KYC Compliance for Fintech Companies in Colombia (SFC & SARLAFT)
In-depth guide to KYC and AML compliance for fintech companies in Colombia, covering SFC regulations, SARLAFT requirements, crowdfunding rules, and UIAF reporting obligations.
Overview of Fintech Regulation in Colombia
Colombia has emerged as one of Latin America's most dynamic fintech markets, supported by a regulatory framework that balances innovation with consumer protection and financial integrity. The Superintendencia Financiera de Colombia (SFC) serves as the primary regulator, overseeing banks, insurers, capital markets, and an expanding range of fintech activities.
Colombia's approach to fintech regulation has been pragmatic, leveraging existing financial regulation while introducing specific frameworks for new business models. Decree 1357 of 2018 created a dedicated regulatory space for crowdfunding platforms, and subsequent regulations have addressed electronic deposits, digital payments, and open finance initiatives.
The SFC's Role in Fintech Oversight
The SFC exercises comprehensive supervisory authority over entities that engage in financial activities in Colombia. For fintech companies, the SFC's oversight covers:
- Licensing and authorization: Fintech companies providing regulated financial services must obtain appropriate licenses or operate through licensed partners.
- Prudential requirements: Capital adequacy, risk management, and corporate governance standards.
- Consumer protection: Transparency, fair dealing, and complaint resolution mechanisms.
- AML/CFT compliance: Implementation and maintenance of the SARLAFT system.
The SFC conducts regular inspections and has enforcement authority including fines, operational restrictions, and license revocations for non-compliant entities.
SARLAFT: Colombia's AML/CFT Compliance System
The Sistema de Administracion del Riesgo de Lavado de Activos y de la Financiacion del Terrorismo (SARLAFT) is Colombia's mandatory AML/CFT risk management system. All entities supervised by the SFC must implement SARLAFT, which provides a comprehensive, risk-based framework for preventing money laundering and terrorism financing.
SARLAFT Components
SARLAFT requires regulated entities to establish:
- Policies: Board-approved AML/CFT policies that define the institution's risk appetite and compliance strategy.
- Procedures: Detailed operational procedures for customer identification, transaction monitoring, suspicious activity reporting, and record keeping.
- Documentation: Comprehensive documentation of all SARLAFT elements, including risk assessments and methodology.
- Organizational structure: A designated compliance officer with direct reporting to the board, supported by adequate staff and resources.
- Technology infrastructure: Systems capable of supporting customer screening, transaction monitoring, and regulatory reporting.
- Training programs: Regular training for all employees on AML/CFT obligations and red flag indicators.
- Internal audit: Independent review of SARLAFT effectiveness on a regular basis.
Risk-Based Customer Classification
Under SARLAFT, entities must classify customers into risk categories based on factors including:
- Customer type (individual vs. legal entity)
- Economic activity and industry sector
- Geographic location and jurisdictional risk
- Transaction volume and patterns
- Product and service risk profile
- PEP (Politically Exposed Person) status
Higher-risk customers require enhanced due diligence measures, including more extensive documentation, senior management approval, and increased monitoring frequency.
KYC Requirements for Colombian Fintechs
Standard CDD for Individuals
Colombian fintechs must collect and verify the following for individual customers:
- Cedula de Ciudadania: Colombia's national identification document for citizens, or Cedula de Extranjeria for foreign residents.
- Full legal name, plus date and place of birth.
- Address and contact information.
- Economic activity and source of income.
- Tax identification number (NIT) where applicable.
- Declaration of funds origin for account opening and significant transactions.
CDD for Legal Entities
For corporate customers, requirements include:
- Certificate of existence and legal representation from the Chamber of Commerce
- NIT (Numero de Identificacion Tributaria)
- Identification of beneficial owners holding 5% or more of capital
- Financial statements for the most recent fiscal year
- Board resolution authorizing the business relationship
Simplified KYC for Financial Inclusion
Colombia has recognized the importance of financial inclusion and permits simplified KYC for low-value products. Electronic deposits (depositos electronicos) and certain digital wallet products can be opened with reduced documentation requirements, subject to strict transaction and balance limits. This approach has been instrumental in expanding financial access to Colombia's unbanked population.
