Kenya Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Proceeds of Crime and Anti-Money Laundering Act
Data protection: Data Protection Act 2019
Also: FRC, Capital Markets Authority

Kenya's financial crime framework is anchored by the Central Bank of Kenya and the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) 2009. Covered institutions must apply risk-based CDD, file Suspicious Transaction Reports with the Financial Reporting Centre, and screen for PEPs and sanctions. Administrative penalties reach KES 5 million per violation, with criminal liability for individuals.

Who regulates financial crime in Kenya?

The Central Bank of Kenya (CBK) is the primary AML/CFT supervisor for commercial banks, microfinance banks, and payment service providers. It issues prudential guidelines, conducts on-site examinations, and can impose administrative penalties or revoke licences under POCAMLA. The CBK's Banking Supervision Department leads AML oversight for the licensed banking sector. Its regulatory framework and guidance are published at centralbank.go.ke.

The Financial Reporting Centre (FRC) is Kenya's Financial Intelligence Unit, established directly under POCAMLA. It receives Suspicious Transaction Reports and Cash Transaction Reports, analyzes patterns, and shares intelligence with the Directorate of Criminal Investigations and foreign FIUs. Kenya joined the Egmont Group through the FRC in 2012. The FRC also publishes AML/CFT typologies specific to the Kenyan market, including mobile money layering patterns. Its guidance library is at frc.go.ke.

The Capital Markets Authority (CMA) supervises AML compliance for stockbrokers, investment banks, fund managers, and collective investment schemes. It operates under the Capital Markets Act (Cap 485A) and issues sector-specific AML directives. Any institution running capital market activities in Kenya is subject to dual supervision: both the CBK and the CMA.

Other sector supervisors include the Insurance Regulatory Authority (IRA), the Sacco Societies Regulatory Authority (SASRA) for savings and credit cooperatives, and the Retirement Benefits Authority (RBA) for pension funds. Each applies POCAMLA obligations within its licensed population.

Kenya is a member of ESAAMLG (the Eastern and Southern Africa Anti-Money Laundering Group). Following an ESAAMLG mutual evaluation published in 2022 that identified effectiveness gaps across several FATF recommendations, the FATF plenary added Kenya to its increased-monitoring list in February 2024. That grey-list designation has direct consequences for correspondent banking relationships with Kenyan institutions. Foreign banks should monitor Kenya's status at fatf-gafi.org.


What are the key AML and fraud laws in Kenya?

The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), Cap 323 of 2009, is Kenya's primary AML statute. It criminalises money laundering, establishes the FRC, imposes CDD and reporting obligations on "reporting institutions" (a category covering banks, fintechs, lawyers, and accountants), and sets penalties of up to KES 5 million per breach plus the potential for criminal prosecution of individuals. The POCAMLA (Amendment) Act 2017 tightened beneficial ownership requirements and expanded the FRC's powers to compel disclosure. The Proceeds of Crime and Anti-Money Laundering Regulations 2013 set out operational requirements: record-keeping standards, STR content requirements, and the KES 1,000,000 threshold that triggers Cash Transaction Reports.

POCAMLA's risk-based structure is consistent with the FATF risk-based approach. Reporting institutions are expected to scale controls to the risk profile of their customers and products, directly mirroring FATF Recommendation 10 on customer due diligence.

The Prevention of Terrorism Act 2012 (as amended in 2014) handles counter-terrorist financing. It requires STR filing where TF suspicion exists and enables the Cabinet Secretary for Interior to freeze assets based on government or UN Security Council designations.

The Data Protection Act 2019 governs the collection, processing, and cross-border transfer of personal data, including data gathered during KYC and CDD processes. It restricts transfers to countries without adequate protection and requires a documented lawful basis for all processing. The Act is enforced by the Office of the Data Protection Commissioner (ODPC). Institutions routing Kenyan customer data through offshore group compliance systems must structure transfer safeguards explicitly.

