I. Background
On May 31, 2024, the National Banking and Securities Commission (“CNBV”) sent to the National Commission for Regulatory Improvement (“CONAMER”) the “Resolution that reforms, adds, and repeals various of the General Provisions referred to in Article 115 of the Credit Institutions Law” (the “Draft”). The complete file can be viewed here.
The Draft responds to the call made by the Financial Action Task Force (“FATF”) for the use of financial technology by financial institutions (“Institutions”) for the prevention of money laundering and terrorism financing (“ML/TF”).
Since March 2019, a non-face-to-face identification regime has been incorporated into the Mexican regulation in terms of ML/TF; however, it has been insufficient regarding the existing risks and considering the update on the 2023 National Risk Assessment.
The Draft is in the process of public consultation for at least 20 business days, with the aim that any interested person may send comments and suggestions, which must be addressed by the authority prior to its publication in the Official Gazette of the Federation.
II. Content of the Preliminary Draft
i. Permitted Identifications
- The identification document may serve as proof of address, as long as it is the same address indicated by the Client.
- New identification documents: The Draft includes new documents to facilitate the identification process both in person and remotely: the military identity card, the voter ID issued by consular offices of the Ministry of Foreign Affairs (“SRE”); identifications granted abroad other than the passport, such as driver's license and credentials issued by federal or equivalent authorities.
- Foreign persons with refugee status may present their temporary CURP. Their accounts will be level 2 low-risk.
ii. Opening non-face-to-face accounts
The Draft modifies the regime so that only non-face-to-face operations can be carried out with individuals and legal entities of Mexican nationality.
- Provisions on technology: The obligation for the CNBV to issue general provisions regulating technological mechanisms for the opening of accounts and conclusion of non-face-to-face contracts continues.
- Validations by account levels: The current Provisions establish the possibility, for Level 1 and 2 accounts, to replace the interview for opening an account with the capture and validation of certain data through a query in the National Population Registry (CURP, name, date, and place of birth). The Draft adds the requirement to validate the mobile phone through a mechanism other than the one provided.
For Level 3 accounts, in addition to the above, Institutions must validate the voter ID or passport directly with the INE/SRE or with a Mexican authority that provides digital verification services.
For accounts whose operation is limited to deposits of up to 30,000 UDIS, individual entrepreneurs and legal entities must consent with their Advanced Electronic Signature, and Institutions must validate (before or after contracting, but always before starting operations) that they carry out business activities and/or that the representative has powers.
- Institutions must retain all digital documents in accordance with NOM-151-SCFI, which is the official Mexican standard on the digitalization and preservation of data messages.
- It is standardized throughout the Provisions that consent can be obtained with an electronic signature or advanced electronic signature.
iii. Holding accounts and Institution's own accounts
- Holding accounts: The Draft adds a new report to be submitted to the Ministry of Finance and Public Credit: all international transfers related to the holding accounts of which the Institutions are holders and in which their clients, executives, officials, employees, or attorneys participate.
- Internal accounts: A new article is added obliging Institutions to develop policies, processes, and procedures in their compliance manual to ensure that the accounts opened internally in the Institutions for administrative purposes are not operated by clients, or operations are carried out instructed by their clients without registration of such instruction.
iv. Internal structures
- Deadline for designation or revocation: The deadline to notify the CNBV about the designation and revocation of the compliance officer is modified from one business day and three respectively, to ten business days following the date of designation or revocation.
- Annual ML/TF audit: The auditor performing the annual internal or external audit in ML/TF must be certified by the CNBV.
- Mandatory certification: Compliance officers will be required to be certified in ML/TF.
v. Terrorism financing: new obligations
- As part of the design and development of the risk-based methodology, there is an explicit obligation to establish specific indicators for both money laundering and terrorism financing crimes.
vi. File review
- Institutions are obliged to subject the identification files to a review process by an official other than the one who elaborated or updated them. Likewise, Institutions must evaluate their automated systems every two years, and it must be done by an area different from the one that developed them.
vii. Automated systems
- Two new functions are added to the automated systems: (i) the execution of the risk assessment model and (ii) client classification
viii. Risk-based approach
The Draft establishes various changes that allow for stricter risk-based supervision, both of Institutions regarding their clients and the CNBV. Among others, the following stand out:
- Operational Report: Institutions must submit to the CNBV within the last ten business days of April each year a report containing quantitative information about their operations, channels, types of clients, types of products and services, as well as the geographical areas where they operate. The format is still pending issuance by the CNBV.
- Differentiated transactional monitoring: Institutions must apply differentiated transactional monitoring criteria for individual clients, legal entities, or trusts.
- Interview: If a client has more than one account in the same Institution or when the transactional level of any of their products exceeds the maximum amount to be considered low-risk, the Institution is obliged to conduct an in-person or remote interview (currently only obliged to integrate the file according to the corresponding risk level). They cannot continue any operation until the above is concluded.
- A paragraph is added stating that Institutions, to determine the transactional level of their clients, may not consider generated interest, transfer returns, or any other bonus.
- Manual: Se adiciona un párrafo mediante el cual se establece la obligación de incluir en el manual de cumplimiento el procedimiento para obtener información adicional de aquellos clientes que representen un mayor grado de riesgo, especificando la información adicional que debe recabarse de dichos clientes en relación con aquellos que representan un grado de riesgo menor, así como la forma en que llevarán a cabo una supervisión más estricta al comportamiento transaccional de dichos clientes, la cual deberá realizarse de forma diferenciada.
ix. FATF
Current provisions obligate Institutions to file an unusual operations report when countries and jurisdictions considered preferential tax regimes or identified by an international organization as lacking measures to combat ML/TF are involved. The Draft proposes to obligate Institutions to the following:
- To determine the risk level of clients conducting transfers, Institutions must consider if such operations involve these countries or jurisdictions.
- Institutions must apply enhanced due diligence measures when providing correspondent services to foreign financial entities domiciled and constituted in such countries or jurisdictions.
- Entities must refrain from conducting correspondent operations with foreign financial entities or financial institutions or intermediaries that have no physical presence in any jurisdiction or do not have a business center.
- The jurisdiction or country involved must be included in the International Fund Transfer Reports.
III. Transitional Provisions
The amendments will enter into force the day after the Draft is published in the Official Gazette of the Federation. However, Institutions must comply with the following obligations within the following periods:
i. Eighteen months:
- Modify their compliance manual and submit it to the CNBV.
- Update their automated systems.
ii. Twelve months:
- Modify their risk assessment methodology
- Ensure that their compliance officers are certified before the CNBV in ML/TF.
* * * *
Campa & Mendoza
This document does not constitute legal advice.