Search for:

In brief

The amendments to the Law that oblige financial institutions to obtain and store real-time geolocation of clients’ mobile devices went into effect in a staggered manner and by sector As of 21 March 2021. The National Banking and Securities Commission (CNBV) will verify that financial institutions comply with this measure. Financial institutions found to be in non-compliance will be subject to the corresponding sanctions.


In depth

The amendment to the general provisions of Article 115 of the Law of Credit Institutions seeks to comply with international standards to combat money laundering and terrorist financing. Several countries and international organizations, including the World Bank and the International Monetary Fund, have also recognized these standards. By implementing and recognizing the standards, Mexico is in compliance with the international commitments derived from the Financial Action Task Force (FATF), especially with the “Guide on Digital Identity” published by the FATF in March 2020.

Financial institutions will collect real-time geolocation of devices to obtain information on geographic zones at the time of executing non-face-to-face transactions carried out on the customer’s device and whose location is unknown. The CNBV will verify that financial institutions comply with this measure. Financial institutions that fail to comply, as well as with any obligation regarding the prevention of money laundering and financing of terrorism, will be subject to the corresponding sanctions.

The measures apply to the following Financial institutions:

  • Investment advisors
  • Money transmitters
  • Multiple purpose financial companies
  • Credit institutions (Banks)
  • Brokerage and exchange houses
  • Savings and loan cooperatives
  • Popular financial companies
  • Investment funds
  • Credit unions

Recommended actions

In accordance with the provisions of the Federal Law for the Protection of Personal Data held by Private Parties (FDPL), any private individual or legal entity that decides on the processing of personal data is obliged to inform the data subjects of the personal data collected and its purposes through a privacy notice.

In this sense, we recommend to verify that all privacy notices addressed to customers of financial institutions comply with the information requirements. Fines of up to one million dollars may be applied in case of non-compliance.

More information

For more information, please refer to the CNBV website, where you will find more information or please contact your usual Baker McKenzie contact.

Author

Carlos Vela Treviño is a partner in Baker McKenzie's Information Technology and Communications Practice Group in Mexico City, and the head of the Firm's Privacy and Data Protection practice in Mexico. He has vast experience in corporate, commercial and transactional work, including M&A, corporate restructuring, corporate governance and private equity transactions. A Certified Information Privacy Manager, he is recognized by Legal 500 and other international publications as one of the country's leading IT/C and media lawyers. Prior to joining Baker McKenzie, he led the IT/C legal practice of a Big 4 consultancy firm.

Author

Daniel Villanueva Plasencia is a member of the Intellectual Property Practice Group at Baker McKenzie Guadalajara. He has extensive experience in data privacy and information security matters; in regulatory issues related to information technologies and consumer protection; in intellectual and industrial property, especially focused on digital environments, including the use and licensing of trademarks, patents and copyrights. Before joining the Firm, he was a founding partner of a local firm in Guadalajara. During the last five years, Daniel has taught the intellectual property class at the Tecnológico de Monterrey, one of the most prestigious universities in Mexico.