KYC / AML: What do lending companies need to ask their users to be compliant in Mexico?

Share on facebook
Share on twitter
Share on linkedin

If we’ve learned something in the last few months, it’s that the industry of lending and microcredits is booming in Mexico, with companies like Konfio receiving more than USD $100 million in recent weeks. And all these companies have something in common: they need to be compliant with Mexican financial sector laws and regulations, which is easier said than done – especially for those who are just launching here.

It can indeed be quite complicated, as Mexico has one of the most complex financial systems in the world. Furthermore, its AML/CFT (Anti-Money Laundering / Combating the Financing of Terrorism) regulation and supervision are at the very forefront when it comes to industry standards in the LatAm region. Mexico went even further this year, with the enactment of the FinTech law and its secondary regulations – being one of the first countries to do so in the LatAm.

But what does it mean for lending companies? How does it affect your strategy? What do you need to do to become (and stay) compliant here in Mexico? Leave us the headache, just follow the guide!

Meet CNBV, your new best friend

CNBV, for Comisión Nacional Bancaria y de Valores, supervises and regulates the entities that are part of the Mexican financial system. And yes, this is also the entity that regulates lending and microcredit companies here in Mexico – no matter your legal status or the type of entity you’re working under.

You’re a SOFOM? You’re regulated by the CNBV. A SOFIPO? Same. A newly born microcredit startup that operates only online under an LLC? Well, you’ve guessed it, you’re also regulated by the CNBV. This is not the only thing you have in common, by the way. You are sharing the same identity verification obligations, too – yay!

In terms of customer identification, legal obligations imposed on credit companies in Mexico are linked to two sets of regulations: AML policies and Onboarding obligations that apply every time someone is creating an account on your platform. Both require that you proceed to:

  • General identification and validation of the customer through an ID document verification;
  • KYC process, to make sure the customer is not registered on several watchlists (criminal lists, Politically Exposed Person list, etc).

We’ll focus on those two sets of obligations in this article, and on the checks you must perform during the onboarding phase – ie. before granting a loan to your customer.

What lending companies need to check, according to the law

You need to know your customer, and as such, you need to ask him specific details. Lucky for you, the majority of these elements can be extracted from a simple ID card with a good OCR (for Optical Character Recognition) technology – no need to ask your customer to fill up +50 form fields. Here are all the items that you must ask him by law:

1. A color photo of an official ID document (front & back)

INE (the Mexican voter registration card, which is considered by the government as the most valid ID in Mexico), passport, FM3, or military service cards. Please note that in Mexico, licenses are not usually considered as valid for banking processes. But anyway, from this official ID, you’ll have to extract:

The official template for INE card 

Resultado de imagen de oficial ine template
  • First & last name
  • Birthdate Gender
  • Country of birth & nationality
  • CURP number, for Clave Única de Registro de Población: this is an 18 digits code, unique, used to identify residents and Mexican citizens in the country Direction

2. Other information/document you need to ask

  • RFC number, for Registro Federal de Contribuyentes (a sequence of digits used to identify every taxpayer in Mexico)
  • Phone number or email address
  • Activity / Profession / Job title
  • A proof of the opening of a deposit account
  • A color photo of the customer’s face

Of course, the law also stipulates that you must put in place some processes to detect suspicious behaviors. Meaning that you must also verify the authenticity of the information the customer provided you. If a document is missing, if something looks altered, if the files transferred are of low quality, if any of the given information doesn’t match a specific register, you must be able to immediately suspend the account and the process of contractualization with the customer.

Here are some examples of the verifications you must conduct during the onboarding phase:

  • Make sure the CURP number the customer gave you exists in the Registro Nacional de Población, and match the data registered as well;
  • Make sure the data on the INE matches with the register of the Instituto Nacional Electoral, especially the Código Identificador de Credencial (CIC), the card number, the issuing year, the voter number and voter name.

Regulations also require that you conduct a biometric check of the user, to make sure there is a match between the photo of the ID and the photo/video of their face. You’ll also need to check if the person is registered in one of the watchlists recognized by the Mexican government (ie. Secretaría de Hacienda y Crédito Público, Interpol, Politically Exposed Person list, etc). It’s a match? Well, you must then start a due diligence process 🧐

Credit score checks are not an obligation according to the law, but we don’t need to tell you that this is definitely something you should think of integrating in your identity verification process, before or after the ID check.

Documenting the process itself

Yep, this is right: regulations also require that the integrality of each identity verification process is logged and duly registered. You must indeed register the time and date of each exchange with the customer, but also keep everything the person has sent you (photos, video files, etc), without editing any of it.  

Another obligation if you’re a lending company? Keeping records of every account for up to 10 years! Moreover, the way you keep your records (especially if they’re digitized) needs to comply with NOM-151-SCFI-2016! That seems barbaric to you? Don’t worry, our legal team is here to help 🤓

Getting proof of consent

Last but not the least, when it comes to current lending business models which are mainly cloud-based, CNBV requires lending companies to record their users’ consenting to the credit and the conditions like interest rates and prepayments. Suffice to say, any front end engineer would cringe at the concept of putting a user through this process.

Well, relax: Mati got you covered. The CNBV has validated last year that our product is so robust that our clients could skip this step! This completely changes the way you comply with this set of regulations, but more importantly, how your user interacts with your platform.

Yeah, that’s a lot, but following those obligations is crucial for your business. Not only because if you don’t, you risk fines and an interdiction to operate in Mexico, but also because this would prevent frauds on your platform. So make sure your team has everything in hand to start building a performing identity verification funnel! You’re about to launch in Mexico? No worries: our Legal team is there to help and guide you along the compliance process.👉If you want to know more about Mati and see how we can help you, contact us here! Or read more information regarding KYC / AML regulations here.

Share this post with your friends

Share on facebook
Share on twitter
Share on linkedin

1 comments On KYC / AML: What do lending companies need to ask their users to be compliant in Mexico?

Leave a reply:

Your email address will not be published.

Subscribe to our Newsletter