Latam Rules and Regulations

Rules and Regulations: Argentina & Mexico

Rules and Regulations: Argentina

In line with the amendments introduced by Law No. 27,739 to Law No. 25,246, which contemplates the anti-money laundering and financing of terrorism regime (“AML/FT”), General Resolution No. 944/2024, issued by the Argentine Securities Commission (the “CNV”) (the “CNV Resolution”), was published in the Official Gazette on March 25, 2024 and regulates the Registry of Virtual Asset Service Providers (the “VASP Registry”).

In addition, the Financial Information Unit (the “UIF”) issued Resolution No. 49/2024 (the “UIF Resolution”), published in the Official Gazette on the same date, which regulates the activity of the Virtual Asset Service Providers registered with the CNV (the “VASPs”) as new reporting parties before the UIF.

The CNV Resolution and the UIF Resolution became effective on March 26, 2024.

1. The VASP Registry

The CNV Resolution provides that individuals and legal entities residing or incorporated in Argentina, before being able to carry out activities or transactions related to virtual asset services (the “VASP Activities”) 1, must register in the VASP Registry. For those VASP that are currently operating, the CNV Resolution provides a 45-day term to comply with registration.

Such obligation extends to individuals and legal entities residing or incorporated abroad that carry out any VASP Activity, provided that they do so under any of the following modalities: (i) they use any “.ar” domain to carry out their activities or operations; (ii) they have commercial agreements with third parties, subsidiaries, or related parties that enable them to receive funds or assets locally from residents to perform the activities or operations (or any similar activity known as ramp services); (iii) they clearly target their offers to residents in the country; (iv) they carry out advertising activities clearly directed to residents in the country; and (v) their turnover in the country exceeds 20% of their total turnover.

However, those parties performing VASP Activities but whose transactions do not exceed 35,000 purchasing value units (UVA) 2 (which may be updated according to the Reference Stabilization Ratio, “CER” for its acronym in Spanish) per month are excluded from the obligation to be registered in the VASP Registry.

Section 6 of the CNV Resolution emphasizes that registration in the VASP Registry does not imply the granting of a license by the CNV on the VASP Activities.

The CNV Resolution establishes the mandatory disclaimer that must be included by persons registered in the VASP Registry on their website, in any social network or other media related to their activity, including materials for dissemination and/or promotion.

Finally, it should be noted that persons domiciled, incorporated, or residing in non-cooperative jurisdictions for tax transparency purposes and considered non-cooperative or high-risk by the FATF may not be registered in the VASP Registry.

2. Anti-Money Laundering and Terrorist Financing Regime

2.1 Definitions

The UIF Resolution incorporates, among others, the following concepts:

"Virtual Assets": the digital representation of value that can be traded and/or transferred digitally and used for payments or investments. In no case shall Argentina’s legal tender or the currencies issued by other countries or jurisdictions (fiat currencies) be considered as Virtual Assets.

"Self-custody wallets": software that enables interaction with an address in the blockchain system, allowing the transfer or reception of Virtual Assets, in which the users themselves assume the obligation to secure their private keys and have control over the Virtual Assets.

"Blockchain": type of distributed ledger technology (Distributed Ledger Technology, or DLT).

"Clients": those individuals, legal entities, and other legal structures - domestic and/or foreign - and those acting on behalf of the abovementioned, with whom a contractual relationship of a financial, economic, or commercial nature is established, on an occasional or permanent basis. Mere suppliers of goods and/or services shall not be qualified as Clients unless they maintain ordinary business relations with the Reporting Party for purposes other than the mere supply of goods and/or services.

“Virtual Asset Service Provider (“VASP”)”: any individual or legal person that, as a business, performs one or more of the VASP Activities.

“Peer to Peer Transfers (“P2P”)”: the exchange directly between users of Virtual Assets and legal tenders (fiat currencies) and/or between these and other Virtual Assets, where the parties to the transaction contact each other in a safe environment developed by a VASP for this purpose.

2.2. Reporting Parties. Registration

The UIF Resolution considers VASPs registered with the CNV as Reporting Parties, which must also register with the UIF within 30 days as from their registration with the CNV.

