The new Mexican FinTech law – balancing innovation, security and stability

August 2018  |  PROFESSIONAL INSIGHT  |  BANKING & FINANCE

Financier Worldwide Magazine

August 2018 Issue

Several factors have contributed to Mexico becoming fertile ground for FinTech companies. As in other countries, the demand for cheaper loans, greater returns and more agile financial services, combined with sentiments of distrust toward traditional financial intermediaries and large sectors of the population left (or feeling) unattended, have resulted in business opportunities for these enterprises. FinTech websites and apps have become widespread, with some of them even developing agencies within corner stores – which make their services available to those who lack access to technological devices.

According to Finnovista, Mexico became the Latin American FinTech leader in 2017, with more than 200 FinTech startups, while a 2017 study by EY puts Mexico in second place, behind Brazil. Considering access to internet and low-cost technology – with about 81 million mobile lines with access to broadband internet reported in the first quarter of 2017 – the number of startups is expected to increase together with consumer adoption and use of FinTech products.

However, information, as well as misinformation, regarding the advantages and opportunities that these new technologies offer, spread fast and without proper supervision. Consequently, consumers are exposed to several risks, few protections and unclear legal remedies. Meanwhile, as the traditional financial system has continued to invest and create units focused on the development of digital banking solutions, they remain constrained by restrictions imposed by laws and regulations directed to ensure the stability and security of the financial system and its consumers, as well as to prevent financial crime. This makes it harder for traditional financial companies to compete with unregulated new business models such as FinTech activities that usually escape the scope of financial regulations and sometimes fall within laxer commercial regulations.

As far as e-commerce is concerned, the Federal Civil and Commercial Codes contain chapters that recognise electronic channels as valid and legitimate means to express consent and give birth to obligations and rights among the parties, as well as being enforceable in court, without imposing the strict regulations applicable to electronic banking. The Federal Consumer Protection Law (not applicable to financial entities) also provides the groundwork on which e-commerce may operate, and is usually applicable to FinTech companies. However, this is less restrictive than financial consumer protections. In addition, FinTech companies may also be required to comply with the commercial anti-money laundering law, which does require certain Know Your Customer (KYC)  and reporting obligations, but which does not require the implementation of systems, review against sanctions, blacklists or compliance with corporate bodies.

From a financial perspective, laws applicable to banks, broker dealers, insurance companies, investment funds, money transmitters and other financial entities contain strict rules regarding authorisation to provide financial intermediation services, including e-channels. However, as a civil law country that emphasises legislative and regulatory enactments, any activity that is not expressly covered by law or regulation may be validly pursued by private parties. Definitions applicable to financial services were developed before the new technological revolution, and activities such as deposit taking, securities intermediation and money transfer fall short of covering e-wallet services, crowdfunding and e-payment platforms. Thus, without habilitating laws, financial regulators are unable to act. This is true even if the FinTech conduct or service clearly falls within the nature of their mandate, the services are equal to those offered by financial intermediaries or could represent a risk to consumers. These loopholes and grey areas have been exploited by FinTech companies, leaving regulators on the sidelines.

In this context, financial regulators became worried as FinTech products offered little or no legal security, uncertain tax consequences and no consumer protection rules. Also, they represented risks due to a lack of supervision, its potential effect on the financial system and as an opening to money laundering and financial crime activities. Thus, in 2016, the Mexican federal government undertook the challenge of drafting a law that would allow technological innovation, while offering consumer protection and financial prudential requirements, without creating unjustified administrative and regulatory burdens to FinTech companies and start-ups. Drafts of the law were discussed with both the banking and FinTech sectors which, at times, requested opposing changes and rules. Banks sought, among other issues, a level playing field – including more flexibility to offer services through electronic channels, as regulations curtailed innovation by traditional intermediaries – permission to invest in FinTech companies and take advantage of synergies, and strict requirements to access application programming interfaces (APIs) by third parties, to guarantee the security of client information. On their side, FinTech companies argued that regulatory requirements and costs would hinder innovation and reduce competition, and that APIs should be subject to few restrictions allowing the development of new products and services.

