top of page

Open Finance in Mexico: What the Fintech Law Demands of You

  • Writer: WAU Marketing
    WAU Marketing
  • Jan 20
  • 3 min read

Updated: Jun 23

On paper, Mexico was the first country in Latin America to legislate Open Finance. In practice, it's still waiting for the rules that would make it real.


That tension is exactly what any financial institution operating in—or eyeing—Mexico needs to understand. Because the obligation already exists—it's been in the law since 2018—but the piece that truly changes the business still hasn't been published. And that gap defines what you should be doing with your core today.


What the law says (and since when)


Mexico legislated Open Finance on March 9, 2018, within the Law to Regulate Financial Technology Institutions—the Fintech Law. Its Article 76 establishes something powerful: the obligation of financial entities and fintech institutions to share their clients' data through standardized APIs, per Holland & Knight's analysis. It's not a recommendation; it's a mandate that reaches more than 5,000 supervised entities, according to Legal Paradox.


The law contemplates three layers of data:


  • Open data: product and service information (locations, fees, rates). Public, no consent needed.

  • Aggregated data: statistical information, without identifying the client.

  • Transactional data: each client's actual activity, shared with their express consent. This is the layer that transforms credit, scoring, and experience.


Where the bottleneck is


Here's the uncomfortable part. The CNBV published the rules for open data on June 4, 2020, as Holland & Knight confirmed. But the secondary regulation for aggregated and, above all, transactional data—the part that actually operationalizes Open Finance—remained unpublished at the start of 2026, more than 2,170 days past the deadline the law set, according to law firm SMPS Legal. No dedicated implementation entity, no standardized testing environment, no third-party certification framework. Mexico took the lead in legislation and lost it in execution.


The contrast stings: Brazil legislated Open Finance two years after Mexico and already has more than 128 million active consents, making it the world leader in the sector, per a Sensedia report cited by specialized media. Colombia advanced by decree and then made its provisions mandatory, according to Latinia. Mexico holds the oldest legal framework in the region and one of the most stalled in execution.


So what can you actually do today?


Far more than it seems. Regulatory inaction is no excuse for technological inaction—quite the opposite. Three concrete fronts:


First, what's already accessible. Open and aggregated data are available; you can consume them today to enrich products and analytics.


Second, bilateral agreements. Several Mexican banks already expose APIs ahead of any mandate. A prepared institution can close voluntary data-sharing agreements with early-adopter partners and start building real use cases while the competition waits for the decree.


Third, and most important: get the core ready. When the CNBV finally publishes the transactional-data specs, there will be two kinds of institutions—those ready to connect in weeks, and those starting a 12-to-18-month re-engineering. The difference isn't decided by the regulator; it's decided by you, today, in the architecture you choose.


The target is moving: Fintech Law 2.0


There's another reason not to sit still. The 2018 framework already fell short against models that didn't exist back then—embedded finance, Banking-as-a-Service, AI scoring. That's why a reform is under discussion, a "Fintech Law 2.0," aimed at extending the law toward open-finance APIs, AI-driven credit scoring, and digital-asset custodians, tied to the national digital identity Llave MX, according to SMPS Legal's analysis and Aurora Policy Solutions. Anyone designing their core only around the 2018 law is modernizing toward a framework that's about to change.


Don't forget the privacy layer: any use of client data in Mexico requires express consent, a privacy notice, and respect for ARCO rights under the Federal Data Protection Law. Your architecture has to manage consent natively, not as a patch.


How we see it at WAU


At WAU we get cores ready for Open Finance even when the final rules aren't written yet. We design the API and consent-management layer so that, when the CNBV publishes, your institution connects without re-engineering—and in the meantime, you're already capturing value with open data and bilateral agreements.


If you want your core on the right side of that gap when the decree arrives, let's talk. We'll help you map the readiness path. 👉 Book a conversation with our team.


Sources


Comments


bottom of page