The Companies Act 2015 and the Business Laws (Amendment) Act 2020 require companies to maintain a register of Ultimate Beneficial Owners and file this data with the Business Registration Service. Reporting institutions must verify and record beneficial ownership as a core CDD step. Kenya's legislation is available at kenyalaw.org, the official legal database maintained by the National Council for Law Reporting.


What controls do Kenyan regulators expect?

The FRC's AML/CFT Guidelines for Reporting Institutions and the CBK's Prudential Guideline on AML/CFT set out the expected control framework. In practice, they follow the FATF standards closely.

Customer due diligence. Reporting institutions must verify customer identity, understand the business purpose of the relationship, and assess risk before onboarding. Customer due diligence is mandatory for all new customers and must be refreshed when doubts arise about existing records. Enhanced due diligence applies to PEPs, high-risk jurisdictions, and complex or unusual transactions. For legal entity customers, CDD must extend to identifying and verifying the Ultimate Beneficial Owner. Adverse media screening for high-risk customers is expected as part of enhanced due diligence procedures, though no specific tool is mandated.

Transaction monitoring. Banks must run continuous transaction monitoring against established customer profiles and document alert dispositions. The FRC's typologies set expected coverage, with particular emphasis on mobile money corridors. There's no prescriptive system requirement, but examination teams look for evidence that alert rules cover the local payment landscape.

Sanctions and PEP screening. Sanctions screening must cover the UN Consolidated Sanctions List plus the Kenya National Sanctions List maintained by the National Counter-Terrorism Centre. PEP screening must address domestic and foreign PEPs, consistent with FATF Recommendation 12.

STR and CTR filing. Suspicious Transaction Reports must be filed with the FRC as soon as practicable after suspicion forms. The FRC's guidance treats three days as the standard expectation in most cases. Cash Transaction Reports are required for transactions at or above KES 1,000,000 (approximately USD 7,700).

Record-keeping. CDD documents and transaction records must be retained for seven years, consistent with FATF Recommendation 11. Records must be readily retrievable for examination.


What is unique about compliance in Kenya?

Mobile money scale. Kenya's mobile money market is one of the world's deepest by penetration. Safaricom's M-Pesa processed transactions worth KES 36.8 trillion in the twelve months to June 2023, per Safaricom's annual report. The CBK's National Payment System Regulations 2014 govern mobile money providers, who carry their own AML/CFT obligations. Banks providing float accounts or banking rails to mobile money operators face correspondent-type AML risks: the bank's systems need to monitor flows they don't directly initiate. The FRC publishes typologies specific to mobile-money-enabled layering and fraud. Most global AML platforms don't cover this risk profile out of the box.

FATF grey-list status. Kenya's February 2024 grey-listing has immediate operational consequences. Under FATF Recommendation 13 on correspondent banking, counterparties in grey-list jurisdictions attract enhanced scrutiny. Foreign banks must apply and document EDD for transactions involving Kenyan institutions. Kenya has submitted an action plan to the FATF; progress is reviewed at each plenary, and the grey-list status could change as remediation advances.

Data localisation. The Data Protection Act 2019, enforced by the ODPC, restricts cross-border personal data transfers unless the recipient country provides comparable protection or appropriate safeguards (such as standard contractual clauses) are in place. Banks using overseas data centres for AML screening, or sharing Kenyan customer data with group compliance hubs, must document transfer mechanisms explicitly. The ODPC has enforcement powers and has signalled active oversight.

Beneficial ownership registry. The Business Registration Service runs Kenya's official beneficial ownership register, fed by mandatory filings under the 2020 Business Laws amendments. Reporting institutions are expected to cross-reference BRS registry data against customer-declared ownership structures. Discrepancies between the two are an active supervisory focus.

Virtual assets. The CBK's 2015 guidance warned banks against dealing with unregulated crypto providers. The 2023 draft Virtual Asset Service Providers policy framework began charting a formal regulatory path, but it's not yet fully enacted. Until it is, banks processing transactions linked to crypto exchanges should apply heightened monitoring, consistent with FATF Recommendation 15.


