Vulnerable Activities and AML Compliance

LFPIORPI by sector: credit, real estate, virtual assets and professional services

In brief

LFPIORPI does not impose an identical program on everyone. Non-financial credit, real estate development, virtual asset exchange and professional services appear in different fractions of Article 17 and have their own triggering events, thresholds and data. The common program—identification, Beneficiario Controlador, recordkeeping, risk and notices—must be adapted to sectoral contracts and flows. The commercial label does not replace the substantive analysis.

Conceptual comparison of AML controls for credit, real estate, virtual assets and professional services.
The sectors share a discipline of evidence, but not the same triggering fact or the same operational route.

Contents

  1. Professional secrecy
  2. Virtual assets and hashes
  3. Real estate threshold
  4. Real estate red flags
  5. Professional AML clause
  6. Identification and threshold in credit
  7. Stablecoins as an activity
  8. Preparing versus administering
  9. Professional notices
  10. Due diligence in loans

How do LFPIORPI and professional secrecy coexist?

Not every legal consultation is a Vulnerable Activity. The specific service is reviewed: real estate purchase and sale, asset administration, account handling, capital contributions, or the incorporation and operation of vehicles. Preparing is then distinguished from executing on the client's behalf.

The classification file must be independent from the substantive advice and restrict access. Reported information is limited to the format and obligation; strategy, opinion or communication that is not necessary is not incorporated.

The contract informs of legal obligations without turning the client into an approver of notices. Confidentiality clauses cannot prevent compliance with the law.

How to put it into practice

Restrict the compliance folder and use references, not full copies of protected communications. The notice must contain what the format requires, not a narrative of the strategy. The contractual clause states that the provider will fulfill legal duties and request data, without promising absolute confidentiality or disclosing detection methodologies. If the client refuses to provide indispensable information, document the abstention or applicable measure. The committee that decides must include legal sensitivity and leave a memorandum justifying both reporting and not reporting.

Periodically review who may consult the classification record and the substantive file. Separation loses effectiveness if the same broad access allows both folders to be downloaded without operational need or a log.

articles 17, fraction XI, 18, 21 and 22 of the LFPIORPI in force.

What is the role of hashes and blockchain evidence?

The file preserves network, asset, addresses, hash, timestamp, amount, exchange rate or valuation method, controlled wallets and counterparty. If an explorer is used, a reference and evidence are kept; it is not presumed that it will remain available.

Custody and ownership must be distinguished. A deposit address may belong to a provider and represent assets of several clients. The system needs an internal identifier and reconciliation.

Blockchain analysis tools are mitigants, not a sole legal source. Their alerts require policy, review and documented resolution.

How to put it into practice

Preserve explorer evidence with date and source, but do not rely on a screenshot alone. Export the result, the provider's version and the resolution of alerts. For custodian wallets, reconcile the internal subaccount with the on-chain movement and fiat withdrawal. A risk score does not replace facts: document categories, exposure, possible mixers, sanctions or fraud, and the human decision. Limit the publication of addresses and personal data; the private file may link them without turning the blog or executive report into a map of clients.

Run a reverse test: from the fiat entry reach the correct hash, and from the hash return to the client and contract. Discrepancies feed a reconciliation queue with an owner and a deadline.

article 17, fraction XVI, and article 18 of the LFPIORPI, plus the general UIF criterion on virtual assets.

How do real estate thresholds work?

The project amount does not replace the value of the relevant act or transaction. Advances, partial payments and assignments are recorded individually. The UMA is applied according to date and the calculation is preserved.

The participant map distinguishes owner, developer, marketer, trust, buyer and notary. Each analyzes their own obligations; notarial intervention does not automatically release the company.

The classification is documented before deciding on format and notice. This is especially important in projects with several vehicles.

