On July 11, 2024, the Resolution amending the Regulations applicable to credit institutions (the "Resolution")1 regarding Digital Agents was published in the Federal Official Gazette.
The purpose of the Resolution is to create a new type of banking commercial agent identified as "Digital Agents," referring to third parties who act on behalf and for the account of Banking Institutions ("Banks") through their own websites or software applications. This type of agents is different from the previously defined commercial agents, who have been redefined as "Agents with Physical Establishments".
Characteristics of Digital Agents
The Resolution incorporates a new Section to the Second Section of Chapter XI of Title Five of the Regulations applicable to banking institutions (the "Banking Regulations"), which outlines the requirements to hire Digital Agents. The requirements for hiring this new category include several aspects, including:
-
Operations
Digital Agents may only be hired to publicly offer (i) the opening of Level 2 bank accounts and transfers of funds associated with these accounts; (ii) the granting of credits in amounts not exceeding 3,000 UDIs (approximately US$1,380); (iii) the payment of goods and services; and (iv) balance and transactions checks of the products and operations that the client has contracted and performed with the Bank, respectively, through the Digital Agent.
-
Authorization Procedure
Banks will require the prior authorization from the National Banking and Securities Commission ("CNBV") to hire Digital Agents, evidencing compliance with the requirements of Chapter XI of Title Five of the Banking Regulations, which include, among others, the following:
(a) Commercial Agency Agreements
- Commercial agency agreements between Banks and Digital Agents must include the following concepts, among others:
- the unconditional acceptance by the agent to identify its employees, pursuant to Annex 58 of the Banking Regulations, which regulates the Technical Requirements for the Operation of Electronic Means for the Operations of banking agents;
- the exchange of client information with the Bank when using web pages or computer applications must be through a secure channel, observing applicable requirements;
- the prohibition to subcontract the services, except for services related to on-demand computing and technological infrastructure via the Internet;
- the mechanisms to resolve disputes related to the agreement between the agent and a subcontracted third party; and
- the obligation of the Digital Agent to comply with secure information handling requirements applicable to Banks.
(b) Subcontracting
Digital Agents are allowed to subcontract third parties for the provision of on-demand computing services and technological infrastructure via Internet to support their operations. When subcontracting said services, a report must be prepared including the name, address and the agreement between the Digital Agent and its subcontractors
(c) Interaction between Banks and Digital Agents
The communication between clients and Banks through the Digital Agent's Technological Infrastructure must meet the requirements of the Banking Regulations to conduct banking operations, providing clarity regarding the operating environment through messages to the client.
"Technological Infrastructure" includes computing equipment, data processing and communication facilities, communication equipment and networks, operating systems, databases, applications and systems of both Banks and Digital Agents. It also includes aspects related to the identification and segregation between them, as well as the authentication protocols and encryption keys that must be used in communications.
(d) Authentication Factors and Sessions
To conduct operations through Digital Agents, clients must be authenticated through Level 2 and 32 Authentication Factors. Banking Regulations require mechanisms for the connectivity between the Digital Agent and the Bank, and the Bank is responsible for the authentication activities, as Digital Agents are not permitted to perform this activity.
Additionally, the Banking Regulations include requirements regarding sessions initiated by clients, considering duration, inactivity times and closure scenarios.
-
Use of Information
Aggregated and disaggregated information obtained from operations cannot be used, shared, sold, or granted except to the client, the Bank and the Digital Agent. However, the parties may agree on terms and conditions to use, process, and transfer aggregated client information for processing.
Applicable reforms to hire service outsourcing and agents in general
The Resolution also impact certain articles of Chapter XI of Title Five of the Banking Regulations that must be observed in service outsourcing and commercial agencies in general.
-
Service Report
The Resolution increases the requirements applicable to the preparation of Service Reports, as such report must now include a flowchart specifying operational processes or database and computer system administration, the information exchanged in these processes, and the physical location of the Bank's servers.
-
Agreements
Commercial agency agreements must also include the following additional provisions:
- Unconditional acceptance by service providers or agents to deliver to the CNBV control figures, information structures, reports, operational tests and documents evidencing compliance with Banking Regulations, which may be delivered digitally and signed using Advanced or Reliable Electronic Signature.
- The prohibition on subcontracted third parties from carrying out Operations3 and functions on their own account or different from those agreed upon in the agreements.
- For commission agency agreements, additional scenarios must be included in relation to operational aspects, prohibitions to condition the operation on the acquisition of products or services, and exclusivity, among others.
-
Screening
Banks must show the CNBV that they verified that the service providers or agents and their shareholders and subcontractors are not included on official lists related to money-laundering, through a statement in the authorization application letter.
Transitional provisions
The Resolution became effective on July 12, 2024; however, it also sets forth a transitional period of 18 months, that is, until January 12, 2026. During such period, Banks must amend the existing agreements entered with third parties referred to in Chapter XI of the Banking Regulations, to incorporate the obligations derived from the Resolution.4
Within the same period, Banks must simultaneously comply with the obligations arising from the amendment to such agreements.
The transitional provisions do not specify whether the CNBV must previously authorize the amendments in the agreements and other documents of the file, as such amendments could be considered a material change to the terms originally authorized, so it will be necessary to follow the indications of the authority at the relevant time.
1 Available at https://www.dof.gob.mx/nota_detalle.php?codigo=5732991&fecha=11/07/2024#gsc.tab=0
2 Authentication Factors Level 2 comprise information that only the client knows, such as a password and PIN.
Authentication Factors Level 3 consist of dynamic, one-time use information, OTP.
3 As defined in Article 1, Section CXXI of the Banking Regulations.
4 That is, Articles 318, Sections II and III, subsection a), numeral 3 and subsection b), numeral 1, second paragraph and numeral 3; and 324, Section VII, of the Banking Regulations.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
