SOFOMs

KYC, controlling beneficial owner, PEP and high-risk clients

In brief

The risk-based approach adds depth; it does not eliminate the minimum file. These ten tools connect representation, ownership, control, PEP, source of wealth, high risk and evidence.

Route to identify the beneficial owner and apply enhanced KYC at a SOFOM.
KYC follows documents and control down to natural persons and adds depth as risk increases.

Common method of the dossier

The unit of analysis is the chain of identity, ownership and control. Every conclusion must link declaration, document, corroborating source, calculation, inconsistency and resolution, without turning the file into an indiscriminate collection of data. Enhanced measures are justified by concrete risk and are reviewed when the structure or the behavior changes; exceptions are applied only after proving their conditions and retaining the current source.

Framework for client identification, ownership and risk

The KYC file separates indispensable information from measures that intensify according to risk. Identity, representation, purpose and structure are not replaced with a commercial label or with informal knowledge of the client. For each data point, the source, date, validation, currency and update route are recorded. Exceptions are interpreted under their exact premise and only affect the element that the rule allows to be treated differently; the rest of the file and of the analysis remains required.

For legal entities it is advisable to work with three representations. The ownership map calculates direct and indirect holdings. The control map incorporates votes, agreements, the power to appoint and other mechanisms of influence. The representation map identifies who can bind the entity and with what limits. A person may appear in one, two or three maps for different reasons. Constitutive documents, books, powers of attorney, declarations and public searches are compared, and contradictions are resolved through documented questions before approval.

The search for natural persons preserves each segment and formula. Holdings across several branches are correctly added together; classes of shares, treasury stock, trusts and circular structures receive specific analysis. If no one exceeds the ownership criterion, control is examined and the prescribed path is applied, without simply concluding that no beneficial owner exists. Listed companies and their subsidiaries require verifying the market, control and continuity of the premise; a brand affiliation or a minority holding is not enough to extend an exception.

Risk signals are not equivalent to conclusions. PEP, tax matches, vulnerable activity, jurisdiction, opacity or behavior trigger a review and proportionate measures. Identity and relevance are confirmed, facts are separated from declarations, and it is determined what additional information responds to the trigger. Source of wealth explains the formation of assets; source of funds explains a flow. Approval conditions have an owner, a limit and an expiry, and they are reopened when ownership, position, product or transactional pattern changes.

The system must prevent an irrelevant file from closing a requirement through a name match and must preserve the history of updates. Tests change the representative, the capital and a third-party transaction to confirm that the file, the rating and the monitoring react. A second reviewer reconstructs a sample from data point to decision. The public version or the one for internal bodies minimizes information; the private repository preserves documents, calculations, searches and approval with traceable access. This framework protects the client from inferences and the entity from decisions that cannot be reproduced.

The quality review also takes rejected files and cases closed with a condition. This makes it possible to know whether the methodology distinguishes a curable absence from a contradiction that changes identity or control. The metrics separate documentation received, validation completed and risk approved; adding up PDFs does not substitute for any of those states.

Base file that cannot be reduced

The file must show what was known at onboarding and what changed. Control currency, apparent authenticity, consistency and source. A legible identification does not resolve an incompatible RFC or an insufficient power of attorney.

How to put it into practice

regulatory baseline by type of person; additional items triggered by factor; and follow-up. For each element record the document, extracted data, validation, date, responsible person, exception and approval. Block the disbursement if an element defined as a precondition is missing.

Documentary core that remains required. Before applying any facility, separate the data and documents indispensable to identify the client, know the representation, understand the purpose and build the file from the additional elements that depend on risk. A commercial policy cannot reduce the core because the client is known, belongs to the group or promises to deliver information later. Operational exceptions are recorded without transforming an absence into confirmed data.

The test uses three files: natural person, legal entity and structure with an attorney-in-fact. A reviewer attempts to reconstruct identity, authority, address, activity, beneficial owner and relationship without consulting the executive. Empty fields must prevent or condition onboarding in accordance with the applicable rule, and the system preserves who authorized each exception. If a document expires or changes, the process distinguishes a periodic update from the correction of an initial deficiency. The control sheet shows requirement, source, currency, validation, storage and access. For publication or external diligence, data is minimized; in the private repository, integrity, version and traceability are maintained. In this way, the base file remains verifiable even though enhanced due diligence changes according to risk.

CNBV, AML/CFT provisions for SOFOM.

UBO exceptions for listed companies and subsidiaries

Build an exception sheet describing the listed entity, jurisdiction, official source, percentage and chain. If the subsidiary is not covered or ownership changes, reopen the analysis.

How to put it into practice

identify the premise; obtain evidence of listing; trace the chain; validate control; document the scope; review sanctions/lists; approve; and schedule the update. If it is not proven, apply the ordinary methodology without "forcing" the exception.

Precise scope of the exception for issuers. The status of listed company or subsidiary must not be invoked from memory. The file identifies the market, issuer, control percentage, corporate chain and the rule in force that supports the treatment. An entity with a listed shareholder is not necessarily covered at all of its levels; nor does listing eliminate the need to know representatives, purpose, activity and other client elements.

The analyst draws the chain up to the issuer and marks holdings, control and jurisdictions. Then the official listing source is verified, along with the fact that the subsidiary is indeed controlled, not merely affiliated by brand. If there is an intermediate vehicle, agreement or relevant shareholder outside the perimeter, its effect is documented. The approval indicates exactly what UBO information is not required or is satisfied in another way and what obligations remain. An annual review or one triggered by a change of capital confirms the continuity of the premise. The folder preserves the organizational chart, corporate records, official search, calculation, basis, decision and update alert. When the evidence falls short, the entity returns to the ordinary methodology instead of extending the exception for convenience.

CNBV, identification regulations for SOFOM E.N.R..

High-risk triggers, approval and evidence

The file explains factor, evidence, analysis, measure, approver and date. If accepted, indicate why the residual risk falls within appetite; if rejected, avoid unsupported accusatory language.

Observed pattern. Committees decide better with an exception sheet comparing risk, mitigant and condition, not with a file of hundreds of pages.

How to put it into practice

summary; triggers; identity/UBO; product; purpose; source; lists; mitigants; residual; conditions; monitoring; currency; approvals. Create alerts for expiring documents and conditions.

Trigger separated from the high-risk conclusion. Each signal —opaque structure, PEP, jurisdiction, product, behavior or source of funds— must be linked to a factor and to a verifiable data point. An isolated match starts a review; it does not replace the full assessment. The file preserves what fact escalated the case, when it became known and what additional information was obtained.

Enhanced due diligence designs measures matched to the trigger: additional corporate documents for opacity, asset corroboration for source of wealth or higher approval for PEP exposure. The approver receives a synthesis with facts, resolved alerts, residual risk, conditions and currency. A negative test removes the key document or changes ownership to verify that the system reopens the case. Conditions are monitored and expire; they do not remain as indefinite notes from the executive. The package includes sources, analysis, searches, contact with the client, decision, restrictions and follow-up. If the relationship is rejected, the internal reason is stated precisely and the external communication avoids disclosing controls or turning an unconfirmed alert into an accusation.

Closing criterion. Avoid closed lists that allow automatic approval when a known trigger does not appear. The assessment preserves space for unforeseen facts and requires explaining their relevance. Atypical decisions are analyzed afterward to decide whether they should be incorporated into the matrix or remain as documented judgment.

CNBV, applicable provisions.

Documenting the beneficial owner, powers and structure

Reconcile bylaws, share certificates, the share ledger, minutes and the declaration. If they diverge, record the finding and halt the conclusion or escalate with an express limitation.

Observed pattern. A diagram with links to passages makes it possible to detect sums that do not add up and facilitates future review without rereading the entire file.

How to put it into practice

node per entity; direct owners; percentage; rights; document; control; natural-person beneficial owner; indirect calculation; date; reviewer. Add an alternative route of non-equity control. Protect the diagram given its sensitivity.

Three maps that must match. Ownership, control and representation answer different questions. The capital chart shows direct and indirect holdings; the control matrix incorporates voting rights, agreements and decision-making capacity; the catalog of powers explains who binds the legal entity. Merging them into a single drawing can hide that the attorney-in-fact is not an owner or that a person controls without exceeding a percentage.

To verify, take constitutive documents, the ledger or cap table, powers of attorney and declarations, and calculate each segment down to natural persons. Public sources corroborate, but they do not substitute for documents nor do they explain every private structure. Discrepancies are presented to the client with a concrete question and the answer is preserved; the most convenient version is not chosen. The file marks the cutoff date, expired documents, calculations, responsible parties and approval. A change of administrator, shareholder or agreement must trigger a review of the three maps and of access. The final conclusion identifies who is the representative, who owns and who controls, with the specific evidence that supports each role.

Closing criterion. Assign a unique identifier to each person and entity in the diagram to avoid confusing namesakes or duplicating holdings. The same identifier must appear in the calculation, the search and the KYC system. The final review looks for branches without a document, percentages that do not add up and powers granted by a different entity.

CNBV, AML/CFT regulations for SOFOM.

PEP, controlling beneficial owner and source of wealth

Document the search, possible namesakes, public information, interview, supporting materials and approval. Avoid asserting an offense based solely on PEP status.

Observed pattern. The best interviews use an asset timeline rather than a generic question. This makes it possible to compare a company, dividends, a sale, salary or other facts against documents.

How to put it into practice

confirm the person; classify the PEP; map the UBO; define the transaction; request sources; reconcile; assess reputation; approve; set monitoring; review periodically. Record whether the information is declared or verified.

Joint analysis of position and assets. PEP status and the identification of the controlling beneficial owner are related but not interchangeable data. First, identity and public role, period, kinship or association where applicable are confirmed; then that person is placed within ownership or control. The source of wealth explains how the assets were formed, while the source of funds addresses the concrete flow of the relationship.

The review must be proportionate and respect minimization. Activity, declared assets, expected transactions and independent documents are compared, without requesting information indiscriminately. A name match is resolved before applying conclusions; a confirmed PEP leads to the prescribed approval and monitoring, not to automatic rejection. The file distinguishes facts, the client's declaration and external corroboration, and records pending inconsistencies. For a corporate structure, the analyst follows the chain down to the person and explains how their influence affects risk. Conditions —limit, update, support for a given transaction— have an owner and a date. Follow-up reviews changes of position, ownership and transactional pattern with the defined frequency.

Closing criterion. The source of wealth is not validated solely against the amount of the requested loan. Available assets and track record are considered, and it is documented why the corroboration is reasonable for the exposure. Any request for additional information must have a defined purpose, access level and retention period.

CNBV, know-your-client provisions.

Corporate shareholders and scope of the file

Classify each intermediate entity as an ownership layer, a control layer or a vehicle without influence. Document why additional information is or is not requested.

Observed pattern. A layered approach avoids requesting hundreds of documents indiscriminately and, at the same time, prevents stopping at the first corporate shareholder.

How to put it into practice

cap table; threshold and calculation; special rights; administrators; registry source; jurisdiction; exception; risk; document; conclusion. Escalate trusts, foundations and companies without a clear equivalent.

A corporate shareholder does not close the investigation. When a legal entity appears in the capital, the file must advance through each level until natural persons are identified or the applicable exception is documented. The name and percentage of the intermediate company are only one segment. Control rights, agreements, trustees, administrators and any mechanism that allows exercising influence other than economic participation are also reviewed.

The calculation preserves numerator, denominator and currency or class of shares where relevant. A table links each entity to constitutive documents, registry, date, owners and controller. If a jurisdiction makes it difficult to obtain documentation, the case is escalated with enhanced measures or a decision not to proceed; absence is not transformed into "no UBO". The consistency test compares declaration, ledger, public sources and powers of attorney. Documents of subsidiaries or issuers are assessed under their exact premise. The final file includes the complete chain, indirect calculations, discrepancies, searches, approval and planned update. In this way the scope responds to risk and to the actual structure, not to the number of PDFs delivered.

Closing criterion. When the corporate shareholder is a fund or trust, the policy explains how it examines administrator, settlors, beneficiaries and control according to the instrument. The structure is not forced into a conventional corporate organizational chart; the legal mechanism that distributes rights and decisions is documented.

CNBV, SOFOM E.N.R. regulations.

Methodology to reach a natural person

How to put it into practice

In foreign structures, identify equivalent documents and explain their function. In trusts, analyze roles and rights, not just the name.

Observed pattern. Preserving the negative search —what was looked for and not found— is as important as the final document when the subsidiary criterion is applied.

Tool — decision tree: direct natural person?; indirect above the threshold?; control without ownership?; agreement?; special structure?; not identified after diligence?; apply the fallback; approve; update. Record the date and source.

Calculation route down to the natural person. Start with direct ownership and multiply holdings across each level to estimate indirect tenure. In parallel, examine control: votes, appointment of administrators, agreements, trusts and decision-making powers. The methodology sets thresholds and criteria in accordance with the rule in force, but it allows identifying effective control even where the arithmetic holding is smaller.

An example with three layers and two branches proves that the percentages add up correctly and that a duplicated route is not omitted. The analyst preserves source documents and the formula, and a second reviewer reproduces the result. When no person appears through ownership, the steps taken are documented and the control path or the corresponding rule is applied, without simply writing "does not exist". Exceptions for regulated or listed structures are supported separately. The final map shows the cutoff date, beneficial owners, representatives and data to be confirmed. Any transfer, capitalization or new agreement triggers a recalculation. That discipline makes it possible to explain the conclusion to audit without relying on an organizational chart prepared by the client itself.

Closing criterion. The calculation must handle treasury stock, non-voting classes and circular holdings. These cases are escalated to legal review before concluding the effective percentage. The calculation record preserves assumptions and prevents the tool from rounding a result close to the threshold without showing the difference.

CNBV, AML/CFT provisions.

Beneficial owner, controlling beneficial owner and UBO

A glossary prevents tax from delivering a conclusion that compliance reuses without verifying. Map equivalences and differences; do not duplicate documents when a single piece of evidence does satisfy both frameworks.

Observed pattern. Conflicts are usually about language, not facts. A field indicating "framework/definition" alongside the name reduces incompatible conclusions.

How to put it into practice

term; legal source; purpose; threshold; control; exception; evidence; area; date. Train onboarding and tax with the same map.

Consistent use of closely related concepts. "Beneficial owner", "controlling beneficial owner" and "UBO" may appear in different sources or practices, but the file must not interchange them without explaining the applicable definition. The policy adopts terms, ownership and control criteria, and a correspondence for documents from other jurisdictions. The conclusion is stated with the legal category relevant to the SOFOM's process.

The test takes a person with an indirect holding, another with contractual control and an administrator without ownership. The analyst determines which role corresponds to each and what data must be captured. If a platform offers only a UBO field, the design supplements attributes or annexes so as not to lose the distinction. The client's declarations are contrasted with constitutive documents, books, agreements and independent sources. The decision matrix preserves definition, fact, evidence and result per person. It also explains exception cases and the path used when sufficient participation is not identified. This prevents an Anglo-Saxon term from unduly simplifying local obligations or two areas from recording different persons for the same structure.

Closing criterion. Align the terminology with notices, contracts, questionnaires and technology fields. If the client declares "UBO" under a foreign definition, the SOFOM translates the answer to its own criterion and requests what is missing. The original data is preserved to show why the local conclusion may be different.

CNBV, Federal Fiscal Code in force and LFPIORPI.

AML checklist for legal entities

How to put it into practice

Observed pattern. A consistency control among the minutes, the power of attorney, the RFC and the bank account detects more risks than reviewing each document in isolation.

Tool: name; incorporation; address; RFC; activity; representative; power of attorney; shareholders; UBO; PEP/lists; purpose; product; source; profile; risk; approval; update. Add a "extracted data" and a "source" column. Take a post-onboarding sample to verify that the system preserved what was approved.

Sensitive data must be limited by role and retention. An annual or enhanced update does not mean requesting everything again: confirm changes and replace expired documents with traceability.

A checklist that follows the life of the legal entity. Onboarding gathers constitutive documents, registration, address, activity, representative, powers of attorney, structure, controlling beneficial owner, purpose, profile, source and searches. Each piece has validation, currency and an update rule. The checklist distinguishes a documentary requirement from data that the system must capture and from analysis that compliance must perform; marking a file as received does not demonstrate the other two.

In the test, change the attorney-in-fact and transfer a holding after onboarding. The control must detect both events, request supporting materials, update the maps and reassess risk without losing the prior history. A third-party payment is included to contrast profile and mandate. Exceptions show approver, reason, limit and expiry, and block transactions that exceed the condition. The sample file must be reconstructed from the system down to the source with restricted access and a search log. A periodic review is based on risk and events, not only on the anniversary. The expected result is a file consistent across KYC, contract, portfolio, alerts and reports.

Closing criterion. The list also indicates documents that may be reused and those that must be obtained directly or updated. This reduces repeated requests without relaxing validation. The client receives a clear explanation of pending items and the system prevents an irrelevant file from satisfying a different requirement through a name match.

CNBV, identification and know-your-client policies.

Former PEP, EDOS/EFOS and vulnerable activities

EDD must end in a decision and conditions. For a former PEP, assess timing and persistent risk. For tax publications, confirm the list and status. For a Vulnerable Activity, verify enrollment, the responsible person, files or notices where they are materially relevant.

Observed pattern. The most defensible EDD records sources and questions, not adjectives. It allows updating if the situation changes without redoing the entire file.

How to put it into practice

signal; verification; client's explanation; documents; UBO; source; product; risk; mitigants; decision; conditions; review. Separate confirmed facts, declarations and inferences.

Different signals, different treatments. A former PEP requires confirming the date of departure, function, persistent influence and follow-up rule. An EDOS/EFOS reference requires verifying identity, status and official source as of the date of the search. Carrying out vulnerable activities describes an obligation or exposure of the client, not in itself proof of unlawful conduct. Grouping the three labels under "high risk" without analysis produces decisions that are hard to defend.

The file opens a line per signal with data, match, relevance and measure. For the former PEP, it may update source of wealth and monitoring; for tax lists, namesake issues and context are resolved; for vulnerable activity, the model, notices and pattern of funds are understood. Measures are combined only when the facts justify it. A reviewer verifies sources and date, while the approver receives residual risk and conditions. The negative test changes the RFC or the date of the charge to confirm that the conclusion is updated. Internal language avoids turning alerts into assertions; external language protects controls and data. The subsequent review addresses new listings, transactions and changes of activity.

Closing criterion. If several signals fall on the same person, avoid counting the same fact twice when rating. The approval note shows the incremental contribution of each factor and how the measure changed. This separation makes it easier to lift a condition when a signal no longer applies without erasing the rest of the analysis.

SAT, official search of publications and CNBV..

Next step

SVA.LAW can review files, beneficial-owner methodologies and high-risk decisions with auditable evidence.

General information; it does not constitute a KYC decision for a specific client.