Continuing with our analysis of the amendments to the AML/CTF regulatory framework, please be advised that on March 27, 2026, in the evening edition of the Official Federal Gazette (DOF), the decree amending the Regulations of the AML Law was published, effective as of March 28.
The amendment to the AML Law, effective since July 17, 2025, introduced substantive changes: new vulnerable activities, strengthened obligations, updated thresholds, and the incorporation of concepts such as Politically Exposed Persons (PEPs) and Beneficial Owner with a reduced threshold of 25%. The regulatory decree further develops these concepts and powers.
Although the Regulations implement several changes introduced by the AML Law, the amendment of the general rules remains pending (with a deadline extending through July 17, 2026). Obligations such as official forms, PEP consultation procedures, and audit requirements will be subject to such rules. In the interim, compliance shall be governed by the rules in effect as of July 17, 2025.
Set forth below are the most significant changes introduced by the decree, organized by subject matter.
Principal Changes Introduced by the Amendment to the Regulations
The amended Regulations incorporate clarifications regarding definitions, institutional attributions, obligations of reporting entities, and sanctioning proceedings:
I. Definitions and Terminology (Article 2)
Three definitions are added: (i) Reports, meaning those filed in accordance with the general rules; (ii) PEP List, compiled on the basis of the list of public positions applicable to Financial Entities and the information referred to in Article 51 Ter of the AML Law; and (iii) Public Faith Depositaries, which includes notaries public, public brokers (corredores públicos), public officials vested with the authority to authenticate instruments, and facilitators under the General Law on Alternative Dispute Resolution Mechanisms.
II. Attributions of the UIF and the SAT (Articles 3 and 4)
Additional powers are conferred upon the UIF: to issue the form through which authorities shall provide information for the PEP List; to establish exceptions by means of orders published in the DOF; to promote specialized units within state-level entities for the receipt and analysis of financial disclosure information; and to safeguard Notices and Reports on Vulnerable Activities.
The SAT’s powers are expanded: the obligation to receive both Notices and Reports (previously limited to Notices only), verification visits at the Federal Taxpayer Registry (RFC) domicile when the visited party cannot be located, and expanded oversight encompassing Reports, audit opinions, and remediation of findings. Additional powers are granted to request the assistance of law enforcement, to effect electronic notifications, and to require audit opinions and supporting documentation.
III. Rules for Aggregation of Transactions and 24-Hour Notice (Articles 7 and 7 Bis)
a. The aggregation of transactions contemplates a period of up to six months; the Notice for aggregation shall be filed upon the execution of the last transaction that reaches or exceeds the applicable threshold, even if the full period has not elapsed. Where no identification thresholds are established, all transactions shall be deemed Vulnerable Activities subject to aggregation.
b. The obligation to file the 24-hour Notice is reinforced, including in circumstances where the act was not consummated and only the data of the person who attempted to carry it out is available. This obligation shall be contingent upon the updating of the official forms.
IV. Timelines and Sanctioning Proceedings (Articles 8, 9, and 10 Bis)
a. pecific timelines are incorporated for verification and sanctioning proceedings. The SAT shall impose sanctions within a maximum of 10 business days when a request for information is not complied with, without exhausting the sanctioning procedure under the Federal Administrative Procedure Law. The SAT shall issue the findings letter within a maximum of 10 business days and the final resolution within a maximum of 20 business days.
b. The new Article 10 Bis authorizes the SAT to support its resolutions with facts from its own case files, databases, or information provided by other authorities. Certified digital copies shall have the same evidentiary value as originals, and the information contained in Digital Tax Receipts (CFDI) shall be presumed to be accurate.
V. Registration, Enrollment, and Audit Obligations (Articles 12, 12 Bis, and 14)
Registration and enrollment expressly encompass trusts (fideicomisos) and other legal arrangements. The new Article 12 Bis establishes the obligation to obtain and retain the internal or external audit opinion and the documentation evidencing the remediation of findings. Article 14 now refers to the identification of the Beneficial Owner directly, eliminating the term “beneficial owner” (beneficiario controlador) previously used.
