Vermont Solutions


CNBV — Technology governance and banking provisions in Mexico

The Comisión Nacional Bancaria y de Valores (CNBV) is Mexico's financial supervisor. It covers commercial banking, development banking, brokerages, mutual funds, and fintech entities under the 2018 Ley Fintech. Its Disposiciones de Carácter General Aplicables a las Instituciones de Crédito (CUB) cover operational and technology risk management, business continuity, cybersecurity and governance of external providers. For subsidiaries of European groups, DORA-grade requirements are typically applied across the board for consistency.

Full content in Spanish. This English entry is a concise summary. The complete reference (including comparative tables, official sources and Vermont Solutions context) is available in the Spanish version.

Frequently asked

What does CNBV supervise?

CNBV oversees Mexico's financial system: commercial and development banks, brokerages, mutual funds, fintechs (IFPE and IFC entities under the 2018 Ley Fintech), and other licensed entities. It coordinates with Banco de México (Banxico) on monetary policy and payment systems.

What does CNBV require on banking technology governance?

CUB regulations cover operational and technology risk management, business continuity plans, cybersecurity controls, governance of external providers, and regulatory reporting (including security incidents). The level of detail is lower than in DORA, particularly for TLPT (threat-led penetration testing) and direct supervision of critical ICT providers.

How does it compare with European DORA?

DORA (EU Regulation 2022/2554) is stricter in three respects: (1) a detailed mandatory registry of ICT providers, with direct ESA supervision of designated critical providers; (2) mandatory TLPT every three years for significant entities; (3) binding minimum contractual clauses (Art. 30). CNBV covers the same risk concepts but with less prescriptive operational requirements. Mexican subsidiaries of European groups typically apply the stricter standard (DORA) across the board.

Can a European consultancy serve Mexican banking?

Yes, with no specific restrictions beyond general provider contracting requirements and tax obligations on cross-border services. The Mexican entity must document prior assessment, contractual clauses and continuity mechanisms. Services involving personal data fall under the Federal Law on Protection of Personal Data Held by Private Parties. Vermont Solutions operates cross-border from Spain and meets standard CNBV assessment requirements.

English summary maintained by Vermont Solutions. Citable with attribution. Regulation evolves — verify the latest version at the official source linked in the Spanish entry. Does not constitute legal advice.