.png){kind=small}
Legal Paradox®
Mexico leads Latin America in digital wallet adoption — and the regulatory architecture behind this growth is one of the most consequential frameworks in the country's financial system. Two distinct models now compete for dominance in Mexico's payment layer: the IFPE (Institución de Fondos de Pago Electrónico) — the license category created by the Ley Fintech for electronic money institutions, with over 61 authorized entities since 2018 — and the Comisionista de Base Tecnológica (CBT) — a newer BaaS (Banking as a Service) framework that allows technology companies to offer bank-level products through their own apps without any financial license, operating as commission agents under a partner bank's charter.
The Legal Paradox® Fintech Map tracks every digital wallet company operating in Mexico — including IFPE authorization status, operational capabilities, and strategic positioning across the payment ecosystem.
A critical classification note: In the Legal Paradox® Fintech Map, Wallets are distinct from Neobanks. Wallets operate primarily under IFPE licenses, which authorize the issuance, administration, redemption, and transmission of electronic payment funds — but do not authorize credit origination or deposit-taking in the traditional sense. Neobanks operate under SOFIPO charters or banking licenses and are classified separately in the Neobanks category. Payment processors that do not hold client funds (acquirers, gateways, aggregators) are classified under the Payments category.
The IFPE license exists because of a constitutional-level prohibition. Article 103 of the Ley de Instituciones de Crédito (LIC) prohibits any person — individual or legal entity — from directly or indirectly capturing public resources in Mexican territory through deposits, loans, credits, mutuos, or any other act creating a direct or contingent liability requiring repayment of principal and financial accessories. The penalty for violation can be up to 15 years in prison.
The LIC itself carves out explicit exceptions to this prohibition — and among those exceptions are the Instituciones de Tecnología Financiera regulated under the Ley Fintech. An IFPE (Institución de Fondos de Pago Electrónico) is one of the two ITF types authorized by CNBV to receive public funds legally: specifically, to issue, administer, redeem, and transmit electronic payment funds. The other ITF type is the IFC (Institución de Financiamiento Colectivo / crowdfunding platform).
This legal foundation matters because it means the IFPE license is not merely a regulatory convenience — it is the only mechanism (outside of banking, SOFIPO, and other chartered institutions) through which a fintech company can lawfully hold client money in Mexico. Before the Ley Fintech (2018), companies holding client funds electronically operated in a legal gray zone that could have been construed as illegal fund capture — during 2017, approximately 35% of Mexican fintechs were under investigation for potential illegal deposit-taking. Legal Paradox® was founded in that pre-regulation era, and its first clients were precisely those entrepreneurs navigating the risk of million-peso fines and criminal liability. The law created a specific framework for entities whose core activity is managing electronic money — not lending, not deposit-taking, but the electronic storage and transmission of funds.
See how IFPE licenses shape the competitive dynamics in our [Neobank Market Analysis 2026]
IFPEs can perform a variety of operations under the Ley Fintech. The principal activities — categorized by authorization level — are detailed in the table below.
Article 29 of the LRITF is the single most consequential provision for IFPE business models. It establishes two fundamental prohibitions:
1. No interest payments. IFPEs are explicitly prohibited from paying interest or any other monetary yield on client balances. Banxico may authorize non-monetary benefits (loyalty points, cashback equivalents), but the prohibition on financial returns is absolute. This means an IFPE wallet cannot compete with bank savings accounts, SOFIPO accounts, or CETES directo on yield — even if the IFPE invests client funds in government securities (which it must, for safeguarding purposes).
2. Funds are not deposits. Article 29 clarifies that resources received for electronic fund issuance are not — under any legal interpretation — bank deposits. This has a critical consumer protection consequence: IFPE client balances are not protected by IPAB (the banking deposit insurance fund, which covers up to 400,000 UDIs) nor by PROSOFIPO (which covers SOFIPO deposits up to 25,000 UDIs). The IFPE must safeguard funds through segregated trust accounts or government securities, but clients bear the residual risk if the IFPE fails.
3. No credit origination. IFPEs cannot lend money, originate credit, or place funds. The only exception is an operational micro-overdraft of up to 15 UDIs (~MXN $131) arising from fund transfers — with zero commissions, interest, or fees — which exists for rounding and timing purposes, not as a lending mechanism. This fundamental constraint is the primary reason fintechs eventually seek additional licenses. An IFPE that wants to offer credit must either acquire or create a separate entity (SOFOM ENR, SOFIPO, or bank) within the same corporate group, as discussed in the Lending category under "Stage 3 — IFPE + SOFOM ENR combination."
