At Bancolombia Group we have a series of principles that rule our Corporate Governance. Further details may be found below:
Interested people may find information about our Supply Chain here (Spanish).
Measure What Matters
If you are a Bancolombia Supplier and you received the invitation to take part, come in and measure the social and environmental impact of your company.
Establish, lead and develop the corporate tax strategy in accordance with the Grupo Bancolombia strategy, through the planning, advice and control of tax processes with the objectives of complying with the tax regulations applicable to each country, optimizing tax management and influencing the business decision-making process, to finally manage the tax risk and contribute to the generation of value of the Grupo Bancolombia.
Our Tax Policy can be consulted here.
Below there are other tax references of our institution:
By paying our taxes, Bancolombia Group contributes to the public finance of the countries where we are present.
Segment Tax Report
Taxes by geographic regions, profits and income please see years.
Effective Tax Rate
Click here to find the report on our paid and reported tax rate of the last two years.
In order to comply with our tax obligations in a timely manner, pursuant to the current standards, at Bancolombia Group we review and analyze the laws, decrees and opinions issued by the local and territorial entities. In the taxable year of 2019, tax considerations regarding the implementation of the Economic Growth Law 2010 of 2019 were taken into account. For the full text of the considerations, see Note 12 to the Form 20F, number 12.7.3 (pages F-111 – F-120), URL: https://www.sec.gov/Archives/edgar/data/1071371/000110465920051519/tm206804d3_20f.htm
Encourage the Tax Liability
At Bancolombia Group we are involved in debates and public and private forums convened by industry associations and regulators to address tax issues. Through such events, inquiries regarding the policies and proposals that impact the industry or the sustainability of the business are stated in a respectful way, and tax liability is encouraged by understanding the impact of State financing on the sustainable development of the community.
Bancolombia Group continuously seeks to improve its capacity in the governance of Cybersecurity and Information Security. Our processes are referenced in international information security standards, in addition to the most relevant national and international regulations. Our strategy is part of the development of the competitive strategy defined by the businesses, as well as the Corporate strategy of the Bancolombia Group, through the empowerment of capacities that guarantee the confidentiality, integrity and availability of information, contributing to the trust of our clients and improving the internal user experience; also seeking that cybersecurity is part of the daily life of all people.
At Bancolombia Group we have a comprehensive security strategy that covers:
- Information security.
- Protection of personal data.
- Fraud management.
CSO (Chief Security Officer)
Mauricio Botero Wolff
Administrative Services and Security VP
Current Chief Administrative Services and Security Officer of Bancolombia Group where he has worked for 19 years. He has served as Director of Corporate Projects, Director of Planning and Projects, Manager of Procurement Integration, Manager of Investor Relations and Corporate Trader.
He is an Administrative Engineer from the EIA University. He has a specialization in economics from the Universidad de Los Andes and an MBA as a Fulbright Fellow at Emory University (Atlanta, USA). He is currently the chairman of the Cybersecurity and Fraud Prevention Committees of the Banking Association and a member of several Boards of Directors.
Within the Cybersecurity Governance of the Bancolombia Group, the ISMS (Information Security Management System) has been implemented to manage the Organization's information security through policies, standards, baselines, methodologies, governance frameworks and maturity models, which have an annual continuous improvement cycle. These are shared with employees and third parties who have a labor or commercial relationship with the Organization.
The Bancolombia Group's ISMS is managed through:
- ISO/IEC 27001:2013
- NIST CSF (National Institute of Standards and Technology - Cybersecurity Framework)
The CMM and ITIL models measure the maturity of Information security and Cybersecurity, respectively. Each model has defined levels to evaluate the controls of the governance frameworks.
Policies: The Cybersecurity and Information Security Policies are in place to establish the Organization's intention regarding the treatment of risks associated with information. They are reviewed annually by interested areas and approved by the Board of Directors.
Standards: They contain the mandatory guidelines that support compliance with the policies and guarantee the coherence of security in the Organization.
Committee of Cybersecurity:
The purpose of Bancolombia Group's Committee of Cybersecurity and Information Security is to approve and promote the most important security policies, strategies and projects, and to inform and make decisions about the controls associated with cybersecurity and information security events.
It also periodically evaluates the degree of compliance with the defined cybersecurity and information security strategic plan.
The Bancolombia Group's Committee of Cybersecurity and Information Security meets quarterly and is made up of the following permanent members:
- Vice President of Corporate Services
- Vice President of Services, Banco Agrícola
- Vice President of Services, Banistmo
- Manager of Corporate Services Division, BAM
- Chief Administrative Services and Security Officer of Bancolombia (CSO)
- Chief Human Resources Officer of Bancolombia
- Chief Risks Officer
The following may participate as permanent guests:
- Chief Information Security Officer (CISO)
- Fraud Management Director
- Chief Internal Auditor Officer
- Vice President of Technology Services
- Security Directors of Banistmo, Banco Agrícola and BAM
In addition, other people may be invited to report on and develop the different plans for comprehensive security. Fraud behaviors are evaluated specifically in the Fraud Management Committee.
