The gap between what is reported and what is real
In Mexico, the regulatory protocol for a cyberattack on a financial institution goes something like this: the institution detects an incident, activates its internal Sensitive Information Security Incident Response Group (GRI), manages containment internally, and reports to Banxico and the CNBV. What gets reported publicly is what was confirmed, contained, and determined not to have "materially affected customers." What doesn't get reported is the attack that was managed quietly before it could be classified as a material event — and the thousands of user accounts that were compromised in the margins of that determination.
This is not a Mexican problem. It is an institutional incentive problem with a North American address. Banxico officially documented three cyberattacks on the financial system in 2025, with a declared total loss of 33.2 million pesos. In the same period, the Buró de Entidades Financieras registered 3.82 million fraud complaints from users — an average of 13,995 per day — with a combined financial impact of 16,678 million pesos. The math doesn't reconcile. One side of that equation is institutions reporting what they are required to report. The other side is users reporting what actually happened to them.
In the United States, the FBI's Internet Crime Complaint Center recorded $20.877 billion in cybercrime losses in 2025 — the first time the figure crossed $20 billion, representing 859,532 voluntary complaints. Cybersecurity Ventures estimates the actual global cybercrime damage at $10.8 trillion in 2026 when unreported incidents and indirect costs are included. The ratio between reported and estimated real losses is roughly 500 to 1. That is not a measurement gap. That is a structural silence.
In Canada, the Anti-Fraud Centre received nearly 100,000 fraud reports in 2024, representing $638 million in reported losses. In the same period, Canadian businesses spent over $1.2 billion just in recovery costs — nearly double what was formally reported as lost. 72% of Canadian small and medium-sized businesses experienced a cyberattack in 2024. Most never filed a formal complaint. Most never disclosed the breach. Most absorbed the cost and moved on — hoping the next quarter's numbers would be better.
Financial fraud is not a risk to manage. It is an industry to understand.
The infographic published by Fintechmagazine.com in July 2025 contains a number that most financial executives read and then move past: 156% year-on-year growth in fraud rates in the fintech sector in 2024. Not 56%. Not 16%. One hundred and fifty-six percent in twelve months. That is not fraud growing alongside digital adoption. That is a parallel industry that has professionalised faster than the defenses it is exploiting.
Global credit card fraud losses are projected to reach US$43 billion by 2026. Authorised Push Payment (APP) fraud — where victims are psychologically manipulated into transferring funds to criminal accounts — is projected to surge from $150 billion in 2017 to an estimated $250 trillion by 2027. The scale of APP fraud alone makes it not just a financial crime problem but a systemic economic risk that dwarfs the declared reserves of most national banking systems.
The financial mathematics of this silence are not neutral. When a bank absorbs a fraud loss without reporting it, three things happen simultaneously: the attack vector remains active for other institutions, the regulators cannot calibrate supervisory resources to actual risk, and the user who was defrauded receives an explanation — "chargeback under review" — that is technically accurate and practically useless. Mexican banks returned only 25% of the $10.7 billion pesos claimed by users in the first half of 2025. Identity theft alone generated $634 million in claims — and institutions reimbursed one-tenth of that amount.
Regulators are beginning to count — and the fines are escalating sharply
The CNBV's enforcement trajectory tells the structural story clearly. In 2023, fines were modest. In 2024, approximately 800 sanctions totalling 216.2 million pesos were imposed — a 162% increase over the prior year. In 2025, the figure jumped to 1,154.9 million pesos — a further 41.5% increase, the highest total in the commission's history. Nearly a third of those fines — 366 million pesos — were directly related to anti-money laundering control deficiencies.
| Institution | Sanction — amount | Reason | Year |
|---|---|---|---|
| CIBanco + Intercam + Vector | $185.7M MXN (~$9.8M USD) | AML failures; facilitating cartel money laundering — flagged by US FinCEN | 2025 |
| Banorte | $13.9M MXN | Failure to provide information within regulatory deadline (Ley de Instituciones de Crédito) | Dec 2024 |
| Banca Mifel | $64.5M MXN | AML failures, internal control deficiencies, risk diversification non-compliance | 2025 |
| BBVA México | 6 sanctions (part of $6.7M MXN) | Regulatory reporting and compliance deficiencies | 2024 |
| Invex | $400,000+ MXN | No automated system for detecting unusual client transactions | Dec 2024 |
| Banco del Bienestar | $767,580 MXN | Internal control deficiencies + failure to report in first two months of 2024 | Dec 2024 |
| Morgan Stanley (Mexico) | $896,200 MXN | No internal controls ensuring compliance with own internal regulations | Dec 2024 |
| Santander México | $1.6M MXN + sanctions | Regulatory compliance deficiencies — among top 6 for user fraud complaints | 2024 |
The CNBV has been explicit about what's driving the escalation: the U.S. Treasury's FinCEN designation of six Mexican drug cartels as terrorist organizations in early 2025 introduced new international compliance pressure that is being transmitted directly into Mexico's supervisory framework. "We are strengthening supervision to avoid any situation," said CNBV President Jesús de la Fuente. The translation for institutions is blunt: the supervisory tolerance of prior years is over.
