Corporate Compliance 2026
Corporate Compliance 2026
Below, we present an informational bulletin outlining the main corporate obligations to be addressed during 2026, together with a detailed explanation of each.
Obligation | Due date |
| Ordinary meetings of the highest corporate body (Shareholders’ Assembly / Partners’ Meeting) | March 31, 2026 |
| Renewal of Commercial Registration, Registration of Non-Profit Entities and National Tourism Registry (as applicable) | March 31, 2026 |
| Renewal of the Single Registry of Proponents (RUP) | April 9, 2026 |
| Filing of Financial Statements | Within one (1) month following the approval of the financial statements |
| Appointment of Statutory Auditor (Revisor Fiscal) (if applicable) | Within three (3) months following the end of the fiscal year, unless otherwise provided in the bylaws |
| Registration of a Situation of Control or Business Group (if applicable) | Within thirty (30) business days following the occurrence of the control situation |
| Registration of Colombian Websites with the Commercial Registry (if applicable) | Within one (1) month following the date on which the website was made available to the public |
| Filing of Financial Statements before the Superintendence of Companies (if supervised or controlled) | In accordance with the deadline established in the Single Circular for Financial Information Requirements (CURIF) issued by the Superintendence of Companies |
Corporate Secretariat – First quarter of 2026
Annual compliance with corporate obligations due for the first quarter of 2026, in accordance with Colombian regulations. For this purpose, the obligation includes the following:
1. Ordinary shareholders' meeting or highest corporate body for the year 2026, whereby the financial statements of the previous year and the management report of the legal representative are approved, on a business date within the first three months of the year 2026.
2. Deposit of Financial Statements before the Chamber of Commerce, within the month following their approval by the highest corporate body.
3. Renewal of Mercantile Registration and Registration of Non-Profit Entities (if applicable), within the first three months of the year.
Single Registry of Proponents (RUP) – April 9, 2026
The companies that have the Sole Registry of Bidders - RUP, must comply annually with the obligation to renew it, within the first 5 working days of the month of april. For this year, its expiration date is april 9, 2026.
Statutory Auditor – As of the date of the Ordinary Shareholders’ Meeting at which the Financial Statements are approved, provided that the minimum thresholds are met.
All companies whose total assets as of december 31, 2025 are equal to or greater than 5.000 statutory monthly minimum wages (SMMLV) and/or whose gross income as of the same date is equal to or greater than 3.000 SMMLV are required to appoint a Statutory Auditor.
Statutory Auditor | ||
Requirements | Threshold | SMMLV 2025 |
$1.423.500 COP | ||
Assets | 5.000 | $7.117.500.000 COP |
Income | 3.000 | $4.270.500.000 COP |
On the other hand, the Code of Commerce has established the following as obligated, regardless of whether they comply with the aforementioned ceilings:
- Corporations and limited partnerships by shares.
- Branches of foreign companies.
- Companies in which, by law or by the bylaws, the administration does not correspond to all the partners, when so provided by any number of partners excluded from the administration representing not less than twenty percent (20%) of the capital.
Filing of Financial Statements with the Superintendence of Companies (if supervised or controlled)
Companies subject to supervision or control by the Superintendence of Companies are required to file the financial information requested within the deadlines established in the Single Circular and in any specific information requests issued by such authority.
Last two (2) digits of the NIT | Deadline for filing – 2026 | Last two (2) digits of the NIT | Deadline for filing – 2026 |
01 – 05 | Monday, april 13, 2026 | 51 – 55 | Monday, april 27, 2026 |
06 – 10 | Tuesday, april 14, 2026 | 56 – 60 | Tuesday, april 28, 2026 |
11 – 15 | Wednesday, april 15, 2026 | 61 – 65 | Wednesday, april 29, 2026 |
16 – 20 | Thursday, april 16, 2026 | 66 – 70 | Thursday, april 30, 2026 |
21 – 25 | Friday, april 17, 2026 | 71 – 75 | Monday, may 4, 2026 |
26 – 30 | Monday, april 20, 2026 | 76 – 80 | Tuesday, may 5, 2026 |
31 – 35 | Tuesday, april 21, 2026 | 81 – 85 | Wednesday, may 6, 2026 |
36 – 40 | Wednesday, april 22, 2026 | 86 – 90 | Thursday, may 7, 2026 |
41 – 45 | Thursday, april 23, 2026 | 91 – 95 | Friday, may 8, 2026 |
46 – 50 | Friday, april 24, 2026 | 96 – 00 | Monday, may 11, 2026 |
Superintendence of Companies
1. SAGRILAFT – May 31, 2026
All companies subject to inspection, surveillance, or control by the Superintendence of Companies of Colombia that, during the immediately preceding year, obtained revenues or assets equivalent to forty thousand (40.000) Monthly Legal Minimum Wages (SMMLV), as well as certain specific sectors with different thresholds depending on their activities and CIIU codes, are required to implement the Self-Control and Comprehensive Risk Management System for Money Laundering and Terrorist Financing (SAGRILAFT) by may 31, 2026.
