Comprehensive Self-Control and Risk Management System for Money Laundering, Terrorist Financing and Financing the Proliferation of Weapons of Mass Destruction (SAGRILAFT/FPADM)

Document No: M-GDR-01
Version: 04
Date: 04/08/2022
Written by: Compliance Officer
Revised by: Victor Hugo Riaño, Compliance Officer, 10/06/2022
Approved by: Felipe Villa Murra, Legal Representative, 28/07/2022



Change history

Date | Version | Author | Description
18/03/2019 | 02 | Luz Silva | Change of company name to Sophos Solutions
19/03/2020 | 03 | Juan Álvarez | Corporate logo update
04/08/2022 | 04 | Victor Riaño | General update of the manual in line with the Superintendencia de Sociedades, adding all considerations for “FPADM”


We are a Colombian multinational company created in 2007 by investors and visionaries from India. Sophos Solutions is a simplified stock company (S.A.S., by its acronym in Spanish) offering Consulting, Core Banking Implementation, Testing Factory and Software Factory services, primarily for financial and stock market companies. We are currently a company of Advent International.

At SOPHOS, we specialize in IT products and services for the financial sector, offering solutions for Banking Core, Digital Channels, Capital Markets, Risk, Comprehensive Information Management and Data Analysis.

Sophos has a presence in more than 12 countries of the Americas, covering North, Central and South America. We currently have offices in Colombia, Mexico, Panama, the United States and Chile, and more than 14 years of experience in IT solutions, always working with partners specialized in different services and technologies. To gain greater access to national and international markets, the company establishes working relationships with specialized collaborators from all over the world, working remotely and under other modes of operation such as NearShore (remote work within Latin America), OffShore (remote work from other continents) and Inside (work at the customer's site).

Considering the company's growth, the Colombian parent company exercises direct control over its subsidiaries in Panama, Mexico and Chile and indirect control over its subsidiary in the United States; administration is centralized. However, for the proper and timely performance of functions, powers are delegated to natural or legal persons as needed.

SOPHOS SOLUTIONS S.A.S. implements the Comprehensive Self-Control and Risk Management System for LA/FT/FPADM (hereinafter SAGRILAFT, by its acronym in Spanish) with the aim of having policies, procedures, controls and other mechanisms that protect the company from being used, by any means, for money laundering, terrorist financing or the financing of the proliferation of weapons of mass destruction, since such actions represent a risk to the stability and integrity of the company.

The LA/FT/FPADM Comprehensive Risk Management and Self-Control System applies to all Sophos Solutions collaborators, including the parent company, its subsidiaries and all related parties, interest groups, partners and business partners, understood as customers, strategic allies, business allies, contractors, consultants, subcontractors, domestic and international suppliers, advisors, representatives, intermediaries, investors, licensors, lessors and their equivalents in the countries where the subsidiaries operate; in general, to all those with whom any business or contractual relationship is established, directly or indirectly.

It applies to all internal processes that present risk factors related to money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction (LA/FT/FPADM, by its acronym in Spanish).
3.4 AIMS
The objective of this system is to prevent, detect and mitigate in a timely manner operations through which Sophos Solutions and its subsidiaries could be used for money laundering, terrorist financing or the financing of the proliferation of weapons of mass destruction.
  • Apply procedures to inform current and potential counterparties.
  • Create reporting and inquiry channels that are available to collaborators.
  • Develop training to publicize the SAGRILAFT/FPADM Policy, as well as the role of each collaborator in preventing LA/FT/FPADM crimes in the organization.
  • Build a sanction regime for when the policy or procedures of this manual are not complied with.
  • Describe the policies, procedures, documents, and other tools that the company will use for the comprehensive risk management of LA/FT/FPADM.
For the purposes of this manual, all definitions are understood as established in Circular 100-000016 of December 24, 2020 of the Superintendencia de Sociedades of Colombia. In addition, the following definitions apply:

Unlawful activities: Conduct or activities that under an existing rule are unlawful, that is, against the law.

Close Associate: Legal persons whose administrators, shareholders, controllers or managers are Politically Exposed Persons, that have constituted autonomous or fiduciary assets for the benefit of such persons, or with which such persons maintain business relations.

