Mexico AML/CFT and Sanctions Screening Guide
Mexico's AML/CFT and sanctions-control framework is split across several authorities, sector laws, and reporting systems. The Unidad de Inteligencia Financiera (UIF) receives and analyses financial intelligence, while day-to-day supervision and filing routes depend on whether the business falls under CNBV, CNSF, CONSAR, or SAT/SPPLD.
For compliance teams, the practical question is therefore not only "which list should we screen?" It is how to map the business to the right Mexican regime, collect the right customer and beneficial-owner data, screen the right parties, handle blocked-person and suspicion scenarios, file through the correct channel, and keep evidence that can survive supervisory review.
Why This Matters in Mexico
Mexico has two broad compliance families that should not be blurred.
Financial entities follow sectoral financial laws and supervisory routes. Depending on the activity, the relevant supervisor may be the CNBV, CNSF, or CONSAR, with the UIF receiving and analysing financial intelligence. For these entities, the Lista de Personas Bloqueadas (LPB) is the clearest domestic blocked-person trigger in the reviewed official materials.
Non-financial Actividades Vulnerables follow the LFPIORPI framework and operate through the SAT/SPPLD process. The 2025 LFPIORPI reform materially strengthened beneficial-owner handling, record retention, risk-based controls, training, monitoring, audit concepts, and a 24-hour notice route for suspicious facts or indicia.
Official materials refer to 24-hour reporting for confirmed LPB situations in financial-sector guidance and suspicion notices for vulnerable activities.
SAT criteria say LFPIORPI support information and documentation should be retained for 10 years for acts or operations from 17 July 2025.
SAT criteria treat 17 July 2025 as the effective date for several key LFPIORPI reform points, with some Article 18 obligations tied to updated rules.
The safest publication line is precise: screen Mexican hard-law triggers first, then add foreign lists on a documented risk basis. The Mexican public sources reviewed support the LPB and UN Security Council references as Mexico-facing control anchors. OFAC, EU, UK, and other foreign lists remain important where exposure justifies them, but they should not be described as a universal Mexican domestic-law requirement for every obliged person.
Mexico Is a Multi-Authority Model
Do not present UIF as if it were the only authority in the Mexican AML/CFT workflow. UIF receives and analyses reports and notices, but the operational supervisor and reporting channel depend on the sector.
| Authority | Role | Practical relevance |
|---|---|---|
| UIF | Mexico's financial intelligence unit. It receives reports and notices, analyses information, cooperates with authorities, and may present complaints. | Central intelligence function, but not the only operational authority in Mexican AML/CFT workflows. |
| SHCP | Central finance ministry authority behind sector rules and the UIF framework. | Important because financial-sector AML/CFT provisions often route obligations through SHCP and sector supervisors. |
| CNBV | Supervisor for many financial entities, including banks, brokerage, fintech institutions, SOFOMs, money transmitters, and exchange-related entities. | Key for financial-sector AML/CFT supervision and SITI PLD/FT reporting routes. |
| CNSF | Supervisor for insurers and surety entities. | Relevant for insurance AML/CFT reporting such as relevant, unusual, and internal-concern operations. |
| CONSAR | Supervisor for retirement-system entities. | Relevant for AFORE and retirement-sector AML/CFT formats and reporting obligations. |
| SAT / SPPLD | SAT's internet system for LFPIORPI vulnerable-activity registration, notices, and zero reports. | The operational route for non-financial Actividades Vulnerables. |
The article should therefore speak about Mexico's AML/CFT authority map, not one national AML office.
Who Must Comply
The first operating decision is whether the business is a financial entity under a sectoral financial law or a non-financial vulnerable activity under the LFPIORPI.
| Business type | Main route | Why it matters for screening |
|---|---|---|
| Banks and many CNBV-supervised financial entities | Sectoral financial law, CNBV supervision, SITI PLD/FT, LPB controls. | Screening should support customer identification, unusual-operation detection, LPB handling, and 24-hour blocked-person reporting where applicable. |
| Fintech institutions | LRITF Article 58, CNBV / SHCP / UIF framework. | Treat as financial-entity screening, not as a generic LFPIORPI-only workflow. |
| Brokerage / securities | LMV Article 212, CNBV route. | Screening belongs in the same financial-sector blocked-person and unusual-operation family. |
| Insurance and surety | LISF Article 492, CNSF route. | Screening should support insurance AML/CFT reports and sanctions/blocking workflows. |
| Retirement administrators / AFOREs | LSAR Article 108 Bis, CONSAR route. | Screening and monitoring must align with retirement-sector reporting formats. |
| SOFOMs, money transmitters, exchange centres | CNBV / LGOAAC or relevant sector framework. | The exact route depends on the legal category; do not collapse SOFOM ER and SOFOM ENR into one workflow. |
| Real estate, notaries, dealers, gaming, high-value goods, and other vulnerable activities | LFPIORPI Article 17, SAT/SPPLD route. | Screening supports identification, beneficial-owner capture, notice thresholds, cash-use restrictions, and suspicion notices. |
This distinction is not academic. It affects the supervisor, reporting channel, list logic, evidence set, and the language a vendor can safely use in product claims.
