Total Incidents This Week: 7 (▼ 2 vs last week)
Critical / High: 3 (0 unchanged)
Relevant to Us: 2 (AI triage + human review)
Mexico Local Incidents: 4 / 7 (other 3 are LATAM regional)
Critical · CVSS 9.4 May 9
Mexican Sofipo Hit by Ransomware; About 2.3M Customer Records Potentially Exposed
Attackers used an unpatched VPN appliance vulnerability (Fortinet CVE-2024-21762 variant) for initial access and deployed LockBit 4.0 to encrypt core databases. The affected institution has reported to CNBV and suspended online services for 48 hours.
Source: Reuters MX / El Financiero · ⚠ Relevant to us: verify VPN appliance patch status
Ransomware Sofipo LockBit CVE-2024-21762
High May 8
LATAM Payment Gateway API Keys Exposed, Affecting Multiple Mexican Cash-Loan Platforms
A third-party payment aggregator accidentally exposed configuration files containing production API keys in a GitHub repository. Payout channels for at least three Mexican cash-loan platforms were affected, with unauthorized transactions already reported.
Source: BleepingComputer · ⚠ Relevant to us: confirm third-party payment key status
API Key Exposure Cash Loan Third Party GitHub
High May 7
Banxico SPEI Briefly Disrupted, Suspected DDoS Attack
Mexico's SPEI interbank electronic payment system had intermittent outages from 14:00 to 16:30 local time. Banxico described it as a "technical failure," while multiple security-community sources pointed to a DDoS attack. About 1.8M transactions were backlogged.
Source: Expansión / CERT-MX
DDoS SPEI Infrastructure
Medium May 7
Colombian Bank Phished; Internal Employee Credentials Stolen
Attackers spoofed a CNBV email domain (cnbv-gob[.]mx) and sent macro-enabled Excel files to the bank's Mexico branch. Two operations employees clicked and exposed VPN credentials. The pattern may target multiple LATAM financial institutions.
Source: The Record
Phishing Social Engineering LATAM Regional
Medium May 6
Mexican Digital Bank KYC Face Recognition Bypassed with Deepfake
Fraud groups used AI-generated liveness videos to open about 40 synthetic accounts for money laundering. The bank has reported to UIF and upgraded liveness checks to 3D structured-light verification.
Source: El Economista
Deepfake KYC AML
Low May 5
Brazilian Payment Processor PCI Compliance Certification Suspended
The processor's AOC was suspended by PCI SSC after a QSA annual review found unencrypted PAN storage (PCI Req 3.4 violation), affecting settlement paths for some cross-border Mexican merchants.
Source: PCI SSC Announcement
PCI Credit Card Brazil
Info May 4
CERT-MX Released 2026 Q1 Mexico Financial Sector Threat Report
The report says cyberattacks against Mexico's financial sector rose 34% year over year in Q1, with ransomware and business email compromise (BEC) as the main categories. It recommends stronger MFA deployment and employee security-awareness training.
Source: CERT-MX Website
Quarterly Report CERT-MX Trend
Weekly Situation Snapshot
By Incident Type
Ransomware: 2
Data Breach: 2
DDoS: 1
Phishing: 1
AI Forgery: 1
Our Action Items
✅ VPN appliance patch status checked
🔄 Reviewing third-party payment API keys
📋 Scheduling spoofed-domain detection rules
Published
Consultations / Public Comments
Enforcement Cases
Published This Month: 6 (CNBV 3 · Banxico 1 · UIF 1 · INAI 1)
Action Required: 3 (average remediation window: 45 days)
Aligned: 2 (no additional action required)
Under Review: 1 (awaiting Legal interpretation)
| Publication Date | Source | Title / Summary | Affected Business Lines | Effective Date | Action | Status |
