Vulnerable Activities and AML/CFT Compliance

Vulnerable Activities and AML/CFT Compliance in Mexico

In brief

Vulnerable Activities are lawful activities that the LFPIORPI subjects to identification, know-your-client, record-keeping, filings and controls to prevent transactions involving illicit funds. The regime is not limited to reporting amounts. The 2025 reform added risk-based assessment, manuals, training, automated mechanisms and audit; as of the July 9, 2026 cutoff, those obligations are subject to entry into force in accordance with the applicable Reglas de Carácter General and transitory provisions and should not be presented as fully enforceable without verifying the triggering RCG. The correct program begins by classifying the model, not by filling out a form.

Conceptual map of the compliance cycle for Vulnerable Activities in Mexico.
Compliance is designed as a continuous system: first the perimeter is defined, then evidence of every decision is preserved.
Navigate according to your need. Columns: If you need… and Consult.
If you need… Consult
to know whether your activity falls under the LFPIORPI Activities, thresholds and SPPLD registration
to integrate KYC and Beneficiario Controlador Files and due diligence
to submit filings and control XML Filings and XML in SPPLD
to build an EBR, manual or systems EBR, manual, systems and audit
to correct backlogs or prepare for an inspection Regularization, inspections and sanctions
to understand sector-specific obligations Credit, real estate, virtual assets and professional services

What changed in the regulatory framework

The LFPIORPI was reformed on July 16, 2025. Among other changes, it updated definitions and activities, strengthened the identification of the Beneficiario Controlador, extended record-keeping to ten years, incorporated registration and enrollment into the statute, and added risk-based assessment, a manual, training, automated mechanisms and audit.

The Reglamento was reformed on March 27, 2026. Its transitory provisions maintain existing rules and forms for various components while the operational regulation is updated. The SPPLD criteria have also been updated. For that reason, no static guide should replace a currency check at the time of implementation.

Hierarchy of reference

  1. LFPIORPI in force.
  2. Reglamento and reform decrees.
  3. Reglas de Carácter General and their amendments.
  4. Published forms, catalogs and XSD.
  5. Official criteria and frequently asked questions, identifying their advisory nature.
  6. Contracts, flows and facts of the specific model.

Map of obligations by stage

Compliance is best understood as a sequence of decisions and evidence. The first stage is to classify. It is determined which person materially carries out the act, whether it acts habitually or professionally, which subsection might be triggered and whether another sector-specific regime exists. The result must be a memorandum per product or flow, not a general conclusion based solely on the corporate purpose. A change of custodian, account, mandate or method of collection may alter that conclusion.

The second stage is to know the parties. Before the ability to obtain information is lost, identity, existence, representation, activity, purpose and Beneficiario Controlador are integrated. A corporate file must continue up the chain of ownership and control to natural persons, including contractual control. If a third-party payer, guarantor, trust or custodian wallet is involved, its role is documented; it is not presumed that the principal client automatically covers everyone.

The third stage is to record transactions. Each movement requires a stable identifier, date, amount, currency, account, contract and relationship with the client. The database must preserve versions and reversals. Storing only monthly balances or aggregate amounts prevents reconstructing drawdowns, advances or payments that formed an accumulation. The UMA value, multiplier and comparison rule used must also remain in the record.

The fourth stage is to decide and file. The company assesses the individual threshold, accumulation, form and calendar. For the 24-hour filing, the trigger is not an amount but facts or indicia in accordance with article 18, subsection VI. The output is subjected to a double control: technical against the XSD and catalogs, and legal-operational against the contract, file and activity. The file is not considered submitted until the status and acknowledgment are preserved.

The fifth stage is to preserve, prove and correct. The evidence must make it possible to go from a filing to each transaction and from any transaction to its file, calculation and decision. Findings are converted into actions with a population, owner, date, evidence and retest. If historical omissions exist, the assessment under article 55 starts from an authentic chronology and the complete universe, not from filing first and asking later. These stages rest on articles 17, 18, 23, 24, 25 and 55 of the LFPIORPI in force.

How to read thresholds without confusing obligations

A figure may serve different functions. Some subsections use a threshold to delimit the covered scenario; others treat the activity as vulnerable from the moment it is carried out and set a threshold for the filing. There may also be a restriction on the use of cash with its own logic. For that reason, a serious matrix never contains only “threshold”: it separates activity, identification, filing, accumulation and restriction.

The minimum control preserves:

  • applicable subsection and paragraph;
  • legally relevant event and date;
  • multiplier and UMA in force on that date;
  • original amount, conversion and decimals;
  • individual and accumulated condition separately;
  • transactions comprising the six-month window;
  • decision, reviewer, form and acknowledgment.