By September 2017, a new draft of the initiative was digitally published on the Federal Regulatory Improvement Commission’s website for public consultation. At that time, the draft, which complied with the guidelines issued by the Financial Stability Board, received support from both the FinTech and bank associations, and few comments from private parties. The initiative was then introduced to the Senate, which received recommendations from the Federal Competition Commission. These were mostly directed toward including regulations that aimed to ensure that FinTech companies were able to compete with traditional intermediaries through access to information and financial services, which the Commission defined as essential assets. The initiative was approved by the Senate with minor changes, and later by the Chamber of Deputies. It was then sent to the Executive, signed and published in the Official Gazette of the Federation in March 2018, thus becoming law.

Among other matters, the FinTech law (Ley para regular las instituciones de tecnología financiera) contains the provisions listed below.

First, it regulates two types of FinTech companies: crowdfunding (debt, equity, co-ownership or royalties) and electronic payment (including e-wallets). Both types are subject to consumer protection, anti-money laundering and prudential rules, which are to be defined in secondary regulations.

Second, it establishes that FinTech companies will be regulated by the National Banking and Securities Commission and the Central Bank, and will require authorisation from the Commission to offer their services in Mexico.

Third, it states that crowdfunding companies will be liable for damages should their clients fail to comply with their obligations (e.g., client profiling and issuing investment and debtor selection criteria, among other characteristics).

Fourth, it establishes that payment companies may, subject to authorisation, offer money transfer services and cash withdrawals (but may not pay returns or interest), among other characteristics.

Fifth, it states that entities that are currently offering services that fall within the scope of crowdfunding or electronic payment companies may continue to operate on the understanding that they must request authorisation within 12 months of the issuance of secondary regulations by the Commission. If they fail to request such authorisation or if the same is denied, they will be required to stop offering their services and will only be authorised to perform such actions necessary to conclude any transactions in place.

Sixth, it states that only financial entities and FinTech companies can transact with such currencies when authorised by the Mexican Central Bank. However, this law does not regulate cryptocurrencies themselves. Secondary regulations will set forth the characteristics to be met by permitted cryptocurrencies.

Seventh, it makes it mandatory for financial institutions and FinTech companies to develop APIs which they may share with other institutions, FinTech companies and, in general, entities specialised in information technology (there is currently no definition of what constitutes an entity specialised in information technology) the following information: (i) public information (e.g., branch locations); (ii) aggregated transaction data; and (iii) transactional information of clients and prior authorisation from such clients. Financial entities may charge fees regarding such information exchanges. However, the law provides that such fees must be transparent and may not constitute entry barriers.

Finally, it creates a regulatory sandbox framework for innovation services, accessible by FinTech companies and financial entities.

Since several matters have been left to secondary regulations, tough negotiations between authorities, the traditional financial sector and FinTech associations are expected. As happened with the negotiations regarding the FinTech law, common ground between the main players is scarce. FinTech companies are likely to push for flexible regulation and supervision, as well as access to financial services and information held by traditional intermediaries to innovate, grow, compete and thrive in an already competitive market. They are also likely to push for light corporate governance including compliance bodies, access to consumer information, small mandatory capital and broad space to develop and experiment with new technologies. Excessive corporate and capital requirements will hinder the possibility for new startups, especially the garage type, while technological requisites could become a barrier to innovation and a pretext to deny access to the financial system and information. FinTech companies’ requests should be understood as legitimate demands if the law is to achieve its purpose.

Notwithstanding, regulators, traditional intermediaries and international bodies also have genuine and valid concerns, stemming from experience and international practices and agreements. For example, the Financial Stability Board identified several issues that merit attention, including mitigating cyber risks, monitoring micro financial risks (funding flows on FinTech) and managing operational risks from third-party service providers (which are becoming more prominent and critical, especially in the areas of cloud computing and data services). There is also the matter of the international treaties and conventions signed by Mexico regarding prevention of crimes, money laundering and terrorism financing, among others, that should also be applicable to FinTech companies as the unlawful use of their services could facilitate any such activities. Regardless of any other considerations, these recommendations and compromises by the Mexican government translate in regulations.