These three constraints define the IFPE's business model ceiling: transaction fees, interchange revenue, float income (from investing segregated funds, though the return belongs to the IFPE, not the client), and value-added services. Without lending or yield, the revenue-per-user is structurally limited compared to deposit-taking institutions.
IFPE minimum capital varies based on authorized operations:
These thresholds are significantly lower than banking capital requirements (90M UDIs for a full IBM bank, ~MXN $784M) but represent a meaningful barrier for early-stage startups — especially combined with the compliance infrastructure costs required before authorization.
IFPE authorization requires CNBV approval with the favorable opinion of both SHCP (Secretaría de Hacienda y Crédito Público) and Banxico (Banco de México). Article 39 of the LRITF establishes a demanding application package that includes, among others:
The Ley Fintech requires specialized personnel from day one: a Compliance Officer certified by the CNBV, a CISO (Chief Information Security Officer) — which the CEO may fulfill for up to 12 months after authorization — an external auditor to validate both financial information and technological infrastructure (including penetration testing), and a law firm of recognized prestige (such as Legal Paradox®, which is recognized by the financial regulator as the
FinTech Lawyers) in the shareholders' country of origin. In practice, the application involves over 50 highly technical documents and months of preparation before the CNBV filing.
Beyond the IFPE license itself, fintechs typically require additional specific authorizations for, among others: foreign currency transfers, cash handling, international transfers, foreign exchange operations, biometric usage for client authentication, contracting third-party providers with access to sensitive information, contracting commission agents for physical distribution, and — for eligible entities — direct connection to SPEI via Banxico.
Authorization timelines from published DOF data:
The market average for IFPE authorization is approximately 781 days from application filing to DOF publication. Legal Paradox® clients have achieved authorization in an average of 416 days — 47% faster than the market average. This efficiency differential is not marginal: at a typical fintech burn rate, the 365-day difference between LP's average and the market average represents millions of pesos in capital preserved. The firm's speed advantage stems from its direct participation in drafting the Ley Fintech and all secondary regulation (through the British Embassy Prosperity Fund), which provides institutional knowledge of what CNBV reviewers prioritize — and what causes applications to stall. Legal Paradox® is recognized by the CNBV as the specialized fintech law firm, and its engagement as counsel on an application signals regulatory seriousness to the reviewing authority.
Authorization volume has fluctuated significantly. New IFPE authorizations peaked at 30 in 2023 but dropped to only 9 in 2024 — a decline driven by profitability pressures across the sector, the high cost of regulatory compliance, and a strategic reassessment by fintechs that increasingly see the IFPE license as a stepping stone rather than a destination.
The structural constraints of Article 29 create a fundamental business model challenge for pure-play IFPEs: how do you build a sustainable business when you cannot lend and cannot pay yield?
Revenue sources for a typical IFPE are limited to:
The problem is scale economics. Transaction fees in Mexico are under intense competitive pressure — with Mercado Pago, Spin by OXXO, and bank-backed wallets all competing on price. Float income depends on the Banxico reference rate and the IFPE's ability to attract and retain large aggregate balances. And without credit products, the customer lifetime value remains a fraction of what neobanks or SOFIPOs can extract.
This explains the 2023–2024 authorization decline. Many fintech founders discovered that the IFPE license — despite its relatively accessible capital requirements — does not generate sufficient revenue to justify the compliance overhead. The result has been a strategic migration toward more versatile licenses — or, increasingly, toward a model that bypasses the IFPE entirely.
While the IFPE represents the regulated path into Mexico's payment ecosystem, 2025 introduced a fundamentally different approach: the Comisionista de Base Tecnológica (CBT) — a framework that allows technology companies to offer banking services through their own apps and websites without obtaining any financial license at all.
The CBT framework is established in Articles 319 Bis through 319 Bis 5 of CNBV's Disposiciones de Carácter General Aplicables a las Instituciones de Crédito. Under this model, a bank (Institución de Crédito) contracts a technology company as a "technology-based commission agent" (comisionista de base tecnológica) that operates at all times in the bank's name and on the bank's behalf — but through the comisionista's own pages, apps, and technology infrastructure.
