Section Home

Home	Hidden
Home	2

Name

Global FinTech Guide

Country _ Name

Colombia

SectionTitle

KYC requirements

Body

The know your customer or know your client (KYC) guidelines and regulations for financial services require that professionals try to verify the identity, suitability, and risks involved with maintaining a business relationship.

Legal affairs

National regulatory framework regarding AML and effective date of the regulations

2000. Law 599: Criminal Code, new financial crimes.
2003. Law 795: some norms of the Organic Statute of the Financial System are adjusted, and other provisions are enacted.
2008. External Circular 026: SARLAFT, ALA/CFT systems applicable to those supervised by the Superintendency of Finance.
2012. Law 1508: regime for public-private partnerships’ identification of the beneficial owner of the contract and the origin of the resources to prevent money laundering activities.
2013. CONPES 3793: national public policy on anti-money laundering and against the financing of terrorism.
2017. External Circular 04: the Superintendency of Solidary Economy issued instructions for the management of the risk of money laundering and financing of terrorism SARLAFT in the supervised solidarity organisations and set deadlines for its implementation.
2018. External Circular 004 of June 2018: the Superintendency of Finance issued regulations regarding the code of conduct and good organisational governance, the integrated risk management system, and its risk management subsystems.
2020. External Circular 027: the Superintendency of Finance issued instructions regarding the management of the risk of money laundering and terrorist financing, SARLAFT 4.0.
2022. External Circular 11: Superintendency of finance issued instructions in order to embrace the FATF recommendations, defines ultimate beneficiary owner, adopts special provisions for customer due diligence in insurance, among others

National regulator or relevant authority for AML controls

The Financial Information and Analysis Unit (Unidad de Información y Análisis Financiero – UIAF), which works with the help of other public authorities, such as the Attorney General's Office, the National Police.

Customer Due Diligence

Conduct of a typical KYC identification process

As mentioned in the previous section, in Colombia the different control entities have adopted the international recommendations for the mitigation of LAFT. The instructions of the Financial Superintendence and the Superintendence of Companies will be detailed below.

Chapter 4, title 4, part 1 of the Basic Legal Circular of the Superintendency of Finance (in charge of supervising banks and financial institutions in Colombia), sets out the instructions related to the administration of money laundering risk and the financing of terrorism – SARLAFT.

This regulation outlines the administration system that entities supervised by the Superintendency of Finance must implement with to manage the risk of Money Laundering/Terrorism Financing (ML/TF). In addition, this regulation requires supervised entities to create a KYC system. This management process consists of two (2) stages. The first stage comprises four (4) phases that supervised institutions must comply with (identification, evaluation, control, and monitoring), while the second stage involves organized implementation of components for effective ML/TF risk management.

KYC is part of the second stage. In this context, the SARLAFT must establish procedures that allow effective, efficient, and timely knowledge of current and potential clients. In general terms, the essential data required for comprehensive and updated client knowledge include:

ID.
Economic activity.
Characteristics, amounts and origin of their income and expenses.
Regarding current clients, the characteristics and amounts of their transactions and operations.

To initiate a contractual or legal relationship with the potential client, the entities supervised by the Superintendency of Finance must have filled out a form that contains the information listed in section 4.2.2.2.1.3 of the Basic Legal Circular of the Superintendency of Finance, which includes: name, number of identification, place and date of birth, main economic activity, type of company, declaration of origin of assets, monthly income and expenses, total assets and liabilities, among others. The entities must also have carried out an interview, attached the required supports and approved the client's relationship.

KYC involves three (3) methodologies to collect client information: i) collecting data enabling comparison of transaction characteristics with the client’s economic activity, ii) continuously monitoring client operations, and iii) employing criteria to analyze unusual transactions and identify potential suspicious activities.

In Colombia there are different regulations that oblige companies in different sectors to implement a system to prevent and manage this type of risk: SARLAFT and SAGRILAFT are among the most important systems.

