Fintech 2020

Last Updated March 02, 2020


Law and Practice


Baker McKenzie S.A.S. is a recognised global firm with strong representation in Latin America, where it has won many awards and has the widest geographical coverage of the region of any law firm. It is ranked among the top three law firms in Colombia with a multidisciplinary team of professionals who are specialists in their clients' industries. Technically and commercially skilled, these professionals are trained to anticipate risks in a permanently changing and globalised business environment. Baker McKenzie's global network enables it to have a unique best-practices and knowledge exchange between its branches and incentivises the firm to maintain international service standards. Its Innovation Centres represent a strategic investment to keep the firm at the forefront of the legal services industry.

Fintech initiatives and business models in Colombia are booming. Currently, Colombia Fintech, an industry forum, has over 100 fintech companies/projects registered as members. 2019 was a year with a lot of firsts. Following the regulation issued in 2018 to develop crowdfunding and peer-to-peer lending platforms, the first platform, a2censo, was authorised to operate. There was also the first partnering of a superapp with a licensed financial institution to offer e-deposits (Rappi and Davivienda). The law also made it possible for the first time for the regulator to issue traditional licences on a temporary basis with a reduced regulation burden, and the Colombian Financial Superintendency (SFC) allowed for simplified know-your-customer and anti-money laundering/combating the financing of terrorism (AML/CFT) requirements for products beyond e-deposits, such as investments in portfolio funds.

The field also appears to be booming in payments, e-deposits and online/streamlined lending, and overcrowded with payment platforms (both in the aggregator and in the gateway model) and online or streamlined lending. Colombia is yet to decide whether it will adopt fintech regulation that will foster competition, thus putting some pressure on legacy players, or whether the regulation will be more likely to facilitate co-operation between new industry players and legacy players.

The fact is that most of the recent types of licences available, eg, a Companies (sociedades) Specialised in Deposits and Electronic Payments (Sedpe) licence for e-deposits and transfers and crowdfunding peer-to-peer lending, seem to be more attractive to legacy players than to new players, and increased co-operation between legacy players and new industry players is the norm in the SFC sandbox.

Material Developments in Verticals

There have been material developments in the following fintech verticals:

  • payment platforms both in the aggregator and in the gateway models;
  • online lending;
  • credit scoring; and
  • e-deposits and mobile wallets.

There are yet to be material developments in other verticals such as:

  • crowdfunding;
  • peer-to-peer lending;
  • crypto-assets; and
  • open banking.

Payment Platforms

No specific regulation is required in connection with payment platforms. Regulation is mostly limited to minimum security and contractual requirements that must be met when rendering services to financial institutions. The aggregator model faced many challenges since the keeping of balances by the aggregator could have qualified as illegal deposit-taking, but the consensus seems to be that it would be a permitted form of deposit-taking.

Online Lending

Lending of the lender’s own resources does not require any licensing. However, lending out of deposits taken from the public would require a licence such as a banking, financial company or financial corporation financing licence. Unregulated lending is subject to certain consumer protection restrictions, mainly associated with information disclosure and periodic reporting to the consumer. 

Credit Scoring

There is no specific regulation applicable to credit scoring.

E-deposits/Mobile Wallets

In 2014 the Colombian congress enacted Law 1735 regulating a licence for e-deposits and transfer-only entities. With a regulatory capital well below the level required for financial intermediation, today, more than seven of these entities work in the Colombian market. Funds kept in deposit cannot be held directly by the new type of entities (Sedpes) but must be deposited with Colombian banks or the Colombian Central Bank. While mobile wallets are not specifically regulated, the actual holding of funds and balances by the operator of the mobile wallet is only possible if the holder is an entity with the power to take deposits, such as a Sedpe or bank. 

Crowdfunding and Peer-to-Peer Lending

In 2018 the Colombian government issued Decree 1357 that created a new licence for the management of crowdfunding and peer-to-peer lending platforms in which a company may issue both debt and equity securities. There is a limit to the size of each issuance and the manager of the platform cannot hold funds disbursed by the purchasers of the securities or paid by the issuer of the securities directly, but rather they must be held by another financial institution such as a bank or trust company.


Congress is currently studying a bill to regulate crypto-asset exchanges. Crypto-assets are not currently acknowledged as either a currency or a security. Financial institutions cannot, therefore, invest in crypto-assets. However, any Colombian person or entity other than a financial institution or a government-owned entity may invest, trade or manage trading systems for crypto-assets.

Regulation of Compensation Models for New Industry Participants

Crowdfunding, lending by non-financial entities and e-deposits are regulated in Colombia within the fintech business models. In respect of crowdfunding, regulation does not impose limits or forms for the purpose of compensation but it does require that fees and other charges must be previously disclosed to the participants. For lending activity by non-licensed lenders there are also no models imposed by the regulator and all charges must be disclosed to the debtor and accepted by him/her in the contract; however, it is important to mention that the interest will be subject to maximum interest rates and charges cannot be changed during the term of the loan.   

