Open Banking & APIs

Mexico's Fintech Law of 2018 was one of the world's first to mandate open banking. Welcome to the gap between ambition and implementation, and why it matters for every financial product built in Mexico today.

Part 2 of 5 in the series

"In theory, theory and practice are the same. In practice they are not." (Yogi Berra, baseball legend and accidental philosopher)

In Part 1, we established a paradox at the heart of Mexico's digital banking story: a country with 70 million fintech users where 85% of everyday transactions still happen in cash, a regulatory pioneer that has not fully implemented its own pioneering regulation. Nowhere is that paradox more visible than in the domain of Open Banking and APIs.

This article is about the plumbing: the infrastructure layer that most product teams do not want to talk about in a board presentation but that determines, more than any UX decision or marketing campaign, whether financial data can actually flow where it needs to go. In Mexico, that plumbing is partially built, unevenly deployed, sometimes built over legacy mainframe systems, and sitting on top of a regulatory foundation that is incomplete. Let us look at exactly why, what the consequences are, and what the path forward looks like.


What is Open Banking?

Before we go anywhere near Mexican regulation, let us be precise about the term, because "open banking" is one of those phrases that has been stretched by marketing teams until it means almost nothing. Open Banking at its core is a data architecture decision: financial institutions expose customer account data and payment capabilities through standardized APIs, accessible by authorized third parties, with explicit customer consent.

That is it. Three components: standardized APIs, authorized third parties, and customer consent. The important word is standardized. An API that BBVA México built specifically for its own mobile app is not open banking. A proprietary data-sharing arrangement negotiated between two specific institutions is not open banking. True open banking requires a shared technical standard that any authorized party can implement without bilateral negotiation. The UK built this with its Open Banking Implementation Entity (OBIE). Brazil built it with the Open Finance Brasil framework. The EU mandated it through PSD2 and is now evolving toward PSD3. Mexico wrote the law for it in 2018.
What Mexico has not yet done is build the implementation infrastructure: the technical standards, the certification process for third-party providers, the consent framework, and the binding API specifications that transform a legal mandate into an operational ecosystem.


The regulatory architecture: ambitious law, slow implementation

The Ley para Regular las Instituciones de Tecnología Financiera, the Fintech Law of 2018, established a three-tier data classification system that is, on paper, genuinely sophisticated:

  • Tier 1. Open Data: Public information that any party can access without restriction. Branch locations, product terms, fee schedules.
  • Tier 2. Aggregated Data: Anonymized, statistical data that can be shared with authorized parties for analytical purposes such as market research, credit risk modeling at portfolio level, inclusion analytics.
  • Tier 3. Transactional Data: Individual customer data such as account balances, transaction history, payment initiation, accessible only with explicit, granular customer consent.

The framework is sound. The problem is implementation speed. The CNBV's legal mandate was to issue secondary regulations, the technical specifications that give the framework operational meaning, within a defined timeframe. Eight years after the law's passage, only one set of secondary regulations has been formally published: the standards governing ATM location and services APIs, released in June 2020. That is the full extent of binding, standardized open banking regulation in Mexico as of mid-2026. ATM locations. No binding rules for transactional data sharing. No mandatory consent frameworks. No accreditation standards for third-party providers. No payment initiation services (PIS) regulation. The Fintech Law wrote the check. The regulators have not yet cashed it.
This is not a bureaucratic footnote. It has direct, measurable consequences for the 795 fintechs and 316 foreign entities currently operating in Mexico's financial ecosystem.


The consequences

Here is what the regulatory gap means in practice, at the engineering level.
Every fintech in Mexico that needs access to bank account data has two options today:

Option A. Screen Scraping.

The third party obtains the user's banking credentials, logs in on their behalf, and extracts data by parsing HTML. This is technically functional, operationally fragile, legally ambiguous, and a security nightmare. It requires the user to hand over their banking password to a third party. It breaks whenever the bank redesigns its web interface. It cannot be audited or monitored by the bank. In any jurisdiction with mature open banking regulation, this approach is being phased out or explicitly prohibited. In Mexico, it remains in active use precisely because the standardized alternative does not exist.

Option B. Bilateral Private API Agreements.

A fintech negotiates a custom data-sharing arrangement directly with each bank, one institution at a time. This works for the fintechs large enough to have the legal team, the technical resources, and the brand recognition to make a bank want to partner with them. For smaller players, it is prohibitively expensive and slow. The result is a market where integration capability becomes a competitive moat that has nothing to do with the quality of the financial product.
The Mastercard Latin America research puts it precisely: Mexico's open banking lacks ease and cohesion, often still resorting to web scraping, and lacks scope because no PIS regulation yet exists. The consequence is that SPEI, Mexico's genuinely excellent real-time payment infrastructure, cannot be leveraged through open banking the way Brazil's Pix can. Every payment initiation requires a direct bank relationship, not a standardized API call.
Approximately 60% of major Mexican banks have implemented some form of open banking APIs as of 2023, according to CNBV data, but these are largely proprietary implementations, not compatible with a shared standard. Having 60% of banks with APIs and 0% of those APIs speaking the same language is not open banking.

The Brazil contrast

Brazil's Open Finance framework, formally launched in phases from 2021 to 2023, was built on a fundamentally different governance model. Rather than issuing regulations and hoping institutions would comply, the Banco Central do Brasil established a dedicated implementation structure with:

  • Binding technical standards for API format, authentication, and data schema, a shared specification that every participant implements identically.
  • A certification process for both data providers (banks) and data consumers (fintechs), with clear liability assignment.
  • A consent management framework that defines exactly what users authorize, for how long, and with what granularity.
  • Payment Initiation Services (PIS), providing the ability to initiate transfers through the same standardized rails.

The results are measurable. Brazil's open finance ecosystem recorded 102 billion API calls in 2024, a 96% increase year-on-year from 51.9 billion in 2023. Active user consents reached 61.9 million in 2024, up 45% from 42.9 million the prior year. Payment Initiation API calls grew 194%.
Mexico's fintech market is growing strongly despite the regulatory gap, not because of a standardized infrastructure. That distinction matters enormously for what the next phase of growth looks like, and for who gets to participate in it.

The private sector response

The Mexican fintech ecosystem has not sat idle while waiting for regulatory completion. The private sector response has been pragmatic and, in some respects, genuinely impressive.


- Data aggregators have emerged as the de facto middleware layer: companies that maintain bilateral agreements with multiple banks, normalize the data into a consistent format, and expose a single API that fintechs can integrate against. This is structurally equivalent to what open banking regulation is supposed to make unnecessary, but in Mexico's context it is filling a genuine gap.
- The Fintech Mexico association has maintained an active Open Finance working group of fintechs and interested banks that prepares technical documents, shares best practices, and advocates for regulatory progress. This kind of industry-led coordination is common in markets where regulatory momentum has stalled, and it has kept the conversation alive and technically grounded.
- Major institutions and players have built their own developer portals and API programs, even without a regulatory mandate. BBVA México's API Market, for instance, offers documented REST APIs for account information, payments, and product data, a genuine implementation of open banking principles operating outside any formal regulatory framework. Other major banks have followed with varying levels of completeness and documentation quality.

In 2025, according to Ozone API's regional assessment, open finance in Mexico has returned to active discussion, with more fintechs entering the market and established institutions looking to expand their API offerings. The new regulatory leadership installed following the 2024 presidential transition has signaled greater coordination between CNBV, Banxico, and SHCP, the three bodies whose alignment is structurally necessary for implementation to move forward.


The Technical Architecture

For the techies in the audience, engineers and architects actually implementing financial integrations in Mexico, here is the practical reality of what the current landscape requires.


The SPEI Layer. Your Non-Negotiable Foundation


Everything begins and ends with SPEI. Banxico's real-time gross settlement system processes interbank transfers around the clock, and every financial institution operating in Mexico connects to it either directly (for banks with a direct SPEI participant license) or indirectly through a sponsoring bank (for IFPEs and other regulated entities).
SPEI itself does not expose a consumer-facing API; it is an interbank settlement system, not an application platform. What it provides is the settlement rail on which every application layer is built. Your CLABE number is a SPEI addressing mechanism. Your instant transfer is a SPEI transaction. DiMo's phone-number-based transfers route over SPEI. CoDi's QR codes initiate SPEI transactions.
The technical implication: any financial product in Mexico that moves money is, at some layer of the stack, a SPEI integration.
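Because the CLABE is the address every SPEI transfer is routed by, validating it before a payment leaves your system is the first input check in any of these integrations. The sketch below is an added example, not code from Banxico or any bank: it checks the 18-digit format and the control digit (weights 3, 7, 1 over the first 17 digits) and splits the fields. The function names and the sample value are constructed for illustration.

```python
import re

# Weights 3, 7, 1 repeat across the first 17 digits.
_WEIGHTS = (3, 7, 1) * 6

def clabe_check_digit(first17: str) -> int:
    """Control digit for the 17-digit body of a CLABE."""
    # [0-9] rather than \d: \d and int() also accept non-ASCII digits.
    if not re.fullmatch(r"[0-9]{17}", first17):
        raise ValueError("CLABE body must be exactly 17 ASCII digits")
    total = sum((int(d) * w) % 10 for d, w in zip(first17, _WEIGHTS))
    return (10 - total % 10) % 10

def parse_clabe(raw: str) -> dict:
    """Validate an 18-digit CLABE and split it into its fields."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{18}", raw):
        raise ValueError("CLABE must be exactly 18 ASCII digits")
    if clabe_check_digit(raw[:17]) != int(raw[17]):
        raise ValueError("CLABE control digit mismatch")
    return {
        "bank": raw[0:3],      # institution code
        "plaza": raw[3:6],     # city / branch region code
        "account": raw[6:17],  # account number
        "check": raw[17],      # control digit
    }

def is_valid_clabe(raw) -> bool:
    """Boolean wrapper for use in request validation."""
    try:
        parse_clabe(raw)
        return True
    except ValueError:
        return False

# Constructed sample value; its last digit was computed with the routine above.
SAMPLE_CLABE = "032180000118359719"

if __name__ == "__main__":
    print(parse_clabe(SAMPLE_CLABE))
    print(is_valid_clabe("032180000118359710"))  # one digit altered
```

A passing control digit only catches typing and transposition errors; it says nothing about whether the account exists or belongs to the intended beneficiary.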


Authentication and Consent: Building Without a Standard

In the absence of a national consent framework, Mexican fintechs have adopted a patchwork of approaches:

- OAuth 2.0 is the dominant authentication pattern for API-based integrations where one exists. The January 2025 RFC 9700 update to OAuth 2.0 security best practices is the current reference standard for token-based authorization in financial contexts, and any new Mexican fintech API implementation should be built against it, not the 2012 original.
- FAPI (Financial-grade API) is the international reference standard used in the UK, Australia, and Brazil. It adds requirements for PKCE (Proof Key for Code Exchange), PAR (Pushed Authorization Requests), and certificate-bound tokens that significantly raise the bar for security. Some Mexican institutions have adopted FAPI profiles informally; none are required to by regulation.
- Consent capture without a national framework means each provider implements its own approach, varying in granularity, duration, revocability, and user clarity. This is functional but creates fragmentation that harms users who cannot easily understand or compare what they have authorized across different products.
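To make the PKCE and consent points concrete, here is an added example (not taken from any Mexican institution's API or from a FAPI reference implementation) of the checks an authorization server can run when an authorization code is redeemed: the RFC 7636 S256 verification, then the consent record's revocation, expiry and scope. The class names and scope strings such as `accounts:read` are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Allowed code_verifier alphabet and length (RFC 7636, section 4.1).
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> tuple:
    """Client side: fresh high-entropy verifier and its S256 challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    return verifier, s256(verifier)

@dataclass(frozen=True)
class Consent:
    scopes: frozenset      # what the customer agreed to share (hypothetical names)
    expires_at: float      # epoch seconds
    revoked: bool = False

@dataclass(frozen=True)
class PendingCode:
    """State the authorization server stored when it issued the code."""
    code_challenge: str
    challenge_method: str
    requested_scopes: frozenset
    consent: Consent

def redeem_code(pending: PendingCode, code_verifier: str, now: float) -> frozenset:
    """Token-endpoint checks; returns the scopes the access token may carry."""
    if pending.challenge_method != "S256":
        raise PermissionError("only S256 PKCE is accepted")  # 'plain' rejected
    if not _VERIFIER_RE.fullmatch(code_verifier):
        raise PermissionError("malformed code_verifier")
    # Constant-time comparison of the recomputed and stored challenge.
    if not hmac.compare_digest(s256(code_verifier), pending.code_challenge):
        raise PermissionError("PKCE verification failed")
    if pending.consent.revoked or now >= pending.consent.expires_at:
        raise PermissionError("consent revoked or expired")
    if not pending.requested_scopes <= pending.consent.scopes:
        raise PermissionError("requested scope exceeds consent")
    return pending.requested_scopes

if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    consent = Consent(frozenset({"accounts:read", "transactions:read"}), 2000.0)
    pending = PendingCode(challenge, "S256", frozenset({"accounts:read"}), consent)
    print(sorted(redeem_code(pending, verifier, now=1000.0)))
```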


The Data Aggregation Pattern: Practical Reality

For most Mexican fintechs today, the practical architecture for accessing multi-institution financial data looks like this:

The aggregator layer, companies like Belvo, Finerio Connect, and Prometeo, normalizes the inconsistency of bilateral bank connections into a developer-friendly API surface. This is structurally similar to what Plaid built in the US before open banking mandates arrived, and it carries the same risks: dependency on a middleware vendor, data quality inconsistencies, and the fundamental fragility of screen-scraping connections that can break silently when a bank updates its web UI. The important technical consideration for any fintech building on aggregator APIs today is to design your data model to be aggregator-agnostic. When standardized open banking APIs eventually arrive in Mexico, the integration should be swappable without requiring a data architecture overhaul.
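One way to keep the data model aggregator-agnostic, shown as an added example rather than any vendor's SDK: each source gets a small adapter that maps its payload to one canonical record, and malformed input is rejected at that boundary. The two payload shapes, the field names and the sample records are constructed and do not reproduce the real formats of Belvo, Finerio Connect or Prometeo.

```python
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal

@dataclass(frozen=True)
class Transaction:
    """Canonical record; nothing downstream sees an aggregator's own shape."""
    account_id: str
    booked_on: date
    amount: Decimal   # signed, in currency units; negative means money out
    currency: str
    description: str
    source: str       # adapter that produced the record, kept for audit

def _money(value: Decimal) -> Decimal:
    return value.quantize(Decimal("0.01"))

def from_aggregator_a(raw: dict) -> Transaction:
    # Constructed shape: unsigned decimal string plus a direction flag.
    if not isinstance(raw["amount"], str):
        raise TypeError("amount must be a decimal string, not a float")
    sign = {"INFLOW": 1, "OUTFLOW": -1}[raw["type"]]
    return Transaction(raw["account"]["id"], date.fromisoformat(raw["value_date"]),
                       _money(sign * Decimal(raw["amount"])), raw["currency"],
                       raw["description"].strip(), "aggregator_a")

def from_aggregator_b(raw: dict) -> Transaction:
    # Constructed shape: signed integer centavos and a dd/mm/yyyy date.
    cents = raw["monto_centavos"]
    if isinstance(cents, bool) or not isinstance(cents, int):
        raise TypeError("monto_centavos must be an integer")
    return Transaction(raw["acct"], datetime.strptime(raw["fecha"], "%d/%m/%Y").date(),
                       _money(Decimal(cents) / 100), "MXN",
                       raw["concepto"].strip(), "aggregator_b")

# A future standardized-API adapter is registered here; callers do not change.
ADAPTERS = {"aggregator_a": from_aggregator_a, "aggregator_b": from_aggregator_b}

def normalize(source: str, raw: dict) -> Transaction:
    """Map one raw record to the canonical model, failing closed on bad input."""
    if source not in ADAPTERS:
        raise ValueError(f"no adapter registered for {source!r}")
    try:
        return ADAPTERS[source](raw)
    except (KeyError, TypeError, ValueError, ArithmeticError) as exc:
        raise ValueError(f"{source}: malformed record: {exc!r}") from exc

# Constructed samples: the same transfer as two hypothetical sources report it.
SAMPLE_A = {"account": {"id": "acc-001"}, "value_date": "2026-03-14",
            "amount": "1250.50", "type": "OUTFLOW", "currency": "MXN",
            "description": " SPEI enviado "}
SAMPLE_B = {"acct": "acc-001", "fecha": "14/03/2026",
            "monto_centavos": -125050, "concepto": "SPEI enviado"}

if __name__ == "__main__":
    print(normalize("aggregator_a", SAMPLE_A))
    print(normalize("aggregator_b", SAMPLE_B))
```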



Mexico vs. the Region: An Honest Assessment



Brazil has a fully operational, regulated open finance ecosystem with binding standards, 102 billion annual API calls, and PIS capabilities that have transformed the competitive landscape. Pix and Open Finance together represent perhaps the most successful example of coordinated financial infrastructure modernization in the Western Hemisphere in the past decade.
Colombia, which began regulating open finance after Mexico and explicitly drew lessons from the Mexican experience, has outpaced Mexico in implementation. Colombia's open finance decree, focused on PIS, has been implemented in phases with defined timelines.
The UK model, despite being a different regulatory and cultural context, demonstrates the institutional design lesson that is most directly applicable to Mexico: implementation requires a dedicated entity (the UK's Open Banking Implementation Entity) that manages technical standards, certifies participants, and resolves disputes. Regulation alone, without a governing body responsible for execution, produces what Mexico has: a mandate on paper and a gap in practice.
Mexico's fintech association remains active and technically sophisticated. Several major banks are building genuine API capabilities. The regulatory coordination signals from the new government are more encouraging than they were in 2022. But the gap between Mexico's 2018 ambition and its 2026 implementation is measured in years and opportunity costs.



What Needs to Happen: The Technical and Regulatory Roadmap


The path from Mexico's current position to a functioning open banking ecosystem is well understood; it has been mapped by the World Bank (2023 technical note), the Fintech México association, and several international advisory bodies. The challenge is not knowledge; it is execution and governance.
The technical requirements are sequential:

1. API Standards Publication.

The CNBV needs to publish binding API specifications for transactional data sharing (account information, transaction history, balance queries), with a defined implementation timeline. The UK's Read/Write API specification, Brazil's Open Finance Brasil spec, and the US Financial Data Exchange (FDX) standard all provide proven reference points. Mexico does not need to invent a new standard; it needs to adopt and mandate one.

2. Third-Party Provider Accreditation

A formal process for authorizing fintechs to access bank data through standardized APIs, with defined liability, security requirements, and ongoing compliance obligations. Without this, banks have no regulatory basis for granting API access and no protection against unauthorized use.

3. Consent Framework

Standardized rules for how customers authorize data sharing: scope, duration, revocability, and user-facing disclosure requirements. This is the consumer protection layer that transforms data sharing from a technical capability into a trustworthy product.

4. Payment Initiation Services

The extension of open banking from data access to payment execution, enabling authorized third parties to initiate SPEI transfers on behalf of users through standardized APIs. This is what would allow Mexico to replicate the use cases that have made Pix transformative in Brazil.

None of these steps require new legislation. The Fintech Law of 2018 already provides the legal basis. What they require is regulatory will, institutional coordination, and the kind of sustained technical effort that is unglamorous in press releases but foundational to everything built on top of it.



The Opportunity


Here is the counterintuitive insight for anyone building financial products in Mexico today: the regulatory gap is simultaneously the biggest friction and the biggest opportunity in the market.
It is friction because every integration is custom, every data agreement is bilateral, and every new player must rebuild infrastructure that should be standardized. The cost of this friction falls disproportionately on smaller fintechs and ultimately on end users.
It is opportunity because the moment binding open banking standards arrive in Mexico, and the regulatory signals suggest that moment is closer than it was two years ago, the competitive landscape will restructure rapidly. The fintechs that have built API-ready architectures, invested in clean data models, and developed relationships with the major banking institutions will be positioned to move immediately. Those that have not will face the same integration challenge all over again, against competitors who are already running.
The Mexico open banking market was valued at $3.2 billion in 2024 and is projected to reach $6.8 billion by 2029. That growth will not happen smoothly.
Build for that moment. Even if you cannot yet see when it arrives.

Sources & References

1. Open Banking in Mexico: Eight Years of Promise, Still Waiting on the Regulations (March 2026). https://www.openbankingtracker.com/blog/open-banking-in-mexico-eight-years-of-promise-still-waiting-on-the-regulations
2. Open Banking Tracker. Open Finance Mexico, Regulatory Overview. https://www.openbankingtracker.com/regulation/mexico-open-finance
3. Ozone API. The Status of Open Finance in Latin America in 2025 (August 2025). https://ozoneapi.com/blog/the-status-of-open-finance-in-latin-america-in-2025/
4. Ozone API. Mexico Open Finance Country Profile (July 2024). https://ozoneapi.com/the-open-finance-tracker/atlas/mexico/
5. Mastercard Data & Services. Open Banking in Latin America. https://www.mastercard.com/us/en/news-and-trends/Insights/2024/open-banking-latin-america.html
6. Legal Paradox. Open Finance Fintechs in Mexico: Regulatory Intelligence (February 2026). https://www.legalparadox.com/categories/open-finance
7. Mexico Business News. The Path for Open Finance in Latin America in 2024 (December 2024). https://mexicobusiness.news/tech/news/path-open-finance-latin-america-2024
8. BusinessWire / ResearchAndMarkets. Mexico Embedded Finance Databook Report 2025 (October 2025). https://www.businesswire.com/news/home/20251009802671/en/Mexico-Embedded-Finance-Databook-Report-2025
9. Chambers and Partners. Fintech 2025: Mexico (March 2025). https://practiceguides.chambers.com/practice-guides/fintech-2025/mexico
10. Weidemann.tech. Open Banking in Mexico: Current Landscape and Future Prospects (August 2024). https://weidemann.tech/open-banking-in-mexico-current-landscape-and-future-prospects/
11. Open Bank Project. Intercam Banco's Journey to Open Finance Compliance in Mexico. https://www.openbankproject.com/case-study/intercam-banco-open-finance-compliance-mexico/
12. Scalable Solutions. Open Banking API Standards: Driving Digital Asset and Fintech Integration (October 2025). https://scalablesolutions.io/blog/posts/open-banking-api-standards
13. TechAhead. Open Banking API Strategy: Building Secure Third-Party Integrations at Scale (April 2026). https://www.techaheadcorp.com/blog/open-banking-api-strategy/