, meaning companies must proactively engage with regulators to ensure compliance while leveraging blockchain’s security advantages.

Mexico is becoming a strong exporter of talent and technology as the financial and technological sector is growing towards consolidation and up to 50% of the Fintechs are registering operations outside the country.

Although there is not specific data on the impact that H-1B and L-1 visas have on the fintech sector, such immigration policies have significant impact on the ability of companies to hire international talent or wanting to centralize operations in the U.S.

Fintech companies in Mexico are subject to the supervision and authority of the Banking Commission, the Ministry of Finance, Banxico and CONDUSEF. Each of these authorities have issued specific laws and regulations in connection with their sector, and each of these regulations establishes several compliance requirements and calls for specific internal controls.

The Fintech Law and its regulations provide the requirements to operate as a crowdfunding institution, an electronic payment funds institution, and/or a regulatory sandbox, as well as the main aspects of virtual assets, APIs and the authorization process for Fintech companies. Under these regulations, Fintech companies must comply with technological and security requirements, reporting obligations and providing certain information on their corporate structure, among others. Banxico has also issued certain regulations (circulares) in connection with transactions with virtual assets (see answer 7 above), foreign currencies and electronic payment funds whereas CONDUSEF has issued regulations in connection with transparency obligations.

Important compliance requirements include appointing a compliance officer and a chief information security officer, meeting the requirements of the inter-bank payment system, implementing a backup cloud service for non-Mexican SaaS vendors, obtaining authorizations or delivering notices in respect of a number of service providers, keeping proper files of all third party vendors and service providers, establish a risk assessment methodology, enforce KYC requirements and report if a client is executing unusual or suspicious transactions, among others.

In short, given the diversity of regulations, the multiplicity of regulatory requirements and their correlative compliance actions, it is fundamental for any participant in the industry to rely on a very clear regulatory requirements map, as well as to design internal controls to ensure compliance.

Entering the Mexican market calls for a very comprehensive approach, including consideration of the following key aspects:

• Key segments are highly competitive. The majority of the Mexican fintech market revolves around payments and remittances, personal loans, enterprise financial management and technological infrastructure for financial institutions. Identifying any gaps in the services to provide differentiated solutions is critical in these segments.
• Partnerships with financial institutions. Entering the market through strategic partnerships with established financial institutions may facilitate and provide certain advantages to new competitors, including time-to-market and leveraging their partner’s credibility with their existing consumers. Several Mexican financial institutions are open to discuss partnerships and business integrations with newcomers.
• M&A. An M&A transaction may be the path of least resistance into the Mexican market despite the lengthy authorization processes. We would expect a continued increment of M&A transactions in the sector as a result of newcomers finding their way into the Mexican fintech market.
• Artificial Intelligence. 68% of Fintechs in Mexico already use artificial intelligence. This means that understanding how to incorporate AI-driven solutions is crucial for these companies, whether for credit scoring, fraud prevention, or customer service.

The main risks that Fintechs may encounter in Mexico include bureaucracy and a rigid and complex regulatory framework. The combination of a complex regulation and a slow regulator affects the arrival of new products and players into the market, drives up regulatory costs, and affects the efficiency of several operational processes, including contracting of certain key third party vendors.

Although there are no specific financial risks disproportionately affecting Mexican Fintechs, it may be considered that many Fintechs may find it hard to secure financing from local sources, and many look to the global markets to obtain funding. Other factors such as cybersecurity and technological risks should be considered and addressed structurally.

Yes, Fintechs may outsource several business functions to providers abroad. Depending on the nature of the services, collective funding institutions and electronic payment funds institutions must either obtain authorization from, or deliver a prior notice to, the Banking Commission.

As indicated above, electronic payment funds institutions must contract with a primary and secondary cloud service provider. The secondary provider must not be exposed to the same risks as the primary provider is exposed in its home jurisdiction. In other words, such institutions must ensure that the secondary provider’s services will not be interrupted for the same reasons and thus must be located offshore.

The implementation of security policies, manuals and adequate remedies in the documents regulating the provision of services to Fintechs are effective protections of their software from any unauthorized use. In many instances, Fintechs take a more pragmatic approach towards the protection issue by implementing trade secret type measures that make it de facto nearly impossible to duplicate or extract their software. With respect to any patents obtained in other jurisdictions, such patents would be subject to protection and registration in Mexico. Certain fintech innovations may be patentable in Mexico, although most of the patents in the market are non-Mexican or registered outside of Mexico.

