SOFOMs
SOFOM E.N.R. in Mexico: incorporation, AML, products and compliance
A Sociedad Financiera de Objeto Múltiple, Entidad No Regulada (SOFOM E.N.R.) may habitually and professionally carry out credit, financial leasing or financial factoring transactions within the applicable framework. "Non-regulated" does not mean "without regulation": the entity interacts with CONDUSEF, is subject to PLD/FT obligations and to CNBV supervision on that matter, and must align contracts, fees, credit data, governance and evidence.
This guide organizes 80 practical questions into eight dossiers. Its purpose is to help founders, boards, legal officers, Compliance Officers and buyers identify which decision to make and which evidence to retain.
Quick route
| If you need… | Consult |
|---|---|
| To incorporate, convert or begin operations | Incorporation, conversion and start of operations |
| To order dates, portals and acknowledgments | Regulatory calendar |
| To design the board, powers, CO and CCC | Corporate governance and AML |
| To align the manual, EBR and technology | Manual, EBR and systems |
| To resolve KYC, UBO, PEP and high risk | KYC and controlling beneficial owner |
| To analyze reports, SITI and LPB | SITI, reports and LPB |
| To design contracts and credit charges | Products, CAT, fees and CONDUSEF |
| To buy, sell or remediate a SOFOM | M&A, financing and remediation |
What a SOFOM E.N.R. is and is not
The vehicle serves to professionally organize certain financing businesses. It is not a bank, it does not authorize the taking of deposits from the public, nor does it turn any flow into credit. The design begins with the actual product: who delivers resources, to whom, with what obligation of restitution, what collateral exists, who collects, which third parties participate and how it is accounted for.
The E.N.R. designation distinguishes these SOFOM from regulated entities within the meaning contemplated by the LGOAAC. Even so, there are corporate, registry, transparency and user-protection, credit-information and PLD/FT obligations. Each product may further trigger civil, commercial, tax, data and financial-consumer rules.
The compliance system
A functional program has six connected layers:
- Governance: bodies, powers, Compliance Officer, CCC or board, audit and escalation.
- Internal rules: manual, EBR, credit policies, contracts, privacy and procedures.
- Technology: onboarding, file, lists, alerts, calculation, statements, reports, SIC and logs.
- Operation: origination, approval, disbursement, payments, collections, complaints and corrections.
- Evidence: versions, minutes, databases, tests, files submitted, folios and remediation.
- Review: monitoring, audit, supervision, regulatory changes and effectiveness control.
If one layer contradicts another, the SOFOM is exposed. A manual may state that an interview takes place; the platform may fail to capture it. The contract may charge a fee that RECO does not reflect. The SIC report may use an accounting date different from the actual one. The priority is to correct the cause and not only the document the authority observed.
Life cycle of a SOFOM
Design and vehicle
Compare incorporating, converting or acquiring. Define products, customers, channel, funding and compliance capacity before choosing the vehicle. An old company offers no advantage if its books, taxes or registries are uncertain.
Regulatory preparation
Coordinate the technical opinion, SIPRES, SITI, UNE/REUNE, RECA/RECO, SIC, contracts, manual and systems. The sequence depends on the case; each activity must have a clear completion condition.
Go-live
Test the full customer journey and the exceptions. The launch committee must receive evidence, not merely progress statements. Retain the decision minutes and non-critical open items with an owner.
Operation and change
The calendar combines periodic obligations and events. Changes of shareholders, powers, CO, product, charge, channel or provider may trigger simultaneous updates. No material change should be deployed without an impact analysis.
Audit, remediation or sale
Audit assesses design and implementation. Findings are turned into plans with cause, owner, date and evidence. In M&A, those same records allow the entity to be verified and risks to be allocated.
Governance and responsibility
The board or administrator retains responsibilities even when it engages advisory services and technology. The CO needs independence, information and resources; the CCC needs data and follow-up; the provider needs scope and supervision. The minutes must show analysis, decision and closure.
A small SOFOM may have a more compact structure, but not an informal one. If the board assumes functions that would otherwise correspond to the CCC in the applicable case, it must document them with equal discipline.
Risk-based PLD/FT
The minimum file does not disappear because of low risk. The EBR adds proportionality: customer, product, geography, transaction and channel factors feed classification, due diligence and monitoring. Controls only reduce residual risk if they work and it can be proven.
For legal entities, the entity identifies representation, ownership and control. For high-risk customers, it documents source, purpose, approval and follow-up. For alerts and reports, it separates facts, analysis and conclusion.
Products, transparency and data
The product must map all flows. Interest, fee, expense, insurance, technology, FX and third-party charge require a nature and support. Contract, cover sheet, RECA, RECO, CAT, account statement and system must match.
The relationship with the SIC requires authorization, quality and correction. Credit data is not an automatic by-product of accounting; it needs rules, reconciliation and traceability.
Evidence a SOFOM should be able to show
- corporate chain, books, powers and appointments;
- opinion and application/renewal file;
- manual, EBR, versions and approvals;
- system configuration and tests;
- high-risk files and decisions;
- alerts, reports, files and folios;
- contracts, cover sheets, charges and registries;
- SIC reports and reconciliations;
- audits and remediations;
- calendar and event log.
