Global FinTech Guide
KYC requirements
The know your customer or know your client (KYC) guidelines and regulations for financial services require that professionals try to verify the identity, suitability, and risks involved with maintaining a business relationship.

Legal affairs

National regulatory framework regarding AML and effective date of the regulations

  • 2000. Law 599: Penal Code, new financial crimes. 
  • 2003. Law 795: Some norms of the Organic Statute of the Financial System are adjusted, and other provisions are enacted.
  • 2008. External Circular 026 - SARLAFT, ALA/CFT systems applicable to those supervised by the Financial Superintendency of Colombia.
  • 2012. Law 1508: Regime for public-private partnerships: "identification of the beneficial owner of the contract and the origin of the resources to prevent money laundering activities."
  • 2013. CONPES 3793: National public policy on anti-money laundering and against the financing of terrorism.
  • 2017. EXTERNAL CIRCULAR 04: the Superintendence of the Solidarity Economy issued instructions for the management of the risk of money laundering and financing of terrorism SARLAFT in the supervised solidarity organisations and set deadlines for its implementation.
  • External Circular 004/Jun 2018, by which general instructions are issued regarding the code of conduct and good organisational governance, the integrated risk management system, and its risk management subsystems.
  • 2020. External Circular 027: the Superintendence of Finance of Colombia issued instructions regarding the management of the risk of money laundering and terrorist financing, SARLAFT 4.0.

National regulator or relevant authority for AML controls

The Financial Information and Analysis Unit (Unidad de Información y Análisis Financiero – UIAF), which works with the help of other public authorities, such as the Attorney General's Office and the National Police.

Customer Due Diligence

Conduct of a typical KYC identification process

As mentioned in the previous section, in Colombia the different control entities have adopted the international recommendations for the mitigation of LAFT (ML/TF). The instructions of the Financial Superintendence and the Superintendence of Companies are detailed below.

Chapter 4 of title 4 of part 1 of the Basic Legal Circular of the Financial Superintendence (in charge of supervising banks and financial institutions in Colombia) establishes the "Instructions related to the administration of the risk of money laundering and the financing of terrorism" (SAGRILAFT). It is the administration system that entities supervised by the Financial Superintendence must comply with to manage the risk of Money Laundering/Terrorism Financing (ML/TF), and it encompasses the need to create a KYC system. This management is implemented through two (2) stages. The first is made up of the four (4) phases that the supervised institutions must comply with (identification, evaluation, control, and monitoring), and the second comprises the components that, in an organised manner, implement proper ML/TF risk management.

Within the second stage is what is considered an essential mechanism for risk management: knowledge of the client. In this context, the SAGRILAFT must have procedures that allow effective, efficient, and timely knowledge of current and potential clients. In general terms, the essential data for knowing the client in a permanent and updated manner are:

  • ID.
  • Economic activity.
  • Characteristics, amounts and origin of your income and expenses.
  • Regarding current clients, the characteristics and amounts of their transactions and operations.
  • To initiate a contractual or legal relationship with the potential client, the entities supervised by the Financial Superintendence must have filled out a form that contains the 25 data that appear in numeral, among which are: the name, identification number, place and date of birth, main economic activity, type of company, declaration of origin of goods, monthly income and expenses, total assets and liabilities, among others. The entities must also have carried out an interview, attached the required supporting documents and approved the client's relationship.
An important aspect of KYC is the three (3) methodologies for knowing the client: i) collecting information that allows the characteristics of the client's transactions to be compared with those of its economic activity, ii) continuously monitoring the client's operations, and iii) having elements of judgment that allow the unusual transactions of these clients to be analysed and the existence of suspicious operations to be determined.

Superintendency of Companies
The Superintendence of Companies published Circular 100-00005/2014, which establishes the obligation to implement a self-control and risk management system for money laundering and financing of terrorism. It applies to companies that meet the following requirements: i) be supervised by the Superintendency and ii) register gross income equal to or greater than 160,000 monthly minimum wages in force as of 31 December 2013. Supervised companies that do not meet the second requirement can also take the provisions of this standard as recommendations.

The companies must carry out a series of measures to fulfil the main objective – to minimise the possibility of money laundering and financing of terrorism through the supervised companies. One (1) of these measures is KYC or know-your-customer due diligence. The following is presented as an example: knowing by any legal means the origin of the resources, verifying the identity of the client, their address and telephone number, and in the case of legal persons, the certificate of existence and legal representation. This information must be clearly documented.