Registration of proprietary software in Mexico is possible and should be considered on a case-by-case basis. The Copyright Law (Ley Federal del Derecho de Autor) provides specific protection to computer programs. Such protection covers application software and operating systems in both source code and object code. Other types of developments such as databases may also be subject to protection under the Copyright Law, if they are deemed intellectual creations based on the selection and layout of data or information. The unauthorized use or reproduction of, or profit from, copyrighted works would be a copyright violation subject to compensation, protective injunctions, and fines and other sanctions that the owner may pursue before the National Copyright Institute (Instituto Nacional de Derechos de Autor, “INDAUTOR”).

Regarding other technological innovations such as hardware and integrated circuit schemes, the Industrial Property Law (Ley Federal de Protección a la Propiedad Industrial) also provides specific protection. These innovations must be registered with the Mexican Industrial Property Institute (Instituto Mexicano de la Propiedad Industrial, “IMPI”). This registration shall be in force for a term of 10 to 20 years, depending on the nature of technological innovation

On July 1, 2020, the United States-Mexico-Canada Agreement (USMCA) entered into force (replacing the 1994 North America Free Trade Agreement). The USMCA (known as T-MEC in Mexico) increases the standards for intellectual property protection in Mexico. The USMCA establishes several requirements to be met by the three signatory countries to improve protection of intellectual property rights. Among them, the USMCA requires the parties to enact regulations for tougher sanctions and effective actions against infringement of intellectual property.

The Industrial Property Law provides express protection to trademarks, commercial names and slogans. Trademarks may be comprised of letters, two-dimensional and three-dimensional shapes, colors, sounds and smells. Fintech companies must register their trademarks, commercial names and slogans with IMPI to obtain the exclusivity right to use their brand within Mexican territory. This registration must be renewed every ten years.

The unauthorized use of a trademark, commercial name or slogan, would be a breach of the Industrial Property Law. The owner of the trademark, commercial name or slogan, may claim for compensation before the IMPI who may declare injunctions or impose fines.

Open-source software is not specifically regulated in Mexico. To address the gaps in the Copyright Law, it is important to outline all of the necessary terms and conditions in the licensing agreements. As the Copyright Law still provides protection to software, these provisions would still be enforceable before INDAUTOR (see question 15).

Additionally, software developed based on open-source software would oftentimes be considered new work separate from the software and subject to protection (unless otherwise provided in the open-source licensing agreements or terms and conditions of use of the open-source software). The new software may also be registered before INDAUTOR and avail protection to the relevant author (see question 15).

When dealing with the technical aspects of a collaboration or partnership, Fintechs (either startups or well-established players) rely on licensing and or SaaS or Platform agreements that are exhaustively reviewed and negotiated. In many instances, Fintechs share their proprietary IP on a need-to-know basis with technical personnel indicated by their partner.

Mexican legislation and practice generally recognize work-for-hire agreements to allocate IP rights among the parties. In principle, pursuant to the Copyright Law all copyrightable works are owned by their relevant author; and all software, computer programs and databases developed by a company’s employees, as per the instructions of the employer, shall be owned by said company. Fintechs may implement contracts allocating their rights with respect to IP, documenting the contributions of each party, and outlining their respective rights.

By the same token, Fintechs and their business partners and developers may enter into licensing agreements with respect to licenses. Pursuant to Mexican law, the owner of a trademark is the person or entity registered as such before the IMPI. Therefore, it is important for trademark owners to register the trademark, commercial name or slogan, and to establish contractual provisions determining the limited use of trademarks in a specific business relationship.

As indicated in questions 15 through 18 above, to ensure adequate protection of their technology or brand, Fintechs may, among others: (i) register their IP before INDAUTOR and their trademarks, commercial names and slogans before the IMPI; (ii) disclose that their IP is registered; (iii) seek relevant relief before INDAUTOR (see question 15) or IMPI (see question 16) as applicable, (iv) implement internal policies, procedures and contracts providing for adequate protection, and (v) implement technical measures to ensure that sensitive information is not transferable or duplicated.

In Mexico, financial institutions and Credit Information Companies (Sociedades de Información Crediticia) must ensure fair and non-discriminatory credit scoring models, aligning with data protection and consumer protection laws. Additionally, credit information companies are legally obligated to consider all available data in their databases without discrimination, as established in Article 13 of the Credit Information Companies Law.

