Money Transmitters and Payments
Agents, correspondents, intercompany, and contracts
The contractual label does not determine the regime. What matters is whether the third party receives or delivers funds, interacts with the user, makes compliance decisions, or merely provides technology and support. The entity retains regulatory responsibility even when it outsources execution.
Contents: ten microblogs
- Related agent or provider: classification by function
- Annual notice of related agents: file and acknowledgment
- Functions that must not be diluted when hiring third parties
- Limits of intercompany services in a regulated entity
- Intercompany MSA: annexes and SLAs that actually work
- Intercompany charges: scope, support, and exclusions
- Foreign support and user data
- Audit right over critical providers
- Exit plan for a critical provider
- Contract with the user: operation, fee, and responsibility
Map of decisions and controls
| Topic | Risk it resolves | Minimum evidence |
|---|---|---|
| Related agent or provider: classification by function | Classification depends on whether the person receives funds from the transmitter to deliver them to the beneficiary and on how the entity intervenes. | Interview the operation and observe the flow. |
| Annual notice of related agents: file and acknowledgment | The official agreement provides for the CO to submit, within the first fifteen business days of January, the list of agents and third parties in the designated format and channel. | Freeze the universe as of a defined date. |
| Functions that must not be diluted when hiring third parties | Even if a third party performs tasks, the transmitter retains responsibility for agent operations and for compliance with Article 95 Bis. | Expressly reserve regulatory decisions. |
| Limits of intercompany services in a regulated entity | Belonging to the same group does not eliminate documentation, confidentiality, security, conflicts, or supervision. | Create a detailed catalog of services. |
| Intercompany MSA: annexes and SLAs that actually work | The master agreement must be supported by service orders with scope, deliverables, levels, metrics, price, data, continuity, audit, and termination. | Define metrics by service and risk. |
| Intercompany charges: scope, support, and exclusions | The consideration must correspond to real and distinguishable services, with an allocation method and support. | Document method, basis, and frequency. |
| Foreign support and user data | Before granting access, the data controller, processor or third party, purposes, transfers, security measures, and subcontracting must be defined. | Apply least privilege and masking. |
| Audit right over critical providers | The clause must allow access to information, personnel, systems, and subcontractors in proportional scope, in addition to cooperating with authorities. | Distinguish routine audit from incident audit. |
| Exit plan for a critical provider | Termination must allow exporting complete data, maintaining service during the transition, revoking access, destroying copies, and transferring knowledge. | Define the exit package and format. |
| Contract with the user: operation, fee, and responsibility | The contract must explain instruction, acceptance, funding, exchange rate, fee, delivery, cancellation, refunds, limits, data, and claims. | Use the same statuses in the contract and the product. |
Implementation method
Classify each third party by activity, access to funds, access to data, and decision-making capacity. Turn that classification into service annexes, service levels, audit right, continuity, subcontracting, and orderly exit.
Related agent or provider: classification by function
Decision point
Classification starts from the actual function: receiving or delivering funds, promoting, capturing data, operating technology, or deciding on compliance. Access to funds, interaction with the user, and instruction capacity weigh more than the label. The contract is corrected so that its object, controls, and supervision reflect that reality.
Checklist
- Interview the operation and observe the flow.
- Classify access to funds, data, and decisions.
- Review the label, object, and annexes of the contract.
Observed pattern
In an anonymized map, the third party called a "consultant" also coordinated deliveries; the actual function required redesigning the contract and controls.
How to put it into practice
Observe the third party carrying out an operation and compare it with their contract. Record whether they touch funds, data, the user, or decisions. Classify each function by regime and control. If the model changes, update it before operating. Payments and invoices help identify services that were not inventoried. The entity keeps a single list across procurement, legal, and compliance. The contractual designation is only defensible when it matches the acts and the supervision actually exercised.
Stress test
Compare two third parties: one that only hosts infrastructure and another that receives instructions or attends users. Contract, interface, and practice determine the function, not the commercial name. The classification must detail powers, contact with funds, use of the brand, and decision-making capacity. If the provider changes activity during the relationship, trigger a reassessment instead of keeping the initial label.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Official format for the notice of related agents — Article 3 of the Agreement and Annex 1.
Annual notice of related agents: file and acknowledgment
Decision point
The annual notice is prepared by reconciling contracts, payments, operations, and compliance records. The universe is frozen as of a date, agents and third parties are classified, and the XML is generated with independent review. The CO keeps the file, hash, and acknowledgment because the submission cannot be reconstructed solely from a working list.