The applicable thresholds for 2026 are as follows:
Sector | Criter | Value SMMLV 2025 ($ 1.423.500) |
| All sectors | Assets or revenues equal to or greater than 40.000 SMMLV | COP $ 56.940.000.000 |
Specific sectors · Real estate agents · Precious metals and stones trading · Legal services · Accounting services · Civil engineering works | Revenues equal to or greater than 30.000 SMMLV | COP $ 42.705.000.000 |
| Virtual asset service providers & companies receiving virtual asset contributions | Income ≥ 3.000 SMMLV or assets ≥ 5.000 SMMLV | Income ≥ COP $4.270.500.000 or Assets ≥ COP $7.117.500.000 |
| Chambers of Commerce | Income ≥ 40.000 SMMLV | COP 56.940.000.000 |
Special supervision sectors (Regardless of revenue or asset thresholds) | a. Commercial Self-Financing Plan Management Companies (SAPAC). b. Payroll loan operators supervised by the Superintendence of Companies. c. Companies engaged in multi-level marketing activities. d. Livestock funds. e. Factoring companies supervised by the Superintendence of Companies. | |
2. Minimum Measures Regime - May 31, 2026
The Minimum Measures Regime associated with Money Laundering and Terrorist Financing (ML/TF) must be implemented by Chambers of Commerce, foreign Non-Profit Entities (ESALES), and Designated Non-Financial Businesses and Professions or DNFBPs (real estate agents, dealers in precious stones and metals, legal services, or accounting services) with revenues equal to or greater than 3.000 Current Minimum Legal Monthly Wages (SMMLV) or assets equal to or greater than 5.000 SMMLV, provided they fall under the economic activity code defined for their specific sector:
Sector | Critery | Value SMMLV 2025 ($ 1.423.500) |
| APNFD: Designated Non-Financial Businesses and Professions | Income equal to or greater than 3.000 SMMLV or assets equal to or greater than 5.000 SMMLV | Income (≥) to $4.270.500.000 or Assets (≥) to $7.117.500.00 |
| Foreign Non-Profit Entities | Those with permanent operations in Colombia with revenues equal to or greater than 9.000 SMMLV and that report revenues equal to or greater than 9.000 SMMLV | $ 12.811.500.000 COP |
| Chambers of Commerce | Revenues between 9.000 and less than 40.000 SMMLV | $ 12.811.500.000 – $ 56.939.999.999 COP |
Transparency and Business Ethics Program (PTEE) – May 31, 2026
Supervised companies are required to implement the Transparency and Business Ethics Program (PTEE) if, as of december 31 of the immediately preceding year (2025), they have carried out transactions with foreign natural or legal persons for amounts equal to or greater than one hundred (100) Monthly Legal Minimum Wages (SMMLV) and, additionally, have obtained total revenues or total assets equal to or greater than thirty thousand (30.000) SMMLV.
The implementation deadline is may 31, 2026.
