Vulnerable Activities and AML Compliance
LFPIORPI Files: Beneficial Owner, PEP, lists, and source of funds
A useful LFPIORPI file is not a folder of IDs: it is a chain of evidence connecting the client, its representation, Beneficial Owner, activity, transaction, means of payment, risk, and internal decisions. The 2025 reform strengthened identification, retention, and the risk-based approach. The documentation must make it possible to reconstruct individual transactions for at least ten years and to demonstrate what was verified, when, and with what result.
Contents
- Verifiable compliance file
- External audits and KYC
- Real estate Beneficial Owner
- Notarial acts
- Collateral-backed loan
- Interview and consent
- Corporate gaps
- Foreign legal entities
- PEP, lists, and source
- Due diligence for legal entities
Common framework
Article 18 of the LFPIORPI requires identifying and knowing the client, gathering evidence of the Beneficial Owner, retaining support, and reconstructing transactions. Article 21 requires abstaining when the client does not provide the necessary documentation. The operational rules and annexes determine specific data by client type. The information must also be handled in accordance with personal data legislation.
What turns a folder into a verifiable compliance file?
The practical architecture separates master data, documents, transaction, and decisions. The master file avoids duplicating IDs, but each transaction retains its support, threshold calculation, and means of payment. List screenings include evidence of the result and the version of the tool, not just a statement that "it was reviewed."
A file index must flag missing items and the next update date. Expired documents are not deleted: their history is retained and the new version is incorporated. If a piece of data is corrected, the log records the reason and the authorizing person.
The decisive test is reconstruction: take a report or a transaction and arrive at the contract, client, Beneficial Owner, payments, and risk decision without relying on staff memory.
How to put it into practice
Test the file with two walkthroughs. From a transaction, arrive at the client, representative, BO, payment, analysis, and decision. From a report, go back to each component transaction and to the calculation. Record how long it took and what depended on verbal explanations. Missing items become tasks with an owner and a proportional operational restriction. Keep sensitive documents under role-based privileges and log accesses; verifiability does not mean replicating PII in reports or emails. The index can show status and evidence without exposing unnecessary personal data.
Legal basis
identification, support, and retention obligations under Article 18 of the LFPIORPI in force.
Does a recognized audit replace the KYC file?
Auditors' reports, certifications, and public listings can function as mitigants or complementary evidence. To treat them that way, the RBA must explain what risk they reduce and what mandatory control remains. A recognized brand must not become an informal exception to onboarding.
The file must retain what the applicable regime requires and document any simplified measure. If third-party information is used, its validity, coverage, source, and right of access are assessed. The responsible party retains the ability to request additional documents.
A useful control labels each piece of evidence as mandatory, complementary, or mitigant. This prevents a prestigious or voluminous document from concealing a basic absence.
How to put it into practice
Use three labels: requirement, when the evidence directly answers a required piece of data; corroboration, when it confirms information obtained from another source; and mitigant, when it reduces a risk hypothesis without replacing the requirement. Note the expiration date and the event that triggers an update. If a third party provides KYC data, verify the right of access, quality, and the ability to obtain support. The responsibility to decide and to retain the evidence trail remains with the obligated entity; the outsourcing contract does not transfer that burden.
Legal basis
Articles 18 and 21 of the LFPIORPI and obligations published in SPPLD.
How is the Beneficial Owner identified in a real estate transaction?
Real estate developments may involve an owner vehicle, developer, marketer, trust, and buyer. The diagram must separate the parties to the contract from the persons who control or receive the benefit. The source of payment—including third-party payments—may reveal a relationship that the org chart does not show.
The client's declaration is a starting point, not the only proof. It is cross-checked with bylaws, books or certifications, powers of attorney, and corporate structure. When there is a foreign chain, the analysis continues down to natural persons or to reasoned documentation of why it was not possible to proceed and what decision was made.
The result must be recorded on a dated sheet, with evidence and approval if the risk is high.
