Credit bureau in Mexico

The credit bureau was exempt from compliance with the law of personal data protection until December 1, 2021, when the Second Chamber of the Supreme Court resolved an amparo in favor of a citizen who claimed access to his personal information from a credit bureau and was rejected. Now that citizen can go through life knowing that the personal data protection law protects him in the exercise of his rights of access, rectification, cancellation and opposition (ARCO) on personal information.

There was never any justification for the credit bureaus – called societies of credit information in the regulatory framework of Mexico – were out of compliance with the personal data law. The only reason was the financial industry lobbying power. When the protection regime in Mexico was designed at the end of the first decade of this century, the financial industry It managed to impose the consideration of fiduciary or banking secrecy to the data collected by the credit bureaus and place them in a separate regulatory sphere, despite the fact that they collect and treat very sensitive data of the users of financial services.

Credit bureaus have enormous power over the processing of personal data, informational self-determination and the enjoyment of citizens’ rights. Despite this, the Inai, responsible for the protection of personal data, has no authority over them: the control and regulation of the credit bureaus rests with the Ministry of Finance, through the National Banking and Securities Commission, Banco de México, Profeco and the Condusef.

The Second Chamber determined that this is wrong: “It is not possible for credit institutions to be excluded from the personal data protection regime. (…) (Its exception creates) a violation also of the principles of legality and legal security of the complainant, by not finding any justification or valid legal assumption that allows the valid exclusion of the ‘credit institutions’ or even that prevents the Inai learn about the procedure habeas data for the effective exercise of ARCO rights of users of the banking and credit service ”, reads the sentence of Minister Alberto Pérez Dayán approved by the Chamber.

The resolution obliges Inai to guarantee the enjoyment of rights to the complaining citizen, who had attended that institute in 2017 due to the refusal of the credit bureau. The Inai had resolved, in accordance with the law, that the complainant could not exercise ARCO rights. The resolution is a victory for the Inai, which by losing achieves a legal criterion to advance in the opening of the credit bureaus.

The function of a credit bureau is to know and publicize the payment behavior of individuals and companies, identify defaulters and help reduce risks for financial institutions. A legitimate function. The idea is to create a “credit history” to detect if they have debts or are in an economic situation that prevents them from contracting new debt. Information is collected for at least 6 years.

But credit bureaus can also serve as tools to invade privacy and intimacy and to discriminate without the possibility of defending those affected. All users of financial services, as well as those who opened an account in the most popular bank or those who took out a washing machine in a department store for months, they have a record in the databases of credit information companies.

I wrote a few years ago: “The need to measure the credit risk, especially in situations where the judicial system is incapable of helping to recover debts, but nothing justifies that the processing of personal data is carried out without complying with the principles of legality, consent, information, quality, purpose, loyalty, proportionality and responsibility ”.

Regarding the violation of the principles of hearing, legality and security indicated by Pérez Dayán, attention must be paid to the violation of the principle of information, which should be understood as transparency and access to data. Those of us who integrate the databases of the credit bureaus (the “clients”, as we are called in the law) can hardly know the records that are kept of us. The Law to Regulate Credit Information Companies gives us the right to request each year a “special credit report”, a copy of our history or a part of our credit history. We have the prerogative to file a claim if we consider that something is wrong in the report, but always under the financial regulatory framework and never on the exercise of human rights.

The credit bureau has existed in Mexico since 1995, a year after the start of the financial crisis known as “the December error” in the government of Ernesto Zedillo. It was created with capital from Banamex (today Citi), Bancomer (today BBVA) and Serfin (today Santander) in partnership with the company Transunion de México. Today the largest companies recognized by the authority are Buró de Crédito and Círculo de Crédito. The law on data protection for individuals was published in 2010.

The credit bureau is nourished with information provided by the commercial banks and the development Bank, public bodies with credit activity (such as Fovissste), department stores that offer credit, mortgage financing and automotive, phone companies, leasing companies, fintech or cooperative savings and loan societies.

The decision of the Second Chamber only has effect for the person who requested the protection of justice against the refusal of Círculo de Crédito to give him access to his personal data (Amparo in Review 179/2021). This means that if today you want to exercise your rights to protect personal data with a credit bureau, you will most likely be prevented by the data law.

So that the access to personal information In the credit bureaus, with the criteria of the personal data protection law, it is universal, two things are needed: that there is jurisprudence or that there are changes in the law.

No one knows what will happen first, but the resolution of the Second Chamber is an incentive for legislators to put the accelerator on and correct an arbitrariness in force for years.

Jose Soto Galindo

Editor of El Economista online


Journalist. Since 2010 he has edited the digital version of El Economista in Mexico City. Master in Transparency and Protection of Personal Data from the University of Guadalajara. He specializes in telecommunications and information technology law. His personal blog is Economicón.

Leave a Comment