Legacy Participants

Compensation charged by licensed entities is subject to full disclosure of all fees and costs to be paid by the consumer. Recently, Law 2009/2019 required that when a licensed entity charges an ongoing management fee for debit or credit cards or saving accounts, certain services must be covered by those fees, not allowing for any extra charge, such as cash withdrawals in the entities' own network of offices or ATMs.

Colombia has not decided on the adoption of a framework law for all fintech verticals. When Colombia has opted to regulate certain specific verticals it has generally chosen to do so by issuing regulation specific to that vertical and subjecting the new activity to licensing requirements, even if with a reduced regulation burden (eg, less regulatory capital). It is noteworthy that the SFC has acknowledged that payment platforms, especially in the gateway model, are not subject to licensing.

Recently, the law has opened the door for temporary traditional licences, such as a banking licence, with a reduced regulatory burden. However, secondary legislation is required to give effect to such temporary licences. 

In practice, an outdated deposit-taking regulation makes it very difficult to undertake any fintech activities that may entail holding funds from clients, even if the funds are merely held and not deployed in other investments. Updating such regulations is a crucial missing step to developing the fintech market.

Regulatory Sandbox

Law 1955/2019 introduced the possibility of allowing the SFC to issue traditional licences (such as banking, financial corporation, financial company, trust company or Sedpes, among others) with a reduced regulatory burden on a temporary basis for up to two years.

Such initiative is aimed at allowing new ventures with a significant technological component to try their business model. The regulation acknowledges that a new venture in its initial stages may not have sufficient capital or cash flow to meet standard regulatory requirements.

However, the Colombian government is yet to issue the secondary legislation necessary to give effect to the new temporary licences.

Supervisor Sandbox

The SFC introduced a supervisor sandbox in 2018. This supervisor sandbox may allow for the testing of new forms of delivery of financial products or new business models in a controlled environment. The supervisor sandbox is very limited because it cannot be used to allow non-licensed entities to try products that may entail illegal deposit-taking (basically any activity that implies holding funds or balances on behalf of customers, even if the funds are not invested or otherwise deployed).

In practice, it has been used with some level of success by several combinations of licensed and non-licensed entities to test simplified know-your-customer and AML/CFT requirements. For example, simplified e-deposits allowed for completion of KYC requirements without an interview, but that was not the case for investments in portfolio funds, so the SFC has now allowed simplified KYC proceedings in portfolio funds.

Access to the supervisor sandbox is fairly straightforward. Any industry or legacy player can ask for admission online and secure a visit with the SFC to discuss the new project. The SFC makes an assessment as to whether the new project merits further guidance or assistance in the supervisor sandbox and, if admitted, the SFC and the applicant will agree on the rules, steps, monitoring and testing applicable to the new project. If, on the other hand, the SFC believes that the new project lacks significant innovation or would only be available to legacy players (eg, because it entails deposit-taking) the SFC would deny access to the sandbox, explaining the reasons behind its decision. 

The Colombian congress has the power to issue laws regulating financial activity. The Central Bank also has the power to regulate foreign exchange matters and payment systems. The Colombian government, comprising the president and the Ministry of the Treasury, issues secondary legislation in connection with laws regulating financial activity.

As a general rule, the SFC is the only entity with the jurisdiction to oversee the activities of licensed entities. However, there are specific licences for money-transmitters that qualify as postal wires, which are subject to the oversight of the Ministry of Technology, Information and Communications.

Non-licensed entities are generally subject to the oversight of the Superintendency of Companies. However, if the SFC finds that such non-licensed entities have been undertaking activities that are exclusive to financial institutions, then the SFC may order the reversal of such activities and impose financial penalties. The SFC's powers overlap with those of the Superintendency of Companies, which retains the right, with respect to such non-licensed entities, to stop activities that qualify as illegal deposit-taking and are at the same time exclusive to financial institutions.

Furthermore, if the activity qualifies as illegal deposit-taking, the Superintendency of Companies would also have the power to stop those activities and to order the reversal of such illegal deposit-taking.

Finally, while the Central Bank has the power to regulate the exchange of cryptocurrencies for legal tender if cryptocurrencies were considered an actual currency, the Central Bank currently believes that cryptocurrencies do not qualify as actual currencies, in the absence of backing by a sovereign or another central bank.

Licensed financial institutions may outsource many of their activities as long as they do not delegate their core responsibilities. What constitutes the core responsibilities of a financial entity will depend on the type of financial institution. However, in very broad terms, the decision to underwrite financial products or services (granting a loan, deciding to open a bank account or e-deposit, entering into a trust arrangement) and the monitoring and management of risks cannot be delegated. 