2.3. Reporting Party's AML/FT System

UIF Resolution incorporates a AML/FT system with a risk-based approach, which shall contain policies, procedures, and controls to identify, evaluate, monitor, manage and mitigate risks identified according to a self-assessment made by the Reporting Party and in the national AML/FT risk assessments with respect to the VASP activities, considering, at least, risks associated to: (i) clients (background, activities, behavior, volume or materiality of operations); (ii) products and/or services provided by the Reporting Party; (iii) distribution channels (face-to-face, internet or ATMs); and (iv) geographical areas in which the products and/or services of the Reporting Party are offered as well as those areas linked to the operation’s process.

The Reporting Party shall analyze separately each VASP activity it performs, being able to submit individual self-assessment reports for each of them or a single consolidated report, which shall be filed with the CNV and the UIF together with the “Risk Tolerance Statement” (identifying the AML/FT risk margin that the Reporting Party is willing to assume according to the terms of the UIF Resolution) before April 30 of each calendar year.

2.4. Compliance with the AML/FT System

It is established that, to comply with the AML/FT system, the Reporting Parties must adopt -as a minimum- policies, procedures, and controls for the purposes of:

(i) corroborating that Clients and their ultimate beneficiary owners are not included in certain registers and lists related to AML/FT (before, and during, the entire business relationship);

(ii) applying all regulations related to Politically Exposed Persons, as established by the UIF;

(iii) carrying out an initial and continuous "due diligence" process for Clients (keeping their respective files updated);

(iv) identifying, verifying, and knowing their Clients’ ultimate beneficiary owners on an ongoing basis;

(v) qualifying and segmenting all Clients according to risk factors;

(vi) establishing alerts and monitoring all operations and/or transactions linked to VASP Activities, with a risk-based approach;

(vii) formulating systematic reports to the UIF 3;

(viii) determining in which cases the Reporting Party shall be entitled to not credit, or to suspend, a Virtual Asset transfer that lacks the required originator and/or beneficiary information, as well as the appropriate follow-up action;

(ix) analyzing and recording all Unusual Transactions 4, and detecting and reporting all Suspicious Transactions 5;

(x) cooperating with the competent authorities;

(xi) not accepting, or dismissing, clients and stating the reasons for such decision;

(xii) developing an annual training on AML/FT for its employees and collaborators;

(xiii) designating a compliance officer and an alternate compliance officer before the UIF and establishing their functions;

(xiv) registering, filing, and keeping information and documentation of a) Clients and ultimate beneficiary owners from the beginning of the relationship and for a minimum of ten (10) years as from the termination of the relationship, and b) the transactions carried out for a minimum of ten (10) years as from the date on which they are made;

(xv) evaluating the effectiveness of the AML/FT system through an independent external review to be carried out annually and the annual internal audit; and

(xvi) ensuring adequate standards in the selection and hiring of directors, managers, employees, and collaborators;

(xvii) establishing a code of conduct;

(xviii) preparing an AML/FT manual, which shall contain the abovementioned policies, procedures, and controls and which shall be reviewed annually; and

(xix) taking into consideration in its risk analysis the countries included by the FATF in the list of jurisdictions under enhanced monitoring and applying enhanced measures in these cases.

The UIF Resolution regulates the duties of the Reporting Party’s management body or highest authority, and the appointment and functions of the compliance officer and deputy compliance officer. The compliance officer shall be supported by an AML/FT Committee, which shall be created by the Reporting Party for such purposes.

Groups 6 may designate a single compliance officer, alternate compliance officer and AML/FT Committee for all its members, provided that the tools for the management and monitoring of operations allow the abovementioned to access to all necessary information in due time and form.

2.5. Due Diligence. Policy for Identification, Verification and Knowledge of the Client and the Ultimate Beneficiary Owner

In relation to the client due diligence process, rules are established to identify, verify, and know clients, which are applicable to individuals, legal entities, or other types of legal structures, both at the beginning of the business relationship, as well as on an ongoing basis for regular clients.

As part of the Due Diligence process, the UIF Resolution establishes that the Reporting Party shall qualify and segment its clients by low, medium, or high risk, especially assessing certain risks detailed in the Resolution.

In cases where the Reporting Party determines that the client is a low-risk client, the simplified due diligence procedure may be used. If the client is determined to be a high-risk client, enhanced due diligence measures must be applied.

The non-identification of clients, or the impossibility to identify them, shall be understood as an impediment to engage in professional relationships, or if already engaged, to continue them.