CONDUSEF's enforcement lens operates in parallel — focused on user protection rather than prudential regulation. The six banks with the highest complaint volumes in the first nine months of 2025 were BanCoppel (1.07M complaints), Banco Azteca (503K), BBVA (409K), Banamex (396K), Banorte (371K), and Santander (250K). The concentration of complaints at digital-first and mass-market institutions reveals where the fraud vectors are densest — and where the technological defenses are most clearly insufficient relative to the client base being served.
The leverage risk: inflating the bubble while reporting it under control
The official Non-Performing Loan (NPL) ratio for Mexico's banking sector closed 2024 at 2.02% — a number that reads as stable and well-managed. The same portfolio, measured using the IMORA (adjusted index that includes restructured loans and those with elevated default probability) closed at 10.4% — five times higher. Both metrics are reported by the CNBV. One circulates in press releases. The other lives in the technical annexes.
The mechanism that produces this divergence is well-documented: write-offs and portfolio restructurings allow institutions to remove impaired loans from the NPL numerator while the economic exposure remains. In 2024, Mexico's banking sector processed write-offs and castigos (loan cancellations) at a real annual average growth rate of 27.3% — significantly exceeding the rate of new credit creation. The effect is a reported NPL ratio that looks controlled while the credit portfolio is being cleaned through the income statement at an accelerating pace.
The parallels with pre-crisis dynamics in other markets are not allegorical. As one NPL specialist noted with reference to 2008: "Institutions were celebrating NPL ratios 'under control' while ignoring critical signals: geographic concentrations, accelerated migration between categories, or the real quality of restructurings." The difference between a managed credit cycle and a developing crisis is often not the data — it's the interpretation that institutions choose to present publicly versus what their internal risk committees are reading.
North America: three markets, one structural pattern
In the United States, the pattern of institutional silence carries specific regulatory consequences. The FDIC explicitly does not protect depositors against "losses due to theft or fraud" — meaning that cyber-enabled fraud losses are absorbed entirely by the institution or the customer, with no federal backstop. This creates a systemic incentive to minimize the reported scope of fraud events. Business Email Compromise (BEC) alone generated $3.046 billion in US losses in 2025 — the single most financially destructive enterprise-targeted cybercrime, and one that by definition involves institutional infrastructure being weaponized against the institution's own clients.
In Canada, the picture is defined by asymmetry of sophistication. The Canadian Anti-Fraud Centre received 100,000 fraud reports in 2024 with $638 million in declared losses — while Canadian businesses simultaneously spent over $1.2 billion in recovery costs. The gap between those two numbers is not rounding error. Investment scams represent nearly half of all dollar losses in Canada, with seniors over 60 accounting for more than a quarter of total reported losses despite lower reporting volumes. The sophistication of the attacks is rising: AI-generated deepfakes, hyper-personalized phishing, and synthetic identity fraud are documented by the Canadian Centre for Cyber Security as active and accelerating threats.
In Mexico, the telecommunications fraud vector adds a dimension absent from US and Canadian analysis: fraud in the telecom sector reached 4 billion pesos in 2024, largely attributable to account activations using false identities. The intersection of financial fraud and telecom fraud means that the attack surface extends from the banking app to the SIM card — and the regulatory perimeter of each sector ends at the boundary of the other. Criminal actors operate across both. Regulators operate within their respective jurisdictions. The gap is systematically exploited.
Doing things right is not a cost. It is the only viable strategy.
The infographic that opened this analysis contains two numbers that belong together: 86% of banks surveyed are investing in new technology to combat fraud, and adaptive technology can reduce phishing losses by up to 90%. Read separately, they are statistics. Read together, they describe the exact distance between where most institutions are and where they need to be — and the size of the return available to those that close it.
