The fight against money laundering has long been a challenging one for authorities in Mexico, who have struggled to prevent crime syndicates and cartels from using the country’s financial system to wash their illicit funds.
In recent years, there has been a concerted effort to align Mexico’s anti-money laundering (AML) requirements with the Financial Action Task Force’s (FATF) recommendations and international standards. Naturally, this has resulted in modernizing and updating the nation’s Know Your Customer (KYC) regulations.
Below, we discuss the importance of KYC in Mexico and take a closer look at the country’s KYC laws and requirements. We also outline key considerations for implementing a KYC program that are compliant with Mexican law and answer other commonly asked questions.
What is KYC?
KYC stands for Know Your Customer and refers to the actions businesses take to ensure their customers are who they claim to be. Most countries’ anti-money laundering (AML) regulations include KYC requirements.
Generally, KYC consists of three key components: identity verification (IDV), customer due diligence (CDD), and transaction monitoring.
Mexico, like many countries, shapes its AML and KYC requirements around the FATF’s 40 recommendations. Given the country’s unique challenges, which we speak about below, there are nuances specific to Mexico that are helpful to understand when designing a KYC/AML strategy.
Importance of KYC in Mexico
Fighting money laundering
According to a 2021 report by the U.S. Department of State, “Illicit actors launder billions of dollars of drug trafficking proceeds through the Mexican financial system annually. Corruption, bulk cash smuggling, extortion, fuel theft, fraud, human smuggling, and trafficking in persons and firearms serve as sources of additional funds laundered through Mexico.” Using KYC to catch money launderers has the potential to stem a wider range of criminal activities.
KYC requirements help combat money laundering in a number of ways. To understand how, it’s helpful to take a look at the three prongs of a comprehensive KYC program:
- Identity verification: Verifying a customer’s identity upon account creation makes it more difficult for criminals to open fraudulent or shell accounts. When legitimate IDs are used, a paper trail is created and can be used by regulators for audits and investigations. The information collected during IDV can also be used to identify suspiciously linked accounts in the future through link analysis, a data science technique used to uncover fraud rings and bad actors.
- Customer due diligence: CDD reviews help fill in a customer’s risk profile, including how likely they are to engage in money laundering. Those deemed to carry more risk may be subject to heightened scrutiny or denied services outright.
- Transaction monitoring: Per the U.S. Department of State report, structured cash deposits are a key way that criminals introduce illicit funds into Mexico’s financial system. Monitoring customer transactions remains one of the most efficient means of identifying this and other suspicious activity.
Increasing financial access
According to the 2021 National Survey of Financial Inclusion, only 49% of adults in Mexico have a bank account, and even fewer (33%) have access to a credit card.
While there are many contributing factors, a major one is distance. Many of Mexico’s unbanked population live in remote or rural regions, where in-person banking is challenging.
Electronic KYC (eKYC) is increasingly making it possible for financial institutions to comply with AML regulations while concurrently enabling more of Mexico’s population to participate in the country’s financial system via online banking and other applications.
KYC regulators in Mexico
In Mexico, AML and KYC compliance are supervised and regulated by a number of different government agencies, depending on the nature of the business.
Designated Non-Financial Businesses and Professions (DNFBPs) — nonfinancial businesses deemed to be susceptible to money laundering due to the nature of their business and transactions — are regulated by the Tax Administration Service (Servicio de Administración Tributaria (SAT)). In Mexico, trust services are the only DNFBP for which AML measures apply.
Retirement fund managers are regulated by the National Commission of the Retirement Savings System (Comisión Nacional del Sistema de Ahorro para el Retiro (CONSAR)).
Bond institutions, surety institutions, and mutual surety companies are regulated by the National Insurance and Bond Commission (Comisión Nacional de Seguros y Fianzas (CNSF)).
All other financial institutions in Mexico fall under the purview of the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores (CNBV)). This includes, but is not limited to:
- Commercial banks
- Development banks
- Brokerage firms
- Investment fund operators (SOFI)
- Investment advisors
- People's finance corporations (SOFIPOS)
- Community finance corporations (SOFICO)
- Savings and loan corporate societies (SOCAPS)
- Credit unions
- Exchange houses and centers
- General warehouse companies
- Money remittance service providers
In order to better understand Mexico’s KYC requirements, let’s take a look at the laws and memberships that influence them.
Mexico’s KYC and AML laws
Mexico's AML law — the Federal Law for the Prevention and Identification of Transactions with Resources of Illicit Origin — was passed in 2012 and went into effect in 2013. It applies to individuals and businesses in Mexico, as well as foreign businesses that operate branches or subsidiaries in the country.
Interestingly, the law lists 15 “vulnerable activities,” in addition to financial services, to which the tenets of the law apply. These include:
- Gambling games, contests, or sweepstakes.
- Services cards or credit (including prepaid cards).
- Traveler's checks.
- Operations by mutual, guarantee, credit, or loan.
- Construction services and the development of real estate.
- Marketing or brokering of precious metals, gems, and watches.
- Auctions or marketing of works of art.
- Marketing of new or pre-owned vehicles.
- Armored delivery services using new or used vehicles.
- Relocation services or custody of money or securities.
- Professional independent services related to buying, selling, advising, or otherwise managing a business or assets.
- Notaries and messengers.
- Receipt of donations by associations or nonprofit corporations.
- Foreign trade services.
- Use or enjoyment of real estate.
Each of these services is subject to its own transaction limit under the law. If a company offers these services to customers and the transaction meets the limit, it triggers the need for KYC, beneficial ownership checks and verification, record keeping, and reporting.
The law was amended in 2018 to add services related to digital assets and cryptocurrencies. This makes cryptocurrency exchanges, digital wallet providers, and other crypto service-related businesses subject to Mexico’s AML and KYC requirements.
Additionally, the Law to Regulate Financial Technology Institutions (also known as the Fintech Law) was passed in 2018 and officially made fintech companies subject to AML and KYC compliance.
Mexico’s KYC requirements
Under Mexico’s AML law, financial institutions and any other business offering vulnerable activities to customers must comply with the law’s KYC requirements.
For individuals
Before providing regulated services to a customer, businesses must first verify the identity of any individual seeking to open an account. At a minimum, this includes collecting and verifying the following information:
- Name
- Date of birth
- Nationality
- Residential address
- Taxpayer registration code (RFC)
- Telephone number
- Email address
Verification typically involves a combination of government ID verification (driver’s license, passport, residency card, visa, etc.) and document verification (proof of address, visa, taxpayer identification number), and a minimum of two identification documents must be collected. Likewise, database verification can be used to screen individuals against politically exposed persons (PEPs) and sanctions lists.
When a customer is onboarded digitally for certain types of accounts, banks are required to perform a video interview (video KYC) to ensure that the individual opening the account matches the face appearing on the uploaded ID document.
As of 2017, biometric verification is also required whenever an individual seeks to open an account with a bank or credit institution. In these instances, the institution is required to collect an applicant’s fingerprints and verify them against those contained within the National Electoral Institute’s (INE) records. In order to mitigate the risk of identity theft, any time a customer attempts to complete a withdrawal or transfer of at least 1,500 investment units (frequently abbreviated as UDIs and created in response to 1995’s Mexican Peso Crisis), their fingerprints must be collected and reverified.
In cases where an individual is not registered to vote (and therefore does not have their fingerprints on file), a different government ID verification, document verification, and video verification will suffice.
For corporations
When the customer is a corporation or organization, the following information must be collected and verified:
- Corporate name
- Nationality
- Taxpayer registration code (RFC)
- Serial number of advanced electronic signature
- Address
- Telephone number
- Date of formation
- Email address
Beneficial owners must also be identified and verified according to the process above.
Automated KYC for businesses with Persona
Building a KYC program that is compliant with Mexico’s AML laws and regulations is paramount for any financial institution seeking to do business in the country. Persona’s flexible and customizable identity solutions are designed to empower you to build the KYC program that you need — regardless of jurisdiction.
With Verifications, you can incorporate a number of methods into your strategy:
- Government ID verification: Decide which IDs you’ll accept for IDV, including drivers licenses, passports, temporary or permanent residence cards, and more.
- Document verification: Determine the documents you’ll accept for address verification, such as a recent utility bill, legal proof, or other documents.
- Selfie verification: Collect selfies for liveness detection during onboarding and reverification.
Further enrich your understanding of customer risk with Reports, which enables you to cross-check against PEP databases, sanctions lists, and watchlists. You can also conduct adverse media checks and phone/email risk checks.
Take advantage of automation with Workflows to scale your verification strategy in a resource-efficient manner.
Use Graph, our link analysis tool, to understand how accounts are linked together via shared account details and transaction activity. Uncover risky account connections and potential fraud rings in a data-driven and automated manner.
Interested in learning more? Learn how Brex uses Persona to complete identity verification and comply with KYC requirements in more than 100 different countries. Start for free or get a demo today.