Keeping Up With AML Regulatory Change: Obligation Registries and Change Notices

June 18, 2026 | 8 min read | Tags: regulatory change, obligation registry, compliance management, RegTech

AML obligations in East Africa change constantly, and 'we did not know' is not a defence. How an obligation registry, change-notice ingestion and tenant acknowledgement keep your controls aligned to current rules — with evidence you stayed current.

Ask a head of compliance to name the obligation that tripped them up at their last examination, and the answer is rarely a rule they ignored on purpose. It is almost always a rule that changed — a threshold that moved, a new reporting trigger, a fresh designation, a guidance note issued by the regulator three months ago that nobody internally caught — and a control that quietly carried on doing what it did before. The institution was not negligent in the everyday sense. It was simply out of date, and it could not prove otherwise.

Keeping up with AML regulatory change is one of the least glamorous parts of running a compliance programme and one of the most consequential. The obligations placed on banks, SACCOs, microfinance institutions, fintechs, mobile-money operators, forex bureaus and designated non-financial businesses across East Africa are not static. They shift as regulators issue new directives, as FATF and ESAAMLG assessments drive legislative change, and as designation lists are updated. When they shift, your controls have to shift with them — and you need a record showing that you knew about the change and acted on it. This article explains how an obligation registry, change-notice ingestion and per-tenant acknowledgement turn that scramble into a managed process. For the wider picture of how this fits alongside screening, monitoring, case management and reporting, start with the complete AML platform guide.

The pace and risk of AML regulatory change

AML obligations in East Africa do not sit still, and the sources of change are plural. A single institution operating across the region is exposed to several at once.

  • Primary legislation and regulations. Anti-money-laundering and counter-terrorism-financing statutes are amended, and the regulations beneath them are reissued, often in response to FATF mutual evaluations or ESAAMLG follow-up assessments. A revised obligation can change who you must report on, what you must hold, and how long you must retain it.
  • Regulator directives and guidance. The Financial Reporting Centre (FRC) in Kenya, the Financial Intelligence Authority (FIA) in Uganda, the Financial Intelligence Unit (FIU) in Tanzania, and the Financial Intelligence Centres (FIC) in Zambia and Rwanda each issue directives, circulars and guidance notes. These rarely arrive on a predictable schedule, and they frequently carry effective dates that give you weeks, not months, to comply.
  • Designation and list changes. Sanctions and politically exposed person designations are a form of regulatory change too. A new designation creates an immediate obligation to screen against it, and the window between publication and adoption is pure exposure.
  • Cross-border divergence. An institution operating in Kenya, Uganda and Tanzania is subject to three regulators whose rules move independently. A change in one jurisdiction does not announce itself in the others, and a control tuned to one country's threshold can silently breach another's.

The risk is not only that you fail to comply. It is that you cannot demonstrate you were even aware. "We did not know" has never been an adequate answer to a regulator, and increasingly it is treated as an admission that your governance failed. Examiners do not just test whether your controls are correct today; they test whether you have a process for noticing when the rules move and a record of acting when they did. An institution that can produce a dated trail — change noticed, obligation assessed, control updated, decision approved — is in a fundamentally stronger position than one relying on the memory of a single compliance officer.

The obligation registry: knowing what you are accountable for

You cannot manage change against a baseline you have never written down. The first building block is an obligation registry — a structured, maintained record of the obligations that actually apply to your institution, by jurisdiction.

Creodata's Regulatory Intelligence service provides exactly this: an obligation registry that holds the obligations relevant to each tenant, so there is a single authoritative list of what the institution is accountable for rather than a folder of PDFs and a few people's recollections. Done well, an obligation registry does several things at once:

  • It makes the universe of obligations explicit and reviewable, so a new MLRO inheriting the programme can see what is in scope rather than reconstructing it.
  • It gives every obligation an owner and a home, so accountability is not diffuse.
  • It provides the anchor points to which controls are mapped — the connective tissue between "the rule says X" and "this is the control that satisfies X."

The registry is most valuable when it is more than a list. Each obligation should be traceable to the control or controls that satisfy it: a transaction-monitoring rule, a screening configuration, a reporting workflow, a retention setting, a risk-scoring factor. That mapping is what lets you answer the examiner's real question, which is never "do you know the rule exists" but "show me the control that implements it." When an obligation in the registry is linked to a concrete control elsewhere in the platform, a change to that obligation immediately tells you which control needs attention.

This is also where the obligation registry intersects with the risk-based approach. Not every obligation carries equal weight, and not every change demands the same response. Maintaining a registry that distinguishes core obligations from peripheral ones helps you direct effort where the risk is, which is the same discipline that keeps the wider programme proportionate. We cover that thinking in depth in our guide to applying a risk-based approach as the rules evolve.

Change-notice ingestion: catching the change

A registry tells you what you are accountable for at a point in time. Change-notice ingestion is how that registry stays current rather than ageing quietly into inaccuracy.

The Regulatory Intelligence service ingests change notices — the directives, amendments and guidance that alter your obligations — so that a regulatory change becomes a tracked item rather than an email someone may or may not have opened. The point is to convert an unstructured stream of external events into structured, routable work. A change notice that lands in the platform can be assessed, assigned, and worked, with a clear record of what was decided, instead of dissolving into an inbox.

Two categories of change deserve particular attention because they move fastest and bite hardest.