VI. Document Retention (Article 20)
The retention period for Notices and Reports has been adjusted from five to ten years from the date of filing and issuance of the electronic acknowledgments of receipt, calculated as of July 17, 2025.
VII. New PEP Regime (Chapter Six Bis)
a. A new chapter (Articles 45 Bis through 45 Quinquies) is established to regulate the compilation and classification of the PEP List by the UIF, subject to transparency and national security regulations.
b. The list may be shared with decentralized bodies of the Ministry of Finance and Public Credit (SHCP) for supervisory purposes, subject to the execution of an agreement.
c. Financial Entities and persons engaged in Vulnerable Activities may electronically consult the UIF to determine whether a Client or User qualifies as a PEP, when such determination cannot be made during the identification process.
d. The obligated authorities shall update the relevant information within 5 business days following any change.
VIII. Other Relevant Amendments
a. Date of the act or transaction (Article 5): The date is no longer defined as the date of execution but rather as the date established in the general rules for each Vulnerable Activity. For activities under Section XII of Article 17, this includes the date of notarization.
b. Linked transactions in gaming and wagering (Article 21 Bis): The criteria for determining when a series of linked transactions exists in gaming with wagering, contests, or sweepstakes are defined, including digital platforms. Threshold: 325 times the daily value of the Measurement and Update Unit (UMA) within a 24-hour period.
c. Loans, lending, and credit (Article 24): The moment at which the act is deemed to have been carried out is amended: previously, it was upon the execution of the contract; henceforth, it is when the funds derived from the loan, lending arrangement, or credit facility are made available to the Client or User.
d. Agreements with Collegiate Entities (Article 33 Bis): Maximum term of 10 years, with the possibility of renewal for an equal or lesser term, subject to SAT verification and UIF assessment of the quality of the Notices.
e. Express acknowledgment of violations (Article 55 Bis): A new procedure is added, which includes a written submission to the SAT detailing the infractions, a statement under oath that the violations have been remedied and supporting documentation. Deadlines: (i) 5 days following the verification record (first infraction), or (ii) 15 days following notification of the commencement of the sanctioning proceeding (repeat offense).
f. Training (Article 52): The catalog of entities authorized to issue training certifications is expanded to include the Ministry of Security and Citizen Protection and the National Guard.
IX. Transitional Provisions
The decree establishes a detailed transitional regime that includes, among other relevant aspects, the abrogation of all administrative provisions that contravene the decree.
What Comes Next?
With these Regulations, a fundamental step has been taken in the implementation of the new AML/CTF framework. However, the key component is the set of general rules that the SHCP must issue before July 2026, which Will define: official forms, PEP consultation procedures, simplified identification measures, audit requirements, and transaction monitoring mechanisms.
To download the decree from the DOF, please click the link below:
https://www.dof.gob.mx/nota_detalle.php?codigo=5783547&fecha=27/03/2026#gsc.tab=0
Our team remains at your disposal to assist you in implementing this new regulatory framework. If your company engages in vulnerable activities, please contact us to schedule a diagnostic session.
For additional information, contact:
Luis Burgueño, Partner:+52 (55) 5258 1003 | lburgueno@vwys.com.mx
Alberto Córdoba, Partner:+52 (55) 5258 1016 | acordoba@vwys.com.mx
Diego Sierra, Partner:+52 (55) 5258 1039 | dsierra@vwys.com.mx
Raymundo Soberanis, Partner:+52 (55) 5258 1059 | rsoberanis@vwys.com.mx
Ricardo Cacho, Partner:+52 (55) 5258 1000 | rcacho@vwys.com.mx
Max Morales, Associate:+52 (55) 5258 1014 | mmorales@vwys.com.mx
Joel Domínguez, Associate:+52 (55) 5258 1027 | jdominguez@vwys.com.mx