KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

identificationtax paymentyearly income

KYC to onboard international persons

identificationtax paymentyearly income

corporate requirements

chamber of commerce registrationcompany namedate of incorporation.addressTelephone numbertax identification numberby-lawsmain activityrevenue volumeshareholders&ultimate beneficial owners

National ID card name

Cédula de Ciudadanía

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Law on Legal and Evidential Validity of Data Messages (1999); Law of personal data protection and electronic commerce

E-sig law files

What year did the relevant AML laws and regulations become effective?

1996

Further details on AML regime

1996. Financial institutions had to comply with the Integral System for the Prevention of Asset Laundering (“SIPLA”) regulation by reporting financial transactions over defined limits. In 2008, the Superintendent of Finance of Colombia issued External Circular No. 022 2007, regarding the implementation of the System for Preventing Asset Laundering and Terrorism Financing (“SARLAFT”) with a risk based approach. The 2009 regulation incorporates some new reporting standards that must be adhered to when reporting to the Regulator. Currently Circular Basica Juridica 029 de 2014 in its Titulo IV Capitulo IV regulates (“SARLAFT”). In 2014, the Superintendent of Corporations of Colombia issued External Circular No. 100-00005, regarding the implementation of the System for Preventing Assets Laundering and Terrorism Financing and was changed for the External Circular No. 100-00003 in Jun 2015.

Who is the regulator for AML controls for Banking

Normativa/NormativaGeneral/CircularBasicaJuridica(C.E029/14)/ParteI/TituloIV/CapituloIV

Link to site

https://www.superfinanciera.gov.co

Other financial Services

Normativa/NormativaGeneral/CircularBasicaJuridica(C.E029/14)/ParteI/TituloIV/CapituloIV

Website of Regulator

https://www.superfinanciera.gov.co

Financial Sector regulator

http://www.supersociedades.gov.co

Practical Guidance for AML

The regulation provides specific details of how the SARLAFT should be considered by financial institutions. Although the segmentation methodologies and activities related to risk management and transactional monitoring should be designed by each individual entity. For entities of the real sector there is a guide created by the United Nations Office on Drugs and Crime (“UNODC”),the British Embassy and the chamber of commerce of Bogotá “El Modelo de Gestion del Riesgo de LA/FT en el sector real”.

Practical guidance PDF's

index.jsf

Is there a requirement to verify the identity of customers retroactively?

Yes

Retroactive details

Yes, new regulation establishes the parameters for KYC procedures which incorporate the requirement to update a customer’s information.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

No. Colombia is a member of the Financial Action Task Force on Money Laundering in South America (“GAFISUD”).

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Yes, there are various thresholds depending on the type of transaction, including no customer due diligence for the transfer of electronic funds or foreign currency exchange transactions less than USD5,000, and if a signed signature card for an account with the institution also exists for such transactions over USD5,000. No due diligence is required for cash transactions of less than USD5,000 (other than when two or more transactions totalling more than USD5,000 are believed to be linked).

What are the requirements for customer identification information for individuals

Individuals: The regulator has defined the basic form each customer should complete. The requirements surrounding independent verification or authentication vary according to each customer. Individuals should provide identification, tax payment copy or yearly income certificate and other relevant financial information.

Details to be Collected on Corporates

Legal entities: The regulator has defined the basic form that legal entities should complete. Legal entities should provide Chamber of Commerce registration, details of partners with shares greater than 5%, an antitax payments certificate and other relevant financial information.Legal entities: a) company name; b) date of incorporation; c) address and telephone number; d) tax identification number; e) bylaws and other information; f) main activity; g) revenue volume; and h) shareholders and ultimate beneficial owners;

What are the high level requirements around beneficial ownership (identification and verification)?

Customers should be able to demonstrate the source of income and ownership by way of a copy of a tax payment or income certificate. Entities should monitor changes in income or properties of their clients,

What circumstances are enhanced customer due diligence measures required?

Enhanced due diligence is required for PEPs. In Colombia, this includes not only politically related people but also publicly recognised people. This also includes due diligence of deposit accounts which will be used by political parties and during political campaigns.

How should FI's deal with Politically exposed persons

There are regulatory requirements in relation to PEPs. In Colombia, a PEP is defined as a publicly relevant person (not only politicians). Each time a PEP is identified, additional due diligence has to be performed, especially when the client manages public resources.

What enhanced due diligence must be performed for correspondent banking relationships?

For correspondent banking relationships, every international transaction should be reported to the authorities. Each report requires information on the origin of the money i.e. client, address, telephone

Are relationships with banks who might be considered a 'shell' and without substance permitted?

No.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Entities must define special procedures in order to perform KYC for non-face-to-face interviews. They must also implement follow up procedures for clients’ transactions

To whom are SAR's made? (suspicious activity reports)

UIAF of Colombia

Link to website of SAR reporting

www.uiaf.gov.co

Other Suspicious or unusual transactions obligations.

