- Every Mexican business needs a valid RFC, but it only confirms basic registration, not beneficial ownership or operational legitimacy.
- You must identify anyone with 25%+ ownership OR operational control, regardless of shareholding percentage.
- To meet RFC compliance requirements, you need exact legal names with proper punctuation, notarized corporate documents, and current address verification with specific timeframes.
I’ve been neck-deep in Mexican compliance PDFs for months now (shoutout to ChatGPT and Santiago for the translation help because, guess what? No English versions exist). After wading through CNBV circulars, SAT guidelines, and regulatory documents that make the tax code look like children’s literature, I’m done watching clients hit the same walls over and over.
So here’s what I’m going to do. I’ll break down the actual legal requirements, show you exactly which documents matter, and give you the automated solutions that actually work (at the end).
But first, here’s the overview of what KYB actually looks like in Mexico, so you know what you’re getting into.
KYB in Mexico: Legal Framework Overview (What You’re Actually Required To Do)
Mexican KYB runs on three main regulatory pillars:
- Article 115 of the Ley de Instituciones de Crédito (your primary obligation)
- SAT’s RFC verification system (business legitimacy validation)
- CNBV’s beneficial ownership framework (ultimate control identification).
These work together to create a comprehensive due diligence requirement that goes well beyond basic document collection.
Below is a quick overview of all pillars.
1. Article 115 of the Ley de Instituciones de Crédito (your primary obligation)
First, let’s start with Article 115, as it outlines the core obligations you must follow in order to operate in Mexico.
Before we list obligations, just a reminder – we are going to cover the required three-tier verification, document requirements, and more in the following section anyway. These obligations help you understand the “why” behind that system, so read carefully:
- Risk-based client identification – Implement documented methodology for assessing client risk profiles before establishing business relationships
- Beneficial ownership verification – Identify all individuals with 25%+ ownership or control, including indirect holdings and operational authority
- Ongoing monitoring systems – Maintain continuous transaction monitoring with suspicious activity reporting to UIF
- Enhanced due diligence triggers – Apply additional verification measures for PEPs, high-risk jurisdictions, and complex ownership structures
- Record maintenance requirements – Preserve client identification files and transaction records for regulatory inspection periods
- Staff training obligations – Ensure compliance personnel understand identification procedures and red flag detection
With that said, let’s get to the next core requirement.
2. SAT RFC Validation Requirements
SAT’s RFC system serves as your primary business legitimacy check. Every Mexican business must have a valid RFC number to operate legally, and you’re required to verify this before establishing any business relationship. The 2024 updates introduced exact name-matching requirements, meaning you need the precise legal business name, including all punctuation and spacing, plus verified address postcodes.
The RFC validation confirms basic business registration but doesn’t verify beneficial ownership or operational status. Think of it as the first gate in your verification process, not the complete picture.
3. CNBV Beneficial Ownership Framework
CNBV’s beneficial ownership rules define how to identify who really controls your Mexican business partners.
The framework also captures operational control and indirect ownership structures:
| Threshold/Setup | Control Indicators | Documentation Required |
| 25%+ direct shareholding | Board appointment rights | Shareholder agreements, corporate minutes |
| 25%+ indirect through entities | Management contracts | Organizational charts, control flow diagrams |
| Voting control, regardless of % | Power of attorney arrangements | Legal representative documentation |
| Operational control | Daily management authority | Employment contracts, delegation letters |
Mexican business structures often separate legal ownership from operational control, particularly in family businesses and business groups. CNBV’s framework requires you to map both formal ownership chains and practical decision-making authority.
The beneficial ownership analysis isn’t static. You need ongoing monitoring to detect ownership changes and new appointments that might affect the ultimate control picture. This ongoing obligation extends throughout the entire business relationship.
Required Documents and Data Points (The Official Checklist)
Here’s the complete documentation checklist for Mexican KYB compliance:
- RFC Verification Documents: Valid RFC number, legal representative official identification (INE/passport), notarized power of attorney (copia certificada), address proof not older than 3 months
- Corporate Structure Documentation Documents: Articles of incorporation (Acta constitutiva), notarized constitutional document, RFC numbers for all shareholders/partners within articles of incorporation, written manifestation of RFC numbers if not in constitutional documents
- Legal Representative Verification Documents: Official identification documents, certified copy of notarial power establishing legal representation, proof of legal capacity and authority to represent the entity
- Shareholder/Partner Documents: Valid RFC for each shareholder/partner/associate, identification documents for individuals with 25%+ ownership, foreign partner generic RFC codes (EXTF900101NI1 for individuals, EXT990101NI1 for entities)
- Address and Operations Verification Documents: Rental agreements or service contracts (minimum 6 months for service contracts), utility bills (light/phone/water not older than 2 months), bank account opening contracts not older than 3 months, municipal alignment and official number certificates
These requirements come directly from SAT’s official RFC registration procedures and the regulatory framework established under Article 115 dispositions.
