Law on the Prevention and Identification of Operations with Resources of Illegal Origin


    Law on the Prevention and Identification of Operations with Resources of Illegal Origin

    The Law on the Prevention and Identification of Operations with Resources of Illegal Origin, of 17 October 2012 (‘the LFPIORPI’) (only available in Spanish here) outlines the measures and procedures to be taken by financial entities for the prevention and detection of acts or operations that involve the use of resources of an illegal origin. The LFPIORPI aims to protect the financial system and national economy of Mexico, through promoting inter-institutional coordination for the purposes of collecting useful elements needed in the investigation and prosecution of crimes arising from operations utilising resources of an unlawful origin, those related to the latter, identifying the financial structures of such criminal organisations and how to avoid the use of resources for their financing (Article 2 of the LFPIORPI).

    Last Updated: July 30, 2019

  • According to Article 14 of the LFPIORPI, the following are listed as vulnerable activities: 

    • any act, operation, or service performed by any financial entity, in accordance with the laws that regulate them in each case.

    Under Article 15 of the LFPIORPI, in regard to any vulnerable activities that a financial entity may participate in, in accordance with the LFPIORPI and any other laws which they are regulated by, they are required to conduct the following: 

    • establish measures and procedures to prevent and detect acts, omissions or operations that could be identified in the instances provided under Chapter II of Title 23 of the Federal Penal Code, of 14 August 1931 (only available in Spanish here); 
    • identify its clients and users, in accordance with the provisions of Article 115 of the Law on Credit Institutions, of 18 July 1990 (only available in Spanish here); Articles 87-D, 95 and 95 Bis of the General Law of Auxiliary Credit Organisations and Activities, of 14 January 1985 (only available in Spanish here); Article 129 of the Law on Credit Unions, of 20 August 2008 (only available in Spanish here; Article 124 of the Law of Popular Savings and Credit, of 4 June 2001 (only available in Spanish here); Articles 71 and 72 of the Law to Regulate the Activities of the Cooperative Societies of Savings and Loan Companies, of 14 August 2009 (only available in Spanish here); Article 212 of the Securities Market Law, of 30 December 2005 (only available in Spanish here); Article 91 of the Investment Funds Law, of 4 June 2001 (only available in Spanish here); Article 108 Bis of the Law on Savings Systems for Retirement, of 23 May 1996 (only available in Spanish here); Article 492 of the Law on Insurance and Bonding Institutions, of 4 April 2013 (only available in Spanish here); Article 58 of the Law to Regulate Financial Technology Institutions, of 9 March 2018 (only available in Spanish here) (Article 15(I) of the LFPIORPI); 
    • present to the Secretariat of Finance and Public Credit (‘the SCHP‘) reports on acts, operations and services performed with their clients or conducted with members of the administrative council, attorneys, managers and employees of the financial entity, which may be specified under Article 15(I) of the LFPIORPI or, where appropriate they could contravene or violate the adequate application of the aforementioned provisions;
    • deliver to the Secretariat, through the competent decentralised body, information and documentation related to the acts, operations and services referred to in this Article; and 
    • retain, for at least 10 years, the information and documentation related to the identification of its clients and users or those who have been, as well as those acts, operations and services reported in accordance with this Article, without prejudice to the provisions of this or other regulations which are applicable. 

    In addition, Article 16 of the LFPIORPI stipulates that the supervision, verification and monitoring of financial entities’ compliance with their obligations referred to under Article 15 of the LFPIORPI and the provisions of the laws which specifically regulate their operations, will be carried out, as appropriate, by the National Banking and Securities Commission the National Commission of Insurance and Surety, the National Commission of Retirement Savings System or the Service Tax Administration. 

    Furthermore, Article 17 of the LFPIORPI provides that all acts, transactions and services carried out by financial entities will be considered vulnerable activities, including: 

    • any activities related to gambling, raffles and lottery activities;
    • the issuance and trade, concurrent or professional, rendering of services through service cards, pre-paid cards and all those that constitute instruments for storing monetary value, not issued or sold by financial entities;
    • customary and professional trading of precious metals, precious stones, jewellery or watches;
    • trading or distribution of cars, aircrafts or vessels, whether new or used pre-owned;
    • the rendering of independent professional services, when rendered or provided to a client or on behalf of them;
    • the rendering of services related to the legal authority to attest documents, such as Notary Publics;
    • the creation of personal rights related to the use or enjoyment of real estate properties. 

    These vulnerable activities shall be subject to identification and therefore, to submission to the SHCP of the corresponding notice, provided that they are carried out under the terms and amounts determined for each particular case.  

    Under Article 18 of the LFPIORPI, financial entities engaged in vulnerable activities are obligated to perform the following: 

    • identify clients and users with whom they carry out their own activities subject to supervision and verification of their identity based on credentials or official documentation, as well as copies of the documentation;  
    • where a business relationship is established, the client or user will be requested to provide information about their activity or occupation, based on, among others, the registration and update of activities presented for the purposes of the Federal Taxpayer Registry;  
    • request the client or user to participate in a vulnerable activities information assessment about whether they have knowledge of a beneficiary’s existence and, where appropriate, exhibit official documentation that let them be identified, if it is within their powerotherwise, it will declare that it does not possess such documentation. Such information and documentation must be preserved in a physical or electronic format, for a term of five years beginning from the date of the completion of the vulnerable activity, unless the laws of the subject of the federal entities establish a different deadline; 
    • to guard, protect and avoid the destruction or concealment of information and documentation that supports the vulnerable activity, as well as the one that identifies its clients or users; and  
    • provide the necessary facilities for verification visits to be carried out in the provisions of the LFPIORPIand 
    • present the Notices to the Secretariat at a time and a manner, which is consistent with the provisions under the LFPIORPI. 
  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews. 

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.  

    For additional details on Vendorpedia, read more here. 

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.