
Mexico: Data Protection in the Financial Sector


1. INTRODUCTION

The right to personal data protection is, under the current Mexican framework, a human right recognised in Article 16 of the Constitution of Mexico, which grants individuals the power to control the use and destination of their personal data. It enjoys the highest level of legal protection in Mexico, and its extensive regulation in the public and private sectors imposes a series of obligations on the controllers and processors that process personal data.

Financial services is one of the most sensitive sectors regarding privacy and data protection, because of the large volume of personal data it processes, much of which is sensitive data.

The rising threat of data breaches, identity theft, and associated fraud is a reminder of how important it is for financial institutions to keep their customers' personal data well protected. The purpose of this Guidance Note is to highlight the importance of data privacy from the perspective of the financial services industry, with an emphasis on identifying the main legal provisions, from a data protection perspective, applicable to the key players in that industry.

1.1. Legislation

General framework

In Mexico, the right to the protection of personal data in the financial services industry is regulated by the Federal Law on the Protection of Personal Data Held by Private Parties 2010 ('the Law'), published on 5 July 2010, and by the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011 ('the Regulations'), published on 21 December 2011. In addition to the Law and the Regulations, the right to the protection of personal data is regulated extensively by the following secondary provisions:

  • General criteria for determining compensatory measures (Spanish only), published on 18 April 2012;
  • Guidelines on privacy notices (Spanish only) ('the Guidelines'), published on 17 January 2013;
  • Recommendations on personal data security (Spanish only), published on 30 October 2013;
  • Parameters of Self-Regulation Regarding the Protection of Personal Data (Spanish only), published on 29 May 2014;
  • Rules of Operation of the Registry of Binding Self-Regulation Schemes (Spanish only), published on 18 February 2015;
  • Guidelines for the use of hyperlinks on the website of the National Institute for Transparency, Access to Information and Personal Data Protection ('INAI') to publicise privacy notices through compensatory measures (Spanish only), published on 18 January 2016; and
  • Rules of Use of the REA INAI Binding Self-Regulation Scheme Logo and Conditions for its Authorisation (Spanish only), published on 7 April 2017.

The INAI has issued several guides and documents (Spanish only) to support controllers in applying the Law and the Regulations. These include specific studies and recommendations on the security of personal data, cloud computing services, FinTech, risk assessment methodology, self-regulation schemes, data protection impact assessments, the processing of biometric data, codes of conduct for processing data relating to children and teenagers, and data breach management.

Specific regulations in the financial sector

In the financial sector, several sector-specific provisions regulate particular aspects of the right to the protection of personal data. Owing to their practical relevance, the following can be mentioned:

  • Law on Credit Institutions (Spanish only) ('the LIC'), amended on 27 March 2020;
  • Provisions of a General Nature Applicable to Credit Institutions (Spanish only) ('the CUB'), amended on 22 June 2022;
  • General Provisions Applicable to Network Providers (Spanish only) ('the Network Providers Provisions');
  • General Law of Organisations and Auxiliary Credit Activities (Spanish only);
  • Law on Protection and Defence of the User of Financial Services (Spanish only);
  • Law on Credit Unions (Spanish only);
  • Popular Savings and Credit Law (Spanish only);
  • Law to Regulate the Activities of Cooperative Savings and Loan Societies (Spanish only);
  • Securities Market Law (Spanish only); and
  • Law of Investment Funds (Spanish only).

Specifically, in the insurance sector, the following legal instruments are relevant:

  • Law of Insurance and Bonding Institutions (Spanish only) ('the LISF'); and
  • Sole Circular of Insurance and Bonds (Spanish only) ('the CUSF'), amended on 27 March 2020.

In terms of the prevention and identification of operations with resources of illegal sources, the following should be noted:

  • Federal Law for the Prevention and Identification of Operations with Resources of Illegal Sources (Spanish only) ('the LFPIORPI'); and
  • Provisions of a General Nature referred to in Article 115 of the Law on Credit Institutions (Spanish only), amended on 22 March 2019.

In relation to FinTech, the Law to Regulate Financial Technology Institutions (Spanish only) ('the FinTech Law') is the primary regulatory instrument. The processing of personal data is further regulated in the following provisions:

  • Provisions of a General Nature Applicable to Financial Technology Institutions (Spanish only), amended on 15 December 2021;
  • Provisions of a General Nature Referred to in Article 58 of the Law to Regulate Financial Technology Institutions (Spanish only) ('the FinTech AML Provisions'), amended on 22 April 2021; and
  • Provisions of a General Nature applicable to Electronic Payment Fund Institutions Referred to in Articles 48(2), 54(1), 56(1), and 56(2) of the Law to Regulate Financial Technology Institutions (Spanish only) ('the IFPE Provisions').

In the FinTech sector, the financial institutions and financial technology institutions ('FTIs') are bound to comply with the obligations established in Article 76 of the FinTech Law regarding open finance. However, to date, the regulatory bodies have not issued the legal provisions to regulate the sharing of financial and transactional data between financial institutions and FTIs referred to in Article 76 of the FinTech Law.

Relevant resolutions

The financial services sector has been the subject of many complaints filed with the INAI, which have resulted in numerous investigations and in the imposition of fines. Relevant resolutions include:

  • 3S.07.02-011/2014;
  • 3S.07.02-0030/2016;
  • 3S.07.02-045/2016;
  • 03S.07.02.008/2017; and
  • 3S.07.02.007/2018.

Relevant sanction procedures ('PISAN') are:

  • PS.0009/14;
  • PS.0006/13;
  • PS.0022/13;
  • PS.0027/15;
  • PS.0045/17;
  • PS.0008/18;
  • PS.0047/18;
  • PS.0067/18; and
  • PS.0016/14, which is the most paradigmatic one because the fine reached MXN 32 million (approx. €1.35 million), one of the highest fines imposed by the INAI.

1.2. Supervisory authorities

The right to protection of personal data is protected by the INAI, as the main guarantor authority in this matter.

However, specific sectoral authorities also have investigative powers in the event of non-compliance with certain obligations provided for in the applicable regulations, and may collaborate with the INAI to effectively guarantee the right to the protection of personal data. Among the most relevant, the following can be identified:

2. PERSONAL AND FINANCIAL DATA MANAGEMENT

As a general rule, the processing of personal data is subject to the provisions established in the Law and the Regulations, except for those specific cases regulated by specific regulations. For this reason, the Law is taken as the primary reference for the explanation of the aspects concerning the processing of personal data.

2.1. Legal basis for processing

As the legal basis for the processing of personal data, the Law identifies the consent of the data subject as the primary basis. Where the processing relates to financial data, consent must be express (Article 8 of the Law).

However, Article 10 of the Law provides that personal data may be processed without the data subject's consent when any of the following conditions is met:

  • the processing is provided for in a law;
  • the data appears in publicly accessible sources;
  • the personal data is subject to a prior dissociation procedure;
  • the processing has the purpose of fulfilling obligations derived from a legal relationship between the data owner and the data controller;
  • there is an emergency situation that could harm an individual in their person or property;
  • the processing is necessary for medical care, prevention, diagnosis, the provision of healthcare, medical treatment, or the management of health services while the data subject is unable to give consent, under the terms of the General Health Law (Spanish only) and other applicable legal provisions, and the processing is carried out by a person subject to professional secrecy or an equivalent obligation; or
  • a resolution by a competent authority is issued.

2.2. Privacy notices and policies

The Guidelines explain that a privacy notice can be presented in three modalities, namely comprehensive, simplified, and short, and each one of them has different contents and general rules for its application.

According to the Law, the Regulations, and the Guidelines, the comprehensive privacy notice (used when the data is collected in person from the data subject, i.e. in the data subject's physical presence) must contain the following informative elements:

  • the identity and address of the data controller;
  • the personal data subject to processing;
  • an express indication of any sensitive data processed;
  • the purposes of the processing;
  • secondary purposes;
  • the mechanisms to refuse processing for secondary purposes;
  • information on the transfers of personal data that are made (the third parties and their purposes);
  • a clause indicating whether or not the data subject accepts the transfer, where required;
  • the means and procedure to exercise the rights of access, rectification, and deletion of personal data, and to object to its use for specific purposes;
  • the mechanisms and procedures to revoke consent;
  • the options and means to limit the use or disclosure of personal data;
  • information about the use of cookies, web beacons, and similar technologies; and
  • the procedures and means to communicate changes to the privacy notice.

In addition, the Regulations govern the simplified privacy notice (used when personal data is obtained directly from the data subject but not in person, for example through the internet or by telephone) and state that it must contain the following informative elements:

  • the identity and address of the data controller;
  • the purposes of the processing; and
  • the mechanisms offered by the data controller so that the data subject can consult the comprehensive privacy notice.

The Regulations also govern the short privacy notice (used when the space available for obtaining the data is minimal and limited) and indicate that it must contain the following informative elements:

  • the identity and address of the data controller;
  • the purposes of the processing; and
  • the mechanisms offered by the data controller so that the data subject can consult the comprehensive privacy notice.

However, providing a simplified or short privacy notice does not exempt the controller from the obligation to provide mechanisms for the data subject to consult the content of the comprehensive privacy notice.

Finally, it should be noted that the Law, the Regulations, and the Guidelines do not regulate privacy policies or establish elements for their creation, so whether to create them, and what they contain, is at the controller's discretion.

2.3. Data security and risk management

Under the Law and the Regulations, financial sector institutions must comply with the duties of security and confidentiality in the processing of personal data. To comply with the duty of security, institutions must establish the administrative, physical and, where appropriate, technical security measures necessary to protect personal data against damage, loss, alteration, destruction, or unauthorised use, access, or processing. In addition, regulated institutions must take into account Chapter III of the Regulations, which establishes, among other things, the actions required for the security of personal data.

Specifically, in the financial sector, the following provisions establish the obligation of security of personal data:

  • Article 46 Bis 1 of the LIC establishes guidelines for the provision of third party services, and Article 96 of the LIC establishes the obligation of credit institutions to establish basic security measures, including the installation and operation of devices, mechanisms, and essential equipment, to provide due protection to individuals in the credit institution's branches, as well as the assets of both the branches and the institution generally; and
  • Section 4 of the CUB establishes the mechanisms that the regulated institutions must establish for the security, confidentiality, and integrity of information transmitted, stored, or processed through electronic means.

2.4. Data retention/record keeping

The Law and the Regulations oblige financial institutions to establish and document procedures for the retention and, where appropriate, blocking and deletion of personal data in accordance with the provisions applicable to the subject matter, taking into account the administrative, accounting, tax, legal, and historical aspects of the information. In other words, the sector-specific regulations must be considered when establishing personal data retention periods.

Within sectoral regulations, the following provisions provide obligations for document and information storage periods:

  • the LIC refers to the CUB for the determination of retention periods and, in this regard, the CUB establishes the following cases and retention periods:
    • credit files must be kept in accordance with the applicable legal and administrative provisions;
    • the electronic, digital, or magnetic record, the original of the respective document, voice recordings, or any other medium containing clients' instructions must be kept for at least five years as an integral part of the institution's accounting records; and
    • the electronic or magnetic record, the original of the respective document, or any other medium containing clients' orders must be kept for two years;
  • Article 15(IV) of the LFPIORPI requires financial entities that carry out vulnerable activities to keep, for at least ten years, the information and documentation relating to the identification of their current and former clients and users, as well as to the acts, operations, and services reported under Article 15, without prejudice to other provisions of the LFPIORPI or other applicable ordinances;
  • the Federal Tax Code (Spanish only) establishes a five-year retention period for accounting records and documentation relating to compliance with tax provisions; and
  • the Code of Commerce (Spanish only) obliges merchants to keep the original vouchers of their operations, and the originals of the letters, telegrams, data messages, or other documents recording contracts, agreements, or commitments that give rise to rights and obligations, for a minimum of ten years.

3. FINANCIAL REPORTING AND MONEY LAUNDERING

The LFPIORPI is the central law regulating the obligations that financial entities must observe to prevent and detect acts or operations involving resources of illegal sources. Article 15 of the LFPIORPI provides that financial entities carrying out vulnerable activities must establish measures and procedures to prevent and detect acts, omissions, or operations that could fall within the cases provided for in Chapter II of Title 23 of the Federal Criminal Code ('the Criminal Code'), and must identify their customers and users in accordance with the applicable regulations. The Provisions of a General Nature Referred to in Article 115 of the LIC (Spanish only) ('the Provisions') implement what Article 15 of the LFPIORPI orders.

In relation to the foregoing, Chapter II of the Provisions establishes that regulated entities must prepare and observe a client identification policy, which includes the guidelines established in the Provisions as well as the criteria, measures, and procedures required for its due compliance, including those relating to the verification and updating of the data provided by clients.

In addition, Article 4 of the Provisions orders the integration and preservation of an identification file for each client before they open an account or enter into a contract to carry out operations of any kind. Such a file should meet a number of outlined requirements, which will depend on whether the client is of Mexican or of foreign nationality, among other things.

Regarding the reports that must be filed, Article 15 of the LFPIORPI states that regulated entities must submit to the SHCP (the Ministry of Finance and Public Credit) reports on the acts, operations, and services carried out with their clients, and on those carried out by members of the board, directors, and employees of the entity itself, and must deliver the corresponding information and documentation.

For its part, Article 58 of the FinTech Law establishes that FTIs must establish measures and procedures to prevent and detect acts, omissions, or operations that could fall within the cases of Articles 139 Quáter or 400 Bis of the Criminal Code, and must submit to the SHCP reports on:

  • the acts, operations, and services performed with their clients, and the operations between them; and
  • any act, operation, or service performed by the members of the board of directors, directors, officers, employees, factors, and attorneys-in-fact that could fall within the cases indicated in the Criminal Code or that, where applicable, could contravene or undermine the proper application of the provisions of Article 58 of the FinTech Law.

In compliance with Article 58 of the FinTech Law, the FinTech AML Provisions indicate the form, the terms, and the modalities according to which FTIs must present to the SHCP the legally required reports, specify the characteristics that must be met by the acts, operations, and services that must be reported by the FTI, and provide for the cases, the form, and the terms in which FTIs must comply with the obligations set forth in the FinTech Law.

4. BANKING SECRECY AND CONFIDENTIALITY

Under the provisions of Article 21 of the Law, financial institutions are obliged to maintain the confidentiality of personal data, even after the relationship with the owner of the data has ended.

In particular, Article 142 of the LIC establishes the duty of confidentiality and specifies that the information and documentation relating to operations and services are confidential. Accordingly, credit institutions, in protection of the right to privacy of their clients and users established in that article, may in no case disclose news or information on deposits, operations, or services, except to the depositor, debtor, account holder, beneficiary, trustor, trustee, commission agent, or principal, their legal representatives, or those who have been granted the power to dispose of the account or to intervene in the operation or service.

However, the second paragraph of Article 142 of the LIC establishes exceptions to this confidentiality and provides that credit institutions must give information when requested by a judicial authority by virtue of an order issued in proceedings to which the account holder or, as the case may be, the trustor, trustee, principal, or commission agent is a party or defendant. Banking secrecy may also be set aside when the information is requested by the Attorney General of the Republic, the Attorney General of Military Justice, the attorneys general of the states of the Federation, federal treasury authorities such as the SHCP, the Superior Audit Office of the Federation, the head and undersecretaries of the Ministry of the Public Function, the Treasury of the Federation, and the Unit for the Oversight of Political Party Resources.

5. INSURANCE

In the insurance sector, the Law also applies, so the processing of personal data is governed by its provisions. However, the LISF and the CUSF are the main regulatory instruments.

The LISF provides for various obligations related to the protection of personal data, such as information exchange intended to strengthen the measures to prevent and detect acts, omissions, or operations that could favour, aid, assist, or cooperate in any way with the commission of crimes against insurers' clientele or against the institution itself. Insurers must also establish measures and procedures to prevent and detect acts, omissions, or operations that could favour, aid, assist, or cooperate in any way with the commission of the crimes provided for in Articles 139 or 148 Bis of the Criminal Code, or that could fall within the cases of Article 400 Bis of the Criminal Code, and must file reports with the competent authorities.

6. PAYMENT SERVICES

In Mexico, payment services are regulated by various provisions, including the Network Providers Provisions, which establish a number of obligations for participants in that ecosystem. The obligations related to the security of personal data are, in particular, to:

  • ensure that point of sale terminals and other devices used for card payments have readers that allow obtaining the information of the integrated circuit or chip cards when they have such circuits;
  • encrypt messages or use encrypted means of communication, in the transmission of sensitive information (the cardholder's personal information containing names, in conjunction with card numbers, account numbers, credit limits, balances, or authentication information) of the cards and their operations, from the device where the transaction originates to the reception for authorisation by the issuers;
  • ensure that the cryptographic keys and the encryption and decryption process are installed in high-security devices, such as the so-called hardware security module;
  • have controls for accessing the databases and files corresponding to the operations and services carried out through the means of payment networks, even when said databases and files reside in backup storage media;
  • generate records, logs, and audit trails of the operations and services performed that show at least the date and time, card data, and other information that allows identifying the largest number of elements involved in the access and operation of the card payments, as well as the identification data of the point of sale terminal used by the cardholder to perform the operation in question;
  • store the information involved in card payment processing services, including records, logs, and audit trails, securely for a minimum of 180 calendar days counted from their generation, with mechanisms to prevent their alteration, and maintain internal control procedures for their access and availability;
  • conduct security reviews focused on verifying the sufficiency of the controls applicable to the processing and telecommunications infrastructure for card payments; and
  • have preventive, detective, dissuasive, and response procedures for security incidents, as well as computer security controls and measures to mitigate threats and vulnerabilities related to the services provided in the payment networks, which could affect participants in the card payment network or cardholders.
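The logging, tamper-prevention and 180-day retention obligations listed above lend themselves to a concrete illustration. The following Python example is added here for that purpose; it is not code from the Network Providers Provisions, from any regulator, or from this Guidance Note's authors. It keeps a hash-chained audit trail of card-payment events (timestamp, masked card number, terminal identifier, authorisation code, outcome), detects any later alteration of a record, and purges only records older than 180 days while keeping the remaining chain verifiable. The field names, the 6+4 masking of the card number, and the sample events are assumptions made for the example.

```python
"""Hash-chained audit trail for card-payment events (illustrative only).

Added example, not regulator or Guidance Note code. Field names, the 6+4
masking rule and the sample events below are assumptions for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180   # minimum retention period summarised above
GENESIS = "0" * 64     # anchor hash used before the first record


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits; the full PAN never reaches the log.
    Assumption: 6+4 truncation is acceptable for this audit trail."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _record_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so an identical record always produces the same hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.records = []
        self.anchor = GENESIS   # hash the first retained record must chain to

    def append(self, *, when: datetime, pan: str, amount_cents: int,
               terminal_id: str, auth_code: str, outcome: str) -> dict:
        payload = {
            "ts": when.astimezone(timezone.utc).isoformat(),
            "pan_masked": mask_pan(pan),
            "amount_cents": amount_cents,
            "terminal_id": terminal_id,
            "auth_code": auth_code,
            "outcome": outcome,
        }
        prev = self.records[-1]["hash"] if self.records else self.anchor
        rec = {"payload": payload, "prev_hash": prev,
               "hash": _record_hash(prev, payload)}
        self.records.append(rec)
        return rec

    def verify(self) -> tuple:
        """Recompute the chain. Returns (ok, index of first bad record or -1)."""
        prev = self.anchor
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev:
                return False, i
            expected = _record_hash(prev, rec["payload"])
            if not hmac.compare_digest(expected, rec["hash"]):
                return False, i
            prev = rec["hash"]
        return True, -1

    def purge_expired(self, now: datetime) -> int:
        """Drop leading records older than RETENTION_DAYS and move the anchor
        forward so the remaining chain still verifies. Returns count removed."""
        cutoff = now.astimezone(timezone.utc) - timedelta(days=RETENTION_DAYS)
        removed = 0
        while self.records and datetime.fromisoformat(
                self.records[0]["payload"]["ts"]) < cutoff:
            self.anchor = self.records.pop(0)["hash"]
            removed += 1
        return removed


def demo() -> dict:
    """Constructed sample events (not real card data) exercising the trail."""
    trail = AuditTrail()
    t0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    trail.append(when=t0, pan="4111111111111111", amount_cents=15000,
                 terminal_id="TPV-0001", auth_code="A1B2C3", outcome="approved")
    trail.append(when=t0 + timedelta(days=1), pan="5500000000000004",
                 amount_cents=9900, terminal_id="TPV-0002",
                 auth_code="Z9Y8X7", outcome="declined")
    trail.append(when=t0 + timedelta(days=200), pan="4111111111111111",
                 amount_cents=500, terminal_id="TPV-0001",
                 auth_code="Q1W2E3", outcome="approved")
    intact = trail.verify()
    # Simulate an after-the-fact edit of the second record's amount.
    trail.records[1]["payload"]["amount_cents"] = 1
    tampered = trail.verify()
    trail.records[1]["payload"]["amount_cents"] = 9900   # restore
    # 220 days after t0 the first two records are past the 180-day minimum.
    removed = trail.purge_expired(t0 + timedelta(days=220))
    return {"intact": intact, "tampered": tampered, "removed": removed,
            "after_purge": trail.verify(), "remaining": len(trail.records)}


if __name__ == "__main__":
    print(demo())
```

The chain only proves integrity relative to its anchor: if an attacker can rewrite every record and the stored anchor, nothing is detected, so in practice the latest hash is periodically written somewhere the logging host cannot modify (a separate system, a signed timestamp, or a WORM store). The purge walks the chronological prefix only, because deleting a record in the middle would break the chain for everything after it.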

Additionally, Circular 13/2017 (Spanish only) establishes the obligation to observe at all times the technical, operational, computer security, and operational risk management requirements, the protection of issuing customers, interoperability, and the measures against the use of the payment system for illicit activities, as necessary to ensure the proper functioning of the payment system.

7. DATA TRANSFERS AND OUTSOURCING

Transfers of personal data are subject to the provisions of the Law, so they must be limited to the purpose that justifies them and must comply with the following:

  • notification to the data subject, through the privacy notice, which must contain a clause indicating whether or not the data subject agrees to the transfer of their data;
  • consent of the data subject, except where the transfer:
    • is provided for in a law or in a treaty to which Mexico is a party;
    • is necessary for medical prevention or diagnosis, the provision of healthcare, medical treatment, or the management of health services;
    • is made to holding companies, subsidiaries, or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller that operates under the same internal processes and policies;
    • is necessary by virtue of a contract concluded, or to be concluded, in the interest of the data subject between the data controller and a third party;
    • is necessary or legally required to safeguard the public interest, or for the procurement or administration of justice;
    • is necessary for the recognition, exercise, or defence of a right in judicial proceedings; or
    • is necessary to maintain or fulfil a legal relationship between the data controller and the data subject;
  • communication to the recipient of the privacy notice and of the purposes to which the data subject limited the processing, with the recipient assuming the same obligations as the controller that transferred the data; and
  • formalisation through a legal instrument.

With regard to FinTech, Article 76 of the FinTech Law establishes that financial institutions, money transmitters, credit information societies, clearinghouses, FTIs, and companies authorised to operate innovative models, are obliged to establish application program interfaces to share open financial data, aggregate data, and transactional data (note that said transfer of data will not imply a breach of bank secrecy).

With regard to the subcontracting of services, the provisions of the Regulations must be fulfilled, namely any subcontracting of services by the data processor implying the processing of personal data must be authorised by the data controller and must be made in the name, and on behalf, of the data controller. After obtaining authorisation, the data processor must formalise the relationship with the subcontractor by contract or other instrument that permits its existence, scope, and contents to be proven.

Further, under Article 52 of the Regulations, the contracting of services, applications, and infrastructure in cloud computing must be limited to providers that:

  • apply data protection policies consistent with the applicable principles set out in the Law and the Regulations;
  • are transparent about any subcontracting that involves information about the service provided;
  • refrain from assuming ownership of the data processed through their service;
  • maintain confidentiality; and
  • have mechanisms to:
    • disclose changes in their terms of service and privacy policies;
    • allow the data controller to limit the type of processing of the personal data covered by the service;
    • establish and maintain adequate security measures;
    • guarantee the deletion of the data once the service has been provided to the data controller, and allow the data controller to recover it; and
    • prevent access to the data by unauthorised persons.

Additionally, the provision of cloud computing services is subject to the provisions of Chapter XI of the CUB relating to the contracting of services or commissions. In this regard, the provisions of Article 318 of the CUB are applicable, indicating that credit institutions must comply with the following requirements:

  • have a report that specifies the operational processes or the administration of databases and computer systems of the institution that are the object of the services or commissions to be hired, as well as the standards and procedures for selecting the third party;
  • provide in the contract for the provision of services or the respective commission, or another document stating the unconditional who provide the service or the commissioner to:
    • receive home visits from the external auditor of the institution, from the CNBV or third parties designated by the CNBV for the purpose of carrying out the corresponding supervision, with the only purpose of obtaining the information to verify the contracted services or commissions allow the institution to comply with the applicable regulations;
    • deliver at the request of the institution, to the external auditor of the institution and CNBV or the third party it designates books, systems, records, manuals, and documents in general, related to the provision of the service in question;
    • inform at least 30 calendar days in advance of any amendment to its corporate purpose or internal organisation that could affect the provision of the service object of the contract; and
    • in this case, keep confidential the information related to the assets, liability transactions, and service operations that the commission agents celebrate with bank customers, as well as the relative of the last one;
  • have policies and procedures to monitor the performance of the third party or commission agent and compliance with their contractual obligations, containing the following:
    • the restrictions or conditions, with respect to the possibility that the third party or commission agent subcontracts, in turn, the provision of the service;
    • the confidentiality and security of customer information;
    • the obligations of the institution and the third party or commission agent, the procedures to monitor compliance, as well as, in this case, the legal consequences in the event of non-compliance;
    • the mechanisms for the solution of disputes regarding the contract for the provision of services and commission;
    • business continuity plans, including contingency procedures in case of disasters;
    • the use and development, in favour of the institution, of the databases resulting from the services and commissions;
    • the establishment of guidelines to ensure that third parties or commission agents receive regular training and information, in relation to the services or commissions hired; and
    • compliance with the minimum operating and security guidelines set out in Annexes 52 and 58 of the CUB, if the services or commissions to be contracted refer to the use of technological infrastructure or telecommunications;
  • have plans to evaluate and report to the board, the audit committee, or the general directorate of the institution, according to the importance of the contracted service, the performance of the third party or commission agent, as well as compliance with applicable regulations related to that service;
  • provide that the general directorate, the audit committee, and the internal auditor of the institution define and monitor, according to their competency, compliance with the mechanisms for the proper management, control, and security of the information generated, received, transmitted, processed, or stored in the execution of services or commissions that involve the use of technological infrastructure, telecommunications, or information processing and that are carried out partially or totally outside the national territory; and
  • establish the approaches that allow the institutions, through their general directorate, to evaluate the extent to which the respective contracts may qualitatively or quantitatively affect the operations carried out by the institution, in accordance with its purpose.

8. BREACH NOTIFICATION

However, financial institutions must comply with the provisions of Article 168 Bis 16 of the CUB, which states that, in the event that an information security incident occurs, the following must be done:

  • adopt the necessary measures to inform the CNBV immediately by e-mail with acknowledgment of receipt via the [email protected] account, or through any other means indicated by the CNBV, whereby the notification must contain at least:
    • the date and time of the incident;
    • the indication of whether the incident continues or, as the case may be, whether it has ended and its duration;
    • a description of said incident; and
    • an initial assessment of the impact or severity;
  • carry out an immediate investigation into the causes that generated the incident and establish a work plan describing the actions to be implemented to eliminate or mitigate the risks and vulnerabilities that led to the incident; the plan must indicate, at least, the personnel responsible for its design, implementation, execution, and follow-up, the deadlines for its execution, and the technical, material, and human resources required, and must be sent to the CNBV within 15 business days after the incident has ended;
  • when the information security incident involves the extraction, loss, deletion, or modification of sensitive information, or the institution suspects that some act involving unauthorised access to said information has taken place, the CEO or the person designated by them must notify customers of the possible loss, extraction, alteration, misplacement, or unauthorised access to their information within the next 48 hours; and
  • keep a record in its databases of the incidents, failures, or vulnerabilities detected in the technological infrastructure, which includes at least the information related to the detection of failures, operational errors, attempted computer attacks and those effectively carried out, as well as the loss, extraction, alteration, misplacement, or improper use of information of the users of the technological infrastructure, recording the date of the event and a brief description of it, its duration, the service or channel affected, the customers and amounts affected, as well as the corrective measures implemented.

9. FINTECH

Article 76 of the FinTech Law recognises the figure of open banking, which represents a paradigm shift for the financial services industry in Mexico. The obligations enshrined in Article 76 require financial service providers to share information with authorised companies through the use of Application Programming Interfaces ('APIs'). It is clear that the intent behind these obligations is to promote competition in the market in order to generate more innovation for the benefit of users of financial services.

Article 76 of the FinTech Law establishes three different sets of data that financial entities may exchange through the use of APIs:

  • open data: such as information on products and services;
  • aggregated data: the operational statistical information of an institution; and
  • transactional data: information related to the financial behaviour of a person, who must give their authorisation for the exchange.

Of the above categories, only transactional data would be considered as personal information protected under the Law, which means that such communications of data should be done in accordance with the rules specified in such law for data transfers.

In the FinTech sector, the issuance of the legal provisions to regulate the personal data that the FTIs and other legal entities must share to comply with the open finance obligations in accordance with Article 76 of the FinTech Law is pending.

Now, regarding security incidents suffered by crowdfunding institutions ('IFC') regulated under the FinTech Law, these shall comply with the following:

  • report immediately to the CNBV any information security incident, via an email sent to [email protected] or through other means indicated by the CNBV itself, indicating at least:
    • the start date and time of the information security incident in question and, where appropriate, the indication of whether it continues or has concluded and its duration;
    • a description of the event or incident, as well as an initial assessment of the impact or severity; and
    • IFC institutions must send via email to [email protected], or through other means that the CNBV itself indicates, within five business days following the identification of the information security incident in question, the information contained in Annexes 11 and 12 of the CUITF (Article 67-I of the FinTech Law);
  • carry out an immediate investigation into the causes that generated the information security incident and establish a work plan that describes the actions to be implemented to eliminate or mitigate the risks and vulnerabilities that led to the aforementioned incident, indicating at least:
    • the personnel responsible for its design, implementation, execution, follow-up, and deadlines for its execution; and
    • the technical, material, and human resources, which must be sent to the CNBV within a period of no more than 15 business days (CUITF Article 67-II of the FinTech Law);
  • when the information security incident involves sensitive information in the custody of the IFC or of third parties providing services to it having been extracted, lost, deleted, or altered, or any act involving unauthorised access to said information, the general manager or, where appropriate, the sole administrator or the person designated by either of them, must notify the clients of the possible loss, extraction, alteration, misplacement, or unauthorised access to their information within 48 hours after the information security incident occurred or became known, through the means of notification that the client has indicated for that purpose, in order to protect them from the risks derived from the misuse of the information that has been extracted, lost, deleted, or altered, and to inform them of the measures that must be taken and, where appropriate, to carry out the replacement of the corresponding means of disposal or of the necessary authentication factors (CUITF Article 67-II of the FinTech Law); and
  • store the information of the information security events classified as relevant and information security incidents in the means determined by the IFC, which must be retained for at least ten years (CUITF, Article 68 of the FinTech Law).

The Electronic Payment Fund Institutions ('EPFI') must comply with the obligations established in Chapter IV of the IFPE Provisions, which provides for the following:

  • keep a record in databases of relevant security incidents in accordance with the elements foreseen in Article 41 of the IFPE Provisions;
  • in the event that a security incident or an information security event takes place, notify the Bank of Mexico and the CNBV by email sent to [email protected] and [email protected], indicating at least the start date and time of the information security incident or attempt and, where appropriate, whether it continues or has concluded and its duration, a description of such event or incident, as well as an initial assessment of the impact or severity;
  • carry out an immediate investigation into the causes that generated the information security incident and establish a work plan that describes the actions to be implemented to eliminate or mitigate the risks and vulnerabilities that led to the aforementioned incident, indicating at least:
    • the personnel responsible for its design, implementation, execution, follow-up, and deadlines for its execution; and
    • the technical, material, and human resources, which must be sent to the Bank of Mexico and CNBV within a period of no more than 15 business days (Article 42(2) of the IFPE Provisions); and
  • when the information security incident involves sensitive information in the custody of the EPFI or of third parties providing services to it having been extracted, lost, deleted, or altered, or any act involving unauthorised access to said information, the general manager or, where appropriate, the sole administrator or the person designated by either of them, must notify the clients of the possible loss, extraction, alteration, misplacement, or unauthorised access to their information within 24 hours after the information security incident occurred or became known, through the means of notification that the client has indicated for that purpose, in order to protect them from the risks derived from the misuse of the information that has been extracted, lost, deleted, or altered, and to inform them of the measures that must be taken and, where appropriate, to carry out the replacement of the corresponding means of disposal or of the necessary authentication factors (Article 42(III) of the IFPE Provisions).

10. ENFORCEMENT

Compliance with the personal data regulations is the responsibility of the INAI, which has broad investigative powers concerning possible breaches of data protection regulations and can initiate an investigation procedure, a PV, or a PISAN. If a breach of the obligations of the Law is verified, the fines may range from 100 Units of Measure and Update ('UMA') to 320,000 UMA (approx. €388 to €1,200,000). Such fines are separate from the sanctions that may be imposed by the CNBV for breach of the provisions of the LIC and the CUB.

11. ADDITIONAL AREAS OF INTEREST

Not applicable.

Alexis Cervantes Attorney
[email protected]
Isabel Davara Attorney
[email protected]
Davara Abogados, Mexico City