SARLAFT (System for the Administration of the Risk of Money Laundering and Terrorism Financing):

Application: Entities supervised by Colombian Superintendency of Finance.
Objective: To prevent and manage risks of money laundering and terrorism financing.
Key Elements: Identification, measurement, control, and monitoring of money laundering and terrorism financing risks.
Responsible Authority: Colombian Superintendency of Finance.
Approach: Specifies stages and elements for implementation, adaptable to each organization's context.

SAGRILAFT (System for the Self-control of Integral Risk Management of Money Laundering, Terrorism Financing, and Financing of the Proliferation of Weapons of Mass Destruction):

Application: Entities supervised by the Colombian Superintendency of Companies.
Objective: To prevent and manage risks of money laundering, terrorism financing, and proliferation of weapons.
Key Elements: Design and approval, audit and compliance, disclosure and training, assignment of responsibilities.

Responsible Authority: Superintendency of Companies.
Approach: Emphasizes counterpart due diligence and reporting of suspicious transactions.

In summary, SARLAFT focuses on financial institutions supervised by the Financial Superintendence to prevent and manage money laundering and terrorism financing risks, while SAGRILAFT, under the Superintendence of Companies, extends to entities in the real sector, emphasizing due diligence and reporting mechanisms for a broader scope of risks.

Superintendency of Companies

The Superintendency of Companies issued External Circular No. 100-000016 2020, updating regulations on AML/CFT risk prevention for supervised companies. The changes aim to enhance risk management by adopting a more rigorous approach and aligning with international standards. SAGRILAFT, introduces updated definitions and categories to cover a wider range of sectors and threats, including virtual assets and financing of weapons proliferation. It also emphasizes the importance of due diligence and introduces enhanced measures for high-risk counterparts. Overall, the circular aims to strengthen risk prevention efforts and ensure compliance with AML/CFT regulations.

PEPs

Within the two (2) previous regulations there are know-your-customer provisions for PEPs (politically exposed persons). These individuals require more rigorous monitoring procedures since their profile exposes the entity to a greater risk of ML/TF. PEPs may abuse the trust of entities and exert influence so as not to be controlled, leading for example to laundering large sums of money. In addition, public officials who are PEPs are often at risk of exposure

Possibility to meet customer due diligence requirements by relying on third parties who are obliged by law themselves to comply with AML regulations

Yes. Companies required to comply with SAGRILAFT must appoint a Compliance Officer responsible for auditing and ensuring compliance with regulatory requirements. The Compliance Officer may be internal to the company or may also be an external consultant working for a separate firm.

Functions

The Compliance Officer, within the framework of SAGRILAFT, has, among others, the following functions:

Ensure effective, efficient, and timely compliance with SAGRILAFT.
Submit, at least once a year, reports to the Board of Directors, which must contain: i) Evaluation and analysis of the efficiency and effectiveness of SAGRILAFT; ii) Proposal of the respective improvements; and iii) Results of the Compliance Officer's management, and of the Company's administration in compliance with SAGRILAFT.
Coordinate the development of internal training programs.
Certify before the Superintendency of Companies compliance with the stages, elements, and other provisions of SAGRILAFT, as required by the Superintendency of Companies.
Design the methodologies for classification, identification, measurement, and control of ML/TF/FPADM Risk that will form part of SAGRILAFT.

Possibility to outsource customer due diligence by contract to other third parties who are not obliged by law to meet AML regulations and rely on these (e.g., WebID, IDnow, PostIdent)

It is legally permitted to outsource customer due diligence. Being this so, platforms such as WebID, IDnow and PostIdent may be used, yet they must be verified by the company’s compliance officer.

