.png){kind=small}
Legal Paradox®
Mexico was one of the first countries in the world to legislate open finance. Article 76 of the Ley para Regular las Instituciones de Tecnología Financiera (Ley Fintech), enacted on March 9, 2018, mandated that all financial entities — not just banks, but IFPEs, IFCs, SOFIPOs, SOFOMEs, insurers, pension administrators, credit bureaus, clearinghouses, money transmitters, and sandbox participants — share financial data through standardized APIs (Interfaces de Programación de Aplicaciones Informáticas Estandarizadas). The scope was extraordinary: over +5,000 supervised entities obligated to participate in a data-sharing ecosystem that would, in theory, transform credit access, product comparison, account portability, and financial inclusion.
Eight years later, the revolution remains unfinished. Open Finance stalled at Phase 1 (datos abiertos). The secondary regulation required to operationalize datos agregados and datos transaccionales — the provisions that would actually transform financial services — has never been published. The regulatory delay now exceeds 2,170 days past the statutory deadline and grows by one day, every day, with no indication that CNBV has plans to issue it. In January 2026, entrepreneurs filed an amparo (constitutional lawsuit) against CNBV, Banxico, and SHCP for their omission. Meanwhile, Brazil — which legislated open finance two years after Mexico — already has more than 128 million active consents in its Open Finance ecosystem. Open Finance in Mexico is simultaneously one of the most ambitious regulatory frameworks in Latin America and one of its most conspicuous failures of execution.
The Legal Paradox® Fintech Map tracks every open finance and open banking company operating in Mexico — including API infrastructure providers, data aggregators, payment initiation platforms, and account information services.
Legal Paradox®'s connection to Mexico's Open Finance framework runs deeper than advisory work. In April 2018 — one month after the publication of the Ley Fintech — Legal Paradox® co-produced the first comprehensive Open Banking analysis in Mexico: "What is the potential for open banking in Mexico? Recommendations and roadmap for adopting an Open Banking Standard", published by C Minds, the Open Data Institute, and the FinTech Hub, commissioned by the British Embassy in Mexico through the Prosperity Fund. This study was initiated at the recommendation of the then-head of CNBV's fintech division, and it evaluated the potential impact of open banking, conducted interviews with 30 stakeholders, hosted workshops with 57 government regulators and 22 sector leaders, and surveyed 130 participants over five weeks. Legal Paradox® subsequently participated in Mexico's first Open Finance pilot project through its role as FinTech Regulation Adviser for the British Embassy's Prosperity Fund — the same programme through which the firm contributed to drafting the Ley Fintech secondary regulation.
Open banking is reshaping neobank competition — see our [Neobank Market Analysis 2026]
Article 76 of the LRITF establishes the legal foundation for Open Finance in Mexico. Unlike the European PSD2 model — which applies only to banks — Mexico's framework is universal: it applies to every supervised financial entity in the country, making it one of the broadest open finance mandates globally.
The law categorizes shared data into three tiers, each with increasing sensitivity and regulatory complexity:
Datos Financieros Abiertos (Open Financial Data) — Public, non-confidential information generated by financial entities: products and services offered to the public, fee structures, interest rates (GAT, CAT), location of branches, offices, ATMs, and other access points. This is the only tier fully implemented. CNBV published the corresponding disposiciones de carácter general on June 4, 2020.
Datos Agregados (Aggregate Data) — Statistical information about operations performed through financial entities, processed to a level of aggregation that prevents identification of individual persons or transactions. This includes portfolio composition, sector-level lending patterns, product usage statistics, and market-level activity data. Banxico published Circular 2/2020 on March 10, 2020, establishing API interoperability standards for credit bureaus (Sociedades de Información Crediticia) and clearinghouses (Cámaras de Compensación), partially covering this tier. The broader implementation across all financial entities remains incomplete.
Datos Transaccionales (Transactional Data) — Individual client transaction data: account balances, credit products, payment history, and financial activity associated with specific users. This is the tier that unlocks the transformative use cases — automated credit underwriting, account aggregation, personal financial management, payment initiation, and seamless account switching. Under Article 76, transactional data can only be shared with the client's explicit consent and through authorized intermediaries. This tier has never been implemented. The secondary regulation required to define consent mechanisms, authentication protocols, API technical standards, security requirements, liability frameworks, and authorization processes for third-party data consumers has not been published.
