Why We Built Gu1: Compliance Infrastructure for Latin America

Compliance in Latin America is broken. Not in the abstract, institutional sense. Broken in the sense that an onboarding flow you designed in São Paulo does not work in Mexico City, a rule you wired for the CNBV does not map to the UIF in Buenos Aires, and the KYC vendor you picked last year already lags behind the fraud patterns you will see next quarter. Every fintech in the region rebuilds the same stack. Every team hires the same compliance analysts. Every product roadmap loses quarters to the same regulatory cycle.

We built Gu1 because we got tired of watching that waste happen in front of us. This is the first post on this blog, and it is the right place to say clearly what we are doing and why.

The compliance layer in LatAm is fragmented by design#

Latin America is not one market. It is 35+ countries, a handful of dominant regulators, a long tail of smaller ones, at least four legal traditions, and a set of ID documents that do not share a common format. A Brazilian CPF is not an Argentine DNI is not a Mexican CURP is not a Colombian Cédula. Biometric standards differ. Sanctions lists differ. PEP definitions differ. Data residency rules differ.

Fintechs treat this as a problem to be solved once per country and then maintained forever. In practice, it becomes a problem to be solved once per country, per product, per regulator update, per fraud wave. The cost shows up in the budget.

Fintechs in Latin America spend 15 to 20 percent of their operational budget on compliance, and most of that spend goes to legacy tools that do not talk to each other.

There are more than 2,800 active fintechs in the region according to Finnovista, with Brazil, Mexico, and Colombia leading the count. They are all paying a tax to build and maintain the same compliance layer. The regulators that oversee them do not coordinate. Mexico, Brazil, and Argentina are FATF members and carry the weight of the international framework, but they implement it differently, at different speeds, with different tolerances for automation.

The legacy stack was not built for this#

Most of the compliance tooling in use today was built for a different environment. Identity verification vendors were designed around US or European ID documents, then ported to LatAm with a thin localization layer. Transaction monitoring systems were designed for card rails, then forced to cover PIX, SPEI, Transferencias 3.0, and PSE. AML alert engines were designed around batch processing, then asked to keep up with real-time instant payments.

The result is a stack that is expensive to run, slow to update, and produces alert queues that no one has the headcount to clear. Compliance becomes a cost center that ships slower than the regulator, which is a losing position to be in.

Fraud is moving faster than the tools#

The other half of the picture is fraud. The numbers are hard to look at:

• LatAm fraud +32 percent in the first half of 2024 (Veriff).
• Mexico account takeover +324 percent in 15 months (BioCatch).
• Brazil deepfake fraud +700 percent, synthetic identity fraud +140 percent (Sumsub).
• Scam attempts in LatAm +155 percent in 2025 across 36 institutions and 300 million clients (BioCatch).
• Malware attacks +225 percent, stolen devices +344 percent, remote-access tool usage 5x (BioCatch).
• 59 percent of Mexicans suffered at least one scam attempt per month in 2024 (GASA).
• Colombia identity theft +400 percent since 2020.

Globally, synthetic identity fraud grew 8x in 2025 according to LexisNexis, and roughly half of that volume landed in LatAm. More than half of fraud today involves AI in some form (Feedzai). The attackers have already upgraded. The defense, in most institutions, has not.

The regulators noticed. Brazil published BCB Resolution 519/2025 making CPF validation and liveness mandatory for tier 1 accounts. Mexico put a CNBV rule into effect in June 2024 requiring every regulated fintech to maintain a documented fraud prevention plan. PIX fraud reached R$2.7 billion in Brazil, a 43 percent increase year over year according to Febraban. The compliance and fraud functions are being fused into one operational reality, and the old separation between KYC, AML, and fraud prevention does not hold anymore.

The market is catching up to the numbers. The LatAm fraud detection market was $1.74 billion in 2025 and is projected to reach $9.14 billion by 2034, a CAGR of 20.2 percent. That is a lot of capital chasing a problem that the incumbents have not figured out how to solve.

What Gu1 is#

Gu1 is AI-native compliance infrastructure for Latin American financial institutions. One stack, one API, three surfaces:

• KYC for onboarding and identity verification, with first-class support for CPF, CURP, DNI, Cédula, RFC, RUC, and the biometric and document formats that ship with them.
• AML for transaction monitoring, sanctions screening, PEP screening, and case management.
• KYT (know your transaction) for real-time risk scoring on instant payment rails, wallet flows, and cross-border movement.

AI-native is a term that gets overused, so let us be specific about what we mean. Our rule engine is written and maintained with AI agents in the loop. Our analyst queue is triaged by agents before a human sees it. Our document parsing does not depend on a third-party OCR vendor. Our alert tuning happens continuously against live data instead of quarterly against a frozen snapshot. The humans in our compliance team write policy, not tickets.

If you want a deeper view of the architecture, we wrote it up in the AI-native compliance stack post.

From 35 people to 5 plus AI agents#

A year ago our compliance operation ran with 35 people. Today it runs with 5 people plus AI agents, and the output is the same or higher. That sentence is easy to write and hard to live through, so it deserves some honesty.

