Public Items Tracked: 4 · Seed data for weekly manual update
Critical / High: 2 · Payment transfer and fraud risk
Relevant to Us: 3 · Sofipo · SPEI · APP fraud controls
Mexico Local Items: 4 / 4 · All entries are Mexico-focused
High · 2025.01.27
Mexican Financial Sector Cyberattacks Reached MXN 140.49M in 2024
Public reporting based on Banxico data said four cyberattacks affected Mexican financial institutions in 2024: one Sofipo and three banks. The Sofipo transfer-service incident was reported at MXN 124.11M, with no customer economic impact reported.
Source: Expansión, citing Banxico data · Relevant to us: SPEI transfer controls and incident escalation
Tags: Cyberattack · Sofipo · Banxico · Transfer Service

High · 2025.03
CONDUSEF Reported Identity Impersonation of 9 Financial Institutions
CONDUSEF reported that in March 2025, 9 registered financial institutions notified identity impersonation or unauthorized use of names, logos, commercial names, or administrative data, including one S.F.P. and one electronic payment fund institution.
Source: CONDUSEF press notice · Relevant to us: APP download channels, brand impersonation, customer fraud response
Tags: Identity Impersonation · CONDUSEF · SIPRES · APP Fraud

Medium · 2025.02.21
Banxico Updated SPEI Indirect Participation Risk-Management Rules
Banxico Circular 2/2025 amended Circular 14/2017 for SPEI indirect participation and miscellaneous items, adding clearer risk-administration criteria and staged effective dates from March 2025 to February 2026.
Source: Banxico Circular 2/2025 · Relevant to us: SPEI center operating model and third-party dependency review
Tags: Banxico · SPEI · Risk Management

Info · 2024 Annual
CNBV Annual Report Highlighted Cross-Authority Cybersecurity Exercises
CNBV's 2024 annual report referenced cybersecurity work involving Banxico, SHCP, IPAB, CNBV, and five multiple-banking institutions. This is useful as a reference model for financial-sector incident drills and escalation playbooks.
Source: CNBV Annual Report 2024
Tags: CNBV · Cyber Drill · Incident Response
Weekly Situation Snapshot
By Incident Type: Cyberattack 1 · Fraud 1 · SPEI Risk 1 · Drill 1
Our Action Items
Validate SPEI transfer monitoring and abnormal-transaction thresholds
Review brand and APP impersonation monitoring coverage
Add annual incident-response drill evidence to SOC module
Published Items Loaded: 4 · CNBV · Banxico · CONDUSEF · PCI SSC
Action Required: 3 · Mapping, SPEI, fraud monitoring
Aligned: 1 · PCI version source in library
Under Review: 0 · Ready for SME refinement
Published items (columns: Publication Date · Source · Title / Summary · Affected Business Lines · Effective Date · Action · Status)

2025.12.26 · CNBV
CUSOFIPO Consolidated Source Updated for Sofipo Prudential Rules
The SME source PDF includes CNBV/DOF updates through late 2025, covering capital, risk, reporting, operations, and prudential regulation levels.
Affected business lines: Sofipo · Effective date: Staged / source-dependent · Action: Deepen CUSOFIPO clause-to-control mapping · Status: Remediating

2025.02.21 · BANXICO
Circular 2/2025 Modified SPEI Circular 14/2017
Banxico updated the framework for indirect participation in SPEI and clarified risk-administration criteria for those services.
Affected business lines: Credit Card, Cash Loan · Effective date: 2025.03.24 to 2026.02.23 · Action: Review SPEI center controls and vendor dependencies · Status: Scheduled

2025.03 · CONDUSEF
9 Financial Institutions Reported Identity Impersonation
CONDUSEF reported unauthorized use of financial institutions' names, logos, and commercial identity to defraud credit seekers.
Affected business lines: Cash Loan, Sofipo · Effective date: Immediate monitoring · Action: Add brand/APP impersonation checks · Status: Remediating