Licensed entities would generally use three types of outsourcing (channel outsourcing, agency outsourcing and general outsourcing). A channel outsourcing would allow a financial institution to delegate the channel through which services are rendered (eg, a bank would enter into an agreement with an ATM operator to allow customers to make cash withdrawals, or a trust company manages a hotline receiving requests for assistance). In agency outsourcing, a bank would allow a third party to carry out certain actions in its place (eg, authorising a shop in a city to receive cash deposits, where the Sedpe does not have a presence). General (regular, non-financial) outsourcing allows for the outsourcing of other critical activities such as cloud-computing services.

There are, in fact, mandatory rules that vary depending on the type of outsourcing. Generally, this may entail entering into an agreement that would have to cover certain minimum matters or thresholds (eg, an agency agreement will generally be subject to prior review by the SFC) and the demand to observe certain security and/or cybersecurity measures.

Additionally, sometimes the law allows for the delegation of certain core activities. For example, the investment decisions of a portfolio fund manager may be delegated to other portfolio fund managers.

There have only been significant enforcement actions in two of the main verticals. 

Non-regulated Lenders

Non-regulated lenders must refrain from taking deposits from the public at large. This limits their source of funds to loans from offshore entities or loans from licensed entities in Colombia. Certain non-regulated lenders have been ordered to wind down their operations when they have used discretionary mandates with other persons or entities to invest their funds in loans, as these discretionary mandates represent in practice a form of deposit-taking.

Cryptocurrency Exchanges or Sellers

Neither the SFC nor the Colombian Central Bank considers cryptocurrencies (in the absence of sovereign backing) to be currencies or securities. The SFC has highlighted the risks that cryptocurrencies represent in facilitating money-laundering and terrorism-financing, and this has resulted in local banks refusing to allow cryptocurrency exchanges or sellers to open bank accounts. This has hindered the development of cryptocurrency exchanges in Colombia.

Security and Cybersecurity

No additional regulation is generally applicable to non-licensed entities. On the contrary, licensed entities are generally subject to more stringent regulations. For example, a bank would have to put in place an AML/CFT system, regardless of the size of its operation, whereas a non-licensed entity would only require such a system if it met certain thresholds or criteria.

More recently, the SFC has focused on making sure that when non-regulated entities act for or render services to financial institutions, they meet certain minimum security standards and, in this way, financial regulation has spilled over to non-licensed entities.

Personal Data

Personal data protection rules apply to the fintech industry in the same way as to any industry. There is no specific regulation on personal data protection that applies to fintech, and no precedents on its application to fintech exist at present. The data protection regime comprises the law on the protection of financial data (Law 1266, 2008) and the law on the protection of personal data of individuals (Law 1581, 2012).

The financial data protection law includes provisions regarding commercial, financial and credit services. In general, it includes the rights and duties of the data subjects (entities and individuals), sources of information, users of the information, and credit bureaus. The law on the protection of personal data of individuals applies to any person (entity or individual) acting as a processor or controller in the processing of individuals' personal data. 

Violations of the personal data protection law may result in sanctions being imposed by the Superintendency of Industry and Commerce (SIC) or the SFC (which will depend on which agency supervises the controller or processor of the data). Fines from the SIC can be as high as approximately USD500,000, and from the SFC as high as approximately USD400,000.

AML and Anti-bribery

In Colombia, AML and anti-bribery and corruption (ABC) provisions are divided into two categories. On the one hand, there are prohibitive provisions that sanction the commission of acts considered illegal (bribery, money laundering, transnational bribery, influence peddling, etc), and on the other hand, there are preventive provisions that impose on some entities the obligation to implement AML and ABC programmes. The first category of standards is applicable to all. As for the second category, in the absence of special rules for the fintech industry, the obligation to implement AML and ABC programmes will depend on the entity's commercial activity or the volume of assets and total income. 

The entities supervised by the SFC must implement AML and ABC provisions according to the organic statute of the financial system, and the regulation of said superintendency. Entities of the real sector under the surveillance of the Superintendency of Companies will have the obligation required under the regulation of that entity, depending on their economic sector and the volume of their assets and total income.

There is no regulation of social media or similar tools other than as they may be used by licensed entities as a channel for rendering services, in which case there are certain security and cybersecurity minimum requirements that must be met.

Use of social media and similar tools by non-licensed entities is not regulated. 

A statutory auditor will review the activity of industry participants, if they are required to appoint one by law. As a general rule, licensed entities must take the form of a corporation (sociedad anónima) and must have a statutory auditor. Other industry participants would generally choose a simplified shares corporation, where no statutory auditor is required at the outset; one is required only if their gross assets by 31 December of a given year are equivalent to, or exceed, 5,000 minimum monthly wages (for 2020, COP4,389,015,000 or approximately USD1,348,632) or if their gross income during the immediately preceding year is equivalent to or exceeds 3,000 minimum monthly wages (for 2020, COP2,633,409,000 or approximately USD809,179).

