August 14, 2020 / Banking and Finance
Request of authorization to execute agreements andoperations in a remote manner through devices
On July 29 the National Banking and Securities Commission (hereinafter, the “CNBV“) —in order to comply with Recommendation 15 of the Financial Action Task Force (hereinafter, the “FATF“) regarding the need of financial institutions to identify and assess Money Laundering risks (hereinafter, the “ML“) and Financing of Terrorism (hereinafter, the “TF“) which may arise in relation to the use of new technologies or developing technologies— issued through portal “SITI PLD/FT” the “Guide for Non-Regulated Financial Corporations of Multiple Purpose; Investment Advisors, and Money Transmitters intending to present an authorization request to execute agreements and operations in a remote manner through devices” (hereinafter, the “Guide”).
Due to the foregoing, the purpose of this informative gazette is to summarize the most relevant information established in such Guide, which may assist Non-Regulated Corporations of Multiple Purpose, Investment Advisors, and Money Transmitters (hereinafter, the “Obligated Persons“) so that they may consult the use of new technologies and electronic media to bear the current situation and financial institutions may continue to provide their services and make operations without incurring any ML and FT crime.
It is important to highlight that the main purpose of the Guide is to serve as a help tool for the Obligated Persons interested in obtaining approval from CNBV to execute agreements or operations in a remote manner through devices and meet the minimum requirements when submitting the request document.
A. APPROVAL REQUEST.
Obligated Persons must include the following in their request documents for the approval of the client identification process: potential clients or users through remote devices by CNVB; the development of the guidelines established by the Obligated Person to comply with the general Provisions referred to in the Credit Institutions Act, Article 115 in connection with the Law of Credit Organizations and Auxiliary Activities, Articles 87-D and 95-Bis applicable to multiple purpose financial institutions, the general Provisions referred to in the aforementioned law, Article 95-Bis, applicable to the money transmitters referred to in such law, Article 81-A Bis, and the general Provisions referred to in the Stock Market Law, Article 226 Bis, applicable to the investment advisors (hereinafter, the “Provisions“), as applicable; as well as the establishment of methods, measures, or processes that such Obligated Persons will undertake when making the remote identification.
Similarly, it is important to mention that the process referred to above for the remote identification must be established, without limitation, through an audiovisual media, in other words, any mechanism using the sight and sound at the same time and which can be perceived in real-time.
B. DOCUMENTATION THAT MUST BE ATTACHED TO THE REQUEST DOCUMENT.
The document must be presented in the filling offices of CNBV, which is located at Insurgentes Sur No. 1971, Col. Guadalupe Inn, Zip Code 01020, Alcaldía Álvaro Obregón, Mexico City.
Such document must be in Spanish and the original and 2 two copies must be presented, which must include, at least, the following points:
- It must be addressed to the Specialized Authorizations Head Office of the Normativity Vice-Presidency;
- It must contain the name or corporate name and the Mexican financial system catalogue (CASFIM) number or the registry number of the Obligated Person, if applicable;
- It must include an address within the national territory for service of purpose, as well as the adress of one of their representatives;
- It must include the general description of the remote identification process;
- It must include the requests, adding in an express manner the request to remotely execute agreements or operations in a duly grounded manner;
- It must be signed by the Legal Representative and/or General Director and a non-certified copy of the public instrument certifying such capacity must be attached.
C. REMOTE IDENTIFICATION PROCESS OF THE ENTITY.
The Obligated Subjects must develop in detail the remote identification process they will undertake, in which all the criteria, procedures, controls, measures, and technological infrastructure established in the Provisions must be shown.
Similarly, the Guide suggests the Obligated Subject to present the request attaching the documents as exhibits since these may be used as evidence so that CNBV may analyse better the request and eliminate any doubt.
Regarding the documents that must have the signature of the risk responsible or their equivalent (or, in case there is no responsible, the audit committee, the board of directors, or the sole manager of the Obligated Subject) they may comply with this requirement by presenting a document where the appointment of the risk responsible is established by the officers.
Lastly, it is recommended for the Obligated Subjects to attach and consider the criteria established in the compliance formats contained in the Guide, since such formats are adapted to the Provisions.
D. TECHNOLOGICAL RISK
As a result of the new technologies implemented by the Obligated Subjects for the remote identification of their clients, it is important that they consider that, according to the used technology, the place where each process, service, and the detailed location where the information will be stored and handled must be mentioned. Likewise, the Obligated Subjects must describe the architecture of the technology used, in other words, the type of cloud (public, private, or hybrid), the name of the supplier, specific locations where the information will be stored and handled, and the agreement project.
Similarly, as part of the prevention by ML and FT crime commission, CNBV requests the Obligated Subjects to inform the telecommunications chart and the media description to process and transmit the information, data, and files in which its integrity is ensured; as well as to describe the business continuity strategy known as “Business Continuity Plan” of the entity and the participants. Such entities must remember that, in case of contingencies, failures, or interruptions in the technology used, a backup of the information, data, and files must be kept, and the location of this backup in the platform used must be described.
In that regard, as another prevention measure, the technology used must be approved by the risk responsible or their equivalent (if there is no risk responsible, by the audit committee, the board of directors, or the sole manager) and, within such technology, the validation mechanisms providing reliability with which the facial recognition of the applicant is made must be described.
E. INFORMATION SECURITY
The Obligated Subjects must describe the mechanisms for the safe storage of the information, the securing of the communication channels, as well as the mechanisms used for the access management to the systems used in the remote identification process, and the information security incident management process to be undertaken together with the policies and procedures for such incidents.
It is important that the Obligated Subjects remember that once the project is approved, the implementation stage will begin immediately, in which the Obligated Subject must provide CNBV the following:
a. The results of the tests prone to detect vulnerabilities and threats, as well as penetration tests in the components of the technological structure used in the process, whether of the Obligated Subjects or of third parties. The proof of vulnerability mitigation of the entity, which were detected during the tests.
b. The calibration tests of the mechanisms used for the face recognition or the verification of any other biometric element that is used.