Secondary regulations relating to standardized application programming interfaces (API) under the Fintech Law (Open Banking)
Under Article 76 of the Law regulating the Financial Technology Institutions ("Fintech Law") financial institutions, money transmitters, credit reporting companies, clearing houses, financial technology institutions and companies authorized to operate with novel models, are required to establish application programming interfaces ("API") that enable connectivity and access to interfaces developed or managed by other regulated entities and third parties specialized in information technology, with the purpose of sharing open financial data, aggregate data and transactional data, without this constituting a violation of financial secrecy.
Open Banking, Fintech Law, Type of Data and Secondary Provisions
Article 76 of the Fintech Law established for the first time in Mexico the model known as "open banking", which consists of the possibility for certain entities to have open access to financial data kept by entities of the financial system through API, without violating secrecy obligations, and with the purpose of creating better products for users and promoting competition.
Thus, under such Article 76 of the Fintech Law, financial institutions,1 money transmitters, credit reporting companies, clearing houses, financial technology institutions and companies authorized to operate with novel models (the "Regulated Entities") are required to establish API that enable connectivity and access to interfaces developed or managed by other Regulated Entities and third party-IT specialists, in order to share the following data:
- Open financial data: data that do not contain confidential information, such as information on products and services offered to the general public by the Regulated Entities, the location of their offices and branches, ATMs or other access points to their products and services ("Open Data").
- Aggregate data: any type of statistical information related to transactions performed by or through Regulated Entities, but not disaggregated in a manner that could identify customers' personal data or transactions ("Aggregate Data").
- Transactional data: data related to the use of a product or service, including deposit accounts, credits and access means contracted in the name of the customers of the Regulated Entities, as well as information related to the transactions that customers have carried out or intended to carry out. These data, which constitute personal data of the customers, can only be shared with the customers' prior express consent ("Transactional Data").
Under the Fintech Law, the transfer of data and information is subject to secondary regulation that governs the standards necessary for the interoperability of API, the requirements for Regulated Entities and third party-IT specialists to obtain the authorization to access such data and information from the relevant authority, as well as the fees that Regulated Entities may charge for the transfer of data and information.
In this context, on June 4th, the Mexican Banking and Securities Commission (Comisión Nacional Bancaria y de Valores, the "CNBV") published in the Federal Official Gazette ("DOF") the Regulations governing the application programming interfaces referred to in the Fintech Law (the "API Regulations"). Likewise, on March 10, the Mexican Central Bank (Banco de México) published in the DOF Rule 2/2020 applicable to credit reporting companies and clearing houses, as required under Article 76 of the Fintech Law regarding standardized application programming interfaces ("Rule 2/2020").
API Regulations – CNBV
Subjects of the regulations and type of data
Financial institutions, money transmitters, financial technology institutions and companies authorized by the CNBV to operate with novel models, in their capacity as data providers ("Data Providers"), are subject to the API Regulations in connection with the transfer of data and information that may be shared through the API.
The API Regulations only govern the transfer and access of Open Data, without any reference to the transfer and access of Aggregate Data and Transactional Data. In this sense, the ultimate purpose of developing new alternative financial products will only be achieved once access to Transactional Data is regulated, as it is precisely this type of data that, once analyzed, may encourage the development of innovative business models.
Access by financial entities, financial technology institutions, companies authorized to operate with novel models, money transmitters and third party-IT specialists to Open Data ("Data Requesters") will be deemed authorized by the CNBV, without needing any express authorization, provided that the API developed or managed by the Data Requester complies with the security guidelines for Open Data and data architecture, as well as with the ATM open data dictionary, included in annexes 1, 2 and 3 of the API Regulations.
Obligations of Data Providers
The API Regulations provide that Data Providers, in the development or management of their API, must comply with the following:
- Technical annexes to the API Regulations: observe the security guidelines for Open Data and data architecture, as well as the ATM open data dictionary, as included in Annexes 1, 2 and 3 of the API Regulations.
- Publications: publish on its website or any electronic communication media, in plain Spanish language, the process to be followed by the Data Requester to access the Open Data through the API, as well as the fees, if any, payable for the transfer of data.
- Terms and conditions: maintain control mechanisms to ensure the confidentiality and integrity of the data as part of its access, processing and storage by the Data Requester.
- Security policy: maintain an information security policy to protect the infrastructure supporting the operation of the API and the confidentiality and integrity of the Open Data. Data Providers subject to particular information security obligations under their applicable regulations must apply the guidelines of the API Regulations, in addition to their applicable regulations.
- Infrastructure: the technological infrastructure of the API must be configured to ensure that access is on a read-only basis, and that full audit records are kept, among others.
