Detailed overview
Mexico: Fintech Law, Banxico Virtual Assets and AML Vulnerable Activities
Regulators
Mexico’s crypto and virtual-asset framework is divided among several authorities. Banco de México regulates virtual-asset operations by credit institutions and financial technology institutions. The Comisión Nacional Bancaria y de Valores authorizes and supervises financial technology institutions and administers the securities-market framework. The Secretaría de Hacienda y Crédito Público, the Servicio de Administración Tributaria and the Unidad de Inteligencia Financiera administer the AML vulnerable-activity framework for non-financial virtual-asset operators.
Legal framework
Mexico does not have a single general VASP licence for all crypto businesses. The regulatory result depends on the operator and the activity.
Financial institutions and financial technology institutions are subject to the Fintech Law and Banco de México Circular 4/2019. Non-financial virtual-asset exchanges, custodial wallets, storage and transfer providers are primarily regulated as vulnerable-activity operators under the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin. Securities tokens and tokenised investment instruments are subject to separate analysis under the Securities Market Law.
Virtual assets under the Fintech Law
The Fintech Law defines a virtual asset as an electronically recorded representation of value used by the public as a means of payment for legal acts and transferable only through electronic means. Legal-tender currency in Mexico, foreign currency and assets denominated in legal-tender currency or foreign currency are excluded.
Financial technology institutions may operate only with virtual assets determined by Banco de México through general provisions. They must obtain prior Banco de México authorization before carrying out those operations.
Banco de México decides the characteristics of virtual assets and the conditions and restrictions for operations involving them. It also establishes custody and control measures. For this purpose, custody and control means possession of the signatures, keys or authorizations sufficient to execute the relevant operations.
Financial institutions and ITFs
Banco de México Circular 4/2019, as amended by Circular 37/2020, currently restricts credit institutions and financial technology institutions to internal virtual-asset operations. These operations require prior Banco de México authorization.
The circular requires institutions to prevent the risks of virtual-asset operations from being transmitted directly or indirectly to clients. It also states that operations are not eligible for authorization where the institution seeks to provide direct customer services of exchange, transmission or custody of virtual assets.
This is a key feature of the Mexican regime. A bank or ITF should not treat Banco de México authorization as a route to provide ordinary customer-facing crypto exchange, transfer or custody services unless the regulatory position changes.
Financial technology institution authorization
A business may need authorization as a financial technology institution if it performs activities attributed to collective-financing institutions or electronic-payment-funds institutions in Mexico. Authorization is requested from the CNBV and requires approval through the statutory process involving the Interinstitutional Committee.
An electronic-payment-funds institution may issue electronic payment funds referenced to foreign currency or virtual assets only with prior Banco de México authorization and subject to the terms and conditions set by Banco de México.
A crypto product that includes customer balances, stored value, payment accounts, merchant settlement, e-money-like claims or payment functionality should therefore be assessed under the financial technology institution rules as well as the AML rules.
Non-financial virtual-asset platforms
Non-financial virtual-asset operators are regulated under the AML vulnerable-activity framework.
The vulnerable activity covers the habitual and professional offering of virtual-asset exchange by persons other than financial entities, through electronic, digital or similar platforms they administer or operate. It also covers platforms that facilitate or perform purchases or sales of client-owned virtual assets, or provide means to custody, store or transfer virtual assets.
The statutory text expressly includes operations carried out with Mexican citizens from another jurisdiction. Offshore incorporation or offshore infrastructure does not, by itself, remove Mexican AML exposure.
A centralized exchange, crypto broker, OTC desk, hosted wallet, custodial wallet, transfer service, storage service or private-key control provider may fall within this vulnerable-activity regime where it habitually and professionally serves Mexican users or Mexican citizens.
A pure software provider may fall outside the regime if it does not administer or operate the platform, facilitate or perform purchases or sales, custody or store assets, control keys, or provide means to transfer assets. The factual role of the provider is decisive.
AML registration
A person performing a virtual-asset vulnerable activity must register with SAT through the AML internet portal before filing the first Aviso. The operator must be registered in the Federal Taxpayer Registry and must have a valid advanced electronic signature.
The SPPLD portal is used for vulnerable-activity registration, Avisos and zero reports. The operator should maintain portal access, filing records, internal approvals and evidence of all submissions.
Thresholds
For virtual-asset vulnerable activities, the current Aviso threshold is 210 times the daily UMA for the customer’s operation amount. There is also a separate threshold of 4 times the daily UMA where the operation gives rise to a service consideration, regardless of how the fee is described.
For 2026, SAT states that the daily UMA from 1 February 2026 is MXN 117.31. This gives a 210-UMA threshold of MXN 24,635.10 and a 4-UMA threshold of MXN 469.24.
Client identification is separate from the Aviso threshold. SAT’s current threshold page treats identification for virtual assets as always required.