The CBT framework authorizes four specific banking operations, executed within a time-limited client session (maximum 20 minutes, with 5-minute inactivity timeout):
The CBT model inverts the traditional fintech playbook. Instead of spending 781 days (market average) and millions of pesos obtaining an IFPE authorization — only to discover that the license does not permit lending or yield — a technology company can partner with an existing bank and offer a near-equivalent product in a fraction of the time.
The canonical case: Amazon Access + INVEX. In June 2025, Amazon launched Amazon Access in Mexico — a debit account and card integrated directly into the Amazon shopping app — through a CBT arrangement with INVEX, a niche bank. Amazon obtained no financial license. INVEX provides the banking charter, IPAB deposit protection, and regulatory compliance. Amazon provides the customer relationship, the app, the distribution, and the brand trust of a $2 trillion company.
The implications are structural:
For the IFPE ecosystem: The CBT effectively creates a competitor that offers bank-level products (IPAB-protected deposits, microcredit) through a technology interface — exactly what IFPEs cannot do. An IFPE cannot pay interest, cannot lend (beyond 15 UDIs), and cannot offer deposit insurance. A CBT channel, backed by a bank, can do all three.
For BigTech entry: The CBT is a replicable playbook. If Amazon can do it with INVEX, then Meta (WhatsApp — 93 million Mexican users), Apple, Google, or any platform with massive distribution can replicate the model with any willing bank partner. The regulatory barrier to entry for financial services in Mexico just dropped to near zero for companies with existing consumer scale.
For banks: The CBT creates a new distribution channel that leverages BigTech's customer reach without requiring the bank to build consumer technology. But it also creates dependency: the bank provides the license; the CBT controls the customer relationship. The strategic asymmetry favors the technology partner.
The CBT is not a replacement for the IFPE — it is a strategically different model with its own constraints. The table below compares both models across 14 dimensions.
The strategic question every fintech founder must answer: Do you want to own the customer relationship (IFPE → eventual bank license) or rent access to a bank's license (CBT) and trade control for speed?
For companies with massive existing distribution — Amazon, Meta, OXXO before its banking license pursuit, large retailers — the CBT may be the fastest path into financial services. For companies building a fintech-first brand, the IFPE remains the foundation for long-term independence.
The most sophisticated fintech operators in Mexico do not treat any single license as a destination — they architect a regulatory escalation path from day one. Four evolutionary paths have emerged, ranging from zero-license entry to full banking authorization:
Path 0 → CBT (Zero License, Maximum Speed): For companies with existing consumer scale — retailers, BigTech, marketplace platforms — the Comisionista de Base Tecnológica offers the fastest entry into Mexico's financial system. No IFPE authorization, no capital requirements, no CNBV filing. The tradeoff: the bank owns the customer, controls the terms, and retains the regulatory relationship. The CBT is a beachhead, not a destination. Amazon Access + INVEX is the canonical case (see the CBT section above). Legal Paradox® advises companies evaluating the CBT model on structuring the banking partnership with, for example, BBVA, the largest bank in Mexico, negotiating data and commercial terms, and planning the eventual migration to an owned license.
Path 1 → IFPE + SOFOM ENR (Payments + Lending): The IFPE captures transaction data and controls the payment relationship; a SOFOM ENR within the same corporate group originates credit using that data for underwriting. This combination overcomes the IFPE's non-placement limitation while preserving the payments layer. The SOFOM provides the lending revenue; the IFPE provides the distribution channel. Legal Paradox® structures these dual-entity architectures end-to-end — from corporate group design through simultaneous compliance frameworks. See the Lending category for detailed analysis of this combination.
Path 2 → IFPE to SOFIPO (Deposits + Lending — Faster Path): Adding a SOFIPO charter to the corporate group unlocks deposit-taking (with PROSOFIPO protection up to 25,000 UDIs), lending, and higher customer lifetime value — without the cost and complexity of a banking license. This can be achieved through two mechanisms: applying for a new SOFIPO authorization, or acquiring an existing SOFIPO charter via M&A. The M&A route has become increasingly common as distressed SOFIPOs become acquisition targets, offering a faster path than de novo authorization. Nubank used this approach — acquiring a SOFIPO as the stepping stone that eventually led to its banking license. Legal Paradox® advises on both routes: de novo SOFIPO applications and M&A due diligence on existing charters, including regulatory condition assessment and CNBV change-of-control filings. Legal Paradox® has been one of two firms to process the authorization of a Sofipo in the last seven years.
