SOFOMs
Incorporation, conversion and operational launch of a SOFOM E.N.R.
The deed is only the beginning. A SOFOM E.N.R. is ready to operate when its corporate regime, technical opinion, registrations, AML/CFT governance, contracts, systems, bank account, relationship with a credit information company and testing evidence all describe the same model. This dossier turns ten launch decisions into implementation tools.
Contents
- Compliance operational checklist
- What the technical opinion establishes
- Validity and renewal
- Bank accounts and de-risking
- Payroll lending before operating
- Evidence of a favorable opinion
- First year and audit
- Regulatory onboarding
- Corporate conversion
- General Operating Plan
Common method of the dossier
The ten decisions in this dossier are arranged as launch gates. A task is not closed by the existence of the document: its dependency must be identified, verified in an end-to-end test and assigned to whoever will stop the launch if it fails. Evidence is designed from the first corporate resolution through the go/no-go minutes, so that the model presented, the configured product and the first simulated operation can be compared without retrospective explanations.
SOFOM compliance operational checklist
How to put it into practice
The useful control is a dependency matrix, not a "done" list. For example, registering a fee is worthless if the engine calculates it differently; appointing the Compliance Officer is insufficient if they lack access; and contracting a SIC is not enough if the database does not reconcile with the portfolio. Each deliverable must indicate version, approver, acknowledgment, prerequisite and next review date.
Implementation tool — launch gate:.
- Valid powers and verified signatures.
- Manual, EBR, CO/CCC and system tested.
- SIPRES, UNE/REUNE, RECA/RECO and a contract with at least one SIC in an applicable status.
- Contract, cover sheet, advertising, CAT and account statement reconciled.
- Test of onboarding, lists, approval, drawdown, payment, collection, SIC and reporting.
- Go/no-go minutes with pending items, risk and responsible party.
Launch test specific to the topic. The launch committee must select a synthetic loan and run it through the versions that will be in force on day one: identification, risk rating, approval, contract, drawdown, accounting entry, account statement, collection, update to the SIC and, if triggered, alert analysis. The result is not a presentation; it is a file in which every timestamp and every amount can be reconciled. If the test uses demo screens or rules different from production, the gate remains open.
A second simulation must introduce a deliberate defect, such as an expired power, an unregistered fee or a file without a controlling beneficial owner. It documents which control stopped the flow, who resolved the incident and what regression confirmed the fix. In this way, the go/no-go minutes distinguish blockers from acceptable pending items and avoid declaring "ready" a front that was only reviewed on paper. Before the real disbursement it is advisable to obtain four items: a dependency map with responsible parties; a signed testing log; an inventory of exceptions with expiration; and evidence that access, folios and backups belong to the entity, not to the provider or advisor that supported the launch.
Legal basis
CONDUSEF, operating status of SOFOM E.N.R. and CNBV, SOFOM E.N.R. regulation.
What a positive technical opinion resolution means
The correct reading separates three planes. First, the opinion procedure and the documents that were submitted. Second, the actual operation on the date of issuance. Third, subsequent changes. A favorable resolution does not address whether the entity added a product, changed channels, replaced the CO or modified its methodology without updating controls.
How to put it into practice
.
- application, resolution and expiration dates;
- version of the manual, EBR and organizational chart submitted;
- products and channels described;
- representations and annexes that supported each fact;
- preventions, responses and folios;
- subsequent changes requiring analysis;
- party responsible for renewal and internal alert.
The record must accompany the resolution in the corporate repository and be reviewed before citing it to banks, investors or counterparties. Avoid commercial phrases such as "the CNBV approved our model" if the document does not have that scope.
Evidentiary reading of the resolution. To understand what the opinion actually established, prepare a table linking each representation in the filing with its annex and with the operating condition existing on the submission date. That traceability prevents extending the resolution to facts the authority did not examine. If the file described one product, one channel and a given compliance structure, the subsequent addition of mobile origination or a material third party requires a new analysis; the phrase "we have a positive opinion" does not address that change.
