Money Transmitters and Payments

Agents, correspondents, intercompany, and contracts

In brief

The contractual label does not determine the regime. What matters is whether the third party receives or delivers funds, interacts with the user, makes compliance decisions, or merely provides technology and support. The entity retains regulatory responsibility even when it outsources execution.

Contractual map of agents, intercompany services, and providers.
Boundary between entity, agent, affiliate, and provider with reserved functions; the illustration is indicative and the regulatory content remains in the reviewed text.

Contents: ten microblogs

Map of decisions and controls

Map of decisions and controls. Columns: Topic, Risk it resolves, and Minimum evidence.
Topic Risk it resolves Minimum evidence
Related agent or provider: classification by function Classification depends on whether the person receives funds from the transmitter to deliver them to the beneficiary and on how the entity intervenes. Interview the operation and observe the flow.
Annual notice of related agents: file and acknowledgment The official agreement provides for the CO to submit, within the first fifteen business days of January, the list of agents and third parties in the designated format and channel. Freeze the universe as of a defined date.
Functions that must not be diluted when hiring third parties Even if a third party performs tasks, the transmitter retains responsibility for agent operations and for compliance with Article 95 Bis. Expressly reserve regulatory decisions.
Limits of intercompany services in a regulated entity Belonging to the same group does not eliminate documentation, confidentiality, security, conflicts, or supervision. Create a detailed catalog of services.
Intercompany MSA: annexes and SLAs that actually work The master agreement must be supported by service orders with scope, deliverables, levels, metrics, price, data, continuity, audit, and termination. Define metrics by service and risk.
Intercompany charges: scope, support, and exclusions The consideration must correspond to real and distinguishable services, with an allocation method and support. Document method, basis, and frequency.
Foreign support and user data Before granting access, the data controller, processor or third party, purposes, transfers, security measures, and subcontracting must be defined. Apply least privilege and masking.
Audit right over critical providers The clause must allow access to information, personnel, systems, and subcontractors in proportional scope, in addition to cooperating with authorities. Distinguish routine audit from incident audit.
Exit plan for a critical provider Termination must allow exporting complete data, maintaining service during the transition, revoking access, destroying copies, and transferring knowledge. Define the exit package and format.
Contract with the user: operation, fee, and responsibility The contract must explain instruction, acceptance, funding, exchange rate, fee, delivery, cancellation, refunds, limits, data, and claims. Use the same statuses in the contract and the product.

Implementation method

Classify each third party by activity, access to funds, access to data, and decision-making capacity. Turn that classification into service annexes, service levels, audit right, continuity, subcontracting, and orderly exit.


Related agent or provider: classification by function

Decision point

Classification starts from the actual function: receiving or delivering funds, promoting, capturing data, operating technology, or deciding on compliance. Access to funds, interaction with the user, and instruction capacity weigh more than the label. The contract is corrected so that its object, controls, and supervision reflect that reality.

Checklist

  1. Interview the operation and observe the flow.
  2. Classify access to funds, data, and decisions.
  3. Review the label, object, and annexes of the contract.

Observed pattern

In an anonymized map, the third party called a "consultant" also coordinated deliveries; the actual function required redesigning the contract and controls.

How to put it into practice

Observe the third party carrying out an operation and compare it with their contract. Record whether they touch funds, data, the user, or decisions. Classify each function by regime and control. If the model changes, update it before operating. Payments and invoices help identify services that were not inventoried. The entity keeps a single list across procurement, legal, and compliance. The contractual designation is only defensible when it matches the acts and the supervision actually exercised.

Stress test

Compare two third parties: one that only hosts infrastructure and another that receives instructions or attends users. Contract, interface, and practice determine the function, not the commercial name. The classification must detail powers, contact with funds, use of the brand, and decision-making capacity. If the provider changes activity during the relationship, trigger a reassessment instead of keeping the initial label.


Annual notice of related agents: file and acknowledgment

Decision point

The annual notice is prepared by reconciling contracts, payments, operations, and compliance records. The universe is frozen as of a date, agents and third parties are classified, and the XML is generated with independent review. The CO keeps the file, hash, and acknowledgment because the submission cannot be reconstructed solely from a working list.

