Vulnerable Activities and AML Compliance
Vulnerable Activities: how to determine obligations, thresholds and registration in SPPLD
Determining whether a transaction is subject to the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI) requires separating four questions: who carries out the activity, what the specific act is, whether an identification or reporting threshold is triggered, and what obligations exist even without a report. Registration in the Money Laundering Prevention Portal System (SPPLD) is a compliance procedure, not a commercial authorization. The analysis must be documented before automating reports or designing files.
Validity. This document considers the LFPIORPI as last amended on July 16, 2025 and the Regulations amended on March 27, 2026. The rules, criteria, formats and transitory provisions must be verified again before executing an operational change.
Contents
- Credit and administration of resources
- Pawn credit
- Matrix of activities and thresholds
- Accumulation over six months
- SPPLD registration and authorization
- Compliance prior to access
- Factoring and assignment of credit
- Loan, advance and credit
- Reportable transactions
- Compliance implementation map
Common framework
Article 17 of the LFPIORPI enumerates the Vulnerable Activities. Article 18 concentrates obligations of identification, knowledge, Beneficiario Controlador, retention, reports, risk assessment and other controls. Article 23 sets as a general rule that the report be filed no later than the 17th day of the following month. The official portal allows registration, reports and filings to be processed.
The most frequent error is to turn the analysis into a question of amount. The nature of the service must first be characterized. Then it is determined which obligation is triggered by mere performance, which depends on a threshold and which operates through accumulation.
When do credit and administration of resources trigger LFPIORPI?
A useful diagnostic draws the flow from start to finish: who funds, who decides the disbursement, in whose name the account is held, who instructs payments and who receives the consideration. This map avoids confusing advisory, origination or collection with effective administration of resources.
In non-financial credit it is advisable to record by product: lender, borrower, disposition date, amount, collateral, payments and accumulated total. In professional services a distinction must be made between preparing documents or giving advice —which does not automatically amount to carrying out the transaction— and executing financial acts on behalf of the client.
Hypothetical example. A platform presents applicants and calculates payment capacity, but a third party enters into and funds the loans. Its classification should not be resolved by calling the contract a “marketplace”: it is reviewed whether the platform offers the credit, acts on behalf of the lender or administers resources.
How to put it into practice
For an initial review it is advisable to verify: (1) who is obligated to deliver resources; (2) whether there is a credit line or only intermediation; (3) who may order charges or credits; (4) whether the party acts in its own name or in representation; and (5) whether the service is repeated as a business activity. The conclusion must be recorded by product and reviewed when the funder, the concentration account or the mandate changes. This avoids automatically transferring the classification of one flow to another that operates differently.
Legal basis
LFPIORPI, Article 17, sections IV and XI, and Article 18, in its current text.
Why does pawn credit require additional analysis?
The operational file must not stop at identification and contract. It must relate the borrower, guarantor, owner of the asset, appraiser, depositary and payment accounts. When these functions are distributed among providers, the obligated party needs to retain evidence of which control each one carried out.
A good record connects four layers: contract, disposition, collateral and payments. If the collateral is received from a third party, its relationship with the client and the legitimate origin of the asset are documented. If it is released or substituted, the log must preserve authorization and date. This design makes the file verifiable without relying on subsequent explanations.
The reporting threshold must not become a license to ignore smaller transactions. The activity and its identification obligations may operate under a logic distinct from the reporting threshold.
How to put it into practice
The control can be implemented with a unique reference number and four milestones: receipt, appraisal, custody and exit. Each milestone must leave a date, a responsible person and supporting evidence. If the guarantor is distinct from the borrower, their identity, relationship and capacity to affect the asset are documented. If the appraisal changes significantly or there is a substitution, the alert is not only about assets: it may alter the transactional profile and require an explanation of origin. The file should not include more personal data than necessary, but it should include the evidence that allows the complete transaction to be reconstructed.
Legal basis
LFPIORPI, Articles 17, section IV, and 18, available at the Chamber of Deputies.
How should a matrix of activities, thresholds and obligations be read?
The matrix must work in UMA, not only in pesos. The daily value of the UMA for 2026 is $117.31 as of February 1, but the system must retain both the legal multiplier and the value used and the date of the transaction. A table that only stores the equivalent in pesos becomes obsolete each year and makes it difficult to reconstruct historical calculations.
It must also identify regulatory and transitory changes. The 2025 reform added obligations and the Regulations were amended in March 2026. For this reason, the “in force since” column is as important as the threshold.