Participation of Cybersecurity, Information Security and Fraud Management in other committees:
Bancolombia Group Audit Committee: Made up of members of the Board of Directors and other participants.
Bancolombia Group risk committee: Made up of members of the Board of Directors and other participants.
To learn more about the risk and audit committees, see the Good Governance Code.
Cybersecurity Reports and Fraud Management
Cybersecurity and Information Security Management Report
Audience: Board of Directors
Frequency: biannual, July – January
Content: Progress of the strategy, semester achievements, main figures, relevant topics of the semester.
Audience: President, Corporate Vice President, Administrative and Security Vice President and selected Directors.
Content: figures, strategic indicators and relevant topics.
Audience: Specific teams and roles.
Content: figures, strategic indicators and relevant topics.
Cybersecurity Processes and Fraud Management:
At Bancolombia Group the Cybersecurity, Information Security and Fraud Management processes are defined in accordance with COBIT 2019 - NIST - ISO27000:
- Govern Cybersecurity and Information Security: It guarantees the definition, implementation and monitoring of the strategy and governance of cybersecurity and information security, for the treatment of the Organization's risks, in accordance with applicable regulations and good practices.
- Protect information assets: Secures the critical information assets identified and classified within the processes, to minimize information security risks based on the information protection governance model defined within the organization.
- Securing digital services: Protects the information assets that rest on the organization's digital systems, guaranteeing coverage and the level of risk defined by it.
- Manage Identities and accesses: Manages identities and access in the systems, seeking compliant access and the treatment of the risks of unauthorized access, in line with organizational policies and regulatory requirements.
- Monitor and Respond to Security Events: Prevents, detects, responds to and recovers from Cybersecurity and information security threats, events and incidents that threaten the information and the availability of the services of the Bancolombia Group, in a timely and truthful manner, remediating in the shortest possible time.
- Fraud Management Strategy: Defines the transactional fraud management strategy and leads its development, according to the risk profile of the channels and products, regulatory frameworks, policies and security standards; ensuring the experience of our clients in the safe use of transactional channels.
- Fraud Management and Containment: Defines and leads the typification of the fraud modus operandi, efficiently identifying any exposure of fraud and loss to clients, employees and assets of the Bancolombia Group, according to the needs of our clients, risk management, business requirements and operational support areas and thus, anticipate or react in a timely manner.
- Special Investigations Services: Investigate and monitor possible internal fraud and malpractice events in order to prevent, deter, detect and minimize internal fraud and malpractice.
- Fraud Management Analytics: Identify fraud trends by performing information analysis, for the subsequent design and implementation of statistical models and monitoring rules that allow preventing, detecting and reacting to internal and external fraud events.
- Fraud Management Services: Leads, manages and comprehensively defines the functions of customer service for potential clients or victims of fraud, external fraud investigation processes; as well as the administration and management of the operation related to transactional monitoring.
- People Security and Physical Infrastructure: Defines and leads the Bancolombia Group's Physical and Electronic Security operation, in accordance with risk management, customer expectations, standards and regulatory frameworks of the national territory, positively influencing the relationship with the authorities, unions and control entities, in order to protect the technological and physical integrity of people (customers and employees), processes and assets.
Culture of Cybersecurity, Information Security and Fraud Prevention
GRUPO BANCOLOMBIA processes personal data in accordance with Colombian regulations and with the guidelines and international standards established in its Data Protection Policy (the “Policy”). Respecting and protecting personal data of clients, users, employees, suppliers and other individuals whose personal information we collect, use and process is one of our priorities and we have adopted strong principles in that respect.
Click here to find out more about our privacy policy.
Customer Privacy Complaints
GRUPO BANCOLOMBIA is committed to the confidentiality, integrity and availability of our information, including personal data. The measures we adopt are always based on respect for data subject rights; accordingly, we promote the highest standards of information security in all the processes we develop and in our collaborators' daily work.
Under the Data Protection legislation in Colombia, data subjects have the following rights with regard to their personal information: the right to access, to rectification, to restriction of processing, to erasure and the possibility to lodge a complaint with supervisory authorities.
GRUPO BANCOLOMBIA has adopted clear guidelines on data subject requests, we have trained our collaborators, and we stay vigilant in order to receive and manage this type of request. In this sense, a data subject request is a formal demand by a data subject to GRUPO BANCOLOMBIA as a data controller to take an action on their personal data.
In compliance with our internal Policy, in 2019 we received 10,090 data subject requests and 21 supervisory authority requests.
Investor and Shareholder
The following is information related to our investors and shareholders: