The Silence That Costs More Than the Breach

Banxico reported 3 cyberattacks on the Mexican financial system in 2025. That same year, 3.82 million Mexicans filed fraud complaints — averaging 13,995 per day. Someone isn't counting the same thing. This article counts both — and what the gap between them is costing everyone in the room.

JM

Jorge Mercado · #JMCoachEnterprise Architect · Financial Risk · Digital Transformation · Fintech & Regulatory Strategy

10 min read
May 2026

The financial system's most expensive failure is rarely the attack. It's the institutional choice to manage it quietly — and absorb the cost in silence.

3

Cyber incidents officially reported by Banxico in 2025

Banxico Financial Stability Report · 2025

3.82M

Fraud complaints from users that same year — 13,995 per day

BEF / CONDUSEF · 9 months 2025

$16.7B

MXN in user-reported losses in 9 months of 2025

Buró de Entidades Financieras · 2025

$20.9B

USD in cybercrime losses reported by FBI IC3 in 2025 — a new record

FBI Internet Crime Complaint Center · 2025

$10.8T

Estimated real global cybercrime cost in 2026 — including unreported incidents

Cybersecurity Ventures · 2026

$250T

Authorized Push Payment fraud volumes projected by 2027

LSEG · Fintechmagazine.com · July 2025

The gap between what is reported and what is real

In Mexico, the regulatory protocol for a cyberattack on a financial institution goes something like this: the institution detects an incident, activates its internal Sensitive Information Security Incident Response Group (GRI), manages containment internally, and reports to Banxico and the CNBV. What gets reported publicly is what was confirmed, contained, and determined not to have "materially affected customers." What doesn't get reported is the attack that was managed quietly before it could be classified as a material event — and the thousands of user accounts that were compromised in the margins of that determination.

This is not a Mexican problem. It is an institutional incentive problem with a North American address. Banxico officially documented three cyberattacks on the financial system in 2025, with a declared total loss of 33.2 million pesos. In the same period, the Buró de Entidades Financieras registered 3.82 million fraud complaints from users — an average of 13,995 per day — with a combined financial impact of 16,678 million pesos. The math doesn't reconcile. One side of that equation is institutions reporting what they are required to report. The other side is users reporting what actually happened to them.

"Observed increases in ransomware are almost certainly higher since many incidents go unreported." — Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025–2026. The same logic applies to every jurisdiction where institutions face reputational and legal risk from disclosure.

In the United States, the FBI's Internet Crime Complaint Center recorded $20.877 billion in cybercrime losses in 2025 — the first time the figure crossed $20 billion, representing 859,532 voluntary complaints. Cybersecurity Ventures estimates the actual global cybercrime damage at $10.8 trillion in 2026 when unreported incidents and indirect costs are included. The ratio between reported and estimated real losses is roughly 500 to 1. That is not a measurement gap. That is a structural silence.

In Canada, the Anti-Fraud Centre received nearly 100,000 fraud reports in 2024, representing $638 million in reported losses. In the same period, Canadian businesses spent over $1.2 billion just in recovery costs — nearly double what was formally reported as lost. 72% of Canadian small and medium-sized businesses experienced a cyberattack in 2024. Most never filed a formal complaint. Most never disclosed the breach. Most absorbed the cost and moved on — hoping the next quarter's numbers would be better.

Financial fraud is not a risk to manage. It is an industry to understand.

Organized cybercrime has its own product development cycles, its own talent pipelines, and its own ROI metrics. The institutions that underestimate this are paying for it in their claims data.

The infographic published by Fintechmagazine.com in July 2025 contains a number that most financial executives read and then move past: 156% year-on-year growth in fraud rates in the fintech sector in 2024. Not 56%. Not 16%. One hundred and fifty-six percent in twelve months. That is not fraud growing alongside digital adoption. That is a parallel industry that has professionalised faster than the defenses it is exploiting.

