Mexico CFDI 4.0: Complete Guide to Electronic Invoicing

Every commercial transaction in Mexico, whether a local sale, a cross-border service, or a government contract, must be documented with a CFDI: Comprobante Fiscal Digital por Internet, Mexico's mandatory electronic invoicing system. There are no exemptions based on transaction size, industry, or whether the parties are domestic or foreign. If goods or services change hands on Mexican soil, a CFDI is legally required.

Mexico pioneered mandatory e-invoicing in 2011, predating most European mandates by over a decade. The system has evolved through several versions since then, with CFDI 4.0 becoming the current standard, mandatory for all taxpayers since April 2023. For finance professionals encountering Mexico's electronic invoicing requirements for the first time, the scope can be surprising: CFDI covers B2B, B2C, B2G, and international transactions without exception. Payroll, payments, credit notes, and withholding certificates all fall under the same framework.

At its core, Mexico CFDI electronic invoicing operates on a three-party clearance model. Taxpayers generate a structured XML invoice, submit it to a certified PAC (Proveedor Autorizado de Certificación) for digital stamping (timbrado), and the validated invoice is transmitted to SAT (Servicio de Administración Tributaria), Mexico's federal tax authority, in real time.

Each validated CFDI receives a UUID (Folio Fiscal), a universally unique identifier that links the invoice permanently within SAT's database. This UUID creates end-to-end traceability: any invoice can be verified, any cancellation can be tracked, and any audit trail leads back to a single, immutable record. For AP teams reconciling payments or auditors verifying deductions, the UUID is the definitive reference point.

Who needs to understand this system? The answer is broader than many finance teams initially expect:

• Companies operating in Mexico — domestic businesses of any size must issue CFDIs for every sale, service, or payroll payment.
• Multinationals with Mexican suppliers — if your organization receives invoices from Mexican vendors, those documents are CFDIs. Understanding their structure matters for payment validation, tax recovery, and audit readiness.
• Foreign companies entering the Mexican market — Mexico attracted $40.9 billion in foreign direct investment in the first three quarters of 2025 alone, up 14.5% year over year. Every one of those investment projects requires CFDI compliance from day one.
• ERP implementers and finance system architects — Mexico localization requires native CFDI generation, PAC integration, and XML handling. Bolting it on as an afterthought creates costly rework.

Finance teams planning that transition often need a clearer roadmap for what foreign companies must line up before issuing compliant Mexican invoices.

Mexico's e-invoicing framework is one of the most mature in the world, and understanding its full scope is essential for any organization doing business in the country.

---

How Mexico's Three-Party Clearance Model Works

Mexico's CFDI system operates as a real-time clearance model involving three parties: the taxpayer, a PAC (Proveedor Autorizado de Certificación), and SAT itself. Every invoice passes through all three before it becomes legally valid. This is fundamentally different from post-audit systems used in many countries, where businesses issue invoices freely and the tax authority reviews them later. In Mexico, SAT sees each transaction the moment it occurs.

The process follows three concrete steps.

Step 1: The taxpayer generates the CFDI XML. The invoice originates as a structured XML document that conforms to SAT's published schema, defined in the Anexo 20 technical specification. This XML can be generated in the taxpayer's ERP system, dedicated accounting software, or through the PAC's own web interface. The document must include all mandatory fields: the issuer's and receiver's RFC (Registro Federal de Contribuyentes), fiscal regime codes for both parties, individual line items mapped to SAT's standardized product and service catalog codes (c_ClaveProdServ), unit codes, tax breakdowns showing IVA and any applicable withholdings, payment method, and currency. The Anexo 20 specification dictates not just which fields are required but also the acceptable values and formats for each, so an XML that includes all fields but uses an invalid fiscal regime code will still be rejected downstream.