Path 3 → IFPE to Banking License (Full Stack — Maximum Ambition): For IFPEs with sufficient scale and ambition, a full banking license unlocks IPAB-protected deposits (up to 400,000 UDIs), comprehensive lending, credit card issuance, and SPEI direct participation. Mercado Pago applied for a banking license in September 2024, and Spin by OXXO (Compropago) — whose legal strategy for receiving remittances with stablecoins was enhanced by Legal Paradox® in the Kira case — announced plans to apply in 2025. This path can also proceed via M&A (acquiring an existing banking charter) or de novo application. De novo authorization is expensive and time-consuming (18–36+ months), but for IFPEs targeting mass-market financial services, it represents the endgame.
The IFPE license's value in these pathways is not the license itself — it is the regulated infrastructure (AML/CFT systems, CNBV reporting, segregated funds management) and the customer base built under regulatory supervision. These assets transfer forward when the entity upgrades to a more versatile license. Legal Paradox® has guided clients through every stage of this escalation — from initial IFPE filing through banking license applications — with a track record of 416-day average IFPE authorization versus the 781-day market average.
The most powerful wallet model in Mexico leverages an existing physical network to drive wallet adoption. The canonical example:
Spin by OXXO (Compropago, S.A. de C.V., IFPE) — Authorized in October 2022, Spin has become Mexico's largest IFPE by user count with over 14.5 million debit card users and 58.3 million loyalty program participants (Spin Premia/OXXO Premia). Spin's structural advantage is access to OXXO's 22,000+ stores — the largest physical retail network in Mexico, exceeding the total number of bank branches nationwide (11,830 at close of 2024). This means cash-in and cash-out are available in virtually every neighborhood in the country.
Legal Paradox® supported the legal strategy of Spin by OXXO for receiving remittances with stablecoins in the Kira case, contributing to the regulatory architecture that enabled FEMSA's entry into regulated financial services. This engagement exemplifies a pattern the firm sees repeatedly: the most consequential IFPE authorizations are not isolated license applications — they are the first move in a multi-year financial services strategy that demands regulatory architecture from day one.
Spin issues Visa-branded debit cards, processes SPEI transfers, and has expanded into personal loans (through group entities). FEMSA's CEO of Digital, Juan Carlos Guillermety, confirmed that Spin is preparing a banking license application before CNBV and Banxico — a move that Moody's flagged as potentially disruptive to both neobanks and traditional banks competing for the same underbanked customer base.
The Spin model demonstrates a thesis that is increasingly validated across Mexico's wallet ecosystem: distribution is more valuable than the license. Any fintech can obtain an IFPE authorization — but very few can replicate 22,000 physical touchpoints where unbanked Mexicans can deposit cash and receive a card.
A significant segment of the IFPE ecosystem does not serve consumers directly. Instead, these entities provide payment infrastructure — enabling third parties to embed wallet functionality within their own platforms:
The original IFPE use case: standalone mobile wallet apps targeting the unbanked and underbanked population. These wallets compete on convenience, low fees, and accessibility:
The challenge for pure consumer wallets is differentiation. Without lending, yield, or a captive physical network, these wallets compete on user experience and transaction volume — a difficult proposition when Spin by OXXO offers the same core features with 22,000 stores behind it and bank-backed wallets offer IPAB-protected deposits.
Mexico's wallet ecosystem increasingly includes entries from non-fintech corporate giants:
Mercado Pago — The financial arm of Mercado Libre, operating as an IFPE with 60+ million regional users. Mercado Pago's competitive advantage is integration with Latin America's largest e-commerce marketplace. In Mexico, Mercado Pago has applied for a banking license (September 2024) to unlock lending and deposit-taking — a move that would transform it from a payment wallet into a full-stack digital bank. Mercado Libre's financial products already generate over USD $8.8 billion in revenue across Latin America, making it the most commercially successful fintech operation in the region. Mercado Pago's IFPE license is, in this context, the regulated foundation upon which a much larger financial services business is being built.