As a general rule, industry participants (non-licensed entities) cannot offer regulated products. By the same token, licensed entities must generally limit their offer to regulated services.

Industry participants do, however, partner with licensed entities to offer both non-regulated and regulated products in tandem. For example, the Rappi superapp includes Rappi brand offers and e-deposits offered by Banco Davivienda (a licensed bank). A similar situation occurs with Tpaga, a payment aggregator, and Acciones y Valores a local broker-dealer, where through Tpaga’s app, a Tpaga customer will be able to access a portfolio fund managed by the local broker-dealer. In both cases, the client experience makes it seem as if the services are offered mainly by the non-licensed entity, but the contract terms make it abundantly clear that the regulated products are offered by the licensed entity. 

Only legacy players may use robo-advisers. Advisory in capital markets is a regulated activity which may only be undertaken by certain licensed entities (eg, broker-dealers or pension fund managers). General advertisements and publication of research do not qualify as advisory and are not, therefore, limited to licensed entities. Advisory, however, means giving specific guidance to a specified customer on a specific product or service. 

Activities of intermediation and distribution of funds, among others, require professional advisory services. The regulation requires advisers to consider the clients’ and products’ profiles and match the most appropriate product to the client. In advising a client, no adviser may state that a specific result is guaranteed.

Colombian regulations acknowledge two types of customers, professional investors and client-investors. Client-investors (that is, unsophisticated investors) have the right to receive advisory services from licensed entities. However, Colombian regulations allow client-investors to waive their right to receive a professional recommendation regarding simple assets, but such waiver is not possible with respect to complex assets.

Classification is made by each licensed entity based on:

  • the complexity of the structure of the product;
  • related risks and the capacity to analyse such risks;
  • available information on the product;
  • exit limitations;
  • complexity of the formulas for calculating yields; and
  • the inclusion of conditions in the equity protection mechanisms. 

This differentiation does not require a different business model in terms of robo-advisory, however, as it may be offered both with respect to complex and simple assets.

Legacy players are currently implementing robo-advisory solutions. Robo-advisory services were authorised and regulated for the first time in 2018. By April 2018, the same month in which the regulation was issued, the Colombian Securities Self-Regulating Organisation (AMV for its acronym in Spanish) reported that two robo-advisers had already been created.

Licensed entities have a duty to act in accordance with the principle of best execution of the mandate. Licensed entities must put a policy or manual in place that sets out the rules and procedures that the legacy player must use in the execution of trades, in accordance with the principle of best execution of the mandate. They must also put in place internal assessment mechanisms to verify compliance with this principle. 

Loans to Individuals, Small Businesses and Others

Regulation is basically the same for microcredits (microcréditos), ordinary loans (ordinarios y de consumo) and low-value loans (bajo monto) that are granted both by legacy players and non-licensed entities. The main difference among these loans is the maximum interest rate that may be charged by the lender.

Microcredits are business loans granted to small businesses, that is, businesses with less than ten employees or with total assets worth less than 500 minimum monthly legal wages (approximately USD135,000). The minimum principal amount of these loans is 25 minimum monthly legal wages (approximately USD6,750), provided that the total amount of the loan and the total indebtedness of the small business do not exceed 120 minimum monthly legal wages (approximately USD32,400). Microcredits allow the lender to charge the maximum interest rate and default rate that a lender may charge on a local loan. Additionally, the lender may charge a microcredit fee that does not compute as interest and this is deemed to compensate the lender for special collection and advisory services associated with the microcredit loan (this fee is also limited by regulation).

Low-value loans are only available to individuals and must not exceed two minimum salaries (approximately USD540) per person, their tenure cannot be more than 36 months and they cannot be a revolving loan. The interest rate and default rate for these loans tend to be the second highest rates that a lender may charge on a local loan.

Ordinary loans, which do not qualify as microcredit loans or low-value loans, are subject to the standard limits, both with respect to term and default rates.

Based on the information posted by the SFC on its website on 9 January 2020, the maximum interest rate for ordinary loans is 18.77%, for low-value loans is 34.18% and for microcredits is 36.53%, excluding the microcredit fee. Generally, default rate limits equal 1.5 times the regular rate.

Please note that interest rates for each type of loan are not static and the benchmark is established for a set period in accordance with the weighted average rates at which licensed entities made such loans available in the preceding period. 

Legacy Players v Industry Players

There are different regulations for loans granted by licensed entities as opposed to non-licensed entities, but they refer mostly to the levels and types of disclosures and information that need to be provided to the borrowers. Certain activities are also restricted to licensed entities, such as open-loop credit cards, limiting the activity of non-licensed entities to the operation of private brand credit cards (this limitation stems in part from the fact that under current regulation, non-licensed entities would not have direct access to the payment rails, as access is limited to licensed entities). Another significant difference includes the fact that under certain thresholds, licensed entities must allow for prepayment.