Step 2: The PAC validates and stamps the XML (timbrado). Once the taxpayer submits the XML to their chosen PAC, the PAC runs it through SAT's validation rules. This includes schema compliance checks, field-level value validation, and under CFDI 4.0, pre-validation of the receiver's data against SAT's taxpayer registry (confirming the receiver's RFC, name, and fiscal regime match what SAT has on file). If the XML passes all checks, the PAC applies a digital stamp, a process known as timbrado. At this point the PAC assigns the invoice its Folio Fiscal, a UUID that becomes the document's permanent unique identifier across every system in Mexico's tax infrastructure. This UUID is how SAT, the issuer, the receiver, and any auditor will reference that specific transaction for the rest of its lifecycle. A CFDI without a Folio Fiscal is not a CFDI; it is just an unsigned XML file with no legal standing.

Step 3: SAT receives the certified CFDI in real time. The PAC transmits the stamped, UUID-bearing CFDI to SAT immediately after timbrado. There is no batch window or end-of-month reporting cycle. SAT now holds a complete, validated record of the transaction, including every line item, tax amount, and party involved. This gives the tax authority a continuously updated view of economic activity across the entire country.

The real-time nature of this model is worth emphasizing. Mexico's approach shares structural similarities with other major Latin American e-invoicing systems, such as Brazil's NF-e electronic invoice framework, though each country implements its own distinct architecture and validation rules. What they have in common is the principle that the tax authority participates in invoice certification before the document reaches the buyer, rather than auditing paper trails after the fact.

For ERP implementers and integration architects, the practical implication is that your system must be capable of generating valid Anexo 20 XML, communicating with a PAC's API for timbrado, handling validation errors returned by the PAC, storing the stamped XML with its Folio Fiscal UUID, and delivering the certified CFDI to the receiver. Each of these steps has failure modes that need to be accounted for in workflow design: malformed XML, PAC downtime, receiver data mismatches under CFDI 4.0's stricter validation, and UUID storage for downstream processes like cancellations and payment complement linking.

---

e.Firma and CSD: Mexico's Two-Tier Digital Certificate System

Before a business can issue a single CFDI, it needs two distinct digital certificates from SAT. These certificates serve different purposes, follow different issuance procedures, and carry different consequences when revoked. Understanding the distinction is essential because the certificate infrastructure is not just a technical prerequisite. It is also one of SAT's primary enforcement tools.

e.Firma: The Identity Layer

The e.Firma, formerly known as FIEL (Firma Electrónica Avanzada), is the foundational electronic signature certificate for any entity or individual registered with SAT. It functions as a universal digital identity across all SAT interactions, not just invoicing. Tax filings, formal requests, power-of-attorney delegations, and access to SAT's online portal all depend on a valid e.Firma.

Obtaining an e.Firma requires an in-person biometric appointment at a SAT office. During the appointment, SAT captures fingerprints and an iris scan to bind the certificate to a specific individual, whether that person is a sole proprietor or the legal representative of a corporation. The appointment must be scheduled through SAT's online booking system, Citas SAT, and availability varies significantly by region and time of year. In major cities like Mexico City, Monterrey, and Guadalajara, wait times of several weeks are common during peak tax season. For foreign businesses establishing Mexican operations, this process is often the first unexpected bottleneck. There is no remote alternative.

The e.Firma is valid for four years from the date of issuance. Upon expiration, the holder must renew it through another SAT appointment, though renewal can sometimes be completed online if the current certificate has not yet expired.

CSD: The Invoice-Signing Certificate

The CSD, or Certificado de Sello Digital, is the certificate used exclusively to sign CFDI documents. It is derived from the e.Firma, meaning a valid e.Firma is a prerequisite for obtaining a CSD. While the e.Firma proves identity, the CSD authorizes a specific taxpayer to stamp electronic invoices.

A taxpayer can hold multiple active CSDs simultaneously. This is useful for businesses that operate through different branches or systems and want to segregate invoice signing by location or department. Each CSD is also valid for four years.

The process for obtaining a CSD is less burdensome than the e.Firma. Once the e.Firma is in place, the taxpayer generates a certificate signing request using SAT's Certifica application (or equivalent tools), then submits it through SAT's online portal. No additional in-person appointment is required. Turnaround is typically fast, often within the same business day.

