Money Transmitters and Payments
KYC for senders, beneficiaries, legal entities and cross-border
The file must represent the actual transaction, not merely the person who opened the account. In remittances and cross-border payments, the sender, the user, the beneficiary, the beneficial owner, the originating account, the destination account and, at times, a third-party payer coexist.
Contents: ten microblogs
- Sender and beneficiary: differences in identification
- Occasional or habitual user: do not decide on a single transaction
- KYC file of a sending legal entity
- Beneficial owner: from declaration to corroboration
- PEP and enhanced due diligence in remittances
- Non-face-to-face identification: controls that must be evidenced
- Minimum data in cross-border transfers
- Third-party payments: when to escalate an instruction
- How to remediate incomplete KYC files
- Updating and retention of the KYC file
Map of decisions and controls
| Topic | Risk it addresses | Minimum evidence |
|---|---|---|
| Sender and beneficiary: differences in identification | The sender gives instructions and provides funds. | Assign identifiers by role. |
| Occasional or habitual user: do not decide on a single transaction | The category must apply the definitions and thresholds in force together with the actual relationship and the aggregation of transactions. | Define identity-linking keys. |
| KYC file of a sending legal entity | Existence, purpose, domicile, tax identifiers, representatives, powers, structure and beneficial owner must be evidenced, in addition to the purpose of the relationship. | Validate powers against the transaction. |
| Beneficial owner: from declaration to corroboration | The client's declaration begins, but does not end, the analysis. | Separate economic ownership and control. |
| PEP and enhanced due diligence in remittances | A PEP match requires validating identity, connection, currency and risk, not automatic rejection. | Apply namesake resolution. |
| Non-face-to-face identification: controls that must be evidenced | The file must preserve data, documents, validations, biometrics or mechanisms used, geolocation where applicable, consent and the outcome of the rules. | Link each item of evidence to session and user. |
| Minimum data in cross-border transfers | The flow must preserve originator, beneficiary, participating institutions or providers, country, currency, amount, references and available purpose. | Create an end-to-end data dictionary. |
| Third-party payments: when to escalate an instruction | If the party providing funds does not match the declared sender, the entity must identify the cause, validate roles and apply its risk rules. | Compare the originating account holder with the sender. |
| How to remediate incomplete KYC files | Remediation must prioritize by risk and criticality of the data, set a date, an owner and an operational restriction, and preserve before-and-after evidence. | Classify the gap by cause and impact. |
| Updating and retention of the KYC file | Updating must respond to periodicity and events: expiry, change of representative, activity, domicile, pattern or risk. | Version data and documents with a validity period. |
Implementation method
Design a data model by role rather than a universal form. Mark which fields are mandatory before operating, which can be updated afterward and which inconsistencies block the instruction. Quality must be measured by completeness, currency, traceability and consistency across roles.
Sender and beneficiary: differences in identification
Decision point
Sender and beneficiary must exist as distinct roles even if only one maintains a recurring relationship. The platform preserves minimum data, links, history and delivery channel in order to detect concentrations or chains. For a legal entity, the representative, powers and beneficial owner are added without mixing those identities with the receiving counterparty.
Checklist
- Assign identifiers by role.
- Capture minimum data before executing.
- Monitor relationships and recurrence between counterparties.
Observed pattern
In an anonymized dataset, the beneficiary was stored as free text; normalizing it made it possible to identify multiple senders to the same person.
How to put it into practice
Model many-to-many relationships between senders and beneficiaries. Normalize enough identity to detect concentration without automatically turning the beneficiary into a habitual client. For a legal entity, keep the representative and the beneficial owner separate. Test name changes, namesakes and recurring recipients. Alerts must be able to group by person and by delivery channel. A transaction is explained when it is known who gave the instruction, who provided the funds, who received them and which document evidences each role.
Stress test
Consider a sender who remits to three beneficiaries and a beneficiary who receives from several senders. The data model must preserve those relationships without duplicating files or automatically turning each recipient into a client. Analyze concentration and recurrence with normalized identifiers. For a legal entity, the representative, the account holder and the beneficial owner remain distinct roles even when they coincide in a given transaction.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
Occasional or habitual user: do not decide on a single transaction
Decision point
The occasional or habitual classification combines the regulatory definition, the relationship and the aggregation of transactions. Identifiers must link sessions, documents, devices and accounts to prevent structuring from reducing controls. The rule is versioned and explains when a new transaction requires completing or updating the file.
