Kenya AML laws have evolved rapidly from basic reporting obligations into a more demanding, evidence-based compliance regime. For banks, fintechs, insurers, capital markets firms and designated non-financial businesses, the issue is no longer whether an anti-money laundering policy exists. The question is whether the institution can prove that its controls work.
This guide explains the legal framework, regulator expectations, and practical controls that reporting institutions should prioritise in 2026.
Overview of Kenya AML Laws and AML/CFT Framework
Kenya’s anti-money laundering and combating of terrorism financing framework is primarily established under the Proceeds of Crime and Anti-Money Laundering Act, 2009 (POCAMLA). Kenya’s AML regime is supported by subsidiary instruments that translate statutory obligations into operational requirements.
Since 2009, the framework has evolved through key amendments in 2012, 2017 and 2023. These reforms strengthened customer due diligence, beneficial ownership information, suspicious transaction reports, targeted financial sanctions, counter-terrorism financing, and countering proliferation financing controls.
Kenya’s anti-money laundering regulatory framework is aimed at curbing illicit financial flows and aligning with international standards set by the Financial Action Task Force. It applies to financial institutions, payment service providers, legal professionals, capital markets participants, insurers, SACCOs, fintechs, and other reporting institutions.
Core statutes include the following:
Proceeds of Crime and Anti-Money Laundering Act, 2009, Kenya’s main anti-money laundering act
Prevention of Terrorism Act, 2012, the key terrorism act for terrorism-financing laws
Proceeds of Crime and Anti-Money Laundering Regulations, 2023
Banking Act, Companies Act, Insurance Act, Capital Markets Act and sector laws
Virtual Asset Service Providers Act, 2025, for crypto-related financial crime risk
Key obligations include:
KYC, customer due diligence and ongoing due diligence
Screening for sanctions, politically exposed persons and high risk jurisdictions
Transaction monitoring and escalation of each suspicious transaction
Filing suspicious transaction reports and other reports with the FRC
Keeping audit-ready records and applying strict adherence to AML policies
ZIGRAM AML Solutions helps institutions automate these obligations through screening, entity risk assessment, due diligence reports, adverse media monitoring and transaction monitoring workflows.
POCAMLA and Core Kenya AML Laws
POCAMLA defines, criminalizes and penalizes money laundering in Kenya. It also establishes the Financial Reporting Centre, imposes reporting duties, and gives authorities powers to trace, freeze, and confiscate proceeds of crime and other assets.
The Proceeds of Crime and Anti-Money Laundering Regulations, 2023, set out preventive measures that include counter-terrorism financing obligations reinforced through the Prevention of Terrorism Act, 2012. Together, these laws cover money laundering and terrorism financing, proliferation financing, targeted financial sanctions and reporting procedures.
Under the 2023 reforms, Kenya tightened several areas:
Cash transactions reporting threshold increased from USD 10,000 to USD 15,000 equivalent.
Suspicious transaction reports must be filed promptly, commonly within two days after suspicion arises.
Beneficial owner identification now covers persons who ultimately own, control, or benefit from a legal person.
Amendments to the AML and CFT laws update provisions related to corporate criminal liability and operational transparency.
Severe penalties for non-compliance include fines, imprisonment, and revocation of operating licenses.
POCAMLA penalties are significant. The Act penalizes money laundering with fines that may reach up to fifty percent (50%) of the monetary instrument involved in the offence, increased from the previous penalty of ten percent (10%). Other penalties can include imprisonment and administrative penalties imposed by competent authorities.
POCAMLA also interacts with prudential laws. The Banking Act, Central Bank of Kenya Act, Insurance Act and Capital Markets Act embed AML duties into licensing and supervision. This means that combating money laundering is no longer treated as a separate compliance silo. It is part of how regulatory bodies judge governance, risk management, and fitness to operate.
Before the 2023 reforms, some areas, such as beneficial ownership, CPF, and DNFBP supervision, were less developed. After the reforms, institutions must show stronger controls, better records, and clearer accountability across AML/CFT compliance.
Institutional Landscape and Supervisory Authorities
Kenya applies a sector-based supervisory model for AML compliance, where each industry regulator enforces AML obligations relevant to their sector, while the Financial Reporting Centre centralizes intelligence and reporting.
The Financial Reporting Centre (FRC) serves as Kenya’s Financial Intelligence Unit (FIU), responsible for receiving suspicious transaction reports, disseminating financial intelligence, and issuing guidance to reporting institutions.
Key authorities include the following:
Central Bank of Kenya: supervises banks, microfinance banks, payment service providers, remittance firms, forex bureaus, and digital credit providers. The central bank expects evidence of KYC, sanctions screening, risk assessment, and transaction monitoring.