The useful exercise consists of asking a person unconnected to the procedure to reconstruct three sensitive assertions —automated system available, integrated AML body and approved methodology— without consulting personal emails. For each one they must find version, date, approval and evidence of implementation. Differences are classified as ordinary update, possible notice or matter requiring a specific opinion. The language permitted for banks and investors must also be separated from language that would suggest the CNBV authorized the business. The closing file includes the full resolution, preventions, responses, exact annexes and a log of subsequent changes; only that set makes it possible to defend the real scope of the favorable response.
Legal basis
CNBV, frequently asked questions for SOFOM E.N.R., sections on the procedure and scope of the opinion.
Validity, renewal and limits of the opinion
The calendar must work backward from the legal date. First the resolution is validated. Then products, channels, shareholders, control, CO/CCC, manual, EBR, system and audit are compared. Differences are classified as documentary update, operational remediation or explanation. Only then is the file assembled and the portal verified.
Observed pattern. The most difficult renewals usually do not fail because of a missing document, but because of contradictions: the manual says one thing, the risk matrix another and the platform a third. An early cross-review reduces preventions and avoids statements that are hard to sustain.
How to put it into practice
.
- Annual alert to review validity and changes.
- Inventory of open observations and audits.
- System test with synthetic data and log.
- Comparison of manual, EBR, governance and operation.
- Update of annexes and representations.
- Independent consistency review.
- Submission within the current deadline and custody of the acknowledgment.
Deadlines or amounts are not published here as a permanent rule: they must be verified when preparing each procedure. The internal file must, however, record the provision, version and consultation date.
Validity control and material change. The renewal date is obtained from the resolution and from the regime in force at the cutoff; a reverse calendar is then built that reserves time to correct contradictions, not merely to upload documents. Ninety or one hundred and twenty days before the internal milestone, depending on complexity, the SOFOM compares what was submitted with products, channels, shareholders, officers, manual, EBR, system and audit results. Each difference receives grounds, an owner and treatment before the application is assembled.
It is advisable to test the calendar with two events that usually fall outside it: the replacement of the Compliance Officer and a technological modification that alters data or alerts. The team must decide whether each change affects a representation in the file, what internal authorization supports it and what regulatory route applies. A defensible renewal matrix contains the verified legal date, the most conservative internal deadline, rights or fees, documents with version control, open observations, system tests, the party responsible for uploading and an alternate with access. The automatic alert does not prove compliance; the conclusive evidence is a reconciled file submitted through the correct channel, with the file sent, the acknowledgment and a subsequent review of the status.
Legal basis
Bank accounts and de-risking risk
A useful banking package translates the model into expected movements. It must distinguish funding, disbursement, client payments, fees, collection and transfers to third parties. It also explains who authorizes, what alerts exist, how reconciliation is done and what documents will be provided in a review. The commercial narrative must match the contracts and general plan.
Observed pattern. In practice, banks respond better to a table of flows and controls than to a voluminous file without explanation. Sensitive questions arise when an observed transaction does not match the profile presented when the account was opened.
How to put it into practice
.
- structure and controlling beneficial owner updated;
- opinion, manual and AML responsible party;
- diagram of the flow of funds and counterparties;
- expected products, amounts and frequency;
- policies for payments to third parties and refunds;
- daily reconciliation and segregation of funds;
- response contact and support repository.
If a platform or agent is used, add the contract, ownership of the balance, instruction rules, reversals, security and termination. The solution must be expressly temporary or structural, not a fait accompli.
Verifiable banking explanation. A bank can better assess the SOFOM when it receives a quantified diagram of funds, not a generic description of the corporate purpose. The document must separate capital and funding, disbursements, borrower payments, fees, refunds, collection and transfers to providers. For each flow it identifies the account holder, the expected originator, the reconciliation, the alert and the support. Projected ranges are periodically compared with actual movement to explain deviations before they appear to be operations unrelated to the declared profile.
