SAGRILAFT 2026 in supplier management: what it requires from procurement and how to automate it

    TLDR

    SAGRILAFT (Colombia) requires companies supervised by Supersociedades above the threshold to operate a formal AML/CFT/CPF system. Suppliers are "counterparties", which makes procurement a critical compliance actor: onboarding, restricted-list screening, ongoing monitoring and document traceability. In March 2026 Supersociedades published the second draft that unifies SAGRILAFT and PTEE and replaces SMMLV with the UVB unit for thresholds. Automating supplier due diligence inside the procurement flow cuts compliance cost and removes the human errors that drive audit findings.

    What SAGRILAFT is and why procurement should care

    SAGRILAFT (the Colombian Self-Control and Integral Risk Management System for Money Laundering, Terrorism Financing and Weapons-of-Mass-Destruction Proliferation Financing) is the regime the Superintendence of Companies (Supersociedades) requires from real-sector firms to prevent their operations from being used as a vehicle for economic crime. It is set out in Chapter X of the Basic Legal Circular.

    What many procurement teams have not fully internalized is that SAGRILAFT is not just a Compliance Officer or legal matter. The regulation defines five risk factors — counterparties, products, activities, channels and jurisdictions — and suppliers are counterparties by definition. That means every new supplier onboarding, every contract renewal and every third-party payment runs, in practice, through the SAGRILAFT system.

    If procurement lacks formal processes to identify the supplier's ultimate beneficial owner, screen them against restricted lists and monitor changes in their risk profile, the company is exposed to sanctions, audit findings and, in serious cases, personal liability for directors.

    Who is obligated in 2026

    Whether the regime applies depends on sector and revenue/assets thresholds. As of 2026, the regulation differentiates between high-risk sectors (special regime) and the rest of the companies supervised by Supersociedades (general regime). Approximately 8,000 Colombian companies are currently obligated to implement SAGRILAFT.

    Sector | Applicable threshold | Required action
    Real sector supervised by Supersociedades | Total revenue equal to or above 40,000 SMMLV | Full SAGRILAFT implementation
    Specific sectors: real estate, legal, accounting, collections, building construction | By economic activity, with their own thresholds | Full SAGRILAFT implementation
    Companies below the threshold | Minimum Measures Regime (RMM) if applicable
    Foreign company branches, companies in reorganization or liquidation | Specific exceptions (check regime)

    Change in motion: Basic Legal Circular draft (March 2026)

    On 27 March 2026 Supersociedades published the second draft that structurally reforms the regime. The most relevant changes for procurement are:

    • Unification of SAGRILAFT and PTEE into a single integrated system: Self-Control and Risk Management System for ML/TF/PF and Local Corruption / Transnational Bribery.
    • Replacement of SMMLV with UVB (Basic Value Unit) as the threshold reference. The new proposed threshold is approximately 4,929,017 UVB in revenue or assets.
    • Mandatory Principal and Alternate Compliance Officer with formal experience requirements (minimum 1 year in risk management) and certifiable training.
    • Minimum permanence period of compliance programs of 2 years (1 year for the Minimum Measures Regime).

    Legal notice

    This content is informational and does not constitute legal advice. Whether SAGRILAFT applies to your specific company should be determined by your Compliance Officer or legal counsel based on the regulations in force at the time of consultation.

    The five SAGRILAFT obligations that fall on procurement

    This is the part legal guides rarely operationalize. Here is the mapping between the regulation's language and the concrete actions the procurement team must execute.

    1. Supplier identification and knowledge (KYS — Know Your Supplier)

    Before a supplier can receive purchase orders, procurement must:

    • Collect and validate legal documentation: chamber of commerce certificate, tax ID (RUT), financial statements, tax certifications.
    • Identify the supplier's ultimate beneficial owner — the natural person who ultimately owns or controls the company. Many companies skip this specific obligation.
    • Document the commercial reason for the relationship (which goods or services, at what volume and frequency).

    2. Restricted-list screening

    Each supplier — and, depending on risk level, also its ultimate beneficial owner and legal representatives — must be screened against:

    • OFAC lists (U.S. Treasury Office of Foreign Assets Control)
    • UN lists (Security Council resolutions)
    • European Union lists
    • Local lists and special-organization lists (Interpol, PEP, etc.)