Capital Markets Authority: supervises brokers, fund managers, dealers, investment banks, and custodians operating in capital markets.
Insurance Regulatory Authority: supervises insurers and intermediaries, especially around the source of funds, payouts, and investment-linked products.
SACCO Societies Regulatory Authority: supervises deposit-taking SACCOs and related financial institutions.
FRC: receives STRs and cash transaction reports, disseminates financial intelligence, and issues guidance to reporting institutions.
Law enforcement agencies: the DCI, Ethics and Anti-Corruption Commission, Office of the Director of Public Prosecutions, and other competent authorities investigate and prosecute money laundering, corruption, and economic crime.
Supervisory authorities in Kenya, including the Central Bank of Kenya (CBK), Capital Markets Authority (CMA), and Insurance Regulatory Authority (IRA), have been granted powers to enforce AML compliance across various financial sectors.
The FRC’s operational independence is also important. The State Corporations Act carve-out for the FRC supports effective financial intelligence work by reducing ordinary administrative constraints that could interfere with sensitive analysis and information sharing.
Customer Due Diligence, Beneficial Ownership and Risk-Based Approach
Risk-based customer due diligence is at the centre of Kenya AML laws. Kenya’s AML framework mandates a risk-based approach, requiring institutions to apply Enhanced Due Diligence (EDD) measures when higher risks are identified.
Basic CDD requires institutions to identify and verify each natural person, company, partnership, trust or other legal entity before and during a business relationship. A legal person must be understood beyond its registration certificate. Institutions must identify who owns it, who controls it and who benefits from it.
Standard CDD steps include:
Verify national ID, passport, KRA PIN, and contact details.
Confirm directors, shareholders, signatories, and the contact person.
Search corporate registries for companies and limited liability partnerships.
Capture beneficial ownership information and identify each beneficial owner.
Understand the source of funds, the source of wealth, and the purpose of the relationship.
Screen against sanctions, PEPs, and adverse media.
Companies in Kenya must keep records relating to directors, shareholders, and beneficial owners for a minimum period of ten years from the date a person ceases to hold such positions. For private companies, governance records may involve either a company secretary or an authorised contact person, depending on the company structure, paid-up capital, and applicable company secretary requirements.
Enhanced due diligence applies to high-risk customers and high-risk situations, including:
politically exposed persons
high-risk jurisdictions
complex or opaque ownership chains
correspondent banking relationships
unusual cash activity
virtual assets and anonymity-enhancing channels
transactions requiring senior management approval
Politically Exposed Persons (PEPs) must be screened, and enhanced due diligence applied to transactions involving them. Supervisors in Kenya assess whether financial institutions can clearly explain the rationale behind the application of enhanced measures during inspections.
A good file should show the risk assessment, the diligence measures applied, why enhanced due diligence measures were triggered and why the institution accepted, rejected or exited the customer.
Practical CDD and EDD Controls for Kenyan Institutions
In practice, institutions should build CDD controls that are consistent, searchable, and easy to evidence.
Useful controls include:
Identity verification: validate national ID, passport, KRA PIN, and business registration records.
Beneficial ownership mapping: identify nominee directors, nominee partners, controlling shareholders, and indirect owners.
Risk scoring: combine geography, product, customer type, delivery channel, and transaction behaviour.
Screening: check sanctions, PEPs, adverse media, and targeted financial sanctions lists.
Periodic review: refresh KYC files on a risk-based cycle, with event-driven reviews when ownership or behaviour changes.
Training: invest in staff training, since compliance with AML laws requires significant investment in both technology and staff training to meet regulatory obligations.
ZIGRAM AML Solutions supports this operating model through PreScreening.io for name screening, Entity Hero for entity risk assessment, companies, and DueDiliger for due diligence reporting.
Transaction Monitoring and Suspicious Transaction Reporting in Kenya
Kenyan regulators expect ongoing monitoring, not one-time onboarding checks. The Financial Reporting Centre (FRC) emphasizes that ongoing transaction monitoring must be effective and not merely a system configuration, reflecting a risk-based compliance approach.
Institutions should monitor:
cash transactions at or above reporting thresholds
rapid movement of funds with no clear economic purpose
trade-based schemes and invoice inconsistencies
mobile money layering
unusual securities trades
cross-border transfers involving high risk jurisdictions
currency carried across borders where declarations or patterns raise concern
When reasonable grounds for suspicion exist, reporting institutions must file reports with the FRC. Suspicious transaction reports should explain the customer, transaction pattern, suspected offence, value, dates, counterparties, and internal review. Confidentiality is critical; tipping off is prohibited.
Businesses are required to maintain detailed records of client data and transactions for a minimum of 10 years. Under Kenya’s AML regulations, institutions are required to maintain records sufficient to allow regulators to reconstruct transactions and understand compliance decisions.