2024.06.11 · PCI SSC
PCI DSS v4.0.1 Published as a Limited Revision
PCI SSC published v4.0.1 to address stakeholder feedback and clarify requirements, without adding a separate regulatory download flow.
Affected business lines: Credit Card · Effective date: Active standard · Action: Maintain v4.0.1 evidence inventory · Status: Aligned
CU · Circular Única de Sofipos · Regulator: CNBV · Fully Mapped · Business line: Sofipo
Sofipo single circular · covers capital adequacy, governance, regulatory reporting, credit classification, and broad regulatory requirements
142 Controls · 28 Reports

LA · Ley de Ahorro y Crédito Popular (LACP) · Regulator: Federal Law · Fully Mapped · Business line: Sofipo
Savings and Popular Credit Law · the parent law for Sofipo licensing, defining incorporation conditions, minimum capital, and governance requirements
116 Articles · 38 Controls

PC · PCI DSS v4.0 · Regulator: International Standard · Partially Mapped · Business line: Credit Card
Payment Card Industry Data Security Standard · 12 requirements · security baseline for credit-card processing and storage environments
12 Requirements · 340+ Subitems

DP · LFPDPPP + Reglamento · Regulator: INAI · Fully Mapped · Business line: All
Federal personal data protection law and implementing regulations · data subject rights, consent mechanisms, cross-border transfers, breach notification
69 Articles · 45 Controls

PL · LFPIORPI + Reglas de Carácter General · Regulator: UIF · Fully Mapped · Business line: All
AML parent law and general rules · customer due diligence (CDD/EDD), suspicious transaction reports (ROS), large-transaction reporting
65 Articles · 52 Controls

IS · ISO 27001:2022 · Regulator: ISO · Partially Mapped · Business line: All
Information security management system · Annex A 93 controls · ISMS buildout, risk assessment, continual improvement
93 Controls · 4 Domains

FT · Ley Fintech · Regulator: Federal Law · In Entry · Business line: All
Fintech Law · regulates electronic payments, crowdfunding, virtual assets, and regulatory sandbox
145 Articles · Pending Mapping

CO · LGOAAC + Disposiciones CAT · Regulator: CONDUSEF · Fully Mapped · Business line: Cash Loan
Financial Services User Protection Law + CAT (annual total cost) calculation and disclosure rules
56 Articles · 28 Controls

BX · Circular 3/2012 + Circular 4/2026 · Regulator: BANXICO · In Entry · Business line: Credit Card
Banxico payment-system circulars · POS terminals, SPEI access, cross-border remittance information reporting
48 Articles · Pending Mapping
Featured Deep Dive · CUSOFIPO Requirements
CNBV · Sofipo · RM-002-CUSOFIPO.pdf
Source Pages: 297 · SME source PDF
Mapped Requirement Areas: 8 · Phase 1 operating view
Primary Regulator: CNBV · Popular credit sector
Business Scope: Sofipo · Operations, risk, reporting
This section turns the CUSOFIPO source document into a practical operating map. It is not a legal opinion; it is a Phase 1 control and evidence index for product, risk, finance, compliance, operations, and reporting teams.
Requirement areas (columns: Requirement Area · Business Meaning · Core Obligation · Evidence Needed · Owner · Status · Source)

Nivel de Operaciones (Operating level assignment)
Business meaning: Sofipo permitted activity boundary
Core obligation: Confirm approved operating level and map allowed passive, active, and service operations before product launch.
Evidence needed: Authorization file, product inventory, board approval, launch checklist
Owner: Legal / Compliance · Status: Mapped · Source: View PDF

Capital mínimo y capitalización (Minimum capital and risk capitalization)
Business meaning: Prudential capital baseline
Core obligation: Maintain capital baseline and risk-capital calculations aligned with portfolio, credit, market, and operational risk exposure.
Evidence needed: Capital calculation, finance close package, risk report, committee minutes
Owner: Finance / Risk · Status: Needs periodic evidence · Source: View PDF

