Following the financial crisis of 2008, financial alternatives to traditional banking were developed to meet consumers' needs. Such alternatives benefitted from the advent of new means of recruiting and interacting with clients, remunerating, and investing. Mexico currently has a track record of flourishing start-ups in the financial technology ("Fintech") sector. This article presents the context in which Mexico developed regulations of the Fintech industry, provides an overview of key regulations and of models to operate Fintech institutions under Mexican law to undertake a regulated fintech model in Mexico.
Context of Fintech in Mexico
The emergence and expansion rates of Unregulated Multiple Purpose Financial Companies (Sofom) and Popular Financial Companies (Sofipos) made the country the largest market in Latin America, although the services were not strictly regulated or supervised.
The main problem was the lack of regulation in matters of crowdfunding, deposits and payments, and currency exchange, which had never been considered under the Securities Market Law, the Credit Institutions Law, or any other laws. The overall lack of regulation generated either significant legal uncertainty for the operation of Fintech start-ups in Mexico or insufficient legislation to cover the operations carried out by the sector.
On March 9, 2018, Mexico enacted the Financial Technology Institutions Law (the "Law") to group and regulate banking sector agents, entrepreneurs, and private capital owners based on protecting inclusion and financial stability, prevent fraud, money laundering or mobile payments through the use of cryptocurrencies, protect consumers and create competition.
The New Fintech Regulatory Framework
The Law is imperative for the interactions of the market participants, associations, regulators and financial institutions in which the financial services such as crowdfunding and electronic payments, provided by Fintech startups, since their organization and operation are now subject to regulation. The Law aims to concentrate and regulate the agents involved in the industry, that is, the banking sector, entrepreneurs and private capital, to protect the inclusion and financial stability; prevent fraud, money laundering operations or regulate mobile payments through the use of cryptocurrencies; protect consumers and maintain competition.
The Law aims to regulate two types of Financial Technology Institutions (ITFs): (i) crowdfunding institutions, and (ii) electronic-payment fund institutions. It also regulates virtual assets—securities not backed by a banking institution. The differentiation of regulated activities leaves out important areas, such as credit risk, insurance activities (Insurtech), among others. The net result is a largely asymmetrical regulation of the sector.
The first type of regulated ITF, crowdfunding, is defined by the Law as activities intended to establish connections amongst members of the general public, with the purpose of providing funding through operations carried out through computer applications, interface platforms, webpages or any other forms of electronic or digital communication.
However, crowdfunding activities include five components, and the Law regulates only three: (i) crowdfunding debt, in which funding is granted to applicants through various investors; (ii) crowdfunding capital, in which the investors acquire a specific interest in the applicant entity, and (iii) crowdfunding co-ownership or royalties, in which an investor acquires a percentage of the revenue, profits, royalties or losses on an applicant's projects, as part of a joint venture or agreement. The remaining two types of crowdfunding (donation-based and reward-based) are not regulated, as they do not require an authorization for carrying out essential activities.
Crowdfunding institutions must perform the obligations established by the Law, as they apply to their operations. For example, all transactions must be done in pesos, or US dollars or cryptocurrencies if an authorization from the Bank of Mexico (BM) is granted; transactions must be subject to money laundering prevention framework, and they cannot issue statements of guaranteed return on investments.
Services offered by electronic payment institutions to the public include the issuance, administration, redemption and transmission of electronic payment funds through the same means available in the case of crowdfunding: computer applications, interface platforms, webpages or any other means of electronic or digital communication.
One common service provided by electronic payment institutions is the opening of funding accounts for customers, where the customers are able to make deposits in local or foreign currency, move certain virtual assets, issue electronic payment transfers, and transfer funds, whether in national or foreign currency or virtual assets, if authorized by the BM. However, no interest, income or any other monetary benefit is paid on the accumulated balance for these transactions and no loans can be granted by these payment institutions.
Both types of ITFs require an operating authorization and funds used by clients in operations with the ITF are not guaranteed by the federal or state government.
The Law defines virtual assets as an electronic representation of currency used by the general public as payment for all types of transactions that are only conducted electronically. In contrast, some users are giving a different use, such as storing currency. Although the exchange of virtual assets generates interest on accounts of public demand, they are neither issued nor endorsed by the BM or any financial institution.
The Law has tasked the BM with determining: (i) which virtual assets are allowed to operate, (ii) the type of operations to be transacted, (iii) the settlement of transactions, and (iv) the characteristics, custody and control measures of the assets. However, the authority that the BM can exercise in issuing secondary provisions for recognizing or determining the characteristics of virtual assets is highly discretionary. This regulatory flexibility casts a shadow of doubt on the effectiveness of the primary provisions of the Law.
If you are interested to set up an account, make sure you do the following things (i) identify the different cryptocurrencies offered in the market and verify the number of users that support the chosen cryptocurrency, the greater the number the better; (ii) confirm that the official site of the offered cryptocurrency is duly authorized for exchanges, and (iii) make sure to have a wallet provider to store the acquired cryptocurrencies so that a safe operation is guaranteed.
Not only does the Law clearly seek to protect ITFs from money laundering or terrorist financing, it also aims to protect against consumer fraud and the unlawful use of personal data by requiring applicants and investors to identify themselves and by regulating the money transfers by consumers. However, this protection has not been enough, since the law dictates that the consumer must bear the entire risk. In addition, market participants need to be fully aware of the financial risks involved, and fintech providers may have internal controls and risk management that need to be carried in strict connection with the Fintech Law provisions and its secondary provisions; the minimum and maximum limits of capital stock permitted by their clients and the amount clients may use; the minimum and maximum limits of cash and money transfers in Mexico and abroad.
