On May 19, 2026, Law 2573 was enacted, establishing measures to protect individuals from negative reporting before information operators and debt collection in cases of identity theft before telecom operators, financial and/or credit institutions, and other commercial establishments.

The law imposes specific obligations on these entities, including: (i) adopting sufficient and reasonable digital security measures to verify individuals’ identity; (ii) suspending the collection of fraudulently acquired goods and services, including interest and collection costs; (iii) reporting to information operators by marking the data subject as a “victim of personal forgery” without impacting their credit score; (iv) filing a report with the DIAN to prevent tax-related harm to the impersonated individual; and (v) conducting internal investigations into potential involvement of the entity’s employees in the identity theft, among others. 

Additionally, the law imposes obligations on the impersonated individual, who must notify the entity, provide summary evidence of the impersonation, and file a criminal complaint before the Attorney General’s Office. Furthermore, if the entity fails to comply with the security protocols issued by the competent authorities, it must return the funds and/or eliminate the debts resulting from the fraud. 

The law also establishes a special procedure before credit bureaus: the source must compare documents within ten (10) business days and, upon finding discrepancies, request the modification of the negative record and include the legend “victim of personal forgery” in the data subject’s record, without this constituting a negative report or reducing their risk rating. 

The suspension of collection remains in effect until a final judicial decision is issued. The impersonated individual has twenty (20) business days to file the criminal complaint; failure to do so will allow the entity to resume collection. If the identity theft is confirmed, the individual will be exonerated from any collection and negative reporting. If not confirmed, the entity may resume collection with all accrued interest and charges. However, if the entity itself verifies the identity theft, it may exonerate the individual without requiring a criminal complaint. 

The law will enter into force within six (6) months following its enactment, except for the first and second paragraphs of Article 5, which enter into force upon enactment. The SIC and the SFC, in coordination with MinTIC, must regulate the service protocols within the same period.