Checklist
- Define identity-linking keys.
- Aggregate transactions in accordance with documented rules.
- Escalate structuring patterns.
Observed pattern
In an anonymized review, different email addresses concealed the fact that the same document and device were accumulating repeated transactions.
How to put it into practice
Define the aggregation rule before reviewing the applicable threshold. Use identifiers that survive changes of email or device. Examine transactions close in time, the originating account and common beneficiaries. When the user changes category, determine which data is missing and whether they may continue to operate. Preserve the regulatory version and the date of the check. The classification must result from the complete relationship, not from how the interface fragmented sessions or created duplicate profiles.
Stress test
Consider a user who splits the amount across devices and email addresses but uses the same originating account and beneficiary. The aggregation must reconstruct the relationship before applying category and requirements. Document which identifiers survive channel changes, when the threshold is crossed and what additional information is requested. The interface cannot turn technical fragmentation into a material exception.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
KYC file of a sending legal entity
Decision point
The corporate file evidences existence, purpose, domicile, tax situation, representation, powers, structure and beneficial owner. Each document responds to one attribute; none replaces all of them. The representative's authority is reviewed against the specific instruction and the structure is updated when shareholders or control change.
Checklist
- Validate powers against the transaction.
- Reconcile the corporate name with the identifiers.
- Update structure and representatives by event.
Observed pattern
In an anonymized matrix, valid documents coexisted with a power of attorney insufficient to order transfers; the attribute-by-attribute review detected the gap.
Frequent risk
Accepting a power of attorney for administration as if it authorized any disposition may invalidate the instruction even though the company is properly identified.
How to put it into practice
Prepare a sheet per attribute and record the document, validity and validation outcome. Powers are read together with the act the representative intends to carry out. For complex structures, add layers and percentages up to the beneficial owner. Review the purpose of the relationship to detect inconsistencies. If a document expires, the system must alert before the next instruction. The file becomes usable when each item of data can be located and any contradictions have a documented resolution.
Stress test
Select a company with a limited power of attorney and a two-layer ownership structure. Compare the requested act with the representative's exact powers, and follow the percentages up to natural persons. The purpose of the relationship must be consistent with the activity, amounts and corridor. An attribute-by-attribute matrix identifies document, validity and validation, allowing operations to be suspended only when the deficiency genuinely affects the instruction.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
Beneficial owner: from declaration to corroboration
Decision point
The declaration of beneficial owner begins a corroboration path. Percentages, layers, special rights and control by other means are reconstructed until reaching a natural person or documenting the applicable exception. Inconsistencies are resolved with sources and an explanation proportionate to the risk.
Checklist
- Separate economic ownership and control.
- Document the steps and sources of corroboration.
- Escalate opaque or circular structures.
Observed pattern
In an anonymized file, the declared person held a minority interest, but an agreement gave them the power to appoint the management.
Frequent risk
Looking only at the largest percentage may overlook the person who appoints directors through a voting agreement.
How to put it into practice
Start with the declaration and map ownership and control along separate paths. Request support for each layer and cross-check against available sources. Veto or appointment rights require reading the agreement, not just the deed. Document why an exception applies and who approved it. If the chain ends in a trust, identify the relevant functions. Corroboration concludes when a third party can follow the steps and understand why the identified person exercises effective ownership or control.
Stress test
Add to the case an agreement granting a veto to a person with a minority economic interest. The initial declaration may not capture that control. The analyst must traverse ownership and rights separately, corroborate each layer and justify the conclusion. If a trust is involved, identify the relevant functions instead of automatically assigning the status to all of its participants.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
PEP and enhanced due diligence in remittances
Decision point
A PEP alert requires validating identity, position, timeframe and connection before raising the risk. If confirmed, the analysis incorporates source of funds, purpose, corridor, frequency and enhanced approvals. The classification must affect monitoring and review, not become an automatic rejection without assessment.
Checklist
- Apply namesake resolution.
- Document source of funds and approval.
- Increase monitoring in accordance with the risk.
Observed pattern
In an anonymized case, a namesake generated an alert; the date of birth and position ruled out the match before it affected the user.