Global credit card fraud losses are projected to reach US$43 billion by 2026. Authorised Push Payment (APP) fraud — where victims are psychologically manipulated into transferring funds to criminal accounts — is projected to surge from $150 billion in 2017 to an estimated $250 trillion by 2027. The scale of APP fraud alone makes it not just a financial crime problem but a systemic economic risk that dwarfs the declared reserves of most national banking systems.

The Fraud Iceberg — What Gets Reported vs. What's Real

Mexico 2025 · Official vs. user-reported losses — same year, same system

Sources: Banxico Financial Stability Report 2025 · Buró de Entidades Financieras (BEF) / CONDUSEF · 9 months 2025

The financial mathematics of this silence are not neutral. When a bank absorbs a fraud loss without reporting it, three things happen simultaneously: the attack vector remains active for other institutions, the regulators cannot calibrate supervisory resources to actual risk, and the user who was defrauded receives an explanation — "chargeback under review" — that is technically accurate and practically useless. Mexican banks returned only 25% of the $10.7 billion pesos claimed by users in the first half of 2025. Identity theft alone generated $634 million in claims — and institutions reimbursed one-tenth of that amount.

Regulators are beginning to count — and the fines are escalating sharply

CNBV fines up 162% in 2024, then a further 41.5% in 2025 — historic records two years running

The CNBV's enforcement trajectory tells the structural story clearly. In 2023, fines were modest. In 2024, approximately 800 sanctions totalling 216.2 million pesos were imposed — a 162% increase over the prior year. In 2025, the figure jumped to 1,154.9 million pesos — a further 41.5% increase, the highest total in the commission's history. Nearly a third of those fines — 366 million pesos — were directly related to anti-money laundering control deficiencies.

Institution	Sanction — amount	Reason	Year
CIBanco + Intercam + Vector	$185.7M MXN (~$9.8M USD)	AML failures; facilitating cartel money laundering — flagged by US FinCEN	2025
Banorte	$13.9M MXN	Failure to provide information within regulatory deadline (Ley de Instituciones de Crédito)	Dec 2024
Banca Mifel	$64.5M MXN	AML failures, internal control deficiencies, risk diversification non-compliance	2025
BBVA México	6 sanctions (part of $6.7M MXN)	Regulatory reporting and compliance deficiencies	2024
Invex	$400,000+ MXN	No automated system for detecting unusual client transactions	Dec 2024
Banco del Bienestar	$767,580 MXN	Internal control deficiencies + failure to report in first two months of 2024	Dec 2024
Morgan Stanley (Mexico)	$896,200 MXN	No internal controls ensuring compliance with own internal regulations	Dec 2024
Santander México	$1.6M MXN + sanctions	Regulatory compliance deficiencies — among top 6 for user fraud complaints	2024

The CNBV has been explicit about what's driving the escalation: the U.S. Treasury's FinCEN designation of six Mexican drug cartels as terrorist organizations in early 2025 introduced new international compliance pressure that is being transmitted directly into Mexico's supervisory framework. "We are strengthening supervision to avoid any situation," said CNBV President Jesús de la Fuente. The translation for institutions is blunt: the supervisory tolerance of prior years is over.

CONDUSEF's enforcement lens operates in parallel — focused on user protection rather than prudential regulation. The six banks with the highest complaint volumes in the first nine months of 2025 were BanCoppel (1.07M complaints), Banco Azteca (503K), BBVA (409K), Banamex (396K), Banorte (371K), and Santander (250K). The concentration of complaints at digital-first and mass-market institutions reveals where the fraud vectors are densest — and where the technological defenses are most clearly insufficient relative to the client base being served.

The leverage risk: inflating the bubble while reporting it under control

The NPL ratio shows 2.02%. The adjusted IMORA including restructured loans shows 10.4%. Two metrics, one portfolio. The gap between them is where the risk is being parked.