Recommended control: each row of the matrix must have an internal owner, an official source, a review date, an event that triggers revalidation and a system test. The tool serves to decide; it does not replace the analysis of contracts and flows.
How to put it into practice
The matrix must not be designed as a static legal catalog. It is advisable to add “source data”, “system field”, “deciding control” and “evidence of execution” columns. For example, the type of activity may come from the contract, the relevant date from the ledger and the UMA from a parameters table; the decision is documented in an alert with human review. In anonymized implementations, an apparently complete matrix fails when the date used by finance is the invoice date, while the monitoring engine uses the payment date without an approved rule.
Test each row with three cases: a transaction clearly below; another exactly at the individual limit; and several smaller transactions that, when added, exceed the reporting threshold within six months. Add cancellations, foreign currency and the annual change of UMA. The expected result must indicate identification, report, accumulation and, if applicable, cash restriction separately. This approach turns the table into a verifiable specification and makes it possible to detect whether a legal change needs to modify policy, system, format or all four.
Legal basis
Article 17 of the LFPIORPI in force and official value of the UMA 2026.
How does the accumulation of transactions over six months work?
Article 17 contemplates accumulation over a period of six months. In practice, the control fails when different areas assign distinct identifiers or when only the value of each invoice is monitored. The system must consolidate relationships and transactions without creating matches based on similar names.
The operational rule must answer: which date enters the calculation; how a cancellation is treated; what happens with partial payments; how a data point is corrected; and who approves an exception. The answers vary by activity and format, so a single formula should not be applied to all sectors.
Retaining the individual detail is essential. The aggregate indicates that a possible report exists, but the evidence is built with the transactions that make up the sum. A figure without traceability does not allow the calculation to be explained during an inspection.
How to put it into practice
The engine must retain two results: the individual calculation and the accumulated window. For example, if a section sets an individual limit as “equal to or greater than,” the transaction exactly equal is evaluated by that rule; for smaller aggregated transactions, “exceeds” is applied literally. Rounding prematurely to pesos or programming both conditions with >= may produce false positives. The legal parameter, the UMA used and the result before rounding must remain in the log.
In anonymized controls, another frequent failure is using calendar months instead of a window that allows the applicable six months to be reconstructed for each transaction. The specification must clarify the start date, time zone, valid cancellations, partial payments and corrections. Test a transaction exactly at the limit, a sum exactly equal and another one cent or fraction above. Then reconcile the aggregate with the source transactions and the report. If the same person appears with distinct identifiers, the linkage is approved with objective data; it should not be merged solely by similarity of name.
Legal basis
threshold and accumulation rules contained in Article 17 of the LFPIORPI.
Does registration in SPPLD authorize operations?
The distinction is especially important in commercial communications. Saying “registered with the SAT” must not be presented as approval of the product, solvency or supervision equivalent to that of a financial institution. The correct description explains the limited scope of the registration.
Before carrying out the procedure, the RFC, e.firma, activity and data of the responsible person are validated. The Regulations amended in 2026 contain transitory provisions for registrations and formats while tools are updated. For this reason, the team must retain a capture of the applicable criterion and of the acknowledgment, but not assume that the portal immediately reflects all the new cases.
The sectoral classification remains open: a transaction may involve LFPIORPI and, simultaneously, financial, tax, consumer or personal data rules.
How to put it into practice
Before using the registration in commercial materials, the legal team must approve a limited descriptive formula, for example, that the person is registered to file information relating to certain Vulnerable Activities. Expressions such as “authorized by the SAT,” “supervised” or “approved product” must be avoided. In anonymized reviews, the confusion usually arises when the commercial area receives the acknowledgment and treats it as if it were a sectoral license; that is why the regulatory inventory must assign to each registration its authority, object, scope and renewal date.
The registration folder must contain the RFC and e.firma used, the declared data, the effective start date, the reported activity, the representative, the acknowledgment and captures of contingencies. In parallel, a perimeter memorandum must answer whether another permit or registration is required. When products, channels, corporate control or the responsible person change, both folders are reviewed: the change may affect SPPLD and a distinct regime. This discipline prevents the technical state of the portal from replacing the legal assessment of the business.
Legal basis
SPPLD Portal and Articles 17, 18 and 20 of the LFPIORPI.
What must exist before obtaining access to the SPPLD?