Administración de riesgos (Risk management)
Business meaning: Enterprise risk governance
Core obligation: Define risk policies, limits, monitoring routines, escalation paths, and independent reporting to management bodies.
Evidence needed: Risk manual, KRI dashboard, limit breach logs, risk committee minutes
Owner: Risk Management · Status: Mapped · Source: View PDF

Control interno (Internal control framework)
Business meaning: Governance and control discipline
Core obligation: Maintain internal controls, segregation of duties, monitoring controls, remediation follow-up, and management reporting.
Evidence needed: Control matrix, testing records, issue tracker, remediation evidence
Owner: Compliance / Internal Control · Status: Pending testing · Source: View PDF

Proceso crediticio (Credit process and credit manual)
Business meaning: Loan origination and collection
Core obligation: Maintain credit policies for origination, approval, credit scoring, disbursement, monitoring, restructuring, and collection.
Evidence needed: Credit manual, approval workflow, model policy, sample files, collection procedure
Owner: Credit Risk / Product · Status: Mapped · Source: View PDF

Provisionamiento de cartera (Loan-loss provisioning)
Business meaning: Credit portfolio accounting
Core obligation: Calculate, review, and document provisioning for consumer, commercial, housing, and microcredit portfolios as applicable.
Evidence needed: Provisioning model, monthly ledger, portfolio aging, management approval
Owner: Finance / Credit Risk · Status: Needs review · Source: View PDF

Coeficiente de liquidez (Liquidity coefficient)
Business meaning: Liquidity resilience
Core obligation: Monitor liquidity threshold, maintain escalation routines, and document management actions for liquidity stress conditions.
Evidence needed: Liquidity report, treasury dashboard, stress scenario, escalation record
Owner: Treasury / Risk · Status: Mapped · Source: View PDF

Reportes y revelación (Regulatory reporting and disclosure)
Business meaning: CNBV reporting discipline
Core obligation: Submit reports and disclosures by due date, maintain submission receipts, and control source-data lineage.
Evidence needed: Reporting calendar, filing receipts, source-data reconciliation, sign-off record
Owner: Regulatory Reporting · Status: In progress · Source: View PDF
Regulatory Source Documents
Original clause-text PDFs (条款原文PDF_20260509) · 20 source files · individual view and download enabled
Source documents (columns: Requirement Name · Regulator · Business Line · Document Type · Status · Actions)

Ley de Ahorro y Crédito Popular (LACP)
Source file: RM-001-LACP.pdf
Sofipo licensing, governance, capital, and reporting baseline.
Regulator: Federal Law · Business line: Sofipo · Document type: Law · Status: Available

Circular Única de Sofipos
Source file: RM-002-CUSOFIPO.pdf
Core Sofipo operating requirements and regulatory reporting.
Regulator: CNBV · Business line: Sofipo · Document type: Circular · Status: Available

LACP Art. 124 AML General Provisions for Sofipos
Source file: RM-004-UIF-LACP-ART124-DCG(DCG_SOFIPOS_compilado_2021).pdf
AML obligations, customer due diligence, and reporting controls.
Regulator: UIF · Business line: Sofipo, Cash Loan · Document type: General Provisions · Status: Available

LPDUSF · User Protection for Financial Services
Source file: RM-005-LPDUSF.pdf
Customer protection, claims, disclosure, and service obligations.
Regulator: CONDUSEF · Business line: Cash Loan, Credit Card · Document type: Law · Status: Available

LTOSF · Transparency and Ordering of Financial Services
Source file: RM-006-LTOSF.pdf
Financial service transparency, fees, contracts, and disclosure controls.
Regulator: CONDUSEF · Business line: Cash Loan, Credit Card · Document type: Law · Status: Available

