KYC in Latin America: A Complete Country-by-Country Guide (2026)
A CTO's guide to KYC across Brazil, Mexico, Argentina, and Colombia — regulators, ID systems, reporting windows, and what breaks at the infrastructure layer.
KYC — Know Your Customer — is one of the most operationally complex capabilities a financial institution handles in Latin America, precisely because each country has distinct regulatory bodies, documentation requirements, and sanction list cross-checks. This guide provides a country-by-country reference for KYC in Argentina, Brazil, Mexico, Chile, Colombia, Peru, and the United States — from the regulators involved to the specific verification workflows required.
At Gu1, we treat KYC as one capability among 25+ specialized AI agents that orchestrate the full compliance stack for banks and fintechs: KYB (business verification), AML transaction monitoring, sanctions screening, risk scoring, pattern detection, and automated regulatory reporting formatted per local regulator. This guide focuses specifically on KYC, but the regulatory landscape it describes applies to the entire compliance stack.
Why LatAm KYC is different
Before we touch any country, the four structural differences you have to internalize:
- Non-standardized IDs. Brazil uses CPF. Mexico uses CURP plus INE. Argentina uses DNI. Colombia uses Cédula. There is no cross-border registry, no federated identity layer, no equivalent to eIDAS. A user who moves from Bogotá to Buenos Aires starts from zero. Every KYC stack you build has to handle at least one ID schema per country, and the validation logic is nothing alike — CPF has a checksum digit; DNI does not; CURP encodes birth date and gender in the string itself.
- Informal economy. Roughly 55% of the LatAm workforce operates in the informal sector (ILO). That means source-of-funds — the hardest question in any KYC flow — frequently has no clean paper trail. A user earning honest money as a street vendor in Mexico City has no payslip, no tax return, no bank statement. If your risk model treats "no formal income" as "suspicious," you're excluding half the continent.
- Uneven digital infrastructure. Rural zones across all four countries have spotty access to online registries. Document verification systems that assume always-on connectivity to a government API will time out. Your OCR pipeline has to work offline-first and reconcile asynchronously.
- Multiple regulators with overlapping mandates. BCB and COAF in Brazil. CNBV and UIF in Mexico. UIF and CNV in Argentina. UIAF in Colombia. Each one has its own reporting format, its own cadence, its own escalation path. A fintech operating in three countries is feeding three SAR formats to three different FIUs on three different timelines.
That's the baseline. One more number worth holding in your head: Finnovista counts 2,800+ active fintechs across LatAm, and Brazil, Mexico and Colombia account for the majority of them. The regulatory load scales with the ecosystem, and every new entrant inherits the same stack of problems.
Now, country by country.
Country-by-country
Brazil
Regulators: Banco Central do Brasil (BCB) for prudential supervision, COAF as the Financial Intelligence Unit, Receita Federal for tax.
The key ID is CPF — an 11-digit number with a verifying checksum. Every adult resident has one. Any fintech onboarding flow that doesn't validate the CPF checksum before hitting the federal registry is burning money on API calls.
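A structural pre-check of this kind, as an added example (not Gu1's code): it verifies the two CPF check digits and, going beyond Brazil, applies the format rules this guide gives for CURP, DNI and Cédula. The function names, the country codes, the CURP field layout and the century rule are assumptions, and the sample IDs are constructed.

```python
import re
from datetime import date

def cpf_is_valid(raw: str) -> bool:
    """CPF: 11 digits, the last two are mod-11 check digits over the preceding ones."""
    if not re.fullmatch(r"[\d.\-\s]+", raw):
        return False
    d = [int(c) for c in re.sub(r"\D", "", raw)]
    if len(d) != 11 or len(set(d)) == 1:   # repeated-digit strings satisfy the math; reject them
        return False
    for n in (9, 10):                      # 1st check digit covers 9 digits, 2nd covers 10
        total = sum(v * (n + 1 - i) for i, v in enumerate(d[:n]))
        if (total * 10) % 11 % 10 != d[n]:
            return False
    return True

# Assumed CURP layout: 4 letters, YYMMDD, sex, 5 letters, century marker, check character.
CURP_RE = re.compile(r"[A-Z]{4}(\d{2})(\d{2})(\d{2})([HMX])[A-Z]{5}([A-Z\d])\d")

def curp_parse(raw: str):
    """Return the birth date and gender encoded in a CURP, or None if malformed.
    The final check character is not verified here."""
    m = CURP_RE.fullmatch(raw.strip().upper())
    if not m:
        return None
    yy, mm, dd, sex, marker = m.groups()
    century = 1900 if marker.isdigit() else 2000   # assumption: digit = 1900s, letter = 2000s
    try:
        return {"birth_date": date(century + int(yy), int(mm), int(dd)), "gender": sex}
    except ValueError:                             # e.g. month 13 or 30 February
        return None

def worth_registry_call(country: str, id_value: str) -> bool:
    """Cheap structural gate to run before paying for a government registry lookup."""
    if country == "BR":
        return cpf_is_valid(id_value)
    if country == "MX":
        return curp_parse(id_value) is not None
    if country == "AR":                            # DNI: 8 digits, no checksum (per this guide)
        return re.fullmatch(r"\d{8}", id_value) is not None
    if country == "CO":                            # Cédula: 8 to 10 digits, no checksum
        return re.fullmatch(r"\d{8,10}", id_value) is not None
    raise ValueError(f"unsupported country: {country}")

# Constructed sample values for the demo.
SAMPLES = [("BR", "529.982.247-25"), ("BR", "529.982.247-26"), ("MX", "GOMC900514HDFRRL09")]
if __name__ == "__main__":
    for country, value in SAMPLES:
        print(country, value, worth_registry_call(country, value))
```

A pass here only means the string is well formed; whether the ID exists and belongs to the applicant is still the registry's answer.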
Required controls under BCB Resolution 519/2025:
- Mandatory CPF verification against Receita Federal
- Mandatory liveness selfie for tier-1 accounts (accounts that can move money above a de minimis threshold)
- Document OCR on RG or CNH
- Biometric match between liveness capture and document photo
Reporting obligations:
- Travel Rule on any transfer above R$30,000 — originator and beneficiary data attached
- R$200 per-transaction cap on unregistered devices (PIX hardening rule, 2024)
- SAR to COAF within 24 hours for urgent cases, 60 days for standard reports
Recent context:
PIX fraud grew 43% year-over-year to R$2.7 billion in 2024 (Febraban).
That number is why BCB keeps tightening. The R$200 cap, the device registration requirement, the liveness mandate — all of it is a direct regulatory response to the fraud curve. Expect more, not less.
Brazil is also a FATF member, which means BCB and COAF are held to international standards on top of local rules. The practical consequence: reporting formats are stricter and audit trails have to survive international review. When we built our Brazil integration, the first constraint wasn't UX — it was producing COAF-compatible structured reports that could be pulled up in a mutual evaluation without rework.
Mexico
Regulators: CNBV (Comisión Nacional Bancaria y de Valores) and UIF (Unidad de Inteligencia Financiera). The 2018 Fintech Law (Ley Fintech) is supervised jointly by both — CNBV handles the prudential side, UIF the AML side.
The key ID stack is CURP (18-character personal ID that encodes birth data) plus the INE credencial (the physical voter ID, which doubles as the de facto national ID). Mexican KYC flows typically verify both.
Required controls:
- CURP validation against RENAPO
- INE verification against the INE registry (with the QR on the back since the 2021 credencial)
- Liveness + biometric match
- Proof of address — this one is a recurring pain point because Mexico lacks a standardized address registry
A CNBV rule that took effect June 2024 added a mandatory fraud prevention plan for every regulated fintech, with a 10-year audit log retention requirement. That last part is operational: if your logging stack can't retain structured audit events for a decade, you have an architecture problem, not a compliance problem.
59% of Mexicans reported at least one scam attempt per month in 2024 (GASA), and account takeover fraud grew 324% in the preceding 15 months (BioCatch).
That's the threat model. Mexico's fraud surface is dominated by social engineering and ATO, which means KYC at onboarding is necessary but not sufficient — you need ongoing KYT signal on behavioral anomalies. We've written more about that half of the problem in the AML side of things.
Argentina
Regulators: UIF for AML; CNV (Comisión Nacional de Valores) registers virtual asset service providers under Resolution 1058/2025.
The key ID is DNI — 8-digit number, no checksum, with a version counter (ejemplar) that changes on reissue. Validating "current DNI version" is its own API call to RENAPER.
Required controls:
- DNI validation against RENAPER
- Liveness + document OCR
- Monthly reporting on foreign remittances — this is an Argentina-specific obligation driven by capital controls
- VASP-specific registration and reporting under CNV 1058/2025
Argentina's enforcement environment is complicated by macroeconomic volatility. Peso inflation means every transaction threshold in pesos is effectively a moving target, and operators frequently have to retune risk engines quarterly. A static threshold config in your KYC stack will be obsolete within six months. Build the thresholds as a hot-reloadable config surface from day one, not as constants in code. That's the kind of architectural decision that sounds trivial in January and saves the team a weekend of emergency deploys every quarter.
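A minimal hot-reload surface for such thresholds, as an added example (not Gu1's code): the store re-reads a JSON file when it changes, and an edit that fails validation is recorded while the last good values stay in force. The threshold key names, the file name and the JSON layout are hypothetical.

```python
import json, os, tempfile, threading

REQUIRED = ("edd_trigger_ars", "remittance_report_ars")   # hypothetical threshold names

def validate(doc):
    for key in REQUIRED:                       # every threshold must be a positive number
        v = doc.get(key)
        if isinstance(v, bool) or not isinstance(v, (int, float)) or v <= 0:
            raise ValueError(f"{key} must be a positive number, got {v!r}")
    return {k: doc[k] for k in REQUIRED}

class ThresholdStore:
    def __init__(self, path):
        self._path, self._lock = path, threading.Lock()
        self._mtime, self._current, self.last_error = None, None, None
        if not self.reload_if_changed():
            raise RuntimeError(f"no valid initial config: {self.last_error}")

    def reload_if_changed(self):
        """Swap in the file if it changed and validates; otherwise keep the last good values."""
        with self._lock:
            try:
                mtime = os.stat(self._path).st_mtime_ns
                if mtime == self._mtime:
                    return False
                self._mtime = mtime            # remember it so a bad file is not re-parsed per call
                with open(self._path, encoding="utf-8") as fh:
                    self._current = validate(json.load(fh))
            except (OSError, ValueError, AttributeError) as exc:
                self.last_error = str(exc)     # alert on this; the scorer keeps running
                return False
            self.last_error = None
            return True

    def get(self, key):
        self.reload_if_changed()
        with self._lock:
            return self._current[key]

def demo():
    """Constructed scenario: initial config, a quarterly retune, then a broken edit."""
    path, store, seen = os.path.join(tempfile.mkdtemp(), "thresholds_ar.json"), None, []
    for tick, edd in enumerate((1_000_000, 1_400_000, -1), start=1):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"edd_trigger_ars": edd, "remittance_report_ars": 500_000}, fh)
        os.utime(path, ns=(tick * 10**10, tick * 10**10))   # force a distinct mtime per write
        store = store or ThresholdStore(path)
        seen.append((store.get("edd_trigger_ars"), store.last_error is None))
    return seen
```

In `demo()`, the third write sets a negative threshold; the store keeps serving 1,400,000 and exposes the failure through `last_error` instead of scoring against a bad value.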
Argentina is also a FATF member, which raises the baseline for any operator handling cross-border flows. The monthly remittance report is not optional, and the format is precise — mis-structured files get rejected silently and count as non-filing. We built the Argentina integration with a dry-run validator that fails loudly in staging before anything hits UIF.
Colombia
Regulator: UIAF (Unidad de Información y Análisis Financiero).
The key ID is Cédula de Ciudadanía — 8 to 10 digits, no checksum. The Registraduría Nacional issues and validates.
Required controls:
- Cédula validation against Registraduría
- Liveness + document OCR (the new digital cédula has a chip, which adds NFC read as an optional control)
- PEP screening against UIAF lists
- Risk-scored enhanced due diligence above defined thresholds
Colombia has 560+ active fintechs — one of the densest ecosystems per capita in the region. The regulatory pressure matches.
Identity theft in Colombia has grown 400% since 2020, and Law 2502/2025 now classifies AI-enabled identity theft as an aggravating factor in criminal sentencing.
That law is the first in LatAm to explicitly address synthetic identity fraud as a distinct offense. If you're building in Colombia, your UBO tracing and deepfake detection layers need to be production-grade, not research-grade.
Timing and common traps
Reporting windows across the four countries cluster around two anchors:
- 24 hours for urgent cases (active fraud, sanctions hits, terror finance)
- 60 days for standard SAR — the classic "we saw something, we investigated, here's the package"
The cross-border edge case is where most operators break. If you're running in Brazil + Mexico + Colombia, a single suspicious transaction can trigger three filings with three different FIUs, each in a different format, each with a different cadence. Your compliance platform either generates all three programmatically from one event, or your analysts are doing it by hand. We've seen teams staff 8-person filing desks because nobody automated this layer.
The other common pitfall — this one is architectural — is copy-pasting European KYC models. Taking a stack that was tuned for BaFin or the FCA and dropping it onto a LatAm identity base produces false-positive rates in the 15-25% range on day one. The European models assume a clean income paper trail, a unified ID namespace, and a low informal-sector baseline. None of those hold here. If you're starting from a European reference architecture, budget for a full risk-model rewrite, not a port.
Compliance cost, across the board, runs 15-20% of fintech operational budget in the region. That number is high because the above problems compound. Every country you add is not a linear cost increase — it's a new FIU integration, a new ID system, a new reporting cadence, and a new risk model calibration. Teams that underestimate this ship their second-country launch six months late.
One architectural principle we learned the hard way: treat each country's reporting pipeline as a separate service with a shared event bus, not as branches inside one monolith. When BCB changes its SAR format next quarter — and it will — you want to deploy one service, not retest the whole compliance stack.
Solving it at the infrastructure level
What "modern KYC" actually looks like in LatAm, in 2026:
- Liveness that is 3D, not 2D. 2D liveness (the "turn your head" flow) was bypassed by printed-photo attacks years ago and now by generative video. You need depth capture, passive liveness signal, and a model trained on regional spoofing patterns. 2D stacks can no longer reliably separate high-quality deepfakes from real sessions.
- Document OCR tuned for regional ID templates. Across the four countries we cover, there are many distinct document types in active circulation — multiple CNH versions in Brazil, pre-2019 and post-2019 INE credentials in Mexico, several DNI formats in Argentina, the old and new Colombian cédulas. Generic OCR struggles with the long tail of old-format documents that still show up in production traffic; tuned models handle them reliably.
- Real beneficiary database lookups. UBO (ultimate beneficial owner) tracing is underspecified in the regulatory text but heavily scrutinized in audits. You need automated lookups against corporate registries in all four countries, plus manual escalation for ownership chains that cross borders. Done by hand — Junta Comercial in Brazil, RFC in Mexico, Cámara de Comercio in Colombia, each with its own portal — every corporate onboarding becomes a bottleneck for the ops team.
- Tiered onboarding. Basic identity verification in seconds for low-risk users, escalated enhanced due diligence triggered by risk score, not by rule. If every user goes through the maximum-friction flow, your conversion collapses. If nobody does, your filings pile up.
- Onboarding in seconds, not 3-7 days. The legacy batch model — where KYC is a queue processed overnight — is not survivable against PIX-speed payments. The regulatory clock and the product clock have to run at the same rate.
This is the shape of the stack we built at Gu1. AI-native doesn't mean "we put a model in front of the flow" — it means the risk scoring, document classification, and anomaly detection layers were designed around machine learning from the first line of code, not bolted on later. If you want the longer architectural version, the AI-native compliance stack post walks through it.
Closing
LatAm KYC is not hard because the rules are vague — they're actually more concrete than most people assume. It's hard because the rules interact with a fragmented identity layer, a large informal economy, and a fraud surface that evolves faster than European threat models account for. Every fintech operating here is solving some version of this problem; the question is whether you build it in-house or buy infrastructure that was designed for the region from the start.
If you want the broader context on where Gu1 fits, start here. The AML side of the same problem is covered in the AML challenges post, and the fraud patterns specific to emerging markets are in the fraud prevention post. If you're building in LatAm and the above resonates, the compliance stack is one API call away.
Beyond KYC: the full compliance stack
KYC is the entry point to compliance, not its totality. For most institutions operating across multiple LatAm jurisdictions, the real challenge is maintaining consistent KYC + KYB + AML + sanctions + reporting across 7 regulators simultaneously, with reports pre-formatted per country (BCRA, BACEN, COAF, CNBV, CMF, SFC, SBS). That's what Gu1 was built for.
See the AI-Native Compliance Stack for how we architected 25+ agents to handle this multi-jurisdiction complexity, and AML Challenges for LATAM Fintechs for the AML-specific regulatory breakdown.