Watchlist and designation changes

Designation changes are regulatory changes with the shortest fuse. When a new sanctions or PEP designation is published, the obligation to screen against it is immediate, and the gap between publication and adoption is a live exposure. This is why list management and regulatory change management belong in the same conversation. The discipline of getting new designations into your platform quickly, with versioning and a record of when each list became active, is its own substantial topic — one we treat in detail in our guide to handling designation and list changes. Treat designation updates as a high-priority lane within your change process, not as something the screening team handles in isolation.

Threshold and reporting changes

Changes to reporting thresholds, triggers and formats ripple straight into your operational controls — your transaction-monitoring rules and your reporting workflows. A moved threshold that is not reflected in a rule produces either missed reports or a flood of false ones. The mechanics of the reporting changes themselves — goAML filing formats, CTR thresholds, country-specific submission steps — are covered separately in our goAML reporting material and the goAML Reporting Platform; the job of regulatory change management is to make sure the change is noticed, assessed and routed to whoever owns the affected control.

Per-tenant acknowledgement: the record that you knew and acted

The piece that converts awareness into defensible governance is acknowledgement. The Regulatory Intelligence service supports per-tenant acknowledgement of regulatory changes — a positive, recorded confirmation that the institution has received a change, considered it, and decided what to do.

This matters for two reasons. First, acknowledgement is an active control rather than a passive one. A change notice that merely appears in a dashboard can be scrolled past; a change that requires explicit acknowledgement forces a decision and names a decision-maker. Second, the acknowledgement is the evidence. When an examiner asks whether you were aware of a directive issued last quarter, the answer is not a verbal assurance — it is a dated record showing the change was received, who acknowledged it, and what followed.

Because Creodata is multi-tenant with per-tenant configuration, acknowledgement is scoped to the institution. Each tenant maintains its own registry, its own ingested change notices, and its own acknowledgement record, reflecting the obligations that actually apply to that institution in its jurisdictions rather than a generic regional default.

Acknowledgement is at its strongest when it feeds the platform's wider audit discipline. Creodata applies four-eyes approval to consequential decisions and writes them to an append-only, immutable audit log, so a regulatory-change decision is not just acknowledged but approved and permanently recorded. That is precisely the trail — awareness, decision, approval, action — that demonstrates a functioning programme. The principles behind it are set out in our piece on evidencing awareness and action through the audit trail and four-eyes approval.

Mapping obligations to controls: closing the loop

The full value appears when the registry, change ingestion and acknowledgement are joined to the controls they govern. The loop runs like this:

| Step | What happens | Where the evidence lives |
|---|---|---|
| Baseline | Obligations recorded in the registry, each linked to a control | Obligation registry |
| Detect | A change notice is ingested and matched to affected obligations | Change-notice record |
| Assess | The change is reviewed against the linked controls | Case/decision record |
| Act | The affected control is updated and the decision approved | Audit log, four-eyes record |
| Acknowledge | The tenant confirms receipt and the action taken | Acknowledgement record |

When an obligation is mapped to a transaction-monitoring rule, a screening configuration or a reporting workflow, a change to the obligation points directly at the control that must move — and the eventual update is captured with its evidence one click away. That is the difference between a programme that reacts to regulatory change and one that can prove it stayed aligned to current rules throughout. The whole capability is part of the Creodata AML Platform, where Regulatory Intelligence sits alongside the controls it governs rather than as a disconnected tracker.

Regulatory change management is also the part of the programme where outside perspective often helps, particularly when a wave of legislative or guidance change lands at once. Where an institution wants a second pair of hands to interpret a change and translate it into control updates, Creodata's financial-crime-compliance advisory works alongside the platform.

Frequently asked questions

How is an obligation registry different from just keeping copies of the regulations?

A folder of regulations tells you what the rules say; an obligation registry tells you what you are accountable for and which control satisfies each obligation. The registry is structured, owned and mapped to controls, so when a rule changes you can see immediately which part of your programme is affected. A document folder cannot do that, and it cannot produce a record that you noticed and acted on a change.

Does this replace our compliance team's judgement?

No. The Regulatory Intelligence service catches and routes change and records the decision; it does not make the decision. A change notice still needs a compliance professional to assess its impact, decide on the control update, and — under four-eyes approval — have that decision reviewed. The platform's job is to make sure nothing falls through the cracks and that the judgement, once exercised, is permanently recorded.

How does regulatory change management connect to the rest of the AML programme?

Tightly. A threshold change feeds transaction monitoring; a designation change feeds watchlist management and screening; a reporting change feeds the STR/CTR and goAML workflows. The obligation registry is the connective tissue that links each external change to the internal control it affects, which is why it sits inside the platform rather than beside it.

How does this differ across the East African jurisdictions we operate in?

Because configuration and acknowledgement are per-tenant, the obligations, change notices and records reflect each institution's actual footprint across Kenya, Uganda, Tanzania, Zambia and Rwanda. For the specifics of Kenya's framework, see our guide to Kenya's POCAMLA and POTA obligations, and for the wider regional picture our overview of the East African AML landscape.


Regulatory change is relentless, but it does not have to be chaotic. An obligation registry that knows what you are accountable for, change-notice ingestion that catches what moves, and per-tenant acknowledgement that records you knew and acted — backed by four-eyes approval and an immutable audit log — turn "keeping up" into a managed, evidenced process. If you would like to see how Regulatory Intelligence works alongside the controls it governs, book a demo of the Creodata AML Platform and we will walk through it against the jurisdictions and obligations that actually apply to your institution.