Transparency Provisions for Sofipos · 2015
Source file: RM-007-CONDUSEF-TRANSPARENCIA-SOFIPO-2015-Original.pdf
Sofipo-facing transparency and customer disclosure requirements.
Regulator: CONDUSEF · Business line: Sofipo · Document type: General Provisions · Status: Available

CONDUSEF Registry Provisions · 2022
Source file: RM-008-010-DISPOSICION-REGISTROS-CONDUSEF-2022.pdf
Registration and disclosure-related operational requirements.
Regulator: CONDUSEF · Business line: Sofipo, Cash Loan, Credit Card · Document type: General Provisions · Status: Available

LSP · Payment Systems Law
Source file: RM-011-LSP.pdf
Payment-system participation and operating obligations.
Regulator: BANXICO · Business line: Credit Card · Document type: Law · Status: Available

Banxico Circular 3/2012
Source file: RM-016-BanxicoCircular3-2012.pdf
Payment systems, SPEI, cards, and financial operations requirements.
Regulator: BANXICO · Business line: Credit Card, Cash Loan · Document type: Circular · Status: Available

LFPDPPP · Federal Personal Data Protection Law
Source file: RM-017-LFPDPPP.pdf
Consent, privacy notice, ARCO rights, transfer, and breach obligations.
Regulator: INAI · Business line: All · Document type: Law · Status: Available

Reglamento de la LFPDPPP
Source file: RM-018-reglamento de la LFPDPPP.pdf
Implementation rules for personal data protection controls.
Regulator: INAI · Business line: All · Document type: Regulation · Status: Needs extraction check

Diario Oficial de la Federación Source Notice
Source file: RM-019-DOF - Diario Oficial de la Federacion.pdf
Official gazette source document for regulatory traceability.
Regulator: DOF · Business line: All · Document type: Official Gazette · Status: Available

LRSIC · Credit Information Companies Law
Source file: RM-020-LRSIC.pdf
Credit bureau, credit information, and reporting obligations.
Regulator: CNBV · Business line: Cash Loan, Credit Card · Document type: Law · Status: Available

LGTOC · General Law of Credit Instruments and Operations
Source file: RM-021-LGTOC.pdf
Credit instruments, obligations, and commercial financing operations.
Regulator: Federal Law · Business line: Cash Loan, Credit Card · Document type: Law · Status: Available

NOM-151-SCFI-2016 · Data Message Preservation
Source file: RM-022-NOM-151-SCFI-2016-...
Digital document preservation and data-message integrity requirements.
Regulator: NOM · Business line: All · Document type: Official Standard · Status: Available

Código de Comercio (CCom)
Source file: RM-023-CCom.pdf
Commercial code provisions relevant to contracts and digital records.
Regulator: Federal Law · Business line: All · Document type: Code · Status: Available

PCI DSS v4.0.1
Source file: RM-032-PCI-DSS-v4_0_1.pdf
Payment card data security baseline and 12-requirement control set.
Regulator: PCI SSC · Business line: Credit Card · Document type: Standard · Status: Available

PCI PIN Security Requirements and Testing v3.1
Source file: RM-033-PCI_PIN_Security_Requirements_Testing_v3_1.pdf
PIN security control requirements and testing procedures.
Regulator: PCI SSC · Business line: Credit Card · Document type: Standard · Status: Available

PCI 3DS Core Security Standard v1
Source file: RM-034-PCI-3DS-Core-Security-Standard-v1.pdf
3-D Secure environment security requirements.
Regulator: PCI SSC · Business line: Credit Card · Document type: Standard · Status: Available

Banxico Circular 14/2017
Source file: B1-Circular 14_2017.pdf
Banxico circular source added by SME team.
Regulator: BANXICO · Business line: Credit Card, Cash Loan · Document type: Circular · Status: Available
Future AI Knowledge Base (Phase 2 Reserved)
Current phase focuses on source-document access: users can filter by regulator, business line, or keyword, then view or download the exact regulatory PDF.