How to put it into practice
Draw two diagrams. The corporate one shows holdings, special rights, directors, and control by agreement; the transaction one shows the property, parties, contributors, disbursing accounts, and recipients. Overlaying them reveals discrepancies that an isolated org chart does not show. In anonymized cases, the buying entity declared a simple structure, but the advances came from a sister company and the refund instruction benefited a person not included. The finding does not prove illegality; it requires understanding and documenting the economic rationale.
The checklist must record, for each level: entity, jurisdiction, percentage, form of control, document, and date. For trusts, identify the relevant roles and powers, not just the trustee. When it is not possible to proceed due to a lack of foreign records, document the steps taken, alternative sources, residual risk, and decision; do not close the sheet with "not applicable." Before signing the deed or releasing funds, reconcile the identity of the payer and refund beneficiary with the approved structure.
Legal basis
Beneficial Owner definitions and obligations under Articles 3 and 18 of the LFPIORPI.
What changes when a notarial act is involved?
In the incorporation of companies, transfer of shares, powers of attorney, or trusts, it is advisable to separate five roles: grantor, appearing party, represented party, formal holder, and person with effective control. A single name may occupy several roles, but the file must not assume so.
The official SPPLD frequently asked questions are guidance and clarify that being a partner or shareholder is not enough on its own: control must be analyzed under the legal definition. They also distinguish representation from ultimate benefit.
When a company uses the notarial instrument prepared by another participant, it must verify that it contains the information it needs and that it can retain it legally. "It's in the deed" is not a KYC conclusion.
How to put it into practice
Build a table of roles per act. In a share transfer, for example, record seller, buyer, representatives, issuing company, registered holder, and natural persons with control before and after. In a trust, distinguish settlor, trustee, beneficiary, technical committee, and who can give instructions. In anonymized files, the typical mistake is to copy as BO the attorney-in-fact who signs, even though their power only authorizes appearing and grants them no benefit or control.
When reusing notarial documentation, perform a sufficiency validation: document, data it establishes, date, known subsequent event, and retention permission. Request additional evidence for changes in shareholding, contractual control, or payments that do not appear in the instrument. If several participants carry out Vulnerable Activities, agree on secure data exchange, but do not assume that a single file automatically satisfies all of them. Data minimization requires sharing only what is necessary and documenting the legal basis for the processing.
Legal basis
SPPLD frequently asked questions and Articles 3, 17, and 18 of the LFPIORPI.
What must the collateral-backed loan file add?
The file must resolve inconsistencies before disbursement: that the guarantor is not the owner, that the invoice does not match, that the appraisal lacks support, or that the payment comes from a third party. Each exception has an approver and a compensating measure.
Information about the asset does not replace the analysis of the source of funds or of the client. Conversely, a complete KYC does not correct a defective ownership chain. The review must operate in parallel.
A control table relates transaction number, borrower, guarantor, asset, appraiser, custodian, amount, dates, and documents. This allows the collateral to be released without losing the history that must be retained.
How to put it into practice
Use an exceptions log before disbursement. For each discrepancy—illegible serial number, invoice in a different name, appraisal without methodology, unreleased encumbrance—indicate the required evidence, approver, and condition. Do not turn the exception into a free-form comment that disappears upon authorization. In anonymized files, photographs of the asset were available, but without a date or reference number; they could not be reliably linked to the asset received. A visible identifier and a custody log would have closed the gap.
On release or enforcement, retain the authorization, recipient, date, condition of the asset, and calculation applied. If the owner or guarantor changes during the life of the loan, update the KYC and not just the contractual annex. Verify that access to photographs, addresses, and asset documents is restricted. The quality test consists of selecting a physical asset and finding the loan, owner, appraisal, and status; then selecting the loan and locating every movement of the collateral.
Legal basis
Article 17, section IV, 18, and 21 of the LFPIORPI in force.
What are the interview record and the consent for?
