Colombia -- AML/CFT Compliance Regulatory Overview

**Identify, measure, control, and monitor** the risks of money laundering and terrorist financing (ML/TF).

**Report suspicious transactions (SARs)** to the UIAF.

**Conduct comprehensive customer due diligence (CDD)**, including identifying ultimate beneficial owners (UBOs) and politically exposed persons (PEPs).

**Implement policies, procedures, and internal controls** to prevent ML/TF.

**Train personnel** on AML/CFT obligations.

**Resolución 314 de 2021 de la UIAF:** Por la cual se imparten instrucciones relacionadas con el SARLAFT a los proveedores de servicios de activos virtuales.

[Link to official UIAF Resolution 314/2021 (often found via UIAF's regulations section or official gazettes)] - *Note: Official direct link may vary as government sites update. Search "Resolución UIAF 314 de 2021" for the most current access.* A common source for these regulations is the "Diario Oficial" (Official Gazette) or the UIAF's own regulatory publications page. As an example, a legal portal reference: Resolución 314 de 2021 - Legis Xperta (subscription required, but shows its existence)

**UN Sanctions:** As a member state of the United Nations, Colombia is legally obligated to implement sanctions imposed by the UN Security Council. UIAF Resolution 314/2021 directly references adherence to UN Security Council resolutions as a core component of ML/TF risk management. This includes asset freezes and other restrictions against listed individuals and entities.

**How Colombia implements:** UN sanctions are generally incorporated into Colombia's domestic legal system through presidential decrees or ministerial resolutions, requiring financial institutions (now including VASPs) to monitor and comply.

**Legal Reference:** While a single overarching decree for all UN sanctions isn't typical, specific resolutions are adopted. The UIAF's mandate inherently covers adherence.

**OFAC (U.S. Office of Foreign Assets Control) Sanctions:** While OFAC sanctions are extraterritorial and primarily apply to U.S. persons, Colombian VASPs (and any entity operating in Colombia) are effectively compelled to comply for several reasons:

**Access to the U.S. financial system:** Many international transactions involve U.S. dollars or U.S. correspondent banking relationships. Non-compliance can lead to "de-risking" by banks, refusal to process transactions, and difficulties accessing global financial services.

**Secondary Sanctions:** Some OFAC sanctions include provisions for secondary sanctions against non-U.S. persons who engage in certain activities with sanctioned entities or countries.

**International Partnerships:** VASPs with international clients or partners will find OFAC compliance a standard requirement.

**Best Practice:** Adhering to OFAC lists is considered an international best practice for robust AML/CFT compliance.

**OFAC Sanctions List (SDN):** https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists

**EU (European Union) Sanctions:** Similar to OFAC, EU sanctions primarily apply to EU persons and entities. However, for the same reasons mentioned above (international financial access, global partnerships, and best practice), Colombian VASPs dealing with European entities or customers will generally need to screen against EU sanctions lists to mitigate risks.

**EU Consolidated Sanctions List:** https://www.sanctionsmap.eu/

**Identify clients and transactions linked to individuals or entities on national and international restrictive lists.** This means continuous screening of new and existing clients, as well as ongoing transaction monitoring.

**Block or freeze assets** of sanctioned individuals/entities as required by UN Security Council resolutions, and other applicable laws.

**Report any hits or suspicious activity** related to sanctioned entities to the UIAF.

OFAC Specially Designated Nationals (SDN) List and other relevant OFAC lists

EU Consolidated List of persons, groups, and entities subject to financial sanctions

Any other relevant lists provided by local law enforcement or judicial authorities.

**UN-Sanctioned Countries:** Transactions involving countries under UN arms embargoes, financial restrictions, or other measures (e.g., North Korea, Iran in specific contexts) must be flagged and handled in accordance with UN resolutions and Colombian domestic implementation.

**OFAC-Sanctioned Countries:** VASPs dealing with international clients or operating globally will need to restrict or block transactions involving comprehensively sanctioned jurisdictions by OFAC (e.g., Cuba, Iran, North Korea, Syria, certain regions of Ukraine/Russia, Venezuela for specific entities/individuals). While Colombia does not directly enforce these, non-compliance can lead to severe operational and reputational consequences.

**FATF High-Risk Jurisdictions:** While not a "sanction," VASPs must exercise enhanced due diligence for transactions involving jurisdictions identified by FATF as high-risk for ML/TF (e.g., DPRK, Iran, Myanmar), or those with strategic deficiencies.

**Fines:** The UIAF and other supervisory bodies (like the Superintendencia Financiera, Superintendencia de Sociedades) can impose substantial administrative fines on VASPs and their directors for non-compliance with SARLAFT obligations, including failure to report suspicious transactions or adequately screen for sanctioned entities.

**Suspension or Revocation of Operations:** In severe cases, particularly for unregulated VASPs that fail to adhere to AML/CFT guidelines, authorities could pursue actions to suspend or cease their operations.

**Legal Reference:** The powers for administrative sanctions are typically derived from specific laws establishing the supervisory bodies and their mandates (e.g., Decree 663 of 1993, which is the Organic Statute of the Financial System, and subsequent regulations expanding UIAF's powers).

**Criminal Penalties (Money Laundering and Terrorist Financing):**

Failure to implement proper AML/CFT controls, which results in the facilitation of money laundering or terrorist financing, can lead to criminal charges against individuals (e.g., directors, compliance officers) and corporate liability.