Also, fintech providers will use Application Programming Interface (APIs) to exchange market participants' private information with financial institutions and other competitors. Companies and market participants need to be aware that their data can only be transferred by means of the APIs if the fintech providers or financial institutions had received written consent of their customers to do so. Additionally, customers may confirm with the fintech provider if it is compling with the legal obligation to adopt systems to prevent money laundering and terrorism financing and know-your-customer policies for personal data processing before hiring with it.[EB1] [EB1]Please condense this section: describe the basic protections and their failures. Then give steps as to how the customer (probably in-house counsel) can verify if the fintech provider is in compliance.
Operating an ITF requires authorization from the CNBV, which is discretionarily granted by the Interinstitutional Committee. This committee is composed of officials from the Ministry of Finance and Public Credit, the BM and the CNBV, and a favorable vote from each is required for authorization to operate as an ITF. Furthermore, if authorization is granted, the Interinstitutional Committee must approve its organizational and operational regulations. Finally, the BM has the authority to recognize ITFs seeking to perform operations with virtual assets or foreign currency.
Any legal entity applying for ITF authorization must be previously incorporated as a Business Corporation (S.A. de C.V.), and its bylaws must include (i) a corporate purpose strictly related to the operations it will engage in; (ii) an address in Mexico, and (iii) the minimum capital necessary to operate. To receive authorization from the CNBV, the application must indicate or include several documents, such as its bylaws, business plan, board of directors, company officers, a financial feasibility study, among others.
Operating an ITF
ITFs handle their clients' funds and limit how much they may use. Any funds received by a client must be from or deposited into accounts opened with a financial institution. In exceptional cases, the CNBV may authorize cash or electronic deposits or transfers from accounts opened abroad. Likewise, funds received from clients must be identifiable and separated from the ITF's own funds. ITFs are therefore required to provide clients with account statements, and financial statements issued by the ITF must be audited by an independent external auditor.
The CNBV oversees ITFs and ensures their compliance with procedures and guidelines on (i) preventing and detecting any acts, omissions, or operations related to terrorist financing and money laundering, (ii) preparing reports on any risk-based actions, operations, or services conducted with clients; on a client's due diligence or knowledge policy and the client's degree of risk; (iii) maintaining appropriate internal structures and standardized computer software interfaces and data exchanges. Similarly, the BM oversees compliance with its regulations on virtual assets, foreign currency transfers, credit bureaus, clearinghouses and transactional reports the ITF is required to submit.
The Regulatory Sandbox
Authorization under a sandbox model is required by companies interested in testing innovative technologies or non-existent or regulated financial services reserved to financial entities. If issued, authorization is specific to these services, limited to two years for commercial companies and one year for financial entities, and its terms and conditions are established therein; and in the event of a conflict between the authorized company or entity and its client, the National Commission for the Protection and Defense of Users of Financial Services (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros or the CONDUSEF for its acronym in Spanish ) will oversee any dispute resolution.
All are subject to oversight and are required to report the number of clients with whom they have transacted, the type of transactions, and the risks that may have arisen, among others.
Administrative and Criminal Penalties
Any violation to the Law or to the conditions outlined in the ITF authorization or the sandbox model is subject to administrative or criminal penalties.
Financial institutions, ITFs, and sandbox companies or entities, along with board members, CEOs, executives, officials, employees, and other staff may be penalized.
Fines vary in amount, depending on the degree of the violation, which are limited to 1,000 to 150,000 Units of Measurement and Update (UMA for its acronym in Spanish). Criminal penalties are levied in proportion to the offense committed, and the most severe penalty is seven to fifteen years' prison for conducting any unauthorized transactions. For the imposition of fines, the alleged offender has the right of audience, to express their interest, offer evidence and make allegations, and the procedure is subject to the administrative law and its applicable procedural instances, while in criminal penalties the victim is subject to the criminal laws and system which is more complex than the one referred before.
There are some important takeaways to note the importance of in-house counsel. Their services are critical not only to defend fintech providers from any breach to the law or assist them to meet and comply the legal requirements. Also, in-house counsel are critical for customers not only to verify the legal existence of the fintech provider or that it is duly authorized to operate in Mexico, but also to confirm either that the activities to be carried out are not contrary to the Law or the tax implications of the operations per se.
Inherent Risks and Deficiencies in the Law
Despite evidence indicating that the Law strives to prevent unlawful market operations and to protect consumers, a number of risks have still not been mitigated.
One of these risks involves money laundering. Even though the Law already establishes certain controls on information exchanges to prevent unlawful activities, it does not yet include any measures on fraud or computer crimes, taxing crowdfunding activities, or consumer protection. In addition, the growth in credit without an interest rate referenced by a Central Bank can cause instability and distort the country's monetary policy.
The Law seeks to establish general principles, while secondary provisions look to include other areas not initially considered. Despite significant attempts to establish a regulatory framework, the current Law leaves out several important areas covered in secondary provisions.
To ensure full regulatory compliance and position the company for success, business advisers must remain current on the Law's secondary regulations to avoid violations and penalties.
Finally, there are some important take-aways from the current state of the Fintech Law, and they are (i) there is still a lot of work from the authorities to do in order to provide stability and certainty in the market and to allow innovation and full competition to market participants; (ii) The broad regulatory authority granted to the supervisory bodies allows the continuance of calibration of the regulation according to the timely needs of the market, which in-house counsel must need to follow to provide proper and timely counseling, and (iii) a strict and robust legal framework similar to the one for the credit institutions will result in the short-term expulsion of many small-medium size Fintech providers and it is possible in the future that the lack of compliance with all secondary regulation will drive the search for mechanisms for no-compliance.