The official Non-Performing Loan (NPL) ratio for Mexico's banking sector closed 2024 at 2.02% — a number that reads as stable and well-managed. The same portfolio, measured using the IMORA (adjusted index that includes restructured loans and those with elevated default probability) closed at 10.4% — five times higher. Both metrics are reported by the CNBV. One circulates in press releases. The other lives in the technical annexes.

The mechanism that produces this divergence is well-documented: write-offs and portfolio restructurings allow institutions to remove impaired loans from the NPL numerator while the economic exposure remains. In 2024, Mexico's banking sector processed write-offs and castigos (loan cancellations) at a real annual average growth rate of 27.3% — significantly exceeding the rate of new credit creation. The effect is a reported NPL ratio that looks controlled while the credit portfolio is being cleaned through the income statement at an accelerating pace.

⚠ Bubble Inflation Signals — Mexico's Consumer Credit Portfolio, 2024–2025

Consumer credit +13.7% in 2024Rapid growth creates a "denominator effect" that suppresses the NPL ratio even as the absolute volume of impaired loans grows. The ratio looks stable; the exposure doesn't.

Credit card NPL: +18.4% real in 2024After moderating from 38.4% growth in 2023 — still accelerating in absolute terms. Tarjetas de Débito and nómina portfolios "starting to show signs" of stress, per BBVA Research March 2025.

Write-offs +27.3% real growthInstitutions are cleaning the portfolio faster than credit is growing — a structural pattern that historically precedes reported NPL deterioration when write-off capacity is exhausted.

Financial leverage at the system level increasedBanxico's Financial Stability Report (June 2025) notes that aggregate system risk increased "driven by higher financial sector leverage and an increase in macroeconomic risks" — the heat map moved toward red.

Fraud losses not fully provisionedThe $10.7B pesos in user-reported fraud claims in H1 2025 represent unrecovered exposure. Of this, institutions reimbursed $2.5B — leaving $8.2B in unresolved claims with uncertain provisioning treatment.

IMORA adjusted = 10.4% — five times the headline NPLThe gap between the headline 2.02% and the adjusted 10.4% is where the true credit quality picture lives. Investors pricing sovereign and institutional risk on the headline metric are pricing the wrong number.

The parallels with pre-crisis dynamics in other markets are not allegorical. As one NPL specialist noted with reference to 2008: "Institutions were celebrating NPL ratios 'under control' while ignoring critical signals: geographic concentrations, accelerated migration between categories, or the real quality of restructurings." The difference between a managed credit cycle and a developing crisis is often not the data — it's the interpretation that institutions choose to present publicly versus what their internal risk committees are reading.

North America: three markets, one structural pattern

$17.4B

MXN — projected Mexico financial fraud losses in 2025

Inversor Latam · CONDUSEF · 2025

$6.08M

USD — average cost per breach in the financial sector globally, 2024

IBM Cost of a Data Breach 2024

$10.22M

USD — average US breach cost 2025 · record high · up 9% YoY

IBM Cost of a Data Breach 2025

27%

Of all global breaches targeted financial institutions in 2023 — more than healthcare

Verizon DBIR 2024

65%

Of Mexican businesses reported an increase in breaches in 2024

Embroker Cybersecurity Statistics 2025

72%

Of Canadian SMBs experienced a cyberattack in 2024

Embroker · Scotiabank Cybersecurity Report 2025

In the United States, the pattern of institutional silence carries specific regulatory consequences. The FDIC explicitly does not protect depositors against "losses due to theft or fraud" — meaning that cyber-enabled fraud losses are absorbed entirely by the institution or the customer, with no federal backstop. This creates a systemic incentive to minimize the reported scope of fraud events. Business Email Compromise (BEC) alone generated $3.046 billion in US losses in 2025 — the single most financially destructive enterprise-targeted cybercrime, and one that by definition involves institutional infrastructure being weaponized against the institution's own clients.