Phase 2 can connect these source documents to an AI knowledge base after the retrieval pipeline is ready. That future layer should support cited Q&A, PRD compliance checks, and clause-to-control mapping, but no ingestion workflow is exposed in Phase 1.
PCI DSS v4.0.1 · 12-Requirement Coverage Matrix
Coverage 83% · 10/12 covered
1. Install and Maintain Network Security Controls
2. Apply Secure Configurations to All System Components
3. Protect Stored Account Data
4. Protect Data in Transit with Strong Cryptography
5. Protect Against Malware
6. Develop and Maintain Secure Systems
7. Restrict Access by Business Need
8. Identify Users and Authenticate Access
9. Restrict Physical Access to Cardholder Data
10. Log and Monitor All Access
11. Regularly Test Security Systems
12. Maintain an Information Security Policy
Legend: Complete Coverage · Partial Coverage · Missing / Expired
PCI DSS Requirement Detail
Phase 1 · control and evidence view
Req 1 · Network Security Controls · Status: Complete
Maintain firewall, security group, segmentation, and traffic-rule standards for the cardholder data environment. Evidence: network diagram, rule review, change tickets, segmentation scope.

Req 2 · Secure Configurations · Status: Complete
Harden all system components, remove default accounts, document configuration baselines, and test drift. Evidence: CIS baseline, build standard, configuration scan.

Req 3 · Stored Account Data Protection · Status: Complete
Minimize PAN storage, define retention, render stored account data unreadable, and manage cryptographic keys. Evidence: data inventory, tokenization design, key ceremony records.

Req 4 · Transmission Encryption · Status: Complete
Protect cardholder data over open and public networks with strong cryptography and certificate lifecycle controls. Evidence: TLS scan, cipher policy, certificate inventory.

Req 5 · Malware Protection · Status: Partial
Deploy malware controls on in-scope systems and document compensating rationale where agent deployment is not applicable. Evidence: EDR coverage, exception approval, alert review.

Req 6 · Secure Software and Vulnerability Management · Status: Complete
Run secure SDLC, vulnerability remediation, change control, and payment-page script controls where applicable. Evidence: code review, SAST/DAST, patch SLA, change approvals.

Req 7 · Access by Business Need · Status: Complete
Restrict access to system components and cardholder data by role, least privilege, and approved business need. Evidence: RBAC matrix, access approval, quarterly review.

Req 8 · Identity and Authentication · Status: Complete
Identify users uniquely, enforce MFA for in-scope access, manage service accounts, and remove inactive credentials. Evidence: IAM policy, MFA report, account review.

Req 9 · Physical Access Protection · Status: Complete
Restrict physical access to systems, media, backup materials, and areas that could affect cardholder data security. Evidence: access logs, visitor records, media inventory.

Req 10 · Logging and Monitoring · Status: Complete
Log user and system activity, synchronize time, protect logs, and review security events. Evidence: SIEM scope, log retention, alert runbook, review records.

Req 11 · Security Testing · Status: Gap
Perform vulnerability scans, ASV scans, penetration tests, segmentation validation, and change-detection checks. Evidence: ASV report, pentest report, remediation proof.

Req 12 · Security Policy and Program Governance · Status: Complete
Maintain information security policy, risk assessment, service-provider management, incident response, and security-awareness training. Evidence: policy, risk register, TPSP matrix, training records.
Document Inventory
Columns: Document Name · Covered Requirements · Issue Date · Expiry Date · Status

AOC · Attestation of Compliance (AOC) 2025
QSA: TrustWave · PCI DSS v4.0 · Level 2
Covered requirements: Req 1–12 · Issue date: 2025.12.15 · Expiry date: 2026.12.14 · Status: Valid

