Home Publications & Resources Client Protection Library

Mexico: Privacy of Client Data

E-mail Print

Researched by: Credit Suisse

Executive Summary

Microfinance in Mexico hit the international headlines in 2007 when its largest microfinance institution (MFI), Compartamos, went public. Compartamous presented some of MFIs which adapted to a for-profit structure and appeared to be the leading way to attract a huge amount of capital to flow into the microfinance projects in Mexico. Questions were raised regarding the conflict interests between the shareholders and underlying clients. More and more people are particularly concerned about the future clients’ indebtedness and potential political risks. From its state regulations, intervention and subsidization, people would seek for some answers.

Introduction

Small and medium enterprises in Mexico generally called PYMEs (pequeña y mediana empresa by initials in Spanish) play a key role in the Mexican Economy. As of 2006, there were about 4 million enterprises in Mexico. Out of those 4 million, 99.8% were small and medium sized enterprises which generated 52 % of GDP and contributed to at least 72% of the formal employment. Among 52% of GDP, 15% from Micro, 14.5% from small and 22.5% from medium enterprises, however, access to credit for PyMEs is limited and costly. According to the Mexican Central Bank, only 21% of Mexican companies received financing from banks in the first quarter of 2010, while more than 84% obtained it through suppliers. Thus, Mexico has been one of the most dynamic microfinance markets with 2.3 million clients in Latin America.

Who’s Who – Microfinance Sector in Mexico

Practitioners

There are two legal forms of deposit-taking institutions in the regulatory framework: Savings and Loans Cooperative Companies (SCAP by initials in Spanish) and Popular Financial Companies (SOFIPOS by initials in Spanish). SCAP is defined as a nonprofit organization which belongs to the social sector as well as a member of the Mexican financial system.

The Law on Savings and Loan created two new organizations for the rural Microfinance sector: Community Financial Companies (SOFINCOS by initials in Spanish) and Rural Financial Integration Organizations (OIFR by initials in Spanish).

Community Financial Companies’ leading object is to support the development of rural productive activities and persons in the rural areas. The volunteer group of Rural Financial Integration Organizations is to promote operational integration of Community Financial Companies.

Micro-credit Non-regulated Financing Companies with Multiple Purposes (SOFOMES E.N.R. by initials in Spanish) are subjected only to limited oversight by The National Commission for the Protection and Defense of Financial Services Consumers (CONDUSEF). Regulated SOFOMES as well as Credit Unions are under the The National Banking and Securities Commission (CNBV)’s supervision.

Regulators and Supervisors

The National Banking and Securities Commission (CNBV, Comisión Nacional Bancaria y de Valores):  established by the Law of the National Banking and Securities Commission of 1995 (Ley de la Comisión Nacional Bancaria y de Valores) established CNBV, is the main regulator of financial institutions.

CNBV is an independent, decentralized sun-agency of the Ministry of Finance and Public Credit, whose mission is “to safeguard the stability of the Mexican financial system and promote its efficiency and inclusive development in benefit of the Mexican society”.

The National Commission for the Protection and Defense of Financial Services Consumers (CONDUSEF) established by the Law of Protection and Defense of the Financial Consumer of January 1999 is the premier consumer protection organization under the authority of the Department of Finance and Public Credit.

CONDUSEF’s main objectives are to promote, advise, protect and defend the rights of people who use financial services offered by institutions operating within Mexico.

According to the law, CONDUSEF must do the following:

  • Inform the public about the services of financial institutions and provide the number of complaints received from each;
  • Establish and maintain a database of reported charges and surcharges accessible to the public;
  • Strengthen the capacity of financial institutions to gather information necessary for reporting to CONDUSEF;
  • Establish and maintain a registry of users who do not want their information to be used for marketing or advertising purposes to which users can subscribe for free;
  • Impose sanctions on institutions that violate the rights of consumers.
  • Federal Institute of Access to Information and Data Protection
  • The Federal Institute is authorized to monitor and enforce compliance with Federal Law for Protection of Personal Data held by Private Persons (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, "LFPDP" or the "Act").
  • Companies will be held liable for interfering with a data subject's exercise of his/her rights for failing to safeguard his/her personal data. Data subjects who believe that a company is not processing their personal data may also request an investigation by the Institute. Following an investigation, the Institute may dismiss the data subject's claim or affirm, reject, or modify a company's answer to a data subject's claim.
  • The Federal Institute's decision may be appealed before the Federal Tribunal of Fiscal and Administrative Justice (the "Tribunal") by either the data subject or the company processing the personal data.10 Penalties for violating the Act's provisions can be as severe as a US$1.4 million fine, a prison sentence of five years, or double the penalties in the event of sensitive personal data.

