AML regulations in Kenya operate within a mature but increasingly outcomes-focused regulatory framework. As a regional financial hub for East Africa, Kenya’s exposure to cross-border trade, remittances, digital payments, and platform-based finance has elevated supervisory expectations across regulated sectors.

By 2026, regulators are less concerned with whether AML policies exist and more focused on whether controls function effectively in practice. For reporting institutions, this means stronger scrutiny of customer due diligence, beneficial ownership identification, monitoring, escalation, and documentation.

Kenya’s AML/CFT Framework: Legal Foundations

Kenya’s AML regime is primarily established under the Proceeds of Crime and Anti-Money Laundering Act, 2009 (POCAMLA). This legislation is supported by subsidiary instruments that translate statutory obligations into operational requirements.

A key reference point is the Proceeds of Crime and Anti-Money Laundering Regulations, 2023, which set out preventive measures covering:

  • Customer due diligence and enhanced due diligence
  • Ongoing monitoring
  • Record-keeping
  • Internal controls and governance
  • Suspicious transaction reporting

Counter-terrorism financing obligations are reinforced through the Prevention of Terrorism Act, 2012 and related regulations, enabling implementation of targeted financial sanctions in line with United Nations Security Council requirements.

International Context and Supervisory Pressure

Kenya participates in the FATF global network through the Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG) and has been subject to FATF increased monitoring since 2024.

This international context has intensified supervisory focus on:

  • Effectiveness of controls
  • Quality of reporting
  • Consistency of implementation across sectors
  • Alignment between risk assessments and operational outcomes

Who Supervises AML Compliance in Kenya

Kenya applies a sector-based supervisory model, where AML obligations are enforced through the regulator responsible for each industry, while intelligence and reporting are centralised.

Key Supervisory Authorities

  • Central Bank of Kenya (CBK) – supervises banks, microfinance institutions, remittance providers, foreign exchange bureaus, payment service providers, digital credit providers, and related entities
  • Capital Markets Authority (CMA) – oversees securities and investment firms, including expectations around sanctions screening and escalation
  • Insurance Regulatory Authority (IRA) – enforces AML/CFT requirements within the insurance sector
  • Retirement Benefits Authority (RBA) – regulates pension and retirement benefit schemes
  • Sacco Societies Regulatory Authority (SASRA) – supervises SACCOs and applies sector-specific AML guidance

The Financial Reporting Centre (FRC) operates as Kenya’s Financial Intelligence Unit (FIU), receiving suspicious transaction reports and issuing guidance on reporting quality and timeliness.

Customer Due Diligence: From Policy to Practice

Identity and Beneficial Ownership

Under Kenya’s AML regulations, customer due diligence extends beyond basic identification. Reporting institutions must take reasonable measures to identify:

  • The customer
  • Any beneficial owner of a legal person or arrangement
  • Any individual exercising ultimate control
  • Any person acting on behalf of another

Recent legislative amendments strengthened definitions of beneficial ownership and reinforced record-keeping obligations. Supervisors increasingly treat failures in this area as fundamental weaknesses, particularly for corporate customers and cross-border relationships.

Risk-Based Controls and Enhanced Due Diligence

Kenya’s AML framework mandates a risk-based approach. Enhanced Due Diligence (EDD) is not optional where higher risk is identified.

EDD measures may include:

  • Obtaining additional customer or transaction information
  • Verifying source of funds or source of wealth
  • Applying stronger or independent verification steps
  • Requiring senior management approval
  • Increasing monitoring intensity

During inspections, supervisors test whether institutions can clearly explain why enhanced measures were applied, or why they were not.

Transaction Monitoring and Internal Escalation

Ongoing transaction monitoring is expected to operate effectively, not merely exist as a system configuration.

Regulators assess whether institutions can demonstrate:

  • Monitoring aligned to customer risk profiles
  • Clear internal escalation to the MLRO
  • Documented review and decision-making
  • Timely escalation and external reporting where required

Supervisory communications from the CBK have repeatedly emphasised that AML escalation pathways must not be weakened by commercial pressure or operational shortcuts.

Suspicious Transaction Reporting and the Role of the FRC

Suspicious transaction and activity reporting must be submitted to the Financial Reporting Centre promptly once suspicion arises.

Increasingly, FRC guidance focuses on:

  • Quality and clarity of reports
  • Consistency of internal case handling
  • Clear documentation of decision rationale
  • Timeliness of submission

In practice, many enforcement issues arise not from failure to detect unusual activity, but from weak documentation, delayed escalation, or inconsistent reporting decisions.

Record-Keeping and Audit Readiness

The 2023 regulations require institutions to maintain records sufficient to allow regulators to reconstruct:

  • Customer identity and risk assessment
  • Monitoring activity undertaken
  • Internal escalation and decisions
  • Reporting outcomes

Weak documentation is often treated as a substantive compliance failure, even where institutions claim controls exist.

Conclusion

AML regulations in Kenya reflect a regulatory environment that increasingly prioritises effectiveness over form. In 2026, reporting institutions are expected to demonstrate sound judgement, disciplined execution, and strong auditability across all AML processes

Looking ahead, supervisory trends suggest continued focus on:

  • Practical effectiveness of AML controls
  • Consistency across branches, products, and channels
  • Governance accountability
  • Evidence-based compliance rather than policy volume

Organisations that align risk assessment, monitoring, escalation, and reporting into a coherent operational framework will be best positioned to meet supervisory expectations.

contact-us-update

Frequently Asked Questions (FAQs)

1. What law governs AML compliance in Kenya?
AML compliance is primarily governed by the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), supported by the 2023 AML regulations and sector-specific guidance.

2. Who supervises AML compliance in Kenya?
Supervision is sector-based, led by regulators such as the CBK, CMA, IRA, RBA, and SASRA, with suspicious reporting centralised through the Financial Reporting Centre.

3. What is a common AML weakness identified by supervisors?
Inconsistent risk assessments, weak beneficial ownership identification, and poor documentation.

4. Are digital credit providers subject to AML regulations?
Yes. Digital credit providers fall under CBK supervision and must comply with AML/CFT requirements.

5. Why is record-keeping critical under Kenya’s AML framework?
Regulators must be able to reconstruct transactions and understand how and why compliance decisions were made.