Validation criteria for the implementation of the Transparency and Business Ethics Program (PTEE) | |||
Obligated parties | Concept | Threshold in SMMLV | Total 2025 (COP) |
| Supervised Companies | (i) That, as of december 31 of the immediately preceding year, have carried out International Business or Transactions of any nature, directly or through an intermediary, contractor, or by means of a Subsidiary Company or a branch, with foreign natural or legal persons governed by public or private law, equal to or greater (individually or jointly) than one hundred (100) SMMLV | 100 | COP 142.350.000 |
Companies | (ii) Additionally, that as of december 31 of the immediately preceding year have obtained Total Revenues or hold Total Assets equal to or greater than thirty thousand (30.000) SMMLV, must comply with the provisions of the Single Circular of the Superintendence of Companies. Supervised Companies that are required to comply with the requirements set forth in this item shall be required to identify and assess Transnational Bribery Risks. | 30.000 | COP 42.705.000.000 |
| (i) That, as of december 31 of the immediately preceding year, directly or indirectly (through consortia, temporary unions, or any other structure permitted by law), have entered into contracts with State Entities for an amount equal to or greater (individually or jointly) than five hundred (500) SMMLV. | 500 | COP 711.750.000 | |
| (ii) Additionally, that contemplate the economic activity code corresponding to the Pharmaceutical, Infrastructure and Construction, Manufacturing, Mining–Energy, Information and Communications Technologies (ICT), Vehicle Trade, its parts, components and accessories; and auxiliary financial services activities sectors, and that, as of December 31 of the immediately preceding year, have obtained Total Revenues equal to or greater than three thousand (3.000) SMMLV or held Total Assets equal to or greater than five thousand (5.000) SMMLV. Supervised Entities that are required to comply with these requirements shall only be required to identify and assess Corruption Risks. | 30.000 | COP 42.705.000.000 | |
| (i) That, as of december 31 of the immediately preceding year, directly or indirectly (through consortia, temporary unions, or any other structure permitted by law), have entered into contracts with State Entities for an amount equal to or greater (individually or jointly) than five hundred (500) SMMLV. | 500 | COP 711.750.000 | |
| (ii) Additionally, that contemplate the economic activity code corresponding to the Pharmaceutical, Infrastructure and Construction, Manufacturing, Mining–Energy, Information and Communications Technologies (ICT), Vehicle Trade, its parts, components and accessories; and auxiliary financial services activities sectors, and that, as of december 31 of the immediately preceding year, have obtained Total Revenues equal to or greater than three thousand (3.000) SMMLV or held Total Assets equal to or greater than five thousand (5.000) SMMLV. Supervised Entities that are required to comply with these requirements shall only be required to identify and assess Corruption Risks. | Revenues equal to or greater than 3.000 SMMLV or assets equal to or greater than 5.000 SMMLV | Revenues (≥) COP 4.270,500.000 or Assets (≥) COP 7.117.500.000 | |
| Foreign Non-Profit Entities | Foreign Non-Profit Entities (Foreign ESALES) with permanent operations in Colombia, whose revenues are equal to or greater than nine thousand (9.000) SMMLV, must implement this program, focused on corruption and transnational bribery risks (C/TB). | 9.000 | COP 12.811.500.000 |
Report No. 75 – SAGRILAFT and PTEE
Informe Report submitted to the Superintendence of Companies regarding the management of the Self-Control and Comprehensive Risk Management System for Money Laundering, Terrorist Financing and the Financing of the Proliferation of Weapons of Mass Destruction (SAGRILAFT) and the Transparency and Business Ethics Program (PTEE). Pursuant to External Circular 100-000003 of 2024, this report now consolidates those previously filed as Report No. 50 and Report No. 52 (now Report No. 75).
Report No. 75 must be submitted by companies required to implement SAGRILAFT and/or PTEE, in accordance with the provisions set forth in Chapters X and XIII of the Basic Legal Circular.
For 2026, the maximum filing deadline falls in July, and the exact date depends on the last two (2) digits of the Tax Identification Number (NIT):
Last two (2) digits of the NIT | Maximum deadline for submission |
01 – 10 | Eleventh business day of july |
11 – 20 | Twelfth business day of july |
21 – 30 | Thirteenth business day of july |
31 – 40 | Fourteenth business day of july |
41 – 50 | Fifteenth business day of july |
51 – 60 | Sixteenth business day of july |
61 – 70 | Seventeenth business day of july |
71 – 80 | Eighteenth business day of july |
81 – 90 | Nineteenth business day of july |
91 – 00 | Twentieth business day of july |
Report No. 58 – Compliance Officers
Obligated parties that are required to appoint (i) a SAGRILAFT Compliance Officer and/or (ii) a Transparency and Business Ethics Program (PTEE) Compliance Officer, as well as their respective alternate compliance officers, must complete Report No. 58 – Compliance Officers within fifteen (15) business days following the initial appointment, modification, or replacement, of either the principal or alternate compliance officer, as applicable.