How to put it into practice

Model the project at two levels. The legal level identifies vehicle, developer, marketer, trustee, buyer and notary; the transactional level records each receipt, contract, unit, assignment and refund. In anonymized projects, adding the full contractual value at signing and also each payment doubled exposure; in others, reviewing only the deed omitted funds received earlier. The policy must define event and source without assuming that accounting and law use the same date.

Test a transaction exactly at the individual threshold, several below it whose sum is exactly equal, and another that exceeds it within six months. Preserve the multiplier, UMA, equivalent and component transactions. If there are several vehicles, the identity of the subject and the client must be resolved before accumulating; do not consolidate or separate solely for the system's convenience. The classification record determines format and responsible party, and is updated when the role or flow changes.

Include cancellations and refunds in the tests. They should only modify the calculation in accordance with an approved rule and banking evidence; a commercial note without an actual movement is not enough to withdraw the transaction.

article 17, fractions V and V Bis, of the LFPIORPI and INEGI's 2026 UMA.

Which real estate red flags must be escalated?

The catalog must be adapted to the product and market. A foreign investment is not by itself high-risk, but it may require additional documents, translations and traceability. The system avoids discriminatory rules or ones based solely on nationality.

Each alert has minimum information, a responsible party, a deadline, a decision and evidence. If there is suspicion or legal indications, the 24-hour notice is analyzed.

The resolution is not limited to "false positive". It explains why the transaction is or is not coherent and what monitoring will continue.

How to put it into practice

Link each red flag with a question and a measure. "Third-party payment" must ask for identity, relationship, account and purpose; "change of buyer" must reconstruct the assignment, beneficiary and refund. In anonymized alerts, closing as a false positive because the third party was "a relative" left the relationship and the origin of the payment unproven. The resolution must cite documents and explain coherence, not merely assign a label.

Calibrate by product: presale, lot, lease and development do not share exactly the same behavior. Review biases and avoid treating foreign investment as suspicious in itself. Urgent alerts must be kept separate from monthly review and under restricted access. Sample closed alerts and transactions without an alert to measure coverage. If it is decided to continue, establish conditions —own account, additional documentation or monitoring— and a review date. The conclusion must preserve facts without communicating sensitive analysis to the client.

Effectiveness is also measured by handling time and recurrence. Several similar alerts closed without updating rules or training indicate that the catalog is not generating operational learning.

articles 18, fraction VI, and 23 of the LFPIORPI, plus SPPLD criteria.

What must an AML clause in professional services include?

The clause is coordinated with the scope. If the provider only advises, it must not assume by wording the administration of funds. If it will execute payments or handle accounts, authorities, segregation and controls are defined.

The client declares accuracy and changes, but the obligated party retains the duty to verify. Contractual indemnity does not replace compliance.

The clause also identifies secure channels and prohibits sending sensitive data through unauthorized means.

How to put it into practice

Coordinate four documents: scope, AML clause, privacy notice and matrix of powers. The clause does not correct an ambiguous scope. In anonymized contracts, it stated that the advisor "would manage payments" while the commercial intent was only to prepare instructions; that phrase expanded functions and risks. Describing who retains decision, account and signature reduces uncertainty, as long as it matches practice.

Include the obligation to report changes of control, representative, payer and purpose, in addition to delivering documents through a secure channel. Define the effect of the lack of information and the right to terminate, without turning the client's declaration into a substitute for verification. Regulate retention, transfers and return of data. Avoid clauses that require notifying the client before any report, since they may conflict with regulatory confidentiality. Train the team to apply the clause: a contractual right that no one knows how to escalate does not work as a control.

Keep versions by date of signature. When the clause is updated, determine whether an amendment is required for existing clients and what temporary control will cover the portfolio until the migration is completed.

articles 18, 21 and 22 of the LFPIORPI and LFPDPPP in force.

In credit, does identification begin only upon reaching 1,605 UMA?

The mistake of designing onboarding only for reportable transactions leaves clients with smaller transactions without a file, which later accumulate. Identification must occur at the moment the regime marks and before losing the ability to obtain documents.

