SOFOMs

Regulatory calendar for CNBV, CONDUSEF, SIPRES, SITI, REUNE, RECA, RECO and SIC

In brief

The regulatory calendar is not a sheet of dates: it is a system of periodic and event-driven obligations, each with its data source, portal, credential, approver, acknowledgment and reconciliation evidence. These ten microblogs make it possible to build one without confusing “zero”, “not applicable” and “pending”.

Regulatory calendar of a SOFOM with periodic and event-driven obligations.
Every due date needs data, an owner, a portal, validation and an acknowledgment; every change opens its own calendar.

Common method of the dossier

Here the method starts from the triggering event and not from a generic agenda. Each obligation is classified as periodic, event-driven, pre-operational or conditional; it is then linked to a source, system, owner, reviewer, final file and acknowledgment. The calendar must show dependencies between portals and preserve which basis allowed a “zero” to be reported, because a date marked green does not prove that the filing was correct nor that the file can be reconstructed.

Control framework for the regulatory calendar

A SOFOM’s calendar operates as a decision system, not as a schedule of dates. The minimum control unit combines obligation, applicability assumption, data cutoff, owner, approver, channel, file, acceptance and retention. This structure forces a distinction among four states that are often confused: an entity may not have operated; it may have an obligation that is filed at zero; it may fall outside the regulated assumption; or it may have a pending procedure whose request has not yet produced the expected effect. Each state needs its own source and its own conclusion.

Periodic obligations feed on defined closings. Portfolio, accounting, treasury and compliance must use the same cutoff and explain any difference before preparing files. Event-driven obligations, by contrast, arise from a fact such as a change of officer, address, control, product or contractual relationship. The deadline is calculated from the relevant legal trigger and not from the moment the task reached the team. For this reason the corporate and product inventories must send alerts to the calendar, rather than waiting for compliance to discover the change during the monthly close.

Institutional custody of access is part of compliance. An active user is not enough if its recovery depends on a former employee’s phone, if the substitute cannot operate or if the entity does not know which file was transmitted. Each portal needs a functional owner, an authorized user, a protected factor, an enrollment and deactivation procedure, a recovery test and a log. Segregation among preparation, approval and submission is applied to the extent available; when the channel concentrates functions, a subsequent independent review offsets part of the risk and is documented.

Closing evidence is retained in layers. The first contains the frozen basis and reconciliation; the second, the reasoning and approval; the third, the exact file, hash, folio and response; the fourth, corrections and incidents. An acknowledgment proves receipt, but not always substantive acceptance. The owner verifies status and reconciles the expected universe against what was finally received. Technical rejections are separated from content errors so as to correct the appropriate cause and assess whether other periods were built from the same source.

The dashboard for management shows upcoming due dates, open events, tasks blocked by dependencies, rejected submissions, corrections and residual risks. It does not reward the color green for its own sake. A periodic sample traces back from the folio to the source data and another introduces a synthetic event to verify that the flow generates all the affected tasks. In this way the calendar can survive turnover, months without activity, platform changes and the first period with real operations without losing traceability.

Master calendar for CNBV and CONDUSEF

How to put it into practice

Start by separating periodicity from event. Reports and reviews follow cycles; changes of address, officer, powers of attorney, CO, product or fee open new obligations. Then work backwards from the due date: accounting close, reconciliation, analysis, approval, upload, validation and acknowledgment.

Tool — minimum fields: obligation; authority; legal basis; periodicity/event; cutoff; data; owner; reviewer; portal; institutional credential; internal date; legal date; file; folio; status; incident; evidence; next review. Use a traffic light only after defining what “closed” means.

Calendar architecture. CNBV and CONDUSEF obligations must be organized by legal trigger, not only by day of the month. A row distinguishes periodicity, corporate event, start of operations, new product or individual request. In addition to the due date it contains the data cutoff date, source system, preparer, approver, portal, institutional credential, expected file, acknowledgment, substitution rule and retention. That structure reveals dependencies: a change of officer may affect SIPRES, powers of attorney, SITI and AML governance even though each task has a different deadline.