Attempted or rejected operation: Arises when the intention of a natural or legal person to carry out a suspicious operation becomes known, but the operation is not completed, either because the person desists when attempting it or because the established controls do not allow it to proceed. Only attempted or rejected operations that have the characteristics of a suspicious operation are to be reported.

Non-Cooperating Countries and High-Risk Jurisdictions: The list, as defined by the Financial Action Task Force (FATF), of jurisdictions that do not meet international standards for combating money laundering and terrorist financing, taking into account the degree of political commitment of their authorities to address the identified deficiencies.

PEP (Politically Exposed Persons): Public servants of any system of job nomenclature and classification of the national and territorial public administration who, in the positions they hold, have under their direct responsibility or by delegation, within the functions of their area or of their post, the general direction, the formulation of institutional policies, the adoption of plans, programs and projects, or the direct management of assets, money or securities of the State. Such management may take place through expenditure management, public procurement, management of investment projects, payments, settlements, or the administration of movable and immovable property. The term also includes foreign PEPs and PEPs of international organizations.

PEP (Publicly Exposed Persons): Those who, because of their activities, have national and/or international recognition; for example, prominent lawyers, senior executives, architects, athletes, celebrities, members of the military and police forces, civil servants, judges, politicians, registrars and prominent religious figures.

Warning Signs: The particular facts and circumstances surrounding the transactions of each third party with which the Company relates which, when subjected to careful and detailed study, allow a possible LA/FT/FPADM situation to be identified preventively. Operations identified in this way are classified as unusual or suspicious.


SAGRILAFT is divided into two phases:
  1. Prevention phase: Sophos Solutions will take the measures at its disposal to avoid being used to carry out activities contrary to its principles and to SAGRILAFT/FPADM. These measures include:
    • Counterparty risk analysis processes
    • Identification and reporting of warning signs
    • Identification of risks

  2. Control phase: Sophos Solutions will implement the tools at its disposal to identify all operations, carried out or attempted, that are against the law and associated with LA/FT/FPADM activities.
The stages of risk management described below are systematic, interrelated steps for managing LA/FT/FPADM risk.
For the identification of the Inherent Risk, Sophos will consider any Risk Factor, internal or external, associated with its activity or with entry into new markets. The Company considers the context of its business, the jurisdictions and regions in which it operates, and the counterparties with which it interacts.

Identification is carried out in accordance with the Risk Assessment Guide, item 5.1 Risk identification. The due diligence process may also identify risks.

The risk identification process is led by the risk department of the company, with the participation of the compliance officer and the members of the evaluated processes.
At this stage, the probability of occurrence of each LA/FT/FPADM risk and the impact of its materialization are assessed.

Measurement is carried out in accordance with the Risk Assessment Guide, item 5.2.1 Determination of inherent risk, sections a) probability and b) impact.

The risk measurement process is led by the risk department of the company, with the participation of the compliance officer and members of the processes evaluated.
LA/FT/FPADM Risk controls are applied according to the results of the previous stages in order to establish the Company's Residual Risk profile. The objective is to mitigate the risk by taking the measures needed to reduce the probability of occurrence and/or the impact to which Sophos is exposed. The Company plans the assessment and the types of controls according to those listed in the Risk Assessment Guide, item 3.2.2.