Presence of a license or registration requirement for the third party in case of outsourcing customer due diligence

There are no specific licenses to be appointed as a compliance officer. Yet, the appointment must be reported to the Superintendency of Companies. The compliance officer must meet the following criteria in order to be appointed:

Have the capacity to make decisions to manage ML/TF Risk and have direct communication with, and report directly to, the board of directors or the highest corporate body in the event that there is no board of directors.
Have sufficient knowledge in terms of risk management and understand the ordinary course of business of the Company. This implies having a professional title and accrediting a minimum of six (6) months of experience in the performance of positions related to the administration of SAGRILAFT and, additionally, accrediting knowledge in terms of ML/TF Risk management through specialization, courses, diplomas, seminars, congresses or any other similar.
Have the support of a human and technical work team, according to the ML/TF Risk and the size of the Obliged Company.
Independence from the administration or to the corporate bodies, or internal or external audit or control (tax auditor or linked to the tax auditing company that performs this function, if applicable).
Limitation of acting as compliance officer for more than 10 companies. To act as compliance officer of more than one (1) obliged company, the compliance officer must certify, and the body that appoints the compliance officer must verify that the compliance officer does not act as such in companies that compete with each other.
When the Compliance Officer is not internally linked to the obliged company, both the individual and the legal entity to which this individual is affiliated, if applicable, must demonstrate that in their professional activities they comply with the minimum measures established in the Basic Financial Circular.
In cases of a business group or declared control situation, the compliance officer of the parent or controlling company may serve as the compliance officer for all companies within the group or conglomerate, regardless of the number of companies involved

Further questions

Entities that could be relied on specifically by law as a third party to comply with AML regulations (regardless of outsourcing)

Yes	credit institutions
Yes	financial institutions
Yes	auditors, external accountants, and tax advisors
Yes	notaries and other independent legal professionals
Yes	other trust or company service providers
Yes	estate agents
Yes	other persons trading high-value goods
Yes	providers of gambling services
Yes	real estate
Yes	mining and quarrying sector
Yes	trade sector of vehicles, its parts, part, and accessories
Yes	building construction sector
Yes	the other companies subject to the permanent surveillance or control exercised by the superintendency of companies, even when they do not belong to any of the previously mentioned sectors, provided that as of December 31 of the immediately preceding year, they had obtained total income equal to or greater than to 160,000 monthly minimum wages (approximately USD $ 40.000.000).

BackToCountry	Hidden	Hidden
Back to country	Colombia	2

Switch country

Global overview

Authors

Name	Organisation	Email	Hidden
Álvaro Parra Gómez	Parra Rodríguez Abogados S.A.S.	[email protected]	2128
Bernardo Rodríguez Ossa	Parra Rodríguez Abogados S.A.S.	[email protected]	2128
César Barajas Ruiz	Parra Rodríguez Abogados S.A.S.	[email protected]	2128
Elisa Muskus Escamilla	Parra Rodríguez Abogados S.A.S.	[email protected]	2128
Federico García Gutiérrez	Parra Rodríguez Abogados S.A.S.	[email protected]	2128
Daniel Abril Parra	Parra Rodríguez Abogados S.A.S.	[email protected]	2128

Choose country

	Hidden	Hidden
Albania	167	2
Argentina	512	2
Australia	182	2
Austria	677	2
Bolivia	1012	2
Bosnia and Herzegovina	197	2
Bulgaria	980	2
Canada	152	2
Chile	242	2
China	257	2
Colombia	272	2
Costa Rica	287	2
Croatia	302	2
Czech Republic	812	2
Dominican Republic	824	2
Finland	921	2
France	722	2
Germany	137	2
Hong Kong	737	2
Hungary	347	2
Ireland	692	2
Italy	332	2
Japan	850	2
Kenya	998	2
Korea, Republic of	362	2
Malaysia	662	2
Mexico	632	2
Montenegro	377	2
New Zealand	392	2
Nigeria	904	2
North Macedonia	437	2
Peru	422	2
Philippines	407	2
Poland	482	2
Portugal	497	2
Romania	797	2
Russia	912	2
Saudi Arabia	881	2
Serbia	467	2
Singapore	945	2
Slovenia	527	2
Spain	542	2
Switzerland	707	2
Thailand	557	2
Turkey	752	2
United Kingdom	782	2
United Rep of Tanzania	767	2
United States	587	2
Vietnam	962	2