The Law to Regulate Financial Technology Institutions, known as the Fintech Law or by its Spanish acronym LRITF, is the backbone of Mexico's fintech regulatory framework. If your company operates, is about to operate, or provides services to companies regulated by this law, understanding its principles, figures and obligations is not optional — it is the difference between building a scalable business and building a regulatory liability.
In this guide we explain, without unnecessary jargon, what the Fintech Law is, when it was enacted, which figures it regulates, what its core principles are, what operational obligations it imposes, what fines apply for non-compliance, and where the Fintech Law 2.0 reform under discussion in 2026 is heading.
What is the Fintech Law and when was it enacted?
The Fintech Law is the Ley para Regular las Instituciones de Tecnología Financiera (LRITF), published in the Official Gazette on March 9, 2018. At the time it was the first comprehensive fintech law in Latin America and one of the most advanced globally. Its origin is the need to provide a legal framework for a phenomenon that was already happening: hundreds of technology companies offering financial services without specific regulation.
The law's stated objective combines five goals that later translate into its principles:
- Promote financial inclusion for the unbanked population.
- Foster innovation in financial services.
- Protect the consumer of digital products.
- Preserve the stability of the financial system.
- Prevent money laundering and terrorist financing in digital channels.
The Fintech Law is complemented by secondary regulation issued by CNBV, Banxico, SHCP and CONDUSEF: the General Provisions applicable to ITFs, Banxico's rules for electronic payment funds, UIF criteria for AML, and CONDUSEF guidelines for consumer protection. The law is only the first floor; the full regulatory edifice is far broader.
The 2018 Fintech Law was a delayed response to a market already in motion. Its merit is having created legal ground where none existed; its weakness is not having anticipated the speed at which innovation would outgrow its categories.
Regulated figures: ITF, IFPE and IFC
The Fintech Law creates an umbrella term, Financial Technology Institution (ITF), which groups two specific figures:
IFPE — Electronic Payment Funds Institution. Companies authorized to issue, manage, transfer and allow withdrawal of electronic payment funds: digitally stored money that the user can spend, transfer to third parties, or withdraw to a bank account. IFPEs are the natural figure for digital wallets, payment aggregators and processors. Minimum capital: roughly 700,000 UDIs (about MXN 5.5M). An IFPE cannot take deposits like a bank or extend credit to its clients.
IFC — Crowdfunding Institution. Platforms that connect, through software applications, people seeking financing with people willing to provide it. There are three modalities: debt-based (lending), equity-based, and shared-ownership/royalty (real estate, royalties). This is the legal vehicle for regulated crowdfunding in Mexico. Minimum capital: roughly 500,000 UDIs.
In addition to these two formal figures, the Fintech Law regulates three cross-cutting concepts that affect the entire financial system, not just ITFs:
- Virtual assets. Popularly known as cryptocurrencies. The law defines them, regulates who can operate them and under which conditions, and authorizes Banxico to issue specific rules. Reality: Banxico's rules have been so restrictive that very few formal operators exist in Mexico.
- Novel models (regulatory sandbox). A mechanism for companies with innovations not yet covered by the law to operate under temporary authorization. In practice, the Mexican sandbox has been under-used.
- Open banking. Obligation for financial institutions (banks, SOFIPOs, ITFs) to share standardized data via authorized APIs. Secondary regulation continues to evolve and full implementation is not yet complete.
If your company processes digital payments without taking deposits, you are probably an IFPE. If you connect investors with projects, you are probably an IFC. If you do digital lending, you are not an ITF; you are a SOFOM. This distinction is where most confusion happens and where early regulatory advice matters most.
Principles in the Fintech Law
The Fintech Law builds its entire framework on five guiding principles. Knowing them matters because, when there are gaps or doubts, regulators use them to interpret the law:
- Financial inclusion and innovation. Lower barriers so more Mexicans can access formal services and more companies can innovate. This is the political engine of the law.
- Consumer protection. Transparency in costs, fees, terms and conditions; effective complaint mechanisms; portability of personal data; obligation to provide clear information.
