Crypto Law Profile

Mexico Federal AML Law (LFPIORPI)

Mexico’s LFPIORPI is an in-force AML statute that treats certain virtual-asset exchange, custody, storage, and transfer services as vulnerable activities subject to registration, customer identification, recordkeeping, and notice obligations.

Mexico Effective Act Jul 17, 2013
View official text Suggest correction

At a glance

Jurisdiction Federal statute applies nationwide in Mexico.
Status In force; latest statutory reform was published July 16, 2025.
Crypto scope Article 17(XVI) covers virtual-asset exchange, custody, storage, and transfer activity.
Notice trigger Current text sets crypto notices at 210 UMA per customer operation or 4 UMA service fee.

Overview

The Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, commonly referenced as LFPIORPI, is Mexico’s federal anti-money laundering statute for identifying and reporting transactions that may involve illicit-source resources. The law applies throughout Mexico and is in force. Its original text was published in the Diario Oficial de la Federación on Oct. 17, 2012, entered into force nine months later, and the consolidated text reviewed for this profile shows the latest statutory reform published on July 16, 2025.

For crypto markets, the key provision is Article 17, section XVI. It classifies certain virtual-asset services by non-financial entities as “Actividades Vulnerables,” including habitual and professional exchange through electronic, digital, or similar platforms, and services that custody, store, or transfer virtual assets. The current text also reaches covered operations carried out with Mexican citizens from another jurisdiction.

Key provisions for virtual assets

LFPIORPI is not a standalone crypto licensing law. It is an AML/CFT identification and notice regime that brings certain crypto-asset activity into Mexico’s broader vulnerable-activities framework. Covered persons may need to identify clients and users, gather beneficial ownership information where applicable, register or update their vulnerable-activity status through the official portal, retain supporting documentation, and present notices to the Secretaría de Hacienda y Crédito Público.

  • Virtual-asset scope: Article 17(XVI) covers habitual and professional exchange, purchase or sale facilitation, custody, storage, and transfer services for virtual assets by persons other than financial entities.
  • Notice thresholds: the current consolidated text requires notices when a customer operation equals or exceeds 210 times the daily UMA value, or when service consideration equals or exceeds four times the daily UMA value.
  • Suspicion notices: Article 18 requires a notice within 24 hours when the regulated person has facts, indications, or suspicion that resources may be linked to covered illicit-source offenses.
  • Recordkeeping and registration: Article 18 includes duties to keep supporting information and documentation for at least ten years and to register, update, or deregister through the official vulnerable-activities registry.

Status and implementation timeline

The statute is in force, but some 2025 reform obligations are still phase-in dependent. The July 2025 decree generally entered into force on July 17, 2025. However, the new risk-based obligations in Article 18 sections VII through XI take effect on the dates set in updated general rules. SAT and UIF guidance states that the pre-existing regulation and general rules continue to apply until those instruments are updated.

The official anti-money-laundering portal also lists a March 27, 2026 reform to the LFPIORPI regulation. As of this draft’s verification date, the same official source still listed the general rules reforms through the Nov. 30, 2020 amendment, making the next key review item the general-rules update contemplated by the 2025 statutory reform.

Jurisdictional impact

Mexico treats the covered virtual-asset activities as part of its AML vulnerable-activities regime rather than as a general authorization to offer crypto products. SAT guidance states that persons other than financial entities that provide exchange platforms, wallets, purchase-and-sale sites, ATMs, or digital platforms for virtual assets may be supervised by SAT for this activity. Separate fintech, banking, payments, consumer, tax, and securities questions may apply outside this profile.

The law also distinguishes the treatment of financial entities from the treatment of non-financial vulnerable activities. Financial entities remain subject to the AML provisions in their sectoral financial laws, while Article 17 captures listed non-financial activities, including the virtual-asset activity added through Mexico’s fintech-law reform process.

Editorial context

This profile should be read as a legal-reference summary, not legal advice. Editors should verify any updated SAT forms, general rules, UMA amounts, and regulator guidance before publication because the 2025 reform changed statutory thresholds and the implementation materials may be updated independently of the consolidated statute.

Key provisions

AML purpose and national scope

Establishes measures and procedures to prevent and detect transactions involving illicit-source resources across Mexico.

AML/CFT Jul 17, 2013 Source

Virtual-asset vulnerable activity

Covers habitual professional virtual-asset exchange, custody, storage, or transfer services by non-financial entities, including Mexican-citizen operations from abroad.

Regulatory perimeter Sep 9, 2019 Source

Virtual-asset notice thresholds

Current Article 17(XVI) text requires notices at 210 UMA per customer operation or when service consideration reaches 4 UMA.

AML/CFT Jul 17, 2025 Source

Registration and recordkeeping

Requires vulnerable-activity registration or updates and retention of supporting information and documentation for at least 10 years.

Licensing & Registration Jul 17, 2025 Source

Risk-based compliance controls

Adds risk assessments, internal policies, training, automated monitoring, and audit review obligations, with Article 18(VII)-(XI) phase-in set by general rules.

AML/CFT Source

Timeline

  1. Original law published

    The decree issuing LFPIORPI was published in the Diario Oficial de la Federación.

    Enacted Source

  2. Original law entered into force

    Transitory article provided entry into force nine months after publication.

    In force Source

  3. Virtual-asset activity became covered

    SAT/UIF portal states that Article 17(XVI) virtual-asset activity entered into force.

    In force Source

  4. Virtual-asset registration rules updated

    General rules were amended for asset-virtual service registration through the SPPLD process.

    Effective Source

  5. 2025 statutory reform published

    Reform amended LFPIORPI and Article 400 Bis of the Federal Criminal Code.

    Enacted Source

  6. 2025 reform generally in force

    The 2025 decree generally entered into force the day after publication, subject to exceptions.

    In force Source

  7. Regulation reform listed

    The official PLD portal lists a reform to the LFPIORPI regulation published on this date.

    Enacted Source

Who it affects

Actors

Banco de México, Secretaría de Hacienda y Crédito Público, Servicio de Administración Tributaria, Unidad de Inteligencia Financiera

Asset classes

Cryptocurrencies, Virtual assets

Official sources

Consolidated LFPIORPI text Cámara de Diputados Official consolidated statute Jul 16, 2025 Spanish High 2025 LFPIORPI reform decree Diario Oficial / Cámara Official reform decree Jul 16, 2025 Spanish High PLD portal: reform criteria SHCP/SAT Regulator guidance Spanish High PLD portal: legal framework SHCP/SAT Official source index Spanish High SAT virtual-assets vulnerable activity page SAT Regulator guidance Spanish Medium-high

Editorial note

English editorial profile for Mexico’s LFPIORPI. Official legal text is Spanish. Verify current UMA values, SAT forms, and any updated general rules before publishing.