Mexico's RFC Waiver: Expanding Financial Inclusion While Heightening KYC and AML Fraud Risks
In April 2026, Mexican President Claudia Sheinbaum announced a sweeping regulatory directive that fundamentally changes how digital and traditional banks acquire customers. Under the new guidance, banks will no longer be permitted to require a Federal Taxpayer Registry (RFC) number to open Level 2 (N2) or Level 3 (N3) bank accounts. This policy is designed to bring Mexico's estimated 32 million unbanked, informal, and low-income workers into the digital economy.
The CNBV and Banxico are currently drafting formal policy memorandums to codify this directive into their respective regulatory frameworks.
Understanding Mexico's Tiered Account Framework
Mexico's banking regulations utilize a risk-based approach to Anti-Money Laundering (AML), organizing bank accounts into four distinct tiers:
- Level 1 (N1): Basic, low-limit accounts (monthly deposits capped at ~6,600 MXN) that can be opened remotely with minimal KYC (name, DOB, gender).
- Level 2 (N2): Simplified accounts (deposits capped at ~26,400 MXN) that require an official ID and Unique Population Registry Code (CURP).
- Level 3 (N3): Intermediate accounts (deposits capped at ~88,000 MXN) requiring CURP, ID, home address, phone, and email.
- Level 4 (N4): Full-service accounts with no deposit limits, requiring full KYC, including the mandatory RFC number.
Previously, although the law did not strictly require an RFC for N2 and N3 accounts, many banks demanded it in practice, requiring customers to first register with the Tax Administration Service (SAT). This created an insurmountable barrier for informal workers. Under the new waiver, individuals can open N2 and N3 accounts without an RFC and upgrade their accounts later if they register with the SAT.
The Strategic Trade-Off: Friction vs. Fraud
For US fintech expansion teams, the RFC waiver dramatically lowers customer acquisition friction, opening a massive addressable market. However, removing a verified unique identifier like the RFC significantly escalates operational and compliance risks.
Fintechs must prepare for three primary fraud vectors:
- Duplicate Accounts: Fraudsters will open multiple N2 or N3 accounts across different institutions to bypass monthly transaction caps and launder larger sums without triggering full N4 KYC.
- Synthetic Identity Fraud: Without the RFC to cross-reference against CURP and ID databases, bad actors can more easily manufacture synthetic identities.
- Account Takeovers and Identity Mules: Criminal networks will pay low-income individuals to open legitimate N2/N3 accounts and then hand them over to be used for illicit transactions.
Mitigation Strategies for Expanding Fintechs
To safely leverage the RFC waiver, expanding fintechs must design sophisticated, tier-appropriate verification flows and back-end monitoring:
- Multi-Factor IDV: Implement robust government ID checks and facial biometric/selfie verification during onboarding to tie the physical person to the CURP database records.
- Link Analysis: Use advanced browser and device fingerprinting, IP tracking, and image similarity checks to identify when multiple accounts are controlled by a single device or criminal ring.
- Strategic Reverification: Trigger mandatory biometric reverification when a user initiates a high-risk transaction, alters account details, or logs in from an unrecognized device.
- Transaction Monitoring: Build real-time transaction monitoring to detect "structuring" (breaking large transactions into smaller amounts to sit under N2/N3 limits).
The RFC waiver represents a massive opportunity for digital-first neobanks to capture market share rapidly, but only if they deploy modern, alternative identity verification and link-analysis tools to offset the loss of the RFC anchor.