Regulation only dictates the underwriting process with respect to lenders that are licensed entities. Regulation does not itself limit or govern the loans underwriting process but rather, sets forth the requirements needed for an individual or company to obtain their first financial product, generally a bank account or similar type of deposit, because the most simplified form of KYC regulated proceeding applies to e-deposits or simplified saving accounts. This results in licensed entities such as banks not granting loans to first-time customers based merely on information available online about the customer. 

By contrast, non-licensed entities may rely simply on information available online for underwriting and scoring, and may even base their decision exclusively on their assessment of social network activity.

In Colombia, only licensed entities are authorised to take deposits from the general public (savings and checking accounts included) and use them for lending purposes. Therefore, if deposits are used for loans, the lender must be incorporated as a financial entity and meet all the regulatory and capital requirements set forth in the legislation. 

Currently, and as a general rule, non-licensed entities involved in lending activity use their own balance and equity as the source for loans, in addition to loans from offshore lenders and loans from licensed entities. They are in practice prevented from taking loans from a broad base of Colombian individuals or businesses (other than licensed entities) because that would qualify as illegal deposit-taking.

There does not appear to be syndication for the purpose of loans being granted by non-licensed lenders. There is evidence, however, specifically in the consumer loans vertical, that non-licensed lenders will put together a package of loans that they have already disbursed for sale to other types of investors. In this way, the non-licensed lenders transfer the risk of a specific portfolio of loans to other lenders and re-use the funds to grant new loans.   

High-Value Payment Systems

The Colombian Central Bank operates the only high-value transactions payment rail (sistema de pagos de alto valor) in Colombia. The Central Bank payment rails are mainly used to liquidate and settle transactions among Colombian financial institutions, such as interbank loans, transactions stemming from the purchase and sale of securities among financial institutions, or the obligations stemming from the cashing of cheques between banks (there is a subset of rules and systems for each of these types of transaction).

No other person may operate a high-value payment system and, therefore, there is currently no need to create or implement a new one.

Low-Value Payment Systems

As a general rule, payment processors use existing payment rails. There are three main operators of payment rails: Credibanco and Redeban, which are both bank-owned and in charge of liquidation and settlement of card payments, and ACH, which operates e-transfers and payments.

In addition to these payment rails, there are five other card payment rails generally focused on a single franchise or private brand cards.

The management of payment rails requires prior authorisation by the SFC. Although Colombian regulations do not restrict the creation of new payment rails, this is restricted in practice due to the market structure and lack of regulation that orders interoperation between different payment rails. The URF has issued a draft regulation to address these issues and new regulation may be issued during 2020.

Regulated Transactions

Certain regulated payments can only be transacted through a licensed foreign exchange intermediary (FEI) or through a Colombian resident’s offshore bank account registered with the Colombian Central Bank (so-called "compensation" accounts).

The following transactions result in regulated payments:

  • import of goods;
  • export of goods;
  • foreign investments into Colombia;
  • certain investments by Colombian residents offshore; and
  • certain payments made on cross-border guarantees.

Most notably, payment of services, whether imported or exported, or personal remittances is not considered a regulated transaction. However, the offering of those products en masse is limited to FEIs or certain postal service entities.


Only certain limited entities may act as FEIs. These include:

  • banks;
  • financial corporations (corporaciones financieras);
  • financing companies (compañías de financiamiento);
  • Financiera de Desarrollo Nacional SA;
  • Banco de Comercio Exterior de Colombia S.A. (BANCOLDEX);
  • financial co-operatives;
  • securities broker-dealers; and
  • special financial services and foreign exchange intermediation companies (sociedades de intermediación cambiaria y de servicios financieros especiales), which are similar to exchange bureaus. 


All these FEIs are licensed entities, subject to the oversight of the SFC, except for the special financial services and foreign exchange intermediation companies.

The funds industry is regulated in all its functions, whether administration, management or distribution. Only certain licensed entities can act as fund administrators for portfolio funds and private equity funds (trust companies, broker-dealers and investment management companies) or pension and severance investment funds (pension and severance investment fund managers and trust companies).

Certain back-office activities of a fund manager could, in theory, be outsourced to a non-regulated entity, such as accounting, collections or a call centre, but Colombia does not have a thriving fund administration industry outside of the legacy players.

Since Colombia does not have non-regulated fund administrators, there is no market practice for contractual terms demanded by fund advisers from fund administrators to assure performance and accuracy. However, insofar as a regulated fund administrator, such as a trust company or pension fund manager, may delegate some back-office work to a third party, regulation is mainly concerned with making sure that the third party follows certain minimum requirements in terms of security, cybersecurity and business continuity plans.

