If a financial institution does not comply with the regulatory requirements applicable to it, the National Banking and Securities Commission (CNBV) can request that the institution terminate the contractual relationship with the cloud service provider. It can also potentially impose administrative sanctions on the financial institution (these sanctions will be determined by the authority on a case-by-case basis and may vary depending on the severity of the breach).

In addition, from a privacy perspective, not complying with the requirements set forth by the Federal Law for the Protection of Personal Data Held by Private Entities ("Ley Federal de Proteccion de Datos personales en Posesión de los Particulares") could result in the imposition of a fine on the data controller. See the response to the question on data privacy and/or data security laws for more information.