CSD Revocation as an Enforcement Weapon

The practical distinction between these two certificates becomes starkest when SAT exercises its authority to revoke a CSD. Under Article 17-H Bis of the Código Fiscal de la Federación, SAT can temporarily restrict a taxpayer's CSD when it detects irregularities such as discrepancies between declared income and issued CFDIs, simulated operations, or failure to file tax returns.

The impact is immediate and severe. Without a valid CSD, a business cannot issue legally valid invoices. For any company operating in Mexico, this effectively halts commercial activity. Customers cannot deduct payments made without a proper CFDI, so most will simply stop doing business with a supplier whose CSD has been revoked.

Resolving a CSD restriction requires the taxpayer to address the underlying issue and submit a formal clarification through SAT's portal. Depending on the complexity of the case, reinstatement can take days or weeks. During that period, the business has no mechanism to issue compliant invoices.

This dual-certificate architecture gives SAT a graduated enforcement capability. Revoking a CSD blocks invoicing without invalidating the taxpayer's broader digital identity. The e.Firma remains intact, allowing the business to continue interacting with SAT to resolve the problem. It is a precisely targeted sanction, and one that foreign companies operating in Mexico frequently underestimate until they encounter it firsthand.

---

How to Choose a PAC for CFDI Compliance

Every CFDI must be validated and stamped by a Proveedor Autorizado de Certificacion (PAC) before it becomes legally valid. PACs are private companies that SAT has authorized to perform this critical intermediary function: they receive your unsigned CFDI XML, validate its structure and data against SAT's rules, apply the digital fiscal stamp (timbre fiscal digital), and return the completed document. SAT publishes an official list of authorized PACs, which currently includes over 70 active providers. To earn and maintain authorization, each PAC must meet SAT's technical, security, and infrastructure requirements, including periodic audits and connectivity standards.

With dozens of authorized providers, the selection decision comes down to five practical criteria that most guides overlook entirely.

API quality and uptime. For any business integrating CFDI issuance into an ERP or accounting system, the PAC's API reliability is the single most consequential factor. When a PAC experiences downtime during the stamp process, your organization simply cannot issue invoices. Before committing, ask prospective PACs for their historical uptime figures and whether they offer formal SLAs with penalties for service interruptions. A PAC advertising 99.9% uptime still allows roughly eight hours of downtime per year, which can land on month-end closing or peak billing periods.

Timbrado speed. Processing time per stamp varies meaningfully across PACs. For a business issuing a few dozen invoices per month, stamp latency is irrelevant. For operations generating hundreds or thousands of CFDIs daily, the difference between 200 milliseconds and 2 seconds per stamp compounds into hours of processing time. Request benchmark data or trial access to test stamp speed under realistic volume conditions before signing a contract.

Pricing structure. PACs typically charge per stamp (timbrado), and the cost range is wide. High-volume contracts can bring the per-stamp cost down to fractions of a peso, while low-volume pay-as-you-go plans may charge several pesos per timbrado. Some PACs bundle stamping services with ERP modules or accounting software, which can simplify the vendor relationship but makes direct cost comparison harder. Always calculate total cost of ownership at your actual monthly volume rather than comparing headline per-stamp rates alone.

Complemento support. SAT maintains over 26 active complementos, and not every PAC supports all of them. This matters most for businesses with specialized invoicing requirements. If your operations involve freight logistics, you need a PAC that fully supports Carta Porte. International trade requires Comercio Exterior. Installment-based collections require Complemento de Pago. Verify support for your specific complemento types before selection, and confirm that the PAC has a track record of implementing new complemento versions promptly when SAT publishes updates.

Technical support. SAT updates CFDI rules, validation matrices, and catalog versions on a regular cadence, and each update can break existing integrations. Evaluate whether the PAC provides dedicated technical support for integration issues, how quickly they communicate upcoming SAT changes, and whether they offer sandbox environments for testing against new rule versions before they take effect.

For very low-volume issuers, SAT offers its own free invoicing tool, Factura SAT, accessible through the SAT portal. It handles basic CFDI generation without requiring a third-party PAC. However, its limitations are significant: the interface is minimal, there is no API access, batch processing capability is effectively nonexistent, and it cannot integrate with ERP or accounting systems. Businesses issuing more than a handful of invoices per month will outgrow it quickly.

