Feb 12, 2026

SARLAFT: Colombia’s AML Compliance Framework—Complete Guide (2026)

Learn how Colombia’s SARLAFT anti-money laundering compliance framework works.

In the last decade, Colombia has made significant progress in tackling financial crime, including money laundering, according to the Financial Action Task Force (FATF). A key tool in Colombia’s fight against financial crime has been the SARLAFT framework, which certain regulated entities under the Superintendencia Financiera oversight must use to identify and manage risks related to money laundering and terrorist financing.

Let’s take a closer look at how SARLAFT works in practice and why it matters for compliance teams on the ground. By understanding its structure and purpose, organizations can better spot AML risks, strengthen internal controls, and stay aligned with Colombia’s regulatory expectations.

What is SARLAFT?

SARLAFT is Colombia’s Anti-Money Laundering and Counter Terrorism Financing Risk Management System (in Spanish, Sistema de Administración del Riesgo de Lavado de Activos y de Financiación del Terrorismo).

It is a framework that entities regulated by Colombia’s Financial Superintendence (Superintendencia Financiera de Colombia) must use as part of their regulatory obligations for money laundering prevention and countering the financing of terrorism. 

SARLAFT vs SAGRILAFT: Key differences

SARLAFT and SAGRILAFT are both anti-money laundering risk management frameworks mandated by Colombian authorities, but they apply to different types of regulated entities and are overseen by different supervisory bodies. 

SARLAFT applies primarily to financial institutions such as banks, insurers, and other entities supervised by the Financial Superintendence of Colombia, and its core focus is the prevention and management of money laundering and terrorist financing risks.

SAGRILAFT, by contrast, applies to certain non-financial companies supervised by the Superintendence of Companies (Superintendencia de Sociedades), based on factors such as sector, size, revenue thresholds, and risk exposure. It is required for qualifying commercial and industrial companies, including certain Virtual Asset Service Providers (VASPs). In addition to addressing money laundering and terrorist financing risks, SAGRILAFT explicitly extends to cover financing the proliferation of weapons of mass destruction.

While both frameworks follow a risk-based approach and share similar structural principles, their scope, regulatory oversight, and applicability criteria reflect Colombia’s differentiated approach to AML supervision across financial and non-financial sectors.

Another framework with a similar purpose is SIPLAFT, which covers AML/CTF in industries such as iGaming, private security and surveillance, and land transport.

SARLAFT 4.0: Latest updates from Colombia's Financial Superintendence 

SARLAFT 4.0 refers to the updated Risk Management System for Money Laundering and Terrorism Financing under the supervision of Colombia’s Financial Superintendence, designed to strengthen risk identification, control, and monitoring across financial institutions in line with international standards. 

Unique characteristics of SARLAFT

Unlike generic compliance checklists, SARLAFT requires entities to build a tailored system of risk identification, measurement, control, and ongoing monitoring specific to their own business and client profiles, with a strong focus on documentation, governance, and continuous risk evaluation. This helps to ensure financial crime prevention measures are robust and consistent across the industry.

Cornerstone AML regulations in Colombia include:

  • Law 599 of 2000 (Penal Code), which defines money laundering, makes it a criminal offence, and sets penalties for such offences.
  • Law 793 of 2002 (Anti-Money Laundering Regime), which establishes AML measures, including regulatory obligations for reporting entities.
  • Law 1121 of 2006 (Counterterrorism Financing Regime), which establishes measures for combating terrorism financing in Colombia, including obligations for reporting entities.
  • Decree 1497 of 2014, which regulates Colombia’s Financial Information and Analysis Unit - UIAF (Unidad de Información y Análisis Financiero). UIAF is the government agency that deals with suspicious transaction reports from reporting entities.
  • Resolution 0555 of 2019, which was issued by Colombia’s Financial Superintendence and sets guidelines for financial institutions to implement AML/CTF measures.

SARLAFT is underpinned by two main financial regulations: 

  1. The Basic Legal Circular (Circular Básica Jurídica). This provides guidance on how regulated entities should interpret and apply the law to their organizations.
  2. The Organic Statute of the Financial System (Decree 663 of 1993). This sets out key principles such as the general structure of Colombia’s financial system for intermediaries and the activities that regulated entities can perform.  

