e-KYC and Biometrics: Legal Risks and Best Practices

FINANCE AND BANKING / by Miguel Gallardo Guerra

The implementation of electronic Know Your Customer (e-KYC) processes has revolutionized how financial institutions onboard their users. Thanks to biometric technologies, such as facial recognition or fingerprint validation, verifying a customer’s identity now takes just seconds, without needing to visit a physical branch.

This efficiency, however, must be balanced with regulatory compliance and personal data protection. In Mexico, the use of biometrics in the financial sector is regulated by provisions issued by the CNBV, the Personal Data Protection in Possession of Individuals Law, and technical guidelines from Banco de México.

From a legal perspective, we have identified three critical areas that every institution must address:

1. Informed consent: Clients must clearly authorize the use of their biometric data and understand the scope of its processing.
   
2. Information security: Biometric data is highly sensitive and must be stored using high standards of protection and encryption.
   
3. Proportional use and specific purpose: Not every verification requires biometrics. Its use must be limited to strictly necessary identification purposes.
   

Additionally, the use of e-KYC must be integrated into AML/CFT compliance systems, ensuring that identity validation aligns with risk profiles and required regulatory reporting. In certain cases, the implementation of technological mechanisms for biometric identification, such as facial or fingerprint verification, requires prior authorization from the CNBV, in accordance with the applicable provisions and established operational thresholds, as well as compliance with specific technical requirements.

At Bello, Gallardo, Bonequi y García, SC (“bgbg”), we have advised fintechs, SOFOMES, and banks in the legal implementation of these processes, helping ensure that technology not only streamlines operations but also builds trust and reduces exposure to regulatory sanctions.

Digital identity is the new face of the customer. Protecting it is part of our legal duty.

Let’s keep in contact!

Photo. Rights free.