Best approach for Mexico open-banking account aggregation under Ley Fintech?
Question
Answers
Great question — the answer is nuanced. Here's the current state as of mid-2026:
Ley Fintech Open APIs: Phase 1 (public product/branch data) is live at most regulated banks. Phase 2 (customer account data with consent) is partially implemented — BBVA MX and Banorte have live endpoints, but Banamex and Santander MX are still in testing. Production access still requires a bilateral agreement or using a licensed ITF aggregator.
Practical recommendation: Use Belvo or Flinks for today. They abstract the inconsistency across banks, handle the OAuth consent screens, and have battle-tested reliability. Data freshness is real-time for BBVA/Banorte; 4–8 hours for others via secure aggregation.
Consent UX with Belvo: your app embeds their Widget SDK which handles the OAuth redirect, credential flow, and MFA. The user never enters credentials in your app directly.
Confirming Belvo is solid in production. We've been on it for 18 months.
One thing to watch: their transaction categorisation for Mexico is decent for SPEI and card transactions but sometimes misclassifies OXXO cash deposits and ATM withdrawals. We built a thin override layer that re-categorises based on transaction description patterns.
Also: their SLA is 99.5% not 99.9%, and they have 2–3 hour maintenance windows on Sunday 02:00–04:00 UTC. If your app is customer-facing in Mexico (UTC-6) that's 8–10 PM Saturday night in CDMX — plan accordingly.
Thank you both. A follow-up on the Ley Fintech path:
If I register as an ITF (Institución de Tecnología Financiera) does that automatically grant me access to all banks' Phase 2 APIs, or do I still need a per-bank agreement? The CNBV registration process seems to take 6–12 months — is there any expedited path for early-stage startups?
Also, does anyone know if the 90-day consent renewal is a hard technical limit in the bank APIs, or is it just a UX recommendation?
@fin_startup_mx — ITF registration does not automatically grant access. Each bank still controls their own Phase 2 API access list. In practice BBVA and Banorte have published public access request processes; the others require bilateral negotiations.
The 6–12 month CNBV timeline is accurate for a full ITF licence. There's no formal expedited path, but CNBV's sandbox programme (Espacio de Prueba) lets you test with synthetic data without a licence. Most early-stage startups use Belvo/Flinks as a licensed ITF intermediary while pursuing their own registration in parallel.
On the 90-day consent: it's a hard technical limit enforced by the bank's OAuth server — the refresh token expires. You must implement a consent re-authorisation flow. Most aggregators handle this automatically if you use their SDK.
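The re-authorisation requirement described in the answer above, as an added example (not part of the thread and not any aggregator's SDK): it tracks the 90-day consent lifetime per linked account and treats an OAuth `invalid_grant` response from the token endpoint as expiry, even if the clock says the consent should still be valid. `BankLink`, the function names and the 14-day prompt lead time are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

CONSENT_LIFETIME = timedelta(days=90)  # per the thread: refresh token dies at 90 days
RENEWAL_LEAD = timedelta(days=14)      # assumption: start prompting two weeks early


class ConsentState(Enum):
    ACTIVE = "active"          # safe to refresh and sync in the background
    RENEW_SOON = "renew_soon"  # still syncing, but prompt the user to re-consent
    EXPIRED = "expired"        # stop background refresh; user must re-authorise


@dataclass(frozen=True)
class BankLink:  # hypothetical record the app stores per connected account
    link_id: str
    institution: str
    consent_granted_at: datetime  # timezone-aware, set when consent completed


def consent_expiry(link: BankLink) -> datetime:
    if link.consent_granted_at.tzinfo is None:
        raise ValueError("consent_granted_at must be timezone-aware")
    return link.consent_granted_at + CONSENT_LIFETIME


def consent_state(link: BankLink, now: datetime,
                  refresh_rejected: bool = False) -> ConsentState:
    """refresh_rejected: the token endpoint returned OAuth error invalid_grant,
    e.g. because the user revoked consent at the bank before day 90."""
    expiry = consent_expiry(link)
    if refresh_rejected or now >= expiry:
        return ConsentState.EXPIRED
    if now >= expiry - RENEWAL_LEAD:
        return ConsentState.RENEW_SOON
    return ConsentState.ACTIVE


def plan_sync(links, now, rejected_ids=frozenset()):
    """Return (link_ids to sync, link_ids to send through re-consent)."""
    sync, reconsent = [], []
    for link in links:
        state = consent_state(link, now, link.link_id in rejected_ids)
        if state is not ConsentState.EXPIRED:
            sync.append(link.link_id)
        if state is not ConsentState.ACTIVE:
            reconsent.append(link.link_id)
    return sync, reconsent
```

Links in `RENEW_SOON` appear in both lists on purpose: data keeps flowing while the user is asked to re-consent, so the account does not go stale on day 90.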
Late addition: if you care about historical transaction depth, note that Belvo returns up to 24 months via official bank APIs for BBVA/Banorte, but only 3 months via scraping for institutions that don't have Phase 2 endpoints yet.
If you're using transaction history for credit underwriting or cash-flow scoring, depth matters a lot. Consider whether your model needs 12+ months for meaningful signals — that may push you toward prioritising banks with official API coverage in your launch market.
We're building a personal finance management app targeting Mexican users and need to aggregate bank account data (balances + transactions) from the major banks: BBVA México, Banamex, Santander MX, Banorte.
From my research the Mexico banking API landscape is split between:
Questions: Which approach is most production-reliable today? Is the Ley Fintech API mandate actually enforced? What's the consent UX like for each approach?