
Superintendencia Financiera meets cloud: What every CTO in the Colombian financial sector needs to know in 2026
As we’re sure you’re aware, the Colombian Superintendencia Financiera (SFC) doesn’t just regulate financial products. It also audits technology infrastructure and is doing so with increasingly strict criteria.
With the recent issuance of the ‘Circular Básica Financiera’ (C.E. 004/2026) and the new mandatory ‘finanzas abiertas’ framework (Decree 0368/2026), the technological bar that banks, fintechs and PSPs in Colombia must meet has just been raised considerably.
The problem? Most entities have gaps in their infrastructure. Many don’t realise this until it’s too late – the audit arrives.
Luckily, if you’re a CTO, CIO, CISO or technical lead within the Colombian financial sector who wants to understand exactly what the SFC checks, don’t go anywhere.
By the end of this article, you’ll have a better understanding of which infrastructure architecture best fits the SFC requirements, and where to start if you currently have outstanding issues.
Specifically, it covers:
Let’s dive in!
What is the Superintendencia Financiera, and what does it have to do with your infrastructure?
The Colombian Superintendencia Financiera (SFC) is the governing body responsible for supervising, inspecting and regulating the entire Colombian financial system. This includes traditional banks, financial corporations, cooperatives, finance companies, insurance companies, pension fund managers, and also fintech firms operating within its regulatory remit.
Its mandate is not limited to reviewing balance sheets and capital. The SFC has the power to audit the operational soundness of a regulated entity, which includes its technological infrastructure, its business continuity plans, and its contracts with critical service providers, including cloud providers.
Since Circular Externa 005 of 2019, the SFC has formalised specific instructions on the use of cloud computing services. In recent years the framework has evolved: for example, CE 004/2024 defined the architectural standards for ‘finanzas abiertas’, CE 014/2022 reinforced business continuity requirements, and the new Circular Básica Financiera (CE 004/2026) consolidates much of this regulation into a single body of rules.
Simply put, if the SFC audits your organisation and finds that your infrastructure is non-compliant, it may impose sanctions, demand immediate remediation or, in serious cases, restrict your operations. And this is precisely what you want to avoid.
What does the SFC actually audit when it reviews your IT infrastructure?
When the SFC carries out a technology inspection, it’s not checking whether you have the most up-to-date servers. It’s verifying that your infrastructure ensures operational continuity and the protection of financial consumers’ data. Namely, a…
Business Continuity Plan (BCP): documented, approved and tested.
It is not enough to have a BCP in a PDF document. The SFC requires that the plan:
- Is approved by the relevant body (for example, the company board)
- Has passed all required tests
- Is known back-to-front by the relevant users
This includes contingency procedures for system failures, operational alternatives, and protocols for returning to normal operations.
And this is where two concrete metrics come into play: RTO and RPO.
- RTO – Recovery Time Objective (maximum tolerable downtime)
- RPO – Recovery Point Objective (maximum acceptable data loss)
We’re highlighting this not as a best practice, but because there is a clear list of SFC requirements stated at the contractual level specifically for cloud services, one of which is the BCP.
10 minimum requirements for cloud contracts
Circular Externa 005/2019 stipulates that any contract with a cloud computing service provider must, as a minimum, cover:
- Who is the contract with? The identity of the cloud provider, as well as any third party involved in the provision of the service.
- What data and processes are stored in the cloud? There must be a clear inventory of which applications, processes and types of data are stored and managed under that contract.
- Where is your data physically located? Specifically, the exact region or data centre where the information is held.
- Does the provider possess the valid certifications? They must, at a minimum, hold an active ISO 27001 security certification throughout the duration of the contract. Although not mandatory, it is also recommended that certifications such as ISO 27017 and ISO 27018 are in place as well.
- Can you audit the provider? The organisation, the SFC or external auditors must have a contractual right to carry out security and compliance inspections whenever required.
- What happens if there is a service outage? SLAs must be defined, with at least 99.95% availability, as well as response times and clear compensation if these are not met.
- How does the provider protect your data? There must be documented technical protocols: encryption, key management and methods that prevent data leaks.
- What happens in the event of an incident? The contract must include business continuity plans with defined RTOs and RPOs, not just as targets but as part of a contractual obligation.
- Can you terminate the contract without data loss? There should be clauses stating that when a contract ends, all information is fully extracted and securely deleted.
- Is your data kept separate from that of other customers? The provider must guarantee effective data segregation and ensure that any international data transfers comply with the relevant Colombian regulations.
Since then, the recent Decreto 0368/2026 on mandatory ‘finanzas abiertas’ has added a further layer:
Data sovereignty and localisation
To be clear: the SFC does not prohibit the use of international cloud providers.
However, it does require that entities maintain effective control over their data, can access it at any time, and ensure that Colombian consumers are protected under local regulations (Laws 1266/2008 and 1581/2012).
Additionally, the Decree 0368/2026 on mandatory ‘finanzas abiertas’ adds a layer: data circulating within the ‘finanzas abiertas’ system must be handled in accordance with technical standards defined by the SFC, using interoperable APIs and auditable security protocols.
This has direct implications for where and how information is processed.
If you need better understanding of whether you’re compliant with these decrees and laws, we recommend you contact your legal department.
Now that we’ve got a general understanding of what the SFC is seeking, let’s explore in greater depth the different cloud models and how they may (or may not) be suitable for the requirements of an audit in 2026 and beyond.
Public, private or hybrid cloud: which one meets the SFC’s requirements?
The short answer: it depends. But not public cloud alone.
One thing is clear: the choice of architecture is no longer just a technical one. In the Colombian financial sector, the SFC’s regulatory framework sets out specific limits that make certain options more viable than others, especially when it comes to critical workloads.
Although the regulation does not specify it in precise terms, it all comes down to sound business management that also prioritises the consumer. Which, when you think about it, is a win-win situation.
Public cloud
Using a public cloud may make sense for development, testing or non-regulated workloads, but for critical workloads in the financial sector it is not a suitable option.
For mission-critical systems, it presents significant regulatory hurdles: standard contracts rarely cover the 10 minimum requirements of Circular Externa 005/2019 without negotiations that few medium-sized entities can achieve.
Data sovereignty is the most critical issue here: when data is processed in international regions, the audit and effective control required by the SFC become difficult to demonstrate.
And in the event of an incident, traceability and access to logs may not be guaranteed under the default contractual terms.
Private cloud (with sovereign colocation)
This is the option most naturally aligned with the SFC’s requirements. The institution retains full control over its data, the infrastructure falls under Colombian jurisdiction, the SLAs are contractually enforceable, and the RTOs/RPOs are predictable and auditable.
For core systems (core banking, payment processing, risk management and the like), this model eliminates regulatory ambiguities.
It also facilitates inspections: when the SFC requests evidence of controls, the organisation can respond with direct documentation without relying on an international third party.
Hybrid cloud infrastructure
This is the logical evolution for organisations that need to combine strict compliance for their critical systems with flexibility for complementary workloads.
The correct design is based on a clear premise: regulated data and systems run on sovereign infrastructure in Colombia; non-critical services can operate with greater flexibility.
This model does not sacrifice compliance for agility; it strategically separates them.
Jorge Mejía, Solutions Architect at Ilkari, sums it up as follows: ‘The organisations that close their regulatory gaps most quickly are those that separate their workloads according to their criticality. Not everything needs to be on-premise, but core financial data does need to be on infrastructure where the organisation has real and auditable control.’
The important thing is to choose the architecture that is suitable for your project AND that allows you to demonstrate to the SFC that you have real control over your data, your business continuity and your contracts with third parties.
Example: A sovereign data centre in Colombia, with ISO 27001 and ICREA Level IV certifications, can serve as the anchor for that hybrid strategy. Critical systems are hosted there, with clear contractual SLAs and under Colombian jurisdiction. Other complementary services can operate from the cloud with greater flexibility.
TL;DR: here’s a quick run-down of what to do, and how to move forward with cloud infrastructure, all while staying SFC compliant ahead of that audit.
The 90 days before an audit: where to start?
If there are gaps today, the most useful thing is a clear order of priority. These are the four actions we recommend implementing over the next 90 days:
1. Review and update the Business Continuity Plan.
Does it exist? Was it approved by the board? Has it been tested in the last 12 months?
If the answer to any of these questions is ‘no’ or ‘I don’t know’, start here.
This is the most common gap, and the one that carries the most weight in an SFC inspection.
2. Audit contracts with cloud providers.
Compile an inventory of all your current cloud service providers and check each one individually to ensure the contracts meet the minimum requirements of CE 005/2019.
If they do not meet these requirements, or if there are no formal contracts, this constitutes a direct regulatory exposure.
3. Document RTOs and RPOs for each critical system.
Define what constitutes a critical system within your organisation, set recovery objectives for each one, and verify that your current infrastructure can meet them. This must be demonstrated through documented evidence.
4. Assess the data sovereignty of your mission-critical workloads.
- Do you know exactly where your customers’ data is stored and processed?
- Do you have contractual control over it?
- Is it under Colombian jurisdiction or in international regions without specific agreements?
This last point is particularly relevant under the new ‘finanzas abiertas’ framework.
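As an added example (not from the original article or from Ilkari), the Python script below shows one way to turn step 3 into documented evidence: for each critical system it compares the documented RTO and RPO targets with what the backup history and the last restore drill actually show, and it also computes the monthly downtime budget implied by the 99.95% availability floor from the contract checklist. All system names, targets, timestamps and the one-year drill window are constructed assumptions, not figures from the article.

```python
# Added example: RTO/RPO and SLA evidence check. All systems, targets and
# timestamps below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CriticalSystem:
    name: str
    rto_target: timedelta                            # maximum tolerable downtime
    rpo_target: timedelta                            # maximum acceptable data loss
    backups: list[datetime] = field(default_factory=list)  # completion times of successful backups
    drill_restore_time: timedelta | None = None      # measured restore duration in the last DR drill
    last_drill: datetime | None = None               # when that drill took place


def achieved_rpo(backups: list[datetime]) -> timedelta | None:
    """Worst-case data loss implied by the backup history: the largest gap between
    two consecutive successful backups. None when there is no usable evidence."""
    if len(backups) < 2:
        return None
    ts = sorted(backups)
    return max(later - earlier for earlier, later in zip(ts, ts[1:]))


def availability_pct(downtime: timedelta, period: timedelta) -> float:
    """Availability over a period, as a percentage."""
    return 100.0 * (1.0 - downtime / period)


def downtime_budget(availability_target_pct: float, period: timedelta) -> timedelta:
    """Maximum cumulative downtime that still meets the target over the period."""
    return period * ((100.0 - availability_target_pct) / 100.0)


def assess(system: CriticalSystem, now: datetime,
           drill_max_age: timedelta = timedelta(days=365)) -> dict:
    """Compare documented targets with recorded evidence and list every gap found."""
    findings: list[str] = []
    rpo = achieved_rpo(system.backups)
    if rpo is None:
        findings.append("RPO: no backup history on record")
    elif rpo > system.rpo_target:
        findings.append(f"RPO: worst backup gap {rpo} exceeds target {system.rpo_target}")
    if system.drill_restore_time is None or system.last_drill is None:
        findings.append("RTO: no documented restore test")
    else:
        if system.drill_restore_time > system.rto_target:
            findings.append(f"RTO: measured restore {system.drill_restore_time} "
                            f"exceeds target {system.rto_target}")
        if now - system.last_drill > drill_max_age:
            findings.append("RTO: last restore test is older than the review window")
    return {"system": system.name, "achieved_rpo": rpo,
            "compliant": not findings, "findings": findings}


# Constructed evidence for two hypothetical systems.
NOW = datetime(2026, 3, 1, 12, 0)
CORE_BANKING = CriticalSystem(
    name="core-banking",
    rto_target=timedelta(hours=2),
    rpo_target=timedelta(minutes=15),
    backups=[datetime(2026, 3, 1, 8, 0), datetime(2026, 3, 1, 8, 15),
             datetime(2026, 3, 1, 8, 30), datetime(2026, 3, 1, 9, 15),
             datetime(2026, 3, 1, 9, 30)],          # one 45-minute gap: misses the RPO
    drill_restore_time=timedelta(minutes=90),
    last_drill=datetime(2025, 12, 10),
)
PAYMENTS = CriticalSystem(
    name="payments",
    rto_target=timedelta(hours=1),
    rpo_target=timedelta(minutes=5),
    backups=[datetime(2026, 3, 1, 8, 0) + timedelta(minutes=5 * i) for i in range(12)],
)                                                   # RPO fine, but no DR drill on record


def report(systems: list[CriticalSystem], now: datetime = NOW) -> list[dict]:
    return [assess(s, now) for s in systems]


if __name__ == "__main__":
    for result in report([CORE_BANKING, PAYMENTS]):
        print(result)
    month = timedelta(days=30)
    print("downtime budget at 99.95% over 30 days:", downtime_budget(99.95, month))
    print("availability with 35 min of downtime:",
          round(availability_pct(timedelta(minutes=35), month), 3), "%")
```

The output of `report` is the kind of artefact an inspector can read directly: each system, the worst-case data loss actually observed, and the specific reason a target is not met. Note that the RPO check uses the largest gap between backups rather than the scheduled interval, because a missed or failed job is exactly what turns a documented target into an undocumented exposure.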
Navigating cloud infrastructure, for 2026 and beyond
The SFC’s regulations are not the obstacle. They are the roadmap. Organisations that understand exactly what the Superfinanciera requires of their technology infrastructure have a huge advantage: they can build their cloud architecture, be that private or hybrid, with clear criteria, avoid surprises during audits and, at the same time, offer more resilient services to their customers.
A hybrid cloud infrastructure with a sovereign anchor in Colombia is not just a viable technical option. In the current regulatory context, it is a smart architectural choice for a Colombian financial institution that wants to grow without compromising compliance.
Want to dig deeper?
If, after reading this article, you’d like a comprehensive analysis of the gaps that the SFC is already auditing, complete with metrics, examples and a framework for closing them, you can download our white paper (available in Spanish only):
It is a practical guide for CTOs, CIOs and CISOs in the Colombian financial sector. No unnecessary theory. Featuring technical and regulatory criteria, plus a concrete action plan.


