Amendments to the Regulation of the LFPIORPI

April 28, 2026

On March 27, 2026, a Decree reforming the Regulation of the LFPIORPI, effective immediately, was published in the DOF. This is not a technical adjustment; it is a structural change that raises the standard of required compliance, expands the SAT’s enforcement powers, and reduces the response times for regulated entities. Here are the seven critical aspects of the reform.

1. Strengthening the SAT’s Powers | Arts. 4, 8, and 9

SAT now has more aggressive enforcement tools: it may conduct inspections at any address linked to the regulated entity, including that of the RFC; issue notices electronically; and request information at any time. The entire sanctioning process is outlined in two different articles that operate sequentially:

• Art. 8: Request for information with a response time of 10 business days (with an extension up to 5 days).
• Art. 9: Objection period—the SAT has 10 days to make comments and request further information; regulated entities have 5 days to respond; the SAT has up to 20 days to impose penalties if the comments are tacitly accepted (no contrary documentation is provided).
• Art. 10 Bis: Information contained in the CFDI and institutional databases will be presumed to be accurate. The burden of refuting this information lies entirely with the regulated entity.

An incomplete or inconsistent file in the SAT’s CFDI records would be, in and of itself, a risk subject to automatic penalty. Is your documentation ready for review within 10 business days?

2. New Standards for Audits and Remediation | Art. 12 Bis

Article 12 Bis introduces an obligation that goes beyond a simple AML audit: the audit report and supporting documentation must be retained and, upon request, be submitted to the SAT to verify, point by point, an effective remediation of the findings. Both elements are independently enforceable.

An audit report containing findings without documented evidence of remediation is considered an incomplete file by the authority. The AML audit is no longer an annual exercise, but becomes a continuous cycle necessary to close gaps.

3. Notices: Accumulation, Thresholds, and Immediacy | Arts. 5, 6, 7, and 7 Bis

There are four articles with distinct technical mandates that should be read in conjunction. Art. 5 indicates that the date of the act and mandatory regulatory follow-up are those established in the General Rules (RCG). Art. 6 of the Regulation directly stipulates that contributions do not count toward the threshold but are reported in the Notice. Art. 7 requires the Notice to be filed exactly when the cumulative threshold is reached, within a period of 6 months, and not at the end of the period.

Do your monitoring systems trigger alerts before the threshold is reached, or do they only record completed transactions? The difference determines the  likelihood of penalties.

4. Document Retention | Art. 20 and Transitory Article Seven

Notices, reports, supporting documentation, and electronic acknowledgments must be retained for a minimum of 10 years. A critical detail that shouldn´t be overlooked: Transitory Article Seven establishes that the retention period begins for transactions conducted on or after July 17, 2025, and not from the effective date of the Decree (March 28, 2026). Records from that date forward are subject to this new regime.

Passive retention is not sufficient. Immediate availability upon request under Art. 8 makes record keeping an active component of the compliance program.

5.Regime of Politically Exposed Persons | Articles 45 Bis – 45 Quinquies

Chapter Six Bis establishes a specific framework for PEPs, with three provisions that directly impact KYC processes:

• The FIU compiles and maintains an official list of PEPs, restricting access under the Transparency and National Security Act, which limits what a regulated entity may obtain from it.
• Electronic consultation of the FIU list is optional and supplementary: it is only applicable when a status cannot be determined through the standard identification process. This does not replace KYC.
• Reporting authorities must notify changes to the list within 5 business days.

Does the documentation of your KYC procedure demonstrate that the standard process has been exhausted before resorting to an FIU consultation? Without such evidence, enhanced due diligence is not substantiated.

6. Self-Correction Mechanism | Art. 55 Bis

The express acknowledgment of non-compliance as a mitigation tool for sanctions is formalized through four substantive requirements — a complete description of the violations, a sworn statement, evidence of correction/remediation, and verification of the signatory’s identity — as well as two procedural stages with different effects:

• During the verification process (Art. 68 LFPA): greater benefit in terms of penalty reduction.
• During the sanctioning process (Art. 72 LFPA): lesser benefit; delay comes at a cost.

This mechanism only works if there is a prior audit and remediation system in place to demonstrate the required evidence. Without this, express acknowledgment cannot be validated before the SAT.

7. Transitional Provisions: What´s in Effect Today | Transitory Articles 1 through 9

The phased implementation of the reform creates three categories of obligation that must be clearly distinguished:

• Effective today (March 28, 2026): SAT powers, the penalty cycle (Arts. 8–9, Art. 12 Bis), the PEP regime, document retention starting July 2025.
• Suspended until FIU forms are updated: 24-hour Notice (Art. 7 Bis / Trans. 5).
• Subject to the RCG in force or to be issued: date of the act or transaction (Art. 5), various sections of Art. 18 of the Law (Trans. 4).

The pending secondary regulation does not justify inaction regarding the obligations already in force. Each category requires a distinct and immediate operational response.

Impact Map of the Compliance Management System by Domain

How exposed is your organization?

This reform does not allow for deferred implementation. The authority now has expanded powers, reduced response times, and the presumption that information at its disposal is valid. Organizations whose AML compliance program is not technically structured, does not have continuous audits, nor is defensible with documented evidence face a growing risk of materially high sanctions.

A gap analysis is not an optional exercise: it is the first step in determining what is required today, what must be prepared immediately, and what can remain conditional. The cost of acting before a request is issued is significantly lower than the cost of acting afterward.

We assess the specific impact on your organization

Gap analysis · AML manual updates · Audits under international standards · Advisory services for self-correction before the SAT/FIU. Contact: [email protected]