SAQ · SAQ D · 2026 Q1 Self-Assessment
Completed internally · 340 self-check items · 298 passed
Covered requirements: Req 1–12 · Issue date: 2026.03.30 · Expiry date: 2026.06.29 · Status: Valid

ASV · ASV Quarterly Scan Report · 2026 Q1
Scanner: Qualys · 12 external IPs · 0 high-risk
Covered requirements: Req 11.3 · Issue date: 2026.03.15 · Expiry date: 2026.06.14 · Status: Expires Within 30 Days

ASV · ASV Quarterly Scan Report · 2025 Q4
Scanner: Qualys · 12 external IPs · 1 medium-risk (remediated)
Covered requirements: Req 11.3 · Issue date: 2025.12.18 · Expiry date: 2026.03.17 · Status: Expired

PEN · Annual Penetration Test Report 2025
Tester: Securitize MX · black-box + gray-box · 3 high / 7 medium / 12 low
Covered requirements: Req 11.4 · Issue date: 2025.11.20 · Expiry date: 2026.11.19 · Status: Valid

SEG · Network Segmentation Test Report · 2026 H1
CDE scope: 14 systems · segmentation validation passed
Covered requirements: Req 11.4.5 · Issue date: 2026.02.10 · Expiry date: 2026.08.09 · Status: Valid

QSA · QSA Auditor Qualification Certificate
TrustWave · Auditor: J. Rodriguez · PCIP #28341
Issue date: 2025.06.01 · Expiry date: 2026.05.31 · Status: Expires Within 21 Days

TRN · PCI Security Awareness Training Records · 2026 Q1
142 participants · 96% pass rate · includes developer-team track
Covered requirements: Req 12.6 · Issue date: 2026.03.28 · Status: Archived
Total Documents: 12
Valid: 9
Expires Within 30 Days: 2 · ASV Q1 · QSA Qualification
Expired: 1 · ASV Q4, needs update
Standards Tracked: 3 · ISMS · PIMS · BCMS
Valid Certificates: 2 · ISO 27001 · ISO 22301
Under Buildout: 1 · ISO 27701 privacy extension
Next Surveillance: 2026 Q3 · Evidence refresh needed
ISO Certificate Inventory
Demo structure aligned to PCI evidence style
Columns: Standard · Scope · Certification Body · Issue / Expiry · Surveillance · Status · Key Evidence

ISO 27001 · Information Security Management System
Scope: SOFI platform, cloud infrastructure, security operations
Certification body: Demo Certification Body · Issue / Expiry: 2025.09.01 / 2028.08.31 · Surveillance: 2026 Q3 · Status: Valid
Key evidence: SOA, risk assessment, internal audit, management review

ISO 27701 · Privacy Information Management Extension
Scope: Personal-data lifecycle, APP data collection, processor controls
Certification body: To be selected · Issue / Expiry: Target 2026 H2 · Surveillance: N/A · Status: Buildout
Key evidence: PII inventory, privacy notice, consent flow, DSAR procedure

ISO 22301 · Business Continuity Management System
Scope: Critical services, SPEI center, customer support, cloud recovery
Certification body: Demo Certification Body · Issue / Expiry: 2025.11.15 / 2028.11.14 · Surveillance: 2026 Q4 · Status: Valid
Key evidence: BIA, BCP, DR test, crisis communication record
ISMS Control Backbone
ISO 27001:2022 Annex A
Reuse policy, risk, access, cryptography, operations, supplier, incident, and continuity evidence across PCI and CUSOFIPO where possible.
Privacy Extension
ISO 27701
Use this as the asset home for privacy-management evidence, while APP-specific permission and SDK checks live in the APP Compliance module.
Continuity Linkage
ISO 22301
Connect BIA, RTO/RPO, recovery testing, crisis escalation, and SPEI operating continuity evidence to the Security Operations Center.
Release Gates: 7 · before production release
Open Issues: 3 · SDK review, permission copy, store metadata
SDKs Under Review: 6 · analytics, KYC, crash, payment
Last Review: 2026.05.13 · demo release board
APP Release Compliance Checklist
Android / iOS · production release gate
Columns: Gate · Compliance Requirement · Evidence · Owner · Status · Risk

