Overview of AML Framework
Legal Status of Crypto Activities
Cryptocurrency transactions involving virtual assets by non-financial entities are classified as "vulnerable activities" for AML purposes under Mexico's regulatory framework. This classification brings crypto businesses under the scope of Mexico's comprehensive anti-money laundering regime.
Scope of Application
Who Must Comply:
- Non-Financial Entities: Crypto exchanges, wallet providers, trading platforms
- Foreign Entities: Any platform serving Mexican users, regardless of location
- Financial Institutions: Banks and fintechs (with additional restrictions)
Key Principle: In August 2021, the Financial Intelligence Unit established that non-financial entities engaged in virtual asset transactions with clients in Mexican territory, even if incorporated abroad or with technological infrastructure located elsewhere, must comply with Mexico's AML framework.
Key Regulatory Bodies
1. Financial Intelligence Unit (UIF)
- Role: Primary AML enforcement agency
- Responsibilities:
  - Receiving and analyzing suspicious transaction reports
  - Coordinating with international counterparts
  - Investigating financial crimes
- Authority: Operates under the Ministry of Finance and Public Credit (SHCP)
- Recent Activity: Received over 8.4 million alerts in the first half of 2025, with 47% (4,073,212) related to virtual assets, a 423% increase from 2024
2. Ministry of Finance and Public Credit (SHCP)
- Role: Overall policy oversight
- Functions: Implementation and enforcement of AML/CTF regulations involving virtual assets
3. Tax Administration Service (SAT)
- Role: Practical compliance administration
- Functions:
  - Registration of vulnerable activity providers
  - Collection of monthly reports
  - Tax compliance monitoring
4. National Banking and Securities Commission (CNBV)
- Role: Financial sector oversight
- Functions: AML compliance for banks and securities firms
5. Attorney General's Office (PGR)
- Role: Criminal enforcement
- Functions: Investigation and prosecution of money laundering cases
Legal Foundation
Primary Legislation
Federal Law for the Prevention and Identification of Transactions with Resources of Illicit Origin (LFPIORPI)
- Common Name: Anti-Money Laundering Law
- Amendment: Modified in March 2018 to specifically address virtual assets and cryptocurrencies
- Definition: Virtual assets defined as "representations of value electronically registered and utilized by the public as a means of payment for all types of legal transactions, which may be transferred only electronically"
2018 Fintech Law
- Integration: Worked in conjunction with AML law amendments
- Impact: Created regulatory framework for virtual assets
Vulnerable Activities Classification
Definition
The regular offering and professional exchange of virtual assets is considered a designated business and profession under Mexican law, making it subject to AML requirements.
Covered Activities
- Cryptocurrency Exchange Services
- Virtual Asset Custody
- Crypto-to-Crypto Trading
- Fiat-to-Crypto Exchange
- Virtual Asset Transfer Services
- Cross-Border Crypto Payments
Key Distinction
- Financial Entities: Subject to more robust AML regime if offering crypto services
- Non-Financial Entities: Subject to simpler but comprehensive AML requirements including KYC and periodic reporting
Reporting Requirements
Transaction Reporting Thresholds
Primary Threshold
Transactions equal to or exceeding approximately USD $3,500 (equivalent of 645 UMAs or MXN 70,027.65) must be reported to the Ministry of Finance and Public Credit.
Monthly Reporting
Monthly reports must be filed with SAT for any cryptocurrency/digital asset transactions equal to or greater than the equivalent of 645 UMAs (approximately USD $4,181).
Historical Context
The original threshold was established at approximately US$2,638 as of May 2018, with the requirement starting in September 2019.
Reporting Destinations
- UIF: Suspicious transaction reports
- SAT: Monthly transaction reports for vulnerable activities
- SHCP: High-value transaction notifications
Recent Trends
Virtual asset alerts reached 4,073,212 in the first half of 2025, representing 47% of all alerts received by the UIF, a massive 423% increase from 777,394 alerts in the same period in 2024.
Compliance Obligations
1. Know Your Customer (KYC) Requirements
Customer Identification
Identify and obtain KYC information and documents from users receiving cryptocurrency/digital asset services to prepare and maintain KYC files.
Required Documentation:
- Official identification documents (copies must be retained)
- Proof of address
- Occupation information for business relationships
- Beneficial ownership information (for entities)
Enhanced Due Diligence
- Politically Exposed Persons (PEPs)
- High-risk transactions
- Cross-border activities
- Unusual transaction patterns
2. AML Manual and Policies
Internal AML Manual
Providers must have an AML manual establishing internal policies, procedures, and responsible officers/teams to comply with AML obligations (no specific guidelines for content and format are provided).
Required Elements:
- Risk assessment procedures
- Customer due diligence processes
- Transaction monitoring systems
- Suspicious activity detection
- Record-keeping protocols
- Training programs
3. Compliance Officer
Designation Requirements
Providers must designate with SAT an officer responsible for compliance with AML obligations and for filing the monthly reports.
Responsibilities:
- Oversee AML compliance program
- File required reports
- Coordinate with authorities
- Conduct internal monitoring
4. Employee Training
Regular training must be provided to employees, ensuring they are knowledgeable about AML/CFT laws and regulations, including how to identify and report suspicious activities.
