The know your customer or know your client (KYC) guidelines and regulations for financial services require that professionals try to verify the identity, suitability, and risks involved with maintaining a business relationship.
National regulatory framework regarding AML and effective date of the regulations
Mexico’s AML regulatory framework is contained, initially, in the Federal Law for the Prevention and Identification of Operations with Illicit Resources (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, “AML Law”), which came into effect on 17 October 2012. However, generally speaking, KYC obligations are commonly contained in secondary regulations specific to each kind of regulated entity (for example, there are specific regulations for banks, which are separate from, although similar to, those for FinTechs and other regulated entities).
Mexico tends to follow the guidelines from the Financial Action Task Force, although certain aspects (such as thresholds) may vary.
National regulator or relevant authority for AML controls
The main regulator would be the Ministry of Finance and Public Credit (Secretaría de Hacienda y Crédito Público, “SHCP”), together with secondary agencies, the most relevant of which is the SHCP. There are other relevant authorities tasked with ensuring compliance with the Mexican AML framework (such as the Financial Intelligence Unit (Unidad de Inteligencia Financiera, “UIF”)). However, the regulatory roles fall mainly to the first two (2) authorities.
Customer Due Diligence
Conduct of a typical KYC identification process
The specific procedure and requirements vary between each regulated entity. Certain regulated entities may, for example, allow the remote onboarding of institutional clients, provided enough information is given, while others may still require face-to-face identification and physical documentation.
The most common requirement in KYC procedures tends to be identifying the ultimate beneficial owners of all transactions, to varying degrees, with the strictest procedures requiring the identification of the individual(s) who will benefit from the transaction.
Possibility to meet customer due diligence requirements by relying on third parties who are obliged by law themselves to comply with AML regulations
Regulated entities are expected to carry out their own AML and KYC procedures, and there are few entities that are allowed to rely on the AML procedures of other entities. Specifically, banks that are part of a financial group are allowed to create and keep the KYC file of a customer in any of the entities that are part of the group, subject to certain conditions.
Possibility to outsource customer due diligence by contract to other third parties who are not obliged by law to meet AML regulations and rely on these (e.g., WebID, IDnow, PostIdent)
Certain aspects of the KYC procedure may be outsourced to service providers (for example, several regulated entities are allowed to execute services agreements with providers of identity verification procedures). However, there is no express authorisation to outsource the entire AML/KYC procedure of a regulated entity.
Presence of a license or registration requirement for the third party in case of outsourcing customer due diligence
There is no specific authorisation requirement for the third party, but the regulated entity shall remain responsible vis-à-vis its customer.
Entities that could be relied on specifically by law as a third party to comply with AML regulations (regardless of outsourcing)