Federal Institute of Access to Information and Data Protection:

  • The Institute is authorized to monitor and enforce compliance with “LFPDP” or the “Act”
  • Companies will be held liable for interfering with a data subject's exercise of his/her rights for failing to safeguard his/her personal data. Data subjects who believe that a company is not processing their personal data may also request an investigation by the Institute. Following an investigation, the Institute may dismiss the data subject's claim or affirm, reject, or modify a company's answer to a data subject's claim.
  • The Institute's decision may be appealed before the Federal Tribunal of Fiscal and Administrative Justice (the "Tribunal") by either the data subject or the company processing the personal data. Penalties for violating the Act's provisions can be as severe as a US$1.4 million fine, a prison sentence of five years, or double the penalties in the event of sensitive personal data.

Available Laws

Microfinance Laws

The Popular Savings and Credit Law (Ley de Ahorro y Crédito Popular) (LACP) is the foundational microfinance law of Mexico. The LACP mandates that all deposit-taking institutions over a minimum asset level register as one of two formal entities SCAPs or SOFIPOs. The main objective of the LACP is to protect deposits and promote popular savings and credit development in Mexico, particularly through:

  • Granting the National Banking and Securities Commission (CNBV) powers to authorize, supervise, regulate, and sanction popular savings and credit entities;
  • Delegating “auxiliary supervision” to federations of SOFIPOs and to a confederation, COFIREM, with the CNBV then having inspection and oversight power over both federations and individual SOFIPOs and SCAPs as well as other less common institutions; and
  • Establishing a deposit insurance scheme for entities under this law, to be administered by the federations, and backed by a national “Protection Fund.”

In addition, the Law includes provisions regarding anti-money laundering. Other anti-money laundering provisions can be found in the Law on Credit Institutions, the General Law on Auxiliary Credit Organizations and Activities, and the Law Regulating the Activities of Cooperative Savings and Loan Societies, among others.

Client Protection Laws

The Act to Regulate the Activities of Cooperative Societies, Savings and Loan (LRASCAP) is related to the consumer protection.

  • Identify that SCAP and SOFIPOS have a different legal framework
  • Respect the nature of SCAP as a nonprofit corporation
  • Recognize the actions taken by the SCAP under the LACP
  • Affirm the powers of the The National Banking and Securities Commission (hereafter CNBV, Comisión Nacional Bancaria y de Valores) : authorization, supervision, regulation and punishment of the sector so as to foster healthy development in protecting savers
  • Regulate all cooperatives that offer services of savings and loans to their members
  • Give the transition necessary for the SCAP to cope with the standard and keep order in the authorization process.
  • Strengthen the protection system of the savings and the auxiliary supervision scheme. SCAP improves the quality of auxiliary supervision through an oversight committee which belongs to the Fund Assistant Protection. SOFIPO maintains the auxiliary supervision scheme through Federations.
  • Strengthen a Protection Fund for savers which seek preventive schemes designed to prevent financial bankruptcies that may affect savings and loans institutions. Increased the coverage of the protection fund from $1,372 USD - $3,430 USD (4.000 to 10.000 UDIS) by each saver, depending of the level to the operations, to up to $8,574 USD (25,000 UDIS) estimated amount which covers at 100% over 99% of savers in the sector.

Data Protection & Privacy Laws

Mexico's Department of the Interior has announced that the country's new Federal Law for Protection of Personal Data held by Private Persons (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, "LFPDP" or the "Act") came into effect on July 6, 2010.

The Act is to enforce "controlled and informed" processing of personal data in order to ensure that Mexican citizens, referred to as "data subjects", possess "privacy and right to self-determination." Companies handling information about data subjects will be forced to comply with specific obligations in the processing of personal data or suffer severe penalties.

Principles for the Protection of Personal Data

Notice and Consent: according to the Act, consent can be obtained by means of a privacy notice that informs the data subject of the information being used, the method of use, the purpose for such use, and the data subject's rights of "access, rectification, and cancellation or opposition." Data subjects may revoke consent at any time without retroactive effect, and companies must establish and explain procedures for such revocation within their privacy notice.

