goAML Reporting: The Complete Guide for Banks and FIUs (2026)

Q: Which goAML schema version is used in East Africa?

The deployments covered in this guide use goAML XML schema version 5.0.2. Always confirm the current version published by your specific FIU before generating files, as FIUs upgrade their schema periodically. --- This is the hub for Creodata's goAML coverage. Explore the linked guides for jurisdiction-specific detail, or talk to our compliance advisory team about automating your reporting end to end.

June 18, 2026

If your institution has anti-money laundering obligations anywhere in East Africa, sooner or later every compliance conversation comes back to one word: goAML. It is the system your Financial Intelligence Unit (FIU) uses to receive reports, the format your transaction data must be translated into, and the gatekeeper that decides whether a filing is accepted or rejected.

This guide is the starting point for everything goAML. It explains what the system is, who has to report, how the core report types work, what the XML schema demands, how submission and rejection handling works in practice, and how the rules differ across Kenya, Uganda, Tanzania, Zambia, and Rwanda. Wherever a topic deserves a deeper treatment, we link to a dedicated guide so you can go as deep as you need.

What is goAML?

goAML is an integrated software platform developed by the United Nations Office on Drugs and Crime (UNODC) specifically for Financial Intelligence Units. It gives an FIU a single system to collect reports from regulated institutions, analyse them, and disseminate intelligence to law enforcement. More than a hundred FIUs around the world now run on goAML, which is exactly why it has become the common language of AML reporting across the region.

For a reporting institution — a bank, SACCO, microfinance institution, forex bureau, payment service provider, or other designated entity — goAML has two faces:

The web portal, where authorised officers register, log in, key in reports manually, upload report files, and track acknowledgements.
The XML schema, a strict machine-readable format that every report must conform to before the system will accept it.

Small institutions filing a handful of reports a month can live in the web portal. For anyone filing at volume, the schema is where compliance succeeds or fails — which is why so much of this guide, and the cluster of articles it links to, is about getting the XML right the first time.

Who must report through goAML?

The exact list of "reporting institutions" or "accountable persons" is set by each country's AML legislation, but it almost always includes banks, microfinance and deposit-taking institutions, SACCOs, forex bureaus, money remittance providers, mobile money operators, insurers, capital markets intermediaries, and a range of designated non-financial businesses and professions (DNFBPs) such as lawyers, accountants, real estate agents, and dealers in precious metals and stones.

If you are unsure whether your obligations are being met end to end — from customer due diligence to filing — our financial crime compliance advisory team works with institutions of every size to build and test the full reporting chain.

CTRs and STRs: the two core report types

Almost everything filed through goAML is one of two report types.

A Cash Transaction Report (CTR) is filed when a cash transaction meets or exceeds a defined threshold. It is objective and rule-based: above the threshold, you report, regardless of whether anything looks suspicious. In Kenya, for example, that threshold is USD 15,000 or its equivalent, and the detail of what counts toward it is more subtle than it first appears — we break it down in Kenya CTR Threshold: The USD 15,000 Rule Explained and walk through an end-to-end filing in How to File a CTR with Kenya FRC.

A Suspicious Transaction Report (STR) is filed whenever an institution forms a suspicion of money laundering, terrorism financing, or another predicate offence — with no threshold at all. STRs are where judgement, typology knowledge, and narrative writing matter most. To get them right, see:

How to Write an STR Narrative for goAML — structuring a defensible, decision-ready narrative.
STR Indicator Library: AML Typologies for Kenya Banks — the red flags that should trigger a report.
AML Risk Scoring Engines: How Automated STR Recommendations Work — how automation surfaces candidates without replacing the analyst's decision.

Mobile money deserves special mention in this region: the speed and structuring risk of wallet transactions changes how both CTRs and STRs are generated, which we cover in Mobile Money AML Reporting in Kenya: M-PESA, Airtel Money and goAML.

The goAML XML schema: where filings pass or fail

A goAML report is only accepted if it validates against the FIU's published XML schema (XSD). The East African deployments covered in this guide use schema version 5.0.2, and the schema enforces which fields are mandatory, their data types, code lists, and structure. A single malformed date, a missing mandatory party, or an invalid account type will cause the whole submission to bounce.

Three guides take you from schema theory to a clean, validated file:

goAML XML Schema v5.0.2: CTR and STR Mandatory Fields Reference — exactly which fields are required for each report type.
goAML XSD v5 XML Generation: The Complete Technical Guide — generating schema-valid XML programmatically.
Core Banking Integration with goAML: API, SFTP, and CSV Options — getting transaction data out of the core system and into the pipeline.

Before you submit anything to the live portal, validate it. Our free, browser-based goAML XML Validator checks a file against the v5.0.2 schema entirely in your browser — no data leaves the machine — and our goAML Error Code Library explains what each rejection code actually means.

