Vulnerable Activities and AML Compliance

LFPIORPI regularization: article 55, inspections, audit and sanctions

In brief

Regularizing does not mean filing late reports without a diagnosis. Article 55 may produce abstention from sanction on a single occasion when obligations are voluntarily fulfilled before verification powers are exercised and the failure is expressly acknowledged at the legally required moment. The 2026 Regulations detail that acknowledgment. If the authority has already begun action, the strategy, benefits and risks change. The route requires a complete inventory, evidence, correction and recurrence control.

Conceptual route for regularization and evidence preparation ahead of a verification inspection.
Defensible remediation corrects the cause, evidences the control and makes it possible to reconstruct the closure.

Contents

  1. Article 55
  2. Severity of sanctions
  3. Preventive audit
  4. Post-reform gaps
  5. Remediation scope
  6. Compliance contract
  7. Verifiable report
  8. Response to observations
  9. Remediation matrix
  10. Preparation for inspection

What does article 55 actually allow?

The 2025 reform changed the text and the March 2026 Regulations added requirements for the acknowledgment: written form, legal capacity, complete detail of the failures, statement under oath and correction support. A prior strategy should not be reused without reviewing the new framework.

"Voluntary" requires proving the chronology. The file preserves when it was detected, when it was corrected and whether a notice, request or inspection existed. Concealing failures to preserve a benefit may worsen the position.

The decision must cover the entire universe. Regularizing a sample and omitting known periods contradicts the logic of full acknowledgment and weakens credibility.

How to put it into practice

Before requesting the benefit, confirm the legal capacity, content and deadline of the acknowledgment in accordance with article 55 Bis of the Regulations amended in 2026. The statement under oath requires verifying that the universe is complete; a sample is not enough. Do not backdate documents or describe evidence created during the remediation as contemporaneous. Separate historical support from subsequent correction. If a notice or inspection exists, halt the voluntariness assumption and assess the procedural strategy on the concrete facts.

article 55 of the LFPIORPI and the amendment to the Regulations, including article 55 Bis, in the DOF of 27-03-2026.

Why do not all breaches carry the same consequence?

The sanctioning matrix must link each finding to an obligation, date, transaction and possible fraction. An "average fine" is not calculated for the whole program. Late filing within a certain period is treated differently from a more prolonged omission.

In addition to a fine there may be temporary suspension, effects on permits or communications to other authorities in legally provided cases. That is why the assessment considers operational continuity, reputation and contracts.

The economic calculation uses the UMA and must be reviewed against the text in force. It should not be published as a closed quote without knowing the transactions, periods and procedure.

How to put it into practice

Calculate scenarios and state the assumptions. Use the applicable UMA in force, but do not turn the estimate into certainty or a promise of outcome. Add operational impact: permits, contracts, reputation and administration time. Remediation priority combines severity, population and capacity for voluntary correction. Keep a range and the facts that could move it; this allows the governing body to decide without receiving a figure of false precision.

Recalculate the scenario when the population changes or a filed report is found. Each figure must have a cutoff date, source and owner, so that it does not circulate as a current estimate after becoming obsolete.

articles 52 to 55 of the LFPIORPI in force.

How do you conduct an audit before an inspection?

The work begins with a complete population and reconciliation of sources. Samples are selected by risk and transactions outside the expected systems are sought. Findings are supported with a document and legal basis.

Independence requires that whoever designed a control not be the only person who assesses it. In small organizations, external review and approval by the governing body may be used.

The report distinguishes noncompliance, improvement and pending data. Confusing them prevents prioritization. Correction must preserve the real date; a document is never backdated.

How to put it into practice

Freeze the populations of clients, transactions, reports and acknowledgments with a date and hash. Reconcile accounting, contracts and regulatory systems before sampling. In anonymized audits, taking the sample only from the portal excluded transactions that never reached the portal, precisely the main risk. Selection must include amount, threshold, exception, manual change and non-integrated sources.

For each test document the objective, population, selection, evidence, result and limitation. Whoever designed the control should not be its only evaluator. Classify noncompliance, improvement and pending data, and immediately escalate facts that may affect a voluntary regularization. The preventive audit is a voluntary diagnosis; do not automatically describe it as the legal annual audit added by reform. That obligation requires verifying the triggering RCG, period, independence and scope. The report must preserve the difference between historical facts and evidence generated to correct them.

Upon conclusion, reconcile all findings with the initial population and document non-reviewable transactions. The absence of support is a limitation or finding; it must not silently become a passed test.

articles 18, 25 and 52 to 55 of the LFPIORPI and SPPLD criteria.

What gaps must be reviewed after the 2025 reform?

The review uses a change matrix: prior text, new text, date, impact, area, system, contract and evidence. Adding references to the manual is not enough. If the system does not capture the originator or recipient, the documentary change is not implemented.

