CNBV AML Fines: Amounts and How to Avoid Them

Running a SOFOM in Mexico without a robust Anti-Money-Laundering (AML) program is not just a regulatory risk: it is a financial bet that can cost millions of pesos. CNBV (Mexico’s banking regulator) has authority to impose fines ranging from 5,000 to 100,000 UMAs (Mexico’s reference accounting unit) per infraction, translating into sanctions between MXN 565,700 and MXN 11,314,000 (based on the 2026 daily UMA of MXN 113.14, per INEGI). What many general managers and compliance officers do not know is that these fines can accumulate: a single inspection visit with multiple findings can generate sanctions exceeding MXN 30 million.

This article breaks down the legal framework that empowers CNBV to sanction, the types of infractions and their specific amounts, the most common root causes we have identified in Mexican financial institutions, and — most importantly — the concrete actions your SOFOM can implement to avoid sanctions.

Legal framework: Why can CNBV fine your SOFOM?

Direct answer: CNBV’s sanctioning authority over AML matters is exercised under 3 statutes: (1) LGOAAC Arts. 95 Bis and 95 Bis 1 (operation of SOFOMs ENR/ER), (2) LFPIORPI (Mexico’s Federal AML Law, sanctions in Art. 53), and (3) CNBV General Provisions (published in the Official Gazette, detailing operating obligations). Non-compliance with any of these enables a sanctioning procedure.

CNBV’s AML sanctioning authority arises not from a single statute but from a legal lattice that grants the regulator broad supervisory, inspection and sanctioning powers. Understanding this framework is essential to size the real risk your institution faces.

General Law of Auxiliary Credit Organizations and Activities (LGOAAC, Arts. 95 Bis and 95 Bis 1). Establishes the general framework for SOFOMs and other non-bank financial entities. Its AML provisions require SOFOMs (both ER and ENR) to establish measures and procedures to prevent and detect acts, omissions or operations that could favor or facilitate money laundering or terrorism financing. Non-compliance enables CNBV to initiate administrative sanctioning procedures.

AML/CFT General Provisions (published in the Official Gazette). Issued by CNBV under the LGOAAC and LFPIORPI (Art. 18), these provisions are the regulator’s operating manual. They specify exactly what a SOFOM must do: from designation of the compliance officer to the deadlines for sending operation reports to UIF (Mexico’s Financial Intelligence Unit), through client identification requirements, risk assessment methodologies and transactional monitoring standards. Each specific obligation is a potential point of infraction and therefore of fine.

CNBV’s sanctioning powers. CNBV acts as judge and supervisor. Through its ordinary and extraordinary inspection visits, the Commission verifies compliance with AML regulation. When non-compliance is detected, it initiates an administrative sanctioning procedure that may result in fines, reprimands, suspensions or even revocation of authorizations or registrations.

CNBV does not need to wait for an act of money laundering to sanction. Fines are imposed for non-compliance with preventive obligations, regardless of whether the institution has been used to launder money. In other words, not having an updated AML manual is sanctionable in itself, without an underlying illicit operation.

Types of infractions and fine amounts (2026)

LFPIORPI sanctions, in its Article 53, classify infractions into three levels of severity, with amounts updated annually based on the UMA:

Minor infractions: 200 to 2,000 UMAs (MXN 22,628 – 226,280). Include filing reports outside the 17-day period, errors in transactional thresholds, lack of identification of low-risk clients and minor documentary omissions.

Serious infractions: 2,000 to 10,000 UMAs (MXN 226,280 – 1,131,400). Include lack of designated compliance officer, absence of risk assessment methodology, lack of training to staff and outdated manuals.

Very serious infractions: 10,000 to 65,000 UMAs (MXN 1,131,400 – 7,354,100). Include systematic failure to report relevant or unusual operations, lack of effective transactional monitoring, omission to identify high-risk clients (PEPs, high-risk geographies) and failure to provide information requested by CNBV.

Additionally, the Banking Law (LIC), applicable supplementarily, allows imposing fines up to 100,000 UMAs (MXN 11,314,000) for repeat very serious infractions.

The 7 most common causes of CNBV fines for SOFOMs

After years working with SOFOMs of different sizes and segments, we have identified seven causes that account for more than 80% of sanctions imposed by CNBV. These are not edge cases: they are recurring failures of institutions that, despite operating in good faith, do not properly implement AML obligations.

1. Outdated or generic AML manuals

The most common finding. Many SOFOMs use templates downloaded from the internet or adapted from other entities, which do not reflect their actual operation. CNBV requires the manual to be specific, updated and consistent with the institution’s effective practices. A manual referencing systems the SOFOM does not have, processes it does not follow or organizational structures that do not exist is immediately identifiable in inspection.

2. Compliance officer without sufficient training

LFPIORPI requires designating a compliance officer with documented expertise. Many SOFOMs assign this role to an executive without specialization, without a formal training program, or to a person who holds other operational functions that compromise independence. CNBV verifies in inspection not only the formal designation but the technical competence and dedication of the officer.

3. Lack of risk-based methodology

CNBV requires every SOFOM to apply a risk-based approach to assess its clients, products and operations. This means having a documented methodology that classifies clients by risk level (low, medium, high), applies enhanced due diligence to high-risk clients (PEPs, high-risk geographies, complex corporate structures) and adjusts monitoring frequency accordingly. Operating with uniform AML controls for all clients is sanctionable.