The daily UMA for 2026 is $117.31 as of February 1, but a guide should not become a permanent table within the system. The parameter is obtained from the official INEGI publication, is versioned and is tested at the annual change. January transactions are not recalculated retrospectively with the new value.

Transitory status of the EBR, manual, training, systems and audit

Subsections VII through XI added to article 18 must be read together with the decree, the Reglas de Carácter General and their transitory provisions. As of the editorial cutoff of July 9, 2026, this hub distinguishes preparation from enforceability: it recommends designing the capability but does not assert that each component is fully enforceable for every obligated party without identifying the RCG that activates it and the applicable date.

A currency matrix may have five columns: added obligation, legal provision, transitory provision, triggering RCG and operational status. The status should not be merely “compliant/non-compliant.” It is more precise to use “pending RCG,” “designed,” “tested” and “activated.” In this way the board can budget and test without receiving a premature legal conclusion.

While activation is being confirmed, the organization can move forward on elements that also strengthen obligations already in force: data inventory, file, ledger, traceability, responsible parties, access controls and a regulatory monitor. If a preventive audit is carried out, it must be named as such; it is not automatically presented as the definitive statutory annual audit. When an applicable RCG is published, the impact, effective date, adjustments, approval, training and deployment are documented.

The source of truth must be the SPPLD legal framework and the official publications, not a commercial summary. The currency file preserves the version consulted and the date, in order to explain why a component was in preparation or was already operating as an enforceable obligation.

The four questions that organize compliance

1. What activity is materially carried out?

Article 17 lists activities. The analysis is not resolved by corporate purpose or marketing. One must observe what the contract promises, who executes it, how funds flow and what act the client enters into.

A company may have several activities or roles. A group may combine a financial entity, a technology provider and a non-financial obligated party. Each person and transaction retains its own regime; reports are not replaced by belonging to the same group.

2. What obligations are triggered?

Activity, identification and filing are distinct concepts. Some subsections have a threshold for the transaction to be vulnerable; others treat the activity as vulnerable and set only a filing threshold. There are also accumulation, zero reports and 24-hour filings.

The matrix must distinguish:

  • material scenario;
  • obligated party;
  • business relationship;
  • identification;
  • Beneficiario Controlador;
  • individual and accumulated threshold;
  • cash restriction;
  • form and calendar;
  • risk, manual, system and audit;
  • record-keeping and inspection.

3. What evidence demonstrates compliance?

The program must reconstruct the client and the transaction. The evidence includes contracts, identifications, structure, payments, calculations, alerts, decisions, filings and acknowledgments. A checklist without documents is not proof; nor is a voluminous file without an index.

The practical rule is bidirectional traceability: from a transaction, reach the file and the filing; from a filing, return to the transactions that make up its amount.

4. Who governs and maintains the program?

Legal entities and other covered figures must designate and maintain a representative. If there is no accepted designation, the law attributes the obligations to the corresponding body or administrator. The responsible party needs access, authority and a calendar; an external provider does not replace the obligated party.

The administrative body approves criteria, receives findings and allocates resources. Technology maintains integrity and changes. Operations captures data. Legal classifies and reviews. Audit tests independently.

Data governance, privacy and providers

The AML/CFT program handles identifications, corporate structures, accounts, movements, alerts and sensitive decisions. “Preserve for ten years” does not mean copying everything into any repository. There must be a data inventory that indicates purpose, source, responsible party, access, retention and destruction. Executive reports may use reference numbers and metrics; they do not need to replicate identifications, addresses or blockchain addresses.

The architecture must apply least privilege and segregation. Whoever loads data should not be able to modify parameters and approve filings without a second review. Privileged access, exports, corrections and rule changes leave a log. Backups need restoration testing. An isolated screenshot may illustrate, but it does not demonstrate integrity, coverage or version.

When a provider is involved —onboarding, screening, document custody, XML or blockchain analytics— the contract defines the population, excluded data, service level, incidents, subcontractors, record-keeping, return and right of review. The obligated party retains responsibility and must be able to obtain its files in a usable format upon termination. A provider certificate is complementary evidence, not a substitute for proving one's own flow.

The privacy assessment must accompany the design. Collection channels must be secure, privacy notices consistent, and transfers documented in accordance with the LFPDPPP in force. Minimization also improves quality: it prevents irrelevant documents from hiding critical gaps and reduces exposure in the event of an incident.