Frequent risk
Treating a namesake as a confirmed match may block unjustifiably and contaminate the file with a false conclusion.
How to put it into practice
Resolve identity before applying risk consequences. Compare the name with date, nationality, position and connection. If confirmed, document the source of funds, purpose and enhanced authorization. Establish an update and monitoring frequency. A former PEP requires a temporal analysis in accordance with the applicable rule. Test that the system distinguishes a potential match from a confirmed one. The file must justify proportionality, avoiding both automatic rejection and an approval that ignores the identified public risk.
Stress test
Test a PEP match with a namesake and another confirmed by position and jurisdiction. The file shows the searches, the disambiguation, the risk of the relationship and the decision on continuity. For the genuine match, source of funds, approval at the appropriate level and enhanced monitoring must precede or condition the transaction. A label without subsequent measures does not constitute enhanced due diligence.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
Non-face-to-face identification: controls that must be evidenced
Decision point
Non-face-to-face identification is proven by the set of data, documents, validations, geolocation and consent used in the session. The relationship between evidence, engine, version and outcome must be preserved. Contingencies define when human review intervenes and which failures require rejection.
Checklist
- Link each item of evidence to session and user.
- Record engine, version and outcome.
- Define manual review and rejection.
Observed pattern
In an anonymized test, the image was legible but the system did not link the liveness result to the specific document; the relationship between the items of evidence was corrected.
Frequent risk
A legible photograph does not establish authenticity or demonstrate that the person present controlled the document.
How to put it into practice
List the controls used in order: capture, authenticity, liveness, external database, geolocation and decision. Each result is linked to session and version. Define which combination allows approval and which requires human intervention. Test a reused image, an expired document and loss of signal. Keep consent and notice accessible. The non-face-to-face file must allow a reviewer to reproduce the path without accessing unnecessary technical secrets or accepting a capture as complete proof.
Stress test
Run onboardings from an emulated device, a session with a reused document and another with a failed liveness check. The rules must produce blocks or review in accordance with the design, without allowing the operator to skip steps. Preserve technical signals, version, decision and retries. The equivalence of the remote channel depends on the set of evidence proven, not on a single positive identity query.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley Federal de Protección de Datos Personales en Posesión de los Particulares (texto vigente) — principles, privacy notice, transfers and security measures.
Minimum data in cross-border transfers
Decision point
Cross-border correspondent banking requires sufficient information on the originator, beneficiary, participating providers, country, currency and references. The contract allocates rejection, requests for data, sanctions, retention and cooperation. Interfaces are tested to prevent fields from being truncated when translating messages between jurisdictions.
Checklist
- Create an end-to-end data dictionary.
- Test length, format and characters.
- Reject or repair incomplete messages before settlement.
Observed pattern
In an anonymized integration, the purpose was truncated when passing to a foreign provider, weakening monitoring and the handling of inquiries.
Frequent risk
Settling an incomplete instruction and requesting data afterward weakens monitoring, traceability and the ability to deny. The final validation must show that the message was complete before crossing the border.
How to put it into practice
Build a common dictionary with the foreign counterparty before integrating. Test mandatory fields, transliteration, length and country codes. The contract must allow rejecting incomplete instructions and requesting clarification within a defined clock. Preserve the original and the transformed message. Screen lists and the corridor with complete data before settlement. A cross-border sample must travel from the order to the receipt without losing the originator, beneficiary, purpose or intermediate references.
Stress test
Use a transfer that passes through two intermediaries and changes the name format. Verify that the mandatory data travels complete, that each transformation is explainable and that the recipient can associate it with the instruction. A truncated field or one replaced by an internal reference must open an exception. The test includes the message issued, received and stored, with the same tracking key.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
Third-party payments: when to escalate an instruction
Decision point
When a person other than the sender provides the funds, the role and the contractual basis must be explained. Comparing ownership, recurrence and concentration makes it possible to separate a legitimate payment on behalf of another from a concealment of the originator. Exceptions are approved before releasing the instruction.
Checklist
- Compare the originating account holder with the sender.
- Define permitted exceptions and supporting documentation.
- Alert on concentration and recurrence of third parties.
Observed pattern
In an anonymized sample, different funding accounts were concentrated on a single user; the commercial contract did not explain that mechanism.