APP-01 · Permission and SDK Review
camera, location, contacts, device identifiers, analytics SDKs
Evidence: permission matrix, SDK inventory, third-party due diligence
Owner: Mobile / Compliance · Status: In Review · Risk: Excess permission request or undisclosed SDK data sharing

APP-02 · Privacy Notice and Data Collection Disclosure
LFPDPPP / consent / ARCO-facing language
Evidence: privacy notice version, screen capture, legal approval
Owner: Legal / Product · Status: Ready · Risk: Notice mismatch with actual collection behavior

APP-03 · Account Deletion and User Rights
in-app path, support workflow, evidence retention
Evidence: flow capture, SOP, ticket sample, retention exception list
Owner: Customer Ops · Status: Ready · Risk: ARCO request handling gap

APP-04 · Consent and Marketing Preferences
push, SMS, email, profiling consent
Evidence: consent event log, opt-out test, preference center screenshot
Owner: Growth / Data · Status: Needs Test · Risk: Unclear consent trail

APP-05 · KYC Camera and Liveness Controls
biometric capture, anti-spoofing, retention control
Evidence: KYC vendor control report, data-flow map, retention approval
Owner: KYC / Security · Status: Ready · Risk: Deepfake and biometric retention risk

APP-06 · Sensitive Data Storage and Transmission
token, PAN, credential, personal data
Evidence: mobile security test, TLS check, local storage scan
Owner: Security Engineering · Status: Open · Risk: Local sensitive-data caching

APP-07 · Store Listing and Brand Impersonation Monitoring
Google Play, App Store, third-party APK sites
Evidence: official listing record, takedown playbook, monitoring log
Owner: Brand / Security Ops · Status: In Progress · Risk: Fake APP and fraud campaign exposure
SOFI Internal: 86 · 3 open risks · owner IT Security
AWS: 82 · 4 open risks · owner CloudSec
IDC Center: 78 · 5 open risks · owner Infrastructure
SPEI Center: 90 · 2 open risks · owner Payment Ops
Environment Control Board
demo operating model · evidence-driven
Columns: Environment · Scope · Key Controls · Open Risks · Evidence · Owner · Status

SOFI Internal
Scope: employee endpoint, office network, internal tools, identity platform
Key controls: MFA, endpoint protection, privileged access, DLP, awareness training
Open risks (3): local admin cleanup, phishing drill gap, asset-owner mismatch
Evidence: EDR dashboard, IAM review, device inventory, training report
Owner: IT Security · Status: Operating

AWS
Scope: production VPC, Kubernetes, logging, secrets, backup, cloud perimeter
Key controls: IAM, network segmentation, encryption, logging, vulnerability scan
Open risks (4): stale roles, untagged assets, alert tuning, backup test evidence
Evidence: CSPM report, CloudTrail, KMS inventory, DR test
Owner: CloudSec · Status: Needs Evidence

IDC Center
Scope: network room, physical access, servers, backup media, connectivity
Key controls: physical access, CCTV, rack control, environmental monitoring, media handling
Open risks (5): visitor-log aging, CCTV retention, backup media labeling, rack review, UPS test
Evidence: visitor log, access list, rack inventory, maintenance report
Owner: Infrastructure · Status: Remediating

