July 22, 2020

Open Banking Has Arrived in Mexico

Holland & Knight Alert
Alejandro Landa Thierry | Gerardo Rotzinger

Mexico's National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores or CNBV) published on June 4, 2020, in the Official Gazette of the Federation (Diario Oficial de la Federación), the general provisions (the Provisions) related to the standardized application programming interfaces (APIs) referred to in the Law to Regulate Financial Technology (FinTech) Institutions (Ley para Regular las Instituciones de Tecnología Financiera, the FinTech Law). The Provisions were issued pursuant to article 76 of the FinTech Law, which establishes the obligation for Entities (as defined below) to offer APIs in order to share information with each other.

The Provisions are applicable to financial entities, FinTech institutions, money transmitters, credit information bureaus, clearing houses and companies authorized to operate with New Models (as defined in the FinTech Law), in order to regulate the exchange of the following data types (together referred to as Open Data) through the use of APIs:

  • Open Data: includes, without limitation, products and services, location of offices and branches, ATMs and other points of access for products and services
  • Aggregate Data: refers to statistical information related to Entity transactions
  • Transactional Data: refers to the transactional information of a client, related to their activities within the contracted products, and requires the prior written consent of the client for their exchange

By virtue of these Provisions, the CNBV seeks to ensure that the exchange of the Open Data between Data Petitioners and Data Providers (as defined below) is adequate, transparent and equitable.

Participants in the Open Data Exchange

  • Data Providers are those financial entities, FinTech institutions, companies authorized to operate with New Models (as defined in the FinTech Law) and money transmitters, who are obliged to establish APIs in order to share Open Data (the Data Providers).
  • Data Petitioners are those financial entities, FinTech institutions, companies authorized to operate with New Models (as defined in the FinTech Law), money transmitters and third parties specialized in information technologies (the Data Petitioners).

Obligations for Data Providers

Data Providers must do the following:

  • comply with the requirements of exhibits 1, 2 and 3 of the Provisions
  • publish clearly, precisely and in the Spanish language, on their website or by any other electronic platform, computer or digital application, the process that Data Petitioners must follow to access Open Data through APIs and the compensation amounts that, where appropriate, must be paid for the exchange of Open Data
  • request authorization and registration of their compensation amounts from the CNBV (see Note 1)
  • establish information security measures and mechanisms to protect the confidentiality and integrity of the Open Data, as well as the infrastructure of the API operation
  • have a configuration that guarantees that access is read-only, supports any operation and availability of the service and maintains complete audit records
  • in the event of a security incident regarding the information, file a report to the CNBV immediately

Obligations of Data Petitioners

Data Petitioners must:

  • have authorization from the CNBV
  • be enabled to access the data of the Data Providers to which they request access
  • comply with the security guidelines for Open Data and data architecture, as well as with exhibits 1, 2 and 3 of the Provisions

Holland & Knight has extensive experience in banking and finance law. For more information, contact the authors of this client alert or Holland & Knight's Mexico City office.


Notes

1. For authorization, registration and modification, as appropriate, of the compensation amounts, Data Providers must submit to the CNBV, for each type of API, the method, information and variables used to determine the compensation amounts, as well as any other consideration used in such determination process.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.