This is an update to the “Client Alert” published on May 15th, 2024 by Campa & Mendoza.
I. Content of the Provisions.
Today, the National Banking and Securities Commission (“CNBV”) published in the Federal Registry (“DOF”) the “Provisions amending the General Provisions applicable to Credit Institutions” (the “Provisions”), which can be consulted here.
The Provisions aim to amend the General Provisions applicable to Credit Institutions (the “Provisions”) to specifically introduce the technology-based commission agents, defining them as a third party who may act on behalf of Credit Institutions (the “Institutions”) through web pages or software applications -apps, which will be limited to the following banking operations:
a) Opening Tier 2 accounts and transferring funds associated with such accounts.
b) Granting loans for amounts limited to three thousand UDIs .
c) Payments for goods and services, and
d) Consulting balances and movements.
When contracting technology-based commission agents, Institutions must consider additional requirements and obligations in addition to those already in effect, as follows:
a) Information security, operational processes, and database and computing systems management.
b) Likewise, Institutions must know and gather from the technology-based commission agents’ information and documentation related to their information servers, contracts in force with third parties, and the employees who will carry out the operational processes related to financial services.
c) The information that Institutions must ensure that the technology-based commission agents make known to their customers on the use and registration of public and private keys and the factors that will allow customers to be authenticated for the execution of operations.
II. Operational Process.
To execute operations through technology-based commission agents, all customers must be previously authenticated by the Institution. Therefore, the customer will be redirected from the commission agent’s interface to the Institution’s for verification and authentication and then back to the agent’s interface to carry out the operation.
This means that once the customer has been authenticated, the technology-based commission agent will have access to the customer’s information and will be able to carry out the transaction. However, the permissions granted to the commission agent to access the customer’s information will be revoked either (a) once the transaction has been completed, (b) the allowed time to carry out the operation expires, or (c) due user inactivity, the session expires.
Regarding the contracts that Institutions enter into with the technology-based commission agents, it is to be found that specific clauses must be settled that will prevent the agent from processing, transmitting, storing, modifying, or copying the authentication factors information necessary to authorize the operations; the usage and processing of the client’s information through encrypted messages; the maximum allowed times to carry out the operations; employee information and notices of changes thereto; among others.
III. Business Strategic Plan.
In order to carry out operations through technology-based commission agents, Institutions must submit their Business Strategic Plan (commonly known by its initials in
Spanish, “PEN”) to the CNBV for authorization before the signing of the commercial commission contract and for a single-time only. The PEN must fulfill the aforementioned requirements and those contained explicitly in Annexes 57, 58, and 59, as well as the model for the commercial commission contract that will be used.
The Provisions do not change the reasons for which Institutions must request a new authorization to the approved PEN, which remain the following:
i. Reforms that imply changes to the terms under which the operations would be executed
ii. Substantial changes in the terms and conditions of the contract.
iii. Operations not included in the PEN
iv. Implementation of a new technology, or
v. Operating with new agents not foreseen in the PEN.
However, the Provisions carry a contradiction regarding the items iii, iv, and v outlined above, as while the regulation mandates a new PEN authorization in those cases, the Provisions merely stipulates that the CNBV shall authorize (i) the technical requirements as listed on Annex 59, and if given case, the description of the new technology and its implementation, and (ii) the draft of the commercial commission contract in accordance with the authorized PEN.
It is worth noting that the Provisions mandate that the draft contract mentioned in item (ii) must comply with the requirements stated in the Provisions, with the exception of the provisions set forth in the second paragraph, Section I of Article 324 of the Provisions, which refer to the operations that the commission agent manager will contract on behalf of the Institutions.
IV. Administrators of Commission agents.
Regarding the regime of commission agents' administrators, the last paragraph of Article 319 Bis prohibits commission agents' administrators from subcontracting to technology-based commission agents. However, the Provisions does not establish the prohibition in Article 321 Bis 2, which refers to the administrators of commission agents and the characteristics, requirements and prohibitions for the hiring of commission agents in the name and on behalf of credit institutions.
V. Transitional Provisions.
The transitional provisions will require Institutions to make adjustments to the contracts they already have in force with their commission agents while also complying with the given obligations that arise from said adjustments within eighteen months of the Preliminary Draft’s entry into force. These changes will apply to contracts with commission agents with physical establishments, these changes include but are not limited to:
i. Include flowcharts that specify the operational or database and IT system management processes, and the physical location of the Institution’s servers.
ii. Acceptance by the commission agent of the delivery of additional information and documentation, in addition to the current one, during audits.
iii. Restrictions and conditions regarding the possibility of subcontracting the provision of on-demand computing and technology infrastructure services through the internet.
iv. Dispute resolution mechanisms between the commission agent and the subcontracted third party.
v. The information that must be published by Institutions and commission agents to the public, and
vi. The information contained on Annexed 58 and 59.
* * * *
This document does not constitute legal advice. If specific information or legal counsel is required, please contact us.
Campa & Mendoza
