Banking · 11 min read

The 6 CNBV Fraud Behaviors, Operationalised

By Meritra Studio · last updated 2026-04-23

CNBV Circular 14/2021 established six fraud-related behaviors that Mexican banks are required to monitor. Three years later, the distinction that separates the banks with contained fraud losses from the ones with spiraling losses is not whether they monitor the six behaviors — virtually all do. The distinction is whether they have operationalised them. Monitoring and operationalising are not the same thing, and the gap between them is where fraud losses live.

TL;DR
  • CNBV's 6 behaviors are: (1) unusual transaction patterns, (2) account-opening anomalies, (3) atypical outflow velocity, (4) identity verification failures, (5) device/channel inconsistencies, (6) network link to known fraud clusters.
  • Monitoring means generating an alert. Operationalising means having a response that executes within a defined time window — typically 90 seconds for real-time payments.
  • The five structural controls that close the gap: a fraud risk appetite with thresholds per behavior, a decision engine that escalates vs. blocks vs. step-up authenticates, a 90-second escalation protocol, a behavioral graph updated in near-real-time, and a board metric tied to each behavior.
  • Audit-ready means the board can ask "show me the control for behavior #3" and receive a documented procedure, a test result, and a KPI — not a policy document.

The six CNBV behaviors

CNBV Circular 14/2021 defined six behavioral patterns that financial institutions must monitor as part of their anti-fraud framework. Here is what each one means in operational terms:

01. Unusual transaction patterns

Transactions that deviate from a customer's established behavioral baseline — frequency, amount, geography, time-of-day — by more than a defined threshold. The key word is 'established': the baseline must exist, be documented, and be updated continuously.

02. Account-opening anomalies

Data inconsistencies or risk signals detected during the KYC/onboarding process — synthetic identity indicators, document tampering, device fingerprint associated with prior fraud, address inconsistency with biometric data.

03. Atypical outflow velocity

Multiple outbound transfers within a compressed timeframe that individually pass transaction limits but cumulatively exceed the customer's normal pattern. This is the primary mechanism in mule-account fraud: a mule receives a large deposit and must move it before the originating bank triggers a reversal.

04. Identity verification failures

Failed biometric checks, mismatched OTPs, inconsistent responses to knowledge-based authentication questions, or step-up authentication that was bypassed or inconsistently applied during a high-value transaction.

05. Device and channel inconsistencies

A transaction initiated from a device, location, or channel that is inconsistent with the customer's established profile — new device, new IP range, new geolocation, or channel switch (e.g., from mobile app to web) immediately before a large transaction.

06. Network link to known fraud clusters

A beneficiary account, device, or IP address that is linked — directly or through one degree of separation — to a previously confirmed fraud case. This requires a fraud graph or network analysis capability, not just a blacklist of known accounts.

Monitor vs. operationalise: where the gap is

Monitoring behavior #3 (atypical outflow velocity) means generating an alert when the threshold is crossed. The alert goes to a queue. A fraud analyst reviews the queue. The analyst makes a decision. The analyst executes the decision — blocks the transaction, calls the customer, flags the account.

In a traditional fraud operations setup, this process takes 4-8 hours for a non-real-time payment and 15-45 minutes for a high-priority escalation. In a real-time payment environment (Pix, SPEI), the transfer clears in under 10 seconds. The monitoring alert arrives after the money has moved.

Operationalising behavior #3 means: the detection engine evaluates the behavior in real time, makes a disposition decision (block, step-up authenticate, or allow) within 90 seconds, executes the decision without human intervention, and logs the decision with the rationale for audit purposes. The analyst reviews the decision log — not the pending queue — after the fact.

This is the architectural difference. Monitoring is a reporting function. Operationalising is a control function. The CNBV circular requires monitoring. Containing fraud losses requires operationalising.

Five structural controls that close the gap

Control 1: A fraud risk appetite with numeric thresholds per behavior. Without quantified thresholds, the behavior definitions are policy language, not controls. For behavior #3, the threshold might be: "More than three outbound transfers totaling more than 3x the 90-day average daily outflow in any 60-minute window triggers an automatic hold pending step-up authentication." The threshold must be approved by the board as part of the fraud risk appetite statement — not set by the fraud operations team and buried in a procedure manual.

Control 2: A decision engine with three dispositions. The engine must support three outcomes — block, step-up authenticate, or allow with enhanced monitoring — not just alert-or-pass. Step-up authentication (biometric re-verification, OTP to a pre-registered device) is the disposition that reduces false positives without blocking legitimate transactions. Banks that operate with binary block/pass logic generate excessive friction for customers and miss the middle-ground scenarios where a confirmation step would have prevented the loss.
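The behavior #3 threshold quoted in Control 1, wired to the dispositions of Control 2 and to a decision log with rationale, as an added example (not code from CNBV or from this article's product). The block multiple, the "one condition only" rule for enhanced monitoring, the plain "allow" outcome and all sample values are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_S = 60 * 60      # "any 60-minute window" (article's example threshold)
MAX_TRANSFERS = 3       # "more than three outbound transfers"
STEP_UP_MULTIPLE = 3.0  # "3x the 90-day average daily outflow"
BLOCK_MULTIPLE = 6.0    # ASSUMPTION: hard-stop level, not from the article

@dataclass
class VelocityEngine:
    avg_daily_outflow: float                      # 90-day average, computed upstream
    window: deque = field(default_factory=deque)  # (ts, amount) of released transfers
    log: list = field(default_factory=list)       # audit trail, one record per decision

    def decide(self, ts: int, amount: float) -> str:
        # Slide the window: drop transfers that are 60 minutes old or older.
        while self.window and ts - self.window[0][0] >= WINDOW_S:
            self.window.popleft()
        count = len(self.window) + 1
        ratio = (sum(a for _, a in self.window) + amount) / self.avg_daily_outflow
        fast, heavy = count > MAX_TRANSFERS, ratio > STEP_UP_MULTIPLE
        if fast and ratio > BLOCK_MULTIPLE:
            disposition = "block"
        elif fast and heavy:
            disposition = "step_up"                # the article's rule: hold + step-up
        elif fast or heavy:
            disposition = "allow_with_monitoring"  # ASSUMPTION: one condition only
        else:
            disposition = "allow"
        # ASSUMPTION: only released money counts toward the window; releasing a
        # held transfer after a successful step-up is out of scope here.
        if disposition.startswith("allow"):
            self.window.append((ts, amount))
        self.log.append({"ts": ts, "amount": amount, "disposition": disposition,
                         "rationale": f"{count} transfers, {ratio:.2f}x avg daily "
                                      f"outflow in trailing 60 min"})
        return disposition

# Constructed sample: an account with a 2,000/day average outflow drains a large
# deposit in quick transfers. Tuples are (seconds since first transfer, amount).
SAMPLE = [(0, 4000), (300, 3000), (600, 2500), (900, 2000), (1200, 3000), (4500, 500)]

def replay(events=SAMPLE, avg_daily_outflow=2000.0):
    engine = VelocityEngine(avg_daily_outflow)
    return [engine.decide(ts, amt) for ts, amt in events], engine.log

if __name__ == "__main__":
    for record in replay()[1]:
        print(record)
```

Each transfer in the sample would pass a per-transaction limit on its own; the fourth and fifth are stopped only because the engine evaluates the cumulative window.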

Control 3: A 90-second escalation protocol. For the subset of transactions that cannot be resolved by the decision engine automatically — typically large-value transfers where the customer impact of a wrong decision is highest — there must be a human escalation protocol with a defined time window. The protocol must be tested quarterly. The Fraud & Scam Prevention Kit includes a tabletop exercise script designed specifically to test this protocol under realistic time pressure.

Control 4: A behavioral graph updated in near-real-time. Behavior #6 (network link to known fraud clusters) cannot be operationalised with a static blacklist. The fraud ecosystem evolves continuously: mule accounts are activated and discarded within 48-72 hours, device fingerprints rotate, IP ranges shift. The graph must be updated as new confirmed fraud cases are resolved — which means the fraud investigation team must close cases in near-real-time, not batch-weekly. This is an organizational process design question, not just a technology question.
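Why a blacklist of known accounts misses what behavior #6 and Control 4 describe, as an added example (not code from the article or its product). It assumes "direct" means one edge to a confirmed-fraud node and "one degree of separation" means one intermediate node; node names and observations are constructed.

```python
from collections import defaultdict

class FraudGraph:
    """Undirected graph of accounts, devices and IPs (node IDs are strings)."""

    def __init__(self):
        self.edges = defaultdict(set)
        self.confirmed = set()  # nodes tied to a confirmed fraud case

    def observe(self, a: str, b: str) -> None:
        # Record a relationship seen in traffic, e.g. an account used a device.
        self.edges[a].add(b)
        self.edges[b].add(a)

    def confirm_case(self, *nodes: str) -> None:
        # Called when an investigation closes; visible to the very next lookup.
        self.confirmed.update(nodes)

    def link(self, node: str):
        """Return (hops, path) to the nearest confirmed node within 2 hops, or None."""
        if node in self.confirmed:
            return 0, [node]
        neighbours = sorted(self.edges.get(node, ()))
        for n1 in neighbours:                      # direct link
            if n1 in self.confirmed:
                return 1, [node, n1]
        for n1 in neighbours:                      # one degree of separation
            for n2 in sorted(self.edges.get(n1, ())):
                if n2 in self.confirmed:
                    return 2, [node, n1, n2]
        return None

def demo():
    g = FraudGraph()
    # Constructed observations: two accounts share one device, a third is unrelated.
    g.observe("acct:A", "dev:1")
    g.observe("acct:A", "ip:203.0.113.7")
    g.observe("acct:B", "dev:1")
    g.observe("acct:C", "dev:2")
    g.confirm_case("acct:A")
    blacklist = {"acct:A"}                         # static list of known accounts
    before = {b: (b in blacklist, g.link(b)) for b in ("acct:B", "acct:C")}
    g.confirm_case("dev:2")                        # a second investigation closes
    return before, g.link("acct:C")

if __name__ == "__main__":
    print(demo())
```

The beneficiary `acct:B` is absent from the blacklist yet sits two hops from a confirmed case through a shared device, and `acct:C` becomes linked as soon as the second case is closed.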

Control 5: A board metric tied to each behavior. Each of the six behaviors should have a board-visible KPI — at minimum, detection rate (what percentage of known fraud involved this behavior, and was it detected) and response time (from behavior trigger to disposition, measured in seconds for real-time payments). These metrics belong in the board risk committee report alongside LCR and NPL. The AI Governance Framework for Banks includes the model risk elements that apply when the detection engine uses machine learning — which is increasingly common for behaviors #1, #3, and #6.

The 5-country extension

CNBV's six behaviors are Mexico-specific, but the behavioral patterns they describe are universal across LatAm. Brazil's Banco Central do Brasil has an analogous framework under Resolution 4.557 as updated in 2024. Colombia's Superintendencia Financiera issued Circular Externa 029 de 2014 as updated by CE 033 de 2023 with equivalent behavioral monitoring requirements. Argentina's BCRA Resolution A 7543 (2023) expanded transaction monitoring requirements. Peru's SBS Resolución SBS Nº 1765-2005 as updated includes similar provisions.

The practical implication for a multi-country LatAm bank is that the six-behavior framework is the lowest common denominator, not the ceiling. A bank operating in Mexico, Brazil, and Colombia must operationalise six behaviors under CNBV, align them with BCB Resolution 4.557, and cross-reference with Circular 029. The controls must satisfy all three simultaneously.

Audit-readiness checklist

INTERNAL AUDIT CHECKLIST — CNBV BEHAVIOR OPERATIONALISATION
  • Each of the 6 behaviors has a documented quantitative threshold approved by the board
  • Decision engine supports three dispositions: block, step-up authenticate, allow-with-monitor
  • 90-second escalation protocol exists, is documented, and was tested in the last 12 months
  • Behavioral graph is updated within 4 hours of a confirmed fraud case resolution
  • Detection rate per behavior is tracked monthly and reported to board risk committee
  • Response time per behavior is tracked for real-time payments (target ≤90 seconds)
  • Step-up authentication coverage is tracked as % of high-value transactions ≥ threshold
  • CNBV circular compliance mapped against BCB/SFC/BCRA equivalents for multi-country operations
  • AI/ML models used in the decision engine have model risk documentation (per AI Governance Framework)
  • Annual penetration test of the fraud detection system completed and findings remediated

The difference between a bank that passes a CNBV audit and a bank that actually contains fraud losses is this checklist. Passing an audit requires documentation and monitoring evidence. Containing fraud requires that the controls execute in real time, every time, faster than the payment rail clears. The two are related but not identical, and it is the second requirement — not the first — that protects the P&L.

Frequently asked questions

What are the 6 CNBV fraud behaviors?

Unusual transaction patterns, account-opening anomalies, atypical outflow velocity, identity verification failures, device/channel inconsistencies, and network link to known fraud clusters. Each is defined in CNBV Circular 14/2021.

What is the difference between monitoring and operationalising a fraud behavior?

Monitoring generates an alert when a behavior threshold is crossed. Operationalising means having a response that executes within a defined time window — typically 90 seconds for real-time payments — without human intervention. In a Pix or SPEI environment, the transfer clears in under 10 seconds; a monitoring alert that arrives after the money has moved is not a control.

Do the CNBV 6 behaviors apply to banks outside Mexico?

The Circular is Mexico-specific, but the behavioral patterns it describes have direct equivalents in BCB Resolution 4.557 (Brazil), SFC Circular 029 (Colombia), BCRA Resolution A 7543 (Argentina), and SBS equivalents (Peru). Multi-country banks must operationalise the behaviors under each applicable framework simultaneously.