**Money Laundering (Lavado de Activos):** Articles 323 to 323A of the Colombian Criminal Code. Penalties can range from **10 to 30 years in prison** and significant fines.

**Terrorist Financing (Financiación del Terrorismo):** Article 345 of the Colombian Criminal Code. Penalties can range from **13 to 22 years in prison** and substantial fines.

**Illicit Enrichment (Enriquecimiento Ilícito):** Article 327 of the Colombian Criminal Code.

**Ley 599 de 2000 (Código Penal Colombiano):**

**UN Security Council Sanctions:** These are adopted into Colombian law as described above.

**Domestic Lists for AML/CFT Risk Management:** Colombian financial institutions and VASPs are also expected to screen against internal lists generated by local law enforcement and judicial authorities for AML/CFT purposes. These might include:

Lists of individuals under criminal investigation for ML/TF, corruption, or other illicit activities.

Politically Exposed Persons (PEPs) lists.

Lists related to individuals or entities linked to organized crime or terrorist groups operating domestically.

**Adopted:** Yes, Colombia has formally adopted requirements aligned with the FATF Travel Rule. This aligns with its commitment as a member of GAFILAT (Financial Action Task Force of Latin America), which enforces FATF standards in the region.

**Key Legislation/Guidance:** The primary regulation is the **UIAF Circular Externa 001 of 2023**, which modifies and updates the "Sistema de Administración del Riesgo de Lavado de Activos y Financiación del Terrorismo para el sector de Activos Virtuales" (SARCIM - AML/CFT Risk Management System for the Virtual Assets Sector). This circular explicitly requires Virtual Asset Service Providers (VASPs) to implement measures to identify and transmit information on originators and beneficiaries of virtual asset transfers.

UIAF Circular Externa 001 of 2021 (the predecessor to the 2023 circular) initially established the SARCIM and its obligations, becoming effective shortly after its publication in **2021**.

The **UIAF Circular Externa 001 of 2023** modified the SARCIM, entering into force upon its publication on **March 10, 2023**. VASPs were given specific deadlines to comply with the updated requirements, generally within 6 months to a year, depending on the specific obligation.

The UIAF Circular Externa 001 of 2023 mandates the collection of originator and beneficiary information as part of the VASP's overall AML/CFT risk management for **all virtual asset transfers involving their customers**.

While the circular does not explicitly state a *threshold for data transmission between VASPs* for the Travel Rule (like the FATF's recommended $1,000/€1,000 equivalent), the general AML/CFT framework, and the spirit of the Travel Rule, implies that for inter-VASP transfers, this threshold applies for the *full set of Travel Rule data transmission*. VASPs are generally required to identify customers and collect basic transaction information for all amounts. For transfers equal to or greater than the equivalent of **USD 1,000** (or local currency equivalent), enhanced due diligence and the full set of Travel Rule data (originator and beneficiary information) should be collected and transmitted.

The UIAF Circular Externa 001 of 2023 covers "Providers of Virtual Asset Services" (Proveedores de Servicios de Activos Virtuales - PSAV), which includes:

Entities that exchange virtual assets for fiat currency.

Entities that exchange one or more forms of virtual assets.

Entities that transfer virtual assets.

Entities that safeguard and/or administer virtual assets or instruments enabling control over virtual assets.

Entities that participate in and provide financial services related to an issuer's offer and/or sale of a virtual asset.

This broad definition aligns with FATF Recommendation 15 on virtual assets and VASPs.

**Data to be Collected and Transmitted:** The Circular requires VASPs to obtain and retain information about the **originator** and **beneficiary** of virtual asset transfers. This typically includes:

Name (natural person) or legal name (legal person).

Account number or identifier used for the transaction.

Physical address (if available) or unique national identification number (e.g., passport, national ID) or customer identification number (e.g., RUT).

Unique national identification number (e.g., passport, national ID) or customer identification number (e.g., RUT).

**Transmission Method:** While the Circular mandates the *collection* and *retention* of this information, it does not specify a particular technical standard or protocol (e.g., TRISA, OpenVASP) for *transmitting* this data between VASPs. It expects VASPs to establish secure and reliable means for such transmission, consistent with data privacy and security regulations. VASPs must have robust internal systems to manage and securely store this information.

Non-compliance with UIAF regulations, including those related to SARCIM and the Travel Rule, can result in significant penalties under Colombia's broader AML/CFT framework.

**Regulatory Body:** The UIAF, in conjunction with other supervisory bodies like the Superintendencia Financiera de Colombia (SFC) for entities under its direct supervision, is responsible for enforcing these rules.

**Types of Penalties:** Penalties can include:

**Fines:** Substantial monetary fines, which can be tiered based on the severity of the violation, the VASP's size, and the amount of money involved.

**Reputational Damage:** Public sanctions and regulatory enforcement actions can severely damage a VASP's reputation and trust among users.

**Operational Restrictions:** In severe cases, regulatory authorities may impose operational restrictions, suspend licenses, or even order the closure of the VASP.

**Criminal Charges:** In instances where non-compliance is linked to money laundering or terrorist financing activities, individuals (e.g., VASP management) can face criminal prosecution and imprisonment.

The specific penalty regime is outlined in Colombian Law 526 of 1999 (which created the UIAF) and other related AML/CFT statutes, which generally apply to all obligated entities, including VASPs.