A useful record is not an identical form for everyone. It must reflect in-person or remote modality, interviewer identity, date, inconsistencies, and clarifications. If a PEP, third-party payer, or complex structure arises, it must show the escalation.
Consent must not be used as unlimited authorization. The company defines purposes, legal basis, transfers, and retention in accordance with the data law. Notices to the authority have a specific regime and do not depend on a contractual clause that allows the client to veto them.
The electronic signature or acceptance is retained together with evidence of integrity, document version, and channel. A loose image without version or timestamp offers little proof.
How to put it into practice
The interview must be tailored to risk without becoming an indiscriminate interrogation. Start with open-ended questions about line of business, transaction, purpose, structure, and payments; then confirm documentary data and clarify discrepancies. Record relevant answers objectively, without the interviewer's opinions. In anonymized processes, a form with all boxes marked "yes" did not explain why the client used a third-party account; a contemporaneous note and evidence of the relationship would have allowed the case to be assessed.
For remote interviews, retain the identification mechanism, date and time, script version, acceptance, and any interruption. Do not record audio or video by default: assess necessity, notice, and security. Consent must distinguish purposes that truly require authorization from processing supported by another legal basis. Verify that the accepted version matches the archived one. If an answer triggers PEP, complex structure, or third-party payer, generate a specific task; the interview only adds value if its alerts reach the decision flow.
Legal basis
Article 18 of the LFPIORPI and LFPDPPP in force.
What are the most frequent gaps in corporate files?
Remediation must prioritize risk and not just the percentage of fields. A gap that prevents identifying the client or Beneficial Owner is more serious than a complementary piece of data. The matrix classifies critical, high, medium, and administrative; it assigns a responsible party and a date.
It is not advisable to overwrite the file. The finding, request, response, validation, and closure are retained. For large portfolios, the batch control must allow returning to the individual client.
Incomplete files may require restricting new transactions. Article 21 supports abstaining when the necessary information is not provided. The policy must define who decides and how it is communicated without revealing sensitive analysis.
How to put it into practice
Create a matrix with columns for requirement, expected evidence, finding, severity, affected transaction, action, owner, and date. Use objective criteria: critical if it prevents knowing who the client is or who can bind it; high if it prevents identifying the BO or explaining payments; medium if it reduces corroboration; administrative if it does not affect the conclusion. In anonymized remediations, measuring "90% of documents complete" concealed that the missing 10% concentrated all the complex structures. The indicator must weigh risk and volume, not just the number of files.
Do not overwrite the finding when the document arrives. Retain the request, response, validation, and closure, in addition to the previous version. Define restrictions for new transactions and approvable exceptions. An update campaign must include a secure channel, document validation, and bounce control; sending IDs by open email creates a different risk. When closing the batch, sample complete and failed files to verify that the solution did not just improve the appearance of the dashboard.
Legal basis
Articles 18 and 21 of the LFPIORPI in force.
What evidence should a foreign legal entity be asked for?
The practical list may include incorporation and amendments, certificate of good standing, register of directors, powers of attorney, shareholding structure, IDs, and proof of address. Availability changes by country, so the analysis must accept reasoned equivalences and not a Mexican list impossible to meet.
Chains of companies require an org chart with percentages and non-shareholding control. If a trust, partnership, or other figure appears, equivalent roles and persons with control or benefit are identified.
The file records the jurisdiction, public source consulted, access restrictions, and validation. A printout without a URL or date quickly loses its usefulness.
How to put it into practice
Prepare an equivalences sheet by jurisdiction only after reviewing the official source. For each document, record the issuer, data established, public or private access, update, and need for apostille or translation. In anonymized files, a "certificate of incumbency" was treated as shareholding proof even though it only listed directors. Translating the title is not enough: someone must explain the content and its evidentiary limit.
