By means of Carta Circular 0014 de 2026, the Financial Superintendence of Colombia (hereinafter, the “SFC”) reminded supervised entities of the main regulatory obligations that apply when they outsource processes or activities related to the provision of financial services.
The SFC reiterated that, although outsourcing may contribute to improving operational efficiency and facilitating access to specialized providers, this practice also entails risks that must be adequately managed by supervised entities, which always remain responsible for the services provided to financial consumers.
In this regard, the SFC highlighted the following regulatory obligations applicable to supervised entities, including insurance companies:
- Instructions set forth in the Basic Legal Circular (“CBJ”)
The SFC recalled that Part I, Title II, Chapter I of the CBJ requires supervised entities to incorporate, within their information management policies and procedures, minimum security and information quality criteria and requirements applicable to the information handled through the channels and instruments used to provide financial services.
Likewise, the SFC mentioned that individuals or legal entities participating in outsourcing arrangements must comply with the requirements set forth in Section 2.3.6 of Part I, Title II, Chapter I of the CBJ, particularly when they:
  - participate, wholly or partially, in the operation or management of the channels or devices used for the provision of financial services; or
  - have access, in connection with the outsourced activity, to confidential information of the supervised entity or its clients.
- Instructions set forth in the Basic Accounting and Financial Circular (“CBCF”)
The SFC also recalled that the CBCF allows the outsourcing of processes or activities, provided that such outsourcing does not imply the delegation of professional responsibility.
Likewise, pursuant to Section 4.3.1.3.1 of Chapter XXXI, Part II of the CBCF, supervised entities must comply, among others, with the following requirements to outsource their functions:
  - Conduct a risk analysis of the processes and activities to be outsourced.
  - Understand the operational risk associated with outsourced processes and/or activities.
  - Adopt effective policies to incorporate, within their risk management strategy, the risks related to outsourcing.
  - Identify, among the outsourced processes, those that may be considered critical for the entity.
Where processes or activities are identified as critical, the regulation establishes additional obligations regarding control, monitoring, and risk management.
- Information security and cybersecurity obligations
With respect to minimum information security and cybersecurity requirements, the SFC recalled that Section 3.9 of Part I, Title IV, Chapter V of the CBJ requires that agreements entered into with critical third parties include the measures and obligations necessary to adopt and comply with information security and cybersecurity risk management policies. These obligations are intended to ensure that contracted third parties adopt appropriate information protection standards and that the risks associated with outsourcing are adequately mitigated.
- Obligations arising from Law 1328 of 2009
Finally, the SFC recalled that, pursuant to Article 3(a) of Law 1328 of 2009, the relationships between supervised entities and financial consumers must be governed by the principle of due diligence. This principle requires entities to act with the necessary care when offering products and providing financial services, ensuring that financial consumers receive sufficient information, adequate assistance, and respectful treatment throughout all stages of the contractual relationship.
Accordingly, even when certain activities are carried out through third parties, supervised entities must ensure that such providers act in accordance with these standards and that the services provided maintain the levels of quality and protection required under financial regulation.