Regulated fund administrators are required to keep in place an AML/CFT risk management system and must report any suspicious activity. Since there is no market for non-regulated fund administrators, there are no rules requiring any such fund administrators to act as gatekeepers.

Colombia regulates three different types of trading platforms, marketplaces and exchanges (stock exchanges, securities trading systems and currencies trading systems).

Stock Exchanges

Regulation is applicable to stock exchanges, which are the only type of trading platforms on which shares, bonds that are mandatorily convertible into shares, and derivatives of which the underlying assets are shares may be traded (except for certain low-value trades that parties may conduct outside of the exchange because they are not material enough to affect price formation).

Securities Exchanges

Other types of securities may be listed either on a stock exchange or on a securities trading system. 

Management or administration of stock exchanges and securities trading platforms requires a licence from the SFC and is subject to its oversight and the regulations issued by the Colombian government (the president and the Ministry of the Treasury).

Currencies Exchanges

Currency trading platforms are also regulated for the trading of currencies and derivatives over currencies. Rules applicable to currency trading platforms are issued both by the Colombian government and the Colombian Central Bank. 

Regulation of stock exchanges (the only type of platform on which shares, bonds mandatorily convertible into shares, and derivatives on shares may be traded) is much more complex than the regulation of exchanges of other types of securities or currencies. For example, access to the trading platform for shares is limited to licensed broker-dealers; corporate governance regulation requires that at least 40% of the board of a stock exchange be comprised of independent directors; there is no room for over-the-counter trading of listed shares, except for transactions of a very low value; the affiliates to the exchange must submit to the disciplinary authority of self-regulation bodies; and the stock exchange may also manage its own clearing and settlement systems.

By contrast, other securities trading systems can receive other affiliates, including licensed and non-licensed entities; are not subject to the same corporate governance rules; allow a lot of room for OTC trading; and cannot manage their own clearing and settlement systems.

Colombia does not have regulations on cryptocurrencies. The Colombian Central Bank has stated that virtual currencies have not been recognised as currency by lawmakers or by the monetary authority. To the extent that a cryptocurrency does not constitute an asset equivalent to legal tender, it cannot discharge or extinguish obligations. The Central Bank has also stated that virtual currencies cannot be considered currency because they do not have the backing of the central banks of other countries and they could not be used to pay for the operations of the exchange regime.

The SFC has also shared its thoughts on this. The Superintendency has warned about the risks of virtual money and recently ratified that cryptocurrencies (specifically referring to bitcoin) are not considered as valid currency in Colombia.

Virtual currencies are therefore considered as commodities in Colombia, and not as currencies. However, the SFC has banned financial entities from safeguarding, investing in, intermediating or operating with cryptocurrencies, and from using their platforms to carry out trade with virtual assets. 

Additionally, the SFC has urged the entities under its surveillance to continue applying adequate and sufficient AML measures in order to prevent them from being used as an instrument for money laundering in the framework of the use of “Electronic Currencies – Cryptocurrencies or Virtual Currencies”.

In August 2018, the Chilean cryptocurrency trader, Buda, announced the suspension of its activities in Colombia after the financial entities of the country blocked its accounts based on their interpretation of the warning from the SFC regarding AML risks. However, Buda recently announced its return to the Colombian market after almost a year of discussion with the banks over how to see the warning more as an encouragement to implement proper controls than a strict prohibition.

There is no regulation or industry standard that addresses what is required for a cryptocurrency to be listed. 

There are listing standards available for the listing of equities on the Colombian stock exchange (Bolsa de Valores de Colombia), but such listing standards are so heavy that only top corporates are able, or willing, to meet them and the number of listed equities has actually decreased in the last ten years, to 73 entities. 

Order handling rules apply both at the level of the trading systems and stock exchanges that require orders and offers to be disclosed to the affiliates upon receipt, and at the level of brokers that participate in the trading system. Broker-dealers and any affiliates to a trading system that are registered with a self-regulation body acknowledged by the SFC must observe the so-called principles for the handling of orders.

The following principles are applicable to the handling of orders by broker-dealers and other affiliates to such a system:

  • the manner in which orders are received and performed must be traceable;
  • investors must be treated equitably;
  • the rules for handling orders, by each broker-dealer or affiliate to such system, must be disclosed to investors; and
  • the integrity of record-keeping.

The AMV (a self-regulating body of securities traders in Colombia) requires that all orders be handled in the order in which they were received, with exceptions allowed for:

  • high-value orders;
  • orders whose fulfilment depends on market conditions (VWAP orders);
  • consolidation of orders;
  • when the broker reasonably believes that fulfilment of the order is likely to harm the investor; and
  • when processing of orders is subject to a different set of rules, such as auctions or public offerings. 

Any system that allows the trading of listed securities in Colombia is subject to regulation and prior authorisation of the SFC. There has therefore not been a rise in peer-to-peer trading platforms in connection with securities, because regulation limits the type of entities that may participate in such a system to licensed entities that may act as securities intermediaries or brokers, and certain government entities. 