2.6. Monitoring, Analysis and Reporting

Based on the risk analysis and the specific activity carried out, before engaging in business relationships, the Reporting Party shall draw up the Client's transactional profile. The Reporting Party shall monitor its Clients' transactions and ensure that they are consistent with their profile and associated risk level.

The Resolution requires the Reporting Parties to establish transaction control rules and automated alerts to monitor their Clients’ transactions. In addition, the Resolution lists, by way of illustration, certain circumstances that may be interpreted as triggers for alerts and controls and requires the Reporting Parties to deepen the analysis of any Unusual Transaction by obtaining information in order to corroborate or reverse the detected unusuality.

Moreover, the Resolution sets forth that Reporting Parties shall report to the UIF Suspicious Transactions within (i) 24 hours from the date on which the suspicious money laundering transaction is concluded, not exceeding 90 calendar days from the date on which the transaction was carried out or attempted; and (ii) 24 hours from the date on which the transaction was carried out or attempted in the case transactions involving the financing of terrorism or the financing for the proliferation of mass destruction weapons.

2.7. Other Rules

The UIF Resolution requires Reporting Parties to comply with the identification of the originator and beneficiary of transactions covered by the travel rule, in the terms established by the FATF International Standards and in the modality established by the UIF for the exchange and validation of such information.

The UIF Resolution also provides for the obligation of the Reporting Parties to monitor the deposits made in cash and take measures tending to mitigate the risks of those activities involving high volumes of cash to apply Enhanced Due Diligence measures (in case the Reporting Party deems it necessary based on its risk analysis). In this sense, deposits for amounts greater than, or equal to, six (6) Adjustable Minimum Living Wages (SMVM) require the Reporting Party to identify the person carrying out the operation in accordance with the parameters set forth by UIF Resolution.

2.8. Effective Date

Although it is established in the UIF Resolution that it shall become effective the day after its publication in the Official Gazette, the Resolution sets forth deadlines for the enforcement of the following obligations:

i. Self-Assessment Report: the first self-assessment report and the methodology, contemplating the analysis for the 2024 period, must be submitted before April 30, 2025.

ii. Independent External Reviewer's Report: the first report of the independent external reviewer, contemplating the analysis for the 2024 period, must be submitted before August 31, 2025.

iii. Annual Systematic Report: the first systematic report, including the information required for the 2024 period, shall be submitted between January 2 and March 15, 2025.

3. Penalties

Any party that fails to comply with the obligations and duties set forth in the Resolution shall be subject to penalties, pursuant to the provisions of Chapter IV of Law No. 25,246 7.

1 Section 4 bis of Law No. 25,246 (as amended) defines a virtual asset service provider as an individual or legal person that, as a business, performs one (1) or more of the following activities or operations for or on behalf of another individual or legal person: (i) the exchange between virtual assets and legal tender (fiat currencies); (ii) the exchange between one or more forms of virtual assets; (iii) the transfer of virtual assets; (iv) the custodial and/or administration of virtual assets or instruments enabling control over virtual assets; and (v) the participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset (the "VASP Activities").

2 Approximately AR$27,000,000.

3 Monthly Systematic Reports (two separate reports per month), to be submitted between the 1st and 15th day of each month with respect to the previous calendar month, informing the UIF about: (i) transactions made with Virtual Assets, including information on the operator, the holder of the funds and the recipients, the types of transactions, dates, amounts, currency, country of origin and country of destination; and (ii) Client Registrations and Cancellations, with information identifying the clients of the Reporting Party. Annual Systematic Reports, to be submitted between January 2 and March 15 of each year with respect to the previous calendar year, proving the UIF general information (name, domicile, and activity), corporate and structure information, accounting information, information on the business conducted and types and number of clients of the Reporting Party.

4 Pursuant to paragraph j) of section 2 of the UIF Resolution, "Unusual Transactions" are those attempted or carried out in an isolated or repeated manner, regardless of the amount, which lack economic and/or legal justification, and/or are not related to the client's risk level or transactional profile, and/or which, due to their frequency, regularity, amount, complexity, nature and/or other particular characteristics, deviate from usual market practices and customs.

