SOFOMs
Corporate governance, powers of attorney, Compliance Officer, CCC and board
Effective governance turns decisions into powers, filings, access, reports and follow-up. These microblogs explain how to avoid gaps when changing the Compliance Officer, how to document the CCC or board, and how to separate corporate office, power of attorney and regulatory role.
Common method of the dossier
The connecting thread is the quality of the corporate decision. For each body or office, a distinction is drawn between who proposes, who challenges, who approves, who executes and who verifies the follow-up. Minutes must not be ceremonial transcripts: they require identifiable inputs, disclosed conflicts, a conclusion, a condition and a review date. That architecture makes it possible to sustain continuity when the Compliance Officer, a board member or access to SITI changes.
Framework for continuity of AML governance
AML governance must be able to answer who held authority, information and operational capacity on any given date. The minutes, acceptance, filing, access and first executed control are distinct milestones. A corporate appointment may be valid while the portal has not yet enabled the officer; a revocation may take effect before the handover is completed. The continuity matrix records those intervals, assigns contingencies and avoids using a later formality to retroactively cover decisions or filings.
The board, the CCC and the Compliance Officer perform functions that need to be delimited according to the applicable structure. The OC prepares, analyzes and escalates; the competent body deliberates and resolves the matters within its remit; the secretariat documents and follows up; audit verifies without operating the control being examined. In small entities, bodies or resources may be concentrated, but the questions of independence, conflict, quorum, information and evidence do not disappear. Where a person performs commercial functions, their involvement in compliance decisions is recorded and mitigated.
Sessions are built from a reconciled package. Alerts, reports, risk changes, system performance, audit, training and remediations show period, source, trend and exceptions. An indicator at zero requires reviewing population and logs to rule out a silent failure. The minute preserves questions, data received, basis, vote, responsible party and date; sensitive annexes remain restricted. At the following session, the status of each prior agreement is presented with its evidence, preventing approval of the minutes from being confused with execution.
Transitions use an inventory of matters and access rights. Before departure, upcoming reports, open alerts, requirements, audit files, calendars, credentials, certificates and contacts are located. Each item has a recipient and validation. If immediate separation prevents a direct handover, the entity protects information, appoints a contingency and reconstructs the inventory under supervision. The prior user is revoked in a coordinated manner; the new responsible party tests recovery and consultation of historical evidence without sharing credentials.
Governance assessment observes results and not only documents. It measures decisions made out of time, overdue agreements, sessions without sufficient information, orphan access rights and cases that could not be reconstructed. One sample follows a matter from alert to determination and another from agreement to system change. The body receives the residual risk and decides on resources, restrictions or escalation. This framework makes continuity verifiable even during simultaneous replacements, periods without alerts and changes in the corporate structure.
Revocation and appointment of the Compliance Officer
Prepare a single chronology. The outgoing OC hands over the manual, EBR, alerts, reports, minutes, audits, plans, folios and notifications. The incoming officer confirms integrity and lists pending items. Confidentiality and cooperation regarding prior periods survive in accordance with the contract and the law.
How to put it into practice
identity/office; basis; revocation; appointment; acceptance; date and time; eligibility; filing instructions; handover; access rights; pending matters; person responsible for verification. At the first subsequent session, ratify receipt and status.
Effective transition of the Compliance Officer. The revocation and the appointment must share a single chronology: decision of the competent body, effective date, acceptance, handover of matters, updating of access rights and regulatory communications. Ambiguous minutes may leave a period in which no one knows who decides on alerts or signs reports. The minute also identifies whether there is an alternate, eligibility restrictions and matters that the outgoing officer must conclude or transfer.
The transition test uses an open alert and an upcoming filing. The new OC must locate the file, basis, pending decision, records and credentials without asking the revoked user for support. In parallel, it is verified that banks, providers and internal areas received a consistent instruction and that the prior responsible party lost access when appropriate. The evidentiary package integrates the notice of meeting, minutes, acceptance, declaration of requirements, handover matrix, revocations, activations, filings and first executed controls. If any formality has not yet concluded, the corporate date is distinguished from operational enablement and a documented temporary measure is adopted. The board reviews the continuity risk, not just the existence of two appointments on paper.
Legal basis
Coordinated changes of OC and CCC
Use separate annexes: prior composition, new composition, open matters and required communications. If the OC sits on the committee, clarify their role in accordance with the provisions and prevent the same person from approving their own performance without a counterweight.
How to put it into practice
validate bylaws and provision; confirm profiles; prepare consent; close the prior session; adopt resolutions; communicate changes; update the organizational chart/manual; test access; convene the first session; and preserve folios. The transition must include investigations and high-risk clients, not just documents.
