Chapter VI of the General Provisions for Financial Technology Institutions sets out data security and cybersecurity regulations for fintech companies. In this regard, the technological infrastructure of fintech companies must include security measures for the protection of user data, including:
- identification and authentication mechanisms;
- relevant controls for employees who have access to personal data;
- internal policies and procedures for data access and prevention of unlawful data use; and
- measures for the notification of privacy notice changes to users.
Finally, fintech companies are responsible at all times for the protection of users’ personal data.

According to Article 67 of the General Provisions for Financial Technology Institutions, fintech companies must prevent and report to the National Banking and Securities Commission (CNBV) any cybersecurity incidents that occur. Fintech companies must immediately investigate the cause of the incident and provide the CNBV with a plan that outlines the actions that will be taken to eliminate or mitigate the risks that have arisen from the incident.