To test the calendar, choose a close with no operations and an event that occurred near a due date. The team must justify whether zero, non-applicability, update or filing is appropriate, and show which source resolved the decision. It is then verified that the accepted file matches the approved basis; “uploaded” does not equal “received without error”. The traffic lights feed on folios and responses, not on the preparer’s declaration. A useful dashboard separates items pending within the deadline, technical rejections, corrections and closed obligations, and it retains evidence of the owner’s review. It also includes substitutions and access recovery so that an absence does not change the regulatory conclusion.

CNBV, SOFOM E.N.R. regulations and CONDUSEF, Single Registry Portal.

Zero-value SIC report

Define the unit of analysis: client, contract, drawdown and balance are not equivalent. A signed contract without a drawdown may not produce a balance, but it may show that the operation began for other controls. The zero-value letter or file must state the cutoff and the source reviewed.

How to put it into practice

export the universe of contracts; identify drawdowns; reconcile balances; document tests and reversals; generate the file; carry out an independent review; retain the SIC’s response; and open an alert for the first month with a portfolio. If there is an incident, do not overwrite the original file.

The SOFOM must maintain a current contract with at least one SIC; the zero does not suspend that relationship.

A zero that must be explainable. A zero-value report to the credit information company requires establishing why the entity has no reportable records in the period: genuine pre-operation, a portfolio not yet originated, a pending migration or a legitimate absence of movements. The conclusion is drawn from portfolio, accounting and contracts, and is documented with the cutoff date. An empty file sent out of habit does not prove that the basis was reconciled or that the current format was used.

The test deliberately changes a synthetic account to confirm that the process stops producing zero and builds the correct record. Identifiers, balance, delinquency, date, quality and the SIC’s response are reviewed; then the case is removed and the reconciliation is redone. If the contract with the SIC is current but the channel has not been enabled or the file is rejected, the status must not be shown as compliance. The monthly file retains the portfolio query, the accounting reconciliation, the signed decision, the layout version, the transmitted file, the acknowledgment or response and the follow-up on incidents. When origination begins, the control owner must receive an alert that replaces the pre-operation logic with the normal cycle of quality and corrections.

CONDUSEF, Provisions on registries, articles 59 and 61 and Law to Regulate the SIC.

Zero-value reports, audit and initial notices

Build an institutional timeline: incorporation, opinion, SIPRES, appointment of the CO, first relationship, first drawdown, first report and first close. That sequence resolves which data existed in each period. Keep a documented decision for “file zero”, “not applicable” or “file with operations”.

Observed pattern. Calendar errors often originate when the firm prepares the report, but operations controls the data and no one formalizes the cutoff. A calendar with an internal freeze date avoids last-minute changes.

How to put it into practice

basis and cutoff; reconciliation; the CO’s analysis; approval; validated file; transmission evidence; folio; immutable copy; incidents; and follow-up. For audit purposes, open from the first month a folder that gathers these packages.

Three conclusions that are not equivalent. “No operations”, “zero report” and “not applicable” describe different situations. The first is a fact that must be reconciled; the second may be a form of presentation provided for by the channel; the third requires a legal rule that excludes the obligation. The initial audit adds a fourth question: even if there is no portfolio, were the controls and the system ready during the period examined? Answering everything with the same box hides implementation failures.

The start-up file links each notice or report to its trigger, enrollment date and evidence. For a selected month, treasury confirms movements, accounting confirms balances, operations reviews contracts and compliance determines the regulatory output. The negative test incorporates a fee or a minimum-amount drawdown to observe whether the “zero” reverses. Initial notices, appointments, access and transmission tests are also documented, because they may fall due before the first operation. The closing minutes explain the reasoning, sources, approver and open tasks; the auditor must be able to repeat the conclusion without relying on a general assertion of pre-operation.

CNBV, electronic media, audit guidelines and manual.

