Yes, outsourcing by financial institutions — including in respect of cloud services — is regulated, and some specific requirements apply in relation to providing cloud services to financial institutions.

The laws that regulate each kind of financial institution set out the requirements that such institutions must comply with to achieve authorization to procure sourced cloud services.

• Article 328 of the General Rules Applicable to Banks (the "Circular Única de Bancos") sets out the rules regarding outsourcing by banks (institución de crédito)
• Articles 44, 45, 50 and 51 of the General Rules Applicable to Electronic Payment Fund Institutions ("Disposiciones aplicables a las instituciones de fondos de pago electrónico a que se refieren los artículos 48, segundo párrafo; 54, primer párrafo y 56, primer y segundo párrafos de la Ley para Regular las Instituciones de Tecnología Financiera") set out the rules regarding outsourcing by e-wallet institutions (institución de fondos de pago electrónico)
• Articles 85, 86 and 87 of the General Rules Applicable to Financial Technology Institutions ("Disposiciones de Caracter General Aplicables a las Instituciones de Tecnología Financiera") set out the rules regarding outsourcing by crowdfunding institutions (institución de financiamiento colectivo)
• Article 206 of the General Rules Applicable to Brokerage (the "Circular Única de Casas de Bolsa") sets out the rules regarding outsourcing by brokerage firms (casa de bolsa)

In addition, the Federal Law for the Protection of Personal Data Held by Private Entities ("Ley Federal de Proteccion de Datos personales en Posesión de los Particulares") applies to any financial institution that processes personal data. In that regard, the restrictions and requirements for private entities using cloud services to process personal data would apply.