Bank of Mexico Circular 4/2019 is Mexico’s central-bank regulation for virtual asset operations by credit institutions and financial technology institutions. As of June 30, 2026, Banco de México publishes a compiled text of Circular 4/2019 that includes the amendment made by Circular 37/2020. The original circular was published in the Diario Oficial de la Federación on March 8, 2019 and entered into force the following day; the 2020 amendment entered into force on October 1, 2020.
What Circular 4/2019 Covers
The circular implements part of Mexico’s Fintech Law framework by defining the virtual assets that covered institutions may use and by setting terms, restrictions, authorization requirements, and information requirements for operations with those assets. Its scope is deliberately narrow: it applies to “Instituciones,” meaning credit institutions and authorized financial technology institutions, and it defines a virtual asset operation as an internal operation carried out directly or indirectly with virtual assets.
The practical effect is to keep virtual asset activity within a controlled institutional perimeter. Covered institutions may conduct virtual asset operations only when the activity is an internal operation and only with prior authorization from Banco de México. The circular also states that institutions must prevent the risk of those operations from being transmitted directly or indirectly to clients.
Key Restrictions on Customer-Facing Crypto Services
Circular 4/2019 is especially important for crypto exchanges, custody, and transfer services because it states that operations seeking to provide direct customer services for exchange, transmission, or custody of virtual assets are not eligible for authorization under the circular. That does not describe every crypto activity in Mexico, but it is a major perimeter rule for banks and regulated fintech institutions.
- Internal operations only: virtual asset operations must support internal institutional processes rather than direct retail crypto services.
- Prior authorization: institutions must submit authorization requests to Banco de México before conducting covered operations.
- Customer-risk separation: institutions must explain how they will prevent customers from bearing risk from the virtual asset operation.
- Defined asset features: eligible assets must have identifiable electronic units, protocol-based issuance controls, and mechanisms to prevent double spending.
Authorization, Risk Management, and Operational Controls
The authorization request must describe the operating model, compliance measures, expected benefits, operating manuals, protocol characteristics, market characteristics, and the processes in which the virtual asset will be used. The institution must also justify why the activity is not a direct service or operation offered to clients.
The risk-management requirements are broad. Circular 4/2019 calls for an integrated risk framework covering business, exchange-rate, financial, operational, cybersecurity, illicit-finance, and reputational risks. Institutions must review that framework at least annually and report newly generated risks and their potential impact to Banco de México where updates are required.
Third Parties and Independent Reviews
The circular allows covered institutions to contract third parties, including domestic institutions and foreign entities, for services related to virtual asset operations, subject to prior authorization. Contracting documentation must address confidentiality, audit access, information requests, continuity measures, and other controls. Circular 37/2020 amended the third-party approval requirement so that the relevant approval refers to the institution’s own administrative body rather than the third party’s administrative body.
Circular 4/2019 also requires an independent third-party evaluation of compliance. The evaluation must be presented to the institution’s administrative body and, where applicable, audit committee, and submitted to Banco de México within the specified time period. These review obligations reinforce the circular’s approach: virtual asset technology may be used inside regulated institutions, but only under a documented, supervised, risk-contained model.
Regulatory Significance for Mexico
Banco de México has described its broader policy as maintaining a “healthy distance” between virtual assets and the Mexican financial system while allowing technological use inside financial institutions where it can improve efficiency or functionality. In that context, Circular 4/2019 is best understood as a binding perimeter and authorization framework for internal virtual asset operations, not a general consumer-facing crypto licensing regime.