Obligations of Financial Superintendency
1. SARLAFT
All entities subject to inspection, surveillance, or control by the Financial Superintendency of Colombia are required to implement, maintain, update, and effectively apply the System for the Administration of the Risk of Money Laundering, Terrorist Financing, and the Proliferation of Weapons of Mass Destruction (SARLAFT), in accordance with the instructions set forth in the Basic Legal Circular, the Organic Statute of the Financial System, and other applicable regulations.
The obligation to implement SARLAFT is not subject to minimum thresholds of income, assets, or operational size. This requirement is objective and sector-based, and arises solely from holding the status of an entity supervised by the Financial Superintendency of Colombia.
Obligated entities | Authorized or registered activity |
| Credit institutions | Deposit-taking, lending, and provision of financial services |
| Trust companies | Trust businesses and management of autonomous estates |
| Brokerage firms | Intermediation in the securities market |
| Pension and severance fund administrators | Management of pension and severance resources |
| Insurance and reinsurance companies | Insurance and reinsurance operations |
| Insurance and reinsurance intermediaries | Marketing and intermediation of insurance and reinsurance |
| Payment system administrators | Operation of high-value and low-value payment systems |
| SEDPE (Specialized Electronic Payment and Deposit Institutions) | Electronic deposits and payment services |
| Supervised FinTech entities | Financial activities within the regulatory perimeter of the Superintendencia Financiera de Colombia |
| Other supervised entities | Financial, insurance, or securities market activities |
2. Minimum Measures Regime
Entities supervised by the Financial Superintendency of Colombia are not subject to a minimum measures regime equivalent to that applicable to other sectors, since the general rule is the full and comprehensive implementation of SARLAFT, in accordance with the parameters established in the Basic Legal Circular.
However, certain entities exempt from the full application of Chapter IV must, in all cases, comply with specific AML/CFT risk control obligations, particularly those related to the reporting of suspicious transactions, cash transaction reports, and other reports required by the Unidad de Información y Análisis Financiero (UIAF), as provided for in the Organic Statute of the Financial System.
Obligated Entities | Criters |
| Supervised entities exempt from Chapter IV | Compliance with minimum AML/CFT control and reporting obligations |
| Entities with limited scope | Proportional application according to their nature and activity |
3. Transparency and Business Ethics Program (PTEE)
Entities supervised by the Financial Superintendency of Colombia (SFC) are not subject to the Transparency and Business Ethics Program (PTEE).
4. SARLAFT Compliance Officer
Entities required to implement SARLAFT must appoint a Compliance Officer, along with a duly designated alternate when applicable, who must meet the requirements of suitability, experience, independence, and dedication established by the Financial Superintendency of Colombia.
The Compliance Officer shall be responsible for the proper implementation, execution, monitoring, and continuous improvement of SARLAFT, as well as for coordination with the competent authorities in matters related to AML/CFT risk prevention.
Obligation | Deadline |
| Appointment of the Compliance Officer | Prior to or concurrent with the implementation of SARLAFT. |
| Reporting of appointment, change, or removal | No specific deadline established. |
5. UIAF Reports
Entities supervised by the Financial Superintendency of Colombia must comply with the reporting obligations required by the UIAF, in accordance with the applicable technical specifications, deadlines, and reporting frequency, through the SIREL system.
Report | What is reported? | Obligated entities | Deadline and frequency | Triggering conditio |
| Suspicious Transaction Report (STR) | All transactions classified as suspicious based on internal analysis | Entities subject to SARLAFT 2.0 or Minimum Measures | Immediately upon determining the suspicion | Submitted through SIREL; it does not constitute a criminal complaint. |
| Absence of Suspicious Transactions Report (ASTR) | Confirmation that no suspicious transactions were identified during the period | Entities subject to SARLAFT 2.0 or Minimum Measures | Within ten (10) calendar days following the end of the period with no STRs | Monthly |
| Objective UIAF reports | Cash transactions, exempt clients, foreign exchange operations, international cards, products offered, autonomous estates, and transactions related to political parties and movements | Supervised entities carrying out these operations, including credit institutions, trust companies, insurance entities, brokerage firms, fund administrators, SEDPE, and other supervised entities offering or managing these products or services | Monthly, in accordance with the UIAF calendar | Includes reporting of non-occurrence where applicable |
6. Mandatory AML/CFT Training
Supervised entities must implement ongoing training programs on the prevention of money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, addressed to directors, employees, and any other individuals linked to the entity.