The three-tier architecture was by design, not accident. Legal Paradox® participated in the 270+ meetings with Mexico's financial regulators that produced this framework, and the phased approach reflected a deliberate strategy: build trust with low-risk data (open), establish technical infrastructure with medium-risk data (aggregate), and then unlock the highest-value data (transactional) once the ecosystem had matured. The problem is that the process stalled at phase one.
Understanding Open Finance in Mexico requires understanding what happened — and what did not:
March 9, 2018 — Ley Fintech enacted. Article 76 establishes the Open Finance mandate. Mexico becomes the first Latin American country to legislate open finance. The law's transitory articles establish a 24-month deadline for secondary regulation.
April 2018 — The first comprehensive Open Banking study is published: "What is the potential for open banking in Mexico?" — produced by C Minds, the Open Data Institute, and the FinTech Hub (commissioned by the British Embassy Mexico / Prosperity Fund), with Legal Paradox® participating through its FinTech Regulation Adviser role. The study recommends a phased implementation roadmap.
March 10, 2020 — Banxico publishes Circular 2/2020, establishing API interoperability standards for credit bureaus and clearinghouses. Scope limited to datos abiertos and datos agregados for these specific entities only. The statutory deadline for secondary regulation passes. The delay counter begins.
June 4, 2020 — CNBV publishes disposiciones de carácter general on datos financieros abiertos for all supervised entities. Defines API standards for sharing public information (ATM locations, product catalogs, fee structures). Compliance deadline: June 5, 2021.
June 2021 — Compliance deadline for datos abiertos. Financial entities begin exposing public APIs. The expectation — widely communicated by CNBV — is that datos agregados and datos transaccionales regulation would follow in 2022.
2022 — The expected publication of transactional data rules does not occur. No official explanation is provided. The ecosystem begins to express frustration.
June 2023 — An amparo (constitutional lawsuit) is filed in Quintana Roo by citizen Juan Pablo Ybarra Llamas, arguing that the regulatory omission violates constitutional rights to financial services. CNBV conducts pilot projects with TESOBE/Open Bank Project testing technical specifications and consent frameworks for transactional data.
2024 — CNBV pilots continue. No publication of secondary regulation. The talent exodus from CNBV accelerates — experienced technical staff depart for private sector opportunities, taking institutional knowledge with them.
December 10, 2025 — Entrepreneurs Adrián Martínez Pérez and Gerardo Moreno José file a new amparo before the Eighth District Court in Administrative Matters in Mexico City, naming CNBV, Banxico, and SHCP as respondents. They argue that the regulatory omission has blocked their fintech venture — a platform for managing the financial accounts of deceased persons — from operating. The case highlights a concrete business model made impossible by regulatory inaction.
January 2026 — The amparo attracts media coverage (Milenio, El Financiero). The CNBV faces real-terms budget cuts for 2026 amid a broader austerity environment. The combination of resource constraints, talent loss, and now judicial pressure creates unprecedented institutional pressure on the regulator.
February 2026 — The secondary regulation for datos transaccionales and datos agregados remains unpublished. The delay exceeds 2,170 days past the statutory deadline and grows by one day, every day. Open Finance in Mexico operates in a regulatory limbo: the law mandates data sharing, but the rules required to implement it do not exist.
The practical consequence of the regulatory stall is that the most valuable Open Finance use cases remain either illegal, impossible, or dependent on workarounds:
Account Aggregation — A consumer cannot authorize a single app to display all their accounts across banks, IFPEs, SOFIPOs, and investment platforms in one view. Without standardized transactional APIs, aggregation requires either manual data entry (unusable) or web scraping (technically fragile, legally ambiguous, and prohibited by most institutions' terms of service). Brazil's Open Finance ecosystem already has more than 128 million active consents — demonstrating the latent demand that Mexico's regulatory gap suppresses.
Automated Credit Underwriting — A fintech lender cannot, with the applicant's consent, query the applicant's transaction history across financial institutions to build an income profile and creditworthiness assessment. Instead, Mexican fintechs rely on credit bureau data (limited to formal credit history), alternative data sources (telecommunications, e-commerce), or manual document collection. The result: slower underwriting, higher costs, and exclusion of the informally employed population that Article 76 was specifically designed to serve.
Payment Initiation Services (PIS) — A third party cannot initiate a payment directly from a consumer's bank account, even with consent. This capability — standard in the UK under PSD2 and in Brazil under PIX + Open Finance — would enable account-to-account payments that bypass card networks and their interchange fees. The absence of PIS regulation in Mexico protects incumbent payment processors and card networks from competition.