Checklist
- Freeze the universe as of a defined date.
- Reconcile legal, procurement, operations, and payments.
- Keep the XML, hash, and electronic acknowledgment.
Observed pattern
In an anonymized preparation, procurement had contracts that compliance had not classified; reconciliation prevented omissions from the listing.
How to put it into practice
Extract active contracts and compare them with operations and payments. Confirm the name, identifier, function, and third parties of each agent. Resolve duplicates before generating the XML. Freeze the universe and document later additions for the next event. Carry out separate technical and legal validation. Keep the exact file and the acknowledgment. The responsible party must be able to explain why a person was included or excluded without relying on a list maintained by another area.
Stress test
Maintain an annual cutoff with additions, removals, function changes, and active periods. Each row links the contract, the assessment, and the data required for the notice. Before submitting, reconcile the list against payments, access, and internal owners to uncover omitted third parties. The acknowledgment is associated with the exact version; a later modification is kept as a separate event and does not rewrite the reported cutoff.
Legal basis
- Official format for the notice of related agents — Article 3 of the Agreement and Annex 1.
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
Functions that must not be diluted when hiring third parties
Decision point
The entity may outsource execution, but it must retain direction, access, decision-making, and supervision over AML/CFT. The contractual catalog reserves acceptance, exceptions, reports, and response to authority; the provider delivers data and evidence within the deadline. Indicators make it possible to detect that the function has not been emptied of content.
Checklist
- Expressly reserve regulatory decisions.
- Require evidence and immediate access.
- Supervise performance with indicators and sampling.
Observed pattern
In an anonymized MSA, the provider prepared analyses and also approved exceptions without an authority matrix from the entity.
Frequent risk
Allowing the provider to approve its own exceptions leaves the entity without effective control over the obligation.
How to put it into practice
List the decisions that remain with the entity and the tasks the provider performs. For each one, define access, evidence, and delivery time. Test an exception and an urgent request. The transmitter must be able to replace the third party without losing cases or data. Indicators review quality, not only volume. If the affiliate prepares analyses, someone local approves them with sufficient information. Responsibility is retained through the real capacity to direct and to question.
Stress test
Take an alert decision and trace who set the rules, who analyzed, who approved, and who reported. The third party may perform tasks, but the entity must retain judgment, supervision, and access to evidence. If the contract allows subcontracting, review that chain as well. A responsibility matrix that does not match system permissions or daily practice produces a delegation that is only apparent.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
Limits of intercompany services in a regulated entity
Decision point
The affiliate must have a defined service, not a generic authorization to operate the Mexican entity. Personnel, systems, data, subcontractors, decisions, and local supervisory capacity are identified. The agreement also addresses confidentiality, continuity, and cooperation in the face of requirements.
Checklist
- Create a detailed catalog of services.
- Identify data, systems, and subprocessors.
- Maintain local capacity to direct and audit.
Observed pattern
In an anonymized agreement, broad categories such as "operations" concealed compliance and customer-support functions; disaggregating them made it possible to assign owners.
Frequent risk
Belonging to the group does not eliminate data transfers, conflicts, or the need to demonstrate who performed each task.
How to put it into practice
Break the intercompany service down by process, system, and personnel. Identify which data crosses the border and who authorizes access. Establish metrics and evidence for each deliverable. The local entity maintains the knowledge to supervise and respond. Review subcontractors and conflicts. Upon termination, ensure portability and support. The economic group facilitates coordination, but it does not replace a contract nor by itself demonstrate that the regulated company retains effective direction.
Stress test
Examine a group instruction that asks the foreign provider to suspend a user. Determine whether it acts as support in accordance with documented criteria or exercises regulatory discretion. Corporate power of attorney, MSA, and manual must assign the decision to the correct entity. Shared services can contribute technical capacity, but they must not turn the provider into a compliance body without the applicable appointment and responsibility.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
Intercompany MSA: annexes and SLAs that actually work
Decision point
The MSA becomes operational through service orders with deliverables, metrics, prices, security, and regulatory support. Uptime does not measure KYC quality, data accuracy, or timely delivery of logs. Each SLA has a source, calculation method, remedy, and escalation between local and foreign responsible parties.
Checklist
- Define metrics by service and risk.