Obligated entities | Scope | Frequency |
| All subjects supervised by the Superintendency | Training in ML/TF prevention for managers, employees, and operational staff | Annual minimum |
Obligations of the National Superintendency of Health
1. SARLAFT
All legal entities subject to inspection, surveillance, or control by the National Health Superintendency are required to implement, maintain, update, and effectively apply the System for the Administration of the Risk of Money Laundering and Terrorist Financing (SARLAFT), in accordance with the provisions of External Circular No. 009 of 2016 and other applicable regulations.
The obligation to implement SARLAFT is not subject to income, asset, or operational size thresholds, but rather derives directly from the entity’s status as a supervised entity within the General System of Social Security in Health (SGSSS).
Obligated entities | Authorized or registered activity |
| Health Promoting Entities (EPS) | Health insurance and coverage |
| Health Service Provider Institutions (IPS) | Provision of healthcare services |
| Pharmaceutical managers |
Management and dispensing of medicines |
| Adapted entities and special regimes |
Administration of system resources |
| Other supervised entities | Activities related to the SGSSS |
2. Transparency and Business Ethics Program (PTEE)
Entities supervised by the National Superintendency of Health are required to adopt and implement a Transparency and Business Ethics Program (PTEE), in accordance with the guidelines established in External Circular No. 2022151000000053-5 of 2022, which sets forth specific directives for the healthcare sector regarding ethics, transparency, and good corporate governance.
3. SARLAFT and PTEE Compliance Officer
Entities required to implement SARLAFT must appoint a Compliance Officer, along with a duly designated alternative, when applicable. Such officers must meet the requirements of suitability, experience, independence, and dedication established by the competent supervisory authority.
The Compliance Officer shall be responsible for the proper implementation, execution, monitoring, and continuous improvement of SARLAFT and PTEE, as well as for coordination with the competent authorities in matters related to the prevention of AML/CFT risk.
4. UIAF Reports
Entities supervised by the National Superintendency of Health must comply with the reporting obligations required by the Unidad de Información y Análisis Financiero (UIAF), in accordance with the applicable technical specifications, deadlines, and reporting frequency, through the SIREL system.
Report | What is reported? | Obligated entities | Deadlines and frequency | Triggering condition / notes |
| Suspicious Transaction Report (STR) | All transactions classified as suspicious based on internal analysis. | Entities subject to SARLAFT 2.0 or Minimum Measures | Immediately upon determination of suspicion | Submitted via SIREL; it does not constitute a criminal complaint |
| Absence of Suspicious Transactions Report (ASTR) | Confirmation that no suspicious transactions were identified during the period. | Entities subject to SARLAFT 2.0 or Minimum MeasuresMedidas Mínimas | Within ten (10) calendar days following the end of the period without STRs | Monthly |
| Cash Transaction Report – payments to suppliers | Transactions reported based on objective criteria | Supervised entities | Within ten (10) calendar days following the end of the reporting period | Monthly |
| Cash Transaction Report – medical procedures | Transactions reported based on objective criteria | Supervised entities | Within ten (10) calendar days following the end of the reporting period | Monthly |
5. Mandatory AML/CFT and PTEE Training
Supervised entities must implement ongoing training programs on the prevention of money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, as well as on PTEE, aimed at directors, employees, and any other individuals linked to the entity.
Obligated entities | Scope | Frequency |
| All entities supervised by the National Superintendency of Health | AML/CFT and PTEE training for directors, employees, and operational staff | At least annual |
Obligations of the Superintendency of the Solidarity Economy
1. SARLAFT
Solidarity economy organizations subject to inspection, surveillance, or control by the Superintendencia de la Economía Solidaria are required to implement, maintain, and apply the System for the Administration of the Risk of Money Laundering and Terrorist Financing (SARLAFT), in accordance with the provisions of External Circular No. 20 of 2020, External Circular No. 32 of 2021, and any other regulations that amend or supplement them.