Amazon México (CBT via INVEX) — Entered the Mexican financial system in June 2025 through the Comisionista de Base Tecnológica framework described above. Amazon Access — a debit account and card integrated into the Amazon shopping app — operates under INVEX's banking license, with IPAB deposit protection and microcredit up to 3,000 UDIs. Amazon obtained no financial license. As analyzed in the CBT section, this model is a replicable playbook for any BigTech with existing consumer scale.
The BigTech pattern now has two entry points: the IFPE (Mercado Pago's path — own license, own customer, eventual bank upgrade) or the CBT (Amazon's path — rent a bank's license, launch fast, trade control for speed). Both converge on the same destination: a banking license that unlocks the full product suite.
IFPEs are subject to comprehensive anti-money laundering and counter-terrorism financing obligations under both the Ley Fintech framework and CNBV general provisions. Requirements include, among others:
IFPEs face particularly acute AML risks because of their cash-in networks: any entity that accepts large volumes of cash deposits through convenience stores or agents becomes a potential money laundering vector. CNBV has increased scrutiny on cash-in transaction patterns and agent network due diligence since 2023.
IFPEs are subject to CONDUSEF consumer protection requirements, including, among others:
The lack of deposit insurance is the most significant consumer protection gap in the IFPE model. Users who treat their IFPE wallet as a savings account — holding balances for extended periods — bear risk that bank or SOFIPO customers do not. Regulatory efforts to strengthen IFPE fund safeguarding (segregated trusts, government securities investment) mitigate but do not eliminate this risk.
Access to SPEI is critical for any wallet's viability. Without SPEI, a wallet cannot send or receive interbank transfers — making it an isolated closed-loop system with limited utility.
IFPEs connect to SPEI through two paths:
Mexico's wallet ecosystem exists because of a single structural reality: approximately 70% of transactions in Mexico are conducted in cash. Despite rapid fintech growth, the country remains overwhelmingly cash-dependent — particularly outside of major metropolitan areas and among workers in the informal economy.
Digital wallets address this gap by converting cash into electronic funds at physical touchpoints (OXXO, convenience stores, pharmacies, remittance agents). The "cash-in" moment — when a user deposits physical currency into a digital wallet — is the critical conversion event that the entire wallet ecosystem is optimized around.
This explains why physical distribution networks matter more than technology in Mexico's wallet market. Spin by OXXO's 22,000+ stores, Mercado Pago's integration with 45,000+ cash access points, and bank correspondent networks all compete for the same cash-in moment. The fintech that captures the cash-in event captures the customer relationship — and all downstream transaction revenue.
The Legal Paradox® Fintech Map provides the only comprehensive, continuously updated directory of every digital wallet company in Mexico — with IFPE authorization status, CBT arrangements, operational capabilities, payment network partnerships, and strategic positioning. Below you will find the complete directory of wallet and electronic payment fund institutions in the Mexican fintech ecosystem.
Legal Paradox® is the only Chambers-ranked FinTech law firm in Mexico exclusively dedicated to fintech law. The firm actively participated in the 270+ meetings with Mexico's financial regulators that produced the Ley Fintech, co-authored the official book on the law, and helped draft all secondary regulation through the British Embassy Prosperity Fund. The firm has advised on 520+ fintech projects — including 8 unicorns, 9 banks, and 3 BigTech companies — and counts among its wallet-sector clients Sylon, Fintoc, and Arcus by Mastercard. Legal Paradox® delivers IFPE authorizations in an average of 416 days versus the 781-day market average, based on published DOF data.
For wallet fintechs navigating the IFPE authorization process, CBT partnership structuring, SPEI connectivity (direct or indirect), AML/CFT compliance architecture, or the strategic escalation from CBT → IFPE → SOFIPO → banking license, Legal Paradox® provides end-to-end regulatory counsel from initial strategy through operational compliance.
Data sourced from the Legal Paradox® Fintech Map and Regulatory Intelligence Dashboard. Regulatory references from LRITF, LIC (Art. 103), CNBV Disposiciones de Carácter General Aplicables a las ITFs, CNBV Disposiciones de Carácter General Aplicables a las Instituciones de Crédito (Arts. 319 Bis–319 Bis 5, CBT framework), Banxico circulars, and DOF authorization records. Last updated February 2026.