---

What Changed from CFDI 3.3 to CFDI 4.0

CFDI 4.0 became mandatory on April 1, 2023, replacing version 3.3 as the only accepted schema for electronic invoicing in Mexico. Every CFDI issued after that date must conform to the 4.0 standard, and PACs will reject any document submitted under the old format.

The single most disruptive change is receiver data pre-validation. Under CFDI 3.3, issuers could fill in the receiver's information with minimal verification. Version 4.0 eliminated that flexibility entirely. Before a PAC will stamp a CFDI, four receiver fields must match exactly against SAT's Registro Federal de Contribuyentes database:

• Legal name (razón social or nombre)
• RFC identifier
• Fiscal regime code (régimen fiscal)
• Postal code of the fiscal domicile

If any of these four fields contains a discrepancy, the PAC rejects the invoice outright. A misspelled legal name, an outdated postal code after an office relocation, or an incorrect fiscal regime selection will all produce the same result: a failed stamp attempt and a delayed transaction.

For businesses with hundreds or thousands of customers, this pre-validation requirement created a significant operational burden. Companies needed to collect updated fiscal data from every client, verify it against SAT records, and build processes to keep that data current. Many organizations discovered during the transition that their customer databases contained years of accumulated inaccuracies that had never caused problems under 3.3 but now blocked invoice issuance entirely.

Beyond receiver validation, CFDI 4.0 introduced several additional changes. The cancellation workflow now requires mandatory reason codes that specify why a CFDI is being cancelled, and the receiver-consent model for cancellations was strengthened with tighter deadlines and fewer exceptions. A new export field became mandatory for cross-border transactions, requiring issuers to indicate whether goods or services are leaving Mexico. SAT also updated the catalogs for fiscal regime codes and CFDI use codes (uso de CFDI), expanding some categories and retiring others. Every CFDI must now specify whether its subject is goods, services, or both, using a dedicated field that did not exist in version 3.3.

The cumulative effect of these changes shifted compliance responsibility upstream. Where CFDI 3.3 allowed issuers to generate invoices quickly and correct errors later, 4.0 demands that data accuracy problems are resolved before the invoice can exist at all. ERP systems and billing platforms needed schema updates, new validation routines, and customer data collection workflows that many organizations are still refining.

---

The Five CFDI Document Types and Key Complementos

Every fiscal transaction in Mexico maps to one of five CFDI document types. Each serves a distinct purpose in the SAT's tax reporting framework, and finance teams processing Mexican invoices need to recognize what they are looking at when a supplier sends a CFDI.

Ingreso (Income)

The Ingreso is the standard sales invoice and by far the most common CFDI type. It covers B2B transactions, B2C sales, and export invoices. When a Mexican supplier bills for goods or services, the resulting CFDI will almost always be an Ingreso. Each one carries the full tax breakdown required by SAT, including IVA and, where applicable, ISR withholdings. If your AP team needs the calculation workflow behind those deductions, Mexico's invoice retenciones guide breaks down when ISR and IVA must be withheld and how the CFDI retention data should line up with the payment.

Egreso (Credit Notes and Returns)

An Egreso reverses or adjusts a previously issued Ingreso. Mexican tax law does not allow informal corrections to invoices. If a supplier grants a discount after invoicing, processes a return, or needs to partially cancel a transaction while keeping the original CFDI on record, they issue an Egreso that references the original Ingreso UUID. This creates an auditable paper trail linking the adjustment to the source document.

Traslado (Transfer of Goods)

The Traslado documents physical movement of goods where no payment transaction occurs. Companies use it for inventory transfers between warehouses or branch locations, consignment shipments, and free samples. The Traslado does not reflect revenue or trigger tax obligations on its own, but SAT requires it to account for the location and movement of taxable goods.

Nomina (Payroll)

Every payroll payment to an employee in Mexico must generate a Nomina CFDI. Employers issue one per employee per pay period, and each receipt contains a granular breakdown of salary components, deductions, employer social security contributions, and income tax withholdings. The Nomina CFDI feeds directly into the employee's annual tax filing and the employer's deductibility records, making accuracy non-negotiable.

