KYC and Onboarding in Mexico: Legal framework and application in onboardings

    In Mexico's financial and commercial ecosystem, financial crime prevention has become a fundamental pillar for the stability, security and reputation of any company. The concepts of KYC (Know Your Customer) and AML (Anti-Money Laundering) have transcended their origin in the banking sector to become a strategic necessity and an unavoidable regulatory obligation for a wide range of industries. Understanding and correctly applying KYC/AML processes in Mexico not only helps prevent money laundering and terrorist financing, but also strengthens trust in financial institutions and promotes a secure business environment.

    Regulation in Mexico is robust and specific, requiring companies not only to identify their customers, but also to understand the nature of their activities and monitor their transactions to detect and report suspicious ones. This process, known as "Know Your Customer" (KYC), is the first line of defense against money laundering and terrorist financing (ML/FT).

    In the current context, where digital transactions have increased exponentially, Mexican companies face the challenge of maintaining high compliance standards while offering agile and efficient user experiences. This balance is particularly critical in sectors such as financial services, real estate, insurance and e-commerce.

    KYC and onboarding in the Mexican regulatory context

    Know Your Customer (KYC) is a standardized process by which a company verifies the identity of its customers and assesses the potential risks associated with the business relationship. In the context of regulation in Mexico, KYC processes are an essential component of a broader Anti-Money Laundering (AML) strategy.

    In the Mexican regulatory framework, KYC processes are based on the principle of "Customer Due Diligence" (CDD), which establishes the obligation for certain sectors to obtain, verify and keep updated specific information about their customers. This information includes identification data, financial situation, sources of income, economic activity and, in specific cases, information on beneficial owners and politically exposed persons (PEPs).

    Its main objective is to prevent institutions and companies from being used, intentionally or unintentionally, as vehicles to legitimize illicit capital. The implementation of robust KYC processes allows organizations to:

    • Verify Identity: Confirm that a customer is who they say they are, using reliable documents and sources of information.
    • Understand the Client's Activity: Understand the nature of the client's professional or business activities to determine whether their transactions are consistent with their profile.
    • Assess Risk: Assign a risk level to each client (low, medium, high) based on factors such as their industry, geographic location, type of transactions and corporate structure. This allows for a risk-based approach, dedicating more resources to monitoring high-risk clients.
    • Continuous Monitoring: Monitor customer transactions over time to detect unusual or suspicious patterns that may indicate illicit activities.

    In Mexico, the central authority in this matter is the Ministry of Finance and Public Credit (SHCP), through the Financial Intelligence Unit (UIF). The UIF is in charge of receiving and analyzing the transaction reports (known as "Avisos") from the obligated entities and, if necessary, filing the corresponding complaints before the Attorney General's Office. Other entities, such as the National Banking and Securities Commission (CNBV) and the Tax Administration Service (SAT), also play a crucial role in the supervision of compliance.

    Sectors required to comply include credit institutions, brokerage firms, finance companies, insurance companies, pension funds, gaming companies, real estate companies and precious metals dealers. Non-compliance with KYC/AML regulations in Mexico can have severe consequences, ranging from fines in the millions of dollars to revocation of licenses and, in serious cases, criminal liability for the company and its executives. Therefore, a well-implemented KYC policy is an indispensable investment in the sustainability and legality of any business.

    The legal framework for KYC in Mexico is mainly based on the Federal Law for the Prevention and Identification of Operations with Illicit Proceeds, known by its acronym LFPIORPI, enacted in 2012, and its subsequent amendments. This law constitutes the fundamental pillar of the Mexican anti-money laundering system. It establishes specific obligations for those who carry out what it considers vulnerable activities, as well as the obligation to report unusual or suspicious transactions to the authorities. Its scope covers not only financial institutions, but also sectors such as real estate, gaming and lotteries, trade in precious metals and stones, and professional services, among others.

    The main obligations imposed by LFPIORPI are:

    • Identification of Clients and Users: All entities that carry out the "Vulnerable Activities" defined in the law must integrate identification files of their clients. Information requirements vary depending on whether the client is an individual or a legal entity, but generally include name, date of birth/incorporation, address, RFC, CURP and official documentation (INE, passport, articles of incorporation).
    • Filing of Notices: When a transaction exceeds certain monetary thresholds, the entity is required to submit a "Notice" to the UIF through the SAT portal. These notices inform the authority about the completion of the transaction. It is crucial to understand the difference between the "identification threshold" and the "notice threshold", which may be different for each activity.
    • Custody of Information: The documentation and information collected must be kept in physical or electronic form for a minimum period of five years, and must be available to the SHCP and SAT for verification visits. Tecalis tools have a minimum custody period of 5 years, extendable if required.
    • Designation of a Compliance Representative: Companies must designate a person responsible for overseeing the correct implementation of compliance policies.

    The Intersection with the Federal Law for the Protection of Personal Data (LFPDPPP)

    The KYC process inherently involves the collection and processing of a large amount of personal and sensitive data. This is where the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its regulations come into play.

    While the LFPIORPI makes it mandatory to collect information, the LFPDPPP regulates how that information should be handled. Companies must ensure that their KYC process complies with the following data protection principles:

    • Lawfulness, Loyalty and Consent: The data must be collected in a lawful manner and with the consent of the owner, who must be clearly informed about the use that will be made of it.
    • Purpose: Personal data collected for KYC/AML compliance can only be used for this purpose and for those explicitly consented to in the privacy notice.
    • Proportionality: Only data strictly necessary to fulfill the stated purpose should be collected.
    • Security: Administrative, technical and physical security measures must be implemented to protect data against damage, loss, alteration, destruction or unauthorized use.

    The Privacy Notice is the key document through which the customer is informed about the processing of their data. It must clearly specify that the customer's information will be used to comply with the obligations of the LFPIORPI. The correct harmonization of both laws is vital for comprehensive compliance.

    NOM-151 requirements for data preservation in KYC processes

    In the digital age, most KYC records are created and stored electronically. However, how do you ensure that a digital document, a contract, an identification form or a copy of an INE maintains its integrity and is not altered over time? This is where the Mexican Official Standard NOM-151-SCFI-2016 becomes relevant.

    NOM-151 establishes the requirements for the conservation of data messages and the digitalization of documents. Its purpose is to ensure that an electronic document retains its authenticity and integrity from the moment it is generated, making it legally reliable evidence comparable to a physical document.

    The main conditions are:

    • Use of advanced electronic signature or digital seals on stored files, so that any subsequent alteration is cryptographically detected.
    • Inclusion of digital time stamps, which guarantee the accuracy of the date and time the document was scanned or signed.
    • Issuance of a certificate of electronic preservation by a Certification Service Provider (CSP) such as Tecalis, which certifies that the digitized document is faithful to the original and has not been modified since its creation.
    • Use of cryptographic mechanisms (e.g. hash functions) to ensure the unalterability of stored files.

    For Know Your Customer processes in Mexico, this is fundamental. The LFPIORPI requires records to be retained for at least five years. If these records are digital, NOM-151 provides the mechanism for such retention to be legally valid and defensible in the event of an audit or litigation.

    This preservation record reliably guarantees that the document existed in a specific form at a specific moment in time. Any subsequent alteration to the document would no longer match the fingerprint (hash) recorded for it, proving that it has been modified. For KYC processes, this means that the identity and documentation presented by a customer on the date of onboarding can be proven with legal certainty.
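
    The tamper-evidence property described above, as an added example (not Tecalis code and not the NOM-151 record format): a preservation record binds a SHA-256 fingerprint to a time, and verification fails if either the file or the record changes. The function names, the JSON field names and the HMAC seal, which stands in for the provider's signature and time stamp, are assumptions made for the sketch.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: stand-in for the certification provider's signing key. A real
# provider signs with an asymmetric key and the verifier holds only its
# certificate; HMAC keeps this sketch inside the standard library.
DEMO_SEAL_KEY = b"constructed-demo-key-not-for-production"


def fingerprint(document: bytes) -> str:
    """SHA-256 digest of the stored file, hex encoded."""
    return hashlib.sha256(document).hexdigest()


def _seal(body: dict) -> str:
    # Canonical JSON so the same fields always serialise to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_SEAL_KEY, payload, hashlib.sha256).hexdigest()


def issue_record(doc_id: str, document: bytes, when: datetime) -> dict:
    """Build a preservation record binding the digest to a point in time."""
    body = {
        "doc_id": doc_id,
        "sha256": fingerprint(document),
        "preserved_at": when.astimezone(timezone.utc).isoformat(),
    }
    return {**body, "seal": _seal(body)}


def verify_record(record: dict, document: bytes) -> str:
    """Return 'ok', 'record-tampered' or 'document-altered'."""
    body = {k: v for k, v in record.items() if k != "seal"}
    # Check the seal first: an edited digest or timestamp fails here.
    if not hmac.compare_digest(_seal(body), str(record.get("seal", ""))):
        return "record-tampered"
    # The record is intact, so compare the file against the sealed digest.
    if not hmac.compare_digest(body["sha256"], fingerprint(document)):
        return "document-altered"
    return "ok"


if __name__ == "__main__":
    # Constructed sample input standing in for a digitized onboarding form.
    form = b"constructed onboarding form, customer file 001"
    rec = issue_record("file-001", form, datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
    print(verify_record(rec, form))
    print(verify_record(rec, form + b" (edited)"))
    print(verify_record(dict(rec, preserved_at="2019-01-15T10:30:00+00:00"), form))
```

    Sealing the timestamp together with the digest is what stops a record from being backdated to cover a document created later.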

    Identification of users in vulnerable activities: finance, real estate, etc.

    LFPIORPI defines as "vulnerable activities" multiple sectors beyond traditional banking. This includes, for example, the real estate industry, car dealerships, jewelry stores, casinos, travel agencies, accounting and notary services, among others. In all these cases, similar KYC procedures apply: the customer must be identified and verified before a relevant transaction (such as the purchase and sale of real estate or a used car) is concluded.

    • Real estate sector: Notaries and real estate agencies must verify the identity of the buyer and seller, as well as the origin of the resources in the transaction. Official credentials must be checked and data must be recorded in deeds or digital contracts, keeping backup in accordance with NOM-151.
    • Sale of used vehicles: Agencies and dealers validate the identity of the buyer/seller through official credentials and generate a sales contract with electronic signature.
    • Jewelry and luxury goods: Merchants identify customers in high-value transactions, recording personal data and transaction details for reporting if necessary.
    • Casinos and lotteries: Operators must capture the identification of gamblers making large deposits or withdrawals, using biometric data or real-time verification.
    • Professional services: Lawyers, notaries and accountants are required to identify parties when creating companies, transferring assets or managing funds, reporting significant transactions to the UIF.

    Identification is not a mere formality. It involves gathering and validating documentation, understanding who the "beneficial owner" is (the natural person who ultimately controls the customer) and applying a risk-based approach to determine whether enhanced due diligence is required.

    These measures seek to prevent assets of illicit origin from entering the system through transactions in non-financial sectors. The use of digital systems such as those offered by Tecalis facilitates KYC/AML compliance in these activities.

    Differences between Simple Electronic Signature and Advanced Electronic Signature

    The distinction between simple electronic signature and advanced electronic signature is a fundamental element for the implementation of digital KYC processes in Mexico. This differentiation has not only technical implications, but also significant legal implications that affect the evidentiary validity of documents and transactions in regulatory contexts.

    • A simple electronic signature is defined as data in electronic form attached to or associated with other data, which can be used to identify the signatory. This category includes a wide range of authentication mechanisms, from passwords and PIN codes to basic biometric patterns. Although simple electronic signatures are legally valid in Mexico, their evidentiary force can be more easily challenged in judicial or administrative proceedings.

    In contrast, the advanced electronic signature incorporates technical and procedural elements that provide greater security and evidentiary value. To be considered advanced, an electronic signature must meet specific requirements established in the Mexican Commercial Code: it must be uniquely linked to the signatory, allow the identification of the signatory, have been created using means that the signatory maintains under their exclusive control, and be linked to the data to which it refers in such a way that any subsequent change in the data is detectable.

    • The Advanced Electronic Signature (FIEL) represents the most recognized standard of advanced electronic signature in Mexico. The FIEL uses asymmetric cryptography technology with digital certificates issued by qualified service providers, providing security levels equivalent to the autographic signature for tax purposes and, by extension, for many other legal purposes.

    Choosing between Simple and Advanced Electronic Signatures in KYC Processes

    The decision to use a simple or advanced electronic signature in Know Your Customer (KYC) processes is based on three key factors:

    • Risk level: For high-value or high-risk transactions, advanced electronic signatures are usually required to ensure the integrity and legal validity of the process.
    • Specific regulations: Current regulations may dictate the type of signature required.
    • Evidentiary value: The need for solid proof in the face of potential litigation will tip the balance in favor of the advanced signature.

    Implementation of the Advanced Electronic Signature

    To implement advanced electronic signatures in KYC processes, it is necessary to collaborate with authorized Certification Service Providers (CSP), such as Tecalis. These providers are responsible for:

    • Issuing and managing the necessary digital certificates.
    • Complying with the rigorous technical standards of Mexican regulations.
    • Maintaining a secure and reliable public key infrastructure (PKI).

    The Importance of Time Validation

    A critical aspect of advanced electronic signatures is time validation. To ensure the long-term legal validity of documents, digital time-stamping mechanisms must be used. This certifies the exact time of signature, which is critical for KYC documents that must be retained for extended periods of time.

    International Interoperability

    It is important to consider the recognition of the signature in other countries. While the Mexican advanced electronic signature may have limited recognition internationally, there are standards that facilitate the acceptance of digitally signed documents across borders.

    Functions and Relevance of Certification Service Providers (CSPs) in Mexico

    For the digital signature in Mexico and other digital trust services such as KYC/AML processes to work, a supporting infrastructure is needed. This function is fulfilled by Certification Service Providers (CSPs) such as Tecalis.

    A CSP (PSC, by its Spanish acronym) or QTSP is a legal entity or public institution accredited by the Ministry of Economy to issue digital certificates and provide other services related to electronic signatures. They are similar to notaries in the digital world, providing certainty and confidence to electronic transactions.

    Certification service providers also play an important role in preventing identity fraud. Digital certificate issuance procedures include rigorous identity checks that can complement traditional KYC processes. These checks can include comparisons with official databases, biometric verification, and face-to-face procedures when necessary.

    Their most important functions in the context of regulation in Mexico are:

    • Issuance of Digital Certificates: CSPs can also issue certificates for specific purposes.
    • Issuance of Digital Time Stamps (Timestamping): As mentioned, this service is essential to prove the existence of a document at a specific time, which is fundamental for the long-term validity of the archives.
    • Issuance of Conservation Certificates (NOM-151): They are the only entities authorized to issue certificates that comply with NOM-151, guaranteeing the integrity of digital KYC files in the long term.
    • Identity Validation: Before issuing a certificate, the CSP must perform a rigorous process of validating the applicant's identity, similar to a KYC process.

    The relevance of certification service providers is indisputable. Without them, there would be no standardized and legally recognized mechanism to guarantee the integrity of documents and the authenticity of signatures in the digital environment. By hiring the services of a CSP such as Tecalis to implement Know Your Customer and electronic signature processes, companies not only comply with a technical standard, but also legally shield their digital onboarding processes.

    Digital identity verification using official RENAPO and CURP records

    The first step in any KYC process is identity verification. In the past, this required the physical presence of the customer and the manual review of documents. Today, thanks to tools such as Tecalis', this frictionless process can be performed remotely, securely and instantly, connecting directly to official Mexican government information sources. The two most important databases for this purpose are:

    • CURP (Clave Única de Registro de Población): The CURP is a unique 18-character alphanumeric code assigned to all citizens and residents of Mexico. It is the fundamental identity key in the country.
    • RENAPO (National Registry of Population and Personal Identification): It is the government entity responsible for registering and accrediting the identity of all persons in Mexico. It maintains the national CURP database.

    A robust digital identity verification process in Mexico with Tecalis tools follows these steps:

    • Data Capture: The client provides their full name and CURP through a digital platform.
    • Real Time Query: The company's system, through a secure connection (API), sends a validation request to RENAPO's web service.
    • Data Validation: The RENAPO service compares the CURP and name provided with its official database and returns a response. This response can confirm that the CURP is valid, that it corresponds to the name provided and, crucially, the status of the registration (e.g., if the person has been registered as deceased).
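
    A local pre-check that can run at the data-capture step, before the CURP is sent to RENAPO, as an added example (not Tecalis code and not part of any RENAPO interface). It goes beyond the page's description of the CURP as an 18-character code by checking the field layout, the embedded birth date and the trailing check digit as they are commonly documented; the function names and the sample value are constructed, and the state code is not checked against the official list.

```python
import re
from datetime import date

# Alphabet used to weight characters for the check digit (Ñ sits between N and O).
_ALPHABET = "0123456789ABCDEFGHIJKLMNÑOPQRSTUVWXYZ"

# Explicit [0-9] instead of \d: in Python, \d also matches non-ASCII digits.
_CURP_RE = re.compile(
    r"[A-Z][AEIOUX][A-Z]{2}"            # initials from surnames and given name
    r"([0-9]{2})([0-9]{2})([0-9]{2})"   # date of birth, YYMMDD
    r"[HMX]"                            # sex marker (X accepted here as an assumption)
    r"[A-Z]{2}"                         # state of birth (not checked against a list)
    r"[B-DF-HJ-NP-TV-Z]{3}"             # internal consonants
    r"([0-9A-Z])"                       # differentiator: digit before 2000, letter after
    r"[0-9]"                            # check digit
)


def check_digit(first17: str) -> int:
    """Weighted sum over the first 17 characters, weights 18 down to 2."""
    total = sum(_ALPHABET.index(ch) * (18 - i) for i, ch in enumerate(first17))
    return (10 - total % 10) % 10


def precheck_curp(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason) without contacting any external service."""
    curp = raw.strip().upper()
    if len(curp) != 18:
        return False, "length"
    m = _CURP_RE.fullmatch(curp)
    if not m:
        return False, "format"
    yy, mm, dd, diff = m.groups()
    century = 1900 if diff.isdigit() else 2000
    try:
        born = date(century + int(yy), int(mm), int(dd))
    except ValueError:
        return False, "date"            # e.g. 30 February
    if born > date.today():
        return False, "date"
    if check_digit(curp[:17]) != int(curp[17]):
        return False, "check-digit"     # typo or fabricated value
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; they do not belong to any real person.
    for sample in ("TEST850615MDFSSX00", "TEST850615MDFRSX00", "TEST850230MDFSSX00"):
        print(sample, precheck_curp(sample))
```

    A passing pre-check only rules out malformed input; whether the CURP exists, matches the name and belongs to a living person still comes from the RENAPO response.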

    This validation is an extremely powerful anti-fraud control. It prevents the use of false or stolen identities and ensures that the person you are dealing with is real and alive.

    In addition to CURP, many digital onboarding solutions complement this verification with validation of the voting credential (INE) against the National Electoral Institute's databases and validation of fiscal data (such as the Tax Identification Card) against SAT records. The combination of these validations creates a nearly foolproof digital identification process, laying a solid foundation for the entire KYC/AML compliance lifecycle in Mexico.