Official formats may be updated after the law. During the transition, evidence of the criteria applied and the portal's limitations is preserved. The company must not invent fields, but neither should it ignore information it is already required to obtain.

Each gap receives a temporary and a definitive solution, with a date and an owner.

How to put it into practice

Build a matrix with the prior rule, the amended rule, the transitory provision, the required RCG, the data, process, system, contract, owner and evidence. Use three states: in force, subject to activation and pending analysis. In anonymized projects, updating the manual first created a false appearance of closure because the system still did not capture the originator, recipient or accumulation window. The test must run through the process and not be limited to text.

For added obligations, prepare capacity without inventing a date: design, budget, data, provider and pilot test. Maintain a monitor of official publications and a dated decision on activation. For obligations already in force, prioritize the historical population and retention. If the portal or format does not reflect the change, document the limitation and the criterion applied, without fabricating fields or ceasing to collect enforceable information. Each gap is closed with operational evidence and a retest, not with an isolated memorandum.

The matrix must assign a legal source to each effective date. Provider comments or internal presentations may flag changes, but they do not replace a decree, RCG or official publication.

LFPIORPI in force, Regulations amended in the DOF and SPPLD legal framework.

How is the scope of a remediation defined?

The scope document identifies assumptions and exclusions. If transactions outside a base will not be reviewed, that is stated expressly and the risk is assessed. It also defines deliverables and who makes the legal decisions.

Remediation must produce: an inventory, a regulatory matrix, repaired files, reports or a strategy, quality control, a manual, a system and closure. Not all elements apply equally, but the exclusion is justified.

Success is measured by corrected population and passed tests, not by hours or documents generated.

How to put it into practice

Draft a scope statement with a cutoff date, sources, products, obligations and completeness criteria. Include data that is not available and how it will be obtained. In anonymized remediations, starting with "all clients" concealed that a subsidiary kept its base outside the ERP; discovering it late meant calculations had to be repeated. A map of systems and owners before the analysis reduces that risk.

Divide deliverables into universe, legal decision, correction and sustainability. For each, define acceptance: reconciliation against accounting, complete file, related acknowledgment or control test. Exclusions are approved and reviewed periodically; they must not remain in meeting notes. Add a legal gate to decide whether article 55, an amending report or another route applies before filing. The project ends when a subsequent sample demonstrates that the defect does not reappear, not when the last historical file is delivered.

Reserve a trail of contested decisions: assumptions, alternatives, approver and facts that would require reopening them. That way a change of personnel does not destroy the reasoning used to delimit the universe.

articles 18, 23, 25 and 55 of the LFPIORPI in force.

What must a compliance services contract clarify?

The RACI matrix clarifies who collects, validates, approves and files. Credentials must not be shared informally. If the provider operates the portal, the authorization, accesses and evidence are documented.

The contract defines the dependence on the client's information and the consequences of late data. It also prohibits promising "zero sanctions" and requires escalating facts that change the analysis.

At termination, the complete file, editable formats, logs and schedule must be delivered; not only final PDFs.

How to put it into practice

Attach a catalog of deliverables and source data with frequency, format, owner and quality control. Define what happens if information arrives late and who decides whether to file or abstain. In anonymized services, the provider prepared XML but did not have access to contract corrections; both parties assumed the other validated the amount. An express approval point and evidence of the review closed that gray zone.

Credentials must be named or controlled, never shared by messaging. Regulate subcontractors, incidents, accesses, encryption, retention and assistance during an inspection. The exit clause must require a usable export, an inventory of pending items and revocation of accesses. If the provider designs the EBR, manual, training, system or audit, the contract must distinguish preparation for an obligation whose enforceability depends on RCG/transitory provisions; it must not promise definitive conformity with rules not yet activated.

Include a continuity mechanism if the provider becomes unavailable: up-to-date copies, emergency procedures and authorized persons. Technological dependence must not prevent meeting a legal deadline.

articles 18, 20, 23 and 24 of the LFPIORPI and LFPDPPP in force.

How do you avoid a long but poorly verifiable audit report?

Evidence is referenced without exposing unnecessary data. An ID is assigned to the finding and control. Severity follows a consistent methodology, not the drafter's tone.

The report distinguishes limitations: incomplete population, documents not delivered, inaccessible system. An opinion without a clear scope can convey false assurance.

The final version incorporates management responses, but does not erase disagreements. It preserves the cutoff date and changes.

How to put it into practice

Use stable identifiers for requirements, tests and findings. Evidence is described with enough precision to reproduce it, but without copying PII into the body. In anonymized reports, a finding said "incomplete files" without a population or fields; management could not estimate resources or demonstrate closure. Quantifying the universe, sample, exceptions and severity turns the observation into executable work.

