e-KYC and Biometrics: Legal Risks and Best Practices

BANKING AND FINANCE / by Miguel Gallardo Guerra

The implementation of digital customer identification processes, known as e-KYC (electronic Know Your Customer), has revolutionized the way financial institutions identify their customers. Thanks to biometric technologies, such as facial recognition and fingerprint verification, it is now possible to verify a person’s identity in seconds without having to visit a branch. 

This efficiency, however, must be balanced against regulatory compliance and the protection of personal data. In Mexico, the use of biometrics in the financial sector is regulated by various provisions issued by the CNBV, the Federal Law on the Protection of Personal Data Held by Private Parties, and technical guidelines from the Bank of Mexico.

From a legal perspective, we have identified three critical areas that every organization must address:

1. Informed consent: The customer must clearly consent to the use of their biometric data and understand the scope of its processing.
   
2. Information security: Biometric data is sensitive, and its storage must meet high standards of protection and encryption.
   
3. Proportional use and specific purpose: Not every verification requires biometrics. Their use must be limited to the identification purposes that are strictly necessary.
   

In addition, the use of e-KYC must be integrated into AML/CFT compliance systems so that identity verification is aligned with risk profiles and required regulatory reporting. In certain cases, the implementation of biometric identification technologies, such as facial or fingerprint verification, requires prior authorization from the CNBV, in accordance with applicable provisions and established operational thresholds, as well as compliance with various specific technical requirements.

At the law firm Bello, Gallardo, Bonequi y García, SC (“bgbg”), we have assisted various fintech companies, SOFOMES, and banks with the legal implementation of these processes, ensuring that technology not only streamlines operations but also builds trust and reduces the risk of penalties.

Digital identity is the new face of the customer. Ensuring that we protect it is also part of our legal responsibility.

See you later!