Colombia -- Custody Regulations Regulatory Overview

Colombia's regulatory framework for cryptocurrency and digital assets, particularly concerning custody, is still in its nascent stages and largely lacks specific, dedicated legislation. Instead, regulators have primarily adopted a cautious approach, issuing warnings and attempting to fit nascent crypto activities into existing financial regulations where possible. The most significant development to date is the regulatory sandbox.

Here's a breakdown of the current situation:

Overview of Regulatory Stance

The Superintendencia Financiera de Colombia (SFC), the main financial regulator, has consistently stated that:

• Cryptocurrencies are not legal tender in Colombia.
• They are not regulated by the SFC as financial products or securities, unless they exhibit characteristics that make them fall under existing definitions (e.g., a security token).
• Entities offering services related to virtual assets are not supervised by the SFC under traditional financial market regulations, unless they are already a regulated entity providing traditional services that touch crypto.

1. Custodial License Requirements

• No specific "crypto custody license" currently exists in Colombia.
• However, if a firm engaged in crypto custody also conducts activities that fall under existing financial services laws (e.g., operating as a payment service provider, managing collective investment schemes, or issuing securities), then it would be subject to the SFC's licensing and supervision requirements for those specific activities.
• The "La Arenera" Regulatory Sandbox: This is the closest Colombia has to a structured approach for crypto firms.
  • Decree 1234 of 2020 established the framework for innovative projects in financial technologies (FinTech) within a regulatory sandbox (known as "La Arenera").
  • Purpose: It allows regulated entities (banks, trusts) and new FinTech firms (including those dealing with crypto assets) to test innovative products and services under the SFC's supervision for a limited period, with certain regulatory waivers.
  • Custody Aspect: While not a "custody license," participating crypto platforms in the sandbox, especially those handling client funds/assets, are subject to heightened scrutiny regarding risk management, cybersecurity, and consumer protection. Some projects involving the intermediation of crypto assets have been approved, which inherently involves some form of custody.
  • Reference:
    • Decreto 1234 de 2020 (Ministerio de Hacienda y Crédito Público): https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=141870
    • Superintendencia Financiera de Colombia - La Arenera: https://www.superfinanciera.gov.co/inicio/la-arenera-sandbox-regulatorio-fintech-10078049

2. Segregation of Client Assets Rules

• No specific regulations for segregation of client crypto assets.
• General Principles: For any entity operating within the traditional financial system or within the sandbox, the general principles of financial law and trust law would apply, demanding:
  • Separation: Client assets must be clearly segregated from the firm's own assets to protect clients in case of firm insolvency.
  • Fiduciary Duty: Entities holding client assets (e.g., fiduciaries, custodians) have a fiduciary duty to act in the best interest of their clients.
• These principles are deeply embedded in Colombian financial law (e.g., Estatuto Orgánico del Sistema Financiero (Decree 663 of 1993)) and would likely be extended to crypto custody if a firm operates under SFC oversight.
• Reference:
  • Decreto 663 de 1993 (Estatuto Orgánico del Sistema Financiero): https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=2450 (Search for articles related to fiduciary duties and client asset protection within financial intermediaries).

3. Insurance/Bonding Requirements

• No specific insurance or bonding requirements for crypto custody.
• General Principles: Regulated financial institutions in Colombia are subject to various insurance requirements (e.g., deposit insurance for banks via Fogafín, professional indemnity insurance for fiduciaries). If a crypto custody service were to be performed by a regulated entity, then these existing requirements would apply to the regulated entity as a whole.
• For unregulated crypto service providers, there are no mandatory insurance requirements.

4. Cold Storage Mandates

• No specific legal mandates for cold storage of crypto assets.
• Best Practices: While not legally mandated, cold storage is widely recognized as a critical security best practice within the crypto industry. Any reputable custodian, especially those aiming for regulatory approval or operating within the sandbox, would be expected to implement robust cybersecurity measures, which typically include a significant use of cold storage for the majority of client assets.
• General Cybersecurity & Data Protection: Colombia has general data protection laws (Ley 1581 de 2012) that require entities handling personal data to implement appropriate security measures. While not directly about asset storage, it sets a precedent for strong cybersecurity.
• Reference:
  • Ley 1581 de 2012 (Protección de Datos Personales): https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981

5. Qualified Custodian Definitions

• No specific legal definition for "qualified custodian" in the context of crypto assets.
• In traditional Colombian financial law, a "custodian" or "fiduciary" is a regulated entity (e.g., banks, trust companies – sociedades fiduciarias) subject to SFC oversight.
• Should crypto custody become specifically regulated, it is highly probable that a "qualified custodian" would be defined as an entity that is:
  • Properly licensed and supervised by the SFC.
  • Meets stringent capital, governance, technology, and risk management requirements.
  • Demonstrates expertise and robust systems for safeguarding digital assets.

6. Pending Custody Legislation

• Draft Law on Crypto Asset Regulation: There have been several attempts to introduce comprehensive legislation for crypto assets in Colombia. The most significant recent one is Proyecto de Ley 139 de 2023 Cámara (and its predecessors), which seeks to regulate activities related to virtual assets.
  • Key Provisions (Proposed): This draft law aims to define virtual assets, establish a framework for Virtual Asset Service Providers (VASPs), and create a registry for them under the SFC. While not exclusively focused on custody, any such comprehensive regulation would inevitably address custody aspects, including:
    • Licensing requirements for VASPs.
    • Operational standards, including security protocols.
    • Consumer protection measures.
    • Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations.
  • Status: These legislative efforts have faced delays and significant debate. They represent the current direction of legislative intent to bring clarity and regulation to the crypto space, but no law has been enacted yet.
  • Reference: You would typically find information on the legislative progress via the Congress of the Republic's website. A search for "Proyecto de Ley 139 de 2023 cripto" or similar terms on the Congreso de la República website (http://www.camara.gov.co/ or http://www.senado.gov.co/) would yield the most current legislative text and status.

Conclusion

Colombia is in a transitional phase regarding crypto custody regulations. While explicit laws are absent, the SFC has established the "La Arenera" sandbox as a mechanism to explore and supervise innovative FinTech projects, including those involving crypto. The ongoing legislative efforts (like Proyecto de Ley 139 de 2023) indicate a clear intention to establish a more comprehensive regulatory framework, which is expected to include specific provisions for licensing, operational requirements, and client asset protection for virtual asset service providers, including custodians. For now, firms dealing with crypto assets must navigate a landscape where existing financial regulations may be applied by extension, and adherence to industry best practices is paramount.

Disclaimer: This information is for general informational purposes only and does not constitute legal advice. Given the dynamic nature of cryptocurrency regulation, it is essential to consult with legal professionals specializing in Colombian financial law for specific guidance.