SARLAFT in Colombia: The Compliance Officer’s Evidence Test
The Compliance Traveller Series | Field Guide: Colombia
The Compliance Traveller series explores the world through ‘regulation glasses,’ reading a country’s AML landscape the way a traveller reads a new destination.
Colombia is a country that rewards deep preparation. What follows is not an abstract map of compliance obligations, but a ground-level account of what the Oficial de Cumplimiento must now demonstrate, highlighting exactly where institutions fail to bridge the gap between SARLAFT documentation and the operational evidence regulators expect to see.
Discovering a suspicious transaction used to feel like the end point of a monitoring process. Today, it is only the start.
Where did the customer come from? Which checks were performed at onboarding? Was the beneficial owner verified? Did the fraud team see the same warning signs as the AML team? Was the case escalated in time?
This is where SARLAFT pressure is building. The framework is not new. Banks, payment providers, SEDPEs and other regulated institutions already know the language of customer due diligence, PEPs, sanctions screening, transaction monitoring, ROS reporting and board oversight. What is changing is the level of proof expected from the Compliance Officer.
Colombia is entering this phase under pressure from two directions. Regulation is tightening, while digital fraud is growing faster and becoming harder to contain. TransUnion reported a 43.5% year-on-year increase in suspected digital fraud attempts in Colombia during the first half of 2024. ACIS has warned that identity-fraud losses could exceed COP 50 trillion in 2025, and, citing FICO, more than 80% of Colombian banking users report having been targeted by attempted fraud.
Beyond SARLAFT itself, the broader risk-governance environment is tightening on parallel tracks. Circular Externa 015 of 2025 introduces SARAS (environmental, social and climate risk management), a separate framework but one that demands the same evidence-based posture and integration with existing risk systems, including SARLAFT. Within the AML/CFT perimeter, Resolution 16615 of 2025 brings the transport sector further into the SARLAFT framework. Circular Externa 001 of 2026 shows that Open Finance implementation is pushing institutions to manage consent, APIs, security and evidence as part of the same control environment.
For the Compliance Officer, these developments meet in one place: the ability to show that controls work inside the business, through real files, alerts, decisions and escalations.
The fraud gap
The numbers above expose the gap between formal compliance and operational control. A SARLAFT manual, a risk matrix and a board-approved policy do not stop synthetic identities from passing onboarding checks. They do not stop mule accounts from moving funds across institutions. They do not help if fraud alerts exist in one system and AML monitoring is in another.
SARLAFT was never meant to be a filing cabinet. Like a guidebook, it tells you what to expect but does not protect you from what actually happens when you arrive. SARLAFT is supposed to help the institution understand who the customer is, what risk the customer presents, how transactions behave, when suspicion arises and whether the institution can prove what it did.
The job now turns on proof.
What the Compliance Officer has to prove
The Colombian Compliance Officer has always carried serious responsibility. Under SARLAFT, the Oficial de Cumplimiento is not simply an owner of policies. The role sits close to the board, the risk framework and the UIAF reporting process. What is changing is the practical burden. A documented SARLAFT programme is the entry requirement, but what regulators and the UIAF now examine is whether that programme produced a traceable trail: real case files, documented reviews and escalation records that hold up under scrutiny.
In practice, the questions are simple: why was this customer classified as high risk? Which checks were performed at onboarding? Was beneficial ownership reviewed? Did fraud signals reach the AML team? Why did one case become a ROS while another did not?
The last question is usually the hardest: can the institution show that the board saw the right information in time to act?
Many institutions struggle at that point. Their formal compliance documents look acceptable. Their operational evidence is weaker.
SARLAFT now has to connect the dots
The older compliance model treated risks in separate compartments. AML had one workflow, fraud had another, cybersecurity and consumer protection sat somewhere else. Data protection often lived with legal or privacy teams.
Digital financial services make that separation harder to defend.
A phishing attack can become a consumer-protection issue, a cybersecurity incident, an account-takeover case and a potential AML event. A synthetic identity can enter through onboarding, obtain access to a financial product, build a normal-looking profile and later support mule activity. A third-party relationship in an Open Finance environment can raise SARLAFT, data protection, API security, consent and operational-risk questions at the same time.
The Compliance Officer’s challenge is to connect the signals already existing inside the institution. The SARLAFT risk assessment needs to speak to fraud intelligence. Customer due diligence needs to connect with transaction monitoring. Sanctions and PEP screening need to operate across the lifecycle. Case management needs to preserve a clean trail of decisions. Data governance needs to support the explanation.
Technology matters, but the legal question remains control effectiveness. Colombian law does not mandate one specific identity, monitoring or authentication technology. Institutions choose controls based on their risk profile, products, channels and data protection analysis. The test is whether the control environment is strong enough to identify risk, monitor behaviour, escalate suspicion and preserve evidence.
Open Finance adds a new evidence problem
Open Finance changes the Compliance Officer’s job because it creates new relationships, new data flows and new evidence requirements.