- Add deadlines for evidence and cooperation.
- Provide for credits, remediation, and escalation.
Observed pattern
In an anonymized MSA, the technical annex measured uptime but not the delivery of evidence for requirements; a regulatory SLA was added.
Frequent risk
A catalog that only says operations or technology makes it impossible to know what evidence the affiliate must deliver.
How to put it into practice
Each service order must indicate outcome, frequency, source, and price. Design metrics for KYC quality, alerts, and evidence, in addition to availability. Align time zones and escalation clocks. Test how a request from an authority is handled. Service credits do not replace remediation. Keep performance reports and meetings. A useful SLA makes it possible to decide whether the service complies and what happens when incorrect data affects a regulatory obligation.
Stress test
Use a high-severity incident to read the MSA. The affected service, response time, escalation, access to records, cooperation, and recovery must appear, with consistent annexes. Then compare the text with a real ticket. An SLA expressed only as an availability percentage does not cover investigation, compliance, or restoration of the data needed to explain an operation.
Legal basis
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
Intercompany charges: scope, support, and exclusions
Decision point
Intercompany charges must correspond to real, measurable services allocated with a consistent method. Personnel, licenses, infrastructure, and extraordinary items are separated, and fines or the affiliate's own losses are excluded. Invoice, service order, and metric are reconciled to prove substance and approval.
Checklist
- Document method, basis, and frequency.
- Exclude fines, willful misconduct, and unauthorized costs.
- Reconcile the invoice with services and metrics.
Observed pattern
In an anonymized review, a global fee included personnel, licenses, and extraordinary costs with no allocation rule; separating the components made the charge auditable.
Frequent risk
A global fee without a basis may shift costs the entity never received or was not authorized to assume.
How to put it into practice
List the components of the charge and the allocation basis. Compare personnel, licenses, and actual usage with the invoice. Exclude penalties, duplicates, and unrequested services. Approve extraordinary items before incurring them. Keep fiscal and operational evidence consistent. Review whether the price incentivizes volume over quality. Reconciliation must allow a third party to recalculate the amount and locate the associated deliverable, preventing a global fee from concealing critical functions or the affiliate's own losses.
Stress test
Select a monthly charge that mixes licenses, personnel, and development. Separate each component, its allocation basis, and the benefited entity, and link it to deliverables. The support must make it possible to exclude activities not contracted or reserved. A global invoice paid regularly proves an outlay, but it does not evidence scope, reasonableness, or that the regulated company received the declared service.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
Foreign support and user data
Decision point
Foreign remote access is data processing even if there is no download. Role, purpose, transfers, subprocessors, location, security, and revocation are defined; the view is then limited to what is necessary. The privacy notice and the contract must match the technical access matrix.
Checklist
- Apply least privilege and masking.
- Document transfers and subprocessors.
- Record access, purpose, and revocation.
Observed pattern
In an anonymized flow, support viewed complete files to resolve interface errors even though it only needed technical identifiers.
Frequent risk
Giving support complete files to resolve an interface error violates minimization and unnecessarily broadens the potential incident. The permissions matrix must prove that support only viewed the fields needed to resolve the ticket.
How to put it into practice
Build a matrix of fields visible by support profile. Test that masking and restrictions work from abroad. Record ticket, purpose, time, and revocation. The contract covers subprocessors and incidents; the privacy notice reflects the applicable transfer. Avoid using complete production data in tests. A review must demonstrate that support only accessed what was necessary and that any export was controlled, encrypted, and deleted in accordance with the instruction.
Stress test
Test a ticket to which a user identification is attached. Verify the storage region, the foreign team's access, download, retention, and deletion. The actual flow must match the contract and the privacy notice, including subprocessors. If the solution allows resolution with masked data, that configuration is preferable; operational convenience does not justify full exposure by default.
Legal basis
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
Audit right over critical providers
Decision point
The audit right must cover evidence, personnel, systems, and subcontractors, with a routine channel and another for incidents or requirements. Notice, confidentiality, costs, and remediation are agreed without allowing the provider a discretionary veto. For payments, the scope includes fraud, chargebacks, PCI, and assigned AML controls.
Checklist
- Distinguish routine audit from incident audit.
- Guarantee access to evidence and subprocessors.
- Regulate costs, confidentiality, and remediation.
Observed pattern
In an anonymized contract, the audit could only take place once a year with long notice, even after an incident; an extraordinary channel was created.