Institutional custody of SITI and portal access

Inventory each portal, user, email, phone, certificate, device and permission. Distinguish who prepares, reviews, signs and submits. Do not insert passwords into minutes; document the assignment and store secrets in a secure solution.

Observed pattern. In CO transitions, access is frequently revoked first and it is discovered afterward that the recovery email was personal. The correct sequence is to export evidence, create/review substitute access, test and only then revoke.

How to put it into practice

freeze pending items; download acknowledgments; review mailboxes; change contacts; create a substitute user; test reading and submission; revoke; change secrets; document date/time; and review subsequent notifications. Run a semi-annual recovery test even without changes.

Custody as a continuity control. The credentials for SITI and other portals must be linked to authorized functions, not to the tenure of an employee or advisor. The inventory records the user, the holder, the role, the enrollment date, the authentication factor, the institutional recovery means, the privileges, the substitute and the last test. Passwords are not incorporated into minutes or into freely accessible matrices; they are managed in a vault with traceability and segregation.

A quarterly test may simulate the immediate departure of the primary user. Their access is revoked, the substitute recovers the account through the permitted channel, locates a historical submission and prepares a test file without knowing personal secrets. The exercise reveals private phones, third-party emails or certificates that prevent continuity. For sensitive privileges it is advisable to separate preparation, approval and transmission when the portal allows it; if not, a subsequent independent review is added. The access file retains the request, authorization, acceptance, changes, log, revocation and recovery evidence. After changes of CO, representative or provider, the control also verifies that no former user retains visibility or the ability to file information.

CNBV, frequently asked questions about SITI and acknowledgments.

Responding to a SIPRES request about officers

First freeze the facts at the cutoff of the request. Compare SIPRES against bylaws, minutes, powers of attorney, the RPC, the website and contracts. Then build a item → response → exhibit → passage → owner matrix. If there is a contradiction, correct it at the source and in the related portals, not only in the written response.

Observed pattern. The clearest responses cite the page or clause of the instrument instead of attaching a lengthy deed and expecting the authority to find the data.

How to put it into practice

record receipt and deadline; preserve the official letter; validate powers; obtain legible copies; redact unnecessary personal data; number the exhibits; carry out a cross-review; file; retain the acknowledgment; and schedule the resulting updates. Avoid promising notarial or registry dates outside the entity’s control.

Institutional response to the request. Before answering SIPRES, compare the observed officer against the bylaws, the current minutes, the power of attorney, the acceptance, the registration and the actual operation. The goal is not to fill the field with the most recent name, but to explain from what date the person holds powers and which document proves it. If the portal and the instrument use different positions, an equivalence note must be legally supported; it is not advisable to create a retroactive appointment in order to make records match.

The response folder contains the full request, the calculation of the deadline, the matrix of questions, the source documents, the minimized data, the approval and the final file. A reviewer verifies names, RFC, dates, position and powers in each exhibit before uploading. It also confirms that the necessary update has been promoted in the other affected registries. When a registration is missing or the procedure is still pending, the response distinguishes the existing fact from the step to be completed and proposes subsequent evidence, without presenting an acknowledgment as a resolution. After submission, the folio, the exact content and the status are retained, and an owner is assigned to address any prevention or correction. That sequence reduces contradictions between the legal explanation and the entity’s public record.

CONDUSEF, SIPRES and institutional procedures.

Powers of attorney and officers in SIPRES

How to put it into practice

Revocation requires a comprehensive closure: corporate resolution, notarization where applicable, registries, banks, contracts, SIPRES, emails and access. A former attorney-in-fact who remains visible or enabled creates a risk of appearance and operation.

Observed pattern. The problem is usually the lack of a “source of truth”: legal updates the deed and operations keeps an old list. A master record approved by the corporate secretary reduces divergences.

Tool — individual record: internal name; position; date; body; instrument; powers by category; term; joint restrictions; systems; banks; contracts; date of last validation; revocation evidence. The public file should show only what is required and authorized.