Pago (Payment Receipts)

The Pago CFDI exists for transactions where payment does not happen at the time of invoicing. When a supplier issues an Ingreso with deferred payment terms, or when a buyer pays in installments, each subsequent payment triggers a Pago CFDI. This type always works in conjunction with the Complemento de Pago, which links the payment event back to the original invoice UUID and records the amount, date, and payment method for each installment.

Beyond these five types, businesses making high-volume B2C sales (retail, restaurants, service businesses) can issue a consolidated Factura Global covering all transactions in a period for which individual customers did not request a named CFDI. When a specific transaction from a Factura Global later needs its own individual CFDI, cancellation reason code 04 applies.

Key Complementos

Complementos are modular XML extensions that attach to base CFDIs, adding structured data for specific transaction types. SAT maintains over 26 active complemento types covering industries from aviation fuel to educational institutions. Four complementos appear most frequently in cross-border and domestic operations.

Complemento de Pago. Attached to every Pago CFDI, this complement tracks partial and deferred payments against previously issued Ingreso invoices. It records the payment amount, currency, exchange rate, payment method, and the UUID of the original invoice being settled. When reconciling supplier payments, the Complemento de Pago is the authoritative record that a specific payment was applied to a specific invoice, and teams that need the operational details can use this guide to manage PPD, PUE, and REP deadlines in Mexico.

Carta Porte. The transport waybill complement became mandatory for goods moving within Mexico by certain carriers and routes. It documents origin, destination, merchandise descriptions, and carrier information. Any company shipping physical goods domestically, whether using its own fleet or a third-party logistics provider, needs to verify whether Carta Porte applies to their shipments. Teams that want a practical breakdown can use this Mexico Carta Porte guide for requirements, penalties, and CFDI type selection.

Comercio Exterior. Required for cross-border export transactions, this complement contains customs data, tariff classifications, and trade-specific fields that Mexican customs authorities use to validate export declarations. Multinationals moving goods out of Mexico will see this complement attached to their suppliers' export Ingreso CFDIs.

Nomina Complement. The payroll complement extends the base Nomina CFDI with detailed fields for ordinary and extraordinary income, employer contributions to housing funds and retirement accounts, overtime calculations, and separation payments. It transforms the Nomina from a simple receipt into a comprehensive payroll record that SAT can audit down to individual line items.

Processing Mixed CFDI Types at Scale

Businesses with Mexican operations routinely receive a mix of Ingreso, Egreso, and Pago CFDIs from dozens or hundreds of suppliers, each carrying different complementos with their own XML schemas and field structures. Extracting structured data from this variety manually is slow and error-prone, particularly when AP teams need to reconcile payments, match credit notes to original invoices, or consolidate payroll records across entities.

Automated invoice data extraction tools built for batch processing can handle this complexity directly. A finance team receiving hundreds of CFDI documents from Mexican suppliers across all five document types can upload the full batch, up to 6,000 mixed-format files, and extract the specific fields they need into a standardized Excel or CSV output. Because the extraction is prompt-driven and supports Spanish natively, teams can specify exactly which data points to pull from each CFDI type without building separate parsing rules for every complemento schema.

---

CFDI Cancellation Rules Under the Receiver-Consent Model

CFDI 4.0 fundamentally changed how invoice cancellations work in Mexico. Under the previous framework, an issuer could unilaterally cancel a CFDI without the receiver's knowledge or approval. The receiver-consent model eliminated that practice. Now, cancelling a stamped CFDI is a two-party process with defined timelines, mandatory reason codes, and real consequences for getting it wrong.

When an issuer needs to cancel a CFDI, they submit a cancellation request through the SAT's systems. That request is routed to the receiver via the Buzon Tributario, SAT's electronic tax mailbox. The receiver then has 72 hours to accept or reject the cancellation. If the receiver takes no action within that window, the cancellation is automatically approved. This makes it critical for both parties to have their Buzon Tributario properly configured and actively monitored. Companies that neglect their tax mailbox risk having cancellations approved by default, or missing cancellation requests that affect their own deductibility.

