SOFOMs

SOFOM E.N.R. in Mexico: incorporation, AML, products and compliance

In brief

A Sociedad Financiera de Objeto Múltiple, Entidad No Regulada (SOFOM E.N.R.) may habitually and professionally carry out credit, financial leasing or financial factoring transactions within the applicable framework. "Non-regulated" does not mean "without regulation": the entity interacts with CONDUSEF, is subject to PLD/FT obligations and to CNBV supervision on that matter, and must align contracts, fees, credit data, governance and evidence.

Map of six components and five stages of the compliance of a SOFOM E.N.R.
An operable SOFOM aligns governance, AML, product, data, evidence and review throughout its entire life cycle.

This guide organizes 80 practical questions into eight dossiers. Its purpose is to help founders, boards, legal officers, Compliance Officers and buyers identify which decision to make and which evidence to retain.

Quick route

Quick route. Columns: If you need… and Consult.
If you need… Consult
To incorporate, convert or begin operations Incorporation, conversion and start of operations
To order dates, portals and acknowledgments Regulatory calendar
To design the board, powers, CO and CCC Corporate governance and AML
To align the manual, EBR and technology Manual, EBR and systems
To resolve KYC, UBO, PEP and high risk KYC and controlling beneficial owner
To analyze reports, SITI and LPB SITI, reports and LPB
To design contracts and credit charges Products, CAT, fees and CONDUSEF
To buy, sell or remediate a SOFOM M&A, financing and remediation

What a SOFOM E.N.R. is and is not

The vehicle serves to professionally organize certain financing businesses. It is not a bank, it does not authorize the taking of deposits from the public, nor does it turn any flow into credit. The design begins with the actual product: who delivers resources, to whom, with what obligation of restitution, what collateral exists, who collects, which third parties participate and how it is accounted for.

The E.N.R. designation distinguishes these SOFOM from regulated entities within the meaning contemplated by the LGOAAC. Even so, there are corporate, registry, transparency and user-protection, credit-information and PLD/FT obligations. Each product may further trigger civil, commercial, tax, data and financial-consumer rules.

The compliance system

A functional program has six connected layers:

  1. Governance: bodies, powers, Compliance Officer, CCC or board, audit and escalation.
  2. Internal rules: manual, EBR, credit policies, contracts, privacy and procedures.
  3. Technology: onboarding, file, lists, alerts, calculation, statements, reports, SIC and logs.
  4. Operation: origination, approval, disbursement, payments, collections, complaints and corrections.
  5. Evidence: versions, minutes, databases, tests, files submitted, folios and remediation.
  6. Review: monitoring, audit, supervision, regulatory changes and effectiveness control.

If one layer contradicts another, the SOFOM is exposed. A manual may state that an interview takes place; the platform may fail to capture it. The contract may charge a fee that RECO does not reflect. The SIC report may use an accounting date different from the actual one. The priority is to correct the cause and not only the document the authority observed.

Life cycle of a SOFOM

Design and vehicle

Compare incorporating, converting or acquiring. Define products, customers, channel, funding and compliance capacity before choosing the vehicle. An old company offers no advantage if its books, taxes or registries are uncertain.

Regulatory preparation

Coordinate the technical opinion, SIPRES, SITI, UNE/REUNE, RECA/RECO, SIC, contracts, manual and systems. The sequence depends on the case; each activity must have a clear completion condition.

Go-live

Test the full customer journey and the exceptions. The launch committee must receive evidence, not merely progress statements. Retain the decision minutes and non-critical open items with an owner.

Operation and change

The calendar combines periodic obligations and events. Changes of shareholders, powers, CO, product, charge, channel or provider may trigger simultaneous updates. No material change should be deployed without an impact analysis.

Audit, remediation or sale

Audit assesses design and implementation. Findings are turned into plans with cause, owner, date and evidence. In M&A, those same records allow the entity to be verified and risks to be allocated.

Governance and responsibility

The board or administrator retains responsibilities even when it engages advisory services and technology. The CO needs independence, information and resources; the CCC needs data and follow-up; the provider needs scope and supervision. The minutes must show analysis, decision and closure.

A small SOFOM may have a more compact structure, but not an informal one. If the board assumes functions that would otherwise correspond to the CCC in the applicable case, it must document them with equal discipline.

Risk-based PLD/FT

The minimum file does not disappear because of low risk. The EBR adds proportionality: customer, product, geography, transaction and channel factors feed classification, due diligence and monitoring. Controls only reduce residual risk if they work and it can be proven.

For legal entities, the entity identifies representation, ownership and control. For high-risk customers, it documents source, purpose, approval and follow-up. For alerts and reports, it separates facts, analysis and conclusion.

Products, transparency and data

The product must map all flows. Interest, fee, expense, insurance, technology, FX and third-party charge require a nature and support. Contract, cover sheet, RECA, RECO, CAT, account statement and system must match.

The relationship with the SIC requires authorization, quality and correction. Credit data is not an automatic by-product of accounting; it needs rules, reconciliation and traceability.

Evidence a SOFOM should be able to show

  • corporate chain, books, powers and appointments;
  • opinion and application/renewal file;
  • manual, EBR, versions and approvals;
  • system configuration and tests;
  • high-risk files and decisions;
  • alerts, reports, files and folios;
  • contracts, cover sheets, charges and registries;
  • SIC reports and reconciliations;
  • audits and remediations;
  • calendar and event log.

12-question diagnostic

  1. Does the corporate purpose match the actual products and flows?
  2. Can the entity recover all its access without a provider?
  3. Is the opinion in force and its file complete?
  4. Do the manual, EBR and system share definitions?
  5. Does the competent body review useful AML information?
  6. Does each legal-entity customer resolve to natural persons under a documented methodology?
  7. Do the alerts have an owner, deadline and evidence of closure?
  8. Can the reports be reconstructed from the database to the folio?
  9. Does each charge match in contract, cover sheet, RECO and system?
  10. Does the SIC information reconcile with the portfolio and accounting?
  11. Do material changes trigger a multidisciplinary review?
  12. Do closed findings have evidence of effectiveness?

A negative answer does not always mean non-compliance, but it does mean a hypothesis that must be investigated.

How to read compliance by stages

The same obligation changes form depending on the entity's moment. A SOFOM in design needs to demonstrate that its decisions have an owner and a dependency. A pre-operational entity must prove configuration and zeros with databases. An entity with a portfolio needs to reconcile customers, transactions, statements and reports. A SOFOM for sale must turn all of the foregoing into transferable evidence.

Stage 1: design

The central deliverable is a model map: product, customer, channel, funding, flow, third parties and data. From it, the bylaws, general plan, manual, credit policy, contract and architecture are drafted. Starting with separate templates tends to produce contradictions. The control question is: does each verb of the contract and plan correspond to an actor, system and evidence?

Stage 2: preparation

The entity completes the opinion, registries, governance, a contract in force with a credit-information company, accounts, providers and tests. "Available" is not "operational": a SIC user without a contract in force or a system without negative scenarios does not pass the go-live gate. The competent body must receive a matrix of blockers and not a presentation showing only progress.

Stage 3: first transaction

The first customer is a full regulatory test. Preserve which documents were received, how the beneficial owner was determined, who approved risk and credit, which contract was signed, how disbursement occurred, which data reached the SIC and which alerts were run. The goal is not to produce a perfect file for display, but to verify that ordinary operation generates evidence without extraordinary intervention.

Stage 4: recurring operation

Control shifts from existence to effectiveness. The board and CO need trends: overdue files, aged alerts, corrected reports, SIC differences, complaints, changes and remediations. A low number of incidents is not automatically good; it may indicate poorly configured rules or a lack of detection.

Stage 5: change, audit or sale

Each modification of control, product, charge, channel or provider must trigger an impact sheet. Audit tests samples and evidence. In M&A, the buyer verifies continuity and allocates risks. A mature entity can deliver an evidence package per obligation without depending on a specific person.

The rule of consistency between documents and operation

To assess a control, follow an assertion through six layers:

  1. Basis: what the rule in force requires or permits.
  2. Governance: who decided and who is responsible.
  3. Document: where the policy or product is described.
  4. System: how it is executed or blocked.
  5. Operation: what the user or staff member does.
  6. Evidence: which record allows it to be reconstructed.

Example: "a list is checked before disbursement." The basis defines the duty; the manual indicates the moment and the person responsible; the system executes and records; operations cannot skip it; audit takes a sample; and an incident generates remediation. If a layer is missing, the assertion requires correction or a more precise formulation.

This rule also applies to product. A technology charge must appear with the same nature in the proposal, contract, cover sheet, RECO, CAT, system and statement. If one layer treats it as mandatory and another as optional, there is no single, understandable product.