Navigating Colombia’s Open Finance model is like managing a flight with multiple connection stops: data sharing relies on a chain of customer authorizations, technical standards, security controls, and third-party handoffs. Missing the compliance ‘check-in’ at any single point compromises the entire journey.
The SFC’s transition rules through Circular Externa 001 of 2026 show that implementation is complex. Institutions need time to meet technical, security and operational standards, and supervisors know that the technical build is part of the compliance challenge.
For SARLAFT, the challenge is practical: those new relationships have to be screened, monitored and evidenced.
A data recipient may need to be treated as a client or potential client for AML due diligence. Consent records must be reliable. API logs need to support auditability. Third-party risk must be understood. Payment initiation, once in operation, adds a further layer because the third party may help initiate movement of funds, not merely read data.
For the Compliance Officer and the institution, the practical problem is explaining the whole chain: who accessed the data, what authorisation supported it, which participant received it and whether the recipient was subject to due diligence. If payment initiation is involved, the trail should also show what happened, which alerts were generated, who reviewed them and where the evidence is stored.
The SARLAFT answer therefore cannot sit outside that flow. It has to be built into it.
The transport-sector signal
Resolution 16615 of 2025 matters beyond the transport sector. Transport, logistics and infrastructure have been attractive to trade-based laundering, contraband, cash movement, organised crime and high-risk counterparties. When the Superintendencia de Transporte modifies its SARLAFT chapter, the message is consistent with the broader pattern: AML/CFT expectations are becoming more operational across sectors.
For banks and payment providers, this matters because their customers and counterparties may operate in those sectors. A bank onboarding a transport company does not need to become the transport supervisor. It should, however, understand whether that company is subject to sectoral SARLAFT duties, whether controls are in place and whether its risk profile matches its activity. This also gives the Compliance Officer a more commercial role: helping the institution decide which customers it can serve, under what controls and with what level of confidence.
The board problem
Boards usually ask for clarity. They do not always receive it. Long reports. Static dashboards. Policy updates. Training numbers. Alert volumes. ROS counts.
Those figures matter, but they do not always answer the right question.
A stronger board pack should show where risk is moving. Which typologies are rising? Which customer segments are producing more alerts? Which channels are showing account-opening fraud? How fast are high-priority cases escalated? How many cases are reopened because the first analysis was incomplete? Where are the delays: onboarding, monitoring, investigation, legal review or reporting?
That is the difference between a compliance programme on paper and a compliance function that can defend itself. The Compliance Officer should not have to convince the board that SARLAFT matters. The evidence should already make that clear.
What this means for the Compliance Officer
Colombia’s compliance environment is entering a more demanding chapter. SARAS, Open Finance, transport-sector SARLAFT, AI governance debates, data protection and fraud pressure come from different places, but they meet inside the same institution.
They meet in onboarding, customer-risk scoring, third-party due diligence, monitoring, case files and board reporting.
The institutions that handle this well will not be the ones with the longest manuals. They will be the ones that can answer a supervisor’s practical questions: what happened, why was it treated that way, who approved it, what changed afterwards and where is the evidence?
That is the SARLAFT test now. The manual still matters, but the evidence has to stand on its own.
Frequently asked questions
What is SARLAFT?
SARLAFT (Sistema de Administración del Riesgo de Lavado de Activos y Financiación del Terrorismo) is the mandatory framework imposed by Colombia’s Superintendencia Financiera (SFC) on its supervised institutions (banks, insurers, financing companies, financial cooperatives, regulated fintechs and SEDPEs) to prevent, detect and report money laundering and terrorist financing activities.
Who must comply with SARLAFT?
All institutions supervised by the SFC: banks, financing companies, financial cooperatives, insurers, fiduciaries, pension fund administrators, investment fund managers, regulated fintechs and SEDPEs. The non-financial real sector has an equivalent framework, SAGRILAFT, under the Superintendencia de Sociedades.
What are the consequences of SARLAFT non-compliance?
SARLAFT non-compliance can result in fines imposed by the SFC, personal sanctions against directors and Compliance Officers, and in severe cases revocation of the operating licence. The magnitude depends on the severity and recurrence of the breach under the Estatuto Orgánico del Sistema Financiero (Decreto 663 of 1993).
When must a ROS be filed?
A Reporte de Operación Sospechosa (ROS) must be filed with the UIAF when, after applying customer due diligence, the institution has reasonable elements to consider that a transaction is suspicious, without needing to prove the underlying offence. The timeliness and quality of the report form part of the evidence supervisors examine.
What is the difference between SARLAFT and SAGRILAFT?
SARLAFT applies to the financial sector supervised by the SFC. SAGRILAFT (Sistema de Autocontrol y Gestión del Riesgo Integral de LA/FT) applies to the non-financial real sector under the Superintendencia de Sociedades. Both share principles (risk-based approach, due diligence, reporting to the UIAF) but differ in scope, proportionality and reporting frequency.