In January, the Superintendency of Banks of Panama (SBP) issued Agreement No. 1-2026, which not only repeals Agreement No. 10-2015, but also redefines the compliance framework within Panama’s financial sector. After a decade under the previous framework, this new regulation responds to two inescapable pressures: the need for operational efficiency through technology and the increasing sophistication of international compliance standards.

For our clients in the banking and fiduciary sectors, the transition will require strategic adjustments. Below, we provide an in-depth analysis of the structural reforms, contrasting the repealed provisions with the new regulatory regime (“vis-à-vis”).

  1. Innovation: “Inferential Geolocation” as a Regulatory Standard

Perhaps the most innovative element of the Agreement is the technical regulation of digital onboarding procedures.

Previous framework: Relied heavily on physical or documentary validation to mitigate impersonation or fraud risks in non-face-to-face account openings.

Current regulation (Art. 14): Introduces the concept of inferential geolocation. In digital onboarding, this is no longer optional: entities must use technical signals (such as IP address, network type, VPN or proxy detection) to verify that the client’s actual location corresponds to the declared location. This raises the barrier for malicious actors and modernizes the digital security infrastructure of Panama’s banking sector.

  2. Efficiency: Risk-Based Simplification of Due Diligence

The Agreement abandons the “one-size-fits-all” approach in favor of a truly risk-based model.

Previous framework: Account opening processes could be equally burdensome for both simple savings accounts and complex wealth structures, generating unnecessary friction.

Current regulation (Arts. 15–17): Formalizes the regime for Simplified Account Opening and Due Diligence.

Threshold: Accounts with balances or aggregate monthly movements not exceeding B/. 5,000.00 (e.g., Christmas, school, or payroll accounts) qualify for reduced due diligence requirements.

Impact: Enables institutions to automate onboarding for low-risk clients, while reserving expert human review for Enhanced Due Diligence cases (e.g., PEPs or complex corporate structures).

  3. Corporate Governance: Strengthening the Lines of Defense

The SBP has placed renewed emphasis on the independence and technical capability of compliance functions.

Previous framework: While independence was required, there were grey areas concerning personnel rotation across control areas.

Current regulation (Arts. 4, 47, 49):

  • Incompatibilities: Establishes a strict “Chinese wall.” An auditor (internal or external) may not be appointed as Compliance Officer if they performed audit functions at the same institution in the past 12 months.
  • Committee Composition: Elevates the profile of the Prevention Committee. It must now include two Board Members and the General Manager, all with voice and vote. Internal Audit may participate with voice only, thereby preserving its independence.
  • Technical Profile: Compliance Officers must now demonstrate specific competencies in information systems management and data analysis, reflecting the evolving dual legal-technological nature of the role.

  4. Monitoring: Defined Timeframes and Mandatory Closure

Alert management is no longer an open-ended process—it now requires a defined workflow with regulatory deadlines.

Previous framework: Monitoring was a continuous obligation but often lacked time-bound regulatory requirements for alert resolution.

Current regulation (Art. 25): Establishes a maximum period of 60 calendar days to analyze and close alerts—either by justifying dismissal or escalating to a Suspicious Transaction Report (STR). Moreover, monitoring must be client-based rather than product-based, requiring institutions to adopt a 360-degree view of the client relationship.

  5. Transition Periods: Implementation Timeline

Although the Agreement enters into force in six months, the SBP has granted extended timelines for reforms that require significant technological investment:

  • January 2027: Deadline to implement risk-based differentiated monitoring systems.
  • June 2027: Deadline to implement inferential geolocation capabilities in digital channels.

Conclusion:
Agreement No. 1-2026 sends a clear message: Panama is transitioning toward a compliance regime driven by data, technology, and effective risk management—departing from formalistic compliance. At Alcogal, we recommend that our clients initiate a gap analysis immediately, especially concerning the new technological and governance requirements.


Patricia Cordero A.

Partner in Alcogal

Rita de la Guardia

Partner in Alcogal
