Vulnerable Activities and AML/CFT Compliance
Vulnerable Activities and AML/CFT Compliance in Mexico
Vulnerable Activities are lawful activities that the LFPIORPI subjects to identification, know-your-client, record-keeping, filings and controls to prevent transactions involving illicit funds. The regime is not limited to reporting amounts. The 2025 reform added risk-based assessment, manuals, training, automated mechanisms and audit; as of the July 9, 2026 cutoff, those obligations are subject to entry into force in accordance with the applicable Reglas de Carácter General and transitory provisions and should not be presented as fully enforceable without verifying the triggering RCG. The correct program begins by classifying the model, not by filling out a form.
Navigate according to your need
| If you need… | Consult |
|---|---|
| to know whether your activity falls under the LFPIORPI | Activities, thresholds and SPPLD registration |
| to integrate KYC and Beneficiario Controlador | Files and due diligence |
| to submit filings and control XML | Filings and XML in SPPLD |
| to build an EBR, manual or systems | EBR, manual, systems and audit |
| to correct backlogs or prepare for an inspection | Regularization, inspections and sanctions |
| to understand sector-specific obligations | Credit, real estate, virtual assets and professional services |
What changed in the regulatory framework
The LFPIORPI was reformed on July 16, 2025. Among other changes, it updated definitions and activities, strengthened the identification of the Beneficiario Controlador, extended record-keeping to ten years, incorporated registration and enrollment into the statute, and added risk-based assessment, a manual, training, automated mechanisms and audit.
The Reglamento was reformed on March 27, 2026. Its transitory provisions maintain existing rules and forms for various components while the operational regulation is updated. The SPPLD criteria have also been updated. For that reason, no static guide should replace a currency check at the time of implementation.
Hierarchy of reference
- LFPIORPI in force.
- Reglamento and reform decrees.
- Reglas de Carácter General and their amendments.
- Published forms, catalogs and XSD.
- Official criteria and frequently asked questions, identifying their advisory nature.
- Contracts, flows and facts of the specific model.
Map of obligations by stage
Compliance is best understood as a sequence of decisions and evidence. The first stage is to classify. It is determined which person materially carries out the act, whether it acts habitually or professionally, which subsection might be triggered and whether another sector-specific regime exists. The result must be a memorandum per product or flow, not a general conclusion based solely on the corporate purpose. A change of custodian, account, mandate or method of collection may alter that conclusion.
The second stage is to know the parties. Before the ability to obtain information is lost, identity, existence, representation, activity, purpose and Beneficiario Controlador are integrated. A corporate file must continue up the chain of ownership and control to natural persons, including contractual control. If a third-party payer, guarantor, trust or custodian wallet is involved, its role is documented; it is not presumed that the principal client automatically covers everyone.
The third stage is to record transactions. Each movement requires a stable identifier, date, amount, currency, account, contract and relationship with the client. The database must preserve versions and reversals. Storing only monthly balances or aggregate amounts prevents reconstructing drawdowns, advances or payments that formed an accumulation. The UMA value, multiplier and comparison rule used must also remain in the record.
The fourth stage is to decide and file. The company assesses the individual threshold, accumulation, form and calendar. For the 24-hour filing, the trigger is not an amount but facts or indicia in accordance with article 18, subsection VI. The output is subjected to a double control: technical against the XSD and catalogs, and legal-operational against the contract, file and activity. The file is not considered submitted until the status and acknowledgment are preserved.
The fifth stage is to preserve, prove and correct. The evidence must make it possible to go from a filing to each transaction and from any transaction to its file, calculation and decision. Findings are converted into actions with a population, owner, date, evidence and retest. If historical omissions exist, the assessment under article 55 starts from an authentic chronology and the complete universe, not from filing first and asking later. These stages rest on articles 17, 18, 23, 24, 25 and 55 of the LFPIORPI in force.
How to read thresholds without confusing obligations
A figure may serve different functions. Some subsections use a threshold to delimit the covered scenario; others treat the activity as vulnerable from the moment it is carried out and set a threshold for the filing. There may also be a restriction on the use of cash with its own logic. For that reason, a serious matrix never contains only “threshold”: it separates activity, identification, filing, accumulation and restriction.
The minimum control preserves:
- applicable subsection and paragraph;
- legally relevant event and date;
- multiplier and UMA in force on that date;
- original amount, conversion and decimals;
- individual and accumulated condition separately;
- transactions comprising the six-month window;
- decision, reviewer, form and acknowledgment.
The daily UMA for 2026 is $117.31 as of February 1, but a guide should not become a permanent table within the system. The parameter is obtained from the official INEGI publication, is versioned and is tested at the annual change. January transactions are not recalculated retrospectively with the new value.
Transitory status of the EBR, manual, training, systems and audit
Subsections VII through XI added to article 18 must be read together with the decree, the Reglas de Carácter General and their transitory provisions. As of the editorial cutoff of July 9, 2026, this hub distinguishes preparation from enforceability: it recommends designing the capability but does not assert that each component is fully enforceable for every obligated party without identifying the RCG that activates it and the applicable date.
A currency matrix may have five columns: added obligation, legal provision, transitory provision, triggering RCG and operational status. The status should not be merely “compliant/non-compliant.” It is more precise to use “pending RCG,” “designed,” “tested” and “activated.” In this way the board can budget and test without receiving a premature legal conclusion.
While activation is being confirmed, the organization can move forward on elements that also strengthen obligations already in force: data inventory, file, ledger, traceability, responsible parties, access controls and a regulatory monitor. If a preventive audit is carried out, it must be named as such; it is not automatically presented as the definitive statutory annual audit. When an applicable RCG is published, the impact, effective date, adjustments, approval, training and deployment are documented.
The source of truth must be the SPPLD legal framework and the official publications, not a commercial summary. The currency file preserves the version consulted and the date, in order to explain why a component was in preparation or was already operating as an enforceable obligation.
The four questions that organize compliance
1. What activity is materially carried out?
Article 17 lists activities. The analysis is not resolved by corporate purpose or marketing. One must observe what the contract promises, who executes it, how funds flow and what act the client enters into.
A company may have several activities or roles. A group may combine a financial entity, a technology provider and a non-financial obligated party. Each person and transaction retains its own regime; reports are not replaced by belonging to the same group.
2. What obligations are triggered?
Activity, identification and filing are distinct concepts. Some subsections have a threshold for the transaction to be vulnerable; others treat the activity as vulnerable and set only a filing threshold. There are also accumulation, zero reports and 24-hour filings.
The matrix must distinguish:
- material scenario;
- obligated party;
- business relationship;
- identification;
- Beneficiario Controlador;
- individual and accumulated threshold;
- cash restriction;
- form and calendar;
- risk, manual, system and audit;
- record-keeping and inspection.
3. What evidence demonstrates compliance?
The program must reconstruct the client and the transaction. The evidence includes contracts, identifications, structure, payments, calculations, alerts, decisions, filings and acknowledgments. A checklist without documents is not proof; nor is a voluminous file without an index.
The practical rule is bidirectional traceability: from a transaction, reach the file and the filing; from a filing, return to the transactions that make up its amount.
4. Who governs and maintains the program?
Legal entities and other covered figures must designate and maintain a representative. If there is no accepted designation, the law attributes the obligations to the corresponding body or administrator. The responsible party needs access, authority and a calendar; an external provider does not replace the obligated party.
The administrative body approves criteria, receives findings and allocates resources. Technology maintains integrity and changes. Operations captures data. Legal classifies and reviews. Audit tests independently.
Data governance, privacy and providers
The AML/CFT program handles identifications, corporate structures, accounts, movements, alerts and sensitive decisions. “Preserve for ten years” does not mean copying everything into any repository. There must be a data inventory that indicates purpose, source, responsible party, access, retention and destruction. Executive reports may use reference numbers and metrics; they do not need to replicate identifications, addresses or blockchain addresses.
The architecture must apply least privilege and segregation. Whoever loads data should not be able to modify parameters and approve filings without a second review. Privileged access, exports, corrections and rule changes leave a log. Backups need restoration testing. An isolated screenshot may illustrate, but it does not demonstrate integrity, coverage or version.
When a provider is involved —onboarding, screening, document custody, XML or blockchain analytics— the contract defines the population, excluded data, service level, incidents, subcontractors, record-keeping, return and right of review. The obligated party retains responsibility and must be able to obtain its files in a usable format upon termination. A provider certificate is complementary evidence, not a substitute for proving one's own flow.
The privacy assessment must accompany the design. Collection channels must be secure, privacy notices consistent, and transfers documented in accordance with the LFPDPPP in force. Minimization also improves quality: it prevents irrelevant documents from hiding critical gaps and reduces exposure in the event of an incident.
The six components of an audit-ready architecture
Classification and registration
Preserve a memorandum per product with the contract, flow, subsection, date and conclusion. SPPLD registration enables compliance but does not authorize services regulated by other laws.
File and Beneficiario Controlador
Integrate requirements per natural person, legal entity, foreign entity, trust and other figures. The declaration is checked against evidence. PEP, lists and source of funds are documented as differentiated controls.
Transaction record
Maintain an individual ledger, with a unique identifier, date, amount, currency, means of payment, contract and accumulated total. Do not overwrite historical records. Preserve the UMA and rule applied.
Filings and reports
Apply a double technical and legal review. Link the file, hash and acknowledgment. Distinguish ordinary, zero, 24-hour and amending filings.
EBR, manual and systems
The EBR defines exposure and measures. The manual translates the obligation into a procedure. The system executes and records. The audit compares the three and tests effectiveness. For these added components, the triggering RCG and transitory provisions must be verified before asserting full enforceability at the cutoff; in the meantime, they can be built and tested as preparatory capability.
Regularization and remediation
Backlogs are quantified before being corrected. Article 55 is assessed with a real chronology. Each finding produces an action, responsible party, evidence and subsequent test.
Errors that raise the risk
- assuming that being below the filing threshold eliminates every obligation;
- using SPPLD registration as a purported permit;
- storing only the balance or aggregate amount;
- identifying the representative but not the Beneficiario Controlador;
- using the same file for all types of client;
- generating XML before reconciling transactions;
- copying an EBR or manual from a financial entity;
- buying software without data and change governance;
- regularizing only what is visible and omitting the universe;
- exposing confidential information in public communications or deliverables.
Sector decision tree
Use the following path as an initial filter, not as a ruling:
Which person materially enters into or executes the act?
├─ Offers a loan, advance or credit and is not a financial entity
│ └─ review subsection IV, drawdowns, collateral and accumulation.
├─ Builds, develops, brokers or receives funds for development
│ └─ review subsections V/V Bis, roles, project, payments and form.
├─ Exchanges, facilitates, holds, stores or transfers virtual assets
│ └─ review subsection XVI, wallet control, consideration and territory.
└─ Provides professional services on the listed transactions
└─ separate preparation from execution in the name and on behalf.
After the filter, there are four common checks. First, whether another law regulates the model; SPPLD registration does not grant a sector license. Second, who is the client, representative and Beneficiario Controlador. Third, what event, amount and date feed the calculation. Fourth, what evidence and decision will be preserved. If an answer depends only on the name of the product —“marketplace,” “stablecoin,” “advisory” or “management”— the analysis has not yet reached the material function.
In hybrid models, several branches may coexist. A platform may facilitate a virtual asset, handle pesos and offer credit through different participants. Each person and flow must be analyzed, avoiding the assumption that the report or permit of one entity covers the entire group. The sector guide develops these boundaries with operational examples.
Twelve-week implementation route
| Week | Outcome |
|---|---|
| 1–2 | classification, inventory and responsible parties |
| 3–4 | regulatory matrix, registration and calendar |
| 5–6 | files and Beneficiario Controlador |
| 7–8 | ledger, thresholds, filings and acknowledgments |
| 9–10 | preparation of EBR, manual, alerts and training, verifying RCG/transitory provisions |
| 11 | reconstruction test and preventive review; statutory audit only if already enforceable |
| 12 | remediation, approval and maintenance plan |
The calendar is indicative. If historical transactions or an action by the authority exist, the priorities change.
Pillar resources
Activities, thresholds and registration
Determination and SPPLD guide explains how to separate activity, identification, filing and accumulation, including credit, factoring and portal access.
Files and due diligence
LFPIORPI file guide develops Beneficiario Controlador, foreign legal entities, PEP, lists, source and pledge credit.
Filings and XML
SPPLD filings guide covers day 17, zero reports, 24 hours, DIN/INM, catalogs, amending filings and reconciliation.
Compliance program
EBR, manual and systems guide connects methodology, mitigants, representative, technology and audit.
Regularization and inspections
Article 55 and remediation guide explains conditions, sanctions, preventive audit, matrices and inspection preparation.
Sector applications
Sector guide compares credit, real estate, virtual assets and professional services.
Next step
SVA.LAW advises on classification, files, filings, EBR, manuals, audit and regularization to turn compliance into a verifiable operational system. Schedule a conversation.
Legal basis
- LFPIORPI in force
- Reglamento reform, DOF 27-03-2026
- Official SPPLD portal
- SPPLD legal framework
- SPPLD criteria
Notice: This hub offers general information. It does not constitute legal advice, an opinion or a guarantee of compliance. Each model must be analyzed with facts, contracts and the regulation in force.
Editorial route
Dossiers in this guide
determinacion-y-alta
Vulnerable Activities: how to determine obligations, thresholds and SPPLD registration
Vulnerable Activities: how to determine obligations, thresholds and SPPLD registration | Legal keys, controls and evidence for operating in Mexico.
expedientes-y-debida-diligencia
LFPIORPI files: Beneficiario Controlador, PEP, lists and source of funds
LFPIORPI files: Beneficiario Controlador, PEP, lists and source of funds | Legal keys, controls and evidence for operating in Mexico.
avisos-y-reporteria
LFPIORPI filings and XML in SPPLD: calendar, forms and quality control
LFPIORPI filings and XML in SPPLD: calendar, forms and quality control | SVA LAW guide on regulatory decisions, operational controls and evidence in Mexico.
programa-de-cumplimiento
EBR, manual, systems and audit for Vulnerable Activities
EBR, manual, systems and audit for Vulnerable Activities | SVA LAW guide on regulatory decisions, operational controls and evidence in Mexico.
regularizacion-y-defensa-preventiva
LFPIORPI regularization: article 55, inspections, audit and sanctions
LFPIORPI regularization: article 55, inspections, audit and sanctions | SVA LAW guide on regulatory decisions, operational controls and evidence in Mexico.
aplicaciones-sectoriales
LFPIORPI by sector: credit, real estate, virtual assets and professional services
LFPIORPI by sector: credit, real estate, virtual assets and professional services | Legal keys, controls and evidence for operating in Mexico.