Frequent risk
Allowing any originating account because the user knows the reference makes the identification of the true funds provider irrelevant.
How to put it into practice
Compare the holder of the originating account with the declared sender in real time. If they differ, request an explanation and support under a catalogued exception. Analyze the recurrence of the third party and concentration across users. The contract must allow rejection and return without ambiguity. Test business, family and unknown payments to separate cases. The decision preserves who provided the funds, on whose behalf and why the entity accepted that the roles did not match.
Stress test
Analyze an instruction funded by a third party's account that shares a surname with the sender. That coincidence is not enough to accept or reject. Compare the declared relationship, purpose, ownership and prior pattern; then document the exception and its approver. If the third party recurs across unrelated users, the concentration must feed monitoring and not remain hidden as an incidental banking detail.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Circular 14/2017: SPEI provisions, compiled text — Circular 14/2017, compiled text with amendments, including Circular 9/2026.
How to remediate incomplete KYC files
Decision point
Remediation classifies each gap by attribute, cause, risk and possibility of recovery. A migration error requires a different solution from a document that was never requested. While the correction is under way, the policy defines restrictions and priority; closure is validated against a sample and preserves the previous and new value.
Checklist
- Classify the gap by cause and impact.
- Block or limit according to risk.
- Validate the correction with independent sampling.
Observed pattern
In an anonymized table, most gaps came from migration and not from clients; separating the technical cause from the documentary one made it possible to correct in batches without fabricating data.
Frequent risk
Filling fields with "not applicable" or generic values improves percentages but worsens the accuracy of the file.
How to put it into practice
Calculate the impact of each missing field on identification, profile, lists and reporting. Mass migration defects are corrected with a technical rule and reconciliation; individual ones require contact or restriction. Avoid completing by inference. Preserve the previous value, the new source and the date. An independent sample validates that the correction reached all systems. The backlog is closed by risk resolved and evidence, not because a cell is no longer empty.
Stress test
Order the remediation by impact: an expired identity, a beneficial owner not corroborated and outdated contact data do not warrant the same response. Define which transactions may continue, which require a limit and which are suspended. The dashboard preserves the contact attempt, the document received, the validation and the closure. Declaring the file "complete" without resolving contradictions merely shifts the risk to the next review.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
Updating and retention of the KYC file
Decision point
Updating is triggered by period and by event: expiry, change of representative, domicile, activity, structure or pattern. The history must not be overwritten because it explains what the entity knew when carrying out a transaction. Retention balances traceability, restricted access and personal data obligations.
Checklist
- Version data and documents with a validity period.
- Trigger updates by events.
- Apply retention and access in accordance with the regulations.
Observed pattern
In an anonymized file, overwriting domiciles eliminated the explanation of a historical alert; versioning resolved the problem.
Frequent risk
Keeping only the latest domicile may render an alert or a decision taken on the basis of earlier information inexplicable.
How to put it into practice
Maintain a history of documents and attributes with a validity date. Relevant events must trigger a task even if the periodic review is not yet due. Compare new data with pattern and lists before replacing the active version. Restrict access to historical versions without improperly deleting them. Test a change of representative and a change of domicile. Retention must explain what the entity knew at each transaction and how it reacted when that information changed.
Stress test
Select files with different onboarding dates, risk levels and recent activity. The engine must calculate the correct next milestone and escalate overdue ones without deleting the previous version. When a material item of data changes, preserve the request, support, validation and effect on the profile. The retention policy must also cover closed accounts and allow reconstructing which information was in force when a historical transaction was executed.
Legal basis
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley Federal de Protección de Datos Personales en Posesión de los Particulares (texto vigente) — principles, privacy notice, transfers and security measures.
Legal basis
- Ley General de Organizaciones y Actividades Auxiliares del Crédito (texto vigente) — articles 81-A Bis, 81-B, 81-D, 86 Bis and 95 Bis, depending on the topic.
- Legal provisions applicable to money transmitters — DCG derived from article 95 Bis and its amendments.
- Ley Federal de Protección de Datos Personales en Posesión de los Particulares (texto vigente) — principles, privacy notice, transfers and security measures.
Next step
SVA.LAW can review KYC for senders, beneficiaries, legal entities and cross-border within your specific model and turn the Money Transmitters and Payments analysis into decisions, owners and implementation evidence. Start a conversation.