KYC requirements
The know your customer or know your client (KYC) guidelines and regulations for financial services require that professionals try to verify the identity, suitability, and risks involved with maintaining a business relationship.

Legal affairs

National regulatory framework regarding AML and effective date of the regulations

  • 2000. Law 599: Penal Code, new financial crimes. 
  • 2003. Law 795: Some norms of the Organic Statute of the Financial System are adjusted, and other provisions are enacted.
  • 2008. External Circular 026 - SARLAFT, ALA/CFT systems applicable to those supervised by the Financial Superintendency of Colombia.
  • 2012. Law 1508: Regime for public-private partnerships, "identification of the beneficial owner of the contract and the origin of the resources to prevent money laundering activities."
  • 2013. CONPES 3793: National public policy on anti-money laundering and against the financing of terrorism.
  • 2017. External Circular 04: the Superintendence of the Solidarity Economy issued instructions for the management of the risk of money laundering and financing of terrorism (SARLAFT) in the supervised solidarity organisations and set deadlines for its implementation.
  • External Circular 004/Jun 2018, by which general instructions are issued regarding the code of conduct and good organisational governance, the integrated risk management system, and its risk management subsystems.
  • 2020. External Circular 027: the Superintendence of Finance of Colombia issued instructions regarding the management of the risk of money laundering and terrorist financing, SARLAFT 4.0.

National regulator or relevant authority for AML controls

The Financial Information and Analysis Unit (Unidad de Información y Análisis Financiero – UIAF), which works with the help of other public authorities, such as the Attorney General's Office and the National Police.

Customer Due Diligence

Conduct of a typical KYC identification process

As mentioned in the previous section, in Colombia the different control entities have adopted the international recommendations for the mitigation of LAFT. The instructions of the Financial Superintendence and the Superintendence of Companies will be detailed below. 

Chapter 4 of title 4 of part 1 of the Basic Legal Circular of the Financial Superintendence (in charge of supervising banks and financial institutions in Colombia) establishes the "Instructions related to the administration of the risk of money laundering and the financing of terrorism – SAGRILAFT". It is the administration system that entities supervised by the Financial Superintendence must comply with to manage the risk of Money Laundering/Terrorism Financing (ML/TF), and it encompasses the need to create a KYC system. This management is implemented through two (2) stages. The first is made up of the four (4) phases that the supervised institutions must comply with (identification, evaluation, control, and monitoring), and the second consists of the components that, in an organised manner, implement proper ML/TF risk management.

Within the second stage is what is considered an essential mechanism for risk management: knowledge of the client. In this context, the SAGRILAFT must have procedures that allow effective, efficient, and timely knowledge of current and potential clients. In general terms, the essential data for knowing the client in a permanent and updated manner are:

  • ID.
  • Economic activity.
  • Characteristics, amounts and origin of your income and expenses.
  • Regarding current clients, the characteristics and amounts of their transactions and operations.
  • To initiate a contractual
perintendence of Companies compliance with the stages, elements, and other provisions before SAGRILAFT, as required by the Superintendency of Companies.

Possibility to outsource customer due diligence by contract to other third parties who are not obliged by law to meet AML regulations and rely on these (e.g., WebID, IDnow, PostIdent)

It is legally permitted to outsource customer due diligence. However, there needs to be a person appointed as compliance officer. This being so, platforms such as WebID, IDnow and PostIdent are allowed to be used, but they must be verified by the compliance officer.

Presence of a license or registration requirement for the third party in case of outsourcing customer due diligence

There are no specific licenses required to be appointed as a compliance officer. However, the appointment must be filed with the Superintendency of Companies. The compliance officer must meet the following criteria in order to be appointed:

  • Have the capacity to make decisions to manage ML/TF Risk and have direct communication with, and report directly to, the board of directors or the highest corporate body in the event that there is no board of directors.
  • Have sufficient knowledge in terms of risk management and understand the ordinary course of business of the Company. This implies having a professional title and accrediting a minimum of six (6) months of experience in the performance of positions related to the administration of SAGRILAFT and, additionally, accrediting knowledge in terms of ML/TF Risk management through specialisation, courses, diplomas, seminars, congresses or any similar means.
  • Have the support of a human and technical work team, according to the ML/TF Risk and the size of the Obliged Company.
  • Not belong to the administration or to the corporate bodies, or to internal or external audit or control (tax auditor or linked to the tax auditing company that performs this function, if applicable), nor perform similar functions or act in their stead in the Obliged Company.
  • Not act as Compliance Officer in more than 10 Obliged Companies. To act as Compliance Officer of more than one (1) Obliged Company, (i) the Compliance Officer must certify; and (ii) the body that appoints the Compliance Officer must verify that the Compliance Officer does not act as such in Companies that compete with each other.
  • When the Compliance Officer is not professionally linked to the Obliged Company, this natural person, and the legal person to which he is linked, if applicable, must demonstrate that in their professional activities they comply with the minimum measures established in section 5.3.1 (Due Diligence) of this Chapter X of the Basic Financial Circular.
  • When there is a business group or a declared control situation, the Compliance Officer of the parent or controlling company may be the same person for all the Companies that make up the group or conglomerate, regardless of the number of Companies that comprise it.

Further questions

Entities that could be relied on specifically by law as a third party to comply with AML regulations (regardless of outsourcing)

  • Credit institutions: Yes
  • Financial institutions: Yes
  • Auditors, external accountants, and tax advisors: Yes
  • Notaries and other independent legal professionals: Yes
  • Other trust or company service providers: Yes
  • Estate agents: Yes