From a local standpoint, experience has guided the evolution of regulations and has forced traditional financial entities to accept them. Mexico suffered a deep economic crisis in 1994 (just four years after the privatisation of banks in 1990), in part due to unlawful activities by Mexican banks. Also, several incidents affecting clients have occurred, including cases of fraud and bankruptcy caused by agency problems within the traditional financial sector. From these experiences, regulators and intermediaries have adapted rules, policies and procedures to promote the stability of the system and its entities, as well as consumer protection. These changes have required a difficult transformation in the corporate culture of such companies, as well as high administrative and financial costs. While the return to these investments has led to more stability (Mexico was barely affected by the 2008 international financial crisis) and higher acceptance by consumers (even if slowly achieved) there is still distrust in traditional entities and the unavoidable risk of a new financial crisis is ever-present.

External factors, such as a high crime rate, and very public compliance scandals involving, among other matters, money laundering crimes, have affected the perception of the Mexican financial system. This situation has resulted in barriers to interaction with international intermediaries, even when Mexican entities are subject to strict regulations compliant with international recommendations. Mexican financial entities must endure high costs to comply with anti-money laundering regulations, including having compliance bodies and systems, filing reports (banks, for example, must file up to six different types of reports), performing KYC processes, holding records and processing clients and transactions against government lists. Homogeneous requirements guarantee that the system is protected, and lighter regulations could mean a gateway for crime to an otherwise closed system.

In addition, there is an argument to be made from a justice perspective. Traditional intermediaries have worked hard to reach consumers and innovate while complying with the burden of strict regulation. Losses have been suffered to develop databases of clients who fulfill their obligations. Constant changes to rules have required additional investment and required time-consuming capacity-building processes. Negotiations have also been held to allow the use of new technologies. This opens the market to new players who may not be subject to the same regulatory costs or have access to authorisation from regulators and information produced by intermediaries and consumers of the financial system. This could incentivise regulatory arbitrage, deter investment by traditional financial entities and, as a matter of principle, result in opposition.

Regarding APIs and information exchange, to guarantee the safety of the system and consumers, FinTech companies must share the costs and burden of security mechanisms. All parties involved should be able to recuperate the investment made to develop interfaces and the value of databases. Also, authentication mechanisms should be in place to guarantee the identity of any person who authorises the disclosure of information. As this involves some of the most sensitive information of any person, as acknowledged by the Mexican personal data authority, its regulation should not be developed favouring cost-efficiency or innovation. Omissions and low standards applicable to information could increase the risk of fraud, among other financial crimes, which could adversely, irreversibly affect the stability of the system and consumer lives.

Mexican authorities have a constitutional mandate to seek financial stability. However, failure to set the boundaries in which FinTech companies can act is certainly a loss for the public and an invitation for actors that seek to operate outside the legal framework. Thus, regulators must listen to all parties involved and find a balance that benefits both the consumers and the system. While there is sure to be a compromise, it is, however, imperative that such compromise does not represent a vulnerability to the strength of the whole system. For Mexican banks, many of which are subsidiaries to international entities, the FinTech law is an opportunity to develop new tools and technological means to improve the consumer experience, by taking advantage of their international group’s experience in developing strategies that allow the strength of traditional banking to be combined with technological innovation and the flexibility of FinTech business models.

While it is too soon to judge the positive and negative effects of the FinTech law, it is clear that it will change the Mexican financial system and its players. Regulators, financial entities and FinTech companies must understand, evaluate and agree on the scope of its regulation, and its possible impact on consumers and the system.

 

Jorge Gaxiola Moraila is founding partner and Alexis Leon Trueba and Gabriel Franco Fernández are partners at Gaxiola Calvo Sobrino y Asociados, S.C. Mr Moraila can be contacted on +52 (55) 5682 6178 or by email: jgaxiola@gcsa.com.mx. Mr Trueba can be contacted on +52 (55) 5682 6178 or by email: aleon@gcsa.com.mx. Mr Fernández can be contacted on +52 (55) 5682 6178 or by email: gfranco@gcsa.com.mx.

© Financier Worldwide

BY

Jorge Gaxiola Moraila, Alexis Leon Trueba and Gabriel Franco Fernández

Gaxiola Calvo Sobrino y Asociados, S.C.

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.