The Credit Union documented elsewhere in this series built a world-class financial platform in eleven months — passing a global penetration test with only three minor observations. It did so with a team that combined regulatory expertise, architectural discipline, and committed talent, on a budget that most mid-sized banks would classify as a rounding error in their technology spend. The result was not a compromise between speed and security. It was a demonstration that the two are not in tension — they are the same decision, made correctly from the beginning.
Financial fraud will cost the North American economy more in 2026 than in any prior year. The question for every executive reading this is not whether their institution has experienced a significant incident. The actuarial probability says it has — or is in the process of discovering one. The question is what the institution chooses to do with that information.
Silence is a choice. Transparency is also a choice. The institutions that survive the next regulatory cycle with their licenses, their client relationships, and their reputations intact will be the ones that made the second choice — and made it before the regulator forced the first one.
Financial Fraud Cybersecurity CNBV CONDUSEF NPL Risk Mexico USA Canada Fintech Regulatory Risk #JMCoach @JormerMx
Verified Sources · May 2026
- Banxico · Financial Stability Report 2025 — 3 cyber incidents officially reported · $33.2M MXN declared · banxico.org.mx
- CONDUSEF / Buró de Entidades Financieras (BEF) · 3.82M fraud complaints in first 9 months of 2025 · 13,995/day · $16,678M MXN · buro.gob.mx
- CONDUSEF · H1 2025 fraud report · 2.4M cases · $10,714M MXN claimed · $2,556M reimbursed · condusef.gob.mx
- CONDUSEF · Identity theft H1 2025 · $634M MXN claimed · only $65M reimbursed · +24.6% YoY · vanguardia.com.mx
- CNBV · ~800 sanctions in 2024 · $216.2M MXN · +162% vs 2023 · expansion.mx · March 2025
- Cadena Política · CNBV 2025 historic fines · $1,154.9M MXN · +41.5% vs 2024 · cadenapolitica.com · February 2026
- La Jornada · CIBanco + Intercam + Vector · $185.7M MXN sanctions · FinCEN AML designation · July 2025
- Revista Fortuna · CNBV December 2024 · 262 sanctions · $103.6M MXN · Banorte, Santander, Mifel, Morgan Stanley, Bienestar · January 2025
- BBVA Research · Situación Banca México · March 2025 · IMOR 2.02% · IMORA 10.4% · castigos +27.3% real · NPL tarjetas +18.4%
- Banxico · Financial Stability Report June 2025 · aggregate risk increased · higher financial leverage · macroeconomic risk up
- Mexico Business News · IMOR 2.02% December 2024 · consumer credit +13.7% · February 2025
- FBI Internet Crime Complaint Center (IC3) · 2025 Annual Report · $20.877B in losses · record high · BEC $3.046B · Seniors $7.7B
- Axis Intelligence · Cybersecurity Statistics 2026 · IC3 $16.6B (2024) · US breach cost $10.22M (+9%) · ibm.com/security · April 2026
- Cybersecurity Ventures · Global cybercrime $10.8T 2026 (estimated, includes unreported)
- Canadian Centre for Cyber Security · National Cyber Threat Assessment 2025–2026 · underreporting confirmed · $1.13M avg ransom Canada 2023
- CAFC / Scotiabank · 100,000 fraud reports Canada 2024 · $638M reported losses · $1.2B recovery costs 2023 · scotiabank.com
- Embroker Cybersecurity Statistics 2025 · 72% Canadian SMBs attacked · 65% Mexican businesses reported breach increase
- IBM Cost of a Data Breach Report 2024 · $6.08M avg financial sector breach (22% above cross-industry avg) · ibm.com
- Verizon Data Breach Investigations Report 2025 · Financial sector 27% of all global breaches · phishing 16% of initial vectors
- Inversor Latam · Mexico fraud losses 2024: $14,500M MXN · 2025 projection: $17,400M MXN · February 2025
- Fintechmagazine.com · July 2025 · Cybersecurity infographic · 156% YoY fintech fraud · $43B credit card fraud by 2026 · $250T APP by 2027
- Fortinet · Global Threat Landscape Report 2025 · +42% credentials shared on dark web forums
- Consumer Federation of America · The Scam Economy Report · March 2026 · FBI IC3 + FTC underreporting analysis
Enterprise Architect · Financial Risk · Digital Transformation · Fintech · Regulatory Strategy