A practical error is to postpone all evidence until credentials are received. If the portal or format does not yet admit a case, the organization must retain a record of the transactions and decisions, document the impediment and follow the official instructions in force. Technical impossibility does not render the substantive obligation nonexistent.
The pre-operational file must include: activity analysis; start date; contracts; clients and transactions; identifiers; proof of payment; calculation of thresholds; registration attempts; official inquiries; and responsible persons. When access is enabled, that inventory makes it possible to determine ordinary or amending reports or a regularization strategy.
The best sequence is “classify, capture, control and file.” Starting with the form usually produces incomplete data or data inconsistent with the contracts.
How to put it into practice
Prepare a “transition ledger” with one record per event, not only per client. At a minimum: internal reference number, activity, section, participant, date, amount and currency, UMA applied, identifiers, supporting document, reporting decision and status of the procedure. Restrict access and record changes. In anonymized operational experiences, regularizations become costly when the business keeps contracts and invoices, but cannot know which version of the data existed on the date the transaction should have been analyzed.
The contingency protocol must indicate who consults official communications, how often the procedure is attempted, what capture is retained and how a deadline is escalated. It must not invent formats or send information through unauthorized channels. When access is enabled, registrations, transactions and possible reports are reconciled against the ledger; any difference is recorded in a decision log. The rule is to preserve a contemporaneous trail, not to reconstruct it months later. This work also makes it possible to detect missing data early and request its correction before it affects multiple filings.
Legal basis
obligations of Article 18 of the LFPIORPI and official obligations section of the SPPLD.
Is every assignment of credit rights a Vulnerable Activity?
The analysis must compare contract and flow. If a company advances resources against accounts receivable, charges a consideration and retains recourse against the assignor, there may be a financing function that requires review under the section on loan, advance or credit. If it only definitively acquires an existing right, the cases may be distinct.
Documenting the conclusion requires keeping: origin of the right, underlying invoice or contract, assignment price, date and payment account, notice to the debtor, recourse, collateral and collection. It must also be reviewed whether the operator is a financial institution or a non-financial person, because the supervision regime changes.
The internal policy must prohibit classifying by commercial label. A brief memorandum per product, updated when the recourse or flow changes, reduces inconsistencies between legal, product and reporting.
How to put it into practice
Compare the contract with a sample of settlements. The memorandum must answer: is the price set as a purchase value or as principal plus yield?, is there recourse for insolvency or only for non-existence of the right?, who notifies and collects?, does the assignor guarantee payment?, is there a reserve and when is it released? In anonymized files, the master contract may say “without recourse,” but a side letter requires repurchasing any overdue portfolio; that evidence changes the economic reading and must not be left out of the analysis.
Use a decision tree per product and not per client. If there is an advance and broad recourse, escalate the non-financial credit review; if there is a definitive purchase, document the price, transfer and assumed risk without automatically concluding that it falls outside every regime. Link the underlying invoice or contract, proof of existence of the right, payment of the price and collection. When collateral or repurchase triggers are modified, reclassify. The conclusion must indicate determining facts and facts that, if they change, require reopening it.
Legal basis
the loan, advance or credit case in Article 17, section IV, of the LFPIORPI in force.
What practical obligations arise from offering a loan, advance or credit?
The operational design must begin before the disbursement. The system must block the disposition if essential data are missing, if it is not known who is acting on their own account or if a risk signal requires approval. Payments, renewals, restructurings and collateral are then linked to the original file.
An effective record has client, transaction and event fields. Instead of overwriting the balance, it retains each disposition and payment. Instead of keeping only the current contract, it maintains versions and agreements. This makes it possible to reconstruct the business relationship and explain accumulations.
Credit between related companies must not be automatically excluded either. Habituality, professionalism, purpose, consideration, origin and intent are reviewed. A documented conclusion is worth more than an informal rule based solely on corporate kinship.
How to put it into practice
Design the control around events: application, approval, disposition, payment, restructuring, assignment, collateral and closing. Each event has mandatory fields and an output: continue, request information or escalate. In anonymized reviews, recording only the monthly balance makes it impossible to reconstruct which disposition crossed the threshold and which documents existed at that time. An immutable ledger of movements, related to the file in force on each date, reduces that gap.
The rollout can be validated with a sample of ten loans that includes a renewal, an early payment, a distinct guarantor, a legal entity and a related transaction. For each one, trace the path from contract to disposition, UMA calculation, file, accumulation and reporting decision. Document exceptions, responsible person and closing date. If the reform adds a control subject to subsequent rules, keep a preparation record and an activation trigger; do not describe it as fully enforceable until the RCG and the transitory provision in force at the time of operating are verified.
Legal basis
LFPIORPI, Articles 17, section IV, and 18, in current text.
How to detect a reportable credit transaction?
The recommended flow has five steps: normalize client; identify transaction; calculate individual amount; update accumulated total; and submit the alert for quality control. The review confirms date, type of act, currency, mandatory data and Beneficiario Controlador.
Revolving contracts require special attention. The approved limit does not necessarily equal a disposition; at the same time, reviewing only the closing balance may hide multiple movements. The policy must define the reportable event according to the nature of the product and applicable format.
A log of closed alerts retains the calculation, decision and evidence. This makes it possible to demonstrate that the company did not omit monitoring even though an alert did not result in a report.
How to put it into practice
The technical rule must be written in legal language and in pseudocode. Example: select dispositions of the classified product; convert with the applicable parameter; evaluate the individual condition; update the accumulated window; exclude only confirmed cancellations; generate an alert with detail. In anonymized implementations, an engine based on the final balance left out a large disposition paid in the same month. Historical testing with real anonymized movements is indispensable to uncover this type of blindness.
The analyst must receive a minimum package: contract and version, event, original amount, conversion, accumulated transactions, client data, BC and an explanation of any correction. Test exact limits, multiple branches, co-borrowers, revolving credit, foreign currency and change of UMA. A discarded alert needs a coded reason and evidence; “not applicable” is not enough. When the system or the format changes, keep the rule version and effective date so past decisions can be explained without retrospectively applying the new logic.
Legal basis
Article 17, section IV, of the LFPIORPI and UMA 2026 published by INEGI.
What is the minimum route from registration to an operational program?
Rollout checklist
| Stage | Minimum evidence |
|---|---|
| Classification | activity memorandum, contracts and flows |
| Registration | RFC, e.firma, representative and acknowledgment |
| Governance | responsible person, backups, calendar and escalation |
| Files | requirements by client type and Beneficiario Controlador |
| Transactions | individual ledger with accumulated totals and supporting documents |
| Reports | rules, formats, double review and acknowledgments |
| Risk | methodology, alerts and authorizations |
| Maintenance | training, audit, remediation and changelog |
Operational experience shows that quality depends on reconciling contracts, databases and reports. The responsible person must be able to select a transaction and trace it in both directions: from the report to the file and from the file to the calculation.
How to put it into practice
Turn the checklist into a plan with owner, dependency, evidence and acceptance criterion. “Create file” is not closed with a template: it is closed when a sample of clients can complete it and the system prevents advancing without critical fields. “Configure alerts” is not closed by programming a formula: it requires tests of limits, accumulation and reconciliation with the ledger. In anonymized deployments, this acceptance criterion reveals that the portal and the commercial database use distinct identifiers, which breaks tracking even when each team believes it has finished.
Before declaring the program operational, run an end-to-end test with one reportable transaction and one non-reportable transaction. Verify identification, BC, date, UMA, accumulated total, decision, XML or capture, submission, acknowledgment, retention and traceability. Record failures as actions with a responsible person and date, not as open observations. For new obligations subject to RCG or transitory provisions, include a validity monitor and prepare capacity, without asserting that the control is enforceable before its regulatory activation.
Legal basis
Articles 18, 20 and 23 of the LFPIORPI and SPPLD Portal.
Decision route
Does the activity materially appear in Article 17?
├─ No → document the conclusion and review other regimes.
└─ Yes → identify subject, client, act and date.
├─ Is there an identification threshold? → calculate and apply.
├─ Is there a reporting threshold? → calculate individual and accumulated.
└─ Fulfill substantive obligations, registration, evidence and governance.
Next step
SVA.LAW can review the model, contracts and flows to convert them into a verifiable obligations matrix, file and reporting process. Explore SVA.LAW’s services.
Legal basis
- LFPIORPI, current text; last amendment DOF 16-07-2025
- Amendment to the Regulations of the LFPIORPI, DOF 27-03-2026
- SPPLD Portal: obligations
- SPPLD Portal: general criteria
- INEGI: value of the UMA 2026
Notice: This content is informational, does not constitute legal advice and does not create an attorney-client relationship. The classification depends on the facts, contracts, flows and applicable regulations of the specific case.