Role of Colombia's Financial Superintendence (Superfinanciera) 

The Financial Superintendence (Superfinanciera) is Colombia’s government agency responsible for regulating the banking and insurance sectors. Its role is to combat financial crime and preserve the integrity of Colombia’s financial system. 

The Financial Superintendence sets regulatory compliance requirements for banks and insurers and can impose penalties for non-compliance.

Counter-terrorism financing regulations in Colombia

As well as being designed to combat money laundering, SARLAFT is also intended to help prevent terrorism financing through banks and insurers. SAGRILAFT performs the same role for companies in the commercial and industrial sectors.

These frameworks operate alongside Colombia’s wider counter-terrorism financing regime, which includes criminal law provisions, asset-freezing obligations, and compliance with UN Security Council sanctions. Together, they form part of Colombia’s risk-based approach to identifying, monitoring, and mitigating terrorism financing risks across both financial and non-financial sectors.


The five essential elements of SARLAFT

There are five essential elements of a SARLAFT compliance program that organizations must implement:

1. Policies and procedures for AML compliance 

Effective compliance policies must be developed that give an organization a framework for meeting its SARLAFT compliance obligations. These policies should cover all of the rules and procedures that the organization and its employees must follow to ensure each element of the SARLAFT process is carried out correctly and that the risk of financial crime is minimized.

2. Documentation and record-keeping requirements 

All policies and procedures should be clearly documented and stored in an accessible format. Detailed records should be kept of actions taken to comply with SARLAFT requirements. This helps to demonstrate compliance and gives an organization the information it needs to identify any gaps in implementation.

3. Organizational structure and control bodies

An organization should review its structure and determine what responsibilities different teams and individuals have for implementing SARLAFT. These roles and responsibilities should be clearly documented, and appropriate training should be provided to the relevant people.

Control bodies should be established to oversee and evaluate the effectiveness of an organization’s SARLAFT implementation and compliance. These bodies can be internal teams and/or individuals, as well as external auditors.

4. Technology infrastructure for AML/CFT

Modern approaches to the prevention of financial crime are heavily reliant on technology. Organizations must understand their technical requirements for SARLAFT compliance, then make sure they have suitable tools in place to meet those requirements. Advanced anti-fraud tools using technology such as AI can often make compliance faster, less labor-intensive, and more effective, so this is a very important area to get right.

5. Training and information disclosure programs

Any framework is only as effective as the people implementing it. All employees should receive appropriate training on their roles and responsibilities within the SARLAFT framework so they can carry out their parts of the process correctly. AML training should be ongoing, so employees' knowledge stays fresh and they are informed of any updates.

It is also critical that the right people have the right information at the right time, so information disclosure must be carefully planned. Procedures should be in place to keep internal and external stakeholders up to date on the organization’s AML and CTF efforts, with regular, transparent reporting.

The four stages of SARLAFT risk management

There are four stages of money laundering prevention covered by SARLAFT:

Stage 1: ML/TF risk identification

The risk identification stage involves rigorously assessing an organization’s processes and transactions to spot any potential areas where financial crime could occur. For example, what processes are there to deal with business customers with complex corporate structures that could pose a greater risk of being used to hide illicit funds? 

Stage 2: Probability and impact measurement using a risk matrix 

All identified risks should then be assessed for how likely they are to occur and what impact they would have if they did occur. This is commonly visualised using a ‘risk matrix’ that compares the likelihood and impact of different risks to determine what level of control would be required to manage these risks.

Risk matrix example (rows: likelihood of the risk occurring; columns: impact if the risk occurs)

Likelihood | Minor             | Moderate            | Major                       | Catastrophic
Low        | Basic controls    | Moderate controls   | High-level controls         | Strictest level of controls
Medium     | Basic controls    | Moderate controls   | High-level controls         | Strictest level of controls
High       | Moderate controls | High-level controls | Strictest level of controls | Strictest level of controls


Stage 3: Risk control and internal controls implementation 

Once risks have been identified and assessed, internal controls will be needed to manage those risks. These are processes that an organization’s risk management teams and other employees must follow to minimize the likelihood of a risk occurring and the impact of any risks that cannot be avoided.

