Licentium

Licensing Hub

Colombia

Colombia has no general VASP licence. Providers report to the UIAF under Resolution 314/2021, and the SFC has not authorised supervised entities to custody crypto.

Available licences

UIAF PSAV Reporting (Resolution 314 of 2021)

Mandatory reporting registration as a virtual asset service provider with the Unidad de Información y Análisis Financiero. Applies to natural persons and companies that, as a business, perform covered activities for or on behalf of others, including fiat/virtual-asset and virtual-asset/virtual-asset exchange, virtual-asset transfer, custody or administration, instruments enabling control, issuer-offer-related financial services and general virtual-asset services. PSAV status applies regardless of transaction amount. Filing obligations: immediate suspicious-operation reports through SIREL; monthly absence-of-suspicious-operation reports where no SAR is filed; monthly transaction reports for multiple transactions equal to or above USD 450 and individual transactions equal to or above USD 150; monthly absence-of-transaction reports; monthly active/inactive/disassociated client reports. Wallet addresses and transaction hashes must be reported with exact case preservation.

SAGRILAFT (Superintendencia de Sociedades Chapter X)

Self-administered AML/CFT/CPF compliance system for companies supervised by the Superintendencia de Sociedades. The virtual-asset trigger applies where the company performs covered virtual-asset activities for or on behalf of another person at or above 100 SMLMV and meets the annual income (>= 3,000 SMLMV) or assets (>= 5,000 SMLMV) thresholds as of 31 December of the prior year. Companies receiving virtual-asset contributions at or above 100 SMLMV must also comply. Enhanced due diligence applies to virtual-asset activity: counterparty identification, virtual-asset and intermediary risk assessment, senior management approval, source-of-funds analysis and intensified continuous monitoring.

DIAN Tax and Exogenous Information Reporting

DIAN treats cryptoassets as intangible assets that can form part of a taxpayer's patrimony and generate taxable income. PSAVs domiciled in Colombia or with Colombian operations must report exogenous information from taxable year 2026 onward for operations involving conversion of legal tender to digital assets or digital assets to legal tender. Sale of a cryptoasset is generally not VAT-taxed where the intangible asset is not associated with industrial property, but intermediation services by exchanges, ATMs or similar providers for crypto purchase and sale can be VAT-taxable.

SFC Securities-Law Pathway for Tokenised Rights

Generic cryptoassets are not 'valores' under Colombian law, but Law 964 of 2005 defines a 'valor' as a negotiable right forming part of an issuance where its object or effect is raising resources from the public. A tokenised share, debt instrument, fund interest, receivable, revenue right, investment-contract-like right, asset-backed token or public-fundraising token requires separate securities-law analysis covering SFC authorization, public-offering rules, market-infrastructure rules and custody requirements.

Detailed overview

Colombia: Cryptoasset Regulation, UIAF Reporting and SAGRILAFT

Regulators

Colombia does not currently have a single comprehensive virtual-asset service provider licence administered by one regulator.

The main authorities relevant to cryptoasset and virtual-asset activity are the Superintendencia Financiera de Colombia, Banco de la República, Unidad de Información y Análisis Financiero, Superintendencia de Sociedades and DIAN.

The SFC is relevant for financial institutions, securities-market issues, supervised entities and consumer warnings. Banco de la RepĂşblica is relevant for legal currency, foreign exchange and payment-system issues. UIAF administers reporting obligations for virtual-asset service providers. Superintendencia de Sociedades supervises SAGRILAFT obligations for covered companies. DIAN administers tax and information-reporting treatment.

Colombia should be treated as a partial-regulation jurisdiction rather than a full VASP-licensing jurisdiction.

There is no comprehensive prudential authorization regime for all crypto exchanges, brokers, custodians or wallet providers. Official SFC materials state that cryptoasset trading and operations are not part of the financial system and are not supervised or endorsed by the SFC as financial products.

This does not mean that crypto activity is unregulated. Virtual-asset service providers may be subject to UIAF reporting, Superintendencia de Sociedades SAGRILAFT, tax reporting, consumer protection, data-protection, securities-law and ordinary corporate-law obligations.

