Financial institutions in Mexico did not make the honor roll this year in the country’s latest report card on anti-money laundering and counter-terrorism financing efforts, which addressed serious weaknesses in the way banks assess and manage such risks.

The recently released 236-page “Mutual Evaluation Report” on Mexico was conducted by the Financial Action Task Force (FATF), an independent, inter-governmental body that develops and promotes policies to protect the global financial system against money laundering and terrorist financing. For the first time since 2008, FATF assessed Mexico’s overall level of compliance with the FATF’s 40 anti-money laundering and counter-terrorism financing (AML/CTF) recommendations, recognized globally as a gold standard.

Although the FATF noted that Mexico has a “mature AML/CFT regime, with a correspondingly well-developed legal and institutional framework,” it also discussed several risks that have not yet been fully addressed by financial institutions. These risks concern customer profiling; the identification and risk classification of Politically Exposed Persons (PEPs); the identification of beneficial owners; and the quality of suspicious transaction reports.

This article explores some of those key risks, as well as opportunities for improvement, identified in the report:

Beneficial ownership risk. Many financial institutions seek to identify beneficial owners only to a limited extent, thwarting efforts to assess and manage money laundering and terrorism financing risks. Specifically, where financial institutions are required to identify beneficial owners—for legal persons categorized as high risk and natural persons—they “tend to over-rely on customers’ self-declarations to determine who the beneficial owners are,” the report stated.

Most legal persons are not categorized as high risk. In these situations, financial institutions need only obtain information on corporate customers’ first layer of legal ownership, without seeking to reach the natural persons who ultimately own or control the entity.

“While some foreign banks, consistent with their group-wide policies, attempt to identify and verify the identity of the ultimate beneficial owners of legal persons regardless of their risk ratings, this is not the common practice of domestic FIs when dealing with legal persons not classified as high risk,” the report stated. The compliance lesson here is that compliance officers at financial institutions must dig deeper to identify the true beneficial owners to fully protect themselves from domestic and international money laundering and terrorist financing threats.

“This issue, like many others raised in the FATF Report, is not unique to Mexico,” says Juliana Carter, an associate at law firm Ballard Spahr. In fact, the U.S. Customer Due Diligence (CDD) regulations issued by the Financial Crimes Enforcement Network, and expected to take effect in May 2018 specifically allow covered financial institutions to rely upon customer declarations regarding beneficial owners.  “This is because it can be supremely difficult for—and, thus, unfair to expect—financial institutions to vet the accuracy of a declaration that Person X ‘really’ is a beneficial owner of Entity Y,” Carter says.


Mexican regulators must enact regulations like the CDD regulations in the United States before financial institutions can better identify their beneficial owners. Only then can financial institutions perform certain enhanced due diligence on potential clients in the case of red flags, or where declarations of beneficial ownership may not be accurate.  “This due diligence could include checking available databases or public filings,” Carter says.  

Financial institutions don’t need to look any further than HSBC to learn what can happen when a bank fails to maintain an effective AML program and conduct appropriate due diligence on foreign correspondent account holders. In 2012, HSBC paid a then-record fine of $1.2 billion for helping Mexican drug cartels launder $881 million in drug trafficking proceeds through HSBC Bank USA. As part of that resolution, HSBC entered into a five-year deferred prosecution agreement, which ended in December 2017.

Politically exposed persons (PEPs) risk. Many large financial institutions have developed methodologies to risk categorize customers based on multiple parameters, including type of customer; geographical region; products and services (e.g., involvement in international transactions or cash transactions). Nonetheless, these methodologies for risk categorizing customers “don’t often appear sufficiently robust to reasonably reflect customer risk profiles,” the FATF stated. This is evidenced by the fact that most financial institutions categorize PEPs as low risk, “reflecting their lack of understanding of money laundering threats of corruption,” the report stated.

“A serious concern across all sectors is that beneficial owners are being identified only to a limited extent, systematically weighing on entities’ effectiveness in assessing and managing money laundering and terrorist financing risks.”
Financial Action Task Force

To identify domestic PEPs, many financial institutions rely on public databases where the names of certain senior officials at federal and state levels are published. Senior military officers, executives of state-owned companies, and officials at the municipal level, however, are not considered domestic PEPs and, thus, are not subject to the same level of transparency. 