In Canada, the picture is defined by asymmetry of sophistication. The Canadian Anti-Fraud Centre received 100,000 fraud reports in 2024 with $638 million in declared losses — while Canadian businesses simultaneously spent over $1.2 billion in recovery costs. The gap between those two numbers is not rounding error. Investment scams represent nearly half of all dollar losses in Canada, with seniors over 60 accounting for more than a quarter of total reported losses despite lower reporting volumes. The sophistication of the attacks is rising: AI-generated deepfakes, hyper-personalized phishing, and synthetic identity fraud are documented by the Canadian Centre for Cyber Security as active and accelerating threats.

In Mexico, the telecommunications fraud vector adds a dimension absent from US and Canadian analysis: fraud in the telecom sector reached 4 billion pesos in 2024, largely attributable to account activations using false identities. The intersection of financial fraud and telecom fraud means that the attack surface extends from the banking app to the SIM card — and the regulatory perimeter of each sector ends at the boundary of the other. Criminal actors operate across both. Regulators operate within their respective jurisdictions. The gap is systematically exploited.

Doing things right is not a cost. It is the only viable strategy.

The institutions that built robust security and compliance architecture first are not slower. They are the ones that didn't spend Q3 in crisis mode explaining a breach to their regulator.

The infographic that opened this analysis contains two numbers that belong together: 86% of banks surveyed are investing in new technology to combat fraud, and adaptive technology can reduce phishing losses by up to 90%. Read separately, they are statistics. Read together, they describe the exact distance between where most institutions are and where they need to be — and the size of the return available to those that close it.

The Credit Union documented elsewhere in this series built a world-class financial platform in eleven months — passing a global penetration test with only three minor observations. It did so with a team that combined regulatory expertise, architectural discipline, and committed talent, on a budget that most mid-sized banks would classify as a rounding error in their technology spend. The result was not a compromise between speed and security. It was a demonstration that the two are not in tension — they are the same decision, made correctly from the beginning.

✓ What "Doing Things Right" Actually Looks Like — Operationally

Security is an architecture decision, not a compliance checkboxInstitutions that build Zero Trust frameworks, real-time transaction monitoring, and behavioral analytics into their core stack don't face a tradeoff between security and speed. They build once and scale cleanly.

Transparency with regulators is cheaper than managing finesCNBV fines reached $1,154M MXN in 2025. The technology to detect and report suspicious transactions in real time costs a fraction of that — and positions the institution as a regulatory partner rather than a regulatory target.

Fraud detection reduces NPL exposure — not just cybercrime riskSynthetic identity fraud, account takeover, and application fraud inflate the performing loan portfolio with credits that will never be repaid. Institutions with robust KYC and behavioral analytics see lower NPL because they never originate those loans.

Reporting honestly does not destroy confidence — it builds itThe institutions that disclosed breaches clearly, acted quickly, and communicated transparently with affected users maintained client relationships at higher rates than those that minimized. The silence is not protecting the institution — it is delaying the consequence.

AI works on both sides of the ledger86% of banks are investing in fraud-fighting technology. The same AI that detects anomalous transactions also optimizes credit origination, reduces operational cost, and generates the regulatory reporting that previously required full compliance teams. The investment has multiple returns.

The window to act is open — it won't stay open indefinitelyCNBV's enforcement trajectory is clear. FinCEN's reach into Mexican institutions is documented. The FBI's cross-border enforcement cooperation with Mexico and Canada is expanding. The cost of voluntary action today is a fraction of the cost of regulatory-compelled action tomorrow.

The processes are not complex when observed from the right perspective. The fraud problem, the NPL risk, the regulatory escalation — they are each a signal pointing at the same root cause: decisions deferred, controls under-resourced, and risk managed for the quarterly report rather than for the institutional balance sheet. The solution is not different technology. It is the decision to use it honestly.

Financial fraud will cost the North American economy more in 2026 than in any prior year. The question for every executive reading this is not whether their institution has experienced a significant incident. The actuarial probability says it has — or is in the process of discovering one. The question is what the institution chooses to do with that information.

