Financial Data Protection in LATAM: Residency and Encryption
WAU Marketing, Apr 23
In 2025, Mexico changed the rules of personal data and almost no one in banking saw it coming. The law got stricter and, at the same time, the body that enforced it stopped being autonomous. That combination changes the risk calculus for your institution.
It's no minor tweak. On March 21, 2025, a new Federal Law on the Protection of Personal Data Held by Private Parties took effect, replacing the 2010 one. And with it, the INAI disappeared: its supervisory functions passed to a ministry that reports directly to the Executive, per KPMG's analysis and as confirmed by EY. For a financial institution, that means stricter rules enforced by a regulator with a different incentive structure. Anyone still managing customer data with fifteen-year-old architecture is building up a liability that's no longer just technical: it's legal.
What changed, concretely
The reform tightens exactly the points a bank cares about most:
Stricter consent. For financial data, consent must be express and in writing, and revocable at any time. The option to reuse data for "analogous purposes" is gone: each new use requires a new permission, as Greenberg Traurig details.
Reinforced ARCO rights, with an addition. Access, rectification, cancellation, and objection remain, with a 20-business-day response window. And a new right suited to this era appears: to object to automated decisions affecting the data subject. If your credit scoring is an algorithm, this concerns you.
More obligated parties. The definition of who answers for the data was widened to also reach data processors, as Garrigues summarizes.
And the penalty stopped being symbolic: fines reach hundreds of thousands of UMAs—on the order of tens of millions of pesos, doubling if sensitive data is involved—with prison terms of up to five years for willful misuse, under the new law analyzed by UPLAW and the text published in the DOF. The cost of a data slip no longer fits in a footnote.
Data residency: where your data lives matters
Here's the point that links the law to your architecture. The CNBV's Banking Single Circular requires an institution to seek prior authorization—at least 20 business days in advance—before contracting cloud or third-party services operating wholly or partly outside Mexico, per the CNBV's own guide. The provider must reside in a jurisdiction whose laws protect personal data, and there's an obligation to keep a local copy of the records, as AWS's Mexico compliance guide documents.
Translation for whoever decides the technology: where your data physically lives is a regulated decision, not an infrastructure detail. A core born with configurable data residency—letting you choose and prove where each piece of data is stored and processed—keeps every cloud contract from becoming a bottleneck before the regulator. A core that doesn't account for it forces you to solve it with patches, project by project.
Encryption: not an option, an architectural requirement
The CNBV doesn't leave encryption to discretion: it requires cryptographic keys and encryption processes to live in high-security devices—HSMs—and communication to guarantee integrity and confidentiality, per the Banking Single Circular. On top of that, the PCI DSS 4.0 standard requires, for card data, TLS 1.2 or higher encryption in transit and storing the card number encrypted or tokenized, per the PCI DSS guide and Thoropass's analysis. The most effective strategy is still the one we've championed: get sensitive data out of where it isn't needed, through tokenization, instead of armoring every corner.
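The tokenization-plus-TLS pattern described above, as an added illustration (this is example code, not WAU's core or any product's API): the application stores only a random token and a masked form, the hypothetical `TokenVault` is the single component that maps tokens back to card numbers, and detokenization is role-gated. The PAN is the standard test number 4111111111111111; in a real deployment the vault's mapping would sit in an HSM-backed encrypted store rather than a dictionary.

```python
import secrets
import ssl


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form kept by the application: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the only place the token-to-PAN mapping exists.
    Here it is an in-memory dict; in production it would be an HSM-backed
    encrypted store, so a leak of the application database exposes no PANs."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token: no mathematical relation to the PAN, so it is useless
        # to anyone who does not also control the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the component that actually needs the PAN may recover it.
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def store_card(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the application database keeps: token and masked PAN, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


def make_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, per PCI DSS 4.0."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```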
All of this works if it's in the foundation. Encryption and key management bolted on at the end, onto a core not designed for them, are fragile and expensive to audit.
It's not just Mexico: the region is a mosaic
If your institution operates—or aspires to operate—in several countries, the challenge multiplies. Brazil has the LGPD, with fines of up to 2% of revenue—capped at 50 million reais per infraction—per the law's own text, and since October 2025 its authority (the ANPD) operates with full sanctioning structure, according to the official gov.br site. Chile launches a European-style law in December 2026, Law 21.719, published in the Official Gazette and available through the National Congress Library. Colombia and Argentina have their own, each with its transfer and residency rules. There's no single regional framework; there's a country-by-country puzzle. No surprise that 84% of financial institutions have already modified their cloud roadmap for privacy, sovereignty, and operational-risk reasons, per an LSEG study reported by InnovaciónDigital360. Architecture that doesn't account for that fragmentation becomes a brake on growing in the region.
How we see it at WAU
At WAU we design cores where data protection isn't a module hung on at the end, but part of the foundation: configurable data residency to meet the CNBV rule without re-engineering, encryption and HSM key management out of the box, and traceable consent management as a first-class data point. Complying with the 2025 law—and with the regional mosaic—stops being a race against the regulator and becomes a property of the system.
If the data reform caught you with a core that wasn't built for it, let's talk. We'll review where you're exposed and map the route to close it. 👉 Book a conversation with our team.
Sources
KPMG — Flash: Mexico's new Federal Personal Data Protection Law (Apr 2025)
Garrigues — The new LFPDPPP introduces the privacy notice and eliminates the INAI (2025)
UPLAW — New 2025 Personal Data Protection Law: sanctions and keys (2025)
CNBV — Guide for authorizing the contracting of third-party services (2022)
AWS — User guide to regulations applicable to credit institutions in Mexico (CNBV)
CNBV — General provisions applicable to credit institutions (Banking Single Circular)
PCI DSS Guide — Securing Card Data in Transit: Requirement 4 (PCI DSS 4.0)
LGPD Brazil — Article 52: ANPD administrative sanctions (fine up to 2% / R$50M cap)
gov.br / ANPD — The ANPD and the application of sanctions for LGPD non-compliance
National Congress Library of Chile — Law 21.719 (in force Dec 2026)