Frequent risk
An annual audit with prolonged notice is of no use when there is an active breach or an authority deadline.
How to put it into practice
Define the audit scope by risk and event. The extraordinary channel is triggered by fraud, a breach, or a requirement without waiting for the annual visit. Include subprocessors, logs, and relevant personnel. Agreeing on confidentiality must not prevent the delivery of evidence. Record findings and correction date, with the right to validate. In payments, test a chargeback and an AML control. The clause works when it produces timely access and verifiable remediation, not merely when it grants an abstract power.
Stress test
Trigger the audit right through a concrete request for logs and an interview with the provider's responsible party. Measure the deadline, format, and restrictions received. If the clause only allows generic certifications, assess whether it is enough to investigate the contracted risk. The file keeps the request, response, finding, and remediation, demonstrating that the right is exercisable and not a decorative phrase.
Legal basis
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
Exit plan for a critical provider
Decision point
An orderly exit defines the data package, format, rules, attachments, logs, assistance, and transition period. Before terminating, an export is tested and it is verified that another team can reconstruct cases. At closing, access is revoked and the deletion of copies not retained is certified.
Checklist
- Define the exit package and format.
- Test migration before a crisis.
- Ensure assistance, deadline, and certified deletion.
Observed pattern
In an anonymized plan, the provider could deliver CSV files but not rules, logs, or attachments; reconstructing the file would have been impossible.
Frequent risk
Receiving only a CSV of operations may leave behind decisions, versions, and evidence needed for AML.
How to put it into practice
Specify formats, dictionary, attachments, rules, and logs of the exit package. Run an early export and reconstruct several cases. Define assistance, costs, and coexistence period. Access revocation occurs after validating migration. Require a deletion certificate with identified legal exceptions. The plan must cover operational knowledge, not only data. An orderly termination makes it possible to continue reporting and service without depending on the previous provider's tools or personnel.
Stress test
Assume an immediate termination while there are pending operations and data on the platform. The plan must prioritize continuity, verifiable export, access revocation, and subsequent destruction, with responsible parties on both sides. Test that the exit format can be loaded into the alternative. Having a list of substitute providers is not enough if keys, documentation, or time to migrate are missing.
Legal basis
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
Contract with the user: operation, fee, and responsibility
Decision point
The contract with the user must use the same statuses as the product and support: received, funded, accepted, sent, delivered, rejected, or refunded. It explains fee, FX, limits, data, cancellation, and claim. The provider's obligations are distinguished from the transmitter's responsibility toward the customer.
Checklist
- Use the same statuses in the contract and the product.
- Show price and exchange rate before confirming.
- Define evidence and the claim channel.
Observed pattern
In an anonymized form, the definition of "completed operation" did not match the system; aligning statuses reduced disputes over timing.
Frequent risk
Defining a completed operation differently in the contract and the ledger generates disputes that are impossible to reconcile.
How to put it into practice
Compare the contractual terms with the statuses visible in the application and support. Define the moment of acceptance, the possibility of canceling, and the treatment of refunds. Break down price and FX before confirming. Keep the consent to the applicable version. Test a claim from reference to resolution. The provider's limitations must not eliminate the transmitter's responsibility. The contract works when the user and the operation describe the same sequence and offer sufficient evidence to correct an error.
Stress test
Reconstruct a disputed refund from the contract and the prior screen through to the receipt and user support. It must be clear who executes, when the instruction is considered accepted, what fee applies, and what happens in the event of an error. If partners are involved, internal responsibility limitations cannot produce contradictory messages toward the person who contracted the service.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Requirements to obtain registration as a money transmitter — RECC-TD portal and official list of requirements.
Legal basis
- General Law of Auxiliary Credit Organizations and Activities (current text) — Articles 81-A Bis, 81-B, 81-D, 86 Bis, and 95 Bis, depending on the topic.
- Legal provisions applicable to money transmitters — GPRs derived from Article 95 Bis and its amendments.
- Official format for the notice of related agents — Article 3 of the Agreement and Annex 1.
- Federal Law on the Protection of Personal Data Held by Private Parties (current text) — principles, privacy notice, transfers, and security measures.
Next step
SVA.LAW can review Agents, correspondents, intercompany, and contracts within your specific model and turn the analysis of Money Transmitters and Payments into decisions, owners, and implementation evidence. Start a conversation.