There is one notable exemption to the consent requirement. CFDIs with a total value below MXN $1,000 (roughly USD $50) can be cancelled without receiver approval. This threshold prevents the consent process from becoming an administrative burden on low-value transactions, though the issuer must still provide a valid reason code.

Every cancellation request requires a Motivo de Cancelacion, a standardized reason code that tells SAT why the CFDI is being voided. The four codes are:

• 01 — CFDI issued with errors related to the receiver's data (wrong RFC, name, or fiscal regime of the recipient)
• 02 — CFDI issued with errors not related to the receiver's data (incorrect amounts, descriptions, or other issuer-side mistakes)
• 03 — The operation was not carried out (the sale, service, or transaction never actually occurred)
• 04 — Nominative operation related to a global CFDI (used when a specific transaction originally included in a consolidated global invoice needs to be broken out separately)

Reason code 01 carries an additional requirement that catches many companies off guard. Because the cancellation is specifically due to incorrect receiver data, SAT requires the issuer to specify the UUID of the replacement CFDI at the time of cancellation. In practice, this means the corrected CFDI must be stamped before or simultaneously with the cancellation request. You cannot cancel under code 01 and issue the replacement later.

CFDIs can only be cancelled within the fiscal year in which they were issued. A CFDI stamped in March 2026 must be cancelled before December 31, 2026. Missing this window leaves the original CFDI as a permanent tax record, which can create reconciliation problems for both parties. The 2026 tax reform introduced limited extensions to this deadline under specific circumstances, but the general rule remains: cancel within the same fiscal year or accept the document as final.

---

Penalties for CFDI Non-Compliance in Mexico

SAT enforces CFDI compliance through a layered penalty structure that escalates from administrative fines to criminal prosecution. The specific amounts, codified in the Código Fiscal de la Federación and updated annually through the Resolución Miscelánea Fiscal, create meaningful financial exposure for businesses operating in Mexico.

Administrative Fines

The base penalty for issuing incorrect, incomplete, or missing CFDIs ranges from MXN $19,700 to $112,000 per infraction, roughly USD $1,000 to $5,600 at current exchange rates. These are per-instance fines, meaning a company that routinely issues malformed invoices can accumulate six-figure exposure within a single audit cycle. Certain violations also trigger percentage-based penalties of 5% to 10% of the invoice value, which for high-value B2B transactions can dwarf the flat-rate fines.

The per-instance structure is what catches multinational operations off guard. A systematic error in an ERP integration that produces thousands of non-compliant CFDIs does not result in a single penalty. Each document is assessed independently.

Operational Consequences

Beyond monetary fines, SAT wields two enforcement mechanisms that directly disrupt business continuity.

CSD revocation is the most immediately damaging. When SAT cancels a taxpayer's Certificado de Sello Digital, that entity cannot stamp or issue any CFDI until the problem is resolved and a new certificate is obtained. For a business that must issue invoices to collect payment, CSD revocation effectively freezes commercial operations. The resolution process requires addressing the underlying compliance failure, submitting documentation to SAT, and waiting for reissuance, a timeline that can stretch from days to weeks depending on the severity of the violation.

Temporary business closure applies to serious or repeated infractions. SAT has the authority to order physical closure of business premises for 3 to 15 days. While this penalty is exercised less frequently than CSD revocation, it remains a statutory tool that SAT deploys against persistent non-compliance.

Criminal Liability

Fraudulent invoicing carries criminal penalties of 2 to 9 years imprisonment. This applies specifically to the sale or purchase of fictitious CFDIs used to fabricate tax deductions, a practice SAT categorizes under operaciones simuladas (simulated operations). Companies identified as participants in EFOS (Empresas que Facturan Operaciones Simuladas) networks face immediate consequences.

SAT maintains a public EFOS list under Article 69-B of the CFF. Appearing on this list triggers immediate scrutiny of every transaction the listed entity has participated in, and counterparties who received CFDIs from a listed company face their own compliance burden to demonstrate the transactions were legitimate. For a practical control workflow, finance teams can follow this guide to screen Mexican suppliers against the EFOS blacklist before accepting invoices. The reputational damage alone can sever supplier and client relationships overnight.