The control design process is led by the risk department of the company, with the participation of the compliance officer and the members of the evaluated processes. Controls are executed by each of the processes where risks are identified and specified in the risk matrix.
  • The Compliance Officer will monitor the System to assess the timeliness, effectiveness and efficiency of the controls, ensuring that they are comprehensive and address all identified LA/FT/FPADM Risk Events; this assessment is carried out annually. The Company's employees must constantly monitor their own activities to confirm that no LA/FT/FPADM risk situations exist and that the controls applied operate in a timely, effective and efficient manner. Any deviation shall be reported to the Compliance Officer.
  • Monitoring is carried out by the Compliance Officer with the collaboration of the process leaders; its purpose is to apply and suggest the corrective actions and adjustments needed to ensure effective management of LA/FT/FPADM Risk.
  • The Compliance Officer will then evaluate the monitoring and its results and, together with the process leaders, submit proposals for improvement and for treatment of the situations detected to the Legal Representative and the Board of Directors.
  • The statutory auditor also conducts periodic reviews to facilitate the detection and correction of SAGRILAFT/FPADM deficiencies, and communicates the results to the Board of Directors, the Legal Representative and the Compliance Officer. On the basis of these reviews, the Compliance Officer will conduct an assessment and take appropriate action on the reported deficiencies.
  • The Risk team holds monthly follow-up meetings with the different areas, focusing on the due diligence carried out by the areas where LA/FT/FPADM and bribery and corruption risks are identified.
  • The LA/FT/FPADM risk profile is presented quarterly to the Legal Representative and every six months to the Board of Directors for monitoring.
The elements that make up the SAGRILAFT/FPADM are the following:
  • Design and Approval
  • Compliance and Audit
  • Outreach and Training
  • Assignment of responsibilities to managers and other generalities
  • The design of the SAGRILAFT/FPADM must consider the characteristics of the Company and its activity, as well as the identification of the LA/FT/FPADM risk factors. The Compliance Officer is responsible for the design.
  • The Company must have risk matrices and must update them progressively; this activity is led by the risk management team. Risk control, however, is the responsibility of each process.
  • The Board should provide the necessary operational, financial, physical, technological resources to enable the Compliance Officer to carry out his or her duties in an appropriate manner.
  • The SAGRILAFT/FPADM must be presented by the Legal Representative and the Compliance Officer to the SOPHOS Board of Directors, which must approve it and its updates.
  • The formalization of SAGRILAFT/FPADM must comply with the standard process of document management of the company, led by the quality area in such a way as to ensure that the measures of SAGRILAFT/FPADM are consistent with the management system of the organization. The compliance officer is responsible for submitting this document for document management.
  • The design of the SAGRILAFT/FPADM must address the consequences of non-compliance with this manual, the policy or the established provisions. Such consequences are established by the Compliance Officer after approval by the Human Resources department and the Presidency.
  • The Board of Directors shall appoint a Compliance Officer, responsible for ensuring the audit and verification of compliance with SAGRILAFT/FPADM. The designated officer must meet the requirements set out in Chapter X of Basic Legal Circular 100-000016 of the Superintendencia de Sociedades of Colombia.
  • Internal audit and statutory auditor will execute the audit to SAGRILAFT/FPADM ensuring the necessary competencies of the auditors for this activity.
  • SAGRILAFT/FPADM should be audited at least once a year, led by the internal audit team.
  • The compliance officer shall submit a compliance report to the board on a semi-annual basis and to the legal representative and/or president on a quarterly basis.
  • SOPHOS will maintain a permanent training program aimed at all collaborators of the Company, in order to spread the culture of prevention and detection of LA/FT/FPADM and compliance with the policy, including training at the onboarding of new collaborators and of third parties involved with the Company. The Compliance Officer is responsible for the design and implementation of the training plan.
  • Managers and leaders of areas in which LA/FT/FPADM risks are identified must know and implement the SAGRILAFT/FPADM policy, ensuring the transparency of the process, and must involve the Risk department when warning signs are found. Accordingly, the communication and training plan must include training specific to their risks and warning signs.
  • Partners with access to information provided by counterparties, as well as those responsible for carrying out due diligence processes, must make responsible use of the platforms and other technical resources the Company provides for these activities. The SAGRILAFT/FPADM will be disclosed internally and externally: the Company will communicate and report on the policy to workers, contractors, subordinate companies, clients and suppliers. The frequency of this communication may not be less than that required by the Basic Legal Circular, which is at least once a year. This activity is the responsibility of the Compliance Officer.
  • The roles and responsibilities for each of the policies, elements and stages of SAGRILAFT/FPADM are assigned in sections 4.2 and 4.3 of this manual, where each item has its own responsible party.
  • A job profile shall be created for the Compliance Officer that covers at least the legal requirements set out in Chapter X of Basic Legal Circular 100-000016 of the Superintendencia de Sociedades. The Talent Acquisition department is responsible for creating the profile and may seek advice from the persons or departments it deems necessary.

