Mexico’s AML Law Overhaul: 7 Key Changes from the March 2026 LFPIORPI Reform You Need to Know

Documentos legales y de cumplimiento normativo sobre escritorio

If your business has operations, subsidiaries, or counterparties in Mexico, the country’s anti-money laundering framework just changed in ways you can’t ignore. On March 27, 2026, Mexico’s Official Federal Gazette (DOF) published a sweeping reform to the regulations of the LFPIORPI, Mexico’s primary anti-money laundering and counter-terrorism financing law — roughly equivalent to the Bank Secrecy Act in the US. The new regulation took effect March 28, 2026.

This is not a minor refresh. The reform amends 54 of the 59 existing articles and adds 11 new ones, operationalizing the statutory changes Congress passed in July 2025. For compliance officers, in-house counsel, and CFOs, it raises the bar on what an acceptable AML program looks like in Mexico — and shortens the runway to get there.

Below are the seven changes that should be on your radar today.

1. An official PEP list, run by the UIF

The reform creates a dedicated chapter (Capítulo Sexto Bis) governing how regulated entities must handle Politically Exposed Persons (PEPs). Most importantly, screening must now be performed against an official PEP list maintained by Mexico’s Financial Intelligence Unit (UIF), accessible through an electronic channel the authority will publish.

Why it matters: relying solely on commercial PEP databases is no longer sufficient. If your KYC platform doesn’t have a path to ingest or cross-check against the UIF list once it goes live, you have a gap that examiners will eventually find.

2. Mandatory annual AML audits (Art. 12 Bis)

For the first time, Mexican AML regulation explicitly requires annual independent audits — internal or external — of the AML/CFT compliance program.

The regulation requires a formal audit opinion, full documentation of findings, and evidence that observations were remediated. Mexico’s Tax Authority (SAT), which supervises non-financial obligated entities, can request this file at any time.

Why it matters: “paper” compliance programs no longer pass. Boards, audit committees, and parent-company compliance teams should expect to see — and review — Mexico-specific AML audit reports as a standard governance artifact.

3. 24-hour reporting, even for attempted transactions (Art. 7 Bis)

When there are indicators of laundering of illicit proceeds, regulated entities must now file a suspicious activity report within 24 hours — and crucially, the obligation applies even if the transaction was never completed, including operations rejected by the company itself.

Why it matters: turning a client away is no longer a “case closed” event. Your onboarding rejection workflow needs a path to a SAR within one business day.

4. Aggregation of related transactions over a 6-month window (Art. 7)

The reform clarifies that related transactions can be aggregated over a period of up to 6 months to determine whether reporting thresholds have been crossed. The report must be filed as soon as the threshold is reached, not at the end of the aggregation window.

Why it matters: structuring detection has to look back further. Transaction monitoring systems calibrated to monthly or quarterly windows will need to extend their lookback logic.

5. Self-correction program before the SAT (Art. 55 Bis)

The new framework introduces a formal voluntary self-correction procedure. Companies that identify their own non-compliance and remediate it before the SAT initiates a sanctions proceeding can qualify for a significant reduction of penalties — but only once.

Why it matters: if your Mexico operation has been carrying known AML gaps, there is now a defined, time-limited path to disclose and remediate at substantially lower cost than waiting for an inspection.

6. 10-year record retention

The retention period for AML documentation has been extended from 5 to 10 years, applying to operations conducted from July 17, 2025 onward.

Why it matters: this is an immediate IT and data-governance ask. Storage policies, archival systems, and any KYC platform retention defaults should be reviewed against the new horizon, especially for groups whose Mexican retention was previously aligned with shorter local rules.

7. A real risk-based approach, with automated monitoring

The reform reinforces the requirement to operate under a genuine risk-based approach (RBA) across the full client lifecycle and to deploy automated monitoring systems for ongoing customer due diligence.

Why it matters: manual review queues and static client risk ratings won’t survive an inspection. Expect supervisors to ask for evidence that monitoring rules are tied to documented risk factors and tuned over time.

Who is most affected

The reform raises the compliance bar for every regulated entity in Mexico, but a few categories should treat this as a top-of-quarter priority:

  • Foreign companies with Mexican subsidiaries — particularly those whose group AML policies were drafted around US, EU, or UK frameworks and have a “Mexico annex” that now needs a serious refresh.
  • Real estate investors and developers — Mexican real estate is a designated vulnerable activity, and the new audit, retention, and monitoring rules apply directly.
  • Fund managers, CKD administrators, trusts, and investment vehicles with Mexican LP relationships or assets.
  • Fintechs, payment processors, and crypto businesses operating in Mexico under the Fintech Law or any obligated category.
  • Notaries, public fedataries, and professional firms performing vulnerable activities under the LFPIORPI catalog.

What companies should do now

  1. Refresh your Mexican AML policies, manuals, and risk methodology before your next audit cycle.
  2. Plan ingestion of the UIF official PEP list as soon as it goes live, alongside your existing commercial sources.
  3. Stand up — or strengthen — automated, ongoing screening of customers and counterparties.
  4. Build the evidence file for your first mandatory annual audit.
  5. Train compliance, onboarding, and operations teams on the new 24-hour reporting and aggregation rules.
  6. Reassess record retention so that AML files cover the new 10-year window.

How ReferenceCheck.mx can help

For more than 15 years, ReferenceCheck has supported Mexican and international companies with AML, KYC, and due diligence in Mexico.

Our services let you:

  • Run screening against domestic and international lists — OFAC, UN, European Union, United Kingdom, World Bank, plus Mexican sources including SAT 69B, IMSS, and INFONAVIT.
  • Implement continuous monitoring with automated alerts when a client or counterparty appears on a relevant list.
  • Generate auditable, traceable reports that hold up as evidence in CNBV or SAT inspections.
  • Conduct robust PEP verification, including readiness for the UIF’s official PEP list once it is operational.

If your company operates in Mexico and has AML obligations, this reform already applies to you. Contact us and we’ll be happy to review your case.

referencecheck.mx/en#contact

, , , , , , ,