For international chains, build the org chart from the client down to natural persons and identify holdings, contractual control, and roles of trusts or partnerships. Capture the date of each source, as the layers may not be updated to the same day. If there is a legitimate access restriction, request professional certification or alternative documentation and submit the limitation to risk approval. Retain the URL, relevant excerpt, and consultation date of public records, but avoid downloading personal data that does not contribute to the analysis. The final decision must be understandable to a reviewer who is not familiar with that jurisdiction.
Legal basis
Articles 3, 18, and 21 of the LFPIORPI and SPPLD criteria.
How to integrate PEP, lists, and source of funds without contaminating the file?
The list screening must preserve the name searched, variations, date, list, result, and resolution of possible matches. Foreign lists may be risk signals or contractual requirements, but must not automatically be described as the Mexican Blocked Persons List.
For the source of funds, activity, statements, contracts, accounts, and purpose are compared. There is no universal document. The level of evidence increases with risk and complexity.
Decisions—continue, request information, restrict, or reject—must be substantiated. Sensitive details are protected through role-based access and are not included indiscriminately in commercial copies.
How to put it into practice
Separate the file into three related sheets. The PEP sheet documents position, jurisdiction, timing, connection, and enhanced measures. The lists sheet retains the terms searched, source, version, and resolution of matches. The economic sheet compares activity, purpose, amounts, accounts, and support. In anonymized reviews, a name match was closed verbally because the date of birth was different; by not retaining the source or the comparison, the decision could not be reproduced later.
Define escalation according to a combination of factors, not by an isolated result. A PEP does not imply automatic rejection; a third-party payment does not by itself demonstrate an illicit origin. But a PEP, an opaque structure, and an unrelated account justify enhanced information and approval. Preserve only the necessary data and limit access to sensitive notes. The output must indicate continue, continue with conditions, restrict, or reject, with grounds and next review. For controls added by reform or subsequent rules, verify that they are in force before presenting them as a fully enforceable obligation.
Legal basis
Articles 18 and 21 of the LFPIORPI and general SPPLD criteria.
What is the due diligence sequence for a legal entity?
Minimum matrix
| Layer | Control question |
|---|---|
| Existence | Does the entity exist and is the document in force? |
| Representation | Can the person enter into the transaction? |
| Activity | Is the product consistent with its line of business? |
| Control | Which natural persons exercise ultimate benefit or control? |
| Transaction | Are the amount, account, and purpose consistent? |
| Risk | What signals require enhanced due diligence? |
| Decision | Who approved it and with what conditions? |
The update is guided by changes and risk. A modified corporate structure, PEP, address, activity, or transaction pattern must trigger a review even if the scheduled date has not arrived.
How to put it into practice
Implement gates. Without validated existence, representation is not approved; without a valid representative, the transaction is not entered into; without sufficient structure, the BO is not closed; without transaction coherence, funds are not released. Exceptions require a reason, deadline, and approver. In anonymized onboarding, collecting all the pieces in parallel reduced apparent times, but allowed disbursement while the power of attorney was still under review. Gates can be automated without turning the legal decision into a blind checkbox.
Test the sequence with a simple domestic company, a foreign chain, and an entity with contractual control. For each, record which document resolves each question, who validated it, and what change requires an update. Integrate ledger alerts: if the payer or recipient does not match, the file returns to purpose, control, and origin. Keep versions and record what information was current at the time of the transaction. The result is not "complete KYC," but a dated conclusion, with conditions, scope, and next review.
Legal basis
Articles 3, 18, and 21 of the LFPIORPI in force and SPPLD obligations.
Next step
SVA.LAW can design requirements by client type, findings matrices, and auditable files without turning onboarding into a collection of disconnected documents. Explore our services.
Legal basis
- LFPIORPI in force
- Amended Regulation, DOF 27-03-2026
- SPPLD frequently asked questions
- SPPLD obligations
- LFPDPPP in force
Notice: General information, not legal advice. The applicable documentation depends on the type of activity, client, transaction, risk, and rules in force.