AML obligations
Virtual-asset vulnerable-activity operators must identify and directly know their clients or users, verify identity using official documents or other recognized official means, and keep copies of identification materials.
Where a business relationship is established, the operator must obtain information on the client’s activity or occupation. For legal entities, trusts and other legal figures, the operator must identify the beneficial controller. For natural persons, the operator must obtain a declaration about whether the person knows of a beneficial controller and, where applicable, obtain documentation to identify that person.
The operator must keep supporting information and documentation for at least ten years. This includes records that allow reconstruction of individual operations, commercial correspondence and prior analyses.
The operator must register or update its vulnerable-activity registration, cooperate with verification visits, file Avisos and Informes, and file a 24-hour Aviso where it suspects, or has information based on facts or indicia, that resources related to the act or operation may come from or be destined for money-laundering crimes, even if the act or operation is not completed.
The 2025 AML reform added obligations covering risk-based assessment, internal policies, politically exposed persons, group policies, annual training, automated monitoring, intensified monitoring for high-risk customers, and audit. However, the statute provides that Article 18 fractions VII to XI enter into force within the deadlines established by the general rules. Operators should prepare for these obligations but verify the latest implementing rules before finalizing procedures.
Originator and receiver information
Virtual-asset vulnerable-activity operators must obtain, maintain and make available to competent authorities precise information on virtual-asset operations of the originator, the receiver and, where applicable, the beneficial controller.
This is Mexico’s statutory virtual-asset transfer information requirement for non-financial operators. The operational detail is to be set by general rules. Operators should build systems capable of capturing, linking, retaining and producing originator, receiver and beneficial-controller information for virtual-asset transactions.
Compliance representative
Legal entities, trusts and other legal figures conducting vulnerable activities must designate a Representative in Charge of Compliance before the Secretaría and keep that designation current.
If there is no representative or the designation is not accepted, compliance responsibility falls to the governing body, sole administrator, settlor or equivalent administrator. The representative must receive annual training.
Clients and users must provide the information and documentation needed for compliance. If the client refuses, the operator must abstain from carrying out the act or operation.
Filing deadline
Avisos must be filed with the Secretaría no later than the 17th day of the month immediately following the month in which the reportable operation occurred.
Sanctions
Failure to comply with LFPIORPI obligations can result in administrative fines. Sanctionable conduct includes failure to comply with official requirements, failure to comply with Article 18 obligations, late Avisos, incomplete Avisos, omitted Avisos and participation in prohibited acts.
Current fine bands include 200 to 2,000 UMA for certain compliance failures, 2,000 to 10,000 UMA for certain specified failures, and 10,000 to 65,000 UMA or 10% to 100% of the value of the act or operation, whichever is greater, for omitted Avisos and prohibited acts.
Securities tokens
Tokenised securities require separate securities-law analysis.
The Securities Market Law defines securities broadly to include shares, equity interests, obligations, bonds, warrants, certificates, promissory notes, bills of exchange and other credit instruments that are capable of circulation in the securities markets, are issued in series or mass, and represent share capital, an aliquot part of an asset, participation in a collective credit, or an individual credit right.
Securities must be registered in the National Securities Registry before they can be publicly offered in Mexico. Public offerings require prior CNBV authorization, except for offerings involving simplified-registration securities.
A tokenised share, tokenised debt instrument, receivable token, fund-like interest, profit-participation token, investment contract, derivative-linked token or mass-issued investment token should therefore be reviewed under the Securities Market Law as well as the crypto AML framework.
Risk disclosures and client assets for ITFs
Where an ITF is permitted to operate with virtual assets, it must be able to deliver to the client the amount of virtual assets owned by that client or the Mexican-currency amount corresponding to proceeds from sale. It must comply with settlement and refund rules set by Banco de México.
An ITF may not sell, assign, transfer ownership of, lend, pledge or otherwise affect virtual assets it custodies and controls for clients except by client order.
An ITF operating with virtual assets must disclose, at minimum, that virtual assets are not legal tender and are not backed by the Federal Government or Banco de México, that executed operations may be irreversible, that virtual assets are volatile, and that technological, cyber and fraud risks are inherent to virtual assets.
Current regulatory outlook
The most important current Mexico update is the 2025 AML-law reform and the 2026 AML-regulation amendment.
The 2025 reform entered into force on 17 July 2025, subject to stated exceptions. SHCP must modify the AML general rules within twelve months from entry into force. The obligations in Article 18 fractions VII to XI enter into force according to the deadlines set in those general rules.
The 2026 AML-regulation amendment was published on 27 March 2026 and entered into force the following day. It updates registration, verification, information-request, threshold and transition mechanics.
Crypto operators serving Mexico should treat the AML framework as active now, while monitoring for amended general rules, updated forms and detailed implementation rules after the 2025 reform.