KYC in Colombia: SARLAFT, Cédula Verification, and the Fintech Boom (2026)
How KYC works in Colombia in 2026: SARLAFT requirements, cédula and Registraduría verification, data protection under Ley 1581, and instant-payment fraud.

Colombia has quietly become one of Latin America's strongest fintech stories. Bogotá and Medellín ship neobanks, lenders, and crypto platforms at a pace that rivals far larger markets, and the country's compliance framework is among the region's most structured. The acronym every compliance team learns first is SARLAFT.
Here is how verification works in Colombia in 2026, from the cédula to the country's new instant-payment rails.
SARLAFT: the risk system, not just a checklist
SARLAFT, the Sistema de Administración del Riesgo de Lavado de Activos y de la Financiación del Terrorismo, is the risk-management system that entities supervised by the Superintendencia Financiera de Colombia must operate, with the UIAF as the financial intelligence unit receiving reports. The current generation of the framework is explicitly risk-based and explicitly digital-friendly: it contemplates electronic customer identification and remote onboarding, provided controls match the risk. The duties are familiar in shape: identify and verify the customer, understand beneficial ownership, segment by risk, monitor continuously, and report suspicious operations. But SARLAFT's distinctive demand is the documented risk system itself: examiners review the methodology, not just the outcomes.
The cédula and the verification stack
Colombian identity centers on the cédula de ciudadanía issued by the Registraduría Nacional, including the newer digital cédula, with the cédula de extranjería covering foreign residents. A compliant remote stack validates the document's security features, confirms the holder against the document with biometric face match and liveness, and screens the verified identity against sanctions, PEP, and adverse media lists. That last step is the continuous-screening layer that the Arbiter compliance engine automates. Document fraud pressure is meaningful and synthetic-media attacks are arriving on the same curve seen elsewhere, which puts deepfake-resistant liveness on the requirements list for any 2026 deployment.
Data protection and the instant-payment era
Ley 1581 of 2012, Colombia's data protection statute supervised by the SIC, governs verification data, with biometric data treated as sensitive and consent-driven. Meanwhile Banco de la República's new interoperable instant-payment system has begun doing for Colombia what PIX did for Brazil: collapsing payment friction and, with it, compressing the fraud window. The Brazilian lesson applies directly: when money moves in seconds, identity at account opening becomes the control that matters most.
What good looks like for a Colombian launch
A defensible stack in Colombia verifies the cédula with full document forensics, runs biometric match and liveness with injection-attack defense, screens and monitors continuously, keeps Spanish-language onboarding native rather than translated, and produces examiner-ready evidence for SFC review. The deepidv verification engine covers Colombia within its 211+ country footprint at published per-check pricing, with every check independently verifiable at proof.deepidv.com, which gives an examiner evidence they can confirm without taking anyone's word for it.
Colombia KYC FAQ
- What is SARLAFT?
  SARLAFT is Colombia's mandated risk-management system for money laundering and terrorism financing, operated by entities supervised by the Superintendencia Financiera, covering identification, segmentation, monitoring, and reporting to the UIAF.
- Can KYC be done remotely in Colombia?
  Yes. The framework contemplates electronic identification and remote onboarding with risk-appropriate controls, typically document verification of the cédula plus biometric face match and liveness.
- What is the cédula de ciudadanía?
  The national identity card issued by the Registraduría Nacional, including a digital version, and the primary identity document for Colombian citizens, with the cédula de extranjería covering foreign residents.
- How is biometric data regulated in Colombia?
  Under Ley 1581 of 2012, biometric data is sensitive personal data requiring consent and heightened protection, supervised by the Superintendencia de Industria y Comercio.
- Why is verification urgency rising in Colombia?
  Interoperable instant payments compress the fraud window the way PIX did in Brazil, making identity controls at account opening the highest-leverage defense.
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.