Joinble's AI-powered identity verification supports both standard and simplified KYC flows, enabling Colombian fintechs to onboard customers at any tier while maintaining full regulatory compliance. For foundational KYC concepts, visit our guide on what is KYC.
Decree 1357/2018: Crowdfunding Regulation
Decree 1357 of 2018 created a specific regulatory framework for collaborative financing (crowdfunding) in Colombia. Crowdfunding platforms must register with the SFC and comply with SARLAFT requirements, including:
- Full KYC on all investors and project creators
- Investment limits based on investor classification (qualified vs. non-qualified)
- Ongoing monitoring of funded projects
- Transparent disclosure of risks and fees
- Anti-fraud controls and conflict of interest management
Crowdfunding platforms are classified as a distinct category within the Colombian financial system and must demonstrate to the SFC that their compliance infrastructure meets SARLAFT standards before receiving authorization.
UIAF Reporting Obligations
The Unidad de Informacion y Analisis Financiero (UIAF) is Colombia's financial intelligence unit. All SARLAFT-obligated entities must report to the UIAF through established channels:
Suspicious Transaction Reports (ROS)
When a fintech identifies transactions or activities that raise suspicion of money laundering or terrorism financing, it must file a Reporte de Operaciones Sospechosas (ROS) with the UIAF. Key aspects:
- Reports must be filed immediately upon detection, regardless of transaction amount.
- The tipping-off prohibition prevents entities from informing customers about filed reports.
- Quality of reports is monitored by the UIAF, and entities may receive feedback on reporting standards.
Cash Transaction Reports
Transactions in cash exceeding defined thresholds must be reported to the UIAF through systematic reporting mechanisms.
Absence Reports
Entities must also file reports confirming the absence of suspicious activity during reporting periods when no suspicious transactions were detected.
Technology and Digital Verification
The SFC has progressively embraced digital identity verification methods, recognizing their importance for fintech competitiveness and financial inclusion. Key developments include:
- Biometric verification: The Colombian government's biometric database, managed by the Registraduria Nacional, can be leveraged for identity confirmation.
- Video identification: Remote onboarding through video calls with trained agents is permitted under certain conditions.
- AI-powered document verification: Automated systems that validate Colombian cedulas and other documents against security features are widely accepted.
Joinble's platform integrates these capabilities, offering Colombian fintechs a compliant digital onboarding solution that combines document verification, biometric matching, and real-time sanctions screening in a single workflow.
Penalties and Enforcement
The SFC has robust enforcement mechanisms for SARLAFT non-compliance:
- Administrative fines that can reach significant multiples of the minimum monthly wage
- Personal liability for compliance officers and directors who fail to implement adequate controls
- License revocation for systemic or repeated failures
- Criminal referrals to the Fiscalia General de la Nacion for suspected money laundering or terrorism financing facilitation
Frequently Asked Questions
What is SARLAFT and who must comply with it?
SARLAFT (Sistema de Administracion del Riesgo de Lavado de Activos y de la Financiacion del Terrorismo) is Colombia's mandatory AML/CFT risk management system. All entities supervised by the SFC, including fintech companies providing regulated financial services, must implement SARLAFT.
What documents do Colombian fintechs need to collect for KYC?
For individuals, the primary document is the Cedula de Ciudadania (or Cedula de Extranjeria for foreigners). Additional requirements include proof of address, economic activity declaration, source of funds, and tax identification where applicable.
Is simplified KYC available for fintech products in Colombia?
Yes. Colombia permits simplified KYC for low-value products such as electronic deposits and certain digital wallets. These accounts have strict transaction and balance limits but allow broader financial inclusion with reduced documentation requirements.
How do Colombian fintechs report suspicious transactions?
Suspicious transactions are reported to the UIAF through Reportes de Operaciones Sospechosas (ROS). Reports must be filed immediately upon detection, and the entity must not inform the customer about the report.
What are the requirements for crowdfunding platforms under Decree 1357/2018?
Crowdfunding platforms must register with the SFC, implement full SARLAFT compliance, perform KYC on all investors and project creators, enforce investment limits, and maintain transparent disclosure and anti-fraud controls.
Can Colombian fintechs use digital identity verification?
Yes. The SFC permits digital verification methods including biometric verification against national databases, AI-powered document validation, and video identification under certain conditions. Solutions like Joinble's AI-powered platform help fintechs implement these methods compliantly.