In general terms, an arrangement will be regarded as cloud outsourcing within the scope of the rules when a financial institution (except for an e-wallet or crowdfunding institution) contracts with a third-party service provider for the rendering of operational processes or the administration of databases and computer systems (i.e., cloud services). Generally, 30 days' prior notice must be given to the National Banking and Securities Commission (CNBV) when such services are to be provided directly from Mexico by a local service provider. However, where a bank contracts for these services, advance authorization from the CNBV would be required where such services are provided or executed partially or entirely from abroad by a foreign service provider, without taking into account whether such services affect qualitatively or quantitatively the applicable financial institution's operation.

As for e-wallet and crowdfunding institutions, advance authorization from the CNBV and the Bank of Mexico will be required if an e-wallet/crowdfunding institution intends to contract with a third-party service provider that will carry out the transmission, storage, processing, safekeeping or custody of personal or sensitive information, personal identification documents issued by official authorities or biometric information of the e-wallet/crowdfunding institution's users, and only if the service provider (i.e., a cloud service provider) has privileged access to and control of said information or its security configuration. If the cloud service provider will not have access to nor control of the information held in the cloud, authorization from the CNBV is not required.

In addition, the Federal Law for the Protection of Personal Data Held by Private Entities ("Ley Federal de Proteccion de Datos personales en Posesión de los Particulares") (LFPDPPP) applies where personal data is processed by a financial institution located in Mexico. The extraterritorial application of the LFPDPPP is limited but encompasses processing by a foreign entity (e.g., a cloud service provider) on behalf of a data controller based in Mexico. However, the particular requirements and restrictions to use cloud services for the processing of personal data are only triggered when the data controller adheres to the service provider's terms and conditions by means of general contracting conditions or clauses.