Coordinated change of AML governance. Replacing the OC while modifying the composition of the CCC creates two distinct risks: lack of authority to decide and loss of memory about open cases. The corporate agreement must set out which body appoints, from when each member acts, how the interval is covered and who retains the files. Acceptances, impediments and offices are verified before communicating the new structure.
Prepare a transition dashboard with pending decisions, reports about to fall due, audit, remediations and scheduled sessions. Each matter is assigned a prior owner, recipient, date and evidence of handover. In a test session, the new committee analyzes a historical case and a newly generated one; it must access the same information and leave a traceable determination. Afterwards, SITI, repositories, distribution lists, signatures and powers of attorney are reviewed to eliminate orphan access rights. The joint folder contains the revocation and appointment minutes, composition of the body, résumés or applicable verifications, filings, folios, handover minute and first valid session. A transition is closed when the new structure can operate and the control of due dates does not depend on those who left.
Legal basis
CNBV, communications on the composition and changes of the CCC.
Corporate evidence for AML changes
Build a matrix act → body → basis → instrument → passage → filing → folio. If the notarized instrument or registration is pending, describe its status and attach evidence without asserting that it concluded. Limit personal data to what is requested.
Observed pattern. Requirements are addressed more quickly when each assertion in the brief points to a page and clause, not when complete notarized instruments are sent without an index.
How to put it into practice
certified resolution; acceptance; applicable certificate; power of attorney if needed; protected identification; organizational chart; form; acknowledgment; manual update; and access log. Cross-check with SIPRES, banks and contracts when the person also holds other roles.
Corporate evidence connected to operations. An AML change is supported by more than the minutes: the notice of meeting, quorum, power of the body, resolution, acceptance and effective date must be consistent. If powers of attorney or registrations are involved, their status and scope are retained. The corporate matrix links each agreement with the filing, portal, manual, organizational chart, access and process that must be modified; in this way, the document generates verifiable tasks.
The control selects a resolution —for example, a new methodology or replacement of a member— and traces its execution. It is verified which version of the manual was approved, when the system changed, who received training and which was the first case processed under the new rule. A discrepancy is not corrected by retroactively rewriting the minutes; the actual date is documented and the remediation is decided. The file includes controlled drafts, session support, corporate book, communications, uploads and technological evidence. For internal dissemination, an extract is issued with instructions and validity, without exposing deliberations or unnecessary personal data. The reviewer must be able to distinguish decision, formalization, notification and implementation as separate milestones.
Legal basis
Periodic CCC minutes with zero alerts
The OC presents a dashboard with trends and exceptions. The minutes record questions, decisions, responsible parties and deadlines; sensitive annexes are referenced without reproducing more personal data than necessary. If there was no operation, it is explained how this was verified.
Observed pattern. A monthly session can become mechanical. Introducing a rotating "control test" —lists, access rights, file or alert— creates evidence of real supervision without overloading the minutes.
How to put it into practice
quorum; follow-up; OC report; alerts/reports; high risk; lists; system; training; audit/remediation; changes; agreements. Each agreement carries an owner, date and evidence of closure. Preserve annexes in a restricted repository.
Valid session when the dashboard is at zero. A CCC must not limit its minutes to noting that "there were no alerts." The session documents sources consulted, period, population, engine performance, incidents, prior reports, training, risk changes and remediations. Zero may be a legitimate result, but also a symptom of missing data or disabled scenarios; that is why it requires a reconciliation with transaction volume and profile.
The practical review takes a sample of the period and runs it through selected rules to confirm that the system would have generated an alert for the anticipated pattern. Logs of uploads, failures and threshold changes are also inspected. The minutes record questions, information received, conflicts, agreements, responsible parties and dates, not a predesigned narrative. If the committee concludes that the level is reasonable, it explains why according to clients, products, zones and channels; if it detects anomalous silence, it orders testing and follow-up. The session package brings together the notice of meeting, quorum, reconciled dashboard, annexes, voting and subsequent evidence of agreements. The next minute must take up prior pending items, preventing a chain of "zeros" from erasing the traceability of the control.
Legal basis
Content of the OC appointment minutes
Before signing, compare the draft with the bylaws, manual and structure. If the manual names the prior OC, open an update with a responsible party and date. If the OC is external, define access, independence, availability, confidentiality and termination.
Observed pattern. Copied minutes tend to retain the office or date of another entity. Master-data control and a reading by a person outside the project avoids errors with an impact on SITI.
How to put it into practice
competent body?, quorum?, correct person?, date without a gap?, acceptance?, requirements verified?, filing instructed?, handover and access rights defined? Attach support without making sensitive information public.
Content that makes the appointment executable. The minutes identify the person, office, basis, resolving body, effective date, duration or condition, acceptance and powers. They must clarify whether the person replaces someone, how files are handed over and who covers absences. A generic formula of "the OC is appointed" leaves open questions about access to information, direct communication with the board and the capacity to submit reports.
Before signing, a consistency checklist compares the name and data with the identification, employment or contractual relationship, internal requirements, organizational chart and manual. After the resolution, it is verified that SITI, repositories, lists, matrices and providers reflect the same date. The officer's first act —review of an alert, report or filing— is preserved as evidence of implementation, without pretending it cures prior delays. The folder contains the notice of meeting, agenda, quorum, necessary deliberation, resolution, acceptance, handover, activations and filings. If conflicts or limitations exist, they are recorded together with the measure adopted. The final text must allow audit to determine who held the function on any day of the examined period.
Closing criterion. Compare the date of the minutes with that of the registration in SITI and with the first signed decision. If they do not coincide, describe the interval, the powers available and any affected filing. That temporal note prevents a correct appointment from being used to retroactively cover acts carried out before the officer could materially exercise the office.
Legal basis
Board minutes when there is no CCC
The OC prepares a report comparable to the one the committee would receive: metrics, exceptions, high-risk clients, alerts, reports, systems, training and remediation. The body asks questions, accepts or rejects proposals and assigns closures.
Observed pattern. In small entities, the risk is not having fewer people but mixing roles. A RACI matrix reveals when the person who originated a client also seeks to approve their risk.
How to put it into practice
validate the scenario; approve the calendar; set the agenda; receive the report; document conflicts; adopt decisions; assign responsible parties; verify closures; and reassess the structure when personnel or operations change. The minutes must not simulate a nonexistent CCC.
Board acting without a separate CCC. When the applicable structure allows the board to assume functions, the minutes must show that it addressed each matter with the required depth and periodicity. It is not enough to include "compliance topics" at the end of a corporate session. The agenda differentiates AML decisions, information received, analysis, abstentions and follow-up; board members have access to the necessary dashboard and the OC preserves effective communication.
A test session presents an alert, a system metric, an audit finding and a product change. For each point the minutes identify basis, discussion, resolution, responsible party and date. The secretariat verifies quorum and powers, while compliance controls sensitive annexes and preserves a full version under restricted access. Agreements are transferred to a register that is reviewed at the following meeting. If the board delegates preparation, the decision does not disappear into a minute of the operational area. The annual file makes it possible to count sessions, matters analyzed, overdue pending items and evidence of execution. This traceability proves a real function and avoids using the nonexistence of a CCC as justification for less demanding governance.
Closing criterion. The secretary must classify the board's annexes so that personal or alert information remains restricted, while agreements and due dates stay visible for follow-up. The following agenda includes a table of prior agreements with evidence of execution; in this way, supervision does not end when the minute is approved.
Legal basis
OC and SITI credentials: minimum evidence
Use a log of activations, changes, critical access and deactivations. Separate file preparation, review, signing and submission when the portal allows it. Test recovery every six months and after changes.
Observed pattern. The folio proves submission, but without retaining the exact file that was sent, the content cannot be proven. Package both with a hash and approval.
How to put it into practice
user inventory; institutional email; second contact; MFA; minimal roles; export of acknowledgments; monitoring of notifications; exit protocol; and review of orphan access rights. Any incident is documented with impact and correction.
Minimum chain between appointment and SITI. To demonstrate that the OC could operate, link the minutes and acceptance with the user request, enablement, authentication factor, privileges and first transmission or query. An isolated screenshot does not prove who controlled the account nor during what period. Credentials are safeguarded institutionally and the log records access, changes and revocations without incorporating secrets into the corporate file.
The test is carried out with controlled recovery and with a test file or historical query. The OC must locate the version submitted and its folio; the alternate must be able to continue under the authorized procedure without sharing a password. If the portal registration occurs after the effective date, it is documented how the interval was covered and which filings were affected. When the officer leaves, the revocation is coordinated with the handover and confirmed in the log. The package contains the resolution, minimum institutional identification, role authorization, activation, tests, incidents, changes and deactivation. Audit can then reconstruct not only who was appointed, but who had the material capacity to comply at each cutoff.
Closing criterion. Also review that the recovery phone and email belong to the entity and that the certificates or factors can be transferred in accordance with the channel. A failed test is recorded as a continuity incident, with an authorized alternative and a resolution date, before the next regulatory due date.
Legal basis
CNBV, frequently asked questions about SITI and acknowledgments.
Board with CCC functions in a small SOFOM
An executive dashboard must show trends: incomplete files, aged alerts, high risk, system failures and remediations. Sensitive cases are presented anonymized in the body and with a restricted annex where necessary.
Observed pattern. Counting cases is not enough. Measuring age and recurrence helps the board detect that "zero reports" can coexist with alerts that were never investigated.
How to put it into practice
conflict policies; calendar; advance package; minimum questions; traceable agreements; recusal; follow-up; and annual self-assessment. Confirm the regulatory scenario as the entity grows.
Proportional design without loss of function. In a small SOFOM, having the board cover CCC tasks may reduce layers, but it increases the need to separate preparation, decision and review. The governance matrix assigns to the OC the preparation of the case, to the board the resolution where appropriate and to an independent function the verification. Members declare conflicts and receive sufficient information before voting.
The calendar reserves specific sessions for alerts, reports, EBR, manual, systems, audit and training. An agenda test shows whether an urgent matter can be decided between sessions and how it is ratified afterwards. Minutes avoid conclusory statements without support; they link the agreement to the annex and to the executed task. If a board member also participates in sales or origination, the deliberation records the mitigation of that conflict. The governance file incorporates composition, competencies, calendar, information packages, minutes and follow-up. The indicators include overdue agreements and cases without quorum, not just the number of meetings. Proportionality is demonstrated through controls that work with the available resources, not through the omission of responsibilities.
Closing criterion. The board's annual self-assessment compares the necessary competencies with training, attendance and the quality of decisions. If technical experience is lacking, support is obtained without delegating the vote or exposing complete files. The minutes identify the opinion received and the way in which the body reached its own conclusion.
Legal basis
Removal, appointment and follow-up of the OC
Define indicators before evaluating and allow the OC to explain limitations. If the cause of performance is a lack of data or resources, the body must correct the environment, not just replace the person.
Observed pattern. The OC's work plans function better with concrete evidence by quarter than with a subjective annual rating.
How to put it into practice
deliverables; due dates; alerts; escalations; folios; training; findings; resources; independence; incidents; and commitments. On exit, add inventory and continuity.
Sequence of removal and follow-up. The departure of the OC requires identifying the reason, competent body, effective date and treatment of matters under their custody. If there is an investigation, conflict or breach, the entity separates the employment facts from the regulatory decisions and protects evidence. The replacement is prepared before revoking critical access, unless the risk requires immediate suspension with documented contingency.
The handover inventory includes alerts, reports, requirements, audits, remediations, calendar, users and master files. Each line is assigned a recipient and validation. During the first thirty days of the new responsible party, the board reviews access, due dates and first decisions to detect a loss of continuity. A historical sample verifies that the full file remains available and that traceability does not depend on the outgoing officer's email. The file brings together the resolution, acceptance by the successor, handover minute, revocations, activations, filings and initial follow-up. If there is an interval, it is explained who exercised each function and under what power. The removal ends when the pending risks have an owner and the new structure has executed a verifiable cycle.
Closing criterion. Communications to personnel and third parties are scheduled after defining the effective date and the contingency. This prevents contradictory instructions or requests directed to the outgoing officer. The transition report also shows whether there were delayed decisions and how they were reviewed once the function was restored.
Legal basis
Powers of attorney, board, statutory examiner and operational control
Build a map of critical decisions: funding, credit, payments, contracts, accounts, data, high risk, reports, systems and remediation. For each one, define limits, individual/joint signature, conflict and evidence.
Observed pattern. Gaps appear when the bylaws grant broad powers but internal policies do not establish limits. The solution is to coordinate external power and internal delegation without asserting that a policy revokes a power of attorney vis-à-vis third parties.
How to put it into practice
legal organizational chart; matrix of powers of attorney; RACI; catalog of decisions; conflict rules; signatures; access rights; annual review; and revocation protocol. Reconcile with SIPRES and banks.
Map of authority for decisions and execution. The board, attorneys-in-fact, statutory examiner and operational managers perform distinct roles. The matrix of powers identifies who approves policies, enters into contracts, moves resources, submits information, supervises and reviews. For sensitive acts it adds limits, joint signatures and expected evidence. The objective is to prevent a broad power of attorney from replacing deliberations reserved to the body, or the statutory examiner from appearing as the operator of the control it is supposed to oversee.
Select three transactions: engagement of a critical provider, product approval and regulatory filing. Trace them from agreement to signature, configuration and follow-up. Any leap —a contract signed before approval, a user without a power of attorney, or a review carried out by the person who executed it— is recorded as a gap. Changes of administration update the bank, portals, repositories and certificates, not just the corporate book. The governance package contains bylaws, minutes, powers of attorney in force, revocations, matrix, logs and samples. A semiannual review compares documentation with actual access and authorized payments. The useful conclusion indicates which acts were valid, which require ratification or correction and which control will prevent recurrence.
Closing criterion. Include in the sample a transaction rejected for lack of power and verify that treasury or the electronic signature block execution. If the control only detects the excess after the payment or contract, the matrix must be translated into technological limits or joint signatures, not remain a legal reference.
Legal basis
Next step
SVA.LAW can review the governance architecture, prepare transitions and align minutes, powers of attorney, manual, portals and reports.
General information; the structure and communications must be reviewed for each entity.