The 5 AML Challenges Every LatAm Fintech Is Going to Hit
Every fintech that scales past one country in LatAm hits the same five compliance walls. Here is what they are and what actually works.
Every fintech that scales past one country in Latin America hits the same five walls. We have watched it happen to dozens of our customers at Gu1 — teams that raised their Series A in São Paulo or Ciudad de México, expanded to a second market, and suddenly found that the compliance posture that worked at home no longer holds anywhere else.
This is not a story about bad teams. The teams we work with are good. The product is working. Usage is climbing. And then they trip on something structural — a regulator, a reporting format, a threat vector, a capacity problem — that nobody warned them about because nobody had written it down in one place.
So here it is. The five challenges that show up every time, and what we have seen work in the field across 54 active clients operating in Brazil, Mexico, Argentina, and Colombia.
1. Regulatory fragmentation
The first wall is the one that hits you the moment you cross a border. Latin America is not a single compliance regime. It is a patchwork of national FIUs (Financial Intelligence Units), each with its own mandate, its own reporting templates, and its own idea of what a suspicious transaction looks like.
Operating in three countries is not one compliance regime scaled three times. It is three complete compliance regimes running in parallel.
The key agencies:
- COAF in Brazil
- UIF in Argentina and in Mexico (two separate UIFs, do not confuse them)
- UIAF in Colombia
- UAF in Chile
Different reports. Different deadlines. Different formats — some accept XML, some demand PDF uploads to a proprietary portal, some still want a signed paper filing alongside the electronic one. The reporting windows also diverge: 24 hours for urgent filings in most jurisdictions, 60 days for a standard SAR (Suspicious Activity Report), but the clock starts at different events depending on the country.
The tax on a growing fintech is real. You can either hire compliance staff in every market (expensive, slow, and hard to standardize) or build an abstraction layer — one internal model of what a suspicious case looks like, and a translation layer underneath that emits the right format, to the right regulator, within the right window. The abstraction model is the only one we have seen scale. We built Gu1 on exactly that assumption.
What we have watched work
The fintechs that handle this best separate two things cleanly: the risk decision (is this customer, this transaction, this pattern concerning?) from the reporting obligation (what does COAF need at 9:00 a.m. tomorrow?). When those two live together in the same code path, every new country doubles your complexity. When they are separated, a new country is a new output adapter, not a new compliance team.
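The split described above, sketched as an added example (not Gu1's code): the risk decision is a jurisdiction-neutral `Case`, and each market is one entry in an adapter registry that picks the clock-start event and the output format. The country codes "AA"/"BB", the regulator names, the formats, and the clock events are constructed placeholders; the 24-hour and 60-day windows are the ones quoted in this post.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable
from xml.sax.saxutils import escape

# Windows quoted in the article; real rules vary by regulator.
URGENT_WINDOW = timedelta(hours=24)
STANDARD_WINDOW = timedelta(days=60)

@dataclass(frozen=True)
class Case:
    """The risk decision only: nothing here knows who it gets filed with."""
    case_id: str
    country: str
    urgent: bool
    transaction_at: datetime
    detected_at: datetime
    summary: str

@dataclass(frozen=True)
class Adapter:
    regulator: str
    clock_event: str               # Case field that starts the filing window
    render: Callable[[Case], str]  # regulator-specific payload

def as_xml(c: Case) -> str:
    return (f"<report><id>{escape(c.case_id)}</id>"
            f"<narrative>{escape(c.summary)}</narrative></report>")

def as_json(c: Case) -> str:
    return json.dumps({"id": c.case_id, "narrative": c.summary}, sort_keys=True)

# Constructed registry: markets, regulator names and settings are placeholders.
ADAPTERS = {
    "AA": Adapter("FIU-A", "detected_at", as_xml),
    "BB": Adapter("FIU-B", "transaction_at", as_json),
}

def plan_filing(case: Case) -> dict:
    adapter = ADAPTERS.get(case.country)
    if adapter is None:
        # Fail closed: an unmapped market must never silently skip a filing.
        raise LookupError(f"no reporting adapter for {case.country}")
    start = getattr(case, adapter.clock_event)
    window = URGENT_WINDOW if case.urgent else STANDARD_WINDOW
    return {"regulator": adapter.regulator, "due": start + window,
            "payload": adapter.render(case)}
```

Adding a market means adding one registry entry; the code that produced the `Case` does not change.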
2. The informal economy, and cash
The second wall is the one most imported playbooks get wrong. Europe and the United States wrote the global AML rulebook around a mostly formal economy. Payroll arrives by direct deposit. Income is verifiable. Source-of-funds is a database query.
Latin America does not look like that.
Roughly 55% of Latin America's workforce is in the informal sector, according to the ILO. A majority of economic activity happens outside of formal employment records.
Informal income is hard to trace. It is not fraudulent — it is legal cash income from legitimate work — but it does not produce the documentary trail that a European-style AML model expects to see. When a fintech runs a customer through a copy-pasted risk engine from a European vendor, the informal income shows up as a red flag by default. The customer is flagged as suspicious. The fintech either approves them anyway (and breaks its own policy) or rejects them (and leaves a huge addressable market on the table).
The failure mode is the model, not the customer. Source-of-funds in Latin America needs to be calibrated on local signals:
- Informal cash inflows that cluster around pay cycles for specific sectors
- Mobile money and wallet-to-wallet transfer patterns that are normal here and rare in Europe
- Regional remittance corridors — Mexico to the United States, Venezuela across the region, Argentina to Spain
- Rotating savings and credit group patterns (tandas, juntas, chitas, cundinas)
What works is risk modeling built on Latin American ground truth. The same customer who looks suspicious to a European engine looks perfectly normal to a model trained on 50 million local transactions. This is one of the core reasons we built Gu1 in region, on regional data, rather than licensing a foreign engine and translating the UI.
3. AI-powered fraud is outpacing AI-powered defense
The third wall arrived faster than anyone wanted. The same generative tools that compliance and product teams are adopting, criminals are adopting faster — and in some cases better.
The numbers are ugly.
Brazil saw deepfake fraud grow 700% in 2024–2025, with synthetic identity attempts up 140% over the same period (Sumsub). Globally, synthetic identity grew 8x in 2025, and Latin America accounted for roughly half of that volume (LexisNexis). More than 50% of fraud attempts now involve AI in some form (Feedzai).
The broader picture is consistent. LatAm fraud overall was up 32% in the first half of 2024 (Veriff). Scam attempts across 36 institutions and 300 million clients grew 155% in 2025 (BioCatch). Account takeover in Mexico is up 324% in 15 months (BioCatch). These are not projections. They are already in the logs.
The structural problem: legacy fraud systems were designed to detect humans trying to game humans. They were not designed to detect a model that generates a face that passes liveness, a document that passes OCR, and a voice that passes a call-center verification — all in the same session. A synthetic identity is, by construction, engineered to pass the check. The check is the target function of the model that is attacking you.
What has to change
The answer is AI against AI. Specifically:
- 3D liveness with active challenges rather than passive photo comparison
- Behavioral biometrics — how the user types, scrolls, and holds the device, not just what they type
- Anomaly detection on device, network, and session features combined, not any one of them alone
- Network graph analysis to surface rings that share devices, IPs, or phone numbers across dozens of apparently unrelated accounts
The teams that are holding the line are the ones that treat fraud as an adversarial ML problem rather than a rules problem. Rules lag. Models learn.
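The network graph item in the list above, as an added example (not Gu1's code): accounts that share a device, IP, or phone number are merged with union-find, so a ring surfaces even when no single attribute links all of its members. The sample signups are constructed, and `min_size` and `max_fanout` are hypothetical tuning parameters.

```python
from collections import defaultdict

# Constructed sample: (account, device id, IP, phone). IPs are documentation-range.
SIGNUPS = [
    ("acct-01", "dev-A", "203.0.113.10", "+0000000001"),
    ("acct-02", "dev-A", "203.0.113.11", "+0000000002"),  # shares device with 01
    ("acct-03", "dev-B", "203.0.113.11", "+0000000003"),  # shares IP with 02
    ("acct-04", "dev-C", "203.0.113.12", "+0000000003"),  # shares phone with 03
    ("acct-05", "dev-D", "203.0.113.20", "+0000000005"),  # unrelated
    ("acct-06", "dev-E", "203.0.113.21", "+0000000006"),
    ("acct-07", "dev-E", "203.0.113.22", "+0000000007"),  # pair with 06
]

def find_rings(signups, min_size=3, max_fanout=50):
    """Return account clusters linked, directly or transitively, by a shared attribute."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    by_attr = defaultdict(list)
    for acct, device, ip, phone in signups:
        find(acct)  # register accounts that share nothing, too
        for kind, value in (("device", device), ("ip", ip), ("phone", phone)):
            by_attr[(kind, value)].append(acct)

    for accts in by_attr.values():
        # Skip attributes shared by very many accounts (carrier NAT, public
        # Wi-Fi): they would merge unrelated users into one giant cluster.
        if len(accts) > max_fanout:
            continue
        for other in accts[1:]:
            parent[find(other)] = find(accts[0])

    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted((sorted(c) for c in clusters.values() if len(c) >= min_size),
                  key=lambda c: c[0])
```

On the sample data, accounts 01 through 04 come back as one ring although 01 and 04 have no attribute in common, which is the case a per-attribute rule misses.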
4. Speed against depth
The fourth wall is cultural before it is technical. Nubank set the baseline. Every Latin American user who has opened an account in the last five years expects onboarding to be minutes, not days. Mercado Pago, Nequi, Uala, Albo — the incumbents have all converged on the same expectation. If your onboarding takes a week, you do not have a compliance problem, you have a growth problem.
And yet. Real enhanced due diligence — the kind that clears a PEP (Politically Exposed Person), verifies a source of funds for a large inflow, or reviews an ownership structure with multiple layers — takes time. The honest version of the conversation is that deep due diligence is measured in days, not minutes.
The tension between the two is real, and it is not going away. The UX team is right to push for speed. The risk team is right to push for depth. The bad answer is to pick one and ignore the other. The good answer, and the one we keep seeing in our best customers, is tiered KYC.
How tiered KYC actually looks
- A basic tier for low-risk, low-limit accounts that clears in seconds — document, liveness, sanctions screen, done
- A middle tier that kicks in automatically when a customer crosses a transaction threshold or when a specific behavioral signal fires — additional document, source-of-funds question, light enhanced due diligence
- A deep tier for PEPs, large corporate accounts, and accounts where multiple risk signals have fired — manual review, enhanced due diligence, ongoing monitoring
The customer does not see a blanket experience. They see the friction that is actually warranted by their risk profile. The 95% of users who are low risk get the Nubank experience. The 5% who need a real conversation get a real conversation. That distinction is worth a lot of conversion and a lot of audit quality at the same time.
5. The capacity ceiling at early-stage fintechs
The fifth wall is about people, and it is the one founders underestimate most often. Compliance is not just technology. It is a function with opinions, judgment, and a signature on a filing. And that function, right now, is hard to staff in Latin America.
Good compliance officers are expensive. They are also slow to hire — the best ones have waiting lists, they are being recruited by banks with ten times the comp budget of a Series A fintech, and they are the single most common bottleneck we see when a customer tells us they want to expand into a new country next quarter.
Compliance is already 15–20% of the operational budget of a typical fintech in 2026. That is a big number when headcount is the dominant line item inside it.
The in-house approach — build it yourself, hire ten compliance people, design your own workflows — does work, eventually. It is also the slowest and most expensive way to get there, and it rebuilds from scratch what the rest of the industry has already built.
The alternative we believe in
Compliance as infrastructure. A fintech should consume AML, KYC, and transaction monitoring the same way it consumes payments through Stripe or card issuance through Pomelo — as an API that handles the boring, regulated, undifferentiated layer so the team can focus on product.
That is what we are doing at Gu1. A KYC, AML, and KYT (Know Your Transaction) stack in one API, pre-wired for COAF, UIF, UIAF, and UAF, calibrated on Latin American data. Our customers do not hire ten compliance engineers. They hire one compliance officer who owns policy and uses our platform as the execution layer. The unit economics of that are very different from the in-house path.
For more on how the stack fits together, see our post on the AI-native compliance stack and the complete KYC guide for LatAm.
What this is not
None of the above is a complaint about regulators. Let me say that clearly because the line between "here is a hard problem" and "regulators are the villain" is one a lot of fintech commentary crosses too casually.
COAF, UIF, UIAF, and UAF are trying to solve genuinely difficult problems with limited budgets, limited headcount, and a threat landscape that is shifting under them in real time. Mexico, Brazil, and Argentina are full members of FATF and are delivering on obligations that were written for much larger economies. The friction a cross-border fintech experiences is not any single regulator failing. It is the structural cost of running an operation that touches five national regimes at once.
That cost is a design problem for infrastructure providers. It is our job, and the job of the rest of the RegTech layer, to absorb that cost so that operators do not have to solve it from first principles in every new market. The failure mode is an infrastructure gap, not a regulatory one.
Closing
If you are running a fintech in one country today and thinking about the second, start the regulatory work twelve months before you think you need to. Map the FIU of the target market. Read the last two years of guidance. Talk to one operator who already runs there. Budget the compliance spend into the expansion model — not as an overhead line, but as a product cost, because in this region it is.
We will keep writing per-country deep dives over the next few weeks — Brazil and COAF specifics, Mexico UIF expectations, Argentina's fast-moving framework, Colombia's UIAF reporting stack. If you want them in your inbox, subscribe to the blog at the link below. And if you are building and hitting one of these walls already, see our piece on fraud prevention in emerging markets or come talk to us directly.
For the full context on what Gu1 is and why we are building it, start with welcome to the Gu1 blog.