    This screening is not one-and-done. It must be repeated periodically and re-triggered on any relevant change in the supplier.

    3. Risk segmentation and rating

    Not every supplier requires the same level of diligence. The regulation requires applying simplified, normal or enhanced due diligence (EDD) based on the supplier's risk profile, calculated from variables such as:

    • Operating jurisdiction
    • Economic activity
    • Transaction volume and frequency
    • Cash operations
    • Presence of Politically Exposed Persons (PEPs) in ownership or management

    The output is a segmentation matrix that defines, for example, that a supplier in a FATF non-cooperative jurisdiction requires quarterly monitoring, while a low-risk local supplier requires annual monitoring.

    4. Continuous monitoring and reporting of unusual operations

    Monitoring does not end at onboarding. Procurement must:

    • Detect significant changes in the supplier's transactional behavior (sudden spikes, bank account changes, corporate changes).
    • Report any unusual or suspicious operation identified in the procurement flow to the Compliance Officer.
    • Maintain documented evidence of every review performed.

    5. Traceability and audit archive

    Supersociedades can request documentary evidence of every step in the process. That means every decision to enable, block or request additional information from a supplier must be logged with date, owner and supporting documents. The regulation establishes minimum retention periods.

    Additionally, the company must annually file Report 75 (which integrated former Reports 50 and 52), reporting how its system operates. The quality of the information reported depends largely on the quality of the records procurement maintains throughout the year.

    Why Excel is not enough

    Loss of traceability

    When an auditor requests evidence of a supplier's restricted-list screening on a specific date, scattered files rarely survive staff rotations and folder reorganizations.

    Continuous monitoring is impossible

    Restricted lists update constantly. A manual check at onboarding does not guarantee the supplier remains clean six months later.

    Versioning and capture errors

    Expired documents, miskeyed data and missing fields generate audit findings and force costly rework.

    How to automate SAGRILAFT compliance in the supplier cycle

    Effective SAGRILAFT automation does not mean replacing the Compliance Officer. It means giving procurement a system that executes checks consistently, logs everything, and only escalates to humans what requires judgment.

    Supplier management software designed for SAGRILAFT should at minimum offer:

    • Self-service supplier portal where the supplier uploads its own documentation, keeps it current and signs the mandatory SAGRILAFT declarations (lawful source of funds, PEP declarations, etc.).
    • Automatic document validation (RUT, chamber of commerce and tax certificate expirations).
    • Restricted-list API integration running screening at onboarding and continuously.
    • Risk segmentation engine configurable to your Compliance Officer's policies.
    • Risk-conditioned approval workflows: a high-risk supplier auto-escalates to the Compliance Officer before being enabled.
    • Auditable log of every action with timestamp, user and supporting documents.
    • Automatic evidence generation for the annual Report 75.
    • Native ERP integration (SAP, Oracle, JDE, Siesa, World Office) to avoid duplicating supplier masters.

    Where Egixia fits

    Egixia is an orchestrator that connects to your existing ERP and resolves the processes the ERP does not execute well: the supplier relationship, document capture and validation, approval workflows and audit traceability. Layering AI agents that automate document reading, spend categorization and anomaly detection significantly reduces the operational compliance burden.

    One important caveat: no software, on its own, guarantees SAGRILAFT compliance. Responsibility still lies with directors and the Compliance Officer. What a well-designed system does is eliminate the operational cost of compliance, reduce human errors and leave clean evidence for audits.

    Common procurement mistakes with SAGRILAFT

    1. Confusing initial screening with continuous monitoring. Screening only at onboarding leaves the company exposed when that supplier's profile shifts months later.
    2. Not identifying the ultimate beneficial owner. Collecting the chamber of commerce certificate is not enough; you must reach the natural person controlling the company.
    3. Applying the same diligence to everyone. Risk segmentation is not optional, it is in the regulation.
    4. Centralizing all compliance on the Compliance Officer. If procurement does not run day-to-day controls, the Officer becomes an impossible bottleneck.
    5. Not documenting block decisions. When you reject a supplier, leave evidence of why. Audit will ask.

    Next step

    If your procurement team is currently running SAGRILAFT due diligence in Excel, email and SharePoint, it is worth sizing the cost in team-hours and audit exposure. A 30-minute conversation with our team can help estimate that cost and evaluate whether automating it makes sense.