SPEI Center
Scope: SPEI integration, transfer monitoring, payment operations, incident escalation
Key controls: transaction monitoring, reconciliation, dual control, vendor dependency, incident drill
Open risks (2): drill evidence refresh, vendor dependency mapping
Evidence: monitoring rules, reconciliation report, runbook, drill record
Owner: Payment Ops · Status: Operating
Weekly Operating Rhythm
manual static update first
Every Monday, paste the latest security events and regulatory updates into the static site, then deploy the same Cloudflare Pages project.
Evidence Reuse
PCI · ISO · CUSOFIPO
Reuse IAM review, vulnerability scan, logging, incident response, vendor, continuity, and training evidence across the asset modules.
Next Automation Path
future phase
Once Hermes or scheduled Code updates are stable, this page can become the output target for weekly Markdown-to-HTML static regeneration.
Input Types: 3 · PRD · user flow · data-flow diagram
Review Domains: 8 · CUSOFIPO · SPEI · APP · PCI · ISO
Decision Types: 3 · go · conditional go · block
Approval Mode: Human · AI drafts, owners approve
Phase 2 Planning · PRD Auto Review
Independent module under Security Compliance Operations Center
This is a reserved capability for the next phase. It should review product PRDs before launch and flag regulatory, security, privacy, PCI, ISO, APP, and CUSOFIPO impacts for LATAM Sofipo operations.
Input
PRD / user flow / data-flow diagram
Product teams upload or paste a PRD, including target country, business line, data collected, payment flow, vendor dependency, and release timeline.
Review Dimensions
regulatory + security + evidence
Map the PRD against CUSOFIPO, CONDUSEF, INAI/LFPDPPP, Banxico/SPEI, PCI DSS, ISO 27001, ISO 27701, APP permissions, and operational evidence needs.
Output
go / conditional go / block
Generate risk rating, missing controls, required evidence, owner, remediation deadline, and regulator-facing rationale before release approval.
Guardrails
human approval required
AI can draft the review and clause mapping, but Compliance, Legal, Security, and Product owners must approve the final release decision.
Next Two Weeks · Build Plan
short execution plan
Columns: Window · Priority Work · Expected Output · Owner · Status

Week 1 · Define PRD intake template
country, product type, data, payment flow, vendor, release scope
Expected output: One-page PRD review template and required fields · Owner: Product / Compliance · Status: Next

Week 1 · Create clause-to-review taxonomy
CUSOFIPO, CONDUSEF, INAI, Banxico/SPEI, PCI, ISO, APP
Expected output: Review checklist grouped by regulatory and security domain · Owner: Compliance / Security · Status: Next

Week 2 · Pilot with one real product PRD
cash loan, card, or SPEI-related flow
Expected output: Sample review report: risks, missing controls, evidence, owner, decision · Owner: Product / Legal / Security · Status: Planned

Week 2 · Turn review output into static data
JSON/YAML first, RAG later
Expected output: Static PRD review demo that can be manually updated on Cloudflare Pages · Owner: Engineering · Status: Planned
Near-Term Direction
two-week focus
Make the PRD review template and taxonomy usable before building automation. The first milestone is a reliable manual review workflow.
Medium-Term Direction
after static demo stabilizes
Move regulatory items, controls, evidence, and PRD findings into structured files so weekly updates do not require editing HTML by hand.
Long-Term Direction
RAG and workflow phase
Connect cited retrieval, approval workflow, evidence repository, and Jira/Linear-style remediation tracking after the control library is stable.
Detail Panel
Incident Summary / Regulation Summary
This is a generic detail-panel preview. In actual development:

Security Incidents: show full description, IOC list, MITRE ATT&CK mapping, recommended actions, linked controls

Regulatory Updates: show original regulation summary (Spanish + English comparison), impact analysis, action items, owners

Compliance Library Regulations: show chapter tree (left navigation + right-side clauses), each linked to controls + evidence + owner

PCI Certificates: show file preview, metadata, linked PCI requirements, version history, audit trail
Metadata
Entry Time: 2026-05-10 14:28
Source: Reuters MX / El Financiero
Severity: Critical
Affected Business Lines: Sofipo
Owner: Rubén García (CISO)
Linked Controls: CTL-008, CTL-045, CTL-089
Actions: Compliance Copilot (AI) · Phase 2 · AI Reserved