SOFOMs

AML/CFT manual, RBA, automated systems and controls

In brief

The manual, the RBA methodology and the system are a single control: the manual defines, the RBA measures and decides, and the system executes and preserves evidence. Ten tools make it possible to prove they share data, scales, owners and results.

Relationship between the AML manual, RBA, automated system, evidence and audit.
The manual defines, the RBA decides, the system executes and the evidence makes verification possible.

Common method of the dossier

This dossier follows a technical chain: identified risk, approved rule, configured parameter, source data, result, exception and effectiveness test. A matrix or manual only has value if it can be pointed to where it executes and what log the system preserves. That is why each topic requires comparing design and behavior against normal cases, limits and errors, including who can change a weighting and how an unauthorized modification is detected.

Traceability framework between risk, manual and technology

The control architecture begins with a simple assertion: every described rule must have data, calculation, decision, evidence and an owner. The RBA methodology explains the exposure; mitigants reduce risk only after their operation has been verified; the manual translates decisions into procedures; the system executes the rules that can be automated; and audit examines design and operation. An index links those layers to prevent a documentary modification from becoming separated from the configuration, or a technical change from altering the process without approval.

Data requires a dictionary that identifies source, meaning, format, update, owner and treatment of missing values. Before weighting factors, coverage and quality are verified. An important but incomplete field must not disappear through a lower weight: the methodology adopts a conservative rule, acknowledges uncertainty or opens a data project. Formulas and thresholds are versioned; each result preserves which configuration produced it and what action it triggered. Exceptions have an approver, a reason and an expiry, without manually editing the original rating.

Technological testing is carried out with synthetic cases and controlled samples. It includes an ordinary result, a boundary, missing data, an error, a reversal, a change of profile and an event that must escalate. Input, expected output, observed output, generated task and closure by the correct role are compared. A vendor acceptance does not replace compliance validation, and a screenshot does not replace logs or reproducible queries. Backup, restoration, interface outage and recovery of pending items form part of the same file.

Calibration is designed before looking only at the desired volume. The team documents hypotheses, population, positive and negative cases, sensitivity and limits. A threshold that generates zero alerts requires validating the data feed; one that generates too many requires analyzing the cause before raising it. Changes go through regression on a stable sample to confirm that critical scenarios are not lost. The dashboard combines coverage, usefulness, explained false positives, confirmed cases, unknown data and failed controls.

Evidence of effectiveness is obtained by mitigant and by risk. Normal operation, exception and a known failure are selected; timeliness, coverage, quality and effect on the decision are measured. Findings state population, cause, correction and re-test, updating the layer that is actually defective. The governing body receives the inherent distribution, residual, concentrations and actions outside appetite. With this traceability, the SOFOM can explain why its model produces a given conclusion and how it knows that the declared controls work in real operation.

Practical checklist for the automated system

How to put it into practice

Build a requirement-function inventory and test it with synthetic data. Include an incomplete onboarding, a match, a risk change, an off-profile transaction, an expired alert, a rejected closure, a report and an access revocation. Preserve the expected and obtained result.

Tool: a matrix with obligation, module, rule, source data, frequency, role, positive test, negative test, evidence, incident and version. Run regression after every material change. Vendor accesses must be temporary and traceable.

Tests by automated-system function. The checklist must cover data ingestion, identification, lists, segmentation, alerts, accumulation, monitoring, reports, audit trails, security and retention. For each function, source data, rule, expected result, owner and evidence are defined. A vendor demonstration does not replace tests using the SOFOM's own configuration and catalogs.

Prepare synthetic cases that include an exact and partial match, missing data, a fragmented transaction, a profile change, a reversal and an interface error. Each case is executed end-to-end and compared against the approved manual and methodology. The audit trails must show user, date, change and result without allowing silent alteration. Continuity is also tested: backup, restoration, failure of a source and recovery of pending alerts. Defects are classified by impact and re-executed after correction. The technical file preserves version, parameters, catalogs, inputs, outputs, necessary screenshots, logs and approval. Compliance validates the logic; technology evidences operation and security; audit must be able to repeat a sample without relying exclusively on the vendor.

CNBV, SOFOM E.N.R. regulations and applicable channels.

Bringing the National Risk Assessment down to earth

Use a table national finding → own exposure → data → indicator → control → evidence. If the SOFOM only lends to Mexican companies, it must still analyze foreign chains, third-party payments or digital channels where they exist. Relevance is proven with a model, not with a sector label.

Observed pattern. A good RBA workshop confronts product and compliance with concrete scenarios; that is how risks emerge that a document drafted in isolation does not detect.

How to put it into practice

inventory official sources; select risks; assign an owner; measure exposure; define a mitigant; test effectiveness; approve; and schedule review upon changes. Preserve the version of the NRA consulted and the date.