The six components of an audit-ready architecture

Classification and registration

Preserve a memorandum per product with the contract, flow, subsection, date and conclusion. SPPLD registration enables compliance but does not authorize services regulated by other laws.

File and Beneficiario Controlador

Integrate requirements per natural person, legal entity, foreign entity, trust and other figures. The declaration is checked against evidence. PEP, lists and source of funds are documented as differentiated controls.

Transaction record

Maintain an individual ledger, with a unique identifier, date, amount, currency, means of payment, contract and accumulated total. Do not overwrite historical records. Preserve the UMA and rule applied.

Filings and reports

Apply a double technical and legal review. Link the file, hash and acknowledgment. Distinguish ordinary, zero, 24-hour and amending filings.

EBR, manual and systems

The EBR defines exposure and measures. The manual translates the obligation into a procedure. The system executes and records. The audit compares the three and tests effectiveness. For these added components, the triggering RCG and transitory provisions must be verified before asserting full enforceability at the cutoff; in the meantime, they can be built and tested as preparatory capability.

Regularization and remediation

Backlogs are quantified before being corrected. Article 55 is assessed with a real chronology. Each finding produces an action, responsible party, evidence and subsequent test.

Errors that raise the risk

  • assuming that being below the filing threshold eliminates every obligation;
  • using SPPLD registration as a purported permit;
  • storing only the balance or aggregate amount;
  • identifying the representative but not the Beneficiario Controlador;
  • using the same file for all types of client;
  • generating XML before reconciling transactions;
  • copying an EBR or manual from a financial entity;
  • buying software without data and change governance;
  • regularizing only what is visible and omitting the universe;
  • exposing confidential information in public communications or deliverables.

Sector decision tree

Use the following path as an initial filter, not as a ruling:

Which person materially enters into or executes the act?
├─ Offers a loan, advance or credit and is not a financial entity
│  └─ review subsection IV, drawdowns, collateral and accumulation.
├─ Builds, develops, brokers or receives funds for development
│  └─ review subsections V/V Bis, roles, project, payments and form.
├─ Exchanges, facilitates, holds, stores or transfers virtual assets
│  └─ review subsection XVI, wallet control, consideration and territory.
└─ Provides professional services on the listed transactions
   └─ separate preparation from execution in the name and on behalf.

After the filter, there are four common checks. First, whether another law regulates the model; SPPLD registration does not grant a sector license. Second, who is the client, representative and Beneficiario Controlador. Third, what event, amount and date feed the calculation. Fourth, what evidence and decision will be preserved. If an answer depends only on the name of the product —“marketplace,” “stablecoin,” “advisory” or “management”— the analysis has not yet reached the material function.

In hybrid models, several branches may coexist. A platform may facilitate a virtual asset, handle pesos and offer credit through different participants. Each person and flow must be analyzed, avoiding the assumption that the report or permit of one entity covers the entire group. The sector guide develops these boundaries with operational examples.

Twelve-week implementation route

Twelve-week implementation route. Columns: Week and Outcome.
Week Outcome
1–2 classification, inventory and responsible parties
3–4 regulatory matrix, registration and calendar
5–6 files and Beneficiario Controlador
7–8 ledger, thresholds, filings and acknowledgments
9–10 preparation of EBR, manual, alerts and training, verifying RCG/transitory provisions
11 reconstruction test and preventive review; statutory audit only if already enforceable
12 remediation, approval and maintenance plan

The calendar is indicative. If historical transactions or an action by the authority exist, the priorities change.

Pillar resources

Activities, thresholds and registration

Determination and SPPLD guide explains how to separate activity, identification, filing and accumulation, including credit, factoring and portal access.

Files and due diligence

LFPIORPI file guide develops Beneficiario Controlador, foreign legal entities, PEP, lists, source and pledge credit.

Filings and XML

SPPLD filings guide covers day 17, zero reports, 24 hours, DIN/INM, catalogs, amending filings and reconciliation.

Compliance program

EBR, manual and systems guide connects methodology, mitigants, representative, technology and audit.

Regularization and inspections

Article 55 and remediation guide explains conditions, sanctions, preventive audit, matrices and inspection preparation.

Sector applications

Sector guide compares credit, real estate, virtual assets and professional services.

Next step

SVA.LAW advises on classification, files, filings, EBR, manuals, audit and regularization to turn compliance into a verifiable operational system. Schedule a conversation.


Notice: This hub offers general information. It does not constitute legal advice, an opinion or a guarantee of compliance. Each model must be analyzed with facts, contracts and the regulation in force.

Editorial route