I. Background
On April 30, 2024, the National Banking and Securities Commission (“CNBV”) sent a preliminary draft of the “Resolution amending the General Provisions applicable to Credit Institutions” (the “Preliminary Draft”) to the National Commission for Regulatory Improvement (“CONAMER”). The complete file of the Preliminary Draft can be consulted here.
In accordance with the regulatory improvement process, the Preliminary Draft is currently undergoing public consultation for a period of at least 20 business days, with the aim of allowing any interested person to submit comments and suggestions, which must be addressed by the authority before its publication in the Federal Register and entry into force.
II. Content of the Preliminary Draft
The Preliminary Draft aims to amend the General Provisions applicable to Credit Institutions to specifically introduce technology-based commission agents, defining them as third parties who may act on behalf of Credit Institutions (the “Institutions”) through web pages or software applications (apps), and who will be limited to the following banking operations:
a) Opening Tier 2 accounts and transferring funds associated with such accounts.
b) Granting loans for amounts limited to three thousand UDIs.
c) Payments for goods and services, and
d) Consulting balances and movements.
When contracting technology-based commission agents, Institutions must consider requirements and obligations in addition to those already in effect, as follows:
a) Information security, operational processes, and database and computing systems management.
b) Likewise, Institutions must know and gather from the technology-based commission agents information and documentation related to their information servers, contracts in force with third parties, and the employees who will carry out the operational processes related to financial services.
c) The information that Institutions must ensure that the technology-based commission agents make known to their customers, on the use and registration of public and private keys, and the factors that will allow customers to be authenticated for the execution of operations.
III. Operational Process
The process to be followed to execute operations through technology-based commission agents will be that all customers must be previously authenticated by the Institution. Therefore, the customer will be redirected from the commission agent’s interface to the Institution’s for verification and authentication, then redirected back to the agent’s interface to carry out the operation.
This means that once the customer has been authenticated, the technology-based commission agent will have access to the customer’s information and will be able to carry out the transaction. However, the permissions granted to the commission agent to access the customer’s information will be revoked (a) once the transaction has been completed, (b) once the allowed time to carry out the operation expires, or (c) once the session expires due to user inactivity.
The contracts that Institutions enter into with the technology-based commission agents must include certain clauses covering, among others: a prohibition on the agent processing, transmitting, storing, modifying, or copying the authentication factor information necessary to authorize the operations; the usage and processing of the client’s information through encrypted messages; the maximum allowed times to carry out the operations; and employee information and notices of changes thereto.
IV. Business Strategic Plan
In order to carry out operations through technology-based commission agents, Institutions must submit their Business Strategic Plan (commonly known by its initials in Spanish, “PEN”) to the CNBV for authorization prior to the signing of the commercial commission contract, and for a single time only. The PEN must provide for the fulfillment of the aforementioned requirements and those specifically contained in Annexes 57, 58, and 59, as well as the model for the commercial commission contract that will be used.
The Preliminary Draft does not change the reasons for which Institutions must request a new authorization of the approved PEN, which remain the following:
i. Reforms that imply changes to the terms under which the operations would be executed.
ii. Substantial changes to the terms and conditions of the contract.
iii. Operations not included in the PEN.
iv. Implementation of a new technology, or
v. Operating with new agents not foreseen in the PEN.
However, the Preliminary Draft carries a contradiction regarding items iii, iv, and v outlined above: while the current regulation mandates a new PEN authorization in those cases, the Preliminary Draft merely stipulates that the CNBV shall authorize (i) the technical requirements listed in Annex 59 and, where applicable, the description of the new technology and its implementation, and (ii) the draft of the commercial commission contract in accordance with the authorized PEN.
It is worth noting that the Preliminary Draft mandates that the draft contract mentioned in item (ii) must comply with the requirements stated in the Provisions, with the exception of the provisions set forth in the second paragraph, Section I of Article 324 of the Provisions, which refer to the operations that the commission agent manager will contract on behalf of the Institutions.
V. Transitional Provisions
The transitional provisions will require Institutions to make adjustments to the contracts they already have in force with their commission agents within eighteen months of the Preliminary Draft’s entry into force. These changes will apply to contracts with commission agents with physical establishments and include, but are not limited to:
i. Include flowcharts that specify the operational or database and IT system management processes, and the physical location of the Institution’s servers.
ii. Acceptance by the commission agent of the delivery of additional information and documentation, in addition to the current one, during audits.
iii. Restrictions and conditions regarding the possibility of subcontracting the provision of on-demand computing and technology infrastructure services through the internet.
iv. Dispute resolution mechanisms between the commission agent and the subcontracted third party.
v. The information that must be published by Institutions and commission agents to the public, and
vi. The information contained in Annexes 58 and 59.
* * * *
This document does not constitute legal advice. If specific information or legal counsel is required, please contact us.
Campa & Mendoza