Two-Tier Verification System (How Mexican KYB Actually Works)
Mexican KYB operates on a graduated verification approach where the depth of investigation scales with transaction amounts and risk indicators:
Tier 1: Basic Business Verification
The foundation level covers RFC validation, business registration confirmation, and standard identity verification. This applies to routine business relationships under USD 1,000 in cross-border transactions within a one-month period. You collect standard documentation packages, verify legal representative identity through official IDs, and confirm the business exists through SAT systems. Most day-to-day business partnerships operate at this level.
Tier 2: Enhanced Due Diligence Triggers
Enhanced verification automatically escalates your compliance requirements when any of these conditions are met:
- Politically Exposed Persons in beneficial ownership or management
- Cross-border transaction thresholds exceeding USD 1,000 monthly
- Previous regulatory violations or enforcement actions
- Family member or close associate PEP connections
- Business activities inconsistent with stated purpose
- Bearer share structures or nominee arrangements
- Sanctions list matches or close name variations
- Complex multi-layered ownership structures
- Unusual transaction patterns or frequencies
- Rapid ownership or management changes
- Institution-specific transaction thresholds
- Source of funds unclear or unverifiable
- Cash-intensive business activities
- High-risk jurisdiction involvement
- Shell company characteristics
When these triggers hit, you need to ask for additional documentation and senior approval. Also, ensure stepped-up monitoring until the risk factors change or the relationship ends.
Things to Keep in Mind
Key operational considerations that affect how you implement the tier system:
- Dynamic escalation – Business relationships move between verification tiers automatically based on transaction activity, so your systems need real-time threshold monitoring
- Monthly threshold resets – The USD 1,000 cross-border limit resets each month, meaning multiple smaller transactions can trigger enhanced requirements cumulatively
- Retroactive application – When relationships escalate to higher tiers, you need to backfill enhanced due diligence for the entire business relationship, not just future transactions
- Documentation requirements scale – Each tier has specific record-keeping obligations, and regulators expect complete audit trails showing why and when verification levels change.
Understanding these dynamics helps you build compliance systems that automatically adjust verification intensity rather than requiring manual intervention for every threshold change.
Automation Solutions for Mexican KYB Compliance
You could build out a compliance team in Mexico. Hire people who actually understand how SAT works, can read Mexican corporate documents without Google Translate, and know which CNBV circulars actually matter.
But you’re looking at serious overhead: salaries, office space in Mexico City, training costs, and constant turnover because good compliance people get poached fast.
Or you can automate stuff that doesn’t need human judgment. For example:
- CURP verification hits government databases in real time.
- RFC validation pulls current business status straight from SAT.
- PEP screening runs in the background.
- Document parsing pulls the data you need without someone sitting there typing it out.
These tools cut your manual workload by maybe 70-80%, so your team can focus on the weird edge cases that actually need human eyes.
We at Singzy have already built some APIs specifically for this Mexican compliance system. You can handle the routine verification work automatically and get the stuff routed to you that needs actual review.
Thanks to API packaging, the whole thing plugs into whatever you’re already using, scales when you grow, and keeps the audit trail clean for when regulators come knocking.
Want to see how it works? Book a demo, and we’ll walk through your specific setup.
FAQs
Do I need to follow CNBV rules if I'm not a Mexican bank?
If you’re a financial institution operating in Mexico or conducting regulated financial activities, yes. For general business verification of Mexican partners, you can use CNBV standards as guidance but aren’t legally required to follow them completely.
Can I verify RFC numbers myself, or do I need a service provider?
SAT provides a free online validator for up to 5,000 RFC numbers simultaneously. For real-time integration and bulk verification, third-party APIs offer better automation and accuracy.
Are there different requirements for different types of Mexican businesses?
Basic verification requirements are similar, but enhanced due diligence triggers vary. Financial institutions, DNFBPs, and businesses in certain sectors have stricter requirements than general commercial entities.
What should I do if a beneficial owner appears on a sanctions list?
Stop all transactions immediately. File a suspicious activity report if required in your jurisdiction. Conduct an enhanced investigation to confirm the match and determine if the relationship can continue legally.
