On July 16, 2025, the decree amending the LDP and the General Population Act (“LGP”) was published in the Federal Official Gazette; these laws set forth the creation of the PUI as the central and mandatory technological tool for the search, location, and identification of missing persons.
This platform serves as a primary source of real-time, on-demand information, requiring companies that provide financial, telecommunications, transportation, healthcare, education, and/or delivery services (the “Various Institutions”) to link their databases to national registries via web services that enable CURP validation and biometric data management.
This framework has established a series of obligations for such companies that were and/or must be met at various points in time following the amendment. These Various Institutions must ensure that they comply with this new regime, or face penalties.
I. New Obligations
In accordance with the guidelines and procedures applicable to the PUI2, these Various Institutions must fulfill a series of requirements to ensure interoperability with the PUI. Various Institutions must verify their identity by obtaining the institutional MX Key for formal registration with the National Population Registry (“RENAPO”). Once their identity has been verified, Various Institutions must develop their own backend service with specific endpoints that allow them to receive official search requests, perform queries in their databases using the CURP, and notify the authorities of any matches with the PUI.
In addition, the regulatory framework requires that interconnection infrastructure meet strict cybersecurity, authentication, and protocol requirements, as well as undergo security testing to identify and address vulnerabilities before connectivity is authorized.
II. Breach and Risks
The deadline for these Various Institutions to request access to the PUI expired on March 31, 2026. Therefore, any Various Institutions that did not do so in a timely and proper manner will be considered in breach of the requirements and, consequently, may be subject to a financial penalty imposed by the authority.
According to Article 43 Bis of the LDP and Article 114 Bis of the LGP3, individuals who possess databases and do not allow access to them or do not keep the information up to date will be sanctioned by the Ministry of the Interior with fines ranging from 10,000 to 20,000 times the daily value of the UMA, which currently amounts to fines of approximately $1,173,100 MXN to $2,347,400 MXN.
III. Step-by-Step Remediation and Regularization Strategy
Given that the compliance deadline has already expired, our full-service firm (with extensive experience in Compliance, Regulatory matters, Data Privacy, Corporate law, and Administrative Litigation) focuses on designing a comprehensive action plan that enables Various Institutions to identify the obligations arising from the legislation at issue in order to achieve compliance therewith; to determine the human and technological resources required to achieve proper interconnection with the PUI; and to develop a strategy to address a potential administrative proceeding for non-compliance, if applicable. This strategy would also consider the potential benefits of voluntary compliance.
We hope this note is useful to you and for more information or clarification of any matter, please find below the contact information of our experts:
Luis Burgueño, Partner: +52 (55) 5258-1003| lburgueno@vwys.com.mx
Raymundo Soberanis, Partner: +52 (55) 5258-1059| rsoberanis@vwys.com.mx
Gloria Martínez, Counsel: +52 (55) 5258-1014| gmartinez@vwys.com.mx
Carlos Ugalde, Associate: +52 (55) 5258-1003| cugalde@vwys.com.mx