While the SFC and the Central Bank have stated that, in their view, crypto-assets do not qualify as securities and therefore there is nothing that would prevent the creation of crypto-assets trading platforms, in practice, the operation of trading platforms and exchanges has been very difficult, as most banks shy away from rendering services to these platforms or exchanges (eg, they do not offer bank accounts to these participants), in part because the lack of controls and regulation would facilitate money-laundering activities.

Furthermore, to the extent that the trading platforms would also allow for the clearing and settlement of operations between participants, the operators could risk running foul of regulations on the operation of payment rails, which require a licence from the SFC.

As discussed in 3.3 Issues Relating to Best Execution of Customer Trades, licensed entities are subject to the rules of best execution of the mandate when dealing in securities. However, in the absence of regulations applicable to crypto-assets, which are currently not acknowledged as securities by the Colombian government, there are no specific rules on best execution of customer trades affecting the trading of crypto-assets. 

There are no specific rules that require a broker-dealer or fund manager to pay in order to receive order flows, or broker-dealers to receive payments to send orders from clients in a given direction.

However, this would be subject to the general rules of conflict of interest applicable to broker-dealers, where the conflict should be clearly disclosed to the client and the client would have to consent to the payments being kept by the applicable broker-dealer.

There is no express regulation on high-frequency and algorithmic trading. The AMV has issued certain guidelines in connection with the implementation of algorithmic trading, that mainly focus on corporate governance issues. 

These guidelines require:

  • active board involvement in the determination of policies applicable to the creation and use of this technology;
  • adequate environments and infrastructure for development, testing and operation;
  • adequate record-keeping that would allow the internal bodies in charge of approval of the algorithm to make sure that the rules or results that the algorithm would follow or pursue are understandable;
  • that clear rules for the suspension or termination of the operation of the algorithm be put in place;
  • rules for the adequate recording of creation, development, testing, operation and material amendments to the algorithm; and
  • the disclosure of all information on the application of the algorithm to the self-regulating body.

The use of algorithms and high-frequency trading (HFT) does not make a market participant, such as a broker-dealer or fund, qualify as a securities trading system.

Broker-dealers are the only entities authorised to act as market makers. When acting as market makers they must disclose to the market through their own website that they are acting in that capacity. As a general rule, a registered market-maker cannot acquire for its own account the securities for which it has agreed to be a market-maker unless it is acting as market-maker without an agreement to do so with the issuer and without using funds of the issuer.

As discussed in 3.3 Issues Relating to Best Execution of Customer Trades, broker-dealers are subject to the best execution of trades. However, the generality of the principle does not provide sufficient specific content to give effect to such rules beyond the rules for order-handling discussed in 7 Marketplaces, Exchanges and Trading Platforms.

There is no express distinction between funds and dealers applicable to HFT or algorithmic trading. 

See 7.8 Rules of Payment for Order Flow.

Financial research platforms are not subject to registration or licensing.

The consequences of spreading rumours and other unverified information in Colombia depend on the content and impact of the information disseminated. As mentioned in 2.10 Regulation of Social Media and Similar Tools, the Constitutional Court has recognised that the intervention of the authorities (more specifically, the judges) depends on multiple factors (among others, who is the information from, who is the target, what is the content, and what impact does it have) and this must be analysed on a case-by-case basis. Consequences can lead to crimes such as economic panic, defamation and slander, among others.

Despite being key actors in the protection of freedom of speech and privacy, financial research platform operators should not have responsibility for the content published by their users and must preserve freedom of speech principles, subject to contractual rules. Those contractual rules could provide for deleting posts that the platform operators might reasonably believe could result in a crime, financial panic or other form of material harm in the market.

The Constitutional Court has recognised that data intermediaries (a category that ranges from internet service providers to search engines, and from blog services to online community platforms, e-commerce platforms, web servers, and social media, among others) have different levels of control over the dissemination of information on their platforms. However, as key actors in the protection of freedom of speech and privacy, they should not be held responsible for the content published by their users.

The underwriting process for insurance companies and insurance intermediaries is regulated by law in line with certain minimum KYC/AML regulations and proceedings. Insurance may only be offered by insurance companies and insurance intermediaries so the closing of each transaction should be made by the insurance company through any of the commercialisation channels allowed by law.

The regulator currently has 38 different types of insurance. However, the regulation for all these types of products is similar, except for certain requirements regarding, for example, technical reserves and other capital requirements. 

Regtech providers are not regulated in Colombia.

There are no regulations requiring minimum contractual terms to assure performance and accuracy. There is little experience of regtech and, therefore, not that much applicable industry custom. However, as with any outsourcing agreement, licensed entities must ensure that providers meet certain security and cybersecurity standards and that they make information available and co-operate with the SFC with respect to the licensed entity’s information.

