The Bank of Mexico Virtual Asset Authorization Regime is Mexico’s central-bank framework for virtual asset operations by financial technology institutions and credit institutions. It is centered on Banco de México Circular 4/2019, the general provisions for credit institutions and financial technology institutions that carry out operations with virtual assets. The regime is in force as of July 2, 2026. Circular 4/2019 was published in the Diario Oficial de la Federación on March 8, 2019, entered into force the following day, and now appears in a consolidated Banxico text that incorporates Circular 37/2020.
Regulatory purpose of Banco de México Circular 4/2019
Circular 4/2019 implements powers in Mexico’s Fintech Law, which defines virtual assets as electronically registered representations of value used by the public as a means of payment and excludes legal tender, foreign currency, or assets denominated in them. The law provides that financial technology institutions may operate only with virtual assets determined by Banco de México and must obtain prior authorization. Article 88 separately extends a similar prior-authorization framework to credit institutions. The circular sets the characteristics of eligible assets, the terms and restrictions for covered operations, the information institutions must submit, and the features of the resulting authorizations.
The framework should not be read as a public-facing crypto exchange license. Banco de México stated when issuing the rules that it sought to maintain distance between virtual assets and the financial system while allowing potentially useful technology for efficiency or functionality. That policy choice is reflected in the circular’s narrow focus on internal operations.
Covered institutions and virtual asset operations
The circular defines an “Institution” as a credit institution or a financial technology institution authorized under the applicable banking and fintech laws. It defines internal operations as activities carried out internally to support passive, active, service, proprietary, or international fund-transfer processes. An operation with virtual assets is a direct or indirect internal operation with those assets under the circular.
Core authorization limits
- Covered institutions may carry out virtual asset operations only when the operation is an internal operation and only after prior authorization from Banco de México.
- Institutions must not operate outside the terms of the authorization granted.
- Institutions must prevent the risk of the virtual asset operation from being transmitted, directly or indirectly, to clients.
- Requests to provide direct client services for exchange, transmission, or custody of virtual assets are not eligible for authorization under the circular.
Application package and risk controls
An applicant must submit its proposed operating model, measures to prevent client risk transmission, a regulatory compliance comparison, the expected benefits of the operation, operating manuals, and a comprehensive risk framework. The manual must describe the asset, relevant protocols, market characteristics, internal processes, and controls for protocol changes. The risk framework must address business, foreign-exchange, financial, operational, cybersecurity, money-laundering, and reputational risks, among others.
Banco de México may request additional information and decides whether the proposed asset and internal operation meet the circular’s requirements. Institutions must review the risk framework each calendar year and report new risks and potential impact where updates are needed.
Outsourcing, independent review, and enforcement hooks
The circular permits third-party services connected with internal virtual asset operations, including services by foreign entities, but requires prior authorization for those arrangements. Contracts must preserve confidentiality, allow access and audits, and permit Banco de México to verify compliance. Foreign service-provider arrangements must address data protection, continuity, and support.
Institutions must also hire an independent third party to evaluate compliance with the circular, and the evaluation must be performed every two years. Banco de México may revoke an authorization for failures involving manuals, risk reporting, client-risk protections, risk-control policies, disclosure, or operating outside the authorization. The Fintech Law also provides monetary penalties for conducting virtual asset operations without prior authorization or with assets not determined by Banco de México.
Status and review notes
As of the verification date, no future phase-in date or scheduled review milestone was identified for the circular itself. Editors should verify whether Banco de México has granted or published institution-specific authorizations before connecting this profile to named companies or products. This profile is for legal-reference purposes and is not legal, tax, investment, or compliance advice.