Cryptoassets are not legal tender in Colombia. They are not Colombian currency, money, foreign exchange or cash equivalents under the official position of Banco de la RepĂşblica and other Colombian authorities.

There is no obligation to accept cryptoassets as payment. A person or business may contractually agree to accept cryptoassets, but that private agreement does not convert the asset into legal tender or foreign exchange.

Cryptoassets are not recognized as “divisas” and cannot be used as foreign currency for Colombian foreign-exchange-regime purposes merely because they are traded internationally or referenced to foreign currency. Cross-border settlement, remittance, import or export payment structures using cryptoassets require separate foreign-exchange analysis.

No general SFC crypto licence

Colombia does not currently offer a general SFC licence for ordinary crypto exchange, brokerage, custody or wallet activity.

The SFC has stated that it has not generally authorized supervised entities to custody, invest, intermediate or operate with virtual-currency instruments, or to allow the use of their platforms for those operations.

A crypto business should not advertise itself as SFC-authorized, SFC-supervised or part of the Colombian financial system unless it has a separate valid authorization and the statement is legally accurate.

UIAF reporting regime

Colombia has a UIAF reporting regime for virtual-asset service providers.

UIAF Resolution 314 of 2021 is listed by UIAF as current. It imposes reporting obligations on natural persons and companies that provide virtual-asset services in Colombia.

For UIAF purposes, a virtual asset is a digital representation of value that can be digitally traded or transferred and used for payment or investment. A PSAV is a natural or legal person that, as a business, performs covered virtual-asset activities for or on behalf of another person.

Covered PSAV activities

Covered activities include exchange between virtual assets and fiat currency, exchange between one or more forms of virtual asset, transfer of virtual assets, custody or administration of virtual assets, instruments enabling control over virtual assets, participation in or provision of financial services related to an issuer’s offer or sale of virtual assets, and general services related to virtual assets.

A centralized exchange, OTC desk, crypto-fiat on/off-ramp, hosted wallet, custodial wallet, private-key control service, virtual-asset transfer provider or token-offer support provider is likely to fall within the UIAF PSAV reporting perimeter where it provides services in Colombia for customers.

Subject-person status under Resolution 314 applies regardless of transaction amount. Monetary thresholds apply to transaction reporting, not to the initial question of whether the person is a covered PSAV.

UIAF reports

PSAVs must file suspicious-operation reports immediately and directly through SIREL when a suspicious operation is identified. Suspicious-operation reporting does not depend on a fixed monetary threshold.

Where no suspicious operation is detected during the month, the PSAV must file the monthly absence-of-suspicious-operation report.

PSAVs must also file monthly virtual-asset transaction reports within the first 20 calendar days of the following month. Multiple transactions must be reported where they equal or exceed USD 450 or the equivalent in other currencies. Individual transactions must be reported where they equal or exceed USD 150 or the equivalent and are not reported as multiple transactions.

Where no reportable virtual-asset transactions occur, the PSAV must file the monthly absence-of-transaction report.

PSAVs must also file monthly client reports covering active, inactive and disassociated clients.

UIAF’s transaction annex requires exact transaction data, including sending wallet, transaction hash and receiving wallet. Upper-case and lower-case wallet and hash characters must be preserved exactly.

Resolution 84 of 2022 extended the initial start date for Resolution 314 reports to 1 July 2022 and left the other Resolution 314 conditions unchanged.

SAGRILAFT

Companies supervised by the Superintendencia de Sociedades may be required to implement SAGRILAFT where they conduct virtual-asset activities above the relevant thresholds.

Chapter X of the Basic Legal Circular treats virtual assets as digital representations of value that can be digitally traded or transferred and used for payment or investment. The definition excludes digital representations of fiat currency, securities and other financial assets covered elsewhere under FATF standards.

The virtual-asset SAGRILAFT trigger applies where the company performs covered virtual-asset activities for or on behalf of another person at or above 100 SMLMV and also meets the annual income or asset thresholds. The current thresholds are total income of at least 3,000 SMLMV or total assets of at least 5,000 SMLMV as of 31 December of the prior year.

