Skip to main content

FAQs Concerning Mexico’s New FinTech Law

Why is the FinTech Law relevant?

New Players: Financial Technology Institutions

The Law to Regulate Financial Technology Institutions (the Law or the FinTech Law) is relevant to those who professionally and regularly, by means of technological applications, engage in the following activities: a) putting members of the general public in contact with each other for the purposes of securing funding (crowdfunding), or b) services provided to the general public involving the issuance, management, redemption and transfer of electronic payment funds. Said entities now are specifically regulated, respectively, as Collective Financing Institutions (known as IFCs by its Spanish acronym) and Electronic Payment Funds Institutions (known as IFPEs by its Spanish acronym) and, together with IFCs, Financial Technology Institutions (knows as ITFs by its Spanish acronym), will require an approval granted by the National Banking and Securities Commission (known as CNBV by its Spanish acronym) to conduct operations.

Open Banking: Interaction of the FinTech Sector with Financial Entities

The Law is also relevant for all types of financial entities to the extent that they provide (i) the obligation to share user and transactional information (open banking); (ii) the need for ITFs to use the traditional banking sector in different phases of their activity; and (iii) the possibility of investing in ITFs, among other relevant aspects.

Regulatory Sandbox: Differentiated Regulation for New Models

The Law is also relevant for entrepreneurs or developers with new financial services models, as it establishes a temporary approval system for the testing of such models under limited and controlled conditions (regulatory sandbox), as well as the outsourcing of services to ITFs.

Virtual Assets: Use and Operation

Lastly, the Law proves to be relevant since it is the first legislation in Mexico and one of the first in the world to codify virtual assets (crypto-currencies) at the legislative level, though only to the extent that they are the object of the activities permitted by ITFs and credit institutions.

What are the most relevant aspects of ITF regulation under the FinTech Law?

  • Authorization from the CNBV is required to operate as an ITF, and the requirements for obtaining such authorization are established.
  • ITFs are permitted to capture the general public’s resources, as an explicit exception to the general deposit-taking restriction provided in Mexico’s Credit Institutions Law.
  • Public offers are permitted for the collective financing of debt, of capital or of joint ownership/royalties (through crowdfunding platforms), without the need to comply with the requirements applicable to securities offerings under the Securities Market Law.
  • It has been clarified that resources captured by ITFs are not guaranteed nor covered by federal deposit insurance – Bank Savings Protection Institute (known as IPAB by its Spanish acronym).
  • ITFs and credit institutions are permitted to manage operations involving virtual assets authorized by the Bank of Mexico.
  • IFCs are required to take necessary measures to prevent the spread of false or misleading information throughout their institutions, in the interest of protecting investors using such platforms.
  • It is confirmed that ITFs can interact with other financial entities, either by opening new accounts, exchanging information, or providing services, among other activities.

What obligations does the Law impose on financial entities in terms of connectivity and access to information?

The Law introduces the obligation of financial entities to establish programming interfaces for standardized computer applications (Application Programming Interfaces or APIs) that will enable connectivity and non-discriminatory access to other interfaces. The Law adopts an open API model, under which any entity can request access to another participant’s interface in exchange for a fee, with prior approval from the corresponding Supervisory Committee or the Bank of Mexico, per the entity in question.

The open API scheme provided in the Law has various implications that should be taken into consideration; for example, in personal data protection and free competition matters.

Does this Law regulate ICOs?

Offers commonly known as initial coin offerings or ICOs are a phenomenon that emerged after the draft bill had been prepared, where companies raise funds from participating investors in exchange for virtual assets known as tokens. Such tokens can be granted in exchange for (i) a share in the capital stock of a company or as a holder of debt issued by such company (also known as security token), or (ii) in exchange for products or services offered by such companies (also known as utility token).

The Law does not include an explicit reference to ICOs; however, the fact that it only allows ITFs and credit institutions to operate with virtual assets authorized by the Bank of Mexico could limit the realization of these types of offerings by such entities, since the companies that launch ICOs generally issue a specific token for each ICO. 

The distinctions mentioned in previous paragraphs should be taken into consideration, along with the secondary regulation which will be issued to that effect, when launching an ICO in Mexico. 

What are the new anti-money laundering obligations in relation to ITFs and their operations?

The decree enacting the FinTech Law also includes certain amendments to the Federal Law for the Prevention and Identification of Operations with Proceeds Derived from Illicit Sources (also known as the Anti-Money Laundering Law), which (i) imposes obligations on ITFs to identify customers and users and establish procedures that prevent and detect acts, omissions, or operations involving proceeds derived from illicit sources, including terrorism financing; and (ii) defines as “vulnerable activity” the regular and professional exchange of virtual assets by individuals other than “financial entities,” carried out through electronic platforms, or that provide a medium for safeguarding, storing, or transferring virtual assets that have not been authorized by the Bank of Mexico under the FinTech Law.

Investment Advisors and Robo-Advisors

With the enactment of the FinTech Law, certain provisions of the Securities Market Law were amended to empower the CNBV to supplement the general provisions applicable to investment advisors, with additional rules for individuals offering automated investment advisory and management services (Robo-Advisors).

It is important to highlight that the amendments to the Securities Market Law also include an obligation for investment advisors in general to have a committee that is responsible for the analysis of financial products, as well as to have internal control mechanisms for regulatory compliance in connection with advisory and “non-advisory” services, in line with the regulatory framework on sales practices applicable to the various exchanges. 

What’s next? – Importance of Secondary Regulation

The FinTech Law entered into effect on the day following its publication. However, much of the substantive content of the Law will be regulated by secondary provisions. To that effect, periods of 6, 12, and 24 months were established for regulators to issue such provisions. For ease of reference, we have included a chart indicating the periods or deadlines for the issuance of each group of provisions.

6 months

12 months

24 months


  • Minimum capital
  • Operation of ITFs
  • Limits on resources held on behalf of clients
  • Form and terms of documentation to be presented  regarding anti-money laundering
  • KYC customer guidelines
  • Shareholder and administration information
  • Documentation necessary for authorization requests
  • Limits on receipt/disbursement of cash
  • Accounting rules
  • Parameters regarding blocked people
  • Forms and terms of operations and ITF services with clients


  • Criteria for the selection of solicitors
  • Safeguarding information
  • Collective Continuity



  • Information to investors about the performance of solicitors
  • Use of electronic mediums
  • Third-party services


  • Safeguarding information and operational continuity
  • Periodicity of safety compliance assessment
  • Requirements from independent third parties to evaluate security and operational continuity
  • Third-party services
  • Use of electronic mediums
  • Requirements for equipment operation, media, and authentication

Virtual Assets

  • Define the characteristics of virtual assets, conditions, and restrictions applicable to such transactions


  • Regulatory reports
  • Self-correction programs
  • Additional criteria for temporary authorization of new models
  • Reports to financial authorities


  • Net capital


  • Authentication mechanisms for data access
  • Standards for data exchange
  • Fee amounts
  • Form and terms to request information from entities