State the limitations: sources not delivered, excluded periods, inaccessible systems and reliance on third parties. The management response is incorporated without erasing the auditor's judgment. To close, review evidence and a subsequent sample; approving a policy does not demonstrate execution. Keep an effectiveness note for the added annual audit: if there is no triggering RCG at the cutoff, name the work a "preventive review" or "readiness assessment" and avoid a conclusion of definitive legal compliance.

The sample annex must allow the selection and result to be reproduced through anonymized reference numbers. Without that reference, a reader cannot distinguish a conclusion based on evidence from a general impression.

amended article 18 of the LFPIORPI and SPPLD general criteria.

How do you respond to audit observations?

A useful response avoids absolute defenses. It may acknowledge the condition and discuss severity. If the finding reveals a legal omission, regularization and evidence preservation are assessed immediately.

The matrix preserves the original text, response, evidence, final decision and status. Extensions are approved with a risk and a temporary control.

A finding is not closed because a policy was issued. A sample of a subsequent transaction is tested.

How to put it into practice

Keep the original text and respond point by point. Relate each piece of evidence to the assertion it supports and indicate whether it corrects the cause, the historical population or only contains the risk. In anonymized responses, management attached a new manual to close omitted reports; the document improved the future, but did not resolve the historical population. Separating retrospective and preventive correction avoids false closures.

If a point is contested, include the provision, condition of effectiveness and facts, not adjectives. For added EBR, manual, training, systems or audit obligations, file the RCG/transitory provision that supports the enforceability conclusion. Extensions require a risk and a temporary control. After implementing, the reviewer selects an independent sample. If the finding implies an omission, assess article 55 and the chronology immediately, without altering historical evidence or anticipating a strategy before knowing the universe.

The response must also identify related impacts: an erroneous KYC data point may have affected classification, accumulation and several reports. Closing only the document leaves the transactional effect unremediated.

articles 18 and 55 of the LFPIORPI and SPPLD legal framework.

How do you turn findings into a remediation matrix?

Minimum fields

Minimum fields. Columns: Field and Function.
Field Function
Finding and legal basis defines the problem
Affected population quantifies exposure
Root cause prevents recurrence
Immediate action contains the risk
Definitive action corrects design and operation
Closure evidence allows verification
Subsequent test demonstrates effectiveness

Critical actions are escalated to the governing body. The dashboard does not replace the file of each correction.

How to put it into practice

Break down each finding into verifiable verbs: identify the population, correct files, file, amend a rule, test and monitor. Assign dependencies; do not schedule the report before validating data and classification. In anonymized matrices, all actions were due on the same day and showed "80%" for months because there was no completion criterion. Defining a deliverable and a test per action makes progress objective.

Add columns for the obligation, condition of effectiveness, temporary control and residual risk. For added EBR, manual, training, systems or audit obligations, distinguish "pending RCG," "preparation" and "activated." Report critical, overdue findings and scope changes to the governing body. The closure verifier must not be the only person who executed. After the retest, preserve the sample, result and date; do not delete the original finding, since the history demonstrates how it was managed.

The matrix must show dependencies among actions. If correcting the system precedes recalculating and filing, the dashboard blocks the second task until the first is validated; a manual percentage does not demonstrate that sequence.

articles 18 and 52 to 55 of the LFPIORPI in force.

What should you prepare before a verification inspection?

Article 25 allows support to be requested in writing or during inspections. The company must know where the documentation is and who can produce it. A master index is created and a reconstruction is tested.

Every request is recorded with a date, scope, owner, delivery and acknowledgment. Legal responses are reviewed before sending, but without concealing mandatory information.

If failures are detected, the article 55 analysis must consider whether powers have already begun. The chronology is not presumed.

How to put it into practice

Create a master index with location, custodian, period, format and access level. Simulate a request: select a transaction and produce the contract, file, calculation, report and acknowledgment within a defined time. In anonymized preparations, the documents existed, but the provider's export took days; the organization did not control its own evidence. Testing retrieval before the inspection reveals that dependence.

Designate a coordinator, legal liaison, data owners and a delivery log. Every request is transcribed with its scope and deadline; every submission preserves a copy and acknowledgment. Do not deliver more than needed without reviewing relevance, nor conceal what is requested. Maintain an effectiveness table for added obligations and the official source that supports their status. If omissions appear during the drill, preserve the chronology and immediately assess whether voluntariness may still exist under article 55; an inspection already begun changes the analysis.

Also test the secure disposal of temporary information created to respond. Working copies must be inventoried, protected and deleted in accordance with the policy after confirming that the official file is complete.

articles 25 and 52 to 55 of the LFPIORPI and Regulations amended in the DOF.

Next step

SVA.LAW can lead the diagnosis, regularization and inspection preparation with a file that preserves facts, legal basis and evidence. Learn about our services.


Notice: General information, not advice or a promise of benefit or outcome. The availability of article 55 depends on the concrete facts, chronology, correction, acknowledgment and procedure.