5 Pursuant to paragraph o) of section 2 of the Resolution, "Suspicious Transactions" are those attempted or carried out that give rise to suspicion, or reasonable grounds to suspect, that the property or assets involved come from or are linked to a criminal offense or are related to the financing of terrorism, or the financing for the proliferation of mass destruction weapons or that, having been previously identified as unusual, and after the analysis and evaluation carried out by the Reporting Party, the transaction’s unusual nature is unjustifiable.

6 A Group is understood as two or more Reporting Parties included in section 20 of Law No. 25,246, as amended, linked to each other by a control relationship or belonging to the same economic and/or corporate organization, pursuant to section 2 l) of the UIF Resolution.

7 The penalties provided for by section 24 of Law No. 25,246 include: (i) warning; (ii) warning with the obligation to publish the operative part of the resolution in the Official Gazette of the Argentine Republic and in up to two (2) newspapers of national circulation at the expense of the punished party, (iii) fine, from one (1) to ten (10) times the total value of the good(s) or operation(s) in those cases in which the non-compliance refers to the failure to report suspicious transactions or to the elaboration of such reports outside the terms and forms established for that purpose, (iv) a fine of between fifteen (15) and two thousand five hundred (2,500) modules for the rest of the non-compliances, for each one of them, and (v) disqualification of up to five (5) years to act as a compliance officer.

Rules and Regulations Mexico

Mexico is the first country in Latin America to enact specific laws to regulate Internet financial companies in the fintech sector. Currently, the country has three departments responsible for regulating the financial industry: the Bank of Mexico, the Ministry of Finance and Public Credit (SHCP) and the National Banking and Securities Commission (CNBV). Mexico’s cryptocurrency regulatory policies mainly revolve around laws such as the Fintech Law (Ley Fintech) and the Regulations of the Fintech Institutions Supervision Law (secondary law).

Payments and payment systems are regulated level by several federal laws and regulations. The main laws governing payments and payment systems in Mexico are:

The Mexican Constitution - Grants the Mexican Central Bank (Banco de México, “Banxico”) constitutional autonomy and the mandate to among others, regulate financial services in Mexico.

The Law of Payment Systems (Ley de Sistemas de Pago) - Outlines the requirements for a payment system to be considered systemically relevant, Banxico’s broad authority to regulate and supervise such systems, and a framework for the clearing and settlement of transactions through such systems.

The Central Bank Law (Ley del Banco de México) - Stipulates Banxico’s main purposes, including, promoting the correct functionality of Mexican payment systems.

The Law for the Transparency and Order of the Financial Services (Ley para la Transparencia y Ordenamiento de Servicios Financieros) - Provides additional tools to regulate payment systems and promote their transparency and competitiveness, including the regulation of fees charged by the participants of card networks.

The Law to Regulate Financial Technology Institutions (Ley para regular las Instituciones de Tecnología Financiera, known as the “Fintech Law”) - Main purpose is to keep e-wallets on behalf of their clients.

Secondary regulation issued by Banxico and/or by CNBV include: (i) Rule (Circular) 14/2017, which regulates the Mexican Peso denominated Interbank Electronic Payments System (SPEI) (amended in 2019 to implement a P2P online and mobile payment system called CoDI (Cobro Digital)); (ii) the Regulations applicable to the Network of Means of Utilization of Funds (Disposiciones PDF Generated: 4-11-2022 de carácter general aplicables a los Medios de Pago), which specifically regulate card networks (the “Payment Regulations”); and (iii) the Regulations applicable to IFPEs (Disposiciones de carácter general aplicables a las Instituciones de Tecnología Financiera and Disposiciones de carácter general aplicables a las Instituciones de Fondos de Pago Electrónico). The Anti-Money Laundering Law (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita, the “AML Law”), its regulations and interpretative notes by the Financial Intelligence Unit (Unidad de Inteligencia Financiera) also apply to payment systems, among others, given that they apply to issuers and distributors of prepaid, debit, credit and service cards, traveler checks issued by entities other than financial entities, as well as cryptocurrency exchanges. There are important judicial holdings to take into consideration by any participant in a card system, including precedents regarding authenticity and use of electronic signatures, vouchers and burden of proof with respect to authorization of transactions.