Regtech providers do not have a duty to speak up when they see suspicious or unlawful behaviour.

Certain legacy players already have pilots in place to implement blockchain in the financial services industry. For example, a consortium was formed by certain financial institutions (trust companies, price providers, pension funds, banks and technology companies) to use blockchain in their operations. In November 2019, this consortium announced a successful test of blockchain to facilitate the exchange of collateral in connection with the OTC derivatives market.

Of course, blockchain or DLT in general is more often implemented in the infrastructure-providers industry, such as stock exchanges, securities trading systems, currencies trading systems, systems for the registration of OTC transactions on securities or currencies, and clearing and settlement systems. 

Regulators are yet to issue regulations or guidelines about the use of blockchain. In October 2019, both the SFC and the Colombian Central Bank entered into collaboration agreements with R3 to try to implement DLT technology, both for the eventual regulation and implementation of infrastructure providers and with respect to the SFC in its own regulation activities. 

On the other hand, the Financial Information and Analysis Unit (UIAF) referred to the challenges of financial intelligence units, as AML regulators, in facing the increasingly recurring application of Blockchain in business. In general, the UIAF understands that it must adapt to these new technologies and develop ways to identify the pseudo-anonymous holder in Blockchain records. As potential solutions for these new challenges, it proposes the implementation of due diligence and background checks into the service provider's business and policies, or, in the case of public Blockchain or big private Blockchain, the use of unique digital identification like that proposed by the ID2020 alliance. However, regulatory provisions have not yet adopted these recommendations. 

There is no specific regulation governing the classification of blockchain assets. There are only certain opinions issued by the Colombian Central Bank and the SFC on the nature of cryptocurrencies.

There are currently no specific regulations in Colombia governing the issuance or sale of blockchain assets. It could be argued that to the extent that tokenised assets represent an interest in a project or other underlying asset, such tokens could eventually qualify as an equity security. This would subject their issuance to rules on public offering of securities, which would require prior authorisation from the SFC. However, there has yet to be any case where a blockchain asset is acknowledged as a security. 

There is no specific regulation of blockchain asset trading platforms or the secondary market of blockchain assets. However, certain blockchain assets could, at least in theory, qualify as securities and thus the trading platforms for such assets would be subject to the regulation applicable to securities trading systems.

Investment funds, such as portfolio funds or pensions funds, cannot invest in blockchain assets.

The Colombian Central Bank considers that cryptocurrencies do not qualify as a currency in the absence of issuance by, and backing of, a sovereign. The SFC also believes that cryptocurrencies do not qualify as securities. Due to the lack of regulation, the SFC’s and the Colombian Central Bank’s position is aimed at preventing legacy players (licensed entities) from investing their funds in cryptocurrencies, given their high price volatility.

In the absence of a special data protection provision in the fintech sector, the standards described in 2.9 Implications of Additional Regulation must be applied to any activity that involves personal data processing, including developments using Blockchain technology.

In order to know whether the regulation of personal data of individuals applies, it would be necessary to identify whether any individual or entity within the Blockchain is processing any information relating to an identified or identifiable individual (Data Subject). If this is the case, the entity processing the data must have prior, express and informed consent from the Data Subject to process their data according to the controller's privacy policy.

This is the first potential incompatibility within Blockchain and the regulation of data privacy of individuals in Colombia. As long as the information contained in the ledger is shared among all the participants of the Blockchain, all those interacting within the Blockchain must apply the privacy policy accepted by the Data Subjects and process the data for the purposes informed and agreed by them.

Another potential conflict would arise regarding the Data Subject's right to request the deletion of their data and the immutability of the information contained in the Blockchain. Taking into account that the principle of immutability of the Blockchain is based on the sequential record of entries in the chain, in which any information is amended by a new entry, the information in a previous block cannot be eliminated and the Data Subject's right of full deletion cannot be granted. This represents additional issues regarding the fulfilment of the "principle of purpose", in which the controller or processor of personal data must keep and process only the data it requires, reasonably, for the development of the activity for which the data was provided by the Data Subject.

The SFC recently issued regulations allowing licensed entities to share with Application Programming Interface (API) developers information such as products, channels, services and fees charged to their users, as well as information that their consumers may have authorised to share with those developers. 

However, such regulation hardly represents an incentive to allow access to competitors, to foster open banking services and products.

Heavy data privacy regulations and data security concerns represent a challenge to the actual development of open banking services and products. The Financial Regulation Unit (Unidad de Regulación Financiera or URF) has announced that draft regulations to foster open banking will be published by Q4 2020. No material developments have yet occurred on the open banking vertical. 

Baker McKenzie S.A.S.

Avenida 82 No. 10 - 62
Piso 7
D.C. 110221

+57 1 634 1666

+57 1 376 2211