Recent enforcement actions in Kenya

The highest-profile AML enforcement in Kenya's recent history came in May 2018, when the CBK imposed fines totalling KES 392.5 million on eight commercial banks for failures connected to the National Youth Service (NYS) procurement scandal. The penalised institutions were Kenya Commercial Bank (KCB), Equity Bank, Standard Chartered Bank Kenya, Co-operative Bank, Diamond Trust Bank, Family Bank, NIC Bank, and Guaranty Trust Bank. The CBK cited each institution's failure to file timely STRs on transactions showing clear red flags: large cash movements from government accounts, rapid layering across multiple accounts, and structuring patterns. At the time of the action, the CBK described the total as the highest fines it had imposed on banking institutions to that point.

The NYS case illustrates a recurring pattern in global enforcement. Institutions had, in most cases, generated internal alerts. Those alerts weren't escalated or reported. That dynamic, detection without action, is the factor regulators pursue most aggressively. The same logic drove the scale of penalties in the Standard Chartered 2019 sanctions enforcement action and the Westpac 2020 AML case. Kenya's regulator is operating from the same playbook.

Since 2019, the CBK has continued to impose administrative sanctions under POCAMLA, though individual action amounts aren't always publicly itemised. The FRC's annual reports provide aggregate statistics on STRs received, intelligence referrals, and prosecution outcomes.

Kenya's 2022 ESAAMLG mutual evaluation noted increased supervisory activity but flagged gaps in prosecution rates and asset recovery. The grey-list remediation plan directly targets those gaps. Enforcement intensity is expected to rise through 2025 and 2026 as Kenya demonstrates progress to the FATF. Institutions that haven't invested in their monitoring and reporting infrastructure are taking on more regulatory risk than they may realise.


What foreign banks operating in Kenya need to know

Licensing. A foreign bank entering Kenya must incorporate a local subsidiary under the Companies Act or register a branch, and in either case obtain a CBK banking licence under the Banking Act (Cap 488). The CBK's AML/CFT assessment during the licensing process is substantive. If the parent entity is based in a FATF grey or black list jurisdiction, expect additional scrutiny and a longer approval timeline.

Local MLRO. The CBK requires a designated, Kenya-resident Money Laundering Reporting Officer who passes the fit-and-proper test. The MLRO must have direct access to senior management or the board and cannot simultaneously hold a revenue-generating business line role. This is a structural requirement, not optional guidance. Many foreign banks underestimate the seniority and independence the CBK actually expects here.

Reporting timelines. STRs must reach the FRC as soon as practicable after suspicion forms. The FRC's guidance treats three days as the standard expectation. CTRs for cash transactions at or above KES 1,000,000 carry the same urgency. Late filing is itself a POCAMLA breach, separate from any underlying AML failure.

Outsourcing. The CBK permits outsourcing of AML functions to group or third-party vendors. The licensed institution retains full regulatory accountability. Any offshore processing of Kenyan customer data requires Data Protection Act compliance, including explicit transfer safeguards under the ODPC's rules.

Group systems integration. Foreign banks feeding Kenyan customer data into group transaction monitoring platforms need to map Kenya-specific data elements: M-Pesa transaction identifiers, BRS beneficial ownership outputs, and NCTC sanctions list formats. Generic global typologies won't cover mobile money risk adequately. Build the local layer before go-live, not after.

The India AML compliance and UAE AML compliance pages cover comparable challenges for foreign banks operating in high-growth, multi-risk regulatory markets.


How FluxForce supports Kenya compliance

Kenya's framework demands real-time transaction monitoring calibrated to mobile money volumes, automated STR drafting against FRC templates, and sanctions and PEP screening that covers both the UN consolidated lists and the Kenya National Sanctions List. FluxForce delivers these through a single platform, with audit-ready evidence for every decision. Given Kenya's FATF grey-list status, the correspondent banking documentation burden is real. FluxForce's configurable autonomy and full decision audit trail make that burden manageable without slowing operations. Request a demo to see how it applies to your Kenya compliance program.

FluxForce AI agents monitor transactions against Kenya's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for Central Bank of Kenya examinations.