With fintech on the rise, Mexico passed the Fintech Law in 2018. The law focuses on authorizations for crowdfunding institutions (Instituciones de Financiamiento Colectivo-IFC) to carry out “crowdfunding” transactions, such as capital transactions regarding bonds, equity or ownership, and the other is to authorize electronic payment institutions (Instituciones de Fondos de Pago Electrónico-IFPE) to issue, manage, redeem and transfer electronic funds in a digital way, and virtual assets such as cryptocurrencies are also included. Both types of institutions must comply with the minimum capital requirements. If an electronic payment institution operates only with Mexican currency, it needs to meet the standard of 500,000 UDI (index fund units used as a stable substitute for the Mexican peso), and if it conducts virtual asset transactions or foreign currency transactions or uses basic virtual assets to operate derivatives, it needs to reach the standard of 700,000 UDI.

El Banco de Mexico issued the secondary law of the Fintech Law, bringing cryptocurrency companies under its jurisdiction. Since then, companies using cryptocurrencies to conduct business must also obtain relevant authorization, and violators may be fined between $9,500 and $47,000, which means that the cryptocurrency business is subject to stricter qualification review and control. Important note: small and medium-sized enterprises that use cryptocurrencies as a payment method are not subject to this law, only companies in the fintech field that use electronic transaction mechanisms or raise funds need to be authorized.

In addition to these regulations, the Financial Intelligence Unit (UIF) of Mexico has also issued a guide on cryptocurrency reports, requiring the reporting of cryptocurrency transactions and related intermediary and service provider information.

Reporting Party's AML System

UIF Resolution incorporates a AML system with a risk-based approach, which shall contain policies, procedures, and controls to identify, evaluate, monitor, manage and mitigate risks identified according to a self-assessment made by the Reporting Party and in the national AML risk assessments with respect to the VASP activities, considering, at least, risks associated to: (i) clients (background, activities, behavior, volume or materiality of operations); (ii) products and/or services provided by the Reporting Party; (iii) distribution channels (face-to-face, internet or ATMs); and (iv) geographical areas in which the products and/or services of the Reporting Party are offered as well as those areas linked to the operation’s process.

Compliance with the AML System

It is established that, to comply with the AML system, the Reporting Parties must adopt -as a minimum- policies, procedures, and controls for the purposes of:

corroborating that clients and their ultimate beneficiary owners are not included in certain registers and lists related to AML (before, and during, the entire business relationship);

applying all regulations related to Politically Exposed Persons;

carrying out an initial and continuous "due diligence" process for Clients (keeping their respective files updated);

identifying, verifying, and knowing their Clients’ ultimate beneficiary owners on an ongoing basis;

qualifying and segmenting all Clients according to risk factors;

establishing alerts and monitoring all operations and/or transactions linked to VASP Activities, with a risk-based approach;

formulating systematic reports to the UIF;

determining in which cases the Reporting Party shall be entitled to not credit, or to suspend, a Virtual Asset transfer that lacks the required originator and/or beneficiary information, as well as the appropriate follow-up action;

analyzing and recording all Unusual Transactions, and detecting and reporting all Suspicious Transactions;

cooperating with the competent authorities;

not accepting, or dismissing, clients and stating the reasons for such decision;

developing an annual training on AML for its employees and collaborators;

designating a compliance officer and an alternate compliance officer before the UIF and establishing their functions;

registering, filing, and keeping information and documentation of a) Clients and ultimate beneficiary owners from the beginning of the relationship and for a minimum of ten (10) years as from the termination of the relationship, and b) the transactions carried out for a minimum of ten (10) years as from the date on which they are made;

evaluating the effectiveness of the AML system through an independent external review to be carried out annually and the annual internal audit; and

ensuring adequate standards in the selection and hiring of directors, managers, employees, and collaborators;

establishing a code of conduct;

preparing an AML manual, which shall contain the abovementioned policies, procedures, and controls and which shall be reviewed annually; and

taking into consideration in its risk analysis the countries included by the FATF in the list of jurisdictions under enhanced monitoring and applying enhanced measures in these cases.

The UIF Resolution regulates the duties of the Reporting Party’s management body or highest authority, and the appointment and functions of the compliance officer and deputy compliance officer. The compliance officer shall be supported by an AML Committee, which shall be created by the Reporting Party for such purposes.

Due Diligence. Policy for Identification, Verification and Knowledge of the Client and the Ultimate Beneficiary Owner

The non-identification of clients, or the impossibility to identify them, shall be understood as an impediment to engage in professional relationships, or if already engaged, to continue them.

Monitoring, Analysis and Reporting