The most revealing test consists of simulating a payment received into an affiliate account or through an aggregator. Legal determines mandate and ownership; accounting shows where it recognizes the balance; operations proves how it applies it; privacy limits the data shared; and treasury documents reversals and exit. If any of those answers depends on verbal custom, the alternative increases the risk of asset commingling and account closure. The banking continuity file gathers the corporate structure, controlling beneficial owner, opinion and AML governance, third-party contracts, transactional model, sample reconciliations and escalation contact. That coherence helps against de-risking, although it never eliminates the bank's power to manage its own risk.
Legal basis
LGOAAC in force, SOFOM regime, and CNBV AML regulation applicable to the entity.
Payroll lending before operating
Before launching, model at least four routes: normal payment; partial withholding; termination of the worker; and payment applied incorrectly. Each route must produce the same result in the contract, system, accounting, account statement and SIC. If a third party is involved, determine whether it acts as agent, provider or mere data source and limit its powers.
Observed pattern. The most difficult problems appear when the employer stops deducting and the borrower believes the loan has been paid off. Clear notice and early reconciliation prevent an operational problem from turning into incorrect collection and credit data.
How to put it into practice
.
- Consents and privacy notices separated by purpose.
- Contract with an alternative payment method and schedule.
- Deduction file, confirmation and reconciliation.
- Rule for partial, early or duplicate payments.
- Immediate notice of insufficiency or job termination.
- Correction and dispute before the SIC.
- AML scenarios and transactional profile.
Commercial policy must not imply that the employment relationship turns the loan into a guaranteed benefit. Advertising, contract and collection must use the same language.
Scenarios that define the product. Before offering payroll lending, the SOFOM must test what happens when the employer deducts in full, withholds only part, ends the employment relationship, sends a duplicate file or deposits without sufficient reference. Each route is followed in the contract, authorization, system, accounting, account statement, collection and credit report. The worker needs to know that withholding is a payment mechanism and not a guarantee of extinguishment; they must also know the alternative method and how to dispute an incorrect application.
The agreement with the employer or disbursing agent delimits whether it receives data, collects, transmits instructions or acts on behalf of someone. That function determines powers, security, liability, reconciliation and termination. A negative test changes the employment situation without notifying the collection engine: the expected control detects the missing deduction, notifies the borrower without misleading language and avoids reporting delinquency caused by its own error. The launch package comprises a flow table, consents by purpose, schedule, rules for partial and early payments, reversals, corrections before the SIC and AML scenarios. Advertising and commercial scripts must reflect exactly those rules.
Legal basis
CONDUSEF, RECA and Law Regulating Credit Information Companies.
Evidence to retain of a favorable technical opinion
The best structure combines an index and a map of assertions. For each relevant assertion —for example, the existence of the system or the appointment of the CO— record the document, version, passage, cutoff date and responsible party. Duplicate annexes must be identified; superseded versions are retained with a status, not deleted without a trace.
Observed pattern. When an entity changes advisor, the gaps appear in intermediate files: a letter sent without the final annex, an approved manual different from the one uploaded or an acknowledgment without a file. A "closing package" created on the day of submission avoids that loss.
How to put it into practice
.
- resolution and legal grounds;
- application filing and receipts;
- numbered list of annexes;
- version control and hashes;
- preventions, response matrix and folios;
- representations with cutoff date;
- evidence of internal approval;
- log of changes since issuance;
- validity and renewal calendar.
The file is private. For banks or investors, prepare an extract that does not reveal personal data, sensitive architecture or information exceeding the purpose of due diligence.
Map of assertions in the file. A favorable opinion can only be explained if the SOFOM retains what it asserted and the evidence that accompanied each assertion. Create an index with columns for requirement, passage of the filing, annex, version, date, approver and tamper-proof location. Superseded manuals or corrected files are not erased: they are marked as historical to show which document the authority knew and which one governs today. The hash and the folio help distinguish annexes with identical names.
The control must be subjected to a blind reconstruction. A reviewer selects, for example, the appointment of the CO, the functioning of the system and the approval of the EBR; they then attempt to locate the minutes, acceptance, technological evidence, upload, acknowledgment and subsequent change. If they find only the resolution or an advisor's folder, the evidentiary chain is incomplete. When closing the procedure, the application, payments, preventions, response matrix, final submission and resolution are retained, together with an inventory of commitments that must be maintained. For banking due diligence, an extract is prepared with scope and validity without providing personal data, credentials or sensitive architecture. The public version never replaces the controlled private repository.