The contract with a SIC as a continuity control

The relationship with credit-information companies deserves its own attention. Under the CONDUSEF Provisions on registries, the SOFOM must maintain a contract in force with at least one SIC; articles 59 and 61 are the closest reference for the obligation and its registry effects. For this reason, a negotiation, letter of intent or technical access without a contract in force is not sufficient.

The control has three dimensions:

  • legal: contract, annexes, term, termination and confidentiality;
  • operational: users, layouts, authorizations, submissions, responses and disputes;
  • quality: reconciliation among portfolio, accounting, statements and reported data.

In an entity without a portfolio, the contract remains relevant and the zero requires evidence. In a purchase and sale, the buyer must confirm that the contract can continue or plan an overlap. In a product change, it must verify coverage and catalogs. The omission is not resolved by submitting a retrospective file: it requires restoring the relationship and analyzing the consequences.

The three-lines model adapted to a SOFOM

The first line—product, credit, operations, collections and service—generates and controls the data. The second—compliance, risk and legal—designs frameworks, monitors and escalates. The third—audit—assesses independently. In a small entity, the people may be few, but the functions must not collapse into a single approval.

A RACI matrix must cover at least: onboarding, beneficial owner, high risk, credit, disbursement, contractual changes, fees, SIC, alerts, reports, complaints, access and remediation. When one person accumulates functions, establish subsequent review, joint signature or independent sampling.

The board does not execute the control daily; it receives information that allows it to govern it. The CO does not replace product; it questions and escalates. Audit does not design the same process it will later assess. This clarity reduces both omission and the unrealistic expectation that "compliance takes care of everything."

Change management: the control that connects everything

Many instances of non-compliance arise not at incorporation, but at the moment of change. A new charge may affect CAT and RECO; a new provider changes data and access; an acquisition changes control and powers; a new channel modifies the EBR and the system. Change management must begin before the business is approved.

Use a sheet with: description; objective; owner; date; affected customers; basis; corporate, AML, CONDUSEF, SIC, tax, data and technology impact; tests; communications; go-live condition; and subsequent review. Urgent changes may have a fast track, but not an absence of evidence.

After deployment, compare the expected result with actual data. If the change altered classification, charges, reports or the user experience, take a sample and document the correction. In this way the event-driven calendar becomes a business practice and not a reminder exclusive to the legal area.

What it means to be ready for supervision

Being ready does not mean maintaining a permanent data room with duplicates. It means being able to answer a question through index, source and evidence. For each material obligation, the SOFOM must locate the basis in force, policy, person responsible, operational sample, filing or acknowledgment, finding and remediation status.

A solid supervisory response distinguishes four categories: verified fact; the entity's statement; legal interpretation; and future action. Avoid presenting as implemented what is in development. If something does not apply, explain the case and the evidence. If there was non-compliance, describe the cause and correction without backdating.

Privacy is part of the preparation. Files contain identifications, structures, alerts and reports; they should not circulate in full when a matrix or excerpt satisfies the request. Control purpose, access, transfer and retention.

Errors that run through the entire pillar

  • Treating "E.N.R." as an absence of supervision.
  • Opening operations with critical fronts pending.
  • Copying another entity's manuals, contracts or calendars.
  • Leaving keys, files or knowledge solely in the provider's hands.
  • Replicating data without reconciling it.
  • Resolving observations with written submissions, not with operational changes.
  • Confusing registration with authorization or full approval.
  • Publishing or circulating evidence with unnecessary personal data.

Frequently asked questions

Can a SOFOM E.N.R. take deposits from the public?

The vehicle does not enable banking deposit-taking. Funding and flow must be structured and analyzed separately.

Who supervises a SOFOM E.N.R.?

Different authorities intervene depending on the matter. The CNBV has relevant functions in PLD/FT; CONDUSEF administers registries and user protection; other authorities act within their scope.

Can compliance be outsourced?

Services and technology may be engaged, but institutional responsibility, governance and evidence are not fully transferred.

What is the first document that should be prepared?

Before mass drafting, a map of the model and of obligations is advisable. That map determines the bylaws, plan, manual, system and contracts.

Next step

SVA.LAW advises on the incorporation and acquisition of SOFOM, PLD/FT, governance, product, contracts, CONDUSEF, audit and remediation. The starting point may be a focused diagnostic with a risk map and deliverables.

This guide is informational, refers to Mexico and does not constitute legal advice. The regime, deadlines and obligations must be verified for the specific entity, product and date.

Editorial route