- Banxico opens consultation on new cyber and data rules for banks
- Proposals aim to standardize digital risk management and resilience
- Focus on cyber threats, cloud services, and third-party dependencies
- Banks would face stronger governance and security obligations
- Final rules expected after consultation ends February 2026

The consultation, which runs until Feb. 11, 2026, reflects growing
concern over the resilience of banking infrastructure as digitalization
accelerates and cyber threats become more sophisticated.
The proposed changes focus on safeguarding the integrity of
information flows and protecting systems critical to the functioning of
Mexico’s payments and financial reporting ecosystem.
“The objective is to establish a standardized regulatory framework
that incorporates elements to safeguard information security and computer
security,” Banxico said, adding that the measures are designed to protect
information integrity amid rising digital threats and ongoing organizational
modernization.
Banxico said the rapid digital transformation of Mexico’s
financial sector has expanded the potential attack surface for malicious
actors.
As the country’s monetary authority and the regulator of payment
systems, the central bank said it is seeking to reduce systemic vulnerabilities
by modernizing its information technology manual and reinforcing minimum
security expectations for supervised institutions.
A key driver of the consultation is the growing gap between
existing regulatory requirements and the realities of modern banking
infrastructure.
Banxico highlighted the increasing sophistication of cyberattacks
targeting financial institutions, alongside the obsolescence of some legacy
communication protocols when confronted with cloud-based architectures and
complex third-party service arrangements.
The proposed reforms are intended to encourage banks to adopt a
proactive cyber resilience posture, rather than relying on reactive incident
response.
In particular, the measures are designed to ensure the operational
continuity of the information collection system used by the central bank, known
as SAIF, which supports supervisory oversight and policy functions.
Under the draft framework, banks would be required to strengthen
governance and accountability around information security.
Institutions would need to appoint a compliance officer to act as
a qualified technical representative and primary point of contact for
information supplied to Banxico.
Banks would also be permitted to designate additional operators,
representatives, and technology administrators to support these
responsibilities.
The proposals place a stronger emphasis on third-party and
infrastructure risk. Banks would be expected to assume responsibility not only
for their own systems, but also for the security of infrastructure operated by
external service providers.
This includes implementing controls to detect and manage
cybersecurity incidents that could disrupt operations connected to SAIF.
Security requirements outlined in the consultation include the
mandatory use of secure communication protocols across computing environments,
along with the deployment of tools to detect viruses, malicious code, and
system vulnerabilities.
These measures are intended to establish a consistent baseline for
cyber defenses across the banking sector.
Operational resilience also features prominently in the proposed
rules. Banks would be required to maintain robust business continuity plans to
ensure they can meet data supply obligations at all times.
At the same time, the framework allows for flexibility by
permitting alternative controls, provided institutions receive prior
authorization from the Bank of Mexico.
Once the consultation period closes in February 2026, Banxico will
review industry feedback before finalizing the secondary regulation.
The changes are expected to have a direct impact on bank
information technology teams, driving updates to security policies, governance
arrangements, and reporting processes.