Fintech 2026

MEXICO Law and Practice Contributed by: Lizette Neme, Andrea López-Malo, Shannon Reilly, Rodolfo Flores and Dunia Salum, Áurea Partners

Law reform in July 2025, the new authority gained expanded powers to impose fines of up to 20% of annual revenue.
• Lending: for digital lending players, enforcement tends to concentrate on AML/CTF compliance and consumer protection/contract transparency (disclosures, abusive terms, tariffs, among others). Please see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities.
• Cryptocurrency: recent amendments to the Anti-Money Laundering Law (the “AML Law”) have strengthened oversight of cryptocurrency exchanges and virtual asset activities by adjusting reporting thresholds and extending obligations to transactions involving non-residents.

2.11 Implications of Additional, Non-Financial Services Regulations

Mexico has clear privacy regulations, contained both in financial regulation (financial secrecy and confidentiality obligations) and in the Federal Law on the Protection of Personal Data Held by Private Parties. These rules impose strict requirements on data consent, usage, storage, and cross-border transfers.

For fintechs and technology-driven players, compliance with data protection rules has a more immediate operational impact, as their business models rely heavily on digital onboarding, data analytics, cloud infrastructure and cross-border data flows, whereas legacy players often operate on more centralised and historically established systems.

As to cybersecurity, apart from very stringent regulation found in the financial regulation, no general non-financial regulation has been enacted in Mexico. As a result, cybersecurity obligations for fintechs primarily derive from its secondary regulations, contractual standards, and best practices, placing greater emphasis on internal controls, incident response, and third-party risk management, particularly for cloud and software providers.
Regarding other non-financial services regulations, such as social media or software development, Mexico has clear advertising and consumer protection regulations, as well as intellectual property rules, applicable to all entities. Fintechs are often more exposed to these frameworks due to their reliance on digital marketing, online user acquisition, proprietary software development and API-based integrations, while legacy players typically face these issues to a lesser extent or through more traditional channels.

The ATDT has introduced a National Cybersecurity Plan which seeks to unify Mexico’s fragmented cybersecurity standards into a single state policy. The plan also includes the proposal of a General Cybersecurity Law, which is expected to be presented to Congress in the near future.

2.12 Review of Industry Participants by Parties Other Than Regulators

In addition to financial regulatory oversight, some non-regulatory actors play a role in reviewing and influencing the conduct of financial industry participants.
• External auditors assess the accuracy of financial reporting, internal controls, and compliance with applicable accounting standards (eg, IFRS or Mexican Financial Reporting Standards NIF). Regulated entities, particularly those with public reporting obligations or those handling client assets, are legally required to undergo periodic financial audits. Many fintechs and start-ups voluntarily engage auditing firms for credibility with investors, despite not being legally required to do so, especially in the early stages. There is a growing trend of auditors also reviewing non-financial metrics (eg, customer data handling, cybersecurity controls) due to pressure from investors.
• Industry associations and self-regulatory organisations issue best practices, codes of conduct, and may conduct peer reviews or offer certifications. Membership is generally voluntary; however, regulatory authorities often consult with these bodies during rulemaking processes, and their standards may become de facto benchmarks. Participants often follow these standards to gain credibility.
• Private equity funds usually require adhesion to financial regulation and strict standards to qualify as a portfolio company.