Under Article 76 of the Fintech Law, Data Providers must register their new fees and modifications implying an increase with the CNBV, no less than 30 calendar days prior to their effectiveness. A decrease of an authorized fee must be registered not less than two calendar days prior to its effectiveness.
Additionally, under the API Regulations, the authorization, registration and modification of fees for each type of API requires a filing with the CNBV informing the method, information and elements used to determine the fees, as well as any other concept considered to make such determination.
Rule 2/2020 – Mexican Central Bank
Subjects of the rule
Clearing houses and credit reporting companies are subject to Rule 2/2020 in the transfer of data and information that may be shared through API.
Likewise, financial entities, money transmitters, credit reporting companies, clearing houses, financial technology institutions, companies authorized to operate with novel models and third party-IT specialists that intend to access data and information from clearing houses and credit reporting companies through API, must obtain the prior authorization from the Mexican Central Bank (the "Recognized Entities").
Authorization to create an API for Aggregate Data and, where applicable, Open Data
Clearing houses and credit reporting companies must obtain the prior authorization from the Mexican Central Bank to create an API, considering the following:
- Authorization request: Clearing houses and credit reporting companies must include in the application request: (i) evidence of compliance with the applicable minimum interoperability requirements, as well as mechanisms to ensure the privacy and integrity of data during their transfer, (ii) a plan describing the processes for operation of the API and related legal considerations, and (iii) a form of interconnection agreement containing obligations of confidentiality, security and integrity of information, as well as causes for suspension or termination of access to the information.
- Open Data: Clearing houses and credit reporting companies not authorized to offer products and services directly to the public and that do not have branches or other locations to offer such products, are not required to share this Open Data through their API.
- Aggregate Data: Clearing houses and credit reporting companies must provide through their API any type of statistical information related to transactions, but not disaggregated in a manner that could identify customers' personal data or transactions.
Rule 2/2020 does not govern the requirements for the transfer and access of Transactional Data, and only provides that, upon the respective clearing house or credit reporting company obtaining its authorization to create an API for Aggregate Data and Open Data (as applicable), it must submit an additional application for the authorization to transfer Transactional Data, in accordance with the requirements set forth by the Mexican Central Bank through secondary regulation.
In this context, the Fourth Transitory Article of Rule 2/2020 provides that, prior to the submission of the referred application, the entity must submit no later than March 5, 2021 its proposal of the type of data and information that must be included in this category, as well as the mechanisms for the authentication, identification and obtaining of data, in addition to the express consent of the respective customers for such purposes (as applicable).
Authorization to Recognized Entities for API Access
Starting on the date of publication by the Mexican Central Bank of the types of data and information that clearing houses and credit reporting companies will be authorized to transfer through API, parties interested in gaining access to the API must submit a request describing the measures to be implemented to comply with the standards established in the API, in order to secure the information and other processes related to their connectivity with the API, and the types of data and information intended to be accessed through the API.
Fees charged by clearing houses and credit reporting companies for the transfer of data and information must be fair, transparent and must not constitute formal, regulatory, economic or practical entry barriers. To this end, these entities must submit an application to the Mexican Central Bank for the registration of new fees and their increases, no less than 30 calendar days prior to their effectiveness. For registrations implying a decrease in the authorized fee, its registration must occur no less than two calendar days prior to its effectiveness.
If the clearing houses or credit reporting companies decide to apply fees on which the Mexican Central Bank has made and published observations, the Mexican Central Bank may veto those fees and such entities shall be barred from charging them.
Rule 2/2020 will become effective on March 5, 2021. Clearing houses and credit reporting companies will have a period of 360 days from the date of effectiveness of Rule 2/2020 to obtain the authorization from the Mexican Central Bank to create API for Open Data and Aggregate Data.
1 Means the holdings and sub-holding companies of financial groups, banking institutions, broker-dealers, stock exchanges, mutual fund managers, mutual fund distribution companies, credit unions, auxiliary credit organizations, foreign currency exchanges, multiple purpose financial companies, popular financial companies, community financial companies with operation levels I to IV, rural financial integration organizations, cooperative savings and loan companies with operation levels I to IV, institutions for the deposit of securities, central securities counterparties, rating institutions, credit information companies, insurance institutions, bonding financial institutions, mutual insurance companies, pension fund managers, as well as other institutions and public trusts carrying out activities in which the CNBV, the Mexican Insurance and Bonding Commission (Comisión Nacional de Seguros y Fianzas) or the Mexican Commission for the Pension System (Comisión Nacional del Sistema de Ahorro para el Retiro), have supervision and surveillance authority.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP