Crypto Law Profile

Bank of Mexico Virtual Asset Authorization Regime for Financial Technology Institutions and Credit Institutions

Banco de México Circular 4/2019 sets a prior authorization regime for Mexican ITFs and credit institutions to conduct internal virtual asset operations.

Mexico Effective Regulation Mar 9, 2019

At a glance

Jurisdiction Mexico; Banco de México regime for ITFs and credit institutions.
Status In force; Circular 37/2020 amendment is incorporated in Banxico text.
Scope Prior authorization for internal virtual asset operations; direct client exchange, transfer, and custody are outside scope.
Effective Date Original Circular 4/2019 entered into force on 2019-03-09.

Overview

The Bank of Mexico Virtual Asset Authorization Regime is Mexico’s central-bank framework for virtual asset operations by financial technology institutions and credit institutions. It is centered on Banco de México Circular 4/2019, the general provisions for credit institutions and financial technology institutions that carry out operations with virtual assets. The regime is in force as of July 2, 2026. Circular 4/2019 was published in the Diario Oficial de la Federación on March 8, 2019, entered into force the following day, and now appears in a consolidated Banxico text that incorporates Circular 37/2020.

Regulatory purpose of Banco de México Circular 4/2019

Circular 4/2019 implements powers in Mexico’s Fintech Law, which defines virtual assets as electronically registered representations of value used by the public as a means of payment and excludes legal tender, foreign currency, or assets denominated in them. The law provides that financial technology institutions may operate only with virtual assets determined by Banco de México and must obtain prior authorization. Article 88 separately extends a similar prior-authorization framework to credit institutions. The circular sets the characteristics of eligible assets, the terms and restrictions for covered operations, the information institutions must submit, and the features of the resulting authorizations.

The framework should not be read as a public-facing crypto exchange license. Banco de México stated when issuing the rules that it sought to maintain distance between virtual assets and the financial system while allowing potentially useful technology for efficiency or functionality. That policy choice is reflected in the circular’s narrow focus on internal operations.

Covered institutions and virtual asset operations

The circular defines an “Institution” as a credit institution or a financial technology institution authorized under the applicable banking and fintech laws. It defines internal operations as activities carried out internally to support passive, active, service, proprietary, or international fund-transfer processes. An operation with virtual assets is a direct or indirect internal operation with those assets under the circular.

Core authorization limits

  • Covered institutions may carry out virtual asset operations only when the operation is an internal operation and only after prior authorization from Banco de México.
  • Institutions must not operate outside the terms of the authorization granted.
  • Institutions must prevent the risk of the virtual asset operation from being transmitted, directly or indirectly, to clients.
  • Requests to provide direct client services for exchange, transmission, or custody of virtual assets are not eligible for authorization under the circular.

Application package and risk controls

An applicant must submit its proposed operating model, measures to prevent client risk transmission, a regulatory compliance comparison, the expected benefits of the operation, operating manuals, and a comprehensive risk framework. The manual must describe the asset, relevant protocols, market characteristics, internal processes, and controls for protocol changes. The risk framework must address business, foreign-exchange, financial, operational, cybersecurity, money-laundering, and reputational risks, among others.

Banco de México may request additional information and decides whether the proposed asset and internal operation meet the circular’s requirements. Institutions must review the risk framework each calendar year and report new risks and potential impact where updates are needed.

Outsourcing, independent review, and enforcement hooks

The circular permits third-party services connected with internal virtual asset operations, including services by foreign entities, but requires prior authorization for those arrangements. Contracts must preserve confidentiality, allow access and audits, and permit Banco de México to verify compliance. Foreign service-provider arrangements must address data protection, continuity, and support.

Institutions must also hire an independent third party to evaluate compliance with the circular, and the evaluation must be performed every two years. Banco de México may revoke an authorization for failures involving manuals, risk reporting, client-risk protections, risk-control policies, disclosure, or operating outside the authorization. The Fintech Law also provides monetary penalties for conducting virtual asset operations without prior authorization or with assets not determined by Banco de México.

Status and review notes

As of the verification date, no future phase-in date or scheduled review milestone was identified for the circular itself. Editors should verify whether Banco de México has granted or published institution-specific authorizations before connecting this profile to named companies or products. This profile is for legal-reference purposes and is not legal, tax, investment, or compliance advice.

Key provisions

Prior authorization for internal operations

Covered institutions may conduct virtual asset operations only as internal operations and only with prior Banco de México authorization.

Authorization Mar 9, 2019 Source

Client-facing crypto services excluded

Requests to offer direct client exchange, transmission, or custody of virtual assets are not eligible under Circular 4/2019.

Client services Mar 9, 2019 Source

Virtual asset characteristics

Eligible assets must meet specified information-unit, protocol, issuance-control, and double-spend prevention characteristics.

Asset perimeter Mar 9, 2019 Source

Application and risk framework

Applications must include the operating model, manuals, regulatory mapping, client-risk safeguards, and a comprehensive risk framework.

Risk management Mar 9, 2019 Source

Third-party service authorization

Institutions need prior authorization to contract third parties for services tied to internal virtual asset operations.

Outsourcing Mar 9, 2019 Source

Independent compliance evaluation

Institutions must hire an independent third party to evaluate compliance; the evaluation must occur every two years.

Audit Mar 9, 2019 Source

Timeline

  1. Fintech Law published

    Mexico published the Ley para Regular las Instituciones de Tecnología Financiera, creating the statutory basis for virtual asset rules.

    Enacted Source
  2. Circular 4/2019 published

    Banco de México issued the general provisions for covered institutions’ virtual asset operations.

    Enacted Source
  3. Circular 4/2019 entered into force

    The circular became effective the day after publication in the Diario Oficial de la Federación.

    In force Source
  4. Circular 37/2020 amendment published

    Banco de México published an amendment clarifying approval requirements for third-party contracting.

    Enacted Source
  5. Circular 37/2020 amendment in force

    The amendment entered into force on the next banking business day after DOF publication.

    In force Source

Who it affects

Actors

Banco de México, Comisión Nacional Bancaria y de Valores, Secretaría de Hacienda y Crédito Público

Asset classes

Virtual assets

Official sources

Editorial note

This profile treats Circular 4/2019 as Banxico’s binding regulatory regime for covered financial institutions. It should be read with the Ley para Regular las Instituciones de Tecnología Financiera and any later Banco de México updates.