BOARD OF DIRECTORS
  1. Establish and approve for the Company an LA/FT/FPADM Policy.
  2. Approve the SAGRILAFT and its updates, submitted by the Legal Representative and the Compliance Officer.
  3. Approve the SAGRILAFT procedure manual and its updates.
  4. Select and designate the Compliance Officer and his or her respective deputy, as appropriate.
  5. Analyze in a timely manner the reports on the operation of SAGRILAFT and the proposals for corrective actions and updates submitted by the Compliance Officer, and take decisions on all the issues addressed therein. This shall be recorded in the minutes of the relevant body.
  6. Analyze in a timely manner the reports and requests submitted by the Legal Representative.
  7. Take a decision on the reports submitted by the statutory auditor or the internal and external audits, which relate to the implementation and operation of SAGRILAFT, and follow up on the observations or recommendations included. Such follow-up and its periodic progress should be noted in the relevant records.
  8. Order and guarantee the technical, logistical and human resources necessary to implement and maintain SAGRILAFT, according to the requirements for this purpose made by the Compliance Officer.
  9. Set the criteria for approving the Counterparty linkage when it is a PEP.
  10. Establish guidelines and determine those responsible for carrying out audits on the compliance and effectiveness of SAGRILAFT/FPADM, if so determined.
  11. Verify that the Compliance Officer is available and capable to perform his or her duties.
  12. To establish that the Obliged Company, the Compliance Officer and the leg

DUTIES OF THE LEGAL REPRESENTATIVE
  1. Present with the Compliance Officer, for approval by the board of directors or the highest social body, the proposal of SAGRILAFT/FPADM and its updates, as well as its respective manual of procedures.
  2. Review the results of the LA/FT/FPADM Risk Assessment conducted by the Compliance Officer and establish appropriate action plans.
  3. Efficiently allocate the technical and human resources, as determined by the board of directors or the highest social body, necessary to implement SAGRILAFT.
  4. Verify that the Compliance Officer is available and capable to perform his or her duties.
  5. Provide effective, efficient, and timely support to the Compliance Officer in the design, direction, supervision and monitoring of SAGRILAFT.
  6. Submit to the board of directors or the highest social body, reports, requests, and alerts that it considers should be dealt with by those bodies and that are related to SAGRILAFT.
  7. Ensure that the activities resulting from the development of SAGRILAFT are properly documented, so that the information meets criteria of integrity, reliability, availability, compliance, effectiveness, efficiency and confidentiality.
  8. Certify to the Superintendencia de Sociedades compliance with the provisions of Chapter X, when required by that Superintendency.

DUTIES OF THE COMPLIANCE OFFICER
  1. Ensure effective, efficient, and timely compliance with SAGRILAFT.
  2. Submit reports at least once a year to the board of directors or, failing that, to the highest social body. At a minimum, the reports shall contain an evaluation and analysis of the efficiency and effectiveness of SAGRILAFT and, where appropriate, propose the respective improvements. They shall also show the results of the Compliance Officer's management and, in general, of the Company's administration in complying with SAGRILAFT.
  3. Promote the adoption of corrective measures and updates to SAGRILAFT, when circumstances require and at least once every two (2) years. To this end, it must submit to the board of directors or to the highest social body, as the case may be, the proposals and justifications for the corrections and updates suggested to SAGRILAFT.
  4. Coordinate the development of internal training programs.
  5. Evaluate reports submitted by the internal audit or by someone performing similar functions or acting in their stead, and reports submitted by the statutory auditor or external audit, if any, and take reasonable action to address reported deficiencies. If the measures to be taken require the authorization of other bodies, it shall encourage the bringing of such matters to the attention of the competent bodies.
  6. Certify to the Superintendencia de Sociedades compliance with the provisions of Chapter X of its Basic Legal Circular.
  7. Verify compliance with the Due Diligence and Intensified Due Diligence procedures applicable to the Company.
  8. Ensure the proper archiving of documentary media and other information relating to the management and prevention of LA/FT/FPADM risk, and design the methodologies for classification, identification, measurement and control of LA/FT/FPADM Risk that form part of SAGRILAFT.
  9. Submit suspicious operation reports (ROS) to the UIAF, and any other report required by current regulations, as established therein.