The system preserves all drawdowns for accumulation. Revolving contracts and partial payments require defining the event, not using only the approved limit or the final balance.

The matrix distinguishes activity, identification, notice and reinforced follow-up. A single threshold does not resolve the four.

How to put it into practice

Configure onboarding before the first drawdown and apply requirements according to client type and risk. The ledger preserves each drawdown, even if it is below the notice. In anonymized portfolios, the system opened a file upon crossing the limit, but multiple movements already existed and the client did not respond; requesting information from the outset would have avoided a relationship impossible to reconstruct. The abstention under Article 21 also loses its usefulness if the control arrives after disbursement.

Test a simple contract, a revolving line, a partial payment, a restructuring and accumulation. Do not use the approved limit or the final balance as a substitute for the event. Separate the individual "equal to or greater than" condition from accumulation that "exceeds" within the legal period. The matrix must indicate activity, identification, notice and reinforced measure in separate columns. For EBR and other added controls, verify RCG/transitory provisions before describing them as fully enforceable as of the cutoff.

Reconcile active clients against files and movements monthly. An undrawn line may require different treatment from a drawdown, but it must never disappear from the inventory of relationships and changes.

articles 17, fraction IV, 18 and 21 of the LFPIORPI in force.

When can a stablecoin transaction be a Vulnerable Activity?

The legal definition excludes legal tender, foreign currencies and assets denominated in them, but the classification of a token requires analysis, not its commercial name. The reform also reached transactions offered from another jurisdiction to Mexican citizens.

The file separates originator, receiver, Beneficiario Controlador, wallets, asset, network, valuation and consideration. The two notice thresholds of fraction XVI —transaction and consideration— are modeled separately.

SPPLD registration does not replace financial authorizations if the model carries out another regulated activity.

How to put it into practice

Draw the flow with client, liquidity provider, exchange, custodian, fiat accounts and wallets. Indicate who sets the price, receives orders, controls the keys, delivers the asset and collects. In anonymized models, the company claimed "software only," but it kept the omnibus wallet and could authorize withdrawals; that authority changed the analysis. Compare terms, architecture and actual permissions, not just the interface.

For each transaction preserve asset, network, address, hash, originator, receiver, BC, amount, consideration and valuation. Model the thresholds set by the fraction without mixing them and test accumulation. If the service is offered from abroad to Mexican clients, document the territorial nexus and the criterion in force. Separate LFPIORPI from the Fintech Law, payments, tax and consumer protection. A conclusion per product must list the determining facts and changes —custody, account, liquidity or representation— that require reopening it.

The analysis must include contingencies of depeg, network change and token substitution, because they may alter valuation, counterparty or custody without changing the commercial name of the service.

article 17, fraction XVI, of the LFPIORPI and UIF criterion on virtual assets.

What is the difference between preparing and administering funds?

The analysis is based on powers and flow. Holding a broad power of attorney that is not used may be relevant; executing payments without appearing in the contract is too. Engagement, powers of attorney, accounts, instructions and signatures are compared.

To reduce ambiguity, the contract limits powers, prohibits receiving funds in the provider's accounts and defines that the client retains decisions, unless the service requires otherwise and compliance is implemented.

Each recurring service is classified at the outset and when the scope changes.

How to put it into practice

Use a matrix of powers with columns for propose, approve, sign, instruct, hold in custody and reconcile. Relate contract, power of attorney, credential and account. In anonymized services, the provider was not listed as a signatory, but it had a shared banking token and prepared and sent transfers; practice exceeded the role. The review of technological access is as important as the notarial power of attorney.

If only advice is intended, the client must retain the account, credentials, decision and sending; the provider documents recommendations. If the service needs to execute, classify, segment functions and establish dual approval and a ledger. Review when personnel, account, provider or scope changes. The record must identify the specific financial act and the representation, not conclude globally that the entire project is or is not reportable. This protects professional secrecy without using it to ignore a material function.