The Mexican Blocked-Person Baseline
For Mexican financial entities, the clearest domestic blocked-person control is the Lista de Personas Bloqueadas. The legal architecture is visible in sectoral provisions such as Article 115 of the Ley de Instituciones de Crédito and analogous financial-sector rules.
Mexico does not publish the LPB as an open public sanctions file comparable to OFAC, EU, UN, or UK downloadable lists. Article 115 of the Ley de Instituciones de Crédito describes the LPB as a confidential list communicated by SHCP to credit institutions, and requires institutions to immediately suspend acts, operations, or services with listed customers or users.
CNBV training and guidance materials describe the operational consequence of an LPB hit in direct terms: if a supervised subject identifies a customer or user on the LPB, it should suspend the act, operation, or service immediately and send the report to SHCP through CNBV within 24 hours. CNBV materials also explain that if a person is removed from the LPB, the suspended acts, operations, or services should resume.
This is the Mexico-specific hard point that should anchor the article. It is more precise than saying "screen global sanctions lists" without explaining the domestic blocked-person mechanism.
Which Lists to Screen in Mexico
The right list perimeter depends on legal category, customers, counterparties, currencies, banking relationships, group policy, and geography.
| Source | Practical role in Mexico | How to frame it |
|---|---|---|
| Lista de Personas Bloqueadas | Clearest domestic blocked-person trigger for financial entities in the reviewed sources. | Mexican hard-law control for financial-sector workflows. |
| UN Security Council Consolidated List | Strong foreign-source baseline because UN measures are official and CNBV materials reference UN Security Council lists in risk-based controls. | Mexico-facing baseline or near-baseline depending on sector policy. |
| OFAC sanctions lists | Critical where there is U.S. nexus, USD clearing, U.S. persons, correspondent banking, U.S. investors, or group policy. | Risk-based extension, not a universal Mexican domestic-law baseline for every entity. |
| EU financial sanctions data | Relevant for EU parents, EU customers, euro exposure, contracts, or group policies. | Risk-based extension for EU exposure. |
| UK Sanctions List | Relevant for UK customers, counterparties, banking relationships, or internal group policy. | Risk-based extension for UK exposure. |
| Other national or regional lists | May matter for specific corridors, investors, contracts, or counterparties. | Document the policy rationale and legal basis. |
The editorial point is precision: do not under-scope the article, but do not overclaim. A Mexico-only reader should understand that LPB and Mexican sector rules are the local starting point; an international financial-services reader should also understand why OFAC, EU, UK, and other lists may still be operationally necessary.
A Practical Mexico Screening Workflow
Screening in Mexico should be built as a decision workflow, not as a single name search.
- 01. Classify the regime: Determine whether the business is a financial entity, fintech, insurer, retirement entity, SOFOM, money transmitter, or LFPIORPI vulnerable activity. The regulator and filing route change by category.
- 02. Screen the relevant parties: Screen customers, users, beneficial controllers, representatives, counterparties, payment parties, and other relevant actors against the Mexican baseline and risk-based foreign lists.
- 03. Decide, report, and retain evidence: Separate false positives, potential matches, confirmed LPB hits, and ML/TF suspicion. Trigger the correct reporting route and retain the decision record.
A strong Mexico policy should define:
- which Mexican regime applies to the business;
- which lists form the mandatory baseline;
- which foreign lists are added because of exposure;
- which parties are screened at onboarding and during the relationship;
- what identifiers are required to clear or confirm a hit;
- when the case becomes an LPB, unusual-operation, or suspicion-reporting workflow;
- where the report or notice is filed;
- what evidence is retained and for how long.
How to Review Matches
A name hit should not automatically be described as a confirmed blocked-person match. Review should compare the strongest available identifiers.
| Outcome | Meaning | Operational response |
|---|---|---|
| False positive | The customer, user, beneficial controller, or counterparty is not the listed person or entity. | Document the identifier comparison, rationale, reviewer, and source evidence. |
| Potential match | The hit cannot yet be cleared with available information. | Escalate, collect additional documents where lawful, and avoid informal closure. |
| Confirmed LPB match | The party is confirmed against Mexico's blocked-person control. | Suspend the act, operation, or service and follow the relevant 24-hour reporting route through the financial-sector channel. |
| ML/TF suspicion | Facts indicate possible money laundering or terrorist financing, even without a confirmed blocked-person match. | Run the sector-specific unusual-operation or vulnerable-activity notice process. |
For financial entities, the confirmed LPB scenario is the cleanest hard-law example. For vulnerable activities, the more important distinction is often whether a fact, transaction, or attempted transaction creates a notice obligation under LFPIORPI and SPPLD rules.
