Stablecoins and Blockchain
KYC, Travel Rule, wallets and traceability in stablecoins
Useful traceability combines an identity file, banking context and on-chain evidence. This dossier gathers ten microblogs on KYC/KYB, beneficial owner, Travel Rule, wallets, whitelisting, PEP, lists, transactional profile, alerts and filings under one common rule: every decision must be reconstructable.
Regulatory cutoff: July 9, 2026. Before publishing, reconfirm identification rules, filing formats, UMA values and data-exchange requirements applicable to the obligated party.
Reading route
- KYC file for virtual assets: auditable minimum
- KYB and beneficial owner at an OTC desk
- Travel Rule: international standard and Mexican implementation
- Custodial or non-custodial wallet: due diligence questions
- Whitelisting of wallets and bank accounts
- On-chain traceability: what evidence to retain
- PEP and virtual assets: enhanced risk without automatic rejection
- LPB, sanctions and wallet screening: distinct controls
- Transactional profile and alerts in stablecoins
- Filings and reports: an audit-ready decision file
Analysis method
- Map entities, accounts, wallets, keys, data and jurisdictions.
- Assign to each participant the function it actually performs.
- Separate the Mexican obligation from any FATF standard, foreign list or contractual requirement of the counterparty.
- Turn the conclusion into contracts, controls, records and verifiable evidence.
- Re-examine the file if the captured data, the custody, the analytics provider, the broker or the risk profile changes.
Cross-cutting criterion of the compliance file
Identity, beneficial owner, accounts, wallets, alerts and decisions must retain a common identifier and an update date. Each topic adds the specialized evidence it needs, without restating the general architecture of the file.
KYC file for virtual assets: auditable minimum
Observed pattern. The auditable file connects identity, beneficial owner, purpose, profile, wallets and updating.
The information changes depending on whether the client is an individual, a legal entity, a trust or a foreign structure. Legal entities require existence, powers, structure and beneficial owner. For everyone, PEP, lists, purpose, source/destination and profile are reviewed. Documents must be verified and have update rules.
The crypto layer
In addition to the traditional file, the asset, network, wallet, type of custody, reasonable proof of control, source/destination VASP where identifiable and the data required for the transfer are captured. The address alone does not identify the holder; the client's declaration alone does not replace verifications proportional to risk.
The file must be linked to transactions. If volume, geography or counterparties depart from the profile, information is updated or the matter is investigated. KYC is a continuous process, not a gate crossed once.
Legal basis
LFPIORPI in force, SAT: virtual assets and LFPDPPP in force.
How to put it into practice
Crypto KYC file index. This piece must prove that the file makes it possible to explain who operates, for what purpose and with what funds.
- verify identity and address.
- document activity or occupation.
- capture purpose and volume.
- link accounts and wallets.
- record source and destination.
- schedule updating.
The review must proceed from verifying identity and address, contrast it with capturing purpose and volume, and end in scheduling updating without filling gaps with assumptions. The result returns to design if documenting activity or occupation does not match linking accounts and wallets or if recording source and destination lacks verifiable support.
The file must show first verify identity and address; then document activity or occupation; and finally record source and destination, preserving the relationship among the three steps. If a change of identity, activity, risk, wallet, account or operating pattern appears, the conclusion no longer covers the active version and is reviewed before the next operation.
KYB and beneficial owner at an OTC desk
Observed pattern. The declared org chart requires documentary corroboration and an explanation of effective control down to individuals.
The analysis traces the ownership chain down to individuals or documents why another form of control applies. It also validates that whoever instructs has authority and that the bank account and wallet correspond to the entity or to an approved relationship. Foreign structures require functional equivalents and translation where necessary.
Substance and purpose
A newly created company that intends to operate volumes incompatible with its capital or activity warrants an enhanced explanation; not necessarily rejection. Contracts, statements, invoicing, source of wealth or proportional commercial evidence are requested. The goal is to understand, not to accumulate paper.
Corporate changes must trigger updating: new shareholders, directors, powers, address, line of business or beneficial owner. The same applies if third-party payers or wallets appear.
Legal basis
LFPIORPI in force, SAT: general information on Vulnerable Activities and FATF VA/VASP 2025.
How to put it into practice
KYB control tree. This piece must prove that the chain ends in corroborated individuals and explains effective control.
- obtain current incorporation documents.
- verify representatives and powers.
- reconcile books and org chart.
- identify beneficial owners.
- document percentages and control.
- resolve opaque structures.
The review must proceed from obtaining current incorporation documents, contrast it with reconciling books and org chart, and end in resolving opaque structures without filling gaps with assumptions. The result returns to design if verifying representatives and powers does not match identifying beneficial owners or if documenting percentages and control lacks verifiable support.
The file must show first obtain current incorporation documents; then verify representatives and powers; and finally document percentages and control, preserving the relationship among the three steps. If a change in shareholding, power, director, trust or control agreement appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Travel Rule: international standard and Mexican implementation
Observed pattern. A distinction must be drawn between Mexican law in force, the FATF standard and the contractual requirement of a foreign counterparty.
FATF revised Recommendation 16 in 2025 and provided for a transition for the changes. That requires version control. It is not correct to assert that every revised detail already applies automatically in Mexico; nor is it prudent to ignore it when a counterparty requires it or the design anticipates interoperability.
Data and decision
The flow defines what information is obtained, verified, retained and transmitted; how it is linked to the hash; what happens if it is missing; and how it is protected. It must also recognize transfers to unhosted wallets, where there is no other VASP to receive data. The response may include enhanced due diligence, proof of control and risk-based limits.
Privacy is not resolved by sending everything. Purpose, proportionality, security, retention and international transfers must be applied, with contracts that prohibit incompatible uses.
What to review
Maintain a matrix by broker with legal basis, fields, protocol, counterparty, encryption, SLA and rejection rule. Test interoperability and retain logs without exposing data on a public blockchain.
Legal basis
FATF: revised Recommendation 16, FATF VA/VASP 2025, LFPIORPI and LFPDPPP.
How to put it into practice
Travel Rule obligation matrix. This piece must prove that Mexican law, the FATF standard and the counterparty requirement appear in distinct columns.
- capture originator.
- capture recipient.
- identify the VASP on each side.
- link wallets and hash.
- document the applicable basis.
- control rejection or missing data.
The review must proceed from capturing the originator, contrast it with identifying the VASP on each side, and end in controlling rejection or missing data without filling gaps with assumptions. The result returns to design if capturing the recipient does not match linking wallets and hash or if documenting the applicable basis lacks verifiable support.
The file must show first capture the originator; then capture the recipient; and finally document the applicable basis, preserving the relationship among the three steps. If a new country, VASP, threshold, format or contractual rule appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Custodial or non-custodial wallet: due diligence questions
Observed pattern. Proof of wallet control must be proportional to risk and not be confused with an automatic assertion of ownership.
For a hosted wallet it is advisable to identify the provider, jurisdiction, license/registration, Travel Rule, assigned address and restrictions. For an unhosted one, the client's declaration and a proportional proof of control are documented, for example message signing or a microtransfer, taking care with security and cost.
Signals that require explanation
A recently created address, an immediate change before settling, multiple clients using the same wallet, funds from mixers or exposure to high-risk categories do not always imply unlawfulness, but they do warrant review. On-chain analysis must consider data quality, distance, network and the possibility of false positives.
The firm also defines which types of wallets it does not accept and why. That policy must be consistent and allow documented exceptions; an arbitrary block can produce opaque decisions.
What to review
Record type, network, date, proof of control, initial and ongoing screening, and the related VASP. Never request seeds or private keys. Revalidate when risk changes or the address is updated.
Legal basis
FATF VA/VASP 2025, LFPIORPI and LFPDPPP.
How to put it into practice
Wallet control questionnaire. This piece must prove that the effective ability to execute operations is proven without presuming ownership.
- identify who holds the keys.
- document required signatures.
- verify recovery.
- record sub-custody.
- prove control of the address.
- define the handling of exceptions.
The review must proceed from identifying who holds the keys, contrast it with verifying recovery, and end in defining the handling of exceptions without filling gaps with assumptions. The result returns to design if documenting required signatures does not match recording sub-custody or if proving control of the address lacks verifiable support.
The file must show first identify who holds the keys; then document required signatures; and finally prove control of the address, preserving the relationship among the three steps. If a change of custody, multisignature, sub-custodian, recovery or device appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Whitelisting of wallets and bank accounts
Observed pattern. Linking verified wallets and accounts reduces payments to third parties and improves the reconstruction of exceptions.
Enrollment must use an authenticated channel, independent verification and, for wallets, reasonable proof of control. The bank account is validated against holder and documentation. Third-party payments require a separate policy; they must not be silently added to the client's list.
Change risk
The most vulnerable moment is modification. Email compromise, social engineering or a network error can redirect irreversible assets. That is why dual approval, out-of-band notification, a cooling-off period and a record of who requested, verified and approved are applied.
The list must distinguish source and destination, production and testing, and token/network. A visually similar chain does not guarantee compatibility. Screening is also re-run before relevant operations or when the profile changes.
What to review
Do not allow editing by trading operators; use segregated permissions, immutable logs and change alerts. Any settlement outside the whitelist is halted. Exceptions expire and require a basis.
Legal basis
LFPIORPI, SAT: virtual assets and FATF VA/VASP 2025.
How to put it into practice
Register of authorized destinations. This piece must prove that each destination is linked with a verified client, proof and a current approval.
- verify account holder.
- validate network and address.
- apply proportional proof.
- record approver and date.
- establish validity.
- block changes during operation.
The review must proceed from verifying the account holder, contrast it with applying proportional proof, and end in blocking changes during operation without filling gaps with assumptions. The result returns to design if validating network and address does not match recording approver and date or if establishing validity lacks verifiable support.
The file must show first verify the account holder; then validate network and address; and finally establish validity, preserving the relationship among the three steps. If an enrollment, substitution or compromise of an account, wallet or signatory appears, the conclusion no longer covers the active version and is reviewed before the next operation.
On-chain traceability: what evidence to retain
Observed pattern. The isolated hash is not enough: its context of network, asset, address, date, counterparty and decision must be retained.
The file includes address and network, hash, date/time, provider and version, full result, exposure categories, distance, applied threshold, analyst and decision. If the provider updates labels afterward, the firm must be able to explain what information it had at the time of deciding.
Context and false positives
An indirect exposure is not equivalent to identity or guilt. Client activity, counterparty, relative amount, time, hops, identified service and explanations must be considered. Escalation may conclude to continue, request information, limit, reject or analyze a report; each result needs a rationale.
Traceability is linked to the bank and to KYC. A clean on-chain transfer does not explain the economic origin of pesos, and a matching bank name does not prove control of a wallet.
What to review
Define a matrix of categories and actions, second-line review for critical cases, evidence retention and periodic testing of the provider. Do not publish scores or disclose information that could constitute tipping-off.
Legal basis
LFPIORPI, FATF: quick guide on VA/VASP risks and FATF VA/VASP 2025.
How to put it into practice
On-chain evidence package. This piece must prove that the hash retains sufficient context to reconstruct the legal and operational decision.
- record network and asset.
- capture addresses.
- retain date and block.
- link the internal order.
- archive the risk analysis.
- document the final disposition.
The review must proceed from recording network and asset, contrast it with retaining date and block, and end in documenting the final disposition without filling gaps with assumptions. The result returns to design if capturing addresses does not match linking the internal order or if archiving the risk analysis lacks verifiable support.
The file must show first record network and asset; then capture addresses; and finally archive the risk analysis, preserving the relationship among the three steps. If a network reorganization, change of explorer, asset, label or analytics provider appears, the conclusion no longer covers the active version and is reviewed before the next operation.
PEP and virtual assets: enhanced risk without automatic rejection
Observed pattern. PEP status activates enhanced assessment and monitoring, not an automatic rejection without analysis.
The analysis includes domestic and foreign PEPs, family members and related persons in accordance with the applicable framework. It must consider position, jurisdiction, timing, exposure to public procurement, reliable adverse media and the structure used to operate. The results are documented with sources and date.
The transactional layer
In stablecoins, what matters is whether undeclared wallets or companies, high-risk brokers, third-party payments, frequent changes or opacity services are used. No signal is assessed in isolation. The firm compares against the profile and requests a proportional explanation.
The decision must be reviewable: accept with limits, enhanced monitoring and more frequent updating; or reject on a risk basis. Avoid informal rules based solely on nationality or position.
What to review
Assign a case owner, senior approval, a review schedule, specific alerts and evidence of source. Names are re-screened periodically and upon events. Access to the files is restricted.
Legal basis
CNBV: PLD/FT and PEP guides, LFPIORPI and FATF VA/VASP 2025.
How to put it into practice
PEP decision sheet. This piece must prove that the relationship is approved, conditioned or rejected through documented and proportional analysis.
- confirm match and identity.
- describe the public function.
- analyze country and timing.
- review source of wealth.
- obtain enhanced approval.
- define monitoring and review.
The review must proceed from confirming the match and identity, contrast it with analyzing country and timing, and end in defining monitoring and review without filling gaps with assumptions. The result returns to design if describing the public function does not match reviewing source of wealth or if obtaining enhanced approval lacks verifiable support.
The file must show first confirm the match and identity; then describe the public function; and finally obtain enhanced approval, preserving the relationship among the three steps. If a new position, family member, associate, country or adverse information appears, the conclusion no longer covers the active version and is reviewed before the next operation.
LPB, sanctions and wallet screening: distinct controls
Observed pattern. LPB, international sanctions and on-chain analysis are distinct controls with their own sources, decisions and evidence.
The policy defines official sources, frequency, exact or potential match, escalation and actions. For wallets it adds network, provider, categories and timing of the screening. It also establishes what happens to an operation in progress and how to avoid disclosing a protected analysis or report.
Do not mix regimes
The Mexican LPB, foreign lists and commercial policies may produce distinct obligations or risks depending on entity and broker. The contract may allow rejection on broader sanctions, but the file must identify the basis used. "It is blocked" is an insufficient conclusion.
When a match appears after onboarding, balances, operations and relationships are reconstructed. The reaction must preserve evidence, access and decision times.
What to review
A case engine with source, version, compared data, analyst, resolution and approver; periodic and event-driven rescreening; false-positive and coverage testing. Lists and rules are updated without relying on manual spreadsheets.
Legal basis
CNBV: PLD/FT framework, LFPIORPI and FATF VA/VASP 2025.
How to put it into practice
Screening matrix by layer. This piece must prove that each alert retains source, scope, decision, approver and the corresponding action.
- separate the Mexican LPB.
- separate foreign sanctions.
- record on-chain analysis.
- resolve false positives.
- escalate real matches.
- document blocking, rejection or continuation.
The review must proceed from separating the Mexican LPB, contrast it with recording on-chain analysis, and end in documenting blocking, rejection or continuation without filling gaps with assumptions. The result returns to design if separating foreign sanctions does not match resolving false positives or if escalating real matches lacks verifiable support.
The file must show first separate the Mexican LPB; then separate foreign sanctions; and finally escalate real matches, preserving the relationship among the three steps. If a list update, provider, on-chain rule or match appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Transactional profile and alerts in stablecoins
Observed pattern. Useful alerts compare observed conduct with purpose, volume, counterparties, brokers and wallet risk.
Alerts may observe structuring, fiat-crypto-fiat velocity, third-party payments, wallet changes, multiple jurisdictions, exposure to opacity services, incompatible activity or circular patterns. They must be calibrated to the product; copying banking rules without context generates noise.
From alert to case
The alert only opens a question. The analyst reviews KYC, history, bank, blockchain, explanation and documentation. The decision may close with a basis, update the profile, apply limits, terminate the relationship or evaluate a filing/report. The system retains evidence and times.
Effectiveness is measured: coverage, false positives, aged cases, scenarios without data and feedback. Exact thresholds are sensitive information and must not be published.
What to review
A versioned catalog with purpose, data, logic, severity, owner and testing. Validation before production and documented tuning. The committee receives aggregate metrics, not unnecessary personal details.
Legal basis
FATF: quick guide on VA/VASP risk, FATF VA/VASP 2025 and LFPIORPI.
How to put it into practice
Profile and scenarios sheet. This piece must prove that alerts compare actual behavior against documented purpose and limits.
- define expected volume.
- record frequency and assets.
- identify countries and counterparties.
- incorporate accounts and wallets.
- calibrate scenarios.
- measure resolution and recurrence.
The review must proceed from defining expected volume, contrast it with identifying countries and counterparties, and end in measuring resolution and recurrence without filling gaps with assumptions. The result returns to design if recording frequency and assets does not match incorporating accounts and wallets or if calibrating scenarios lacks verifiable support.
The file must show first define expected volume; then record frequency and assets; and finally calibrate scenarios, preserving the relationship among the three steps. If a deviation in volume, frequency, broker, counterparty or wallet risk appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Filings and reports: an audit-ready decision file
Observed pattern. The file must make it possible to reconstruct data, analysis, approval, submission, acknowledgment and any subsequent correction.
For virtual assets it must connect client, operation, consideration, account, wallet, hash and period. It also records zero reports where applicable and retains evidence that the universe truly was zero, not that the system omitted data.
Validity control
The 2025 LFPIORPI reform and the transition of rules make it essential to version parameters. A threshold found on an old page must not be coded without checking against the law, rules, portal and applicable UMA. The file retains the source used for each period.
Modifications are made by procedure; the original file is not deleted. Discrepancies between the operation and the XML/template feed remediation of the system.
What to review
A signed monthly reconciliation between the subledger and the reportable universe, a quality checklist, acknowledgments, an error log, backup and restricted access. Audit selects samples from the universe, not only from what was submitted.
Legal basis
SPPLD Portal, SAT: virtual assets and formats and LFPIORPI in force.
How to put it into practice
Filing and report index. This piece must prove that a reviewer can reconstruct source data, analysis, approval, submission and acknowledgment.
- retain the base operation.
- document the reporting rule.
- archive analysis and narrative.
- record the approver.
- link the submitted file and acknowledgment.
- control corrections and follow-up.
The review must proceed from retaining the base operation, contrast it with archiving analysis and narrative, and end in controlling corrections and follow-up without filling gaps with assumptions. The result returns to design if documenting the reporting rule does not match recording the approver or if linking the submitted file and acknowledgment lacks verifiable support.
The file must show first retain the base operation; then document the reporting rule; and finally link the submitted file and acknowledgment, preserving the relationship among the three steps. If a correction, late submission, change of criterion or new information appears, the conclusion no longer covers the active version and is reviewed before the next operation.
Dossier closing
An identification policy cannot be transferred intact to another product without reviewing users, channels, data and reporting obligations. Closing requires a file index, escalation rules and samples that demonstrate traceability among alert, decision and filing.
Back to the Stablecoins and Blockchain hub.
Next step
SVA.LAW can review KYC, Travel Rule, wallets and traceability in stablecoins within the concrete model and turn the Stablecoins and Blockchain analysis into decisions, responsible parties and implementation evidence. Start a conversation.