Stage 4: Continuous transaction monitoring

Transaction monitoring must be carried out on a continuous basis to make sure that an organization’s internal controls are effective. This involves actively checking customer transactions for signs of any suspicious activity that could indicate financial crime is taking place. Organizations should also continually review their risks and controls to make sure they are effective and spot any changes in the risk landscape.

From KYC to KYR: Evolution of customer risk assessment

SARLAFT compliance is built on a risk-based approach to customer assessment rather than a one-size-fits-all model. This is where traditional Know Your Customer (KYC) processes are evolving into broader, more dynamic approaches to understanding customer risk. As financial crime risks become more complex, organizations are moving beyond basic identity checks toward continuous risk evaluation—often described as the shift from KYC to Know Your Risk (KYR).

KYC involves organizations identifying their customers, verifying that these identities are accurate, and determining what level of risk each customer may pose for financial crime. KYC is a well-established approach to reducing the risk of money laundering and other financial crimes.

Now, it is increasingly complemented by the Know Your Risk (KYR) approach, which tailors an organization’s approach to each customer's individual risk profile.

Know Your Customer (KYC): The traditional approach

Know Your Customer is an approach used all over the world by regulated and unregulated organizations seeking to prevent financial crime. 

KYC typically includes:

  1. Collecting basic identity information (such as name, address, and date of birth)
  2. Verifying identity using official documents and trusted data sources
  3. Confirming the individual matches the identity through checks like liveness detection
  4. Assessing financial crime risk based on factors such as history, location, and watchlists
  5. Assigning a risk profile to determine the appropriate level of ongoing monitoring

Know Your Risk (KYR): The modern risk-based paradigm 

Within SARLAFT’s risk-based framework, customer risk assessment plays a central role in shaping compliance controls.

Modern AML relies on a risk-based approach, where organizations tailor their efforts to the risk profile of individual customers. This means that low-risk customers can be put through a simplified due diligence process while higher-risk customers are put through more comprehensive checks. Organizations can therefore deploy their resources more efficiently, since they are not needlessly carrying out rigorous due diligence on low-risk customers, and they can make sure that the customers at higher risk of involvement in financial crime are thoroughly examined.

Customers also benefit as low-risk customers do not need to go through the time and hassle of more in-depth due diligence checks.

Customer Due Diligence and Enhanced Due Diligence

Customer Due Diligence (CDD) is the process of verifying a customer’s identity and assessing their risk level. Enhanced Due Diligence (EDD) is carried out where a customer is believed to pose a higher risk of involvement in financial crime and involves more in-depth assessments.

The SARLAFT Compliance Officer: Roles and responsibilities 

Organizations required to implement SARLAFT must appoint a Compliance Officer, whose role is to ensure the organization meets the regulatory requirements. The Compliance Officer must be an employee of the organization: their functions, as well as those related to identifying and reporting unusual transactions and determining and reporting suspicious transactions, cannot be outsourced to third parties.

What is a Compliance Officer, and what do they do?

A Compliance Officer is someone who takes legal liability for an organization's compliance with particular regulations. In the case of SARLAFT, this means they have a duty to ensure an organization properly implements the framework set out by Colombia’s Financial Superintendence.

Key tasks a SARLAFT Compliance Officer must carry out include:

  • Ensuring SARLAFT requirements are met
  • Overseeing the implementation of the framework
  • Coordinating employee training on the requirements of the framework
  • Preparing an annual report to the organization’s Board of Directors on the organization’s compliance with regulatory requirements and any areas for improvement
  • Certifying to the Financial Superintendence that regulatory requirements are being met

AML Officer certifications and professional development

While it is not a regulatory requirement in Colombia for SARLAFT Compliance Officers to have any particular qualifications or training, this is highly recommended. Organizations such as the United Nations Institute for Training and Research (UNITAR) offer training programs for Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) in Colombia.

Having specialist training and certification helps Compliance Officers to understand their obligations and have the skills to carry them out effectively. It can also help to give them more authority within an organization by acting as an independent verification of their expertise.