12-question diagnostic
- Does the corporate purpose match the actual products and flows?
- Can the entity recover all its access without a provider?
- Is the opinion in force and its file complete?
- Do the manual, EBR and system share definitions?
- Does the competent body review useful AML information?
- Does each legal-entity customer resolve to natural persons under a documented methodology?
- Do the alerts have an owner, deadline and evidence of closure?
- Can the reports be reconstructed from the database to the folio?
- Does each charge match in contract, cover sheet, RECO and system?
- Does the SIC information reconcile with the portfolio and accounting?
- Do material changes trigger a multidisciplinary review?
- Do closed findings have evidence of effectiveness?
A negative answer does not always mean non-compliance, but it does mean a hypothesis that must be investigated.
How to read compliance by stages
The same obligation changes form depending on the entity's moment. A SOFOM in design needs to demonstrate that its decisions have an owner and a dependency. A pre-operational entity must prove configuration and zeros with databases. An entity with a portfolio needs to reconcile customers, transactions, statements and reports. A SOFOM for sale must turn all of the foregoing into transferable evidence.
Stage 1: design
The central deliverable is a model map: product, customer, channel, funding, flow, third parties and data. From it, the bylaws, general plan, manual, credit policy, contract and architecture are drafted. Starting with separate templates tends to produce contradictions. The control question is: does each verb of the contract and plan correspond to an actor, system and evidence?
Stage 2: preparation
The entity completes the opinion, registries, governance, a contract in force with a credit-information company, accounts, providers and tests. "Available" is not "operational": a SIC user without a contract in force or a system without negative scenarios does not pass the go-live gate. The competent body must receive a matrix of blockers and not a presentation showing only progress.
Stage 3: first transaction
The first customer is a full regulatory test. Preserve which documents were received, how the beneficial owner was determined, who approved risk and credit, which contract was signed, how disbursement occurred, which data reached the SIC and which alerts were run. The goal is not to produce a perfect file for display, but to verify that ordinary operation generates evidence without extraordinary intervention.
Stage 4: recurring operation
Control shifts from existence to effectiveness. The board and CO need trends: overdue files, aged alerts, corrected reports, SIC differences, complaints, changes and remediations. A low number of incidents is not automatically good; it may indicate poorly configured rules or a lack of detection.
Stage 5: change, audit or sale
Each modification of control, product, charge, channel or provider must trigger an impact sheet. Audit tests samples and evidence. In M&A, the buyer verifies continuity and allocates risks. A mature entity can deliver an evidence package per obligation without depending on a specific person.
The rule of consistency between documents and operation
To assess a control, follow an assertion through six layers:
- Basis: what the rule in force requires or permits.
- Governance: who decided and who is responsible.
- Document: where the policy or product is described.
- System: how it is executed or blocked.
- Operation: what the user or staff member does.
- Evidence: which record allows it to be reconstructed.
Example: "a list is checked before disbursement." The basis defines the duty; the manual indicates the moment and the person responsible; the system executes and records; operations cannot skip it; audit takes a sample; and an incident generates remediation. If a layer is missing, the assertion requires correction or a more precise formulation.
This rule also applies to product. A technology charge must appear with the same nature in the proposal, contract, cover sheet, RECO, CAT, system and statement. If one layer treats it as mandatory and another as optional, there is no single, understandable product.
The contract with a SIC as a continuity control
The relationship with credit-information companies deserves its own attention. Under the CONDUSEF Provisions on registries, the SOFOM must maintain a contract in force with at least one SIC; articles 59 and 61 are the closest reference for the obligation and its registry effects. For this reason, a negotiation, letter of intent or technical access without a contract in force is not sufficient.
The control has three dimensions:
- legal: contract, annexes, term, termination and confidentiality;
- operational: users, layouts, authorizations, submissions, responses and disputes;
- quality: reconciliation among portfolio, accounting, statements and reported data.
In an entity without a portfolio, the contract remains relevant and the zero requires evidence. In a purchase and sale, the buyer must confirm that the contract can continue or plan an overlap. In a product change, it must verify coverage and catalogs. The omission is not resolved by submitting a retrospective file: it requires restoring the relationship and analyzing the consequences.
The three-lines model adapted to a SOFOM
The first line—product, credit, operations, collections and service—generates and controls the data. The second—compliance, risk and legal—designs frameworks, monitors and escalates. The third—audit—assesses independently. In a small entity, the people may be few, but the functions must not collapse into a single approval.
A RACI matrix must cover at least: onboarding, beneficial owner, high risk, credit, disbursement, contractual changes, fees, SIC, alerts, reports, complaints, access and remediation. When one person accumulates functions, establish subsequent review, joint signature or independent sampling.
The board does not execute the control daily; it receives information that allows it to govern it. The CO does not replace product; it questions and escalates. Audit does not design the same process it will later assess. This clarity reduces both omission and the unrealistic expectation that "compliance takes care of everything."