Some rules also refer to retaining records for at least seven years, so institutions should apply the longer retention period where multiple obligations overlap. Records should include:
CDD files and identification data
beneficial ownership information
transaction records
screening results
internal investigations
STR decisions and MLRO notes
training logs
risk assessment approvals
communications with competent authorities
The Financial Reporting Centre (FRC) emphasizes that weak documentation is treated as a substantive compliance failure, highlighting the importance of robust record-keeping practices.
A simple escalation path should look like this:
Front-office staff detect unusual activity.
The compliance team reviews the alert and requests supporting information.
MLRO assesses whether a suspicious transaction report is required.
If suspicion remains, the institution files with the FRC.
The institution preserves all records and restricts disclosure.
Designing Effective Monitoring and Escalation Frameworks
A defensible monitoring framework should include:
Customer segmentation by risk profile.
Rules for cash, velocity, structuring, cross-border flows, and unusual counterparties.
Machine-learning or rules-based alerts, depending on size and complexity.
Regular alert tuning based on false positives, STR outcomes, and regulator feedback.
Independence for the MLRO and protection from commercial interference.
Clear escalation timelines, especially where suspicion may require reporting within two days.
Senior management approval for high-risk relationships.
Red flags for Kenya-specific risks such as cash-intensive businesses, mobile money layering, trade-based money laundering, and misuse of agent networks.
Adverse media workflows using Dragnet Alpha or SATOC.
Transaction monitoring using ZIGRAM AML Solutions’ Transact Comply to create alerts, investigation notes and audit trails.
Sector-Specific Considerations: Banks, Fintechs and Capital Markets
AML obligations are broadly similar across sectors, but implementation differs. The same AML regulations may require different controls depending on customer type, products and delivery channels.
For banks and payment institutions:
The Central Bank of Kenya expects strong controls for correspondent banking relationships, cross-border payments, agency banking, mobile money integration and foreign exchange.
Banks should document source of funds, purpose of payments and sanctions screening outcomes.
Payment service providers should monitor wallets, agents, merchant accounts and rapid fund movement.
For fintechs and digital credit providers:
Remote onboarding needs reliable eKYC and fraud controls.
Digital lenders should monitor repeated loan cycling, mule accounts and synthetic identities.
Technology must support audit trails, not only fast onboarding.
For capital markets firms:
Brokers, dealers, fund managers and custodians must understand investor profiles and source of funds.
Large or unusual securities trades should be compared with the customer’s expected activity.
The Capital Markets Authority may expect files to show suitability, beneficial ownership and ongoing monitoring.
For insurers and pension schemes:
The Insurance Regulatory Authority and retirement regulators focus on premium funding, early cancellations, suspicious claims and payout instructions.
Group-wide controls matter where insurers operate across jurisdictions.
For DNFBPs and legal professionals:
Legal professionals in Kenya are compelled to report any suspicious transactions, with failure to comply potentially leading to significant penalties under the AML framework.
Firms dealing with real estate, trusts, companies or client funds should treat legal entities and private companies as higher-risk where ownership is opaque.
Entities classified as “Reporting Institutions” must adhere to rigorous obligations such as KYC policies and reporting procedures.
International Standards, FATF Grey Listing and Strategic Outlook
Kenya is a member of the Eastern and Southern Africa Anti-Money Laundering Group, part of the FATF global network. As of 2024, Kenya is under increased monitoring by the Financial Action Task Force (FATF), which has intensified supervisory focus on AML compliance and enforcement measures across various sectors.
Grey listing affects Kenya’s financial system because foreign banks and investors may apply additional checks. This can increase costs, slow payments, and strain correspondent banking relationships.
FATF and ESAAMLG reviews have highlighted recurring issues:
weak beneficial ownership transparency
uneven supervision of designated non-financial businesses
limited effectiveness in using financial intelligence
gaps in prosecutions and convictions
need for stronger countering proliferation financing controls
Looking ahead, Kenya is likely to prioritise digital beneficial ownership registries, better data sharing, SupTech, more intrusive inspections, and stronger enforcement. Institutions should expect regulators to test whether AML controls are effective in practice, not just written in a policy.
That is where scalable RegTech becomes useful. ZIGRAM AML Solution, “The Complete AML System”, helps Kenyan institutions connect name screening, transaction monitoring, adverse media, entity risk assessments/management, and audit trails into one defensible compliance workflow.
Kenya AML laws are now moving from formal compliance to evidence-based effectiveness. The institutions best prepared for this shift will be those that can explain their risks, prove their decisions, and respond quickly to regulators.
To assess gaps in your AML/CFT programme, book a demo with ZIGRAM and see how automated screening, monitoring, and due diligence can support compliance with Kenyan law.