Audit actual permissions at least when personnel joins or leaves. Revoking the formal power of attorney without removing the token, user or remote access leaves a material capacity in place that contradicts the documented classification.

article 17, fraction XI, and article 22 of the LFPIORPI in force.

When is a notice filed for complex professional services?

A corporate transaction may combine advice, drafting of contracts, account handling and execution of payment. The file separates each function and determines who carried out the transaction. Teams must not classify the entire project by its most visible phase.

The format must describe the activity without exposing unnecessary protected information. Legal and compliance review the boundary between obligation and professional secrecy.

The company preserves the memorandum, powers of attorney, instruction, account, payment and decision. This allows justifying both filing and not filing a notice.

How to put it into practice

Break the matter down into service units. For an acquisition: due diligence, negotiation, documents, incorporation of the vehicle, account opening, funding and payment. Mark in which the provider acts and in which it only advises. In anonymized projects, classifying everything as "M&A" concealed that a team member had the power to release the price. The record per function identified the event susceptible to a notice without indiscriminately reporting the entire file.

Before closing, confirm the power of attorney in force, account, signatories, BC and traceability of the payment. Afterward, preserve the instruction, receipt, calculation and decision. If no notice is filed, the memorandum explains the absence of representation or execution with evidence. If a notice is filed, it minimizes data to the format. The confidentiality of the decision requires limited access; the client does not approve the notice. Review the instructions in force and do not automatically transfer the logic of financial reports.

If the mechanics change between signing and closing —for example, a paying agent joins—, reopen the record. The prior classification does not automatically cover a new function incorporated at the last minute.

articles 17, fraction XI, 22, 23 and 24 of the LFPIORPI.

What are the particularities of due diligence in loans and credit?

For an individual, identity, activity, address, own account and third parties are verified. For a legal entity, existence, powers, structure and ultimate control are added. If a third party pays, the relationship and justification are documented.

The process blocks disbursement when critical elements are missing and escalates PEPs, lists, opaque structures or inconsistencies. Updates are triggered by events and periodicity.

The final matrix links KYC, contract, transaction and notice. Separating these repositories without a common identifier prevents reconstruction.

How to put it into practice

Design requirements by role and event. The borrower provides identity and purpose; the legal entity adds existence, powers and control; the guarantor demonstrates the relationship and the asset; the third-party payer explains the link and account. In anonymized files, the surety was identified, but the actual owner of the collateral was another company without a file. Separating roles and requiring evidence for each one avoided assuming that a single identification covered everyone.

Before disbursing, test powers, BC, account and collateral. Afterward, the ledger updates payments, changes and accumulation without overwriting history. Review triggers include restructuring, atypical prepayment, a new account, change of BC and substitution of collateral. For added EBR obligations, verify RCG/transitory provisions before describing the assessment as fully enforceable as of the cutoff; even so, documenting risk allows proportionate measures to be applied. The quality test runs from the payment to the file and from the notice to each component drawdown.

An exceptions dashboard must block new drawdowns when identity, powers or BC are missing, and allow only documented, temporary exceptions approved by a person other than the originator.

articles 17, fraction IV, 18 and 21 of the LFPIORPI in force.

Sectoral comparison

Sectoral comparison. Columns: Sector, Initial question and Distinctive evidence.
Sector Initial question Distinctive evidence
Credit who offers and draws down? drawdowns, payments and collateral
Real estate what role and act is carried out? project, property, contract and payments
Virtual assets what service and control exists? wallets, hash, originator and receiver
Professional services does it prepare or execute on behalf? scope, power of attorney, account and instruction

Next step

SVA.LAW can classify sectoral contracts and flows and turn them into LFPIORPI controls proportionate to risk. Learn about our services.


Notice: General information, not legal advice. The outcome depends on functions, contracts, flows, participants and the regulations in force.