COLLABORATORS
  1. Comply with the manual, policy and other instructions pertaining to self-control and comprehensive risk management of money laundering, terrorist financing, financing of the proliferation of weapons of mass destruction (LA/FT/FPADM) – SAGRILAFT.
  2. Participate in the training, awareness-raising, testing and other activities to which they are invited.
  3. Refrain from authorizing, motivating, approving, participating in or tolerating breaches of this policy.
  4. Report through the channels established by the company any breach of this policy.
  5. Refrain from retaliating, directly or indirectly, or encouraging others to do so, against any other collaborator for reporting a suspected breach of this policy.

STATUTORY AUDITOR
  1. Report Suspicious Operations to the UIAF when they become aware of them in the ordinary course of their work.
  2. Request a user and password for SIREL, managed by the UIAF, for the submission of ROS.
  3. Report to the criminal, disciplinary and administrative authorities the alleged commission of offences against the economic and social order, such as money laundering, detected in the exercise of their duties. They must also report these facts to the corporate bodies and to the company's management.

COMPLIANCE COMMITTEE
  1. Recommend action plans in cases related to the findings made by the control bodies to SAGRILAFT/FPADM.
  2. Keep confidential the information that its members learn in the course of their duties in the field of SAGRILAFT/FPADM.
  3. Review beforehand the policies, manuals and/or instructions, and their updates, relating to the prevention of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction (LA/FT/FPADM) – SAGRILAFT/FPADM, prior to their approval by the highest social body.
  4. Follow up on the different practices aimed at preventing money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction (LA/FT/FPADM) – SAGRILAFT/FPADM.

INTERNAL AUDIT
  1. Include within their annual audit plans the review of SAGRILAFT’s effectiveness and compliance, in order to provide a basis for both the Compliance Officer and the management of the Obliged Company to determine the existence of SAGRILAFT’s deficiencies and possible solutions.
  2. The results of internal audits shall be communicated to the Legal Representative, the Compliance Officer and the Board of Directors.

INCOMPATIBILITY OF GOVERNING BODIES

In establishing the bodies and agencies responsible for assessing SAGRILAFT's compliance and effectiveness, the Company shall consider the conflicts of interest, incompatibilities and disqualifications of those responsible in the performance of their duties. The statutory auditor and the Legal Representative shall not be designated as Compliance Officer.
For due diligence and extended due diligence procedures, refer to the instructions in the document management system: “Due diligence” (code I-CMP-01) and “Extended due diligence” (code I-SGC-0202). They set out the steps of the process, those responsible, the documentation to be validated, the segmentation of PEPs and the evidence the Company must retain when performing the procedure, among other matters.
  • Warning signs should be designed for those identified risks. Responsible: Compliance Officer
  • These warning signs are an integral part of every LA/FT/FPADM risk process. Responsible: Process and quality management.
  • When any collaborator identifies a warning sign, it is their responsibility to report it through the established channels: by e-mail, through the ethics channel available on the website, or using the form in the annex.
  • The Compliance Officer analyzes the warning sign and determines whether it constitutes a suspicious operation.
  • The Compliance Officer may request additional information from the departments or counterparties involved to determine whether a transaction is unusual.
  • If the operation is determined to be suspicious, the Compliance Officer reports it to the UIAF.
  • The applicable criterion for determining whether a transaction is suspicious is:

    • Lack of a reasonable explanation for any of the warning signs mentioned in the SAGRILAFT/FPADM Policy, or for any unusual operation or activity.
    • An attempted operation with the characteristics of a suspicious operation is also subject to an ROS and must be reported to the UIAF.
The documents generated by SAGRILAFT must comply with all the rules and policies established by the company’s document management system, as well as information security rules and policies.
  • The minutes of the Board of Directors where the approval and/or updating of the Manual is recorded.
  • The minutes of the Board of Directors where the approval and / or update of the Policy is recorded.
  • The record by which the Compliance Officer is appointed.
  • The SAGRILAFT/FPADM policy.
  • The documents that support the design, development, and implementation of the system methodologies.
  • Documents and records that demonstrate the effective and efficient operation of the system, including, but not limited to, documentation and information from Counterparties, documentation related to unusual operations, suspicious transaction report (ROS), and AROS.
  • The Compliance Officer’s reports to the various bodies and individuals involved in SAGRILAFT.
  • The documents by which the authorities require information together with their replies.
  • Disciplinary proceedings brought for possible breaches of the system.
  • The training and outreach plans and programs of the system.
  • Internal reports of unusual operations, and the system's external reports to the UIAF and other authorities.
  • All additional documentation that in some way supports the system. This documentation is maintained by the Compliance Officer, who ensures its integrity, availability, compliance, effectiveness, efficiency, confidentiality, reliability and currency. It is stored centrally and chronologically with appropriate safeguards, in written or magnetic media.
  • On unusual and attempted transactions: When any collaborator or counterparty observes an unusual or attempted transaction, they must report it to the Compliance Officer, indicating the reasons why the transaction is considered unusual or attempted. The report may be made by e-mail, through the form in the annex, or through the Company's ethics channel.
  • On warning signs: When any collaborator or counterparty observes a warning sign, they must report it to the Compliance Officer, indicating the reasons why they consider the warning sign to be present. The report may be made by e-mail, through the form in the annex, or through the Company's ethics channel.
  • On the monitoring of LA/FT/FPADM: The Compliance Officer reports every six months to both the Board of Directors and the Legal Representative on the evaluation and analysis of the efficiency and effectiveness of the system and, where appropriate, proposes the respective improvements. The report also shows the results of the Compliance Officer's overall management of compliance with the system.
  • Mandatory Suspicious Operation Report (ROS) to the UIAF: Once an operation is determined to be suspicious, the Compliance Officer reports it immediately and directly to the UIAF. Attempted or rejected operations with characteristics that make them suspicious are also reported, as are attempted commercial linkages with such characteristics. Since the ROS does not constitute a criminal complaint, it does not require the signature of any official and is submitted at the institutional level. The ROS shall not give rise to any liability for SOPHOS SOLUTIONS S.A.S. or for the directors or employees who took part in its determination and reporting, including the Compliance Officer. The ROS does not exempt from the duty to report a crime, where applicable. For control purposes and to support LA/FT/FPADM risk management, the Compliance Officer keeps a record of the reports sent to the UIAF.
  • Report of absence of suspicious operations (AROS) to the UIAF: If no operation has been classified as suspicious during a period of three (3) months, the Compliance Officer must report this fact to the UIAF within the first ten (10) calendar days of the month following the cut-off of that period, through the UIAF Online Reporting System (SIREL).
Failure to comply with or breach the guidelines contained in the Code of Ethics, the LA/FT/FPADM Prevention Policies, and the internal control measures, shall constitute a SERIOUS misconduct as established in the SOPHOS Internal Labor Regulations, without prejudice to the applicable legal penalties.

The sanction procedure to be followed is that set out in the section “SCALE OF MISDEMEANORS AND DISCIPLINARY SANCTIONS” of the Sophos Internal Labor Regulations for employees, articles 46 to 51.
Legal sanctions for money laundering, terrorist financing and financing of the proliferation of weapons of mass destruction (LA/FT/FPADM) are serious and may involve fines and administrative or criminal penalties. For money laundering, for example, the Colombian Penal Code provides for imprisonment of ten (10) to thirty (30) years and a fine of one thousand (1,000) to fifty thousand (50,000) current legal monthly minimum wages.

In addition, Sophos Solutions could face severe fines or other criminal penalties for money laundering, terrorist financing or financing of the proliferation of weapons of mass destruction (LA/FT/FPADM) committed by third parties linked to the company. Sophos will therefore investigate any activity that violates the SAGRILAFT/FPADM Policy and, where appropriate, inform the competent authorities of any LA/FT/FPADM-related event, initiate and support the appropriate legal actions, and take appropriate disciplinary measures and penalties, which may include termination of the employment, contractual, commercial or any other relationship.