Checklist

  1. Freeze the universe as of a defined date.
  2. Reconcile legal, procurement, operations, and payments.
  3. Keep the XML, hash, and electronic acknowledgment.

Observed pattern

In an anonymized preparation, procurement had contracts that compliance had not classified; reconciliation prevented omissions from the listing.

How to put it into practice

Extract active contracts and compare them with operations and payments. Confirm the name, identifier, function, and third parties of each agent. Resolve duplicates before generating the XML. Freeze the universe and document later additions for the next event. Carry out separate technical and legal validation. Keep the exact file and the acknowledgment. The responsible party must be able to explain why a person was included or excluded without relying on a list maintained by another area.

Stress test

Maintain an annual cutoff with additions, removals, function changes, and active periods. Each row links the contract, the assessment, and the data required for the notice. Before submitting, reconcile the list against payments, access, and internal owners to uncover omitted third parties. The acknowledgment is associated with the exact version; a later modification is kept as a separate event and does not rewrite the reported cutoff.


Functions that must not be diluted when hiring third parties

Decision point

The entity may outsource execution, but it must retain direction, access, decision-making, and supervision over AML/CFT. The contractual catalog reserves acceptance, exceptions, reports, and response to authority; the provider delivers data and evidence within the deadline. Indicators make it possible to detect that the function has not been emptied of content.

Checklist

  1. Expressly reserve regulatory decisions.
  2. Require evidence and immediate access.
  3. Supervise performance with indicators and sampling.

Observed pattern

In an anonymized MSA, the provider prepared analyses and also approved exceptions without an authority matrix from the entity.

Frequent risk

Allowing the provider to approve its own exceptions leaves the entity without effective control over the obligation.

How to put it into practice

List the decisions that remain with the entity and the tasks the provider performs. For each one, define access, evidence, and delivery time. Test an exception and an urgent request. The transmitter must be able to replace the third party without losing cases or data. Indicators review quality, not only volume. If the affiliate prepares analyses, someone local approves them with sufficient information. Responsibility is retained through the real capacity to direct and to question.

Stress test

Take an alert decision and trace who set the rules, who analyzed, who approved, and who reported. The third party may perform tasks, but the entity must retain judgment, supervision, and access to evidence. If the contract allows subcontracting, review that chain as well. A responsibility matrix that does not match system permissions or daily practice produces a delegation that is only apparent.


Limits of intercompany services in a regulated entity

Decision point

The affiliate must have a defined service, not a generic authorization to operate the Mexican entity. Personnel, systems, data, subcontractors, decisions, and local supervisory capacity are identified. The agreement also addresses confidentiality, continuity, and cooperation in the face of requirements.

Checklist

  1. Create a detailed catalog of services.
  2. Identify data, systems, and subprocessors.
  3. Maintain local capacity to direct and audit.

Observed pattern

In an anonymized agreement, broad categories such as "operations" concealed compliance and customer-support functions; disaggregating them made it possible to assign owners.

Frequent risk

Belonging to the group does not eliminate data transfers, conflicts, or the need to demonstrate who performed each task.

How to put it into practice

Break the intercompany service down by process, system, and personnel. Identify which data crosses the border and who authorizes access. Establish metrics and evidence for each deliverable. The local entity maintains the knowledge to supervise and respond. Review subcontractors and conflicts. Upon termination, ensure portability and support. The economic group facilitates coordination, but it does not replace a contract nor by itself demonstrate that the regulated company retains effective direction.

Stress test

Examine a group instruction that asks the foreign provider to suspend a user. Determine whether it acts as support in accordance with documented criteria or exercises regulatory discretion. Corporate power of attorney, MSA, and manual must assign the decision to the correct entity. Shared services can contribute technical capacity, but they must not turn the provider into a compliance body without the applicable appointment and responsibility.


Intercompany MSA: annexes and SLAs that actually work

Decision point

The MSA becomes operational through service orders with deliverables, metrics, prices, security, and regulatory support. Uptime does not measure KYC quality, data accuracy, or timely delivery of logs. Each SLA has a source, calculation method, remedy, and escalation between local and foreign responsible parties.

Checklist

  1. Define metrics by service and risk.
  2. Add deadlines for evidence and cooperation.
  3. Provide for credits, remediation, and escalation.

Observed pattern

In an anonymized MSA, the technical annex measured uptime but not the delivery of evidence for requirements; a regulatory SLA was added.

Frequent risk

A catalog that only says operations or technology makes it impossible to know what evidence the affiliate must deliver.

How to put it into practice

Each service order must indicate outcome, frequency, source, and price. Design metrics for KYC quality, alerts, and evidence, in addition to availability. Align time zones and escalation clocks. Test how a request from an authority is handled. Service credits do not replace remediation. Keep performance reports and meetings. A useful SLA makes it possible to decide whether the service complies and what happens when incorrect data affects a regulatory obligation.

Stress test

Use a high-severity incident to read the MSA. The affected service, response time, escalation, access to records, cooperation, and recovery must appear, with consistent annexes. Then compare the text with a real ticket. An SLA expressed only as an availability percentage does not cover investigation, compliance, or restoration of the data needed to explain an operation.


Intercompany charges: scope, support, and exclusions

Decision point

Intercompany charges must correspond to real, measurable services allocated with a consistent method. Personnel, licenses, infrastructure, and extraordinary items are separated, and fines or the affiliate's own losses are excluded. Invoice, service order, and metric are reconciled to prove substance and approval.

Checklist

  1. Document method, basis, and frequency.
  2. Exclude fines, willful misconduct, and unauthorized costs.
  3. Reconcile the invoice with services and metrics.

Observed pattern

In an anonymized review, a global fee included personnel, licenses, and extraordinary costs with no allocation rule; separating the components made the charge auditable.

Frequent risk

A global fee without a basis may shift costs the entity never received or was not authorized to assume.

How to put it into practice

List the components of the charge and the allocation basis. Compare personnel, licenses, and actual usage with the invoice. Exclude penalties, duplicates, and unrequested services. Approve extraordinary items before incurring them. Keep fiscal and operational evidence consistent. Review whether the price incentivizes volume over quality. Reconciliation must allow a third party to recalculate the amount and locate the associated deliverable, preventing a global fee from concealing critical functions or the affiliate's own losses.

Stress test

Select a monthly charge that mixes licenses, personnel, and development. Separate each component, its allocation basis, and the benefited entity, and link it to deliverables. The support must make it possible to exclude activities not contracted or reserved. A global invoice paid regularly proves an outlay, but it does not evidence scope, reasonableness, or that the regulated company received the declared service.


Foreign support and user data

Decision point

Foreign remote access is data processing even if there is no download. Role, purpose, transfers, subprocessors, location, security, and revocation are defined; the view is then limited to what is necessary. The privacy notice and the contract must match the technical access matrix.

Checklist

  1. Apply least privilege and masking.
  2. Document transfers and subprocessors.
  3. Record access, purpose, and revocation.

Observed pattern

In an anonymized flow, support viewed complete files to resolve interface errors even though it only needed technical identifiers.

Frequent risk

Giving support complete files to resolve an interface error violates minimization and unnecessarily broadens the potential incident. The permissions matrix must prove that support only viewed the fields needed to resolve the ticket.

How to put it into practice

Build a matrix of fields visible by support profile. Test that masking and restrictions work from abroad. Record ticket, purpose, time, and revocation. The contract covers subprocessors and incidents; the privacy notice reflects the applicable transfer. Avoid using complete production data in tests. A review must demonstrate that support only accessed what was necessary and that any export was controlled, encrypted, and deleted in accordance with the instruction.

Stress test

Test a ticket to which a user identification is attached. Verify the storage region, the foreign team's access, download, retention, and deletion. The actual flow must match the contract and the privacy notice, including subprocessors. If the solution allows resolution with masked data, that configuration is preferable; operational convenience does not justify full exposure by default.


Audit right over critical providers

Decision point

The audit right must cover evidence, personnel, systems, and subcontractors, with a routine channel and another for incidents or requirements. Notice, confidentiality, costs, and remediation are agreed without allowing the provider a discretionary veto. For payments, the scope includes fraud, chargebacks, PCI, and assigned AML controls.

Checklist

  1. Distinguish routine audit from incident audit.
  2. Guarantee access to evidence and subprocessors.
  3. Regulate costs, confidentiality, and remediation.

Observed pattern

In an anonymized contract, the audit could only take place once a year with long notice, even after an incident; an extraordinary channel was created.

Frequent risk

An annual audit with prolonged notice is of no use when there is an active breach or an authority deadline.

How to put it into practice

Define the audit scope by risk and event. The extraordinary channel is triggered by fraud, a breach, or a requirement without waiting for the annual visit. Include subprocessors, logs, and relevant personnel. Agreeing on confidentiality must not prevent the delivery of evidence. Record findings and correction date, with the right to validate. In payments, test a chargeback and an AML control. The clause works when it produces timely access and verifiable remediation, not merely when it grants an abstract power.

Stress test

Trigger the audit right through a concrete request for logs and an interview with the provider's responsible party. Measure the deadline, format, and restrictions received. If the clause only allows generic certifications, assess whether it is enough to investigate the contracted risk. The file keeps the request, response, finding, and remediation, demonstrating that the right is exercisable and not a decorative phrase.


Exit plan for a critical provider

Decision point

An orderly exit defines the data package, format, rules, attachments, logs, assistance, and transition period. Before terminating, an export is tested and it is verified that another team can reconstruct cases. At closing, access is revoked and the deletion of copies not retained is certified.

Checklist

  1. Define the exit package and format.
  2. Test migration before a crisis.
  3. Ensure assistance, deadline, and certified deletion.

Observed pattern

In an anonymized plan, the provider could deliver CSV files but not rules, logs, or attachments; reconstructing the file would have been impossible.

Frequent risk

Receiving only a CSV of operations may leave behind decisions, versions, and evidence needed for AML.

How to put it into practice

Specify formats, dictionary, attachments, rules, and logs of the exit package. Run an early export and reconstruct several cases. Define assistance, costs, and coexistence period. Access revocation occurs after validating migration. Require a deletion certificate with identified legal exceptions. The plan must cover operational knowledge, not only data. An orderly termination makes it possible to continue reporting and service without depending on the previous provider's tools or personnel.

Stress test

Assume an immediate termination while there are pending operations and data on the platform. The plan must prioritize continuity, verifiable export, access revocation, and subsequent destruction, with responsible parties on both sides. Test that the exit format can be loaded into the alternative. Having a list of substitute providers is not enough if keys, documentation, or time to migrate are missing.


Contract with the user: operation, fee, and responsibility

Decision point

The contract with the user must use the same statuses as the product and support: received, funded, accepted, sent, delivered, rejected, or refunded. It explains fee, FX, limits, data, cancellation, and claim. The provider's obligations are distinguished from the transmitter's responsibility toward the customer.

Checklist

  1. Use the same statuses in the contract and the product.
  2. Show price and exchange rate before confirming.
  3. Define evidence and the claim channel.

Observed pattern

In an anonymized form, the definition of "completed operation" did not match the system; aligning statuses reduced disputes over timing.

Frequent risk

Defining a completed operation differently in the contract and the ledger generates disputes that are impossible to reconcile.

How to put it into practice

Compare the contractual terms with the statuses visible in the application and support. Define the moment of acceptance, the possibility of canceling, and the treatment of refunds. Break down price and FX before confirming. Keep the consent to the applicable version. Test a claim from reference to resolution. The provider's limitations must not eliminate the transmitter's responsibility. The contract works when the user and the operation describe the same sequence and offer sufficient evidence to correct an error.

Stress test

Reconstruct a disputed refund from the contract and the prior screen through to the receipt and user support. It must be clear who executes, when the instruction is considered accepted, what fee applies, and what happens in the event of an error. If partners are involved, internal responsibility limitations cannot produce contradictory messages toward the person who contracted the service.


Next step

SVA.LAW can review Agents, correspondents, intercompany, and contracts within your specific model and turn the analysis of Money Transmitters and Payments into decisions, owners, and implementation evidence. Start a conversation.