|---|---|---|---|---|---|---|
| 2026.05.08 | CNBV | Circular Única Sofipo Amendment: Minimum Capital Adequacy Adjustment. Article 75 amended: unsecured consumer-loan risk weight raised from 100% to 115% | Sofipo, Cash Loan | 2026.07.01 | Recalculate NICAP | Remediating |
| 2026.05.06 | CNBV | Final Version of Amended Cybersecurity Provisions. Adds mandatory 72-hour cyber incident reporting obligation | Sofipo, Credit Card, Cash Loan | 2026.09.01 | Build incident reporting process | Under Review |
| 2026.05.03 | BANXICO | Circular 4/2026: New Cross-Border Payment Reporting Requirements. Cross-border remittances must include sender full address and CURP | Cash Loan | 2026.08.15 | Check payout interface fields | Scheduled |
| 2026.04.28 | UIF | AML Guidance Update: Enhanced Due Diligence (EDD) for High-Risk Customers. PEP customers must be reviewed every 6 months instead of every 12 months | Sofipo, Cash Loan, Credit Card | Effective Immediately | Adjust EDD cycle | Urgent |
| 2026.04.25 | INAI | New Standard Contractual Clauses (SCCs) for Cross-Border Personal Data Transfers Released. Data processing agreements with cloud providers such as AWS / GCP must be updated | Sofipo, Credit Card, Cash Loan | 2026.10.01 | Update DPA appendix | Aligned |
| 2026.04.20 | CNBV | R-28 Reporting Format Amendment Notice. Adds loan portfolio risk concentration detail fields | Sofipo | 2026 Q3 Filing | Adjust reporting template | Aligned |
CNBV Fully Mapped
CU
Circular Única de Sofipos
Sofipo single circular · covers capital adequacy, governance, regulatory reporting, credit classification, and broad regulatory requirements
142 Controls
28 Reports
Sofipo
Federal Law Fully Mapped
LA
Ley de Ahorro y Crédito Popular (LACP)
Savings and Popular Credit Law · the parent law for Sofipo licensing, defining incorporation conditions, minimum capital, and governance requirements
116 Articles
38 Controls
Sofipo
International Standard Partially Mapped
PC
PCI DSS v4.0
Payment Card Industry Data Security Standard · 12 requirements · security baseline for credit-card processing and storage environments
12 Requirements
340+ Subitems
Credit Card
INAI Fully Mapped
DP
LFPDPPP + Reglamento
Federal personal data protection law and implementing regulations · data subject rights, consent mechanisms, cross-border transfers, breach notification
69 Articles
45 Controls
All
UIF Fully Mapped
PL
LFPIORPI + Reglas de Carácter General
AML parent law and general rules · customer due diligence (CDD/EDD), suspicious transaction reports (ROS), large-transaction reporting
65 Articles
52 Controls
All
ISO Partially Mapped
IS
ISO 27001:2022
Information security management system · Annex A 93 controls · ISMS buildout, risk assessment, continual improvement
93 Controls
4 Domains
All
Federal Law In Entry
FT
Ley Fintech
Fintech Law · regulates electronic payments, crowdfunding, virtual assets, and regulatory sandbox
145 Articles
Pending Mapping
All
CONDUSEF Fully Mapped
CO
LGOAAC + Disposiciones CAT
Financial Services User Protection Law + CAT (annual total cost) calculation and disclosure rules
56 Articles
28 Controls
Cash Loan
BANXICO In Entry
BX
Circular 3/2012 + Circular 4/2026
Banxico payment-system circulars · POS terminals, SPEI access, cross-border remittance information reporting
48 Articles
Pending Mapping
Credit Card
Compliance Library → RAG Knowledge Base (Phase 2 Plan)
These 24 regulations will become the core knowledge base for RAG (retrieval-augmented generation):

