The AML/CFT Manual: Governing and Mandatory Instrument

“The AML/CFT Manual: Governing and Mandatory Instrument” analyzes the legal and operational nature of the anti-money laundering and counter-terrorism financing manual as an essential tool for obligated entities in Mexico. It explains its regulatory character under the LFPIORPI and international standards, its role as the central axis of compliance policies, as well as the minimum elements it must contain, objectives, scope, risk methodology, KYC policies, cash limits, reporting, and audits, emphasizing that its timely updating and proper implementation are indispensable to ensure traceability and the legal protection of organizations.


HMG

10/3/2025

The Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) Manual is the fundamental document for any company or individual that engages in vulnerable activities under the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI), also known as the Anti-Money Laundering Law.

This manual acts as the governing instrument that translates legal obligations into clear policies, criteria, measures, and operating procedures.

Purpose and Obligation

Its purpose is to prevent, detect, and report operations linked to resources of illicit origin and terrorist financing. By doing so, it aligns the entire organization under a common language, clear responsibilities, and verifiable controls.

In addition to being the cornerstone of the compliance strategy, its preparation and custody are an explicit legal obligation. It is important to note that, with the recent July reforms to the Anti-Money Laundering Law, the requirements for preparing this manual are stricter than ever.

Essential Content

The AML/CFT Manual must comprehensively cover the following elements:

  • Objectives and Scope

  • Compliance Governance

  • Know Your Customer (KYC) and Identification

  • Risk Management

  • Limits on the Use of Cash and Virtual Assets

  • Reports to the Authority

  • Training

  • Audit

  • Systems

  • Document Retention

  • Periodic Update

How to Properly Prepare an AML/CFT Manual?

While it is true that every vulnerable activity is unique and every Obliged Entity has specific needs that its manual must address, there are constant and essential elements that must be considered when designing it. Therefore, a general guide for the manual's preparation is presented below:

The manual must start by defining its objective and general scope of application. It is essential to explicitly state that its compliance is mandatory for the entire obliged audience, including shareholders, directors, employees, and any third party involved in the entity's vulnerable activities, applying without exception in all operating locations.

Table of Contents and Content Map

A structured index must be included to serve as a framework for the drafting and subsequent verification of compliance. Suggested chapters include:

  • Manual Preparation and Update

  • Vulnerable Activities

  • General Obligations

  • Cash and Virtual Assets Limits

  • Know Your Customer (KYC) Policies

  • Risk Classification and Methodology

  • Reports to the Authority (Relevant, Unusual, Internal Concerns)

  • Internal Structures (Compliance Officer)

  • Training and Dissemination

  • Automated System

  • Other Obligations

  • General Provisions

  • Consultation Lists

Applicable Regulatory Framework

It is necessary to include a summary table that establishes the regulatory link between the LFPIORPI, its Regulations, and the General Character Rules (RCG). This table should organize key topics (such as identification, notices, use of cash, beneficial owner, inspections, information reserve, and penalties) to guide the reader on the legal basis for each measure.

II. Operation and Compliance

Compliance Officer/Manager

The Compliance Officer or Manager (or the corresponding area) must be formally designated, defining them as the primary responsible party for submitting notices, issuing operating criteria, and coordinating with other internal control committees. Their members and contact details must be listed.

General Operating Process

It is required to diagram the minimum operating flow for executing vulnerable activities. This "parent procedure" must be located at the beginning of the manual and include the following steps:

  • Identification of the vulnerable activity.

  • File integration and custody.

  • Obtaining signatures and declarations (data, privacy, beneficial owner).

  • Document cross-reference against originals.

  • Format capture.

  • Verification against the Blocked Persons Lists (AML/CFT) and the List under Article 69-B of the CFF (Federal Tax Code).

  • Definition/Explanation of cash limits.

  • Submission of notices/reports and handling of authority requirements.

Inventory of Vulnerable Activities and Thresholds

For each subsection (fracción) of Article 17 of the LFPIORPI that applies to the Obliged Entity, the following must be detailed:

  • Description of the activity.

  • Identification Threshold.

  • Notice Threshold.

  • Limits on the Use of Cash/Virtual Assets (expressed in UMA and its equivalent in pesos per period).

Furthermore, the obligation to submit the “no-operations report” when the notice threshold is not reached must be made explicit.

Policy on Limits and Payment Prohibitions

This section must specify the activities subject to limits or prohibitions on the use of cash and virtual assets. It is crucial to establish the prevention and return procedure to follow if undue cash payments are detected. This procedure must include a record of the operation, client notification, and an analysis by the Compliance Officer to determine the need for a notice to the authority. A table of limits by applicable subsection (fracción) must be attached.