“As a result, the risks posed by domestic PEPs are being managed only to a limited extent,” the report stated. The compliance and legal risk this poses, as described by the report, is that many financial institutions “do not obtain additional information on the origin and destination of funds and the intended nature of the business relationship or require manager’s approval for establishing such relationships.”

Examples of enhanced measures that regulations require financial institutions to perform on their high-risk customers include obtaining a manager’s approval before establishing the business relationship; obtaining additional information on origin and/or destination of funds and the nature of business relationship; and reviewing their risk profiles at least twice a year.

Suspicious transaction reports (STRs). Another concern noted by the FATF concerns the quality of STRs. Specifically, the reporting by large financial institutions of “Unusual Transaction Reports” (UTRs), defined as transactions that may be related to money laundering or terrorist financing, is “not always as prompt as it should be,” the report stated.

Financial institutions must use automated systems to monitor transactions and generate alerts as a first step for identifying UTR/STRs. Many financial institutions said UTRs/STRs are triggered most often by involvement of cash transactions; inconsistencies between a customer’s profile and transactional behavior; and high-risk locations of the customer or transaction.

“In general, large banks’ systems seem more robust, while the concerns are greater with respect to smaller banks and non-banks,” the report stated. It added that these findings are consistent with observations made by the Comisión Nacional Bancaria y de Valores (CNBV), an independent agency responsible for supervising and regulating financial institutions in Mexico.

Specifically, the CNBV noted that some financial institutions generate either too few or too many alerts. In the former instance, reports that should have been reviewed were not flagged, whereas in the latter instance, the quality and promptness of the analysis may have been compromised, according to the report.

The broader compliance lesson here: Some financial institutions “need to calibrate their systems to address this issue,” the report suggested. Some need to improve on the quality of reporting, notably in relation to performing an adequate analysis and preventing the omission of critical information.

Again, Mexico is not alone in needing to improve its reporting; the United States similarly struggles with financial institutions filing too many reports or reports that are too opaque. “Typically, better training of employees leads to better suspicious activity reporting, the quality of which often turns on the report's level of detail,” Carter says.

Laudable compliance practices

The report did not contain all bad news for financial institutions. For example, the FATF noted, many banks and brokerage firms appear to be implementing AML/CFT requirements regarding wire transfers beyond legal obligations. This is because banks generally consider wire transfers a high-risk product.

Among a few good risk management practices mentioned, some banks include the beneficiary’s name and account number in cases where the bank is the ordering institution; screen transfers that lack information, including that on the beneficiary, in cases where the bank is the intermediary or beneficiary institution; and take actions upon detection of wire transfers that lack information—such as either rejecting transfers or requesting missing or invalid information from the institution from which the transfer was received.

Furthermore, the report stated, financial institutions generally pay special attention to business relationships and transactions with persons in high-risk jurisdictions. Some financial institutions and money services businesses—money remitters, exchange centers that only conduct currency exchange, and exchange houses that are authorized to carry out both remittance and currency exchange activities—indicated that they don’t deal with persons, whether natural or legal, from countries for which the FATF calls for counter measures.

Additionally, some have also developed their own list of additional high-risk countries with which they do not conduct business. For transactions involving jurisdictions with strategic deficiencies identified by the FATF, financial institutions indicated that they “subject transactions involving these jurisdictions to enhanced monitoring by, for instance, developing special parameters or lowering the threshold for alerts to be generated,” the report stated.

Compliance certifications

To further help improve and standardize AML/CFT knowledge and practice among compliance and audit professionals who render services to financial institutions, the CNBV implemented a program requiring that all compliance officers, as well as internal and external auditors, be certified through an examination process administered by the CNBV. The objective of this certification is to validate that compliance and audit professionals engaged in such activities possess the necessary knowledge on AML/CTF.

Certification must be renewed every five years. Since rolling out this requirement gradually since June 2015 across the various sectors supervised by CNBV, over 2000 certifications have been issued. The program is in the process of being extended to the insurance and pension fund sectors.

“The FATF’s Mutual Evaluation Report on Mexico illustrates that successful AML procedures cannot occur in a vacuum, and that the success of FIs in implementing those procedures often depends upon context and the country in which they operate,” Carter says. Although financial institutions can always work on improving their internal systems and processes, she says, “ultimately the adequacy of a particular country’s AML system is a function of the relationship between industry and government, and the extent of the problems that a particular country may be facing.”