For Fintechs providing credit scoring and lending services, this means that their AI models must: (i) incorporate all available credit data and avoid selective biases in data usage, (ii) undergo audits to verify that scoring models do not disproportionately favor or penalize certain groups, and (iii) ensure transparency by making their AI decision-making processes explainable to consumers and regulators.

Mexican financial regulators have not yet issued AI-specific regulations, but compliance with fair lending principles is essential. As AI regulations evolve, Fintechs should proactively adopt bias-mitigation frameworks and independent audits to align with best practices, although now they have no regulatory obligation to do so.

Under the Industrial Property Law, AI-generated content cannot be directly protected as intellectual property, since Mexican law only recognizes human authorship. The Supreme Court of Mexico has ruled that creativity is a human trait, reinforcing that AI cannot be an inventor or author. However, Fintechs may protect their proprietary AI models through trade secrets, software copyrights, and patents related to AI development.

When using third-party AI tools, Fintechs must carefully assess licensing agreements to avoid potential infringement issues, especially considering that copyright laws in Mexico do not yet address AI-generated content explicitly. The growing debate over AI and copyright protection, suggests that Mexican regulators may need to issue clearer rules on AI-generated works and dataset usage.

Fintechs must comply with financial laws, including Fintech Law and its secondary regulations. While there is no specific AI regulation, the Banking Commission has started issuing recommendations regarding AI usage, urging financial institutions, particularly SOCAP’s (Savings and Loan Cooperatives)—to implement internal policies and protocols to mitigate risks associated with AI tools.

The National AI Agenda 2024-2030 proposes future regulatory developments that could impact Fintechs, particularly in risk assessment and algorithmic transparency. The Banking Commission’s recent warnings indicate that AI adoption in financial services is under scrutiny, and Fintechs should prepare for potential future compliance requirements.

Fintech companies should adopt a comprehensive AI risk management framework to mitigate legal liabilities.

Some examples of key strategies are:

1. Regulatory Compliance & Oversight. Ensuring AI aligns with Mexican financial regulations, including AML obligations and anti-discriminatory and consumer protection laws.
2. Data Protection & Cybersecurity. Compliance with the Personal Data Protection Law to safeguard sensitive financial data.
3. Incident Response & Redress Mechanisms. Implementing robust protocols to address AI failures, security breaches, and customer disputes.

The recent concerns about data poisoning in AI models, along with security issues such as the ChatGPT bug that exposed user data, highlight the critical need for robust cybersecurity protocols. Future Mexican AI regulations may introduce stricter AI governance requirements, making proactive compliance essential for Fintechs.

Although there are currently no specific rules addressing liabilities exclusively arising from defective AI systems, existing legal frameworks such as the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor), the Federal Civil Code (Código Civil Federal), and the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) apply generally. These frameworks allow individuals to claim compensation for damages, including damage caused by defective AI.

We see strong disruption in (i) payday and personal lending, (ii) targeted, simpler and customer friendly payment products, (iii) how cryptocurrencies are being introduced in Mexico for investors and financial entities (including remittance companies), (iv) distribution of personal investment products, (v) open-banking services; and (vi) increase in availability of funding in crowdfunds. We are also aware of several projects that will be deployed shortly and may have a disruptive effect by offering a more comprehensive scope of electronically delivered services to the end user. We see how developers and data processors strive to deliver better solutions to meet security requirements, increase levels of service and offer more efficient and reliable IT services. With the recent increase of Fintech authorizations, we are likely to see significant examples of disruption through Fintech in Mexico as novel models.

Payment services, consumer lending and enterprise technologies for financial institutions represent approximately 60% of the new companies in the sector. These are also the sub-segments that are attracting the most investments into Mexico. SoFi, Goldman Sachs, Softbank, Dalus Capital, Ignia Partners and the International Finance Corporation are among the various international investors that have invested in Mexican Fintechs, particularly in Series A and B rounds of such entities.

Recent defaults of certain payday loans, individual loans and lease companies have depleted a substantial portion of their market value, thereby signaling investors to take a more conservative approach to the lending and leasing sector. Investments through strategic partnerships between banks and startups are also present in the market and will continue to develop in the future once open banking regulations are issued. We have also seen significant investment in terms of research and development in connection with cryptocurrencies, blockchain based systems, proptech, wealthtech, insurtech and crowdfunding. Payments and remittances services represent the strongest sub-segments for investment and development.