Change management: the control that connects everything
Many instances of non-compliance arise not at incorporation, but at the moment of change. A new charge may affect CAT and RECO; a new provider changes data and access; an acquisition changes control and powers; a new channel modifies the EBR and the system. Change management must begin before the business is approved.
Use a sheet with: description; objective; owner; date; affected customers; basis; corporate, AML, CONDUSEF, SIC, tax, data and technology impact; tests; communications; go-live condition; and subsequent review. Urgent changes may have a fast track, but not an absence of evidence.
After deployment, compare the expected result with actual data. If the change altered classification, charges, reports or the user experience, take a sample and document the correction. In this way the event-driven calendar becomes a business practice and not a reminder exclusive to the legal area.
What it means to be ready for supervision
Being ready does not mean maintaining a permanent data room with duplicates. It means being able to answer a question through index, source and evidence. For each material obligation, the SOFOM must locate the basis in force, policy, person responsible, operational sample, filing or acknowledgment, finding and remediation status.
A solid supervisory response distinguishes four categories: verified fact; the entity's statement; legal interpretation; and future action. Avoid presenting as implemented what is in development. If something does not apply, explain the case and the evidence. If there was non-compliance, describe the cause and correction without backdating.
Privacy is part of the preparation. Files contain identifications, structures, alerts and reports; they should not circulate in full when a matrix or excerpt satisfies the request. Control purpose, access, transfer and retention.
Errors that run through the entire pillar
- Treating "E.N.R." as an absence of supervision.
- Opening operations with critical fronts pending.
- Copying another entity's manuals, contracts or calendars.
- Leaving keys, files or knowledge solely in the provider's hands.
- Replicating data without reconciling it.
- Resolving observations with written submissions, not with operational changes.
- Confusing registration with authorization or full approval.
- Publishing or circulating evidence with unnecessary personal data.
Frequently asked questions
Can a SOFOM E.N.R. take deposits from the public?
The vehicle does not enable banking deposit-taking. Funding and flow must be structured and analyzed separately.
Who supervises a SOFOM E.N.R.?
Different authorities intervene depending on the matter. The CNBV has relevant functions in PLD/FT; CONDUSEF administers registries and user protection; other authorities act within their scope.
Can compliance be outsourced?
Services and technology may be engaged, but institutional responsibility, governance and evidence are not fully transferred.
What is the first document that should be prepared?
Before mass drafting, a map of the model and of obligations is advisable. That map determines the bylaws, plan, manual, system and contracts.
Legal basis
- Ley General de Organizaciones y Actividades Auxiliares del Crédito, current text.
- CNBV: provisions applicable to SOFOM E.N.R..
- CNBV: frequently asked questions for SOFOM E.N.R..
- CONDUSEF: Portal Único de Registros.
- CONDUSEF: SOFOM E.N.R. status lookup.
- Cámara de Diputados: current federal laws.
Next step
SVA.LAW advises on the incorporation and acquisition of SOFOM, PLD/FT, governance, product, contracts, CONDUSEF, audit and remediation. The starting point may be a focused diagnostic with a risk map and deliverables.
This guide is informational, refers to Mexico and does not constitute legal advice. The regime, deadlines and obligations must be verified for the specific entity, product and date.
Editorial route
Dossiers in this guide
Incorporation and start of operations
Incorporation, conversion and start of operations of a SOFOM E.N.R.
Incorporation, conversion and start of operations of a SOFOM E.N.R. | SVA LAW guide on SOFOMs: decisions, controls and evidence to operate in Mexico.
Regulatory calendar and portals
Regulatory calendar CNBV, CONDUSEF, SIPRES, SITI, REUNE, RECA, RECO and SIC
Regulatory calendar CNBV, CONDUSEF, SIPRES, SITI, REUNE, RECA, RECO and SIC | Legal keys, controls and evidence to operate in Mexico.
Corporate governance and PLD/FT
Corporate governance, powers, Compliance Officer, CCC and board
Corporate governance, powers, Compliance Officer, CCC and board | SVA LAW guide on SOFOMs: decisions, controls and evidence to operate in Mexico.
Manual, EBR and systems
PLD/FT manual, EBR, automated systems and controls
PLD/FT manual, EBR, automated systems and controls | SVA LAW practical guide to identify decisions, controls and evidence applicable in Mexico.
KYC and due diligence
KYC, controlling beneficial owner, PEP and high-risk customers
KYC, controlling beneficial owner, PEP and high-risk customers | SVA LAW guide on regulatory decisions, operational controls and evidence in Mexico.
Reports and Blocked Persons List
SITI, reports, LPB, unusual transactions and evidence
SITI, reports, LPB, unusual transactions and evidence | SVA LAW practical guide to identify decisions, controls and evidence applicable in Mexico.
Product and user protection
Credit products, contracts, CAT, fees, default and CONDUSEF
Credit products, contracts, CAT, fees, default and CONDUSEF | SVA LAW guide on SOFOMs: decisions, controls and evidence to operate in Mexico.
M&A and remediation
Purchase, sale, due diligence, financing and remediation of a SOFOM
Purchase, sale, due diligence, financing and remediation of a SOFOM | SVA LAW guide on SOFOMs: decisions, controls and evidence to operate in Mexico.