Handling submissions and rejections

Even well-formed files get rejected, and a rejection is rarely a dead end — it is a diagnosable problem with a specific cause. The most common culprits are schema validation failures, reference-data mismatches (a code that is not on the FIU's accepted list), duplicate report IDs, and account or party records that fail the FIU's business rules.

When the portal returns an error, goAML Submission Rejected? How to Diagnose and Fix Common Errors walks through reading the rejection, mapping it to a root cause, and resubmitting cleanly. The goal every compliance team should aim for is zero-rejection reporting — files that validate locally and are accepted on the first attempt, every time.

Country-by-country: goAML across East Africa

The schema may be shared, but the legal framework, thresholds, deadlines, and localisation rules are national. Each country guide below is the authoritative, institution-ready reference for its jurisdiction:

Kenya — the Financial Reporting Centre (FRC), under POCAMLA: Kenya FRC goAML Reporting: Complete Guide 2026. For the underlying offences and counter-terrorism dimension, see POCAMLA and POTA Compliance for Kenya Banks.
Uganda — the Financial Intelligence Authority (FIA): Uganda FIA goAML Reporting: A Practical Guide for Banks.
Tanzania — the Financial Intelligence Unit (FIU): Tanzania FIU goAML Reporting: A Practical Guide for Banks.
Zambia — the Financial Intelligence Centre (FIC): Zambia FIC goAML Compliance: A Practical Guide for Banks.
Rwanda — the Financial Intelligence Centre (FIC): Rwanda FIC goAML Reporting: A Practical Guide for Banks.

The regional picture — and why it is tightening — is set out in AML Compliance Landscape in East Africa: 2026 Outlook and ESAAMLG Mutual Evaluations: What Every East African Bank Must Know.

Automating goAML reporting

Manual goAML reporting does not scale. As transaction volumes grow, hand-keying reports or hand-editing XML becomes slow, error-prone, and impossible to audit. Automation changes the economics: transactions are pulled from the core banking system, thresholds and typologies are applied, schema-valid XML is generated, and files are validated before they ever reach the portal.

Two articles cover the build-or-buy and deployment questions every institution faces:

How to Automate AML Reporting in East Africa: A Practical Approach
On-Premises vs Cloud AML Platform: Which Is Right for African Banks? and the engineering view in Microservices Architecture for AML Platforms.

Creodata's goAML Reporting Platform does exactly this: it integrates with your core banking system, generates schema-valid v5.0.2 XML, and validates every file for zero-rejection submission. For a one-page overview to share with management, see the goAML executive brief, or book a demo to see it against your own data.

Frequently asked questions

What does goAML stand for?

goAML is not a conventional acronym — it is the name of the UNODC's anti-money laundering reporting platform for Financial Intelligence Units. The "AML" refers to anti-money laundering; the platform is used by FIUs to collect, analyse, and disseminate financial intelligence.

Is goAML mandatory?

Where an FIU has adopted goAML, filing through it is mandatory for the institutions named as reporting entities under that country's AML law. Across Kenya, Uganda, Tanzania, Zambia, and Rwanda, banks and most other financial institutions are required to submit CTRs and STRs through the goAML system, and failure to report can carry administrative penalties and personal liability for responsible officers.

What is the difference between a CTR and an STR?

A Cash Transaction Report is filed for cash transactions at or above a defined threshold and is purely rule-based — no suspicion is required. A Suspicious Transaction Report is filed whenever the institution forms a suspicion of money laundering or a related offence, with no monetary threshold. CTRs test your data pipeline; STRs test your analysts' judgement.

Why do goAML submissions get rejected?

The most common reasons are XML that fails schema validation, reference codes that are not on the FIU's accepted list, duplicate report identifiers, and party or account records that breach business rules. Validating files against the v5.0.2 schema before submission — for example with our free goAML XML Validator — eliminates the large majority of rejections.

Which goAML schema version is used in East Africa?

The deployments covered in this guide use goAML XML schema version 5.0.2. Always confirm the current version published by your specific FIU before generating files, as FIUs upgrade their schema periodically.

This is the hub for Creodata's goAML coverage. Explore the linked guides for jurisdiction-specific detail, or talk to our compliance advisory team about automating your reporting end to end.

AML Risk Scoring Engines: How Automated STR Recommendations Work
How AML risk scoring engines reduce false positives from 85% to under 50%, automate STR recommendations, and help compliance officers focus on real threats.
How to Automate AML Reporting in East Africa: A Practical Guide
Learn how East African banks can automate AML reporting, reduce CTR/STR errors, and cut 87+ hours of manual work per month. A practical implementation guide.
goAML XSD v5 XML Generation: The Complete Technical Guide
Complete technical guide to goAML XSD v5.0.2 XML generation — schema structure, mandatory fields, encoding pitfalls, country extensions, and validation pipelines.
Microservices Architecture for AML Platforms: Why It Matters for Banks
Discover how microservices architecture solves the scalability, resilience, and update challenges that cripple monolithic AML systems in East African banks.