LFPIORPI Vulnerable Activities
For non-financial activities, the key source is the LFPIORPI. Article 17 defines the vulnerable activities. Article 18 sets core obligations such as identifying clients or users, collecting information, keeping records, presenting notices, and protecting information.
The 2025 reform makes this especially important for screening content.
The source inconsistency should be handled openly. SAT's criteria page says the ten-year retention period applies to acts or operations from 17 July 2025. Some older SAT public pages still show five-year language. A public article can explain that conflict, but firm workflow wording should be checked against the latest rules and Mexican counsel.
How Suspicious Activity Is Reported
Mexico does not have one reporting route for all sectors.
| Scenario | Reporting route | Practical note |
|---|---|---|
| CNBV-supervised financial-sector reports | SITI PLD/FT and related CNBV electronic processes. | Used for many financial-sector AML/CFT reports and filings. |
| Insurance / surety reports | CNSF reporting products and formats. | Includes report families such as relevant, unusual, and internal-concern operations. |
| Retirement-sector reports | CONSAR formats and retirement-sector framework. | Relevant for AFORE and retirement entities. |
| LFPIORPI vulnerable-activity notices | SPPLD. | Used for registration, notices, and zero reports. |
| Confirmed LPB hit in financial-sector workflow | Report through the relevant financial-sector path to SHCP via the supervisor. | CNBV materials describe immediate suspension and 24-hour reporting for supervised subjects. |
For vulnerable activities, the post-reform article should highlight the 24-hour notice route. The reviewed sources support this sentence: if there is suspicion or factual indicia that resources may come from, or be intended for, illicit-resource or terrorist-financing activity, a notice may be required within 24 hours; under the regulation reform, this includes cases where the act or operation was not completed.
This is useful for product teams because it turns "monitoring" into a concrete workflow: detect the fact, preserve the evidence, classify the notice route, file through SPPLD where applicable, and retain the case record.
Evidence and Audit Trail
Mexico screening evidence should show both the list decision and the regime decision.
| Evidence area | What to keep |
|---|---|
| Regime classification | Why the business or operation was treated as financial-sector, fintech, insurance, retirement, SOFOM, money-transmission, or LFPIORPI vulnerable-activity workflow. |
| List policy | Which Mexican and foreign lists were screened, why they were selected, and when they were last refreshed. |
| Input data | Customer or user names, aliases, official IDs, beneficial-controller data, representatives, counterparties, account or wallet data, and transaction details. |
| Match review | Candidate records, identifiers compared, documents reviewed, false-positive rationale, escalation, and approval. |
| Reporting decision | Whether the case triggered LPB handling, unusual-operation reporting, a vulnerable-activity notice, a 24-hour route, or no report. |
| Retention record | Case ID, reviewer, timestamp, source evidence, final outcome, and retention horizon used. |
Weak evidence is a common failure point. A note that says "cleared" is not enough. A defensible file should explain why a hit was cleared, why a match was confirmed, why an operation was suspended, or why a notice was filed.
Mexico AML/CFT Screening Checklist
Use this checklist to build a Mexico-ready operating model:
- Classify the business under the right regime: financial entity, fintech, insurer, retirement entity, SOFOM, money transmitter, exchange-related activity, or LFPIORPI vulnerable activity.
- Map the supervisor and channel: CNBV / SITI PLD/FT, CNSF formats, CONSAR formats, or SAT / SPPLD.
- Treat the LPB as the clearest Mexican domestic blocked-person trigger for financial-sector workflows.
- If the firm is authorised to receive LPB information, handle it as confidential operational data rather than as a public list feed.
- Include UN Security Council lists in the Mexico-facing baseline or near-baseline where the firm's sector policy supports it.
- Add OFAC, EU, UK, and other lists where exposure, banking relationships, currencies, contracts, or group policy justify them.
- Capture enough identifiers to resolve hits: legal name, aliases, official IDs, date of birth, nationality, address, registration data, beneficial-controller data, representatives, counterparties, wallets, accounts, and transaction context.
- Separate false positives, potential matches, confirmed LPB matches, unusual-operation indicators, and vulnerable-activity suspicion notices.
- Configure 24-hour workflows for confirmed LPB situations and post-reform LFPIORPI suspicion scenarios where applicable.
- Preserve the source, list version or refresh timestamp, screened data, candidate result, rationale, reviewer, decision, filing action, and retention basis.
- Flag source conflicts, especially the public 5-year versus 10-year vulnerable-activity retention language, for legal validation before turning them into internal policy.