This obligation arises solely from holding the status of a supervised entity, without prejudice to the criteria of graduality and proportionality defined by the Superintendency of the Solidarity Economy.
Obligated entities | Authorized or registered activity |
| Cooperatives | Solidarity-based and financial activities |
| Employee funds | Savings and credit for members |
| Mutual associations | Solidarity services |
| Supervised solidarity organizations | Authorized activities |
| Solidarity economy entities with financial activity | Deposit-taking and lending operations |
2. Transparency and Business Ethics Program (PTEE)
Entities supervised by the Superintendency of the Solidarity Economy are not required to implement a Transparency and Business Ethics Program (PTEE), as there is currently no sector-specific regulation in force mandating its adoption.
3. SARLAFT Compliance Officer
Organizations required to implement SARLAFT must appoint a Compliance Officer, in accordance with the suitability and experience requirements established by the Superintendency of the Solidarity Economy.
The Compliance Officer shall be responsible for the implementation, execution, and monitoring of SARLAFT, as well as for fulfilling reporting obligations before the competent authorities.
Obligation | Deadline |
| Appointment of the Compliance Officer | Prior to or concurrent with the implementation of SARLAFT |
| Reporting of appointment, change, or removal | No specific deadline established |
4. UIAF Reports
Solidarity economy organizations subject to inspection, surveillance, or control by the Superintendency of the Solidarity Economy must comply with the mandatory reporting obligations before the Unidad de Información y Análisis Financiero (UIAF), in accordance with the technical guidelines, deadlines, and reporting frequency defined for each type of entity, based on their level and nature of activity, through the SIREL system.
4.1. Solidarity Economy Organizations that DO NOT carry out financial activities
(Level 2 and Level 3 cooperativism)
These organizations must comply with the following reports:
Report | What is reported? | Obligated entities | Deadline and frequency | Triggering condition / notes |
| Suspicious Transaction Report (STR) | All transactions classified as suspicious based on internal analysis | Entities subject to SARLAFT | Immediately upon determination of suspicion | Submitted via SIREL; it does not constitute a criminal complaint |
| Absence of Suspicious Transactions Report (ASTR) | Confirmation that no suspicious transactions were identified during the period | Entities subject to SARLAFT 2.0 or Minimum Measures | Within twenty (20) calendar days following the end of the period without STRs | Monthly |
| Individual and Multiple Transactions Report | Individual transactions ≥ COP 5.000,000 and multiple transactions ≥ COP 30.000.000 | Entities carrying out financial activities | Within the first twenty (20) calendar days of the month following the reported month | Amounts frozen for 2026 |
| Products Report | Financial and solidarity products | Entities that do not carry out financial activities | Every six (6) months | Mandatory |
| Card Transactions Report | Card-based transactions | Entities that do not carry out financial activities | Every six (6) months | Mandatory |
4.2. Solidarity Economy Organizations that DO carry out financial activities
(Cooperatives with financial activity)
Report | What is reported? | Obligated entities | Deadline and frequency | Triggering condition / notes |
| Suspicious Transaction Report (STR) | All transactions classified as suspicious based on internal analysis | Entities subject to SARLAFT | Immediately upon determination of suspicion | Submitted via SIREL; it does not constitute a criminal complaint |
| Absence of Suspicious Transactions Report (ASTR) | Confirmation that no suspicious transactions were identified during the period | Entities subject to SARLAFT 2.0 or Minimum Measures | Within twenty (20) calendar days following the end of the period without STRs | Monthly |
| Individual and Multiple Transactions Report | Individual transactions ≥ COP 5.000.000 and multiple transactions ≥ COP 30.000.000 | Entities carrying out financial activities | Within twenty (20) calendar days following the end of the period without STRs | Montos congelados para 2026 |
| Products Report | Financial and solidarity products | Entities carrying out financial activities | Within twenty (20) calendar days following the end of the period without STRs | Mensual |
| Card Transactions Report | Card-based transactions | Entities carrying out financial activities | Within twenty (20) calendar days following the end of the period without STRs | Monthly |
5. Mandatory AML/CFT Training
Supervised organizations must implement continuous training programs on the prevention of money laundering and terrorist financing, aimed at directors, employees, and members.
Obligated entities | Scope | Periodicidad |
| All obligated entities | Training in FT prevention for managers, employees and operational staff | At least annually |
Obligations of the Superintendency of Private Surveillance and Security
1. SARLAFT 2.0
All legal entities subject to inspection, surveillance, or control by the Superintendencia de Vigilancia y Seguridad Privada are required to implement the System for the Administration of the Risk of Money Laundering and Terrorist Financing (SARLAFT 2.0), in accordance with the instructions issued by such authority.
No minimum income or asset thresholds apply. This obligation arises solely from carrying out private surveillance and security activities.
Obligated entities | Authorized or registered activity |
| Private surveillance and security companies | Fixed and mobile surveillance, bodyguards, cash-in-transit |
| Electronic surveillance companies | Monitoring, alarms, CCTV, technological security systems |
| Security technology leasing companies | Rental of security equipment and devices |
| Armoring companies | Manufacturing, installation, or adaption of armored protection |
| Empresas de capacitación y entrenamiento | Formación en vigilancia y seguridad privada |
| Training and instruction companies | Departamentos internos autorizados en entidades públicas o privadas |
| Special and ancillary services | Servicios autorizados distintos a vigilancia tradicional |
| Security advisors, consultants, and auditors | Personas naturales o jurídicas inscritas ante la Supervigilancia |
| Manufacturers, marketers, and installers of security equipment | Actividades registradas ante la Supervigilancia |
| Licensed natural persons | Prestación individual de servicios de seguridad privada |
2. Transparency and Business Ethics Program (PTEE) – March 16, 2026
Legal entities supervised by the Superintendency of Private Surveillance and Security must implement a Transparency and Business Ethics Program (PTEE), in accordance with External Circular No. 20251000000035CS of 2025.
The obligation derives from the status of a supervised entity, without the application of income or asset thresholds.
Obligated entities | Criteria | Deadline |
| Private surveillance and security companies | Legal entities supervised by the Superintendency | March 16, 2026 |
| Companies authorized after the issuance of the Circular | Newly supervised or authorized entities | Six (6) months from the issuance of the administrative authorization act |
3. SARLAFT and PTEE Compliance Officer
Entities required to implement SARLAFT and PTEE must appoint a Compliance Officer, along with an alternate, where applicable, meeting the suitability and experience requirements established by the Superintendency of Private Surveillance and Security.
Obligation | Deadline |
| Appointment of the Compliance Officer | Prior to or concurrent with the implementation of SARLAFT 2.0 and PTEE |
| Reporting of appointment, change, or removal | No specific deadline established |
4. UIAF Reports
Report | What is reported? | Obligated entities | Deadline and frequency | Triggering condition / notes |
| Suspicious Transaction Report (STR) | All transactions classified as suspicious based on internal analysis | Entities subject to SARLAFT 2.0 or Minimum Measures | Immediately upon determination of suspicion | Submitted via SIREL; it does not constitute a criminal complaint |
| Absence of Suspicious Transactions Report (ASTR) | Confirmation that no suspicious transactions were identified during the period | Entities subject to SARLAFT 2.0 or Minimum Measures | Within ten (10) calendar days following the end of the period without STRs | Monthly |
| Cash Transaction Report -TRSO | Details of cash transactions carried out by clients meeting objective UIAF criteria | Entities subject to SARLAFT across all sector | Within the first ten (10) calendar days of the month following the reported month | Includes reporting of absence of cash transactions, if applicable |
5. Mandatory AML/CFT and PTEE Training
Obligated entities | Scope | Frequency |
| All entities supervised by the Superintendency | AML/CFT and PTEE training for directors, employees, and operational staff | At least annually |
Obligations of the Superintendency of Transport
1. SARLAFT
Natural and legal persons subject to inspection, surveillance, and control by the Superintendencia de Transporte are required to implement the System for the Administration of the Risk of Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons of Mass Destruction (SARLAFT), in accordance with the provisions of the Unified Infrastructure and Transport Circular and the resolutions that implement it.
This obligation does not depend on income or asset thresholds, but rather on the status of a supervised entity and the type of activity carried out within the transport sector.
Obligated entities | Supervised activity |
| Automotive land transport companies | Passenger, freight, special, and mixed transpor |
| Rail, river, maritime, and cable transport companies | Operation and administration |
| Transport infrastructure concessionaires | Road, port, and airport concessions |
| Multimodal and logistics transport operators | Activities subject to supervision |
| Driving schools (CEA) | Driver training |
| Automotive diagnostic centers (CDA) | Technical and mechanical inspections |
| Driver certification centers (CRC) | Aptitude and competency assessments |
2. Transparency and Business Ethics Program (PTEE) – May 18, 2026
The Transparency and Business Ethics Program (PTEE) was incorporated into the regulatory framework of the Superintendency of Transport through Resolution No. 14673 of September 18, 2025, which added Chapter 10 to Title V of the Unified Infrastructure and Transport Circular, in implementation of Law 2195 of 2022.
All legal entities supervised by the Superintendency of Transport that carry out business activities are required to implement the PTEE, without the application of thresholds expressed in statutory minimum monthly wages (SMMLV).
Implementation deadline
The Resolution established a transitional period of eight (8) months.
Obligated entities | Deadline |
| Entities supervised as of september 18, 2025 | 18 de mayo de 2026 |
| Newly supervised entities | Eight (8) months from the granting of authorization, registration, or the relevant administrative act |
3. SARLAFT and PTEE Compliance Officer
Entities obligated to implement SARLAFT and the Transparency and Business Ethics Program (PTEE) must appoint a Compliance Officer, who may perform both functions concurrently, provided that they meet the requirements of suitability, experience, independence, and dedication established by the applicable regulations of the Superintendency of Transport.
The appointment must be made by the competent governing body of the entity and must ensure continuity of the compliance function.
Obligation | Deadline |
| Appointment of the SARLAFT and PTEE Compliance Officer | Prior to or concurrent with the implementation of the programs |
| Reporting of appointment or change to the Superintendency of Transport | Within ten (10) business days |
| Appointment in case of definitive or permanent absence | Within ten (10) business days |
4. UIAF Reports
Entities subject to SARLAFT must comply with the reporting obligations required by the Unidad de Información y Análisis Financiero (UIAF), through the SIREL system.
Report | Obligated entities | Deadline |
| Suspicious Transaction Report (STR) | Entities subject to SARLAFT | Immediate |
| bsence of Suspicious Transactions Report (ASTR) | Entities subject to SARLAFT | Within the first ten (10) calendar days of the following month |
5. Mandatory AML/CFT and PTEE Training
Obligated entities | Scope | Frequency |
| All supervised entities | AML/CFT and PTEE training for directors, employees, and operational staff | At least annually |
National Database Registry (RNBD)
Obligations related to the National Database Registry (RNBD) are governed by Law 1581 of 2012, Decree 1074 of 2015, and External Circular No. 002 of 2015, issued by the Superintendency of Industry and Trade, the national authority for personal data protection.
These obligations apply to personal data controllers that meet the objective criteria established by the regulations, regardless of the economic sector or the Superintendency responsible for their supervision.
Who is required to register with the RNBD?
Public or private legal entities, as well as individual merchants, acting as data controllers, are required to register with the RNBD if they meet at least one of the following criteria:
Criterion | Threshold |
| Total assets | Exceeding 100.000 UVT |
| Processing of sensitive personal data | Regardless of asset value |
| Processing of data of children and adolescents | Regardless of asset value |
RNBD Obligations
Obligation | Obligated entities | Deadline |
| Initial registration of databases in the RNBD | Controllers exceeding 100.000 UVT or processing sensitive data or data of minors | Within two (2) months following the creation of the database |
| Annual update of registered information | Controllers registered with the RNBD | By march 31 of each year |
| Update due to substantial changes | Controllers registered with the RNBD | Within ten (10) business days following the change |
| Registration of security incidents | Data controllers | Within fifteen (15) business days following detection |
| Reporting of data subject complaints | Data controllers | Before february 20 and before august 25 |
| Retention of RNBD supporting documentation | Data controllers | For as long as the database exists and for the applicable statutory period |
