Consumer Protection and Complaint Handling

Legal Red Flags When Acquiring a Fintech

Why isn't buying a fintech a traditional acquisition?

 XICO), the Ministry of Finance and Public Credit (SHCP), and the National Commission for the Protection and Defense of Financial Service Users (CONDUSEF), among other authorities, under a specific framework: the Law to Regulate Financial Technology Institutions (Fintech Law) and its secondary regulations.

The Fintech Law integrated financial technology institutions (FTIs) into the national financial system and empowered the CNBV and BANXICO to issue general provisions regarding authorization, operation, information security, business continuity, and contracting with third parties (providers). This means that when you buy a fintech, you're not facing just any acquisition: you assume obligations and expectations similar to those of other supervised financial entities.

For an institutional buyer, the challenge in any M&A of regulated businesses is clear: to capture the strategic value of the fintech without inheriting legal risks that could compromise the return on investment, the group's reputation, or even its relationship with the regulator. In this context, a well-designed due diligence process and the support of a corporate law firm with regulatory experience make a tangible difference in how the transaction is structured, negotiated, and executed.

Minimum framework: what you're buying when you acquire a fintech

License, permits, and regulatory model

Before discussing red flags, it's important to be clear about what's truly on the table when you want to buy a fintech. It's not just about a technology platform or a user base, but a set of elements that include the license or authorization to operate as an electronic payment fund institution (IFPE), a crowdfunding institution (IFC), or another entity regulated by the Fintech Law; the authorizations, opinions, or registrations linked to the business model —for example, provisions applicable to electronic payment fund institutions regarding information security, operational continuity, and contracting with third parties—; and the fintech's historical relationship with the CNBV and other authorities, considering inspection visits, requirements, observations, corrective measures, self-correction models, and potential sanctions.

Secondary regulations also establish strict requirements regarding shareholding structure, the origin of funds for those intending to hold equity in an FTI, as well as specific rules for acquiring or encumbering shares of these entities. In other words, in any M&A of highly regulated businesses, authorities not only evaluate the target fintech; they also thoroughly analyze the institutional buyer and the new control group that will be behind the license.

Change of control and regulatory authorizations

The general provisions applicable to FTIs detail the information and documentation that must be submitted by those intending to hold equity in them, including financial standing, origin of funds, credit history, and business trajectory. In an operation to buy a fintech, it is usually necessary to obtain prior authorization from the CNBV for significant changes in the shareholding structure, to demonstrate that the new control group has the technical, financial, and compliance capacity to operate a regulated business, and to coordinate the closing of the transaction with the authority's timelines, which shapes how the closing conditions and the mechanics of closing are designed in the M&A agreement.

If the due diligence does not correctly map the authorization assumptions, reporting requirements, and post-closing obligations, the buyer may end up with a transaction that is “closed” between the parties from a contractual perspective, but which in practice remains stalled at the regulatory level.

Red flag 1: fintech license pending, conditional, or not aligned with the buyer's objectives

When buying a fintech means buying a promise

A first red flag when buying a fintech is to assume that its regulatory status is complete and to value the business as if it were already fully consolidated. This happens when the license has been applied for but formal authorization from the CNBV does not yet exist; when authorization has already been granted, but is conditional on meeting certain requirements within specific deadlines; or when the business model has been operating under a different structure —for example, through a regulated third party— without being regularized as an ITF, despite de facto complying with the assumptions of the Fintech Law.

In M&A of regulated businesses, these nuances are critical. If you pay as if the fintech had a robust license, but in reality it operates in a gray area or under a transitional regime, the value you think you are buying depends on future events and not on a consolidated regulatory position. The due diligence must thoroughly review the complete authorization file, the CNBV's official communications, and any pending deadlines or conditions; confirm that the activities currently carried out by the fintech align with the scope of its license and with the current regulatory interpretation; identify whether there are operations that should actually be reserved for entities with another type of authorization —for example, schemes close to public fundraising in unforeseen structures—; and verify that regulatory reporting is up to date, without warnings or fines that might signal a change in the authority's stance.

Red flag 2: history of non-compliance and observations from the CNBV

In acquisitions of regulated businesses, supervisory history is as relevant as financial statements. ITF regulation is based on the premise that the CNBV must safeguard the stability of the system and the interests of financial service users, imposing corrective measures and sanctions where appropriate. Therefore, when analyzing the acquisition of a fintech, it is advisable to meticulously review inspection visits and their results, open or partially addressed observation letters, any economic sanctions imposed, commitments made with the authority regarding remediation or self-correction —including process changes and technological adjustments—, as well as any indication of incomplete regulatory reporting, reports submitted past due, or findings that will reasonably lead to sanctions.

A due diligence focused solely on contracts and financial statements, one that fails to analyze the regulatory file, leaves the institutional buyer exposed to inheriting a complicated relationship with the CNBV and other supervisory authorities that already have the entity on their radar.

Red flag 3: inconsistent ownership structure and corporate governance

Who truly controls the fintech you are buying

The provisions applicable to ITFs require that those intending to maintain equity participation meet requirements for integrity, financial standing, and lawful origin of funds. At the same time, the regulator expects corporate governance structures that are consistent with the size, complexity, and risks of the business model. In this context, when acquiring a fintech, it is a red flag to find significant shareholders or controlling beneficiaries who were not properly disclosed to the CNBV, shareholder agreements that contradict the bylaws or authorization conditions, or a formal governance structure —board, committees, and powers— that does not align with how daily operational decisions are made.

In the acquisition of regulated businesses, these types of inconsistencies are not merely an internal organizational issue: they can imply that the authorizations granted by the CNBV were based on an incomplete or incorrect picture. The fintech's due diligence must reconstruct effective control and verify that it aligns with what was declared to the regulator and with the structure that will result after closing, so that there are no regulatory surprises when the authority reviews the new control map.

Red flag 4: AML/CFT and post-acquisition sanctions

The risk that is most difficult to clean up post-closing

The Fintech Law and its secondary provisions coordinate with anti-money laundering legislation and the CNBV's powers to require ITFs to establish anti-money laundering and counter-terrorism financing (AML/CFT) systems commensurate with their risks. When evaluating the acquisition of a fintech, it is essential to look far beyond the AML/CFT manual and the mere existence of internal policies.

The review must cover the quality of KYC (Know Your Customer) files and onboarding processes, the relationship between the volume of alerts generated and the alerts actually analyzed and reported, the history of reports to the authority —unusual, suspicious, relevant operations— and the consistency of the criteria applied, as well as previous observations or sanctions related to AML/CFT issues and the actual progress in their remediation. It is also important to verify that the automated system is correctly implemented and that the Compliance Officer has a formal appointment, functional independence, and the corresponding certifications.

In M&A, AML/CFT legal risks are particularly critical because they can trigger investigations involving the acquiring group. A due diligence limited to documentary review, without stress testing data, operations, and processes, rarely captures the true exposure or allows for quantifying the cost of bringing the prevention system up to date.

Red flag 5: technology, cybersecurity, and critical outsourcing

The regulator also scrutinizes the cloud

The regulations applicable to electronic payment fund institutions devote entire chapters to information security, technological infrastructure, business continuity, and third-party contracting, including cloud computing services. For a buyer, this means that the technological assessment cannot be limited to aspects of performance or scalability: it must align with prudential and supervisory requirements.

When acquiring a fintech, the due diligence must consider how the entity contracts critical technological services—for example, cloud solutions, the transactional core, digital KYC, and anti-fraud systems—and confirm whether these contracts require authorizations or notifications to the CNBV and Banco de México, especially when sensitive user information is at stake. It is also important to verify compliance with obligations to report information security incidents and operational contingencies that exceed certain thresholds, as well as the existence and updating of business continuity plans that the regulator can review.

In M&A of regulated businesses, it is a red flag to find an extreme reliance on a single vendor without robust contracts aligned with applicable regulations, a lack of evidence regarding continuity testing and incident management protocols, or a history of significant outages that were not properly reported to the authorities or managed for users. The risks in this area combine technological, regulatory, commercial, and reputational components.

Red flag 6: personal data, privacy, and open finance

The most valuable asset can also be the most sensitive

Many strategies for acquiring a fintech are justified by access to data: transactional behavior, alternative scoring, spending patterns, risk algorithms. However, this data is subject to personal data protection rules, banking secrecy, and increasingly, to open finance schemes which involve information exchanges with third parties under specific criteria.

In the context of M&A, it's concerning to find a lack of a clear inventory of personal data, databases, and information flows; no structured mapping of data transfers to third parties—vendors, business partners, large technology platforms, payment processors—; or that privacy policies and user notices do not reflect what the fintech actually does with the information. A comprehensive due diligence review examines contracts with data providers, consent schemes, legal bases for processing, implemented security measures, and the history of incidents or breaches. Each breach in this area can result in proceedings before INAI, CNBV, CONDUSEF, or even class-action lawsuits.

Red flag 7: contracts with clients, partners, and correspondents

What the contract you sign says… and what the regulator sees

The regulations applicable to Financial Technology Institutions (ITF) govern, among other aspects, contracting with third parties that provide services to fintechs, including suppliers, commission agents, and correspondents. They also require transparency in the terms under which clients are served. Therefore, when analyzing a potential acquisition of a fintech, it makes sense to thoroughly review the contractual ecosystem that underpins the business model.

This involves analyzing adhesion contracts with end-users —particularly the clarity of fees, responsibilities, and complaint mechanisms, as well as their proper registration, where applicable— and contracts with strategic partners such as marketplaces, affiliated businesses, correspondent banks, or aggregators. It's also advisable to understand revenue distribution schemes and, especially, how responsibilities and costs are allocated in scenarios of fraud, service outages, or operational errors.

In M&A of regulated businesses, a poorly aligned contractual basis can lead to conflicts with partners regarding who is responsible to the user in a significant incident, and to risks of sanctions due to misleading customer information or unbalanced clauses. An essential part of fintech due diligence involves testing scenarios: what happens if there's a serious incident, who communicates with users, who absorbs the economic impact, and who must report to the authority, with what deadlines and under what protocol.

What a well-executed fintech due diligence should look like

It's not just a data room

An M&A transaction requires a due diligence tailored to the business, the license, and the buyer's profile. The standard corporate and tax checklist is a starting point, but it's not enough. The regulatory review must cover the license and applicable provisions, records with CNBV, BANXICO, SHCP, and CONDUSEF, inspection visits, official communications, and any corrective measures or sanctions imposed. On the corporate side, it's necessary to review the shareholding structure, shareholder agreements, identification of controlling beneficiaries, powers of attorney, corporate governance, and its alignment with the requirements of the Fintech Law.

On the technological front, the analysis must cover infrastructure, information security, business continuity plans, contracts with critical suppliers, and compliance with prudential requirements. For AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism), it's important to understand the role of the Compliance Officer, the quality of policies and procedures, the status of records, the flow of alerts and generated reports, as well as associated observations. Regarding data and privacy, it's necessary to examine the responsible parties, the applied regulatory framework, previous breaches, consent mechanisms, and data flows to third parties. Finally, in operations and contracts, the review should cover agreements with clients, suppliers, strategic alliances, and correspondents, and their consistency with regulatory obligations and the fintech's value proposition.

Integrating findings into the transaction design

The due diligence only adds value if its findings translate into concrete business decisions. Based on these findings, it is often necessary to adjust the valuation in light of the identified legal risks and the cost of remedying them, define conditions precedent linked to CNBV authorizations or the correction of critical issues before closing, and design indemnity structures, holdbacks, escrow mechanisms, and earn-out schemes that align incentives between seller and buyer. Closing without incorporating these variables into the purchase agreement means taking on risks that will be very difficult to renegotiate once control has changed hands.

The firm's role in M&A for regulated businesses

Bridging business and regulation

A corporate law firm with fintech experience must be able to navigate two constantly intersecting planes with ease. On one hand, the M&A plane itself: negotiation of the SPA, price structure, indemnities, conditions precedent, covenants and other contractual elements of the transaction. On the other, the regulatory plane: a close reading of the Fintech Law and its general provisions, knowledge of CNBV's supervisory practices and its sensitivity to changes of control and the entry of new economic groups.

In practice, the firm's contribution to a fintech acquisition includes defining the scope and depth of the fintech due diligence, prioritizing critical issues and realistic timelines; translating technical findings —for example, gaps in information security or operational continuity— into concrete contractual clauses and mitigation mechanisms; and, together with the buyer, designing a post-closing regulatory integration plan that includes notifications, process adjustments, internal policy updates, and strengthening corporate governance.

Avoiding Inherited Risks: A Strategy Before, During, and After Closing

To avoid inheriting unnecessary legal risks when acquiring a fintech, the approach must cover the entire transaction lifecycle. Before signing, it's crucial to map out the necessary authorizations and probable timelines with the CNBV and other authorities, and design a structure—whether it's a stock purchase, asset acquisition, merger, or other arrangement—that aligns with the Fintech Law and applicable financial regulations. Between signing and closing, the focus shifts to coordinating with the CNBV and other relevant authorities to obtain authorizations and non-objections, as well as implementing urgent corrections identified during the due diligence, prioritizing those that the authority will scrutinize most closely.

After closing, attention shifts to integrating compliance and AML/CFT systems with the buyer group's standards, reviewing and updating contracts with users, suppliers, and partners to align risk distribution, and strengthening corporate governance and regulatory culture within the acquired fintech. A firm that understands the M&A logic of regulated businesses doesn't just react to specific observations but anticipates how the authority will interpret the transaction and structures it accordingly.

Executive Checklist for Acquiring a Fintech Without Inheriting Risks

What You Need to Know Before Moving Forward

When you're evaluating acquiring a fintech in Mexico, it's helpful to have some key questions at hand to assess the level of risk and the quality of preparation:

  • Is the fintech's license (or its operating model) fully aligned with the Fintech Law and its secondary regulations, or does it still rely on transitional provisions or flexible interpretations?
  • Does its history with the CNBV show addressed observations and a reasonably healthy relationship, or does it have ongoing proceedings and potential significant sanctions?
  • Does the ownership and governance structure reflect what was declared to the regulator and what is actually practiced in operations?
  • Is the AML/CFT system adequate for the volume and type of operations the fintech conducts and the customer profiles it serves?
  • Does the technology and cybersecurity architecture meet the requirements of applicable provisions regarding security, continuity, and contracting with critical third parties?
  • Are contracts with users and partners aligned with regulations and do they distribute risks reasonably and sustainably?
  • Was your fintech due diligence specifically designed by a team that understands the business and regulations, or did you just replicate a traditional M&A checklist?

If you don't have clear answers to these questions, the operation is likely built on a fragile foundation. In that scenario, the decision doesn't have to be to abandon the acquisition, but rather to rethink how to acquire a fintech: expand the scope of the due diligence, negotiate price and terms, and rely on advisors who are comfortable navigating the M&A landscape of regulated businesses and in communication with the financial regulator.