Translating the NRA to the entity's own profile. The National Risk Assessment provides the country's threats and vulnerabilities, but the SOFOM must explain how they affect its clients, products, channels, regions and operations. A matrix selects relevant findings, identifies concrete exposure, available data and existing control. Unrelated topics are discarded with a reason; copying national conclusions without that bridge does not produce an institutional assessment.

The exercise begins with three plausible scenarios for the portfolio: use of opaque legal entities, third-party payments and operation in exposed regions or sectors. It estimates how they could occur, what signals would remain in the data and which mitigant should respond. A sample is then reviewed to determine whether those signals are actually captured. Management decides on changes to appetite, due diligence, alerts, training or product, with a deadline and an owner. The file preserves the version of the NRA consulted, the relevance analysis, internal sources, approval and implementation evidence. At the next review, incidents and metrics are compared to confirm whether the translation was reasonable or needs adjustment.

Closing criterion. Also document the national risks analyzed and discarded, with a reason tied to the model. That list prevents a future review from confusing omission with decision. When the portfolio or channel changes, the discards are reopened and compared with new data before maintaining the conclusion.

UIF, National Risk Assessment 2023.

Designing an RBA methodology for a SOFOM

How to put it into practice

Document each variable and its source. Treat unknown values expressly; do not convert them into low risk. Validate the distribution to prevent all clients from ending up in the same band.

Observed pattern. Models become auditable when a third party can recalculate a sample with the dictionary and obtain the same result.

Tool — methodology sheet: objective; scope; factors; catalog; sources; cleansing; scales; weights; formula; controls; residual; thresholds; approval; recalculation; exceptions; validation; versions. Add a complete synthetic example and a sensitivity test.

Reproducible construction of the RBA. The methodology starts from defined units of analysis —client, product, channel, region or transaction— and establishes observable factors for each one. Scales, weights and missing-data rules are documented before the aggregate result is known. Inherent risk is then calculated, the effectiveness of mitigants is assessed and the residual is obtained; mixing control inside the exposure factor produces a reduction that is difficult to explain.

A set of boundary cases tests the methodology: two nearly identical clients separated by a threshold, a complex corporate structure, an unknown data point and a partially effective control. The analyst must reproduce the rating from current sources and version. Exceptions are approved with grounds and an expiry, without manually changing the result to accommodate a commercial decision. The documentation includes the data dictionary, formulas, change governance, validation, results, limits and actions by level. The board or committee receives distribution, concentrations and residual outside appetite. Subsequent calibration uses alerts, cases and observed losses, preserving why each adjustment improves discrimination and does not merely reduce volume.

Closing criterion. The model's output must trigger concrete controls: additional information, approval, limits, monitoring or rejection. Prove that two different levels generate different actions and that the decision is recorded in the file. A rating that only colors a dashboard, with no operational effect, does not complete the risk-based approach.

CNBV, applicable AML/CFT provisions.

ML/TF indicator catalog

Avoid duplicate indicators that count the same fact twice. Distinguish a static condition —a complex structure— from dynamic behavior —a deviation from the profile. Catalog changes require an impact analysis on existing clients.

Observed pattern. A catalog kept separate from the matrix makes it easier to discover variables that the system never captures or captures with a different catalog.

How to put it into practice

code; name; risk; factor; definition; source; values; score; unknown; evidence; frequency; owner; update rule; effective date; version. Test boundary cases and document the result.

An indicator with purpose and verifiable data. The catalog describes, for each signal, the risk it seeks to detect, population, fields, time window, formula, threshold, exclusions, severity and action. “Unusual transaction” is not an executable indicator; it must be turned into a condition that the system can calculate and the analyst can interpret. Nonexistent or low-quality fields are flagged as a limitation, not replaced by hidden assumptions.

To validate the catalog, select a third-party payment, structuring, an abrupt change of behavior and a list match. Generate a positive case and a near case that should not alert. The comparison reveals duplications, gaps and thresholds that do not discriminate. Each change preserves version, justification, approval and regression testing on a stable sample. Indicators are linked to typology, RBA factor, analysis owner and performance metric. The dashboard shows coverage, useful alerts, explained false positives, unknown data and confirmed cases. Retiring a rule requires assessing the risk left without coverage and assigning a replacement, preventing the pursuit of efficiency from silencing relevant exposures.

Closing criterion. Each alert must preserve which version of the indicator produced it. If the catalog changes while the case is open, the analyst uses the rule in force at the event and documents any reassessment. This makes it possible to explain differences between similar cases and avoids retroactively applying new thresholds without analysis.

CNBV, guidelines and provisions for SOFOMs.

Inherent vs. residual risk

How to put it into practice

Separate the risk scale from the control scale. For inherent vs. residual risk, the test is limited to its own data, decision and support. Assess coverage, automation, frequency, exceptions and results. For inherent vs. residual risk, the test is limited to its own data, decision and support. Do not deduct points arbitrarily, nor allow a generic control to neutralize any risk.

Observed pattern. Teams tend to overvalue controls they are familiar with. For inherent vs. residual risk, the test is limited to its own data, decision and support. A sample of files or alerts provides more objective evidence than a self-assessment.

Tool: for each risk, describe scenario, likelihood/impact, inherent, control, design, test, finding, effectiveness, residual, appetite and action. Make it possible for audit to follow the supporting records. For inherent vs. residual risk, the test is limited to its own data, decision and support.

A separation that avoids double discounts. The inherent reflects exposure before controls: nature of the client, product, channel, geography and behavior. The residual is calculated after testing the design and functioning of mitigants. An existing policy does not automatically reduce risk; it must show coverage, frequency, evidence and results. Nor should the same control be counted across several factors without explaining its contribution.

Use a case with high exposure and two mitigants: well-operated enhanced due diligence and monitoring with data failures. The first may reduce part of the risk; the second retains limited effectiveness until it is corrected. The calculation records assumptions and sensitivity so that a reasonable change of weight does not produce arbitrary jumps. If the residual exceeds appetite, the response may be a condition, restriction, improvement or non-onboarding, but it needs a competent body and a deadline. The file combines the inherent matrix, control tests, effectiveness assessment, residual, decision and follow-up. In future reviews, incidents and exceptions are compared to verify that the declared reduction was observed in practice.

CNBV, AML/CFT regulations For inherent vs. residual risk, the test is limited to its own data, decision and support.

For inherent vs. residual risk, the test is limited to its own data, decision and support.

Justifying internal weightings

Test concentration and correlation. Product and transactionality may partially measure the same phenomenon; if both weigh heavily, they duplicate it. Use a committee to debate, not just to approve.

Observed pattern. Sensitivity reveals when a dominant factor makes the others irrelevant. Adjusting before launch avoids re-rating the entire portfolio without explanation.

How to put it into practice

hypothesis; evidence; proposed weight; scenarios; distribution; sensitivity ±; correlation; decision; date; version. Preserve rejected alternatives and the reason. After operating, compare weights against alerts and findings.

Grounds for each weight. Weightings must reflect relative importance and quality of evidence, not the preparer's preferences. The file explains what risk each factor represents, why it deserves a given weight, how it interacts with others and what would happen if the data were missing. Internal sources, the NRA, typologies, portfolio and incidents may support the decision, always with a cutoff date.

Validation modifies one weight at a time and observes clients that change level. If small variations alter a proportion disproportionately, or if a factor dominates without reason, the model needs adjustment. Known cases of higher and lower exposure are also compared to verify a logical ordering. Commercial decisions are not used as a calibration target. The committee receives the sensitivity analysis, distribution, exceptions and limits, and records the criterion adopted. Each version preserves formula, data, results and approval. When evidence is insufficient, a temporary conservative stance with a data-gathering plan may be used, avoiding presenting an estimate as empirical truth.

Closing criterion. Compare the weighting against measurement capacity: a theoretically important factor fed by incomplete data needs explicit treatment. It may increase uncertainty, trigger a conservative rule or generate a data project. Reducing its weight only because it is hard to measure would hide the limitation instead of managing it.

CNBV, applicable provisions.

Initial calibration of indicators

How to put it into practice

Use a representative sample or synthetic scenarios and preserve before/after. If a few clients concentrate risk, review whether it is real or the product of a defective data point.

Observed pattern. Models improve when compliance records why an alert was useful or false, not just that it was closed.

Tool: version; sample; assumptions; distribution; percentiles; extremes; unknowns; capacity; threshold; result; approval; revalidation date. Any material adjustment requires regression and impact analysis.

Calibration before accumulating one's own history. The initial stage combines documented expert judgment, test data, market information and synthetic scenarios. For each indicator, population, expected frequency and the result of positive and negative cases are defined. Provisional thresholds are labeled as such and a date is set to review them with real operation.

A parallel run over available historical data or a simulated portfolio makes it possible to measure volume, duplication and concentration. The team manually inspects alerts across different ranges, not only the highest ones, and records why they were useful or irrelevant. If a rule generates total silence, the data feed is verified first; if it produces excess, the cause is analyzed before raising the threshold. Changes are subjected to regression to ensure that critical cases continue to be detected. The calibration package includes hypotheses, sample, results, limitations, approval and a recalibration date. After launch, the dashboard compares expectation with alerts, escalated cases and data quality to turn the initial configuration into accumulated evidence.

Closing criterion. Define in advance what evidence will justify moving a threshold: minimum sample size, stability, confirmed cases and the absence of critical loss. The review date does not require modifying it; it requires documenting why it is kept or changed based on comparable results.

CNBV, SOFOM E.N.R. regulations.

What operations must prove against the manual

Control versions, approval, training and effective date. Technical procedures may live in annexes, but they must be linked without contradiction.

Observed pattern. The words “automatically” and “always” are testing red flags: they require demonstrating that no undocumented alternative paths exist.

How to put it into practice

select ten assertions; trace evidence; test an exception; record the gap; assign correction; update the manual/system; train; and repeat. Include the vendor and contingency.

From regulatory text to system output. Select concrete obligations from the manual and turn them into tests: data that must be captured, timing, rule, decision, record and retention. For identification, a file is inspected; for accumulation, transactions are combined; for lists, updating is tested; for alerts, a case is followed through to its closure. Each result is compared with the version of the manual in force, not with a vendor presentation.

Differences are classified carefully. The documentary design, the parameterization, the interface or the human execution may fail; correcting only the symptom leaves the other layer misaligned. A negative test omits an essential field and another alters the date to confirm that the control responds. The file contains requirement, case, data, expected output, observed output, evidence and defect. After remediation, regression is run and the element that was actually wrong is updated. The final approval identifies accepted limitations and compensating controls with an expiry. Thus, the operation demonstrates reproducible compliance instead of a superficial match between manual and screen.

Closing criterion. Incorporate business users into acceptance: a technically correct output may not generate the task or escalation that the manual promises. The evidence must include the notification, the work queue and closure by the corresponding role, not only the value calculated in the database.

CNBV, AML/CFT Manual guidelines.

Linking manual, audit and system

Use stable IDs for obligations and controls. Do not change names in each document. Findings are linked to the control, version and closure test.

Observed pattern. This matrix reduces lengthy narrative responses to requirements, because each item already has localized evidence.

How to put it into practice

inventory; mapping; gaps; tests; findings; plan; evidence; re-test; approval. Review a sample quarterly and after material changes.

Consistency triangle. The manual defines the rule, the system executes it and audit verifies design and functioning. A single index links the manual paragraph, the configuration requirement, the test, the evidence and the audit procedure. When a rule changes, the control opens tasks for the other two layers; no version is considered closed until the chain is complete.

The reviewer takes three findings: one documentary, one technological and one operational. For each one, they identify cause, affected population, correction, update of the manual or system and an independent re-test. If audit only recommends “adjusting the policy” for an interface failure, the remedy is insufficient. The audit trail preserves effective dates to know which rule applied to each transaction. It is also tested that the auditor's sample comes from the complete population and that the logs cannot be edited by the preparer. The report to the governing body shows discrepancies between layers, residual risk and overdue actions. Traceability allows the next audit to verify effectiveness without rebuilding the relationship between documents and configuration from scratch.

Closing criterion. Maintain an inventory of controls without automated testing and explain how audit obtains the complete population. If the system does not preserve a certain data point, the limitation is remedied or temporarily covered with controlled evidence. A manual spreadsheet with no owner or traceability does not close the relationship between the three layers.

CNBV, audit and manual guidelines.

Evidence of mitigant effectiveness

Combine metrics and qualitative tests. A low alert rate may be effectiveness or poor parameterization; investigate the cause. Report trends to the CCC/board and material exceptions.

Observed pattern. The most convincing evidence includes a detected failure and its correction, because it demonstrates that the control and governance react.

How to put it into practice

risk; control; indicator; source; period; target; result; sample; exception; cause; action; re-test; residual. Do not close solely with an updated document.

Observed effectiveness, not formal existence. Each mitigant needs a verifiable assertion: what risk it reduces, over what population, with what frequency and through what result. For due diligence, coverage and quality are measured; for monitoring, detection and resolution; for training, application in cases; for segregation, authorizations and exceptions. The mere approval of a policy evidences documentary design, not operation.

The test takes an ordinary sample, an exception and a known failure. It is verified whether the control acted on time, left evidence and changed the intended decision or exposure. Defects are quantified by population and period to avoid intuitive extrapolations. When a mitigant is partially effective, the residual assessment preserves that limitation and assigns remediation. The file gathers objective, owner, data, sample, result, incident and re-test. Indicators such as complete files or closed alerts are complemented with quality and timeliness. The governing body receives a conclusion by mitigant and by risk, so that it can decide on investment, restriction or acceptance based on evidence of real functioning.

Closing criterion. The testing frequency must respond to volatility, changes and criticality. A stable control can be reviewed periodically; a recently corrected one requires closer follow-up. The schedule makes clear when old evidence ceases to be sufficient to sustain the declared risk reduction.

The test record also identifies the exact period during which the effectiveness conclusion can be sustained.

CNBV, SOFOM provisions and guidelines..

Next step

SVA.LAW can diagnose consistency between manual, RBA, data and system, and prepare tests reusable in audit and supervision.

General information; the methodology must be adapted to the model and the regulation in force.