Enforcement Trajectory

SAT has invested heavily in automated cross-referencing systems that flag discrepancies between issued and received CFDIs, detect patterns consistent with simulated operations, and identify taxpayers whose CFDI volume or values deviate from historical norms. The agency's enforcement posture has shifted from reactive audits to proactive detection, making the probability of identifying non-compliant behavior materially higher than it was under earlier CFDI versions.

Separate from penalties, taxpayers must retain all CFDI XML files and their corresponding PDF representations for a minimum of five years from the date of issuance, consistent with the general statute of limitations under the CFF. Failure to produce CFDIs during an audit due to inadequate archiving can itself trigger penalties.

---

2026 Tax Reform: New CFDI Enforcement Powers

Mexico's 2026 fiscal reform package represents the most significant expansion of SAT's enforcement capabilities in over a decade. The changes target every stage of the CFDI lifecycle, from issuance verification to cancellation timelines, and they compress the window taxpayers have to respond to audits.

Expanded Evidence Requirements

Article 29-A Bis of the Código Fiscal de la Federación now authorizes SAT to demand photographic, video, or audio evidence to verify that the transactions behind issued CFDIs actually occurred. This goes well beyond traditional documentary proof such as contracts, delivery receipts, and bank statements. SAT auditors can request visual evidence of goods at a warehouse, video of services being performed, or audio recordings of business negotiations. The provision is aimed squarely at EFOS networks, where fictitious invoices describe transactions that never took place, but it applies broadly to any CFDI under review.

Fast-Track Verification for Suspected False CFDIs

Article 49 Bis CFF introduced an expedited audit process specifically designed for cases involving suspected false invoices. According to KPMG's analysis of Mexico's 2026 CFDI tax reform, this fast-track verification process must be completed within 24 business days, with taxpayers given just 5 business days to present supporting documentation to SAT. Compare that to standard audit timelines, which can stretch across months. The compressed schedule means companies need pre-organized compliance files that can be produced on short notice. Waiting until a verification request arrives to start gathering evidence is no longer viable.

Criminal Liability for Facilitators

Previous enforcement focused on the buyers and sellers of fictitious CFDIs. The 2026 reforms extend criminal sanctions to platforms and intermediaries that facilitate the sale of false invoices. Software providers, brokers, and any entity that enables EFOS transactions now face prosecution. This provision targets the infrastructure behind invoice fraud rather than just individual participants.

Extended Cancellation Deadlines

The reform also adjusts CFDI cancellation rules under specific circumstances, allowing cancellations beyond the original fiscal year constraint. While the general rule still requires cancellations within the same fiscal year the CFDI was issued, the new provisions create defined exceptions where late cancellations are permitted with proper justification and documentation.

Buzon Tributario as the Central Compliance Channel

These reforms make Buzon Tributario, SAT's mandatory electronic tax mailbox, even more critical to daily compliance operations. Audit notifications under the fast-track verification process, evidence requests under Article 29-A Bis, and cancellation approvals all flow through this system. Taxpayers must activate Buzon Tributario within two months of RFC registration and monitor it continuously. A missed notification in Buzon Tributario can trigger default judgments, and the 5-business-day response window for fast-track verifications starts when SAT deposits the request, not when the taxpayer reads it.

Part of a Continental Enforcement Trend

Mexico's tightening of e-invoicing enforcement does not exist in isolation. Across Latin America, tax authorities are expanding real-time validation, shortening audit response windows, and increasing penalties for non-compliance. Brazil's NF-e system continues to add mandatory fields and cross-referencing capabilities. Chile's SII has progressively automated its audit triggers, and the Chile electronic invoicing requirements guide shows how that control model centers the broader DTE framework rather than a PDF invoice alone. Argentina's Factura Electrónica system has moved toward stricter controls on invoice authorization and cancellation. Mexico's 2026 reforms follow the same trajectory: fewer gaps for fraudulent invoices to pass through, faster consequences when they do, and broader liability for everyone involved in the chain.