Know Your Customer (KYC) and Identification Policy

KYC criteria and procedures must be established, covering:

  • File Integration and Retention: Documentation must be retained for a period of 10 years, in physical and digital formats, with defined access controls.

  • Pre-Interview: Define whether it is in-person or remote, detailing the required validations for the process.

  • Document Cross-Reference and Handling: Establish the procedure for cross-referencing against originals and handling documents with strike-throughs or amendments (including valid alternatives and references).

  • Other Identification Means: List the means of identification that are accepted as valid.

  • Reserve and Confidentiality: Establish the prohibition of the practice known as “tipping-off” (disclosure of information about reports or requirements to clients).

III. Risk Management, Monitoring, and Reporting

Key Formats and Evidence

The manual must incorporate the essential client onboarding formats: Individual (PF), Legal Entity (PM), Trust (Fideicomiso), and the Beneficial Owner format. It is essential to include the Risk Grade Determination Form (DGR). Specific responsibilities for capturing, reviewing, and archiving all these documents must be defined.

Screening Lists

The exact procedure for consulting the AML/CFT (LD/FT) and OFAC/PEP lists, and the list under Article 69-B of the CFF, must be documented. It is mandatory to retain evidence of each consultation (screenshots or search folios). If an automated system is not in place, the temporary manual method and the process for safeguarding the proof must be described.

Risk Classification and Re-evaluation

The manual will establish the methodology and factors used for the client's initial classification. It must include reclassification rules and an annual verification protocol for high-risk files. This protocol will include, where applicable, home visits and obtaining enhanced information (e.g., source and destination of funds, documentation of Politically Exposed Person - PEP status, and required internal approvals).

Institutional Risk Assessment Methodology

The process for the design and periodic update of the entity's risk assessment methodology will be described. This includes the identification of new risks, the impact of new technologies, and the obligation to adjust the compliance program whenever the authority requests it or the institutional risk matrix requires it.

Transactional Profile and Alert System

It is essential to define how the expected transactional profile is established, what the alerts generated by the system will be, and the procedure for managing deviations (analysis, documentation, escalation to the Compliance Officer, and, if applicable, the submission of the corresponding notice).

Reports to the Authority (Notices and Reports)

Clear criteria must be included for:

  • Relevant Operations: Define the threshold and procedure.

  • Unusual Operations: Describe the circumstances that constitute them.

  • Internal Concern Operations: Define what constitutes them.

  • 24-Hour Notice: Establish the protocol for urgent cases.

  • No-Operations Reports: Specify the periodicity.

The deadlines, submission means (SPPLD), and internal roles responsible for their generation and submission will be detailed.

IV. Structure, Control, and Continuous Improvement

Internal Structures and Functions

The integration and functions of the Compliance Committee, the responsibilities of the Compliance Officer, and the role of the Compliance Members must be specified. Furthermore, the meeting mechanisms, approval criteria, and the casting vote, if applicable, will be defined.

Training and Dissemination

The manual will establish a mandatory annual training program that includes evaluations and the issuance of certificates. It must set a minimum passing score, require courses to be repeated in the event of regulatory updates, and define a specific policy for new hires and for personnel already in their roles. It is vital to retain the certificates and evidence of all training provided.

Automated System and Transition

The functional requirements of the system (monitoring, profiles, operation accumulation, alerts, PEP, and high-risk tracking) must be described. If the tool is not implemented, the transitional manual procedure and the evidence of its application will be documented.

Audit and Continuous Improvement

The periodicity and scope of the internal or external audit will be set, based on the institutional risk level. The process for addressing and correcting findings and the subsequent manual update will be detailed.

Document Retention and Traceability

Rules for the custody of documentation (for a minimum period of 10 years) will be established, defining the storage media (physical/digital), access controls, and the procedures to follow in the event of authority requests, appeals, or lawsuits.

Approval, Version Control, and Submission

The manual will define the internal approval circuit (Officer → Committee), the deadlines, and, if required by the authority, submission via the SPPLD, with the corresponding acknowledgment receipt retained. It is mandatory to retain version control of all editions of the manual.

Manual Update Procedure

A process for updating will be established that includes regulatory monitoring, impact analysis, Committee approval, and internal publication. The annual review and extraordinary reviews due to relevant regulatory changes will be scheduled.

An effective manual is, in essence, a compliance operating system. By precisely defining the governance, flows, thresholds, lists, KYC, risks, alerts, reports, training, audit, and technology, the organization transforms legal obligations into practical and measurable controls. The key to its effectiveness lies in keeping it "alive": training, monitoring, auditing, documenting, and updating, closing the vulnerable activity cycle with evidence and constant traceability to the authority.