Legal basis
First year of operations and AML audit
The first step is to define "start of operations" for each system: signing of contracts, first drawdown, first relationship, first SIC inquiry or first transaction. A timeline with supporting documents is then retained. If there was no activity, the zero must arise from databases, accounting and minutes; not from a generic statement.
Observed pattern. An auditor who arrives at the end of the year cannot recreate a log that never existed. Entities that prepare an evidence package monthly reduce cost, discussion about cutoffs and the risk of documentary observations.
How to put it into practice
.
- Clients and files opened/closed.
- Operations, portfolio and reconciliation.
- Alerts, decisions and reports.
- Minutes and CO report.
- System access and changes.
- Training and tests.
- Incidents and remediations.
- Zero declaration with source, where applicable.
Do not change dates or backdate minutes to "complete" the file. An explained and remediated limitation is preferable to artificial evidence.
First complete control cycle. The first year must be planned as a sequence of evidence: first onboarding, first risk assessment, first alert, first CO or CCC decision, first report or determination not to report, first update to the SIC, first complaint and first independent review. Waiting until the annual audit to discover that a log was never enabled turns an early defect into a full population of operations without support.
The audit sample must include months without activity and exceptions, not only correct files. The auditor compares the manual, configuration, source file and result; it also verifies that findings have a cause, a responsible party, a date and a re-test. The board receives trends and residual risk, not a list of documents. It is useful to set milestones at 30, 90, 180 and 365 days to review access, reconciliations, reports, training, file updates and product changes. If the SOFOM is not yet operating, each obligation is classified as zero, not applicable or pending with specific grounds. Closing the first year requires demonstrating that the controls survived staff turnover, system failures and at least one case outside the ordinary flow.
Legal basis
Regulatory onboarding: SIPRES, REUNE, RECA, RECO and SITI
The sequence begins with a master data table: name, RFC, address, representatives, powers, officers, brand, products and contacts. Each portal reuses part of that information, but with different catalogs and documents. If a datum changes, the owner of the change must trigger all related updates.
Observed pattern. In regularization projects, the greatest effort is not filling out forms, but explaining why a portal shows a former officer while the deed and the website already show the new one. A "source of truth" record avoids contradictory answers.
How to put it into practice
.
- portal, obligation and legal grounds;
- institutional credential and recovery;
- input data/documents;
- responsible party and approver;
- submission date, folio and status;
- dependency with product or launch;
- event that requires updating;
- subsequent test of the public record.
The contract with a SIC is not optional while the SOFOM remains registered: CONDUSEF points to this obligation in articles 59 and 61 of the Provisions on registrations. The relationship must be current and operational, not merely under negotiation.
Sequence of registrations and dependencies. Registrations must not be processed as isolated rows. SIPRES provides institutional identity; REUNE depends on the UNE and its contact channels; RECA and RECO relate to contracts and fees; SITI requires responsible parties and credentials; the relationship with a SIC needs a contract, format and submission capacity. A matrix orders prerequisite, procedure, master datum, responsible party, alternate, folio and operating condition to prevent each portal from describing a different entity.
Verification is performed from the perspective of an external user and from internal operations. It is checked that name, address, officers and contacts appear correctly; that information is then compared with powers, contract, cover sheet, system and support scripts. For access, onboarding, recovery, revocation and handover are tested, without sharing personal accounts. A change of address or officer must trigger tasks in all affected registrations, with differentiated deadlines. The onboarding file ends when the statuses are confirmed and the executable product matches what is registered; a pending application acknowledgment must not be presented as an authorization or as a general clearance to originate.
Legal basis
CONDUSEF, Provisions on registrations, articles 59 and 61 and Single Registrations Portal.
Converting a company into a SOFOM
The decision to convert must be made after modeling the product. The corporate purpose must not copy a broad template without confirming which activities will be carried out and which are reserved. The banking, securities and management powers must correspond to the operation and to the internal control scheme.
Observed pattern. Conversions fail when a correct meeting is held but no one manages the "last mile": registration, powers, certificates, accounts, portals and contracts. The entity is left legally reformed and operationally blocked.
How to put it into practice
.
- Due diligence of the company and the capital chain.
- Memo of the model and permitted activities.
- Draft bylaws, governance and powers.
- Meeting, notarization and registration.
- Books, shares and controlling beneficial owner.
- Tax, e.firma, banks and contracts.
- Opinion and regulatory registrations.
- Product tests and launch minutes.
Statements of an "inactive company" must be backed by accounting, banks, invoicing and contracts. Converting does not erase prior contingencies.
Conversion with verifiable continuity. Before amending the bylaws, investigate whether the company already entered into contracts, opened accounts, issued invoices, processed data or granted loans. That history defines which obligations and liabilities accompany the new stage. The minutes must harmonize name, principal purpose, applicable regime, management and powers, while the transition plan assigns responsible parties for the opinion, registrations, AML, product, SIC, bank, accounting and technology.
A corporate date does not make the entity operational. The continuity test follows an existing contract and a new one to verify which corporate name, powers, notices, accounts and systems are used. It also reviews that communication to clients and third parties does not assert nonexistent authorizations. If the company had prior activity unrelated to the SOFOM model, the portfolio, taxes, files and contingencies are separated, and it is decided what must be remediated before launch. The conversion file contains the initial due diligence, resolutions, registered instruments, powers matrix, inventory of contracts and data, deregistrations and registrations in portals, product tests and final launch minutes. This prevents the change from being merely nominal.
Legal basis
LGOAAC in force and CONDUSEF, SOFOM E.N.R. operating status.
SOFOM General Operating Plan
Build the document from flows, not from prose. For each stage identify input, decision, system, responsible party, evidence and exception. Then connect the plan with the manual, credit policies, contracts, architecture and calendar. A physical office described in the plan must not conceal a digital onboarding; a "manual" decision must not in fact be an ungoverned algorithm.
Observed pattern. In operational reviews, the most revealing inconsistencies appear in verbs: the plan says the SOFOM "receives" funds, while the contract attributes that function to a third party. Specifying who does what avoids risks of deposit-taking, mandate, data and reconciliation.
How to put it into practice
.
- Does each product have a flow and a contract?
- Does each flow identify ownership of the funds?
- Does the credit policy match the engine?
- Does the EBR reflect clients and channels?
- Do the statements and SIC arise from the same database?
- Do third parties have scope, SLA and exit?
- Do changes trigger review and version control?
Review the plan before launching material products, channels or providers. Retain the effective date, approval and change matrix.
A plan that can be verified. The General Operating Plan must turn strategy into observable operational routes. For each product it describes the target client, channel, origination, approval, funding, drawdown, payment, collection, fees, accounting, SIC, AML and complaint handling. Projected volumes need assumptions and limits; otherwise they are useless for sizing staff, technological capacity or alerts. Provider functions are shown within the flow and linked to their contracts.
Consistency is tested by selecting an operation from the plan and reproducing it on the configured platform. If the document promises manual assessment but the engine approves automatically, or if it omits a fee that appears on the cover sheet, the model is not yet closed. Also prepare scenarios of growth, provider disruption and rejected product to show who decides and what information is retained. A defensible plan includes an organizational chart and powers, architecture and data, AML controls, regulatory matrix, projected financial statements, risk map, indicators and implementation schedule. Each subsequent material change is recorded with its impact on manuals, contracts, registrations, systems and communications, preventing the plan from becoming a snapshot of the initial procedure.
Legal basis
Next step
SVA.LAW can turn the current state of a SOFOM into an operational launch matrix, identify blockers and coordinate corporate, AML, product, CONDUSEF and SIC evidence.
General information for Mexico; it does not constitute legal advice. Requirements and deadlines must be verified for the specific entity, product and date.