How Checklynx Supports the Workflow
Checklynx supports Mexico screening as a workflow, not only as a list lookup. Teams can screen customers and counterparties, compare identifiers, manage alert review, preserve decision evidence, run batch or API checks, monitor changes, and maintain a record of why each case was cleared, escalated, reported, or retained.
That matters in Mexico because the obligations differ by sector. A fintech, an insurer, a money transmitter, a real-estate company, and a notary do not all share the same supervisor or reporting channel. A practical system should preserve the context around the regime, the list policy, the hit review, and the reporting decision.
Where a regulated firm is authorised to receive confidential LPB information through official channels, Checklynx can help consume that data inside a controlled screening workflow: restrict access, preserve refresh history, separate LPB results from public-list results, record reviewer decisions, and retain evidence without treating the LPB as a public downloadable source.
FAQ
What is Mexico's financial intelligence unit?
Mexico's financial intelligence unit is the UIF. It receives and analyses reports and notices, while CNBV, CNSF, CONSAR, and SAT/SPPLD each matter for different sectors and workflows.
Does Mexico have one AML/CFT rulebook for all sectors?
No. Financial entities follow sectoral financial laws and supervisor-specific provisions. Non-financial vulnerable activities follow LFPIORPI and the SAT/SPPLD process.
What is the Lista de Personas Bloqueadas?
The Lista de Personas Bloqueadas is Mexico's blocked-person control mechanism used in financial-sector AML/CFT frameworks. It is not published as an open public sanctions list. Article 115 of the Ley de Instituciones de Crédito says SHCP informs credit institutions through a confidential blocked-person list, and a confirmed LPB match can require immediate suspension of acts, operations, or services and reporting through the applicable supervisor route.
Should Mexican firms screen UN, OFAC, EU, and UK lists?
UN lists are the strongest foreign-source baseline because they are official and referenced in Mexican risk-based materials. OFAC, EU, UK, and other lists should be added where the firm's exposure justifies them, such as USD clearing, foreign counterparties, group policy, or cross-border contracts.
Are OFAC, EU, and UK lists mandatory for every Mexican obliged entity?
The reviewed Mexican public sources do not support a blanket rule that every obliged entity must screen those lists as a universal domestic-law requirement. They are important risk-based extensions for internationally exposed firms.
What happens after a confirmed LPB match?
CNBV materials describe immediate suspension of the relevant act, operation, or service and reporting to SHCP through CNBV within 24 hours for supervised subjects. The exact process should follow the applicable sectoral rule and supervisor instructions.
What changed in the 2025 LFPIORPI reform?
The reform strengthened beneficial-controller handling, record retention, risk-based evaluation, internal policies, annual training, automated monitoring, audit or review concepts, and a 24-hour notice pathway for suspicious facts or indicia.
Does the LFPIORPI 24-hour notice apply if the transaction is not completed?
The March 2026 regulation reform materials indicate that the notice route can apply even where the act or operation was not completed. Firms should validate the operative rule against the latest SAT/SPPLD rules and counsel advice.
Where are vulnerable-activity notices filed?
Through SPPLD, the SAT portal for LFPIORPI registration, notices, and zero reports.
How long should records be retained?
For LFPIORPI vulnerable activities, SAT criteria say ten years for acts or operations carried out from 17 July 2025, but older SAT pages still show five-year language. For financial sectors, the exact period should be checked against the applicable sectoral provisions.
Official Sources Explained
- UIF: What is the UIF?: official description of Mexico's financial intelligence unit and its role in receiving and analysing reports and notices.
- CNBV AML/CFT programme page: official CNBV page on prevention, inspection, and surveillance of PLD/FT/FPADM obligations.
- SAT / SPPLD portal: operational source for vulnerable-activity registration, notices, zero reports, obligations, criteria, and FAQs.
- SAT LFPIORPI criteria: source for post-reform criteria including 10-year retention from 17 July 2025 and timing caveats for some Article 18 obligations.
- LFPIORPI consolidated text: legal backbone for vulnerable activities, identification, beneficial controller, notices, recordkeeping, risk-based controls, and post-reform obligations.
- Ley de Instituciones de Crédito: banking-law source for Article 115 and the blocked-person architecture.
- Ley para Regular las Instituciones de Tecnología Financiera: fintech-law source for Article 58 and ITF AML/CFT obligations.
- UN Security Council Consolidated List: official UN list source for risk-based sanctions screening.
- OFAC Sanctions List Service: official U.S. list-delivery endpoint for firms with U.S. exposure, USD clearing, or group-policy requirements.
- EU consolidated financial sanctions data: official EU sanctions data source.
- UK Sanctions List: official UK designations source.
Last reviewed: 25 May 2026.