Practice area · 03

Compliance

Regulatory compliance programs for Colombian organizations

An effective compliance program is not just a regulatory requirement: it is a strategic tool that protects organizations and their executives from criminal, disciplinary, and administrative liability. At Guevara Castaño Abogados we design and implement regulatory compliance programs adapted to the needs and sector of each of our clients.

Design and Implementation of Compliance Programs

Regulatory compliance protects organizations through ethical and transparent practices in each of their processes. In Colombia it is framed mainly by Law 1474 of 2011 (the Anti-Corruption Statute), Law 1778 of 2016 (transnational bribery), and Law 2195 of 2022 (transparency and anti-corruption measures), which set corporate governance standards intended to reduce the risk of administrative, criminal, and reputational sanctions through risk assessment, clear policies, and continuous monitoring.

We accompany any type of organization at every stage to build a solid culture of compliance, transparent and aligned with Colombian regulations, protecting it before control entities and potential legal contingencies.

SAGRILAFT, SARLAFT and PTEE Programs

SARLAFT, SAGRILAFT, and PTEE are mandatory self-control and risk management systems for certain organizations. SAGRILAFT and PTEE apply to the real sector and are regulated by Law 1778 of 2016, Law 2195 of 2022, and the Basic Legal Circular of the Superintendence of Companies. SARLAFT applies to entities supervised in the financial sector and is regulated by Law 1121 of 2006, Law 144 of 2011, Law 2195 of 2022, and the Basic Legal Circular of the Financial Superintendence.

We accompany organizations through every phase of implementation and follow-up of these programs to ensure compliance with all designated functions and the standards required by each control body.

Regulatory compliance is not an administrative burden: it is the tangible evidence that an organization acts with integrity.
— Guevara Castaño Abogados

Due Diligence in M&A Operations

A merger or acquisition may imply assuming various types of risks. Through due diligence, the buyer obtains the necessary information about the company or asset to be acquired (the target), closing the knowledge gap with the seller. The process audits the robustness of the target's anti-fraud and anti-corruption systems to obtain a clear understanding of its control mechanisms. The analysis must weigh the risk derived from interaction with the public sector and execute specific tests to verify the reliability of financial statements and valuation premises, detecting irregularities such as organized fraud, conflicts of interest, or anomalous related-party operations.

We support companies through this process: examining complex corporate structures, high-risk commercial relationships, relevant litigation, and exposure to legal liabilities to protect the value of your business and its reputation.

Counsel and Representation before Authorities

When a company faces an investigation before a Superintendence or the Colombian Attorney General's Office (Fiscalía), time and defensive strategy become crucial. We structure defenses before inspection, surveillance, and control entities, manage official communications, and present technical arguments demonstrating compliance with regulations. Our objective is to defend the interests of your organization.

We also advise executives, employees, and compliance officers during these proceedings, guiding them on personal responsibilities and communication strategy with authorities. We have experience in successful negotiations that have resulted in significantly more favorable agreements than the sanctions initially proposed by control entities.

§

What our clients ask

SAGRILAFT (Self-Control and Integral Risk Management System for Money Laundering and Terrorism Financing) is an organizational structure integrating processes, technology, and human resources to prevent and detect suspicious operations within the company. It is not a procedure manual but a living risk management system. Required by the Superintendence of Companies, it applies to legal entities and branches of foreign companies whose gross income in a fiscal year exceeds 40,000 SMMLV (legal monthly minimum wages). For high-risk sectors (real estate, legal services providers, precious metals and stones dealers) the threshold drops to 30,000 SMMLV. Additionally, any legal entity receiving cash or virtual assets exceeding 50 million COP must implement it regardless of annual income. Late implementation is no longer an option: the Superintendence has moved past the educational phase and now actively sanctions non-compliance.

The PTEE (Transparency and Business Ethics Program) is a corporate compliance system designed to prevent corruption and transnational bribery risks, required by Law 1778 of 2016, Decree 1736 of 2020, and Chapter XIII of the Basic Legal Circular of the Superintendence of Companies. Not having one, or having one that exists only on paper, exposes the company to fines of up to 200 SMMLV under article 86 of Law 222 of 1995. When transnational bribery is established under Law 1778, fines escalate to 200,000 SMMLV, plus disqualification from contracting with the State and publication of the sanction. Liability is not limited to the legal entity: sanctions may reach the compliance officer, the statutory auditor, and the administrators.

The Compliance Officer is the natural person designated to design, supervise, and operate the risk prevention system required by regulations (SAGRILAFT, PTEE, SARLAFT). Liability operates on two levels. Administratively, they are responsible for the diligent exercise of their functions, regardless of whether a money laundering or corruption event materializes. The Superintendences of Companies and Finance may investigate and sanction them when they omit controls, fail to submit mandatory reports, or neglect supervisory duties. Criminally, in Colombia there is no rule that automatically attributes criminal guarantor status by the mere fact of holding the position; however, they may be criminally liable when they participate by intentional action or omission in a crime. Three practices are indispensable for their defense: documenting all their actions, leaving written record of reports to the board, and formally demanding resources and autonomy.

Due diligence is the systematic process of investigating, verifying, and assessing the background, integrity, and risk level of counterparties (clients, suppliers, partners, intermediaries). It fulfills two functions: satisfying regulatory obligations (SAGRILAFT, PTEE, SARLAFT) and voluntary standards such as ISO 37001, and protecting the organization against legal, financial, operational, and reputational risks. A robust process follows four stages: planning (defining scope according to the counterparty's risk level), identification (know-your-counterparty forms, corporate documentation, identification of the ultimate beneficial owner, and screening against binding lists such as the UN Security Council list and the OFAC SDN list, known in Colombia as the "Clinton list"), analysis (filtering false positives, identifying red flags, classifying risks), and a documented decision. Due diligence does not end with initial onboarding: it requires at least annual updating, permanent monitoring, and reassessment whenever conditions change.
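The screening and false-positive filtering stage of the due diligence process described above, shown as an added illustration that is not part of the firm's text or of any real screening tool. The list entries, counterparty records, similarity threshold, and red flags are all constructed for the example; a real implementation loads the current UN and OFAC lists, matches on many more identifiers, and records the decision in the due diligence file.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed sample list: NOT real OFAC or UN data. A real screening
# loads the current published lists instead of a hard-coded table.
SANCTIONS_LIST = [
    {"list": "OFAC-SDN", "name": "Juan Carlos Perez Gomez",
     "dob": "1970-03-12", "id": "12345678"},
    {"list": "UN", "name": "Ana Maria Lopez Diaz",
     "dob": "1985-07-01", "id": None},
]


def normalize(name: str) -> str:
    """Strip accents, punctuation and case, and sort name tokens so that
    'Pérez Gómez, Juan Carlos' and 'Juan Carlos Perez Gomez' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", ascii_name.lower()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class Counterparty:
    name: str
    dob: Optional[str] = None           # ISO date taken from the knowledge form
    id_number: Optional[str] = None     # national ID / tax ID from the documentation
    red_flags: List[str] = field(default_factory=list)  # e.g. "public sector exposure"


def screen(cp: Counterparty, threshold: float = 0.85) -> Tuple[list, list]:
    """Return (confirmed_hits, discarded_false_positives).

    A name match above the threshold is confirmed only when the identifiers
    on file do not contradict the list entry: a mismatching ID or date of
    birth is the usual way to discard a homonym (false positive). When no
    identifier is available on either side, the hit stays confirmed and
    must be resolved manually rather than silently dropped."""
    hits, discarded = [], []
    for entry in SANCTIONS_LIST:
        score = similarity(cp.name, entry["name"])
        if score < threshold:
            continue
        if cp.id_number and entry["id"] and cp.id_number != entry["id"]:
            discarded.append((entry["list"], "id mismatch"))
        elif cp.dob and entry["dob"] and cp.dob != entry["dob"]:
            discarded.append((entry["list"], "dob mismatch"))
        else:
            hits.append((entry["list"], round(score, 2)))
    return hits, discarded


def classify(cp: Counterparty) -> str:
    """Documented decision: REJECT on a confirmed list hit, ENHANCED when red
    flags call for enhanced due diligence, STANDARD otherwise."""
    hits, _ = screen(cp)
    if hits:
        return "REJECT"
    if cp.red_flags:
        return "ENHANCED"
    return "STANDARD"


if __name__ == "__main__":
    # Constructed counterparties: a true hit, a homonym, and a clean name with a red flag.
    for cp in [
        Counterparty("Pérez Gómez, Juan Carlos", dob="1970-03-12"),
        Counterparty("Juan Carlos Perez Gomez", dob="1990-01-01", id_number="87654321"),
        Counterparty("Pedro Ramirez", red_flags=["public sector exposure"]),
    ]:
        print(cp.name, screen(cp), classify(cp))
```

The token-sorting normalization is what makes the inverted Spanish name order and accented spellings on corporate documents match the list entry; the identifier check is what keeps a homonym from blocking a legitimate counterparty, and the discarded tuple is kept so the reason for dismissing the match can be written into the file.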

The ROS (Reporte de Operación Sospechosa, suspicious transaction report) is the mechanism by which obligated subjects (financial entities, companies covered by SAGRILAFT, designated professions) inform the Financial Information and Analysis Unit (UIAF) about operations that deviate from normal business practice and cannot reasonably be justified. It originates in FATF Recommendation 20. Critical point: the ROS is not a criminal complaint. It is anonymous, confidential, does not constitute judicial evidence, and is not given under oath. The reporter does not need certainty that a crime exists; a well-founded suspicion based on reasonable red flags suffices. Neither the compliance officer nor the company can be pursued civilly or criminally for submitting a good-faith ROS.

A well-designed and implemented compliance system is not an absolute guarantee of criminal exoneration, but it can operate as an effective mechanism to exclude or significantly mitigate the liability of administrators and executives. In Colombia there is no autonomous criminal liability of legal entities as there is in Spain or the United States: the system rests on administrative sanctions (Laws 1778 of 2016 and 2195 of 2022), and criminal liability still falls on natural persons. In this context, a robust compliance program fulfills four legal functions: it demonstrates compliance with the duty of diligence required by corporate law; it proves the executive did not create a legally disapproved risk; it allows imputation to be broken when an employee fraudulently evaded existing controls; and it operates as a mitigating factor in sanctioning proceedings. Key warning: only systems that are suitable and actually applied produce these effects. Paper-only compliance is not merely useless: it can aggravate the executive's position by evidencing negligence in the supervisory duty.
