Latin America · GDP rank #40

Colombia

CO · COP @ 0.0002380/USD

Bre-B went into full-scale operation in October 2025 and within seven months has cleared more than 600 million transactions across 35 million registered users and 103 million aliases — the fastest stand-up of a Pix-style instant rail outside Brazil. Nequi (Bancolombia spin-out, 26 million registered users) and Daviplata (Davivienda, 19 million) define the consumer-wallet duopoly. The United States is the dominant remittance origin, the Superintendencia Financiera de Colombia regulates non-bank PSPs under Decreto 222/2020, and the SEDPE (Sociedad Especializada en Depósitos y Pagos Electrónicos) charter is the operative fintech-deposit vehicle.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

COP 320B▲ +19% vs 2023

COP · 2024

Loss rate

13.4bp

basis points on transaction value · 2024

CNP share of fraud

74%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

Card-not-present (e-commerce)74%
Wallet account takeover (Nequi/Daviplata)11%
Authorised push payment fraud on Bre-B (early indicators)6%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

38%

% · 2024

3DS coverage · CNP

68%

% · 2024

Biometric mobile wallet txns

93%

% · 2024

Consumer protection

Framework: SFC Defensoría del Consumidor Financiero + Estatuto del Consumidor (Ley 1480/2011)
Max consumer liability: Zero where notified within 24 hours; capped at COP 1 million if delayed
Liability rules: Issuer bears unauthorised-transaction loss unless gross negligence or fraud by consumer proven. SFC requires resolution of disputed charges within 15 business days; consumer notification within 24 hours of detection is the safe-harbour standard.

Source · SFC

Security standards

▌PCI DSS 4.0 (mandated by SFC Circular Externa 007/2018 + updates)
▌Bre-B Reglamento Operativo (Banco de la República — fraud loss-sharing rules)
▌Ley 1581/2012 — Habeas Data financial information
▌SFC Circular 029/2014 (chapter on operational risk management)