4. Inefficient transactional monitoring

Transactional monitoring is the heart of an AML program. The norm requires SOFOMs to have monitoring systems that detect unusual operations in real or near-real time, generate actionable alerts and document each alert resolution. Manual or spreadsheet-based monitoring systems are unable to handle the volume and complexity of modern transactions, generating systematic gaps that CNBV identifies in inspection.

5. Untimely or incomplete operation reports

LFPIORPI requires filing relevant operation reports (ROR), unusual operation reports (ROU) and internal-concerning operation reports (ROIP) within strict deadlines via SITI (the FIU’s reporting system). Late, incomplete or missing reports are very serious infractions. Some SOFOMs accumulate hundreds of unfiled reports until inspection — generating cumulative fines that exceed MXN 10 million.

6. Lack of training to operational staff

LFPIORPI requires periodic AML training for all staff in contact with clients or operations. This includes customer service, sales, credit, collections, and operations and finance personnel. Training must be documented with attendance lists, materials, evaluations and verifiable evidence. SOFOMs that train only the compliance officer or do not document their training programs are systematically observed.

7. Absence of independent internal audit

The norm requires SOFOMs to have an internal audit function that periodically evaluates the AML program. This audit must be performed by personnel independent of compliance operations, generate documented reports and follow up on identified findings. Many SOFOMs do not have this function, or assign it to the compliance officer (creating self-audit), which is also sanctionable.

Recent enforcement context

CNBV has progressively intensified its AML supervisory activity on SOFOMs, partly because of Mexico’s commitments under the FATF (GAFI). The 2017–2018 FATF mutual evaluation identified gaps in supervision of non-bank financial entities, and the regulator has responded by increasing the frequency and depth of inspections.

The trend is clear: fines for AML non-compliance grow not because new types of infraction emerge, but because CNBV has expanded its inspection capacity, modernized its detection systems and intensified specialized supervision. SOFOMs that operated for years without a compliance review can no longer assume they will go unnoticed. The next mutual evaluation in 2026 will only accelerate this trend.

How to avoid CNBV fines: concrete actions

1. Conduct an integral compliance diagnostic

Before a CNBV inspection, conduct an independent diagnostic that identifies gaps in your AML program. This includes review of manuals, evaluation of risk methodology, audit of transactional monitoring systems, review of generated reports and verification of training programs. The diagnostic must be technical, with concrete findings and an action plan with deadlines.

2. Implement technology infrastructure for AML

Trying to comply with AML obligations through spreadsheets, generic accounting software or manual processes is statistically a path to fines. Specialized AML systems automate client identification, real-time transactional monitoring, report generation and complete documentation of each step. The technology investment pays for itself with the first avoided fine.

3. Form a compliance officer with continuous specialization

The compliance officer must have an annual specialization program that includes regulatory updates, advanced AML training, case study analysis and participation in industry forums. Investing in continuous formation is significantly less expensive than a fine for technical insufficiency.

4. Establish robust governance

The AML program must have direct executive support, with the general manager and the board involved in supervision. This translates into a formal AML committee, periodic reporting to the board, documented escalation procedures and a culture of compliance permeating the entire organization.

5. Document everything: traceability is your defense

In any CNBV inspection, documentation is the difference between a fine and a clean closure. Every decision, every alert resolution, every executed training, every system update must be documented with date, person responsible and supporting evidence. Audit trails that can be reconstructed quickly are the best defense.

What to do if CNBV detects findings at your institution

If your SOFOM is undergoing an inspection that has identified findings, the natural reaction is to seek to minimize them. The strategy that works is different: collaborate transparently with the regulator, recognize gaps, present an immediate remediation plan and execute with verifiable speed.

CNBV evaluates not only the severity of the infraction, but the institution’s posture during the sanctioning procedure. SOFOMs that demonstrate genuine commitment to remediation, with documented evidence of corrective actions, usually obtain reduced sanctions or alternative measures such as recommendations or improvement plans.

Frequently Asked Questions

What is the maximum fine that CNBV can impose on a SOFOM? Under LFPIORPI, fines can reach 65,000 UMAs (MXN 7,354,100 in 2026) for very serious infractions. With supplementary application of the Banking Law and accumulation of multiple infractions, sanctions exceeding MXN 30 million per inspection have been imposed.

Can my SOFOM be sanctioned even if no money laundering occurred? Yes. The vast majority of CNBV fines are imposed for non-compliance with preventive obligations (manuals, training, monitoring, reports), regardless of whether the institution was used for money laundering. The preventive obligation is independent of any illicit act.

How often does CNBV conduct inspections on SOFOMs? CNBV conducts ordinary and extraordinary inspections. The frequency depends on the size of the institution, its risk profile and history of findings. Larger SOFOMs or those with prior observations may receive annual inspections. Smaller SOFOMs may receive inspections every 2 to 3 years, but no SOFOM is exempt from being subject to extraordinary inspection.

Can I appeal a CNBV fine? Yes, sanctions imposed by CNBV can be challenged via administrative review and through nullity proceedings before the Federal Court of Administrative Justice. However, challenges have higher chances of success when the institution has solid technical documentation that supports its compliance.

What does it cost to implement a robust AML program in a SOFOM? Initial cost varies based on size and complexity, ranging from MXN 200,000 to 1,500,000 for proper implementation. Recurring annual cost (officer, technology, training, audit) ranges from MXN 300,000 to 1,200,000. Compared to a single very serious fine, the investment is recovered before the first inspection.

Sources and references

LFPIORPI (Mexico’s AML statute), Arts. 18 and 53 — DOF
LGOAAC, Arts. 95 Bis and 95 Bis 1 — DOF
AML/CFT General Provisions for SOFOMs — CNBV
UMA value 2026 — INEGI