Your Company Owns Those Lines. Do You Know Who Is Using Them? | ChessMap
Your Company Owns Those Lines. Do You Know Who Is Using Them?
How the new CRT regulatory framework turns corporate mobile phone management into a matter of legal liability.
On December 9, 2025, Mexico's Federal Official Gazette published an agreement issued by the Telecommunications Regulatory Commission (CRT) requiring all mobile phone lines to be registered and linked to their account holder and, where applicable, to their end user. On paper, it looks like a routine administrative filing. In practice, it touches something few companies have properly addressed: who is responsible if a corporate mobile line is used improperly?
The answer, until you can prove otherwise, is your company.
The Regulation Distinguishes Between Account Holder and End User
The guidelines establish a distinction that is critical to understanding the full scope of the risk. The account holder is the party that contracts and registers the line; in a corporate setting, that is the legal entity, identified by its corporate name and tax identification number (RFC). The end user is the person who actually uses the line on a day-to-day basis, and need not be the same as the account holder.
The regulation allows each line to be linked to a single end user, which creates an important opportunity: formally registering the employee assigned to each device. However, there is a point that few companies have noticed: if that end user requests to be deregistered, the line is not canceled. It remains active. It remains in your company's name. And if an incident occurs afterward, your company is still the first point of reference.
In other words, the regulation does not automatically close the risk. It simply makes it visible.
The Problem Is Not Registration. It Is the Lack of Internal Controls.
Most companies assign corporate mobile phones with little formality: a device, a number, an employee. No written delivery record, no usage policy, no offboarding procedure. While everything runs smoothly, this does not seem like a problem.
The problem arises when an employee uses the phone for something they should not, or when they leave the company and the line remains active without anyone recording the change, or when a dispute emerges and the company has no way to demonstrate that it acted with due diligence.
At that point, the ability to distance the company from liability does not depend on the CRT regulation. It depends on what the company can substantiate with its own internal records.
Four Measures That Actually Make a Difference
These are not extraordinary measures. They are basic processes that, when properly documented, can make all the difference if you ever need to establish that your company is not liable:
- Assignment and acceptable use policy. Set out in writing who is eligible to hold a corporate line, the authorized purposes for its use, and the consequences of misuse.
- Device and line handover record. Every time a line is assigned or returned, document it — line number, device, date, and employee name — signed by both parties.
- User registration and deregistration procedure. Link this process to your employee onboarding and offboarding workflows. When someone leaves the company, the line must be deactivated or reassigned immediately.
- Coordination with your mobile carrier. Ask your carrier how it will implement the registration and deregistration mechanisms for corporate account holders. Not all carriers will handle this the same way.
A Regulatory Obligation — and an Opportunity for Internal Order
The publication of these guidelines is, above all, a reminder that the management of communication assets carries real legal consequences. This is not about generating paperwork. It is about having evidence that your company acted responsibly.
Companies that already have well-defined processes in place will need to make few adjustments. Those that do not have a concrete reason to start now.
Does your company have these processes documented?
At ChessMap, we help companies review their regulatory compliance and build the internal processes they need to operate with confidence. If you would like to explore where your company stands on this issue, we would be happy to schedule a conversation.
This publication has been prepared exclusively by Manuel Giménez Martínez, who bears sole responsibility for its content. ChessMap acts solely as a dissemination platform and assumes no responsibility for the opinions, interpretations, or information contained herein. This material is intended for general informational and opinion purposes only; it does not constitute legal advice, an institutional opinion, a legal opinion, or a legal expert report, nor does it create an attorney-client relationship. For any specific matter, professional personalized legal advice is recommended.
Escribe un comentario