- Financial-stability preservation. Minimum capital, risk controls, strict segregation of customer funds from the ITF's assets, sound corporate governance.
- Promotion of fair competition. Mandatory open banking, technology neutrality, prohibition of anti-competitive practices, free entry for new players that meet requirements.
- Prevention of illicit operations. Reinforced KYC, transactional monitoring, UIF reporting, cybersecurity controls — the same obligations as any regulated financial institution but adapted to digital channels.
These five principles are also the pillars that the 2026 FATF evaluation will examine when auditing Mexico. An ITF that cannot demonstrate how it materializes each principle in its day-to-day operation will face a problem bigger than administrative fines: a reputational problem with the supervisor.
Operational obligations: how compliance materializes
Principles translate into concrete obligations every ITF must meet. These are the most important — the ones CNBV reviews most often during inspections:
Minimum capital and adequacy. Each figure has a capital floor and, more importantly, an obligation to maintain additional capital proportional to operational volume and risk. ITFs must demonstrate that their capital covers operational, credit (when applicable) and market risks.
Customer-funds segregation. In IFPEs, customer funds are not the IFPE's: they belong to the customer. They must be held in specific accounts, separated from operating capital, in authorized banks or instruments. Mixing own funds with customer funds is one of the most serious infractions — and one of the most common in companies with artisanal accounting systems.
AML program. Board-approved manual, communication and control committee, certified compliance officer, customer due diligence (CDD) and enhanced due diligence (EDD), transactional monitoring with alerts, UIF reports (suspicious, unusual, concerning operations) and recurring training. Full detail in our KYC/AML guide.
Cybersecurity. The Fintech Law, together with CUOEF and CNBV guidelines, requires ITFs to maintain a documented cybersecurity program, periodic assessments, continuity plans, incident management and mandatory reporting when breaches occur. Most non-compliance in this area comes from missing audit logs and untested response plans.
Consumer protection. Plain-language contracts, visible total cost (CAT), complaint mechanisms, CONDUSEF response handling, response timelines, indemnification for failures, portability rights. The quality of the user-support function is usually the best indicator of overall compliance maturity.
Regulatory reporting. Beyond UIF reports, ITFs report periodically to CNBV on financial statements, operational indicators, alerts, cybersecurity incidents and much more. Manual report preparation is a typical bottleneck.
Sanctions and fines for non-compliance
The Fintech Law contemplates a sanctions regime that ranges from public warning to revocation of authorization — the regulatory death penalty. Administrative fines are expressed in UMAs (Mexico's reference unit) and depend on severity:
- Minor infractions: 50 to 1,000 UMAs (~MXN 5,000 to 115,000).
- Serious infractions: 1,000 to 10,000 UMAs (~MXN 115,000 to 1.15M).
- Very serious infractions: 10,000 to 100,000 UMAs (~MXN 1.15M to 11.5M), with possible revocation.
Fines are only part of the cost. Revocation means the company cannot operate — and any prior investment, the team, the customer base, the technology stack, all of it is lost. In addition, responsible parties (board, compliance officer, CEO) can face disqualification from the financial system for years.
The math is simple: investing from day one in compliance technology infrastructure is always cheaper than paying fines and, above all, than losing authorization.
Toward Fintech Law 2.0: the reforms ahead
The 2018 Fintech Law was built with the conceptual tools of seven years ago. Today the market has massive Banking-as-a-Service embedded in any non-financial app; super apps that mix payments, credit and commerce; tokenized digital assets that are not classic cryptocurrencies; AI agents that make financial decisions. None of that fits perfectly into the 2018 figures.
The Fintech Law 2.0 reform being discussed in 2026 targets several issues: expanding existing figures, explicitly regulating BaaS, modernizing the virtual-assets regime, strengthening cybersecurity, and tightening AML obligations. The general direction is more requirements, not fewer. Companies already operating to high standards will absorb the changes without trauma; those barely meeting minimums will face a painful transition.
For executives and board members, the reading is: assume requirements will go up, not down. Build compliance technology infrastructure with headroom to absorb new requirements without rewriting everything. That is the difference between the fintechs that scale and the ones that drown.