On January 28, 2021, the Mexican Central Bank and the National Banking and Securities Commission ("CNBV") published in the Federal Official Gazette the "General regulations applicable to e-money Institutions pursuant to Articles 48, second paragraph, 54, first paragraph and 56, first and second paragraphs of the Law Regulating the Financial Technology Institutions" (the "IFPE Regulations").
The Law Regulating Financial Technology Institutions ("Fintech Law") was published in the Federal Official Gazette on March 9, 2018, and established the regulatory framework for the execution of financial transactions and investment services through IT platforms and tools, regulating, among other entities, Crowdfunding and e-money Institutions (the latter, "IFPEs").
Several provisions of the Fintech Law required further development through secondary regulations issued by the CNBV, the Mexican Central Bank and other financial authorities within the timeframes established for such purposes. Accordingly, on September 10, 2018, the following regulations were enacted:1
- General regulations applicable to Financial Technology Institutions: their main purpose is to establish the requirements, documentation and information necessary to incorporate and operate as a Crowdfunding Institution or an IFPE.
- Mexican Central Bank Circular 12/2018: contains the operating rules applicable to IFPEs, as well as the regulatory framework for the management of electronic funds, the opening of accounts, the receipt and transfer of funds and the execution of foreign currency transactions.
- General regulations pursuant to Article 58 of the Fintech Law: their main purpose is to establish the minimum policies and obligations with which Crowdfunding Institutions and IFPEs must comply in order to prevent and detect actions, omissions and transactions that promote, assist or are in any way related to offenses involving transactions with illicit funds.
The following are the main issues regulated by the IFPE Regulations published on January 28, 2021:
Execution of agreements through operational channels2 and transactions that can be executed by such means
The regulations set out the terms and conditions for the provision of services by IFPEs to their clients through operational channels, the requirements for authenticating clients, and the notices that must be given to clients when transactions are executed, with the purpose of ensuring the security of such transactions. The regulations also establish information security requirements for client instructions, intended to ensure confidentiality and avoid vulnerabilities in accordance with international best practices and standards.
IFPE business continuity
The regulations require IFPEs to establish a business continuity plan and to implement it upon the occurrence of any event that complicates, prevents or limits the IFPE's ability to carry out its transactions or processes affecting clients, so as to ensure the continuity of those activities and transactions. IFPEs must also adopt mechanisms for the management of operational contingencies with the purpose of reducing the risks they face.
IFPEs are required to notify their clients of any security event involving the loss, extraction, deletion or alteration of personal or sensitive information, whether such information is held by the IFPE itself or by its service providers. In such notice, IFPEs must disclose the actions to be implemented to safeguard the client's information and, as the case may be, the replacement or substitution of payment devices or means of authentication, as deemed necessary by the IFPE.
Finally, IFPEs must report to the CNBV and the Mexican Central Bank any operational contingency lasting more than 30 minutes that occurs in any of the customer service channels or within the entity itself. Likewise, IFPEs must inform their clients or users whenever one or more operational channels are affected as a consequence of such operational contingencies.
The regulations provide detailed terms and requirements applicable to IFPEs in the outsourcing of any services with third parties.
For such purposes, a distinction is made between services that (i) require authorization from the CNBV and the Mexican Central Bank, or (ii) only require the filing of a notice with such authorities. Likewise, the regulations set out the rules applicable to the execution of agency agreements, all of which require authorization from the CNBV.
We highlight the specific rules applicable to the outsourcing of primary cloud computing services, which apply to IFPEs that (i) within a period of 12 calendar months, execute more than 3,500,000 transfers, or send or receive funds for an amount greater than the equivalent in Mexican pesos of six million UDIs, or (ii) at any time, maintain one million accounts3 or hold a total balance in such accounts greater than the equivalent in Mexican pesos of 400 million UDIs.4
According to the IFPE Regulations, the IFPEs mentioned in the previous paragraph must comply with specific prudential obligations. Where the services provided by a third party are likely to be interrupted, either temporarily or permanently, as a result of any rule, order, instruction, mandate or equivalent measure issued by a foreign authority that is directly aimed at preventing, limiting, prohibiting or freezing the provision of cloud computing services, and such interruption would make it impossible for the IFPE to issue, manage, redeem or transfer electronic funds, the IFPE must adopt special measures in its continuity plan to safeguard its clients' interests, to maintain its own security and operational and financial integrity, and to preserve the security and operational integrity of the payments network as a whole.
Such measures may consist of:
- A mechanism for the IFPE to rely on the availability of cloud computing services provided by a secondary provider, so long as the secondary provider is not exposed to the same risk as the primary provider.5
- A mechanism for the IFPE to maintain its own infrastructure, allowing it to carry on its business in a jurisdiction other than the foreign jurisdiction in which the risk of service interruption could arise.6
- Any other mechanism authorized by the CNBV and the Mexican Central Bank.
Evaluation by independent third parties
The IFPE Regulations require IFPEs to engage an independent third party to evaluate, every two years, the IFPE's compliance with its information security obligations, its use of operational channels, and the implementation of its business continuity plan.
The IFPE Regulations will become effective 90 calendar days after their publication in the Federal Official Gazette. As of the date on which they become effective, IFPEs will have:
- A maximum six-month period to implement the security measures corresponding to communications and computing components.7
- A nine-month period to:
- encrypt personal and sensitive information received, generated, stored or transmitted in their technological infrastructure, as well as images of personal identification documents issued by official authorities, clients' biometric information and any other information required by the IFPE's policies; and
- adopt procedures so that clients' personal data cannot be linked to information relating to their transactions.
- Entities that are currently in the process of obtaining authorization to operate as an IFPE, because they were carrying out transactions of that nature when the Fintech Law became effective (pursuant to Article Eighth Transitory of the Fintech Law), will have six months from the date on which each entity obtains its authorization to operate as an IFPE to file the notices and request the authorizations corresponding to the hiring of third-party service providers and agents.
Rubio Gonzalez, Shaanty (Legal Intern, White & Case, Mexico City) assisted in the development of this publication.
1 For further details, please refer to the following Client Alert: "Mexican FinTech Law Secondary Regulation Becomes Effective".
2 Devices, electronic, optical or other technological means, automated data processing systems and telecommunications networks that form part of the IFPE's technology infrastructure and through which clients are able to execute transactions.
3 Accounts that, during a period of 12 consecutive calendar months, have recorded a positive balance at any time, or to which a transfer has been made at least once during such period.
4 The above, as a result of the evaluation of the information at the end of each quarter.
5 Either because it is subject to a jurisdiction other than that in which the risk of service interruption may arise, or because it is controlled by a person other than the primary provider or any other member of the primary provider's corporate group, among other cases.
6 So long as the execution of the procedures is not performed by, and does not depend on, the primary provider, any person exercising control over the primary provider, or any other person subject to the jurisdiction in which the risk may arise.
7 Logical, or logical and physical, segregation of the different networks into domains and subnets; secure configuration according to the type of component, covering at least ports and services and incoming and outgoing connections to other networks; and security mechanisms in applications to protect against attacks and intrusions.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP