What Mexico’s RFC waiver means for identity verification in banking
In April 2026, Mexican President Claudia Sheinbaum announced that individuals will no longer need a Federal Taxpayer Registry (RFC) number to open an N2 or N3 bank account.
As the country continues its transition to cashless payments, this move has the potential to bring more than 32 million unbanked, informal workers into the financial system. But it doesn’t come without risk. Financial institutions need to understand how these reforms may inadvertently increase money laundering and other forms of fraud within the country — and have a plan for mitigating those risks.
Below, we take a closer look at how Mexico’s banking system is structured and the impact of removing the RFC number requirement for N2 and N3 accounts. We also cover the identity verification and anti-fraud measures financial institutions should have in place to combat money laundering and other financial crimes.
Note: As of April 2026, President Sheinbaum has issued guidance directing banks to stop requiring RFC numbers for N2 and N3 accounts. The CNBV and Banxico are expected to issue formal policy memorandums to codify this directive into their respective regulatory frameworks.
What is the RFC’s current role in Mexican banking?
In Mexico, a person’s Federal Taxpayer Registry (RFC) number functions similarly to a Social Security number in the US. Issued by the country’s tax administration service (SAT), it serves several functions:
Employers use employees’ RFC number to report the income taxes they’ve withheld from worker paychecks.
Businesses and self-employed individuals use their RFC number to report business income and expenses.
Individuals use their RFC number as a unique identifier when applying for a job, buying or registering a vehicle, purchasing property, opening a bank account, and more.
Because the RFC is a unique identifier, it plays an important role in Mexico’s Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements. In banking specifically, it’s used in conjunction with other information and evidence to verify a person’s identity — though how it’s used and when it is and isn’t required depend on the type of account being opened.
Mexico’s tiered account system explained
In 2011, Mexico implemented a tiered bank account framework. Spearheaded by the National Banking and Securities Commission (CNBV), Secretariat of Finance and Public Credit (SHCP), and the Bank of Mexico (Banxico), this framework applied a risk-based approach to AML, organizing bank accounts into four tiers.
Accounts deemed to carry a lower risk of money laundering and fraud due to lower monthly deposit limits and capped transactions were easier to open and required less evidence during the KYC and AML process.
Tier | Level 1 (N1) | Level 2 (N2) | Level 3 (N3) | Level 4 (N4) |
Description | An entry-level, almost anonymous account | A named, simplified account | Intermediate account | Full-service account |
Who it’s for | Beginners, youth, very simple use cases | Informal workers, low-income earners, first-time banked citizens | Higher-frequency users, small business operators, gig workers | Business clients, high-income individuals, enterprises |
Monthly deposit limit | 750 UDIs (~6,600 MXN / ~$330 USD) | 3,000 UDIs (~26,400 MXN / ~$1,320 USD) with higher allowances for government subsidies | 10,000 UDIs (~88,000 MXN / ~$4,400 USD) | No limit |
KYC requirements | Name, gender, and date of birth (entity of birth also required for remote account openings) | Full name, date of birth, official ID, home address, Unique Population Registry Code (CURP) | Full name, date of birth, official ID, home address, phone, email, CURP | All N3 requirements + additional documentation, cross-referenced against valid ID |
Can it be opened remotely? | Yes | Yes | Sometimes (depends on the bank) | Sometimes — remote opening is permitted for banks that meet CNBV's advanced digital verification requirements (Article 4 Ter); otherwise, an in-person branch visit is required |
Is an ID required? | No | Yes | Yes | Yes |
Is RFC number required? | No | No (though many banks asked for it in practice) | No (though banks often collected it when available) | Yes |
What’s changed: Understanding the RFC waiver
Under President Sheinbaum's announced reforms, banks will no longer be permitted to require an RFC number to open an N2 or N3 account. While a formal regulatory amendment is still pending, banks have been directed to comply.
This aims to remove a significant barrier for the millions of workers who don't have an RFC number. While N4 (full service) accounts still require an RFC number, under the reforms, it will be possible to open an N1, N2, or N3 account without it.
In the past, many banks asked individuals to first register with the country's Tax Administration Service (SAT) to acquire an RFC number before they could open an N2 or higher bank account.

Under the announced reforms, individuals will be able to open a basic account without registering with the SAT or having an RFC number. If the individual registers in the future and acquires an RFC number, they can upgrade it to unlock higher deposit limits, transactions, and other features. The result: more people participate in Mexico’s banking system, and the unbanked population shrinks.

What’s still required despite the reforms
While Sheinbaum's announced reforms aim to make it easier for millions of Mexican workers to open a bank account, they don’t remove other AML or KYC requirements. Before granting an individual an account, banks and financial institutions must still perform:
Unique Population Registry Code (CURP) verification
Database verification against authoritative and issuing sources
Additionally, financial institutions must continue to meet other compliance requirements as enforced by the CNBV, Banxico, and Ley de Instituciones de Crédito (LIC).
Why identity verification matters more than ever
Removing the RFC as a barrier to opening N2 and N3 accounts increases the likelihood that bad actors will try to use the accounts to commit fraud, making other forms of identity verification and AML even more important during account creation.
Keep an eye out for these three fraud risks in particular:
Duplicate accounts
By design, N2 and N3 accounts require less proof of identity because they carry a lower risk of money laundering. Transaction and deposit limits cap how much a fraudster can launder through any single account. To circumvent this, criminals may attempt to open multiple accounts.
The implication: Preventing duplicate accounts from being created is only half the battle — financial institutions also need to catch any that slip through.
Synthetic identity fraud
Collecting multiple unique pieces of identity evidence (like a government ID, CURP, and RFC number) to open an account makes it more difficult for fraudsters to manufacture a synthetic identity to skirt your defenses. The announced removal of the RFC requirement takes away one of these pieces of evidence, increasing the likelihood that fraudsters will attempt to use synthetic IDs.
The implication: Financial institutions can’t rely on a single piece of evidence when verifying the identity of a customer, and they need a way of tying the evidence (e.g. an ID) to the person that’s submitting it.
Account takeover (ATO) fraud and identity mules
Just because a legitimate customer passes identity verification and opens an account doesn’t mean the threat of fraud is removed. Bad actors can engage in account takeover (ATO) fraud to hijack legitimate accounts. Alternatively, fraudsters can pay identity mules to open an account and turn it over to the fraudster.
The implication: Financial institutions need to consider a customer’s identity not only during the account opening process, but throughout the customer life cycle.
How financial institutions can adapt
Just because criminals are likely to exploit the announced removal of the RFC requirement doesn't mean you can simply refuse an account to customers without one. Preventing fraud on your platform requires a more comprehensive approach. Some strategies to consider include:
Build tier-appropriate verification flows
Because account types carry varying levels of risk and AML requirements, it’s important to design different verification flows for each type of account. That way, you’re tailoring how much friction a customer experiences based on the perceived level of risk associated with the account instead of applying the same high level of friction to all customers.
Here's one way to structure your flows:
Account type | Friction level | Verification types |
N2 | Streamlined but secure | Government ID verification; CURP database check; selfie verification |
N3 | Moderate friction | N2 verification + document verification; address verification |
N4 | Full KYC | N3 verification + RFC number verification; enhanced due diligence; beneficial ownership (business accounts) |
While it may sound burdensome to establish so many different verification flows, the effort is predominantly up front. Once the flows are established, you can use workflows to automate many of the processes.
Implement transaction monitoring
Transaction monitoring is a necessary part of any AML program. After all, monitoring customer transactions is how you’ll prevent customers from going past their limits. It’s also how you’ll identify suspicious activities that might indicate structuring, a key technique that can be used to launder money without exceeding account limits.
If you see that a customer is approaching their monthly limits, it can be a good idea to use in-app notifications to educate them not only on those limits but also to explain their options for upgrading their account.
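A minimal sketch of this monitoring, added here as an illustration (it is not Persona's code or any regulator's method): it totals deposits per account per month against the tier limits in the table above, marks accounts to notify, and flags accounts that land just under their cap in successive months. The thresholds, flag names and record layout are assumptions, and the N2 subsidy allowance is ignored.

```python
from collections import defaultdict

# Monthly deposit limits in UDIs, from the tier table on this page (N4: no limit).
TIER_LIMIT_UDI = {"N1": 750, "N2": 3_000, "N3": 10_000}
# Assumed thresholds for this example; tune them to your own risk policy.
WARN_RATIO = 0.80      # share of the limit at which to notify the customer
NEAR_CAP_RATIO = 0.90  # a month at or above this share counts as "near cap"
NEAR_CAP_MONTHS = 2    # near-cap active months in a row before flagging


def monthly_totals(deposits):
    """Sum deposits per (account, 'YYYY-MM'); a deposit is (account, date, udis)."""
    totals = defaultdict(float)
    for account, date, udis in deposits:
        totals[(account, date[:7])] += udis
    return totals


def review(deposits, tiers):
    """Return {account: set of flags} based on monthly use of the tier limit."""
    flags, streak = defaultdict(set), defaultdict(int)
    for (account, month), total in sorted(monthly_totals(deposits).items()):
        limit = TIER_LIMIT_UDI.get(tiers[account])
        if limit is None:  # N4 has no deposit limit to monitor against
            continue
        ratio = total / limit
        if ratio > 1:
            flags[account].add("limit_exceeded")
        elif ratio >= WARN_RATIO:
            flags[account].add("notify_upgrade_options")
        # Landing just under the cap month after month is a structuring signal.
        near_cap = NEAR_CAP_RATIO <= ratio <= 1
        streak[account] = streak[account] + 1 if near_cap else 0
        if streak[account] >= NEAR_CAP_MONTHS:
            flags[account].add("possible_structuring")
    return dict(flags)


# Constructed sample data: account ids, dates and amounts are made up.
TIERS = {"acct-A": "N2", "acct-B": "N2", "acct-C": "N3", "acct-D": "N4"}
DEPOSITS = [
    ("acct-A", "2026-05-03", 1_400), ("acct-A", "2026-05-20", 1_500),
    ("acct-A", "2026-06-02", 990), ("acct-A", "2026-06-15", 1_000),
    ("acct-A", "2026-06-28", 980), ("acct-B", "2026-05-10", 500),
    ("acct-C", "2026-06-01", 8_200), ("acct-D", "2026-06-01", 50_000),
]

if __name__ == "__main__":
    for account, found in sorted(review(DEPOSITS, TIERS).items()):
        print(account, sorted(found))
```

A per-account view like this misses deposits spread across several accounts held by one person, so in practice the same totals should also be computed per verified identity.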
Use link analysis to surface fraud rings
Identity verification is integral to your AML processes, but it can't protect against all fraud types. If criminals take control of accounts opened by legitimate customers, for example, identity verification in and of itself won't necessarily help you spot it. Link analysis, which helps you understand how accounts in your system are connected to one another, can fill that gap.
If accounts share suspicious connections or attributes, it could signal a fraud ring in your database. Flagging and surfacing those accounts means you can investigate them further to understand if the connections are benign or likely fraudulent.
For example, if multiple accounts share the same device fingerprint, it may indicate that a single person is using one device to access multiple accounts. Other attributes you might consider watching out for include:
Device ID
Government ID number
Image similarities
Browser fingerprint
IP address
Physical address
In other words, link analysis gives you a layer of protection against fraud that identity verification might otherwise miss.
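As an added illustration (not Persona's Graph or any product's implementation), the sketch below groups accounts that share an exact value for any of the attributes listed above, following links transitively with union-find, and returns the shared values as evidence for the investigator. Field names and sample records are assumptions; image similarity is left out because it needs fuzzy matching.

```python
from collections import defaultdict

# Attributes from the list above that this sketch links on (exact match only;
# image similarity would need a separate fuzzy comparison and is left out).
LINK_ATTRS = ("device_id", "gov_id_number", "browser_fingerprint",
              "ip_address", "physical_address")


def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def linked_clusters(accounts, min_size=2):
    """Return [(account ids, shared (attr, value) pairs)] for linked groups."""
    parent = {a["id"]: a["id"] for a in accounts}
    owners = defaultdict(list)  # (attr, value) -> account ids that have it
    for acct in accounts:
        for attr in LINK_ATTRS:
            if acct.get(attr):
                owners[(attr, acct[attr])].append(acct["id"])
    shared = {k: ids for k, ids in owners.items() if len(ids) > 1}
    for ids in shared.values():
        for other in ids[1:]:
            parent[find(parent, other)] = find(parent, ids[0])
    members, evidence = defaultdict(set), defaultdict(set)
    for acct_id in parent:
        members[find(parent, acct_id)].add(acct_id)
    for key, ids in shared.items():
        evidence[find(parent, ids[0])].add(key)
    return [(sorted(m), sorted(evidence[r]))
            for r, m in sorted(members.items()) if len(m) >= min_size]


# Constructed sample records; every id and value here is made up.
ACCOUNTS = [
    {"id": "A1", "device_id": "dev-1", "ip_address": "192.0.2.10"},
    {"id": "A2", "device_id": "dev-1", "ip_address": "192.0.2.44"},
    {"id": "A3", "device_id": "dev-7", "ip_address": "192.0.2.44"},
    {"id": "A4", "device_id": "dev-9", "physical_address": "Calle Uno 1"},
    {"id": "A5", "device_id": "dev-3", "gov_id_number": "ID-0001"},
    {"id": "A6", "device_id": "dev-4", "gov_id_number": "ID-0001"},
]

if __name__ == "__main__":
    for ids, why in linked_clusters(ACCOUNTS):
        print(ids, why)
```

Here A1 and A3 never share a value directly but end up in one cluster through A2, and the A5/A6 pair on a single government ID number is the duplicate-account case described earlier. Shared IP or physical addresses are often benign (households, carrier NAT), which is why the evidence pairs are returned for review instead of triggering automatic action.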
Reverify accounts strategically
To protect against account takeover attacks specifically, consider reverifying customers, perhaps via selfie verification, either periodically or when certain triggers are met. Triggers can include events like when a customer tries:
updating their funding sources, payment details, contact information, or other account details
logging into their account from an unrecognized device
logging into their account from a suspicious location
initiating a risky or high-value transaction, or one that appears to be structured
If a customer fails reverification, it can be a sign that the account is compromised or that it's been taken over.
Managing risk while expanding financial inclusion
By directing banks to stop requiring an RFC number for all but full-service (N4) accounts, Mexico is working to dramatically expand access to the country's financial system. Millions of individuals that are currently unbanked, including informal workers and those with low incomes, will be able to open bank accounts even without registering with the SAT — paving the way for financial inclusion and supporting Mexico’s transition to a digitized economy.
Of course, this doesn't mean money laundering is no longer a threat or that identity verification is no longer necessary. If anything, it only increases the importance of having a comprehensive identity verification and fraud mitigation strategy in place. More broadly, this directive illustrates that banking regulation must continue to evolve to better serve the underbanked, and financial institutions need the flexibility to keep pace.
With Persona, you can leverage government ID verification, database checks, selfie verification, liveness detection, and more to design and implement automatic, risk-based, and tier-appropriate digital KYC and AML. Link analysis, powered by Persona’s Graph, makes it easier than ever to identify fraud rings, identity mules, and customers with multiple accounts.