Correspondence between power and public data. SIPRES must reflect who represents the SOFOM and with what support, but not every internal attorney-in-fact necessarily plays the same regulatory role. Build a matrix per person with corporate position, type of power of attorney, limitations, term, instrument, registration and reported function. The review detects revoked powers that are still published, officers without acceptance or position titles that do not exist in the bylaws.

The test case consists of signing a contract and handling a request. For each action it is asked who may execute it, whether it requires joint signature and what evidence a third party would consult. If the portal shows a different person, the impact is assessed and the correction is processed with a transparent date. The update must be coordinated with the bank, providers, the UNE, SITI and signature repositories so that the same revocation produces practical effects. The file retains the minutes, the power of attorney, the registry certificate where applicable, the acceptance, the upload, the acknowledgment and a capture of the public result. An annual review and another triggered by event are safer than waiting for an observation, especially when there is turnover or powers granted for a specific transaction.

CONDUSEF, SIPRES portal.

Current contract with a credit information company

The contract must be read together with the process. Identify the covered products, the initial basis, periodicity, formats, authentication, incidents, disputes, termination and return or retention. The SOFOM remains responsible for the accuracy of the data it generates; the provider does not correct an erroneous portfolio classification.

Observed pattern. In due diligence, an invoice or an active user may suggest a relationship, but only a contract, its term and evidence of operation prove full control. Also verify whether the SIC covers the products actually offered.

How to put it into practice

confirm the current contract and exhibits; users; query authorization; the file sent; the response; reconciliation; disputes; contacts; continuity; and the termination date. If you change SIC, plan an overlap so as not to leave a period without a contract.

Contractual term and reporting capacity. Maintaining a current contract with at least one credit information company requires more than keeping the signed cover page. The SOFOM must verify the counterparty, the service, the covered products, the date, renewals, termination, users, formats, security and the effective capacity to send and correct information. The applicable articles of the CONDUSEF regime are read together with the instrument and the entity’s operational status; a commercial proposal or a portal account does not replace the current contract.

The continuity test selects a synthetic account, generates the record, validates the fields, transmits through the permitted environment and documents the response. It then tries a correction to verify that a disputes channel exists and that the account statement can be reconciled. If the entity does not yet originate, it leaves evidence of preparation, of the period’s conclusion and of the trigger that will activate real reports. An annual control reviews renewal and service changes; a monthly one confirms access, layout and reconciliation. The file gathers the contract and its exhibits, authorizations, owners, tests, files, acknowledgments, rejections and remediation. This distinguishes the legal existence of the relationship from its technological functioning and from the quality of the reported data.

CONDUSEF, Provisions on registries, arts. 59 and 61 and LRSIC.

SIC data update and quality calendar

Map each field to a system, table, rule and owner. Do not allow manual edits without a log. After submission, compare accepted, rejected and modified records; investigate differences before the next cycle.

Observed pattern. “Quality” reports are more useful when they separate errors of origin, transformation and upload. This way remediation is not limited to correcting a monthly file.

How to put it into practice

universe of loans; additions/removals; balance; delinquency; payments; status; and identifiers. Add a sample of account statements and settlement letters. For disputes, preserve the original file, the investigation, the decision, the correction and the communication.

Credit data quality cycle. The SIC calendar begins before the file is generated. It sets the portfolio close, the accounting reconciliation, the data freeze, validations, approval, transmission, response, correction and handling of disputes. Each stage has an owner and a source; the balance, delinquency, identifier and date fields must not be completed from parallel spreadsheets without reconciliation. Layout or catalog changes are tested in advance and are linked to a version.

An effective sample combines a current loan, a partial payment, delinquency, settlement, restructuring and corrected data. The reviewer traces back from the file sent to the contract, movements and account statement to confirm that the borrower’s history does not change between systems. Technical rejections are separated from substantive errors and the time to final acceptance is measured. When a dispute modifies information, the correction is tracked both in the SIC and in the internal records and in communications to the user. The monthly dashboard presents expected, sent, accepted, rejected, corrected and pending records, with their cause. That visibility prevents a receipt folio from concealing an incomplete population or a decline in quality.

