10/2/18 - Promontory Currents: CNBV Issues AML/CTF and Sanctions Provisions for Fintech Firms in Mexico
Home > News & Insights > Insights & Publications

10/2/18 - Promontory Currents: CNBV Issues AML/CTF and Sanctions Provisions for Fintech Firms in Mexico

By Daniel Bufithis-Hurie and Chad Carson

The Comisión Nacional Bancaria y de Valores on Sept. 10 published provisions to implement Mexico’s Ley para Regular las Instituciones de Tecnología Financiera (commonly referred to as the FTI regulation) for financial-technology institutions. The FTI regulation defines in-scope FTIs as crowdfunding entities and electronic-money payments entities, including firms engaged in the sale and transfer of cryptocurrencies that do business in Mexico.

Requirements of the FTI Regulation

The FTI regulation establishes anti-money-laundering, counter-terrorist-financing, and sanctions requirements, which are generally consistent with existing Mexican AML/CTF and sanctions requirements for banks. FTIs will be required to establish AML/CTF and sanctions programs that include the following components:

  • AML/CTF Risk Assessment. FTIs must establish a written AML/CTF risk assessment methodology and perform at least one AML/CTF risk assessment per year. The risk assessment should consider risks presented by the FTI’s products and services, customers, geographies, distribution channels, and technical infrastructure.
  • Know-Your-Customer Program. FTIs must collect and verify information on customers (including the ultimate beneficial owners of legal entities), perform additional risk-based due diligence, and risk rate customers. Based on this KYC information, FTIs must develop and periodically refresh customer “transactional profiles,” which will serve as a baseline for the FTI’s ongoing transaction monitoring and customer due diligence.
  • Governance. FTIs must designate an AML compliance officer to manage the firm’s AML/CTF program. In addition, FTIs with at least 25 full-time employees must create a communications and control committee comprised of at least one board member and at least two members of the firm’s management. As is the case with Mexican banks, the CCC must provide regular oversight of an FTI’s AML/CTF program by reviewing key AML/CTF documentation and escalating key issues and decisions to the FTI’s board of directors. FTIs with fewer than 25 employees may delegate the responsibilities of the CCC to the firm’s AML compliance officer.
  • Training. FTIs must conduct annual risk-based AML training for their directors, officers, and employees, with new-hire training required for executive management and staff who work in operations and customer service.
  • Automated Systems. FTIs must develop automated systems for key processes such as transaction monitoring, customer recordkeeping, KYC-document validation, regulatory reporting, sanctions screening, and cybersecurity.
  • Sanctions Screening. FTIs must screen customers against Mexico’s sanctions list, the lista de personas bloqueadas.
  • Regulatory Reporting. FTIs must submit various types of reports to the CNBV, including reports on suspicious activities, internal fraud, large-value transactions, currencies, cross-border transactions, and cryptocurrencies.
  • Independent Audit. FTIs must engage their internal-audit function or an independent third party to conduct an annual review of their AML/CTF programs.

FTIs will likely need to invest significant time and resources to develop and implement compliant AML/CTF programs. For example, the FTI regulation includes specific requirements for FTIs that deal with cryptocurrencies, such as monitoring cryptocurrency transactions. This is a relatively nascent field that will require FTIs to think carefully about how to comply.

FTIs in scope of the FTI regulation must submit a request to the CNBV for authorization within 12 months of the regulation’s publication. While the CNBV is reviewing its application request, the FTI may continue operating as long as it discloses on its website that its authorization is under review and its activities are not currently supervised by the CNBV.

Comparison to the U.S. Regulatory Regime for FTIs

Mexico’s FTI regulation represents the type of comprehensive regulatory framework that is currently missing for U.S. FTIs. For example, certain U.S. FTIs that offer e-money services may face direct regulation through registration with the Financial Crimes Enforcement Network and state-by-state money-transmitter licensing, while other U.S. FTIs that offer e-money services may avoid direct regulation via bank partnerships.

Furthermore, while all U.S. financial institutions are required to adopt and implement AML/CTF programs, AML/CTF regulatory expectations for and oversight of financial institutions vary by institution type. For example, banks and credit unions in the U.S. are subject to different, more stringent requirements than FTIs, although in practice, e-money FTIs must often adopt bank AML/CTF standards to open bank accounts and access U.S. retail and wholesale payment systems. In contrast, the FTI regulation requires Mexican FTIs to adopt and implement bank-level AML/CTF programs.

Although similar to the U.S. AML/CTF regime, in certain key areas such as governance and due diligence, the FTI regulation offers more prescriptive, rules-based requirements than the U.S. regime, which generally encourages firms to adopt a risk-based approach. For example, the FTI regulation contains a requirement to have executive management approve each high-risk customer and each high-risk transaction. Meanwhile, U.S. financial institutions typically adopt clear policy statements establishing their risk tolerance for products offered, transactions facilitated, and customers served. This risk tolerance (typically approved by a firm’s board of directors) then serves to guide day-to-day business decision-making. FTIs doing business in both the U.S. and Mexico will need to ensure that their AML/CTF operations are appropriately tailored to the requirements of both jurisdictions.


Daniel Bufithis-Hurie is a principal in Promontory’s San Francisco office, and Chad Carson is an associate in Promontory’s Washington office.