Resolución CNBV de biometría facial: guía de cumplimiento 2026
News

Facial Biometrics in Mexican Banking: What the New CNBV Resolution Requires and How to Be Compliant by November

The resolution published on July 1 in Mexico’s Official Gazette of the Federation formally authorizes facial recognition as an identity verification factor for higher-risk banking operations and introduces, through the new Annex 71, a set of binding technical specifications. For credit institutions, this is not a product announcement—it’s a compliance project with a ticking clock. Here’s what the regulation requires, the public debate your teams will need to navigate, and how each requirement translates into an auditable technology architecture.

On July 1, 2026, Mexico’s National Banking and Securities Commission (CNBV) amended the General Provisions Applicable to Credit Institutions to explicitly incorporate facial recognition into the approved identity verification mechanisms, alongside fingerprint verification. The resolution entered into force on July 2, triggering a clear countdown for compliance, risk, and technology teams: 90 business days to align processes and infrastructure.

The operational details matter, because they define the implementation roadmap.

Scope: Which Operations and Which Accounts?

The regulation does not require biometrics for every banking procedure. It targets higher-risk in-person transactions:

Passive operations associated with Level 4 accounts.

Active transactions, payment services, or payment instrument operations linked to Level 3 and Level 4 accounts, whether opened at the institution itself or elsewhere.

To understand the scope, it’s important to recall how these account levels fit within the CNBV’s simplified customer identification framework:

Level 3. Accounts requiring enhanced customer identification (name, official ID, proof of address, and contact details), with a monthly deposit limit of approximately 10,000 UDIs. Available to both individuals and legal entities.

Level 4. Traditional bank accounts with full customer identification files and no deposit limit. This is the segment with the highest exposure to money laundering and fraud risks.

In other words, the regulator concentrates biometric verification precisely where identity fraud has the greatest consequences. For banks, this clearly defines the workflows requiring attention: remote onboarding, strong customer authentication, and authorization of high-value transactions.

Two structural conditions complete the regulatory framework.

First, a biometric record may only be incorporated into a bank’s own database after being matched against official records—such as those maintained by the INE, SRE, the tax authority, or another federal agency offering biometric verification—with a minimum 90% match rate.

Second, biometric databases cannot be sold, transferred, shared, or made interoperable with other institutions or third parties. At present, only fingerprints and facial biometrics are permitted.

At Facephi, we see a significant difference between simply meeting the legal requirements and truly complying with Annex 71 in a way that provides real protection. Implementation details make all the difference: how identity matching is performed against INE or SRE databases, how deepfakes are detected, how every verification is logged for inspection, how biometric templates are tokenized and protected, where the data resides, and how complete audit trails are maintained. Choosing the right technology provider is therefore fundamental.


Schedule a demo for your compliance team and we’ll show you, step by step, how each CNBV requirement translates into a process that your risk and audit teams can independently verify.


Public Concerns Around the Resolution

Public debate is already gaining momentum:

“Your face will become your signature.”

“Will banks store my face and fingerprints?”

“What happens if they’re hacked?”

Behind these headlines lies a technically valid concern that compliance teams should prepare to address, because it will inevitably come from customers, journalists, and regulators alike.

A compromised password can be replaced. A face or fingerprint cannot.

Biometric data is permanent, and safeguarding it requires security standards well beyond conventional cybersecurity practices.

The resolution recognizes this risk and translates it into concrete technical obligations.

The new Annex 71 does not simply authorize facial recognition in the abstract. It authorizes its use only when institutions can demonstrate logical segregation of biometric databases, encryption, liveness detection, full auditability, and irreversible deletion procedures.

For financial institutions, the right way to interpret the regulation is not “comply so we can use biometrics.”

It is:“Use biometrics in a way that is compliant by design.”

That distinction is what separates an inspection finding from an effective control.

The Compliance Clock Is Already Ticking

For compliance teams, the deadlines are clear:

Around August 1, 2026 (30 calendar days)

Institutions with an active biometric database must submit the notification required under Annex 75, indicating the database creation date and the biometric modalities stored. Filing the notice carries neither fees nor penalties.