Covered activities include exchange between virtual assets and fiat currency, exchange between virtual assets, transfer of virtual assets, custody or administration, instruments enabling control over virtual assets, issuer-offer-related financial services and general virtual-asset services.

A company that receives virtual-asset contributions equal to or above 100 SMLMV must also comply with SAGRILAFT and enhanced due diligence.

Enhanced due diligence

Virtual-asset activity requires enhanced due diligence. Covered companies must take reasonable measures to identify counterparties and the risks associated with the virtual assets involved. They must also assess virtual-asset counterparties, virtual assets and intermediaries.

Enhanced measures can include senior management approval, source-of-funds analysis, and continuous intensified monitoring.

A Colombian crypto company should therefore maintain customer due diligence, beneficial-owner controls, source-of-funds procedures, transaction monitoring, sanctions and high-risk jurisdiction controls, virtual-asset risk assessment and suspicious-activity escalation.

Financial institutions and payment rails

Crypto platforms should treat Colombian financial rails as sensitive.

The SFC has not generally authorized supervised entities to custody, invest, intermediate or operate with virtual-currency instruments or to allow use of their platforms for such operations.

The SFC’s cash-in/cash-out pilot between cryptoasset platforms and supervised financial entities ended in June 2024. The pilot involved specific alliances between supervised banks or SEDPEs and Colombian exchange platforms.

The SFC sandbox framework is temporary and does not amend the general regulatory framework. A sandbox approval or pilot does not create a general authorization for all crypto businesses or all supervised financial institutions.

A crypto business using Colombian banks, SEDPEs, payment accounts, cards or other payment rails should obtain product-specific legal analysis and should not imply that banking access equals regulatory authorization.

Securities tokens

Generic cryptoassets are not treated by Colombian financial authorities as securities or “valores.” Banco de la República’s official materials state that digital assets should not be assimilated to “valores” under Law 964 of 2005, and SFC materials have similarly stated that virtual currencies are not “valores” under Colombian law.

That position does not eliminate securities-law analysis for tokenised rights.

Law 964 of 2005 defines a “valor” as a negotiable right forming part of an issuance where its object or effect is raising resources from the public.

A tokenised share, debt instrument, fund interest, receivable, revenue right, investment contract-like right, asset-backed token or public fundraising token may therefore require separate securities-law analysis. A platform offering, listing, intermediating or advising on such tokens should assess SFC authorization, public-offering rules, market-infrastructure rules and custody requirements.

Tax treatment

DIAN treats cryptoassets as intangible assets for tax purposes. Cryptoassets can form part of a taxpayer’s patrimony and can generate taxable income.

DIAN’s 2026 doctrine states that PSAVs domiciled in Colombia or with operations in Colombia must report information for taxable year 2026 onward where users carry out operations involving conversion of legal tender to digital assets or digital assets to legal tender.

Users that are subject to exogenous-information reporting must also analyze payments, income, investments and crypto positions for reporting purposes.

DIAN doctrine indicates that sale of a cryptoasset is generally not VAT-taxed where the intangible asset is not associated with industrial property. However, intermediation services by exchanges, ATMs or similar providers for crypto purchase and sale can be VAT-taxable services.

Tax analysis should be performed separately from UIAF and SAGRILAFT compliance.

Travel rule and transaction information

Colombia’s current UIAF framework requires PSAV reporting to UIAF, including transaction reports, client reports, suspicious-operation reports and wallet/hash information. It should not be described as a full comprehensive VASP licensing regime.

Product teams should distinguish UIAF reporting from a full VASP-to-VASP travel rule transmission regime. Future Colombian regulation may develop further FATF Recommendation 15 implementation.

Regulatory outlook

Colombia remains in a transitional regulatory position. The country has official AML/reporting obligations for PSAVs, SAGRILAFT obligations for covered companies, tax reporting and official warnings from the SFC and Banco de la RepĂşblica. It does not yet have a comprehensive prudential VASP licensing framework.

New entrants should map their Colombian nexus, UIAF status, SAGRILAFT status, financial-rail structure, token classification, tax reporting, securities-law exposure, foreign-exchange treatment, consumer disclosures and data-protection obligations before launching.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started