The Act also provides special requirements for processing "sensitive personal data." It gives data subjects the rights to:

  • access their data;
  • have inaccuracies in their data corrected;
  • deny transfers of their data; and
  • oppose use of their data or have it deleted from a company's system for "legitimate" reasons.

Privacy Notice Content: a company's privacy notice must, at a minimum, inform data subjects about:

  • the company's identity and address;
  • the purpose for processing the data;
  • the options and means available to the data subject for limiting use or disclosure of his/her personal data;
  • the means by which the data subject may exercise his/her rights of access, rectification, cancellation, and opposition under the Act;
  • any planned transfer of the data; and
  • the procedure and means for informing the data subject about changes to the privacy notice

Accuracy of Data and Purpose of Use: the Act requires companies to ensure that personal data is accurate and up-to-date. If a company intends to use the personal data for any purpose not outlined in the privacy notice, it is required to provide notice and obtain renewed consent from the data subject. Any personal data retained for the purpose of proving or disproving a claim of breach of contract must be eliminated after 72 months from the date of the alleged breach.

Responsibility for Third-Party Use: the Act addresses certain responsibilities in relation to third parties. A company must take "necessary and sufficient" measures to guarantee that the terms of the privacy notice are respected at all times by the company and by any third parties with which it bears "some legal relationship." Thus, the Act requires that companies legally impose on their third-party providers and partners necessary and sufficient binding obligations consistent with the Act's requirements.

Security Measures in Maintaining Data: the Act requires companies to establish and maintain security measures and administrative techniques to protect the personal data against damage, loss, alteration, destruction, or unauthorized access or use.

Data Breach Notification: the Act requires "immediate" notice to the data subject of any security breach that "significantly" affects his or her "property or moral rights."

Confidentiality: the Act requires companies and third parties involved in the processing of personal data to maintain the confidentiality of personal data at all times. The obligation to maintain confidentiality exists even after the relationship with the data subject ends.

Data Subject Rights: date subjects generally have the right to oppose use of their data, access their data, have inaccuracies in their data corrected, or have their data deleted. A data subject's request for cancellation triggers a "blockade period" during which the personal data shall be suppressed. During this period, a company may only retain the personal data for purposes of investigating liability arising from such use.

Data Transfers: in most instances, a company must disclose to data subjects any planned transfer of personal data to third parties and include a clause in the privacy notice allowing the data subject to accept or deny such transfer. Once personal data is transferred to a third party, the third party is also subject to the requirements of the Act. The Act provides that national or international transfers of data may be carried out without the consent of a data subject when the transfer is made to, among others, holding companies, subsidiaries or affiliates under common control of the company, or a parent company or any associated company working under the same processes and internal policies.

Procedure for Data Subject Exercise of Rights: in some cases, a data subject may petition the Institution to ensure that a company satisfies its duty to the data subject under the Act. The data subject must submit this petition within 15 days from the date that the company responds to its opposition or request for access, rectification, or deletion of data. The Institute will conduct its own investigation and make a determination as to whether or not the company has satisfied its duty to the data subject. If the Institute determines that the company has not satisfied its duty, the company must comply with the Institute's decision and provide the Institute with a written account of its compliance within 10 days of being notified of the decision. The Institute's decisions may be appealed to a tribunal for adjudication.

Violations and penalties: the Institute considers: the nature of the data involved; whether there was blatant impropriety on behalf of a company in responding to a data subject's request; whether a company's act or omission was intentional; a company's financial capacity; and whether a company has previously violated the Act. Penalties for violations of the Act may include:

  • Warning: a warning issued to comply with a data subject's request for access, rectification, cancellation, or opposition pursuant to the Act.
  • Fine: the Law provides for high amounts of fines for several infringements (base limit is approximately US$400 and the upper limit reaches approximately US$1.5 million) (Article 64)
  • Imprisonment

Conclusion

A study by Marulanda Consultores and commissioned by DAI Mexico indicates that the Mexican Microfinance industry is in a state of “precarious maturity”, however, there must-address challenges, especially with respect to the over-heating market, requirements of transparency to consumers, strengthening institutions, technical assistance for them to diversity their target segments. It is of urgency that the standard of microcredit and its account classification applies to all brokers operating on products in the market, regardless of their legal forms (banks, SCAP, SOFIPO and even SOFOM). And all credit transactions regardless of size are required to report to credit bureaus. The national authorities should encourage different sized institutions to develop competitive advantages for the benefit of entrepreneurs and customers from different segments, contributing to the country’s economy growth.


Back to Client Protection Library