Legal 500 · Practice area

Compliance & Data Protection in Colombia.

SAGRILAFT, SARLAFT, SIPLAFT, and personal data protection.

Overview

Integrated counsel.

Design and implementation of corporate compliance programs: SAGRILAFT, SARLAFT, SIPLAFT, AML/CFT, RNBD, and personal data protection.

5 services covered

Services

How we work compliance & data protection.

01

SAGRILAFT / SARLAFT / SIPLAFT

02

AML/CFT programs

03

National Database Registry (RNBD)

04

Personal data protection

05

Compliance audits

Why CMC

Specialists, not generalists.

The difference with large firms is depth of attention; with solo practitioners, breadth of coverage.

  • 01

    Legal 500

    Independent recognition from the international Legal 500 directory — the highest tier in Business Law in Colombia, based on research with clients and peers.

  • 02

    Internationally trained

    Attorneys with master's degrees and specializations from Leiden, Madrid, and Germany — combined with deep knowledge of Colombian legal practice.

  • 03

    Preventive approach

    We anticipate risks before they become contingencies. Early counsel always costs less than late defense.

  • 04

    13 integrated areas

    Every legal decision crosses multiple disciplines. At CMC a single team covers them all — without re-explaining the case to each external specialist.

How we work

From inquiry to ongoing engagement.

A clear and transparent process designed to give you peace of mind from the first contact.

  1. 1

    Contact

    Briefly describe your situation through the form or WhatsApp. A specialist attorney will reach out within 24 business hours.

  2. 2

    Diagnosis

    We review the key documents and map the risks. We identify which additional legal areas the case crosses to handle it holistically.

  3. 3

    Action plan

    We present a plan with priorities, execution timelines, and defined fees before starting. No surprises, no hidden charges.

  4. 4

    Engagement

    We execute alongside your team and become your permanent legal partner — with proactive follow-up and ongoing preventive counsel.

Frequently asked questions

What clients ask us most.

Don't see your question? Reach out and a specialist attorney responds within 24 business hours.

  • 01

    Which companies must implement SAGRILAFT?

    +
    SAGRILAFT (Integrated AML Risk Management System) is mandatory for companies supervised by Supersociedades with revenue or assets above 30,000 minimum monthly wages, and for specific sectors (real estate, jewelry, exporters) regardless of size. Other Supers have equivalent systems (financial SARLAFT, insurance SIPLAFT). Proper implementation takes 3-6 months.
  • 02

    What is the difference between SAGRILAFT, SARLAFT and SIPLAFT?

    +
    SAGRILAFT: companies supervised by Supersociedades (real sector). SARLAFT: financial entities (Superfinanciera). SIPLAFT: insurance and reinsurance companies. The three share methodology (risk identification, due diligence, monitoring, training, compliance officer) but regulatory scope and reporting (UIAF) vary by sector.
  • 03

    What is the National Database Registry (RNBD)?

    +
    Mandatory registration with SIC for all companies processing personal data in Colombia of more than 100,000 individuals or qualifying as sensitive data. Annual renewal. Registration requires identifying databases, their source, purpose, processors and security mechanisms. Omission triggers fines up to 2,000 minimum monthly wages.
  • 04

    How to comply with Colombian data protection law?

    +
    Implement: published data treatment policy, prior authorization to process data (informed consent), procedures to handle data subject rights (access, rectification, deletion), technical and organizational security measures, processor contracts (DPAs), incident response protocol, and RNBD registration if applicable. Annual audit prevents penalties.
  • 05

    What is an AML/CFT program?

    +
    Anti-Money Laundering (AML) and Counter-Terrorism Financing (CFT) prevention program. Includes: risk matrix by customer, product and geography; enhanced due diligence (EDD) for PEPs and high-risk; transactional monitoring; UIAF reporting (SARs, cash transactions); certified compliance officer. Required for regulated sectors, expected in multinationals.
  • 06

    What penalties apply for noncompliance?

    +
    Company fines: up to 100,000 minimum monthly wages (Supersociedades), up to 200,000 (Superfinanciera). Personal fines to compliance officer and legal representatives. Suspension of economic activity in severe cases. License loss for supervised entities. Self-disclosure or repeat offenses change the penalty significantly.

Related areas

Compliance & Data Protection often intersects with these other areas.

Request a consultation

Need counsel on compliance & data protection?

Briefly describe your case. An attorney from the team will contact you within 24 business hours to schedule an evaluation session.