Silence is a choice. Transparency is also a choice. The institutions that survive the next regulatory cycle with their licenses, their client relationships, and their reputations intact will be the ones that made the second choice — and made it before the regulator forced the first one.

Financial Fraud Cybersecurity CNBV CONDUSEF NPL Risk Mexico USA Canada Fintech Regulatory Risk #JMCoach @JormerMx

---

Verified Sources · May 2026

• Banxico · Financial Stability Report 2025 — 3 cyber incidents officially reported · $33.2M MXN declared · banxico.org.mx
• CONDUSEF / Buró de Entidades Financieras (BEF) · 3.82M fraud complaints in first 9 months of 2025 · 13,995/day · $16,678M MXN · buro.gob.mx
• CONDUSEF · H1 2025 fraud report · 2.4M cases · $10,714M MXN claimed · $2,556M reimbursed · condusef.gob.mx
• CONDUSEF · Identity theft H1 2025 · $634M MXN claimed · only $65M reimbursed · +24.6% YoY · vanguardia.com.mx
• CNBV · ~800 sanctions in 2024 · $216.2M MXN · +162% vs 2023 · expansion.mx · March 2025
• Cadena Política · CNBV 2025 historic fines · $1,154.9M MXN · +41.5% vs 2024 · cadenapolitica.com · February 2026
• La Jornada · CIBanco + Intercam + Vector · $185.7M MXN sanctions · FinCEN AML designation · July 2025
• Revista Fortuna · CNBV December 2024 · 262 sanctions · $103.6M MXN · Banorte, Santander, Mifel, Morgan Stanley, Bienestar · January 2025
• BBVA Research · Situación Banca México · March 2025 · IMOR 2.02% · IMORA 10.4% · castigos +27.3% real · NPL tarjetas +18.4%
• Banxico · Financial Stability Report June 2025 · aggregate risk increased · higher financial leverage · macroeconomic risk up
• Mexico Business News · IMOR 2.02% December 2024 · consumer credit +13.7% · February 2025
• FBI Internet Crime Complaint Center (IC3) · 2025 Annual Report · $20.877B in losses · record high · BEC $3.046B · Seniors $7.7B
• Axis Intelligence · Cybersecurity Statistics 2026 · IC3 $16.6B (2024) · US breach cost $10.22M (+9%) · ibm.com/security · April 2026
• Cybersecurity Ventures · Global cybercrime $10.8T 2026 (estimated, includes unreported)
• Canadian Centre for Cyber Security · National Cyber Threat Assessment 2025–2026 · underreporting confirmed · $1.13M avg ransom Canada 2023
• CAFC / Scotiabank · 100,000 fraud reports Canada 2024 · $638M reported losses · $1.2B recovery costs 2023 · scotiabank.com
• Embroker Cybersecurity Statistics 2025 · 72% Canadian SMBs attacked · 65% Mexican businesses reported breach increase
• IBM Cost of a Data Breach Report 2024 · $6.08M avg financial sector breach (22% above cross-industry avg) · ibm.com
• Verizon Data Breach Investigations Report 2025 · Financial sector 27% of all global breaches · phishing 16% of initial vectors
• Inversor Latam · Mexico fraud losses 2024: $14,500M MXN · 2025 projection: $17,400M MXN · February 2025
• Fintechmagazine.com · July 2025 · Cybersecurity infographic · 156% YoY fintech fraud · $43B credit card fraud by 2026 · $250T APP by 2027
• Fortinet · Global Threat Landscape Report 2025 · +42% credentials shared on dark web forums
• Consumer Federation of America · The Scam Economy Report · March 2026 · FBI IC3 + FTC underreporting analysis

JM

Jorge Mercado · #JMCoach

Enterprise Architect · Financial Risk · Digital Transformation · Fintech · Regulatory Strategy