+3.6 million Online
Banking clients

70 NPS
in Mobile Banking

+2.9 million Mobile
Banking clients

9,387
ATMs

TECHNOLOGY
AND INFRASTRUCTURE
Capital

We have efficiently focused resources on bank operations, ensuring regulatory compliance and maintaining secure, stable systems so we could operate normally with a high availability in all our channels.

TECHNOLOGY
AND INFRASTRUCTURE
Capital

+3.6 million Online Banking clients

70 NPS
in Mobile Banking

+2.9 million Mobile
Banking clients

9,387
ATMs

We have efficiently focused resources on bank operations, ensuring regulatory compliance and maintaining secure, stable systems so we could operate normally with a high availability in all our channels.

Information technologies

102-15, 102-30

Strategy and course

The evolution of payment methods and push for digital banking pose a significant challenge in our ability to respond to the market with the speed it requires. In 2020, the public health emergency served as a catalyst for change, and it showed us what a great, well-coordinated team with a single focus was capable of achieving in a short period of time.

Through these work groups, we made substantial progress in our value proposition, origination, usage campaigns and loyalty programs, generating a much closer channel for communication with the commercial network, which helped us efficiently identify and address concerns. We optimized branch-related processes and tracked our net promoter scores, or NPS, for various products and channels, which served as a guide in redesigning and improving these processes. As a result, Banorte was one of the institutions best rated by its clients in relation to the overall market.

NPS products and channels

Single-product credit cards

72

Mobile Banking

70

Deposits (opening)

68

Acquiring business (opening)

56

Through a cell-based work culture we are prepared to help our clients connect and operate in a digital world, aligning processes, methodologies, labor culture and increased proximity with them, reaffirming our social commitment: a more inclusive, solidary bank.

We make it our business to prioritize technological solutions, which we executed and aligned with the atypical situation prevailing last year. We efficiently focused resources on keeping the bank running properly, ensuring regulatory compliance and the security and stability of our systems. With this we succeeded in operating normally and with high availability in all our channels.

Today, Banorte is the bank with the best digital savings and transactional offering. We completed the full digital cycle for our clients, meaning they can today handle virtually all their credit card services—from applying for a new card or requesting an additional one, administering limits, generating a digital card, blocking it temporarily in the case of loss or permanently in the event of theft, request a replacement and monitor its status until it is safely in hand, activate it, defer purchases and dispute unrecognized charges, all from their Banorte Movil banking app.

45% more new digital accounts during usage campaigns

38% of accounts placed through digital channels have an active digital card

Today, through Mobile or Web Banking, we have reduced the time it takes to open an investment from an average of 30 minutes at a bank branch to between three and five minutes through the app.

Also, part of our social responsibility commitment, 97% of individual clients with current accounts receive their account statements digitally rather than printed—substantially reducing costs while protecting the environment.

A new solution called Payment Link, which we introduced in response to the pandemic, provides a new payment channel for e-commerce: the merchant generates a URL code and sends it via any electronic media, including social media; and clients can make their payments by filling out a simple form.

With all of this, and pursuing the same strategy we have been following for several years, focused on digitalizing our clients, we handled a record number of e-commerce sales during the year.

This earned us a ranking as the 74th top acquiring business in the world according to the “Largest Merchant Acquirers Worldwide” report, and the 11th in Latin America, according to “Latin America’s Largest Acquirers”, both published by The Nilson Report in 2020.

Infrastructure

203-2

Facing digitalization

We have continued our transition to digital technologies and today have 3.6 million active digital banking clients. In the past year we worked on various projects aimed at adapting to a new post-pandemic reality, focusing mainly on digital placement, combining new easily-configured technologies and optimizing user experiences.

We transformed various processes to bring our clients new self-service models with access to assistance from their account executives. Among the most important of these are applying digitally for point-of-sale terminals, and a new process of opening a payroll loan system through tablets; also, strengthen controls and rules for disputing charges through Banorte Móvil, providing a quicker response and greater peace of mind to our clients.

We have 100% digital processes for product origination, from acquisition, activation, purchasing and withdrawals to charge disputes and payments.

The collaborative work scheme for the Banorte Móvil app allows for the platform to be updated each month, ensuring client protection and self-service for managing their accounts.

By continuing to review our technological architecture we now have protocols for the 25 most widely used bank services, meaning we can more quickly respond to requests from the channels and increase the number of transactions per second.

During the year we were the first bank offering clients the possibility of reserving a place on line at the bank via WhatsApp, another strategy for protecting our clients, avoiding having too many people at the branch at one time and shortening bank lines.

As the first bank with mobile biometrics, we introduced credit card delivery in the “Así de Fácil” (it’s just that easy) channel for authenticating clients in the field, and thus strengthening security to avoid identity theft or spoofing.

36k cards delivered with mobile biometrics

Because we are committed to financial inclusion as an institutional mission, we strengthened our strategic partnerships with fintechs, aggregators and integrators, succeeding in retaining and attracting high-value clients. One of these partnerships is with PayClip, which saw a 24% increase in billing over 2019, and 54% more transactions.

70% growth in e-commerce billing with debit cards; 90% are new clients

Also, thanks to our alliance with Google, we extended our APIs to partners like Rappi and to solutions like CoDi, ATM and other wallets.

During the year, we formed a 50/50 joint venture with Rappi that creates a talented team independent of both companies—called Tarjetas del Futuro SAPI de CV—for the purpose of offering digital financial products. The first will be a RappiCard credit card.

This deal is in keeping with GFNorte’s digital and technological strategy, because not only will it bring more digital banking and financial services to our clients, but helps us maintain our presence and gain penetration in digital financial services. This joint venture is planned as part of an extensive digital financial ecosystem for offering digital services for mobility, merchants and other payments. It will also give us access to a broad base of young users who are more focused on digital media, new technologies and new ways of doing things.

With this transaction, GFNorte reaffirms its commitment to continuing to contribute to Mexico’s development, building on its leadership position in digital financial services.

We created a 50/50 joint venture with Rappi, through which we have build a talented team independent of both companies, for the purpose of offering digital financial products.

Data security

102-15, 102-30, FN-CB-510a.1, FN-AC-510a.1, FN-IB-510b.3, FN-CB-230a.1, FN-CB-230a.2, FN-CF-230a.2, 103-1, 103-2, 103-3

Cybersecurity: protecting information in this new reality

Grupo Financiero Banorte works to continually enhance the level of security for its information assets, both external and internal. As part of this effort, pursuant to security provisions established by the CNBV in its Unified Banking Bulletin, the Risk Policies Committee authorized a methodology for classifying vulnerabilities in the area of data security according to risk level. Based on this methodology, we ran various security tests, like intrusion, secure code and platform tests. With this, our process of managing vulnerabilities is in line with international standards like ISO 27001:2013 and PCI-DSS, for which we have certifications. We also comply with CNBV and Banco de México requirements on the detection, treatment and remediation of critical, high, medium and low vulnerabilities in the infrastructure that supports the bank’s applications.

In 2020, we ran seven intrusion tests with the help of a qualified external consultant.
More than 10,000 code numbers were checked, through both black box and white box testing.
More than 7,200 platform scans were conducted on more than 5,000 servers in all of the bank’s environments.

Our Vulnerability Management Program specifies how to analyze and test vulnerabilities in the technology that supports critical applications. It covers four types of infrastructure: i) regulated applications, ii) applications within the scope of the Business Impact Analysis, iii) critical infrastructure, and iv) other requirements (servers that support some operating process). This program is aligned with the internal methodology for determining the level of risk to vulnerability, based on frequency and severity, which determines specifically which components impact the classification of risk by vulnerability type, and which is updated and authorized by the Risk Policy Committee.

Banorte has an extensive set of data security policies and procedures that define the security strategy to be followed, according both to external regulations and to best practices. These policies are authorized by the bank’s Control and Audit areas, including the Chief Information Security Officer and the Integrity Committee.

Employees receive mandatory security training programs, according to regulations, along with ongoing communication and awareness-raising campaigns. We also conduct e-mail campaigns on phishing scenarios to alert employees to this type of threat.

Each year the Internal Audit area reviews data security processes and control of banking applications, according to a program authorized by the Audit and Corporate Practices Committee.

Various sources and expert projections indicate that the frequency of cyberattack and cyberfraud is growing.

Banorte has an extensive portfolio of data security policies and procedures that define our security strategy, in keeping with external regulations and best practices.

Some examples of these are:

  • Mass theft of information from major corporations around the globe.
  • Attacks on payment systems associated with mobile devices and digital wallets.
  • Cyber-extortion based on ransomware.
  • An increase in phishing, vishing and social engineering attacks taking advantage of current issues (COVID-19, the economy, employment, banking issues and e-commerce).
  • An increase in attacks on employees working remotely, as a substantial number of companies continue to work in “home office” mode, and attacks on infrastructures that provide this remote access.
  • Attacks on the supply chain, having tested the efficacy of the attack and its difficulty of detection.

Grupo Financiero Banorte has a Security Operations Center that permanently monitors network traffic and the behavior of various applications that make up our infrastructure. We also have a security intelligence team that carries out a proactive and reiterative search for fraud alerts, as well as threats that might affect the security of our information.

In the past two years we have invested heavily both in organizational infrastructure and in the implementation of various technological tools that have enabled us to strengthen our processes, resulting in a 73% reduction in the net amount of fraud-related losses.

  • PRM: Proactive Risk Manager, the core fraud prevention platform
  • VCAS: Visa Consumer Authentication Service, a system for preventing fraud in secure e-commerce transactions (3D)
  • VRM: Visa Risk Manager, a system for preventing fraud in e-commerce transactions for VISA BINs
  • DI: Decision Intelligence, a system for preventing fraud in cross-border e-commerce transactions for Mastercard BINs
  • VERI: Biometric verification for account opening
  • UG AA: Update of the Adaptive Authentication system
  • PRM AMG: A module for generating regressive models by using machine learning
  • POC Ethoca: A concept test for the system that detects chargeback fraud/improves disputed charge issues
  • BIOCATCH: Biometric authentication system for e-banking

We comply with all laws and regulations as well as international standards and best practices. The most important of these are:

  • General provisions applicable to credit institutions, specifically the resolution to modify these provisions to include section Eight Bis –regarding information security, published on November 27, 2018 in the Official Gazette of the Federation
  • General Provisions applicable to brokerage firms
  • Credit Institutions Law
  • Federal Law on Protection of Personal Data in the Possession of Private Parties
  • ISO 27001:2013
  • Payment Card Industry Data Security Standard (PCI DSS)

Data privacy

418-1, FN-CF-220a.2

As mandated by law, Banorte has various privacy notices posted permanently on its website.

Banco Mercantil del Norte has a committee that meets quarterly to discuss personal data protection. Its purpose is to analyze, evaluate, predict risk, and to issue resolutions on the protection of personal data, through planning, monitoring, and review of policies, procedures, strategies and actions for continuous improvement in this area. It also works to build a culture of personal data protection, seeking to prioritize the interests of those to whom the data belong and their privacy, in addition to internal rules and external regulations.

The internal policy established by GFNorte regarding the protection of personal data applies to the following companies:

  • Banco Mercantil del Norte, S.A., Institución de Banca Múltiple, Grupo Financiero Banorte
  • Arrendadora y Factor Banorte, S.A. de C.V. SOFOM E.R., Grupo Financiero Banorte
  • Casa de Bolsa Banorte, S.A. de C.V., Grupo Financiero Banorte
  • Almacenadora Banorte, S.A. de C.V., Organización Auxiliar del Crédito, Grupo Financiero Banorte
  • Fundación Banorte A.B.P.
  • Administradora de Servicios Profesionales Especializados, S.A. de C.V. (ASPE)
  • Seguros Banorte, S.A. de C.V., Grupo Financiero Banorte
  • Pensiones Banorte, S.A. de C.V., Grupo Financiero Banorte

The Internal Audit area conducts an annual audit of Banco Mercantil del Norte, regarding its compliance with the Federal Law on Protection of Personal Data in the Possession of Private Parties. It also covers these aspects in its reviews of various processes.

Additionally, in previous years we have engaged external experts to verify compliance with personal data protection regulations at Banco Mercantil del Norte.

Among the main actions taken to ensure compliance in this area are:

Banorte’s internal regulations stipulate the possible sanctions for non-compliance with personal data protection regulations.
Client data remain in our systems for a period of ten years following the end of our commercial relationship with them, as established by law.
Employees receive annual training on personal data protection. In 2020, 97% of our people were trained. We also maintain an awareness-building campaign for all our staff through various internal communication channels.

In 2020 we received, through our Client Experience area, 93 claims regarding protection of personal data. The Personal Data Protection Committee evaluated all of these and determined that none of them represented demonstrable actions by the bank in violation of data protection laws that might affect the client.

Note: The circumstances under which personal data might be transferred are described in our privacy notice, published at www.banorte.com. Updates to the privacy notice may also be viewed on our website at www.banorte.com