Compliance Officer's relationship with the Board of Directors

The relationship between a Compliance Officer and the Board of Directors is critical to effective compliance. The Compliance Officer should have direct access to the Board and sufficient independence from management to avoid conflicts of interest, particularly when reporting compliance issues.

Where the Compliance Officer holds additional roles, organizations must have controls in place to identify and manage potential conflicts. In addition to oversight, the Compliance Officer supports the Board by providing strategic guidance on regulatory obligations, emerging risks, and the development of a strong risk and compliance culture.

History and international background of SARLAFT

From SIPLA to SARLAFT: Evolution in Colombia 

SIPLA is Colombia’s ‘System for the Prevention of Money Laundering’ (in Spanish, Sistema para la Prevención del Lavado de Activos). It is a mandatory anti-money laundering framework overseen by DIAN, the country’s National Tax and Customs Directorate (in Spanish, Dirección de Impuestos y Aduanas Nacionales). 

SIPLA applies to various entities, including those involved in imports and exports, brokerages, traders in high-value assets such as precious stones and metals, and Virtual Asset traders. SIPLA requirements include following a manual of procedures, appointing a Compliance Officer, carrying out Customer Due Diligence, and reporting high-risk transactions.

At the same time, SIPLA has several important limitations. It does not require a risk-based approach, nor does it explicitly mandate periodic reviews of customer risk profiles. 

By contrast, SARLAFT in Colombia imposes more comprehensive requirements on covered sectors, including an obligation to adopt a more modern, risk-based approach to AML and counter-terrorist financing.

International Standards: FATF, ISO 31000, and COSO ERM 

Colombia is a member of the Financial Action Task Force (FATF), which sets international standards for combating financial crime. As a FATF member, Colombia is required to meet FATF standards and undergo periodic evaluations to see how it is performing against those standards.

Previous FATF evaluations identified areas for improvement in Colombia’s approach to AML/CTF. A 2018 report noted issues including systems and tools that were “not entirely in line with the risk-based approach,” as well as “significant deficiencies in the customer due diligence (CDD) framework”.

SARLAFT helps to address some of these concerns by imposing a risk-based approach and clearer Customer Due Diligence requirements on banks and insurers. This progress has been noted in more recent FATF reports in 2022 and 2023.

Colombia has also implemented the ISO 31000:2018 standard for risk management, which is set by the International Organization for Standardization (ISO) and has been widely adopted around the world. This standard helps to ensure organizations in Colombia are using equivalent definitions and principles for risk management compared to other leading nations.

The COSO Enterprise Risk Management Framework (‘COSO ERM’) is also widely used in Colombia. This is a leading risk management framework for organizations that provides a comprehensive approach to managing risks, including those from financial crime.

Global Influences: US Bank Secrecy Act and Australian AML/CTF 

The United States is Colombia’s top trading partner, responsible for nearly a third (28%) of its international trade. Therefore, while US laws do not directly apply to Colombia, some do have the potential to seriously impact the Colombian economy. 

The Bank Secrecy Act is a pioneer piece of US anti-money laundering legislation that helped shape international AML standards that Colombia later adopted. It imposes requirements on US financial institutions and other businesses to help prevent money laundering. Colombian businesses trading with counterparts in the US need to be mindful of these requirements if they wish to continue working with US businesses. This is one factor that has helped to encourage Colombian lawmakers to introduce stricter AML/CTF regulations.

Colombia also works closely with many different countries, such as Australia, on issues including transnational crime. As a result, Colombia’s approach to issues such as AML/CTF is influenced by a wide range of international partners and regulations from around the world.

Benefits of implementing SARLAFT 

Implementing SARLAFT offers a number of benefits when it comes to AML best practices, including:

Professionalization of ML/TF prevention programs

SARLAFT requirements help to make AML programs more consistent and professional by setting a standardized approach. This ensures that all regulated entities understand what is required, and that there are suitable checks and accountable people within organizations to maximize the likelihood of compliance.

Improving decision-making with risk-based approaches 

A risk-based approach to financial crime prevention can lead to better outcomes by ensuring resources are deployed where they are most needed while minimizing disruption for legitimate customers. 