Late October / Early November 2026 (90 business days)

Full compliance with the amended provisions and the technical requirements established in Annex 71, including facial biometric systems.

International developments add further pressure.

Mexico retains its standing with the Financial Action Task Force (FATF) but faces an on-site evaluation during 2026. Meanwhile, FinCEN’s June 2025 actions against Mexican financial institutions made one point unmistakably clear: regulators assess the actual effectiveness of controls—not merely whether policies exist on paper.

In that context, a biometric identity verification system that documents every decision and withstands regulatory scrutiny becomes part of the evidence demonstrating that an institution’s anti-fraud controls genuinely work.

Frequently Asked Questions

What does the new CNBV resolution establish regarding facial biometrics?

The resolution, published in the Official Gazette of the Federation on July 1, 2026, formally authorizes facial recognition as an identity verification factor in Mexican banking and replaces Annex 71 with binding technical specifications. It applies to higher-risk in-person operations involving Level 3 and Level 4 accounts.

When does the regulation take effect, and how long do banks have to comply?

The regulation entered into force on July 2, 2026, one day after publication. Credit institutions have 90 business days—until late October or early November 2026—to fully align their processes and infrastructure with Annex 71, including facial biometric systems.

Which accounts and transactions require facial biometric verification?

The requirements apply to passive transactions involving Level 4 accounts and active transactions, payment services, or payment instrument operations involving Level 3 and Level 4 accounts.

Level 3 accounts require enhanced customer identification and have a monthly deposit limit of approximately 10,000 UDIs.

Level 4 accounts are traditional bank accounts with full customer due diligence and no deposit limits.

What is CNBV Annex 71?

Annex 71 is the technical annex that the resolution completely replaces. It defines the requirements for fingerprint verification (Section I) and facial biometric verification (Section II), including 1:1 matching against official records, liveness detection, encryption, logical database segregation, and secure deletion. It is the technical specification banks must demonstrate compliance with.

What is the Annex 75 notification, and when is it due?

Institutions operating an active biometric database must notify the CNBV using the Annex 75 format, indicating the database creation date and the biometric modalities stored.

The deadline is 30 calendar days, approximately August 1, 2026, and filing the notification carries neither fees nor penalties.

Will banks store my face? Is it safe?

A properly designed biometric system does not store a photograph of your face. Instead, it stores a tokenized biometric template—an irreversible mathematical representation from which the original facial image cannot be reconstructed.

The biometric data is validated against official records maintained by agencies such as the INE or SRE, and the regulation expressly prohibits selling, transferring, or sharing biometric databases between institutions.

What technical requirements does Annex 71 establish for facial recognition?

Annex 71 requires:

  • 1:1 facial matching against INE or SRE records with a minimum 90% match rate.
  • Presentation Attack Detection (PAD) compliant with ISO/IEC 30107-3.
  • Deduplication referencing NIST FRVT methodologies.
  • Encryption both in transit and at rest.
  • Logical segregation of biometric databases.
  • Irreversible deletion when operations cease.

Can a deepfake fool a bank’s facial recognition system?

This is precisely why the regulation mandates Presentation Attack Detection compliant with ISO/IEC 30107-3.

Modern passive liveness detection distinguishes a real person from photographs, videos, or synthetic faces without adding friction to the customer experience, while image injection detection addresses one of today’s most sophisticated fraud vectors.

What happens if a financial institution fails to comply with the CNBV resolution?

Non-compliance exposes institutions to inspection findings during CNBV supervisory visits, as well as regulatory and reputational risks—particularly in a year when Mexico faces a FATF on-site evaluation.

Ultimately, supervisors assess whether controls work effectively in practice, not simply whether they exist in written policies.

Ready to protect your users?

Discover how Facephi's biometric technology can safeguard your identity verification process.

Facephi Facephi Identity Platform Onboarding Authentication UX Consultancy Facephi Builder Facephi Central Services Fraud Intelligence Platform Identity Fabric KYB Platform Teseo Identity Wallet IDV Suite Cuentas Mula Behavioural Biometrics Linkedin YouTube X Facebook
Secret Link