The transition was not about replacing people. Most of the 35 moved into other parts of the product, some left, and the 5 who stayed on compliance changed what they did during the day. They stopped reviewing alerts. They started writing the rules that generated the alerts, tuning the models that suppressed the false positives, and auditing the agent decisions. The job shifted from operator to policy author.

Culturally, that shift is the interesting part. A compliance officer reviewing 400 alerts a day cannot be strategic. A compliance officer defining the risk posture of the stack can be. An engineer writing compliance rules in code can ship a Brazil-specific PIX rule on Tuesday and have it live in production on Wednesday. That cadence does not exist in a legacy shop.

What it means for the people we hire#

We hire engineers who can read a CNBV circular and compliance people who can read a pull request. The overlap is smaller than the market assumes, and we have learned to build for that overlap rather than work against it. The rulebooks we ship look more like SDKs than like policy documents, and the policy documents we ship look more like specs than like memos.

Where we are today#

As of April 2026, Gu1 is live with 54 active clients across Brazil, Mexico, Argentina, and Colombia. The client mix skews toward fintechs and neobanks, with a smaller share of crypto, remittance, and marketplaces that carry payment flows. Brazil is our largest market by volume, Mexico by number of institutions, Argentina by product depth, and Colombia by growth rate.

We are not everywhere, and we are deliberate about that. Each country we add is a full KYC + AML + KYT surface with local document coverage, local sanctions lists, and local reporting integrations. Launching a fifth country is not a matter of flipping a flag. We expect to add one or two more markets in 2026, and we will write about each one here when it happens.

If you want the country-by-country breakdown of how KYC works in the region today, we put it in the complete KYC LatAm guide, and the real-world AML problems our customers keep running into are collected in AML challenges for LatAm fintechs.

What this blog will cover#

This blog is for the operators, engineers, and compliance leads who have to make the decisions we spend our days on. We are going to write about:

• Regulatory deep dives, country by country. BCB, CVM, and Febraban in Brazil. CNBV, Banxico, and UIF in Mexico. BCRA and UIF in Argentina. Superfinanciera and UIAF in Colombia. When a circular lands, we will explain what changed, who it affects, and what you have to ship.
• Product decisions. When we change how our liveness check works, or swap a sanctions provider, or redesign our case management UI, we will explain what drove the change. Including the ones that did not work.
• Field notes from customers. Anonymized when we have to, named when the customer wants to be named. The patterns we see across 54 clients are more useful than any single case study.
• Market intelligence on fraud and AML. The numbers we opened this post with will keep moving. We will publish what we see in the data, including the uncomfortable parts. Fraud patterns in emerging markets behave differently from what most global vendors model, and we keep a running view of that in fraud prevention in emerging markets.

We will not write vendor puff pieces. We will not publish anything we cannot defend with data. If we get something wrong, we will correct it in a later post and link back.

What it looks like day to day for a customer#

The abstract case for compliance infrastructure Latin America is easy to make. The concrete case is more useful. When a fintech plugs into our API, the first thing that changes is the onboarding funnel. The KYC surface absorbs the document capture, the liveness check, the database validation against the local tax authority or civil registry, and the first pass of sanctions and PEP screening. The engineering team on the customer side stops owning OCR prompts and biometric thresholds, and starts owning business logic. That split is important. OCR prompts and biometric thresholds are not a competitive advantage for a fintech. Business logic is.

The second thing that changes is the alert queue. AML alerts do not arrive in a flat list anymore. They arrive scored, clustered, and annotated by agents that have already run the first investigation steps against the transaction history, the device signal, and the counterparty graph. The compliance lead on the customer side still owns the final decision and the SAR filing, but they do not own the first 80 percent of the triage work. That is what takes the headcount from double digits to single digits.

The third thing that changes is the reporting surface. Every regulator in the region has a different template, a different cadence, and a different set of fields. We generate the UIF, UAF, COAF, and UIAF submissions from the same underlying data model, which means a customer operating in four countries does not maintain four reporting pipelines. They maintain one policy configuration.

The hard parts we are still working on#

We are not done. The stack is live and in production at 54 institutions, but there are parts of the problem that we have solved better than others. Cross-border flows between Brazil and Argentina are easier for us than flows between Mexico and Colombia, because the data availability is different. PEP coverage in Argentina is deeper than PEP coverage in Colombia because the public sources are more structured. Liveness detection against high-quality deepfakes is a moving target, and we retrain faster than most, but not as fast as the attackers publish new models. We are explicit about these gaps with our customers. Pretending otherwise would be a bad way to run this company.

The bet we are making#

The bet underneath Gu1 is simple. The compliance layer in LatAm does not need more point solutions. It needs a single stack that covers KYC, AML, and KYT, that is AI-native from the ground up, that ships at the speed of the regulator, and that lets a small team do the work that used to take a large one. The fragmented approach has had twenty years to work. It has not.

There is a version of this market where the incumbents adapt and the stack gets cheaper and faster on its own. We do not think that is the version we are in. The incumbents are boxed in by their data models, their sales cycles, and their customer promises. The cost of rebuilding the core is higher than the cost of defending the revenue. That gap is the opening we are building into.

If you run compliance or engineering at a LatAm fintech and you are thinking about the next cycle of your stack, we would like to hear what you are running into. The team is active on LinkedIn and the API is documented. You can also subscribe to the blog and we will send the next posts as they go live. More soon.