5. Record-Keeping
All records related to customer identification, due diligence measures, and transactions must be securely maintained for a minimum of five years.
Required Records:
- Customer identification files
- Transaction records
- Suspicious activity reports
- Training records
- Internal monitoring reports
6. Transaction Monitoring
Companies must monitor transactions and report any suspicious, unusual, or relevant activities to Mexico's Financial Intelligence Unit.
Registration Requirements
SAT Registration
Providers must obtain registration with the Ministry of Finance and Public Credit, through the Mexican Tax Administration (SAT), as a provider of vulnerable activities.
Process Steps
- Initial Registration: Register as vulnerable activity provider
- Officer Designation: Appoint compliance officer with SAT
- Documentation Submission: Provide required business documentation
- Ongoing Compliance: Maintain registration status
Foreign Entities
The UIF has determined that foreign platforms (including exchanges) are subject to its supervision and must comply with all Anti-Money Laundering Law obligations, including SAT registration.
Penalties and Enforcement
Enforcement Powers
In the first half of 2023, the UIF blocked over 3,653 million pesos (approximately $180 million USD) in suspicious transactions.
Types of Penalties
- Monetary Fines: Potentially millions of pesos based on violation severity
- Administrative Penalties: Formal warnings, corrective actions
- Business Restrictions: Prohibition from government contracts
- Reputational Damage: Public disclosure of violations
- Criminal Prosecution: For serious money laundering violations
Recent Enforcement
The US Treasury's FinCEN designated three Mexican financial institutions (Intercam Banco, CIBanco, and Vector Casa de Bolsa) as major money laundering risks in June 2025.
Recent Developments
2025 Regulatory Updates
Key changes include broadening the definition of beneficial owners, updating business relationship concepts, expanding the list of vulnerable activities, and introducing definitions for politically exposed persons.
Increased Scrutiny
- Alert Volume: 70.7% increase in UIF alerts in first half of 2025
- Crypto Focus: Virtual assets now account for 47% of all alerts
- International Cooperation: Enhanced coordination with US authorities
Stablecoin Regulations
CNBV and Bank of Mexico published criteria on stablecoin offerings in July 2021, treating fiat-backed stablecoins as collective investment schemes requiring authorization.
Practical Compliance Guide
For Crypto Exchanges
Immediate Requirements
- Register with SAT as vulnerable activity provider
- Designate compliance officer with SAT
- Implement KYC procedures for all customers
- Establish transaction monitoring systems
- Create AML manual with internal policies
- Set up reporting infrastructure for monthly SAT reports
Ongoing Obligations
- Monthly transaction reporting to SAT
- Suspicious activity reporting to UIF
- Employee training programs
- Record maintenance (5-year retention)
- Internal auditing and monitoring
For Foreign Platforms Serving Mexico
Compliance Strategy
Foreign platforms must choose between voluntarily complying with Mexican AML law and risking regulatory action; some adopt conservative approaches regardless of where they are located or regulated.
Recommended Approach:
- Legal Assessment: Determine applicability of Mexican law
- Risk Analysis: Evaluate compliance versus business withdrawal
- Implementation: If serving Mexican users, implement full compliance
- Documentation: Maintain detailed compliance records
Best Practices
Transaction Monitoring
- Implement automated monitoring systems
- Set appropriate threshold alerts
- Regular system testing and calibration
- Staff training on alert investigation
Record-Keeping
- Digital record management systems
- Secure data storage with encryption
- Regular backup procedures
- Clear data retention policies
Customer Due Diligence
- Risk-based approach to customer classification
- Enhanced due diligence for high-risk customers
- Regular customer profile updates
- Beneficial ownership identification
Training Programs
- Regular AML training for all staff
- Specialized training for compliance personnel
- Documentation of training completion
- Updates for regulatory changes
Key Takeaways
✅ Compliance Essentials
- Virtual asset transactions are "vulnerable activities" under Mexican AML law
- Registration with SAT required for all crypto service providers
- Monthly reporting obligations for transactions above ~$3,500 USD
- Comprehensive KYC and customer due diligence required
- Foreign entities serving Mexican users must comply
⚠️ Critical Requirements
- Designated compliance officer must be appointed with SAT
- AML manual with internal policies and procedures required
- Employee training and ongoing monitoring mandatory
- 5-year record retention requirement
- Suspicious activity reporting to UIF required
📈 Regulatory Trends
- Significant increase in virtual asset monitoring and alerts
- Enhanced international cooperation on AML enforcement
- Evolving definitions and expanded vulnerable activities
- Increased scrutiny of cross-border transactions
🎯 Strategic Considerations
- Early compliance reduces regulatory risk
- Robust AML programs provide competitive advantage
- International coordination becoming more important
- Technology solutions essential for effective monitoring
Disclaimer: This guide is for informational purposes only and should not be considered legal advice. AML regulations are complex and subject to change. Companies should consult with qualified legal professionals specializing in Mexican financial regulation and AML compliance before implementing compliance programs or making business decisions related to virtual assets in Mexico.