Law to Regulate Credit Information Companies.

Regularizing SIPRES, RECO, REUNE, SITI and SCPADI

Build an inventory with four states: correct; outdated; missing; not applicable. Attach evidence and an owner. Critical findings —lost access, a non-existent SIC contract, false corporate data or an overdue report— are escalated immediately.

Observed pattern. In remediation programs, sequence matters: updating the officer first in one portal may generate another inconsistency if the power of attorney is not yet ready. A dependency map avoids redoing filings.

How to put it into practice

initial snapshot; legal matrix; prioritization; a 30/60/90-day plan; version control; filing; acknowledgment; public verification; root-cause analysis; procedure update; and a report to the governing body. Do not use backdating or declare a pending registration as completed.

Regularization by universe and cause. SIPRES, RECO, REUNE, SITI and SCPADI contain different data and purposes; that is why a cleanup campaign begins with an inventory of obligations, not with mass uploads. For each system, the legal basis, registered entity, officers, products, periods, source data, access and last folio are compared. Discrepancies are grouped by common cause —a corporate change not propagated, lost credentials, a misaligned product or a close without reconciliation— to avoid correcting only the visible screen.

The plan prioritizes what affects the user, prevents a filing or reveals inaccurate information. Each action defines whether it is an update, a clarification, a substitution, a late report or a support request, and it retains the previous version to explain the transition. A cross-check takes an officer and a product: both must appear consistently in minutes, powers of attorney, the contract, RECA/RECO, SIPRES, complaint handling and the system. Pending items are not marked closed with the initial acknowledgment; acceptance is verified and, where a public query exists, the resulting data. The final report distinguishes the corrected gap, the historical risk, the affected population and the preventive control that will change the ordinary process.

CONDUSEF, Single Registry Portal and CNBV, SOFOM E.N.R..

Monthly and event-driven obligations

Assign each event an “impact sheet” that includes corporate, CNBV/AML, CONDUSEF, tax, banks, contracts, data and communication. The change committee decides which actions are a precondition and which may be closed afterward within a deadline.

Observed pattern. A date-based calendar tends to fail with M&A or launches because no one recognizes the event as an obligation. Embedding the regulatory analysis within the procurement, product and board processes makes the control preventive.

How to put it into practice

does it change who controls, signs, charges, decides, processes data, moves funds or appears before the public? If the answer is yes, open a sheet. Record the legal basis, notice/registration, dependency, effective date, communication and subsequent proof. Review monthly the events that occurred against minutes, tickets and contracts to detect changes that were not escalated.

Frequency and trigger matrix. Monthly obligations arise from defined periods; event-driven obligations are activated by changes of officer, address, product, control, contract or operational situation. The calendar must keep both types related. If an event occurs during the close, it is documented which version of the data corresponds to the period and which must be communicated as an update, avoiding mixing cutoffs or presenting future information as current.

To validate the matrix, simulate a replacement of the CO mid-month and a first origination on the last day. Compliance identifies the affected notices, reports, registrations and approvals; operations freezes the correct basis; the reviewer checks deadlines from the legal fact, not from when the email was received. Each task retains the legal basis, evidence of the trigger, the owner, the file, the folio and the result. Obligations without movement require an express conclusion —zero or non-applicability— supported by portfolio and accounting. The dashboard must show open events even if they have no upcoming “monthly date” and alert when a dependency, such as a power of attorney or access, prevents compliance. In this way the calendar represents the entity’s reality and not a mere collection of recurring reminders.

Current LGOAAC, CNBV and CONDUSEF..

Next step

SVA.LAW can build the calendar from the entity’s actual state, regularize portals and design controls for access, reconciliation and events.

General information; confirm the legal bases, dates, formats and applicability for each entity.