Following a risk assessment, customers will be assigned a risk profile based on various criteria indicating an organization’s perception of how likely each customer is to be involved in financial crime. Low-risk customers can then be put through Simplified Due Diligence, making onboarding faster and less onerous for them. Higher-risk customers can be put through Enhanced Due Diligence, giving a better chance of spotting any signs of financial crime. 

Standardizing Suspicious Activity Reporting criteria

Suspicious Activity Reports (SARs) must be filed when a regulated entity finds evidence of suspicious activity, e.g., a customer receiving funds from or sending them to a high-risk jurisdiction. Having standardized criteria for when a SAR should be filed can help to ensure consistent standards across the banking and insurance sectors. This avoids the risk that some institutions are seen as a “soft touch” and thus become prime targets for criminals.

SAR criteria under SARLAFT must be approved by an institution’s board of directors or equivalent body, and these must be reviewed every 6 months. When suspicious activity is detected, an investigation should be carried out promptly, and a report prepared and submitted in a timely manner with all necessary information included.

The report must include the reasons why a transaction was deemed unusual. It is not necessary for the institution to be certain that a transaction was related to criminal activity in order to make a report.

Common concerns when using SARLAFT and other AML risk management frameworks

Imperceptibility of money laundering risk

Money laundering risk is often subtle and can mimic legitimate behaviour. Distinguishing money laundering from normal activity is therefore difficult without robust risk assessments, continuous monitoring, and trend analysis; isolated transaction checks are not enough.

Confidentiality and sensitivity of AML information 

AML systems like SARLAFT involve highly sensitive personal, transactional, and risk data that must be protected to avoid tipping off and to respect privacy laws while still enabling effective risk reporting to Financial Intelligence Units (FIUs) and regulatory oversight.

Why complete risk elimination is impossible 

Absolute elimination of money laundering risk is unattainable because financial crime evolves faster than rules can be written, and even advanced controls cannot perfectly distinguish between legitimate and illicit activity without generating false positives or impeding normal business. What regulated entities must do is have a robust, compliant risk management framework in place, so that if something slips through the net, they cannot be found negligent. This is important both for regulatory and reputational risk. 

FAQ

  • What is SARLAFT, and what is it used for?

    SARLAFT is a mandatory anti-money laundering framework that must be followed by banks and insurers regulated by Colombia’s Financial Superintendence. As well as being used to prevent money laundering, it is also used to prevent the financing of terrorism.

  • What are the four stages of money laundering prevention in SARLAFT?

    SARLAFT follows four core stages:

    • Identification: Identifying money laundering and terrorist financing risks based on defined risk factors.
    • Measurement: Assessing the likelihood and potential impact of those risks, using qualitative or quantitative methods.  
    • Control: Implementing measures to mitigate and manage identified risks.
    • Monitoring: Continuously reviewing risk profiles and the effectiveness of the SARLAFT system.

  • What is the difference between SARLAFT and SAGRILAFT?

    SARLAFT is required for banks and insurers regulated by the Financial Superintendence. SAGRILAFT must be used by companies in the commercial and industrial sectors that are regulated by the Superintendence of Companies (Superintendencia de Sociedades), as well as by Virtual Asset Service Providers (VASPs).

  • What is Customer Due Diligence in AML compliance?

    Customer Due Diligence (CDD) is the process businesses must follow to verify their customers’ identities and assess what level of risk they pose for financial crimes, such as money laundering and financing terrorism. When an institution implements a SARLAFT-compliant risk management framework, it must include procedures to obtain an effective, efficient, and timely knowledge of all current and potential clients (KYC procedures), as well as to verify the information and its supporting documents.

  • What is a Suspicious Activity Report, and when should it be filed?

    A Suspicious Activity Report (SAR) is a report that a regulated entity makes when they have identified signs of suspicious activity involving one of their customers (e.g., a financial transaction that exceeds a certain threshold set by a regulator or that does not match the customer’s usual behavior). Regulators set their own criteria for when a SAR should be filed. Under SARLAFT, SARs must comply with the objective criteria set by the institution.