Yes, institutions should report individual cash transactions above USD5,000 and total monthly cash transactions above USD25,000. They should also report: a) suspicious transactions b) transactions of remittances and buy and sell of foreign exchange; c) transactions with international credits cards; d) products offered; and e) information about campaigns and parties political.

Are there any de-minimis thresholds below which transactions do not need to be reported?

USD25,000

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Special requirements and an investigation from the regulator shall be performed at an institution that does not report the required periodical AML information.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

No, each entity is free to develop or use their specific methodology to perform transaction monitoring according to their KYC policies.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

No, each entity shall define if a suspicious transaction shall be continued or not, although it has to be reported to the UIAF.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Entities monitor all transactions regardless of the entity’s jurisdiction.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

Yes, the financial Colombian regulation defines that the external auditor must perform audits of the AML risk management system quarterly. Additionally, the internal auditor must perform an audit annually.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

the external auditor performs an audit quarterly

To whom should the report on AML systems be submitted?

the results are reported to the board of directors

Is an AML system part of the financial statement audit?

the final opinion is part of the financial statement audit.

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

The external and internal auditors must evaluate that the risk management system is operating according to all requirements of the regulation. The audit is performed in accordance with the auditor judgement

Data Protection Laws And Personal Data

the regulation for personal data protection stipulates that all individuals have the right to know about and update personal information that has been gathered about them by public or private entities and prohibits the processing of any individual's sensitive information without the prior, explicit, and informed consent of that individual.

Data Protection for Corporate Data

N/A

Data protection for "sensitive Data" and additional protections.

Sensitive data is expressly protected. The law has a reinforced protection for so-called sensitive data, which is information that deserves special protection because of the high risk posed by its processing to citizen’s rights and freedoms. The incorrect use of this sensitive data might cause discrimination. Sensitive data includes people’s racial and ethnic origins; colour and sexuality; their political, religious, philosophical, or other beliefs; their participation in a given association; or their membership in a trade union, among others.

Do any restrictions on the transfer of credit reports exist?

In Colombian legislation, banking secrecy and the right to privacy are not considered valid arguments to reject banking information requests issued by judges of the Republic of Colombia or Colombian AML authorities, within the limits established by article 15 of the Constitution and 2 of Law 1121 of 2006, also known as Organic Statute of the Financial (“EOSF”). Banking secrecy includes the financial and personal information in custody of the financial entities. Information relating to criminal records (those that are part of ongoing investigations without final decision of competent authority) and medical histories are considered sensitive and require prior, explicit and written authorization of the owner to be transferred.

Regulator Acronym

FSC

Year of last FATF mutual evaluation

N/A

National ID card details

Issued at age of 7.

Compulsory?

National ID source

https://commons.wikimedia.org/wiki/File:C%C3%A9dula_de_Ciudadan%C3%ADa_Colombia_a%C3%B1o_2000.jpg

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Yes

Requirement to proceed

requirement to use automated suspicious transaction tools

Who are SARS made to?

UIAF

shell banks

EDD for correspondent banking

Yes

Minimum transactions

COP 14,856,633

Min transaction USD

5000

key restrictions

Conveyance of real estate rights, aircraft, ships, corporation or other business associations; by laws; mortgage agreements; unlimited agency agreements and incorporation of branches are exempted from the law.

Summary

Yes, the law provides that the parties may use electronic signatures with consent. Summary of law Electronics signatures are used in both the public and private sectors in Colombia. It is considered two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronics signatures as legal and enforceable. Countries that follow this model gives companies the opportunity to select different forms of signatures and customize their business process based on the form that is most convenient and appropriate for each use case. Legal rulings regarding electronic signature have been somewhat general and do not address specific types of electronic signature. However, a Colombian Supreme Court decision in December 16, 2010, included digital and electronic signatures as recognized legal categories under Law 527. Obtaining consent prior to using electronic signature is a good practice to ensure enforceability.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

The main features of the regulation included implementing adequate KYC procedures, monitoring transactions, investigating unusual transactions and reporting any suspicious transactions to the relevant

Non financial sector (e.g. casinos, high value goods etc.)

Normatividad/circulares-externas/CircularExterna100-00005 Junio del 2014.

Does the country have a risk based approach?

Yes, new regulation has a risk based approach regarding AML.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

There is no need for copies to be certified by a notary (this was a requirement previously). Entities compare the copy with the original identification when the customer brings in the required documentation.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

Habeas Data law expressly prohibits the transfer of information to another country without the prior, express and written permission of the owner of the information and further states that the other country must have an equal or higher standard of protection of information and guarantees for the owner of the information. In Colombian legislation, banking secrecy and the right to privacy are not considered valid arguments to reject banking information requests issued by judges of the Republic of Colombia or Colombian AML authorities, within the limits established by article 15 of the Constitution and 2 of Law 1121 of 2006, also known as Organic Statute of the Financial (“EOSF”). Banking secrecy includes the financial and personal information in custody of the financial entities. Information relating to criminal records (those that are part of ongoing investigations without final decision of competent authority) and medical histories are considered sensitive and require prior, explicit and written authorization of the owner to be transferred.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.