Mexico SAT demands permanent real-time access to platform transaction systems

Tax-code Article 30-B turns compliance reporting into standing API; government cyber-risk and mission creep arrive by design

Mexico’s new tax rules unsettle internet companies as government demands real‑time data access (english.elpais.com)

Mexico is about to discover a truth of the digital age: “tax compliance” is a highly reusable pretext in government.

According to El País, amendments to Mexico’s Federal Tax Code (Article 30-B) will require digital platforms—from e-commerce and ride-hailing to delivery and vacation rentals—to provide the Tax Administration Service (SAT) with “permanent, real-time online access” to information “necessary to verify compliance” starting April 1. SAT revenue-collection chief Gari Flores frames the change as a modernization of data already submitted monthly: transaction counts, product type and origin, whether foreign-trade taxes apply, and whether goods face tariff restrictions.

The novelty isn’t the dataset; it’s the interface. The state is not asking for periodic reports but for a standing pipe into private systems. That matters technically and institutionally.

Technically, “live access” implies: (1) a shared data model defining what constitutes a transaction, a seller, a shipment, a cross-border movement, and the linkage between them; (2) an authentication and authorization scheme (API keys, mutual TLS, OAuth-style delegated access, or some bespoke government identity system) that must be continuously available; (3) audit logging and retention rules—because any real-time feed becomes evidentiary material; and (4) operational requirements (uptime, rate limits, incident response) that turn platforms into quasi-critical infrastructure for SAT.
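One way a platform could bound such a standing interface, as an added example (not code from El País, SAT or any platform): a read-only facade that enforces a field allowlist, a rate limit and a hash-chained audit log. The class, field names and sample record are assumptions, and the caller is assumed to be authenticated upstream (for instance by mutual TLS).

```python
import hashlib, json, time

# Assumption: the regulator scope may read only the report items the article names.
ALLOWED_FIELDS = {"transaction_count", "product_type", "product_origin",
                  "foreign_trade_tax_applies", "tariff_restricted"}

# Constructed sample record; buyer_email stands for data outside the mandate.
SAMPLE_RECORDS = {"seller-001": {
    "transaction_count": 42, "product_type": "electronics", "product_origin": "CN",
    "foreign_trade_tax_applies": True, "tariff_restricted": False,
    "buyer_email": "buyer@example.com"}}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ComplianceGateway:
    """Hypothetical read-only facade in front of platform records."""
    def __init__(self, records, max_calls=2, window_seconds=60):
        self.records, self.max_calls, self.window = records, max_calls, window_seconds
        self.calls, self.audit, self.prev = [], [], "0" * 64

    def _log(self, entry):
        # Each entry commits to the previous hash, so edits or deletions break the chain.
        entry["prev"] = self.prev
        self.prev = _digest(entry)
        self.audit.append({**entry, "hash": self.prev})

    def query(self, client_id, seller_id, fields, now=None):
        now = time.time() if now is None else now
        self.calls = [t for t in self.calls if now - t < self.window]
        if set(fields) - ALLOWED_FIELDS:
            outcome = "denied_fields"
        elif len(self.calls) >= self.max_calls:
            outcome = "rate_limited"
        else:
            outcome = "ok" if seller_id in self.records else "not_found"
        # Refused requests are logged as well as served ones.
        self._log({"ts": now, "client": client_id, "seller": seller_id,
                   "fields": sorted(fields), "outcome": outcome})
        if outcome != "ok":
            return outcome, None
        self.calls.append(now)
        return outcome, {f: self.records[seller_id][f] for f in fields}

def verify_chain(audit):
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Because every entry hashes its predecessor, `verify_chain` fails if any logged request is altered or dropped after the fact, which is the property an evidentiary feed needs.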

Once that permanent connection exists, it becomes a single point of failure and a tempting pivot point. Industry group Internet MX told El País that real-time integration with high-traffic platforms creates “weak points and back doors” that criminals can exploit—an anxiety sharpened by reports of a large hack in late January affecting multiple Mexican agencies, including SAT and the social security institute (IMSS). When government systems leak, the downstream market is not “identity theft,” it’s organized crime’s customer relationship management: fraud, extortion, and targeted coercion.

Flores insists implementation will meet “the highest” international cybersecurity standards and that no connection will go live until those standards are satisfied. A press release can’t substitute for architecture.

The deeper issue is path dependence. A real-time compliance API is not a one-off request; it is a permanent surveillance primitive. Today it is framed as anti-evasion and anti-smuggling. Tomorrow it can be repurposed—quietly—for selective enforcement, capital controls (monitoring and throttling cross-border commerce), or pressure campaigns against disfavored sellers, creators, or platforms. The state does not need to “ban” speech or commerce when it can slow it, audit it, or make it legally radioactive.

Europe and the US have already done this: build a data tap for one mission, then expand the mission. Mexico is simply skipping the pretense of gradualism and going straight to the plumbing.