Within the two (2) previous regulations there are know-your-customer provisions for PEPs – politically exposed persons. For these people, more demanding linking and monitoring procedures are required since their profile exposes the entity to a greater risk of ML/TF. PEPs may abuse the trust of entities and exert influence so as not to be controlled, leading for example to laundering large sums of money. In addition, many times the PEPs, when they are public directives, run the risk of being exposed

Possibility to meet customer due diligence requirements by relying on third parties who are obliged by law themselves to comply with AML regulations

Yes. Companies required to comply with SAGRILAFT must have a person responsible for auditing and verifying their compliance, for which they must appoint a Compliance Officer, who may be external to the Company and may work for a company. 

The Compliance Officer, within the framework of SAGRILAFT, has, among others, the following functions:

  • Ensure effective, efficient, and timely compliance with SAGRILAFT.
  • Present, at least once a year, reports to the Board of Directors, which must contain: i) Evaluation and analysis of the efficiency and effectiveness of SAGRILAFT; ii) Proposal of the respective improvements; and iii) Results of the Compliance Officer's management, and of the Company's administration in compliance with SAGRILAFT.
  • Coordinate the development of internal training programs.
  • Certify before the Superintendence of Companies compliance with the stages, elements, and other provisions before SAGRILAFT, as required by the Superintendency of Companies.

Possibility to outsource customer due diligence by contract to other third parties who are not obliged by law to meet AML regulations and rely on these (e.g., WebID, IDnow, PostIdent)

It is legally permitted to outsource customer due diligence. However, it needs to be a person appointed as compliance officer. Accordingly, platforms such as WebID, IDnow and PostIdent are allowed to be used, but they must be verified by the compliance officer.

Presence of a license or registration requirement for the third party in case of outsourcing customer due diligence

There are no specific licenses to be appointed as a compliance officer. However, the appointment must be filed with the Superintendency of Companies. The compliance officer must meet the following criteria in order to be appointed:

  • Have the capacity to make decisions to manage ML/TF Risk and have direct communication with, and report directly to, the board of directors or the highest corporate body in the event that there is no board of directors.
  • Have sufficient knowledge in terms of risk management and understand the ordinary course of business of the Company. This implies having a professional title and accrediting a minimum of six (6) months of experience in the performance of positions related to the administration of SAGRILAFT and, additionally, accrediting knowledge in terms of ML/TF Risk management through specialisation, courses, diplomas, seminars, congresses or any other similar means.
  • Have the support of a human and technical work team, according to the ML/TF Risk and the size of the Obliged Company.
  • Not belong to the administration or to the corporate bodies, or internal or external audit or control (tax auditor or linked to the tax auditing company that performs this function, if applicable) or who performs similar functions or acts in their stead in the Obligated Company.
  • Not act as Compliance Officer in more than 10 Obligated Companies. To act as Compliance Officer of more than one (1) Obliged Company, (i) the Compliance Officer must certify; and (ii) the body that appoints the Compliance Officer must verify that the Compliance Officer does not act as such in Companies that compete with each other.
  • When the Compliance Officer is not professionally linked to the Obliged Company, this natural person, and the legal person to which he is linked, if applicable, must demonstrate that in their professional activities they comply with the minimum measures established in section 5.3.1 (Due Diligence) of this Chapter X of the Basic Financial Circular.
  • When there is a business group or a declared control situation, the Compliance Officer of the parent or controlling company may be the same person for all the Companies that make up the group or conglomerate, regardless of the number of Companies that comprise it.

Further questions

Entities that could be relied on specifically by law as a third party to comply with AML regulations (regardless of outsourcing)

Yes credit institutions
Yes financial institutions
Yes auditors, external accountants, and tax advisors
Yes notaries and other independent legal professionals
Yes other trust or company service providers
Yes estate agents
Yes other persons trading high-value goods
Yes providers of gambling services
Yes real estate
Yes mining and quarrying sector
Yes trade sector of vehicles, their parts, and accessories
Yes building construction sector
Yes the other companies subject to the permanent surveillance or control exercised by the Superintendency of Companies, even when they do not belong to any of the previously mentioned sectors, provided that as of December 31 of the immediately preceding year, they had obtained total income equal to or greater than 160,000 monthly minimum wages (approximately USD $ 40.000.000).




© 2022, Parra Rodríguez Abogados S.A.S. All rights reserved by Parra Rodríguez Abogados S.A.S. as author and the owner of the copyright in this chapter. Parra Rodríguez Abogados S.A.S. has granted to Multilaw non-exclusive worldwide license to use and include this chapter in this guide and to sublicense Lexis Nexis, a division of RELX Inc. and its affiliates certain rights to use and distribute this guide.

The information in this guide provides a general overview at the time of publication and is not intended to be a comprehensive review of all legal developments nor should it be taken as opinion or legal advice on the matters covered. It is for general information purposes only and readers should take legal advice from a Multilaw member firm.