Step 1 (now): ingest full regulatory text + chapter structure + control mappings into the system and build a structured index
Step 2 (Phase 2): chunk each regulation, generate vector embeddings, and store them in a vector database
Step 3: when users ask questions, retrieve the most relevant regulatory passages by vector search → inject them into the Claude prompt → generate cited answers
Step 4: during PRD review, automatically retrieve relevant clauses from the knowledge base and generate a compliance checklist

💡 Example Question: "If we add face recognition to the Sofipo onboarding flow, what compliance requirements must we meet?"
→ AI retrieves LFPDPPP (biometric-data clauses) + CU Sofipo (remote onboarding) + INAI guidance → returns an answer with clause citations
PCI DSS v4.0 · 12-Requirement Coverage Matrix
Coverage 83% · 10/12 covered
1. Install and Maintain Network Security Controls
2. Apply Secure Configurations to All System Components
3. Protect Stored Account Data
4. Protect Data in Transit with Strong Cryptography
5. Protect Against Malware
6. Develop and Maintain Secure Systems
7. Restrict Access by Business Need
8. Identify Users and Authenticate Access
9. Restrict Physical Access to Cardholder Data
10. Log and Monitor All Access
11. Regularly Test Security Systems
12. Maintain an Information Security Policy
Legend: Complete Coverage · Partial Coverage · Missing / Expired
Document Inventory
| Document Name | Covered Requirements | Issue Date | Expiry Date | Status |
|---|---|---|---|---|
| [AOC] Attestation of Compliance (AOC) 2025 (QSA: TrustWave · PCI DSS v4.0 · Level 2) | Req 1–12 | 2025.12.15 | 2026.12.14 | Valid |
| [SAQ] SAQ D · 2026 Q1 Self-Assessment (completed internally · 340 self-check items · 298 passed) | Req 1–12 | 2026.03.30 | 2026.06.29 | Valid |
| [ASV] ASV Quarterly Scan Report · 2026 Q1 (Scanner: Qualys · 12 external IPs · 0 high-risk) | Req 11.3 | 2026.03.15 | 2026.06.14 | Expires Within 30 Days |
| [ASV] ASV Quarterly Scan Report · 2025 Q4 (Scanner: Qualys · 12 external IPs · 1 medium-risk (remediated)) | Req 11.3 | 2025.12.18 | 2026.03.17 | Expired |
| [PEN] Annual Penetration Test Report 2025 (Tester: Securitize MX · black-box + gray-box · 3 high / 7 medium / 12 low) | Req 11.4 | 2025.11.20 | 2026.11.19 | Valid |
| [SEG] Network Segmentation Test Report · 2026 H1 (CDE scope: 14 systems · segmentation validation passed) | Req 11.4.5 | 2026.02.10 | 2026.08.09 | Valid |
| [QSA] QSA Auditor Qualification Certificate (TrustWave · Auditor: J. Rodriguez · PCIP #28341) | | 2025.06.01 | 2026.05.31 | Expires Within 21 Days |
| [TRN] PCI Security Awareness Training Records · 2026 Q1 (142 participants · 96% pass rate · includes developer-team track) | Req 12.6 | 2026.03.28 | | Archived |
Total Documents: 12
Valid: 9
Expires Within 30 Days: 2 (ASV Q1 · QSA Qualification)
Expired: 1 (ASV Q4, needs update)
Detail Panel
Incident Summary / Regulation Summary
This is a generic detail-panel preview. In actual development:

Security Incidents: show full description, IOC list, MITRE ATT&CK mapping, recommended actions, linked controls

Regulatory Updates: show original regulation summary (Spanish + English comparison), impact analysis, action items, owners

Compliance Library Regulations: show chapter tree (left navigation + right-side clauses), each linked to controls + evidence + owner

PCI Certificates: show file preview, metadata, linked PCI requirements, version history, audit trail
Metadata
Entry Time: 2026-05-10 14:28
Source: Reuters MX / El Financiero
Severity: Critical
Affected Business Lines: Sofipo
Owner: Rubén García (CISO)
Linked Controls: CTL-008, CTL-045, CTL-089
Actions
AI
Compliance Copilot
Phase 2 · RAG Enhanced