Account Switching / Portability — A consumer cannot seamlessly transfer their direct debits, recurring payments, and standing orders from one institution to another. Switching costs remain high, locking consumers into relationships with institutions that may not serve them well — precisely the dynamic Article 76 was designed to disrupt.
Financial Management and Advisory — Automated budgeting tools, savings optimization, insurance comparison, and holistic financial planning all require cross-institutional transaction data. Without regulated access, these services operate with incomplete information, reducing their value to consumers.
Succession and Estate Management — The amparo filed in December 2025 highlights a specific use case: locating and managing all financial accounts, insurance policies, investments, and obligations of a deceased person. Without transactional data APIs, families navigating a death must contact every financial institution individually — a process that can take months and often results in unclaimed accounts.
Despite the regulatory gap, Mexico's Open Finance ecosystem has not stood still. Companies have built infrastructure, developed workarounds, and positioned themselves for the eventual implementation of full transactional data regulation. The market has evolved around the constraint rather than waiting for its removal.
Belvo — The leading open finance API platform in Latin America. Founded in 2019, Belvo has raised over USD $70 million (Kaszek, Quona Capital, Visa, Citi Ventures) and powers more than 80 million connected accounts across the region. In Mexico, Belvo works with BBVA, Banco Azteca, and Banamex, among others. The company provides financial data aggregation, enrichment, and payment initiation — operating ahead of formal regulation through bilateral agreements with financial institutions rather than through the standardized APIs that Article 76 envisions. Belvo's recent pivot toward AI-driven insights (its "Intelligent Ecosystem") signals that the value proposition is shifting from raw data connectivity toward automated decision-making built on top of aggregated financial data.
Finerio Connect — A Mexico City-based open finance platform that raised USD $6.5 million (Third Prime among others). Founded in 2018, Finerio began as a consumer personal finance app, pivoted to B2B in 2020 when inbound demand from banks and fintechs for financial data infrastructure accelerated. Finerio provides account aggregation, data categorization, and analytics as white-label services for financial institutions.
Syncfy (formerly Paybook) — Provides connectivity to banking and fiscal data sources in Mexico and Latin America. Syncfy's platform enables identity verification, account validation, and financial data retrieval through APIs — serving fintechs, lenders, and corporate clients that need programmatic access to financial information.
Prometeo — A cross-border open banking API providing connectivity across 10+ Latin American countries and the US. In Mexico, Prometeo enables account-to-account payments and financial data access through a single integration.
In the absence of standardized banking transaction APIs, Mexican fintechs have increasingly turned to fiscal data — information held by the SAT (Servicio de Administración Tributaria) — as a proxy for financial activity. Tax records, invoice data (CFDI), and fiscal compliance information provide insight into income, business activity, and financial behavior without requiring bank-level transactional access. Several aggregation platforms now offer SAT connectivity as a core product, effectively building an alternative data layer while the banking data layer remains locked.
This workaround has limitations: fiscal data reflects invoiced activity (formal economy) and tax compliance, not real-time account balances, spending patterns, or savings behavior. It also excludes the informal economy — precisely the population that Open Finance is supposed to serve. But for credit underwriting and business intelligence, fiscal aggregation has become a critical bridge technology.
Payment initiation — the ability for a third party to trigger a payment directly from a consumer's bank account — operates in Mexico through existing payment rails (SPEI, card networks) rather than through regulated open banking PIS APIs. Companies like Fintoc (a Legal Paradox® client) and Belvo offer payment initiation products, but these function through direct integrations with specific banks rather than through the standardized, consent-driven framework that Article 76 contemplates.
The practical difference: current payment initiation requires bilateral agreements with each bank, creating fragmentation. A standardized PIS framework would enable any authorized third party to initiate payments from any bank account, with the customer's consent, through a single API standard — dramatically reducing integration costs and enabling new business models (direct debit, subscription payments, instant merchant settlements).
Mexico's regulatory stall is particularly conspicuous when measured against peer jurisdictions:
Brazil — Implemented Open Finance in phases starting February 1, 2021. Phase 2 (customer data sharing) launched in August 2021 and Phase 3 (payment initiation via PIX) followed in October 2021 — completing the transactional data framework within approximately 17 months of the founding resolution (Resolução Conjunta nº 1, May 4, 2020). As of early 2026, Brazil's Open Finance ecosystem has surpassed 128 million active consents, governed by the Associação Open Finance Brasil (AOF) under BCB oversight, with standardized FAPI-based API security profiles. Brazil's central bank (BCB) took an active, prescriptive approach — defining technical standards, testing environments, and dispute resolution mechanisms in advance. The result: rapid adoption and a functioning ecosystem.
United Kingdom — The original open banking model. The CMA's Retail Banking Market Investigation Order was issued on February 2, 2017, requiring the nine largest banks (the "CMA9," holding over 90% of current accounts) to build open APIs. The Read/Write API standard went live approximately 11 months later, in January 2018. The Open Banking Implementation Entity (OBIE) — legally registered as Open Banking Limited — managed technical standards, certification, and dispute resolution. Over 10 million users were connected by mid-2024, growing to approximately 16 million by end of 2025. The UK model demonstrates that regulatory infrastructure (not just regulation) is required — a dedicated entity that manages standards, certifies participants, and resolves disputes. Joint oversight involved the FCA, CMA, PSR (Payment Systems Regulator), and HM Treasury.
Mexico — Legislated open finance on March 9, 2018. Published datos abiertos rules in June 2020. Datos transaccionales and datos agregados regulation: unpublished as of February 2026 — over 2,170+ days past the statutory deadline. No dedicated implementation entity. No standardized testing environment. No certified third-party framework. Mexico had a first-mover advantage in legislation and lost it entirely in execution.
Colombia — Published Open Finance regulations through Decreto 1297 de 2022, initially establishing a voluntary framework. The 2023 National Development Plan (Ley 2294 de 2023) added mandatory provisions, and the Superintendencia Financiera issued technical standards via Circular Externa 004 de 2024. Colombia is now advancing faster than Mexico despite legislating later, with defined timelines for implementation phases. The irony is that Colombia was trained by financial regulators from Mexico.
The lesson is consistent across jurisdictions: legislation without implementation infrastructure — a dedicated entity, technical standards, testing environments, certification processes, and dispute resolution — produces a regulatory mandate that exists on paper but not in practice. Mexico has the legislation. It lacks everything else.
Article 76 of the LRITF establishes that entities seeking access to financial data through APIs must obtain authorization from the relevant supervisory commission (CNBV, CONSAR, CNSF, or CONDUSEF, depending on the data source) or from Banxico (for credit bureaus and clearinghouses). The authorization requires, among others:
A work plan detailing the intended use of data, technical infrastructure, and security measures. A model interconnection contract (contrato de interconexión) defining terms of data exchange. A digital certificate authorized by Banxico for information transmission. Registration of any fees (contraprestaciones) charged for API access — which must be equitable and transparent, and which Banxico can veto if it finds them anticompetitive.
However, because the full secondary regulation has not been published, the authorization framework for transactional data access does not yet exist. Companies operating in the Open Finance space today do so through bilateral agreements with financial institutions, not through the regulated API framework that Article 76 envisions.
The Ley Fintech establishes that transactional data can only be shared with the explicit consent of the client. The secondary regulation — when published — must define, among others:
Consent collection mechanisms (how clients authorize data sharing). Consent duration and revocation procedures (how clients withdraw authorization). Data use limitations (what authorized parties can do with the data). Incident response obligations (notification requirements in case of data breaches — the law requires notification to the relevant commission within two hours of detection).
Until these rules are published, the consent framework remains undefined — creating legal uncertainty for companies that aggregate transactional data through non-API channels (screen scraping, direct integrations). Legal Paradox® advises Open Finance companies on navigating this regulatory uncertainty, structuring bilateral data-sharing agreements that anticipate the eventual regulatory framework, and preparing compliance architecture for the transactional data rules when they are finally published.
Open Finance infrastructure companies in Mexico face a structural business model challenge analogous to the IFPE profitability problem described in the Wallet category: the regulatory framework that would generate the highest-value revenue streams (transactional data, payment initiation) does not yet exist.
Current revenue models for Open Finance infrastructure providers include, among others:
Per-connection fees — Charging fintechs and corporates for each account connection or data retrieval through the platform. Pricing typically ranges from fractions of a cent to several cents per API call, depending on data type and volume.
Subscription models — Monthly or annual access to the aggregation platform, tiered by number of connections, data types, or API call volume.
Payment processing fees — For platforms that offer payment initiation, a percentage or flat fee per transaction.
Data enrichment and analytics — Premium services that categorize, label, and analyze raw financial data, transforming it into actionable insights for credit scoring, fraud detection, or financial management.
White-label solutions — Licensing the aggregation technology to banks and fintechs that embed it within their own products.
The companies that have achieved significant scale — Belvo ($70M+ raised, 80M+ connected accounts), Finerio ($6.5M raised), Fintoc (IFPE-licensed, Legal Paradox® client) — have done so by operating across multiple Latin American markets, diversifying beyond Mexico's incomplete regulatory environment. The Mexican market alone, constrained by the absence of transactional data regulation, does not yet generate the API call volume that would sustain infrastructure economics at venture scale.
The eventual publication of transactional data secondary regulation — whether driven by the amparo, institutional renewal at CNBV, legislative pressure, or competitive embarrassment relative to Brazil and Colombia — would trigger a cascade of consequences across Mexico's financial ecosystem:
For banks: Mandatory API exposure of client transaction data will enable competitors to build products on top of banking relationships. Banks that treat Open Finance as a compliance burden will lose clients to institutions that leverage it as a distribution channel. Banks that proactively build API ecosystems — enabling fintechs to create value-added services on their data — can strengthen client relationships and generate new revenue.
For fintechs: Full transactional data access unlocks the credit underwriting use case — the single most commercially valuable application. Fintechs that can assess creditworthiness from real transaction data (income, spending patterns, savings behavior) rather than credit bureau scores will offer faster, cheaper, and more inclusive lending. The IFPE + SOFOM ENR combination described in the Lending category becomes dramatically more powerful when the IFPE can access the borrower's complete financial picture across all institutions.
For Open Finance infrastructure providers: Companies that have built aggregation platforms during the regulatory gap will have a significant first-mover advantage when standardized APIs are mandated. Their existing integrations, data models, and client relationships position them as the infrastructure layer through which the ecosystem operates.
For consumers: Account portability, automated savings optimization, cross-institutional financial management, and competitive product comparison become possible for the first time. The 50+ million Mexican adults who lack formal credit access could benefit from transaction-based credit scoring that does not depend on traditional credit bureau history.
For Legal Paradox® clients: Open Finance regulation will generate a wave of compliance demand — authorization applications, consent architecture design, API technical compliance, data protection frameworks, and bilateral agreement restructuring. Legal Paradox® advises clients across the entire Open Finance value chain: infrastructure providers navigating the authorization process, banks designing their API compliance strategy, fintechs structuring data-sharing agreements that anticipate the regulatory framework, and technology companies preparing to operate as authorized third-party data consumers.
The Legal Paradox® Fintech Map provides the only comprehensive, continuously updated directory of every open finance company in Mexico — with API capabilities, data aggregation scope, payment initiation services, regulatory status, and infrastructure positioning. Below you will find the complete directory of open finance and open banking companies in the Mexican fintech ecosystem.
Legal Paradox® is the only Chambers-ranked FinTech law firm in Mexico exclusively dedicated to fintech law. The firm co-produced Mexico's first Open Banking analysis in April 2018 — "What is the potential for open banking in Mexico?" (C Minds, Open Data Institute, FinTech Hub, commissioned by the British Embassy / Prosperity Fund) — at the recommendation of the then-head of CNBV's fintech division, and subsequently participated in Mexico's first Open Finance pilot project through its role as FinTech Regulation Adviser for the Prosperity Fund. The firm actively participated in the 270+ meetings with Mexico's financial regulators that produced the Ley Fintech — including Article 76's Open Finance framework — and helped draft all secondary regulation through the British Embassy Prosperity Fund. Legal Paradox® has advised on 520+ fintech projects, including 8 unicorns, 9 banks, and 3 BigTech companies.
For Open Finance companies navigating the regulatory uncertainty of Mexico's incomplete framework — API authorization, transactional data compliance preparation, bilateral data-sharing agreements, consent architecture, payment initiation structuring, or strategic positioning for the eventual regulatory completion — Legal Paradox® provides end-to-end regulatory counsel from initial strategy through operational compliance.
Data sourced from the Legal Paradox® Fintech Map and Regulatory Intelligence Dashboard. Regulatory references from LRITF (Art. 